Abstract
In this paper, we propose a novel secure multi-party quantum summation protocol based on quantum Fourier transform, where the traveling particles are transmitted in a tree-type mode. The party who prepares the initial quantum states is assumed to be semi-honest, which means that she may misbehave on her own but will not conspire with anyone. The proposed protocol can resist both the outside attacks and the participant attacks. Especially, one party cannot obtain other parties’ private integer strings; and it is secure for the colluding attack performed by at most \( n - 2 \) parties, where \( n \) is the number of parties. In addition, the proposed protocol calculates the addition of modulo \( d \) and implements the calculation of addition in a secret-by-secret way rather than a bit-by-bit way.
Similar content being viewed by others
Explore related subjects
Discover the latest articles, news and stories from top researchers in related subjects.Avoid common mistakes on your manuscript.
1 Introduction
Quantum cryptography, which can be regarded as the combination of quantum mechanics and classical cryptography, has attracted a lot of attention since it was derived by Bennett and Brassard [1] in 1984, as it can attain unconditional security in theory through the physical principles of quantum mechanics. During the past three decades, quantum cryptography was widely investigated so that numerous branches have been established, such as quantum key distribution (QKD) [1,2,3,4,5], quantum secure direct communication (QSDC) [6,7,8], quantum secret sharing (QSS) [9,10,11], quantum key agreement (QKA) [12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40], quantum private query (QPQ) [41,42,43,44,45] etc.
Secure multi-party computation, first introduced by Yao [46] and extended by Goldreich et al. [47], is a significant subfield of classical cryptography. Naturally, whether the physical principle of quantum mechanics can be applied into secure multi-party computation is an important and interesting question. To date, many researchers have investigated secure multi-party computation within quantum settings [48,49,50,51]. Lo [48] thought that the equality function cannot be securely evaluated in a two-party scenario. Thus, some additional assumptions, such as a third party (TP), should be considered. Ben-Or et al. [49] studied the question that in order for distributed quantum computations to be possible, how many players must keep honest. Chau [50] put forward a scheme to improve the speed of classical multi-party computation with quantum techniques. Smith [51] pointed out that any multi-party quantum computation can be secure as long as the number of dishonest players is less than \( n/6 \).
Secure multi-party summation, which can be used to construct complex secure protocols for other multi-party computation, is a fundamental problem of secure multi-party computation. It can be formulated as follows [52]:\( n \) players, \( {\rm P}_{1} ,{\rm P}_{2} , \ldots ,{\rm P}_{n} \), want to evaluate a summation function \( f\left( {x_{1} ,x_{2} , \ldots ,x_{n} } \right) \), where \( x_{i} \) is the secret value from \( {\text{P}}_{i} \). The result of this function can be revealed publicly or privately to some particular player. The task of secure multi-party summation is to preserve the privacy of the players’ inputs and guarantee the correctness of computation. In 2002, Heinrich [53] investigated quantum summation with an application to integration. In 2003, Heinrich [54] studied quantum Boolean summation with repetitions in the worst-average setting. In 2006, Hillery [55] put forward a multi-party quantum summation protocol by using two-particle \( N \)-level entangled states which accomplishes the summation of \( N \) players in voting procedure on the basis of ensuring the anonymity of players. In 2007, Du et al. [56] suggested a novel scheme of secure quantum addition modulo \( n + 1 \)\( \left( {n \ge 2} \right) \) by using non-orthogonal states, which can add a number to an unknown number secretly. Here, \( n \) represents the number of parties carrying a secret. In 2010, Chen et al. [52] proposed a quantum addition modulo 2 protocol based on multi-particle GHZ entangled states. In 2014, Zhang et al. [57] constructed a high-capacity quantum addition modulo 2 protocol with single photons in both polarization and spatial-mode degrees of freedom. In 2015, Zhang et al. [58] suggested a three-party quantum addition modulo 2 protocol by using six-qubit genuinely maximally entangled states. In 2016, Shi et al. [59] thought that the protocols in Refs [52, 56] have two drawbacks: on the one hand, the modulo of these two protocols is too small, resulting in the limitation for more extensive applications; on the other hand, these two protocols do not possess an enough high computation efficiency because of their bit-by-bit computation. Then, they proposed a quantum addition modulo \( N \) protocol through quantum Fourier transform, controlled-not operation, oracle operation and inverse quantum Fourier transform, which implements the calculation of summation in a secret-by-secret way rather than a bit-by-bit way. Here, \( N = 2^{m} \) and \( m \) is the number of qubits represented by one basis state. In this protocol, the calculations of secure multi-party summation are securely transferred into the calculations of the corresponding phase information by quantum Fourier transform. And later, the phase information is extracted after an inverse quantum Fourier transform. In 2017, Shi and Zhang [60] presented a common quantum solution to a class of special two-party private summation problems. In the same year, Zhang et al. [61] put forward a multi-party quantum addition modulo 2 protocol without a trusted TP based on single particles.
Based on the above analysis, in this paper, we propose a novel secure multi-party quantum summation protocol based on quantum Fourier transform. The party who prepares the initial quantum states is assumed to be semi-honest, which means that she may misbehave on her own but will not conspire with anyone. The proposed protocol can resist both the outside attacks and the participant attacks. Especially, one party cannot obtain other parties’ private integer strings; and it is secure for the colluding attack performed by at most \( n - 2 \) parties. In addition, the proposed protocol calculates the addition of modulo \( d \), and implements the calculation of addition in a secret-by-secret way rather than a bit-by-bit way.
The rest of this paper is organized as follows. In Sect. 2, we introduce the preliminary knowledge used in this paper. In Sect. 3, we describe and analyze the proposed secure multi-party quantum summation protocol. Finally, discussion and conclusion are given in Sect. 4.
2 Preliminary knowledge
Before depicting the proposed protocol, it is necessary for us to introduce the preliminary knowledge first.
2.1 Quantum Fourier transform and its application
Let us define the \( d \)-level \( n \)-particle entangled state as follows:
where each \( \left| r \right\rangle \) is a \( d \)-level basis state, \( r \in \left\{ {0,1, \ldots ,d - 1} \right\} \) and \( d \ge 2 \). For each \( d \)-level basis state \( \left| r \right\rangle \), the \( d \) th order discrete quantum Fourier transform is defined to be
where \( \zeta = e^{2\pi i/d} \). The two sets, \( V_{1} = \left\{ {\left| r \right\rangle } \right\}_{r = 0}^{d - 1} \) and \( V_{2} = \left\{ {F\left| r \right\rangle } \right\}_{r = 0}^{d - 1} \), are two common conjugate bases.
Further, we define a transformation operation \( U_{k} \) as follows:
where \( k \) runs from 0 to \( d - 1 \). Throughout this paper, \( \oplus \) represents the addition modulo \( d \). Apparently, after the operation \( U_{k} \) is performed on the \( d \)-level basis state \( \left| r \right\rangle \), we can obtain
After performing the operation \( \left( {U_{{k_{1} }} F} \right) \otimes \left( {U_{{k_{2} }} F} \right) \otimes \ldots \otimes \left( {U_{{k_{n} }} F} \right) \) (\( k_{1} ,k_{2} , \ldots ,k_{n} \in \left\{ {0,1, \ldots ,d - 1} \right\} \)) on the state \( \left| \omega \right\rangle_{12 \ldots n} \), we can get
If we perform quantum measurements with the \( V_{1} \) basis on the right of Eq. (5), we will get the results of \( l_{i} \oplus k_{i} \) (\( i = 1,2, \ldots ,n \)). According to Eq. (5), it is apparent that
2.2 Particle transmission mode of secure multi-party quantum computation
In secure multi-party quantum computation protocols (such as multi-party QKA), there are three kinds of particle transmission mode [32], i.e., the complete-graph-type, the circle-type and the tree-type (shown in Fig. 1). In the complete-graph-type particle transmission mode, every party prepares the initial quantum states and sends each of the other parties a sequence of prepared particles; in the circle-type particle transmission mode, every party prepares the initial quantum states and only sends out one sequence of prepared particles which will be operated by each of the other parties in turn and finally sent back to the one who prepared it; and in the tree-type particle transmission mode, only one party prepares the initial quantum states and sends each of the other parties a sequence of prepared particles which may or may not be sent back after operation (Fig. 2).
3 The proposed secure multi-party quantum summation protocol and its analysis
3.1 Protocol description
Secure multi-party quantum summation should meet the following requirements [52]:
-
1.
Correctness. The computation result of summation of players’ inputs is correct.
-
2.
Security. An outside eavesdropper cannot obtain any useful information about each player’s input without being detected.
-
3.
Privacy. Each player cannot learn any useful information more than her prescribed out, i.e., each player’s input can be kept secret.
However, the computation result of summation can be published.
Suppose that there are \( n \) (\( n > 2 \)) parties, \( {\rm P}_{1} ,{\rm P}_{2} , \ldots ,{\rm P}_{n} \), where \( {\rm P}_{i} \) (\( i = 1,2, \ldots ,n \)) has a private integer string \( K_{i} \) of length \( N \). That is,
where \( k_{1}^{t} ,k_{2}^{t} , \ldots ,k_{n}^{t} \in \left\{ {0,1, \ldots ,d - 1} \right\} \) for \( t = 1,2, \ldots ,N \). \( {\rm P}_{1} ,{\rm P}_{2} , \ldots ,{\rm P}_{n} \) want to jointly derive the summation of their private integer strings shown in Eq. (8) without revealing the genuine contents of their private integer strings.
The detailed procedures of the proposed secure multi-party quantum summation protocol can be illustrated as follows. Without loss of generality, we suppose that \( {\rm P}_{1} \) is the party who prepares the initial quantum states. Moreover, \( {\rm P}_{1} \) is assumed to be semi-honest, which means that she may misbehave on her own but will not conspire with anyone. Here, only ideal channel (without noise) is considered.
Step 1: \( {\rm P}_{1} \) prepares \( N \)\( d \)-level \( n \)-particle entangled states all in the state \( \left| \omega \right\rangle_{12 \ldots n} \) and arranges them into an ordered sequence
where the superscripts \( 1,2, \ldots ,N \) denote the order of \( d \)-level \( n \)-particle entangled states in the sequence. Afterward, \( {\rm P}_{1} \) takes the \( i \)th (\( i = 1,2, \ldots ,n \)) particle out from each state to construct \( n \) particle sequences which are labeled as:
where \( p_{i}^{t} \) represents the \( i \)th particle of the \( t \)th entangled state and \( t = 1,2, \ldots ,N \). For detecting eavesdropping, \( {\rm P}_{1} \) prepares \( n - 1 \) groups of decoy photons, each of which is randomly chosen from the set \( V_{1} \) or \( V_{2} \). Then, \( {\rm P}_{1} \) randomly picks out one group of decoy photons and randomly inserts the chosen decoy photons into particle sequence \( S_{j} \) to form a new sequence \( S_{j}^{'} \). Here, \( j = 2,3, \ldots ,n \). Finally, \( {\rm P}_{1} \) keeps \( S_{1} \) in her hand and sends \( S_{j}^{'} \) to \( {\rm P}_{j} \).
Step 2: After confirming that \( {\rm P}_{j} \) (\( j = 2,3, \ldots ,n \)) has received all the particles in sequence \( S_{j}^{'} \), \( {\rm P}_{1} \) checks the transmission security of sequence \( S_{j}^{'} \) together with \( {\rm P}_{j} \). Concretely, \( {\rm P}_{1} \) tells \( {\rm P}_{j} \) the positions and the measurement basis of decoy photons in sequence \( S_{j}^{'} \). In the following, \( {\rm P}_{j} \) uses the correct basis to measure the corresponding decoy photons and tells \( {\rm P}_{1} \) half of the measurement results. Afterward, \( {\rm P}_{1} \) announces the initial states of the remaining half of decoy photons. Finally, they check whether the measurement results of decoy photons are consistent with their initial states. In this way, \( {\rm P}_{1} \) and \( {\rm P}_{j} \) can check the transmission security of sequence \( S_{j}^{'} \). If the error rate is greater than a predetermined threshold, they will terminate the protocol; otherwise, they will proceed to the next step.
Step 3: \( {\rm P}_{j} \) (\( j = 2,3, \ldots ,n \)) discards the decoy photons in sequence \( S_{j}^{'} \) and obtains sequence \( S_{j} \). Then, \( {\rm P}_{j} \) encodes her private integer string \( K_{j} \) on the particles in sequence \( S_{j} \). Concretely, \( {\rm P}_{j} \) performs \( U_{{k_{j}^{t} }} F \) on particle \( p_{j}^{t} \), where \( t = 1,2, \ldots ,N \). The new sequence of \( S_{j} \) after encoded is denoted as \( ES_{j} \).
In the same time, \( {\rm P}_{1} \) also encodes her private integer string \( K_{1} \) on the particles in sequence \( S_{1} \) by performing \( U_{{k_{1}^{t} }} F \) on particle \( p_{1}^{t} \). The new sequence of \( S_{1} \) after encoded is denoted as \( ES_{1} \).
Step 4: After all parties have finishing encoding of their private integer strings, each of them measures all particles in their respective hand with the basis \( V_{1} \) and obtains the corresponding measurement results. As a result, it can be derived that
where \( m_{i}^{t} \) is the measurement result of particle \( p_{i}^{t} \) after encoded, \( i = 1,2, \ldots ,n \) and \( t = 1,2, \ldots ,N \). According to Eq. (5), it can be obtained that \( m_{i}^{t} = l_{i}^{t} \oplus k_{i}^{t} \) and \( l_{1}^{t} + l_{2}^{t} + \ldots + l_{n}^{t} \equiv 0\left( {\bmod d} \right) \). Then, \( {\rm P}_{j} \) (\( j = 2,3, \ldots ,n \)) announces \( M_{j} \) to \( {\rm P}_{1} \). Finally, according to Eq. (6), \( {\rm P}_{1} \) obtains the summation of all parties’ private integer strings by computing
In order to let the other parties know the result of summation, \( {\rm P}_{1} \) announces it publicly.
It concludes the description of the proposed secure multi-party quantum summation protocol. It is apparent that in the above protocol, only \( {\rm P}_{1} \) prepares the initial quantum states and sends each of the other parties a sequence of prepared particles. Thus, the above protocol adopts the tree-type particle transmission mode.
3.2 Analysis
-
A.
Output correctness
In this subsection, we verify that the output of the above protocol is correct. There are \( n \) parties named \( {\rm P}_{1} ,{\rm P}_{2} , \ldots ,{\rm P}_{n} \), where \( {\rm P}_{i} \) (\( i = 1,2, \ldots ,n \)) has a private integer string \( K_{i} \) of length \( N \). Without loss of generality, after ignoring the eavesdropping check processes, we take the first integer of each private integer string (i.e., \( k_{i}^{1} \), \( i = 1,2, \ldots ,n \)) for example, to illustrate the output correctness.
\( {\rm P}_{1} \) prepares one \( d \)-level \( n \)-particle entangled state in the state \( \frac{1}{\sqrt d }\sum\limits_{r = 0}^{d - 1} {\left| r \right\rangle_{1}^{1} \left| r \right\rangle_{2}^{1} \ldots \left| r \right\rangle_{n}^{1} } \). Then, \( {\rm P}_{1} \) keeps particle \( p_{1}^{1} \) in her hand and sends particle \( p_{j}^{1} \) to \( {\rm P}_{j} \). Here, \( j = 2,3, \ldots ,n \). After receiving particle \( p_{j}^{1} \), \( {\rm P}_{j} \) performs \( U_{{k_{j}^{1} }} F \) on particle \( p_{j}^{1} \) to encode the private integer \( k_{j}^{1} \). In the same time, \( {\rm P}_{1} \) also encodes her private integer \( k_{1}^{1} \) by performing \( U_{{k_{1}^{1} }} F \) on particle \( p_{1}^{1} \). Then, \( {\rm P}_{j} \) measures particle \( p_{j}^{1} \) after encoded with the basis \( V_{1} \) and tells \( {\rm P}_{1} \) the measurement result \( m_{j}^{1} \). \( {\rm P}_{1} \) also uses the basis \( V_{1} \) to measure \( p_{1}^{1} \) after encoded and obtains the measurement result \( m_{1}^{1} \). Here, \( m_{i}^{1} = l_{i}^{1} \oplus k_{i}^{1} \) and \( i = 1,2, \ldots ,n \). Finally, according to Eq. (6), \( {\rm P}_{1} \) obtains \( k_{1}^{1} \oplus k_{2}^{1} \oplus \ldots \oplus k_{n}^{1} \) by computing \( m_{1}^{1} \oplus m_{2}^{1} \oplus \ldots \oplus m_{n}^{1} \). Concretely,
It can be concluded now that the output of the above protocol is correct.
-
B.
Security
In this subsection, we verify that both the outside attack and the participant attack are ineffective for the above protocol.
-
(i)
Outside attack
We analyze the possibility for an outside eavesdropper to steal the private integer strings from all parties here.
In the above protocol, in order to get something useful about the private integer strings, an outside eavesdropper may utilize the particle transmission that \( {\rm P}_{1} \) sends \( S_{j}^{'} \) (\( j = 2,3, \ldots ,n \)) to \( {\rm P}_{j} \) in Step 1 to launch active attacks, such as the intercept-resend attack, the measure-resend attack and the entangle-measure attack and so on. However, the above protocol employs the decoy photons, which are randomly chosen from the two conjugate bases, \( V_{1} \) and \( V_{2} \), to detect the presence of an outside eavesdropper. Note that the decoy photon technique [62, 63] can be thought as a variant of the BB84 eavesdropping check method [1] which has been proven to be unconditionally secure [64]. Moreover, the effectiveness of decoy photon technology in 2-level quantum system against an outside eavesdropper’s attacks has also been validated in Refs [65, 66]. It is straightforward that the decoy photon technology is also effective against an outside eavesdropper’s attacks in \( d \)-level quantum system. Therefore, if an outside eavesdropper launches active attacks during the particle transmissions, due to having no knowledge about the positions and the measurement basis of decoy photons before the announcement on them, she will inevitably leave her trace on decoy photons and be detected by the eavesdropping check process.
On the other hand, in Step 4, an outside eavesdropper may hear of \( M_{j} \) when \( {\rm P}_{j} \) (\( j = 2,3, \ldots ,n \)) announces it to \( {\rm P}_{1} \) and the result of summation when \( {\rm P}_{1} \) publishes it. However, she still cannot decrypt out \( k_{j}^{t} \) (\( t = 1,2, \ldots ,N \)) from \( m_{j}^{t} \), because she does not know the value of \( l_{j}^{t} \). In addition, an outside eavesdropper can deduce \( M_{1} \) from \( M_{2} ,M_{3} , \ldots ,M_{n} \) and the result of summation. However, due to lack of the knowledge of the value of \( l_{1}^{t} \), she cannot know \( k_{1}^{t} \) either.
-
(ii)
Participant attack
In 2007, Gao et al. [67] first pointed out that the participant attack, i.e., the attack from one or more dishonest parties, is generally more powerful and should be paid more attention to. To date, the participant attack has attracted much attention in the cryptanalysis of quantum cryptography [68,69,70]. To see this in a sufficient way, we consider two cases of participant attack. Firstly, we discuss the participant attack from one single dishonest party; and then, we analyze the colluding attack from two or more dishonest parties.
-
(a)
The participant attack from one single dishonest party
In the above protocol, the roles of different \( {\rm P}_{j} \) s (\( j = 2,3, \ldots ,n \)) are the same, but are different from \( {\rm P}_{1} \) who prepares the initial quantum states and distributes the prepared particle sequences. Thus, there are two kinds of the participant attack from one single dishonest party, i.e., the participant attack from a single dishonest \( {\rm P}_{j} \) and the participant attack from semi-honest \( {\rm P}_{1} \).
With respect to the participant attack from a single dishonest \( {\rm P}_{j} \), if \( {\rm P}_{j} \) launches attacks on the particles in \( S_{{j^{'} }}^{'} \) from \( {\rm P}_{1} \) to \( {\rm P}_{{j^{'} }} \) (\( j^{'} = 2,3, \ldots ,n \) and \( j^{'} \ne j \)) in Step 1, due to having no knowledge about the positions and the measurement basis of the inserted decoy photons in \( S_{{j^{'} }}^{'} \), she will inevitably be caught as an outside eavesdropper. In addition, \( {\rm P}_{j} \) may hear of \( M_{{j^{'} }} \) when \( {\rm P}_{{j^{'} }} \) announces it to \( {\rm P}_{1} \) in Step 4. However, due to having no access to the value of \( l_{{j^{'} }}^{t} \) (\( t = 1,2, \ldots ,N \)), she still cannot decrypt out \( k_{{j^{'} }}^{t} \) from \( m_{{j^{'} }}^{t} \). On the other hand, \( {\rm P}_{j} \) can deduce \( M_{1} \) from \( M_{2} ,M_{3} , \ldots ,M_{n} \) and the result of summation. However, due to lack of the knowledge of the value of \( l_{1}^{t} \), \( {\rm P}_{j} \) cannot know \( k_{1}^{t} \) either.
With respect to the participant attack from semi-honest \( {\rm P}_{1} \), in order to obtain the private integer strings of the other parties, \( {\rm P}_{1} \) can take the chance of preparing the initial quantum states to launch the following attack:
-
(1)
\( {\rm P}_{1} \) prepares \( N \)\( d \)-level \( n \)-particle entangled states all in the state \( \left| \omega \right\rangle_{12 \ldots n} \), and measures each of them with the basis \( V_{1} \). The collapsed states after measurement are denoted as
where \( \left| {r^{t} } \right\rangle_{i} \) denotes the collapsed state of the \( i \)th particle in the \( t \)th \( d \)-level \( n \)-particle entangled state after measurement. Here, \( t = 1,2, \ldots ,N \) and \( i = 1,2, \ldots ,n \). Afterward, \( {\rm P}_{1} \) constructs \( n \) particle sequences as follows:
For detecting eavesdropping, \( {\rm P}_{1} \) prepares \( n - 1 \) groups of decoy photons, each of which is randomly chosen from the set \( V_{1} \) or \( V_{2} \), and randomly inserts one group of decoy photons into particle sequence \( S_{j} \) to form a new sequence \( S_{j}^{'} \). Here, \( j = 2,3, \ldots ,n \). Then, \( {\rm P}_{1} \) keeps \( S_{1} \) in her hand and sends \( S_{j}^{'} \) to \( {\rm P}_{j} \).
-
(2)
\( {\rm P}_{1} \) and \( {\rm P}_{j} \) (\( j = 2,3, \ldots ,n \)) check the transmission security of sequence \( S_{j}^{'} \) together as illustrated in Step 2. Apparently, \( {\rm P}_{j} \) cannot discover the misbehavior of \( {\rm P}_{1} \). Therefore, \( {\rm P}_{j} \) discards the decoy photons in sequence \( S_{j}^{'} \) to restore sequence \( S_{j} \) and performs \( U_{{k_{j}^{t} }} F \) on particle \( \left| {r^{t} } \right\rangle_{j} \), where \( t = 1,2, \ldots ,N \). The corresponding encoded particle of \( \left| {r^{t} } \right\rangle_{j} \) is
Afterward, \( {\rm P}_{j} \) measures all particles in her hand with the basis \( V_{1} \) and publishes her measurement result
Here, \( m_{j}^{t} = l_{j}^{'t} \oplus k_{j}^{t} \). Then, \( {\rm P}_{j} \) announces \( M_{j} \) to \( {\rm P}_{1} \). Finally, \( {\rm P}_{1} \) tries to extract \( k_{j}^{t} \) from \( m_{j}^{t} \).
However, although \( {\rm P}_{1} \) knows \( m_{j}^{t} \) from the announcement of \( {\rm P}_{j} \), she still cannot extract \( k_{j}^{t} \), as she has no knowledge about \( l_{j}^{'t} \). It can be concluded that the participant attack from semi-honest \( {\rm P}_{1} \) is ineffective.
-
(b)
The participant attack from two or more dishonest parties
Since \( {\rm P}_{1} \) is not allowed to collude with other parties, if the other \( n - 1 \) parties collude together, they can easily deduce the private integer string of \( {\rm P}_{1} \) from the result of summation. Therefore, the above protocol cannot resist the colluding attack from \( n - 1 \) parties.
Next, we will demonstrate that the above protocol can resist the colluding attack from \( n - 2 \) parties. Without loss of generality, assume that the dishonest \( {\rm P}_{2} , \ldots ,{\rm P}_{i - 1} ,{\rm P}_{i + 1} , \ldots ,{\rm P}_{n} \) try to collude together to obtain the private integer strings of \( {\rm P}_{1} \) and \( {\rm P}_{i} \). Firstly, if \( {\rm P}_{2} , \ldots ,{\rm P}_{i - 1} ,{\rm P}_{i + 1} , \ldots ,{\rm P}_{n} \) try to launch attacks on the particles in \( S_{i}^{'} \) from \( {\rm P}_{1} \) to \( {\rm P}_{i} \) in Step 1, due to having no knowledge about the positions and the measurement basis of the inserted decoy photons in \( S_{i}^{'} \), they will inevitably be caught as an outside eavesdropper. Secondly, in Step 4, \( {\rm P}_{s} \)\( \left( {s = 2, \ldots ,i - 1,i + 1, \ldots ,n} \right) \) can know \( M_{s} \), and may hear of \( M_{i} \) when \( {\rm P}_{i} \) announces it to \( {\rm P}_{1} \) and the result of summation when \( {\rm P}_{1} \) publishes it.\( {\rm P}_{s} \) can deduce \( M_{1} \) from \( M_{2} ,M_{3} , \ldots ,M_{n} \) and the result of summation. Moreover, \( {\rm P}_{s} \) can deduce \( l_{s}^{t} \) (\( t = 1,2, \ldots ,N \)) from \( k_{s}^{t} \) and \( m_{s}^{t} \). However, even though the \( n - 2 \) parties conclude together, they still cannot obtain the accurate values of \( l_{i}^{t} \) and \( l_{1}^{t} \). Therefore, \( {\rm P}_{2} , \ldots ,{\rm P}_{i - 1} ,{\rm P}_{i + 1} , \ldots ,{\rm P}_{n} \) cannot decrypt out \( k_{i}^{t} \) and \( k_{1}^{t} \) from \( m_{i}^{t} \) and \( m_{1}^{t} \), respectively.
4 Discussion and conclusion
We compare the proposed protocol with previous quantum summation protocols with respect to type of addition and type of computation. The comparison result is summarized in Table 1. From Table 1, it can be concluded that the modulo of the proposed protocol can easily be bigger than those of Refs [52, 56,57,58, 61], which may result in more extensive applications, and compared with the protocols of Refs [52, 56,57,58, 60, 61], the proposed protocol easily has higher computation efficiency because of its secret-by-secret computation.
Further, we give a more detailed comparison between the proposed protocol and the protocol of Ref [59] by ignoring their security check processes, since both of them utilize quantum Fourier transform. The comparison result is summarized in Table 2.
In addition, in some circumstance, it is necessary to make all parties share the result of summation privately among them. In other words, anyone else except all parties is not allowed to know the result of summation. In order to achieve this goal, every party can launch the proposed protocol acting as \( {\rm P}_{1} \) and does not announce the result of summation publicly.
To sum up, in this paper, a novel secure multi-party quantum summation protocol based on quantum Fourier transform is proposed, where the traveling particles are transmitted in a tree-type mode. We verify in detail that the proposed protocol can resist both the outside attacks and the participant attacks. Especially, one party cannot obtain other parties’ private integer strings; and it is secure for the colluding attack performed by at most \( n - 2 \) parties. The proposed protocol calculates the addition of modulo \( d \) and implements the calculation of addition in a secret-by-secret way rather than a bit-by-bit way. In addition, the proposed protocol only considers ideal channel. When noise is concerned, additional operation such as quantum private amplification is needed.
References
Bennett, C.H., Brassard, G.: Quantum cryptography: public-key distribution and coin tossing. In: Proceedings of the IEEE International Conference on Computers, Systems and Signal Processing, pp. 175–179. IEEE Press, Bangalore (1984)
Ekert, A.K.: Quantum cryptography based on Bell’s theorem. Phys. Rev. Lett. 67(6), 661–663 (1991)
Bennett, C.H.: Quantum cryptography using any two nonorthogonal states. Phys. Rev. Lett. 68(21), 3121 (1992)
Cabello, A.: Quantum key distribution in the Holevo limit. Phys. Rev. Lett. 85, 5635 (2000)
Shih, H.C., Lee, K.C., Hwang, T.: New efficient three-party quantum key distribution protocols. IEEE J. Sel. Top. Quantum Electron. 15(6), 1602–1606 (2009)
Long, G.L., Liu, X.S.: Theoretically efficient high-capacity quantum-key-distribution scheme. Phys. Rev. A 65, 032302 (2002)
Deng, F.G., Long, G.L., Liu, X.S.: Two-step quantum direct communication protocol using the Einstein-Podolsky-Rosen pair block. Phys. Rev. A 68, 042317 (2003)
Deng, F.G., Long, G.L.: Secure direct communication with a quantum one-time pad. Phys. Rev. A 69, 052319 (2004)
Hillery, M., Buzek, V., Berthiaume, A.: Quantum secret sharing. Phys. Rev. A 59, 1829–1834 (1999)
Karlsson, A., Koashi, M., Imoto, N.: Quantum entanglement for secret sharing and secret splitting. Phys. Rev. A 59, 162–168 (1999)
Xiao, L., Long, G.L., Deng, F.G., Pan, J.W.: Efficient multiparty quantum-secret-sharing schemes. Phys. Rev. A 69, 052307 (2004)
Zhou, N., Zeng, G., Xiong, J.: Quantum key agreement protocol. Electron. Lett. 40, 1149 (2004)
Chong, S.K., Tsai, C.W., Hwang, T.: Improvement on quantum key agreement protocol with maximally entangled states. Int. J. Theor. Phys. 50, 1793–1802 (2011)
Chong, S.K., Hwang, T.: Quantum key agreement protocol based on BB84. Opt. Commun. 283, 1192–1195 (2010)
Liu, B., Gao, F., Huang, W., et al.: Multiparty quantum key agreement with single particles. Quantum Inf. Process. 12(4), 1797–1805 (2013)
Yin, X.R., Wen, W.P., Shen, D.S., et al.: Three-party quantum key agreement with Bell states. Acta Phys Sin 62(17), 170304 (2013)
Shi, R.H., Zhong, H.: Multi-party quantum key agreement with Bell states and Bell measurements. Quantum Inf. Process. 12(2), 921–932 (2013)
Yin, X.R., Wen, W.P., Liu, W.Y.: Three-party quantum key agreement with two-photon entanglement. Int. J. Theor. Phys. 52(11), 3915–3921 (2013)
Sun, Z.W., Zhang, C., Wang, B.H., et al.: Improvements on “multiparty quantum key agreement with single particles”. Quantum Inf. Process. 12(11), 3411–3420 (2013)
Huang, W., Wen, Q.Y., Liu, B., et al.: Quantum key agreement with EPR pairs and single-particle measurements. Quantum Inf. Process. 13(3), 649–663 (2014)
Huang, W., Su, Q., Wu, X., et al.: Quantum key agreement against collective decoherence. Int. J. Theor. Phys. 53, 2891–2901 (2014)
Shen, D.S., Ma, W.P., Wang, L.L.: Two-party quantum key agreement with four-qubit cluster states. Quantum Inf. Process. 13(10), 2313–2324 (2014)
Xu, G.B., Wen, Q.Y., Gao, F., Qin, S.J.: Novel multiparty quantum key agreement protocol with GHZ states. Quantum Inf. Process. 13(12), 2587–2594 (2014)
Shukla, C., Alam, N., Pathak, A.: Protocols of quantum key agreement solely using Bell states and Bell measurement. Quantum Inf. Process. 13(11), 2391–2405 (2014)
Huang, W., Wen, Q.Y., Liu, B., et al.: Cryptanalysis of a multi-party quantum key agreement protocol with single particles. Quantum Inf. Process. 13(7), 1651–1657 (2014)
He, Y.F., Ma, W.P.: Quantum key agreement protocols with four-qubit cluster states. Quantum Inf. Process. 14(9), 3483–3498 (2015)
Zhu, Z.C., Hu, A.Q., Fu, A.M.: Improving the security of protocols of quantum key agreement solely using Bell states and Bell measurement. Quantum Inf. Process. 14(11), 4245–4254 (2015)
Sun, Z.W., Yu, J.P., Wang, P.: Efficient multi-party quantum key agreement by cluster states. Quantum Inf. Process. 15(1), 373–384 (2016)
Sun, Z.W., Zhang, C., Wang, P., Yu, J.P., Zhang, Y., Long, D.Y.: Multi-party quantum key agreement by an entangled six-qubit state. Int. J. Theor. Phys. 55(3), 1920–1929 (2016)
Zhu, Z.C., Hu, A.Q., Fu, A.M.: Participant attack on three-party quantum key agreement with two-photon entanglement. Int. J. Theor. Phys. 55, 55–61 (2016)
He, Y.F., Ma, W.P.: Two-party quantum key agreement against collective noise. Quantum Inf. Process. 15, 5023–5035 (2016)
Liu, B., Xiao, D., Jia, H.Y., Liu, R.Z.: Collusive attacks to “circle-type” multi-party quantum key agreement protocols. Quantum Inf. Process. 15, 2113–2124 (2016)
Sun, Z.W., Huang, J.W., Wang, P.: Efficient multiparty quantum key agreement protocol based on commutative encryption. Quantum Inf. Process. 15, 2101–2111 (2016)
Huang, W., Su, Q., Xu, B.J., Liu, B., Fan, F., Jia, H.Y., Yang, Y.H.: Improved multiparty quantum key agreement in travelling mode. Sci China-Phys Mech Astron 59, 120311 (2016)
Mohajer, R., Eslami, Z.: Cryptanalysis of a multiparty quantum key agreement protocol based on commutative encryption. Quantum Inf. Process. 16, 197 (2017)
Cao, H., Ma, W.P.: Multiparty quantum key agreement based on quantum search algorithm. Sci Rep 7, 45046 (2017)
Wang, P., Sun, Z.W., Sun, X.Q.: Multi-party quantum key agreement protocol secure against collusion attacks. Quantum Inf. Process. 16, 170 (2017)
Cai, B.B., Guo, G.D., Lin, S.: Multi-party quantum key agreement without entanglement. Int. J. Theor. Phys. 56, 1039–1051 (2017)
Wang, L.L., Ma, W.P.: Quantum key agreement protocols with single photon in both polarization and spatial-mode degrees of freedom. Quantum Inf. Process. 16, 130 (2017)
He, Y.F., Ma, W.P.: Two quantum key agreement protocols immune to collective noise. Int. J. Theor. Phys. 56(2), 328–338 (2017)
Jakobi, M., Simon, C., Gisin, N., et al.: Practical private database queries based on a quantum-key-distribution protocol. Phys. Rev. A 83, 022301 (2011)
Gao, F., Liu, B., Huang, W., Wen, Q.Y.: Postprocessing of the oblivious key in quantum private query. IEEE J Sel Top Quant 21, 6600111 (2015)
Wei, C.Y., Wang, T.Y., Gao, F.: Practical quantum private query with better performance in resisting joint-measurement attack. Phys. Rev. A 93, 042318 (2016)
Wei, C.Y., Cai, X.Q., Liu, B., et al.: A generic construction of quantum-oblivious-key-transfer-based private query with ideal database security and zero failure. IEEE T Comput. 67, 2–8 (2018)
Liu, B., Gao, F., Huang, W.: QKD-based quantum private query without a failure probability. Sci. China-Phys. Mech. Astron. 58, 100301 (2015)
Yao, A.C.: Protocols for secure computations. In: Proceedings of 23rd IEEE Symposium on Foundations of Computer Science (FOCS’ 82), p. 160, Washington, DC, USA (1982)
Goldreich, O., Micali, S., Wigderson, A.: How to play ANY mental game. In: Proceedings of the 19th Annual ACM Symposium on Theory of Computing (STOC’87), p. 218, New York, NY, USA (1987)
Lo, H.K.: Insecurity of quantum secure computations. Phys. Rev. A 56(2), 1154–1162 (1997)
Ben-Or, M., Crepeau, C., Gottesman, D., Hassidim, A., Smith, A.: Secure multiparty quantum computation with (only) a strict honest majority. In: Proceedings of the 47th Annual IEEE Symposium on Foundations of Computer Science. FOCS’06, pp. 249–260. IEEE, New York (2006)
Chau, H.F.: Quantum-classical complexity-security tradeoff in secure multiparty computations. Phys. Rev. A 61, 032308 (2000)
Smith, A.: Multi-party quantum computation. 2010. arXiv:quant-ph/0111030
Chen, X.B., Xu, G., Yang, Y.X., Wen, Q.Y.: An efficient protocol for the secure multi-party quantum summation. Int. J. Theor. Phys. 49(11), 2793–2804 (2010)
Heinrich, S.: Quantum summation with an application to integration. J Complex 18, 1–50 (2002)
Heinrich, S., Kwas, M., Wozniakowski, H.: Quantum Boolean summation with repetitions in the worst-average setting. arXiv:quant-ph/0311036 (2003)
Hillery, M., Ziman, M., Buzek, V., Bielikova, M.: Towards quantum-based privacy and voting. Phys. Lett. A 349, 75 (2006)
Du, J.Z., Chen, X.B., Wen, Q.Y., Zhu, F.C.: Secure multiparty quantum summation. Acta Phys Sin 56(11), 6214–6219 (2007)
Zhang, C., Sun, Z.W., Huang, Y., Long, D.Y.: High-capacity quantum summation with single photons in both polarization and spatial-mode degrees of freedom. Int. J. Theor. Phys. 53(3), 933–941 (2014)
Zhang, C., Sun, Z.W., Huang, X.: Three-party quantum summation without a trusted third party. Int. J. Quantum Inf. 13(2), 1550011 (2015)
Shi, R.H., Mu, Y., Zhong, H., Cui, J., Zhang, S.: Secure multiparty quantum computation for summation and multiplication. Sci. Rep. 6, 19655 (2016)
Shi, R.H., Zhang, S.: Quantum solution to a class of two-party private summation problems. Quantum Inf. Process. 16, 225 (2017)
Zhang, C., Situ, H.Z., Huang, Q., Yang, P.: Multi-party quantum summation without a trusted third party based on single particles. Int. J. Quantum Inf. 15(2), 1750010 (2017)
Li, C.Y., Zhou, H.Y., Wang, Y., Deng, F.G.: Secure quantum key distribution network with Bell states and local unitary operations. Chin. Phys. Lett. 22(5), 1049 (2005)
Li, C.Y., Li, X.H., Deng, F.G., Zhou, P., Liang, Y.J., Zhou, H.Y.: Efficient quantum cryptography network without entanglement and quantum memory. Chin. Phys. Lett. 23(11), 2896 (2006)
Shor, P.W., Preskill, J.: Simple proof of security of the BB84 quantum key distribution protocol. Phys. Rev. Lett. 85(2), 441 (2000)
Chen, Y., Man, Z.X., Xia, Y.J.: Quantum bidirectional secure direct communication via entanglement swapping. Chin. Phys. Lett. 24(1), 19 (2007)
Ye, T.Y., Jiang, L.Z.: Improvement of controlled bidirectional quantum direct communication using a GHZ state. Chin. Phys. Lett. 30(4), 040305 (2013)
Gao, F., Qin, S.J., Wen, Q.Y., Zhu, F.C.: A simple participant attack on the Bradler-Dusek protocol. Quantum Inf. Comput. 7, 329 (2007)
Gao, F., Wen, Q.Y., Zhu, F.C.: Comment on:“quantum exam”[Phys Lett A 350(2006) 174]. Phys. Lett. A 360(6), 748–750 (2007)
Guo, F.Z., Qin, S.J., Gao, F., Lin, S., Wen, Q.Y., Zhu, F.C.: Participant attack on a kind of MQSS schemes based on entanglement swapping. Eur. Phys. J. D 56(3), 445–448 (2010)
Qin, S.J., Gao, F., Wen, Q.Y., Zhu, F.C.: Cryptanalysis of the Hillery-Buzek-Berthiaume quantum secret-sharing protocol. Phys. Rev. A 76(6), 062324 (2007)
Acknowledgements
The authors would like to thank the anonymous reviewers for their valuable comments that help enhancing the quality of this paper. Funding by the National Natural Science Foundation of China (Grant Nos. 61402407 and 11375152) and the Natural Science Foundation of Zhejiang Province (Grant No. LY18F020007) is gratefully acknowledged.
Author information
Authors and Affiliations
Corresponding author
Ethics declarations
Conflict of interest
The authors declare that they have no conflict of interest.
Rights and permissions
About this article
Cite this article
Yang, HY., Ye, TY. Secure multi-party quantum summation based on quantum Fourier transform. Quantum Inf Process 17, 129 (2018). https://doi.org/10.1007/s11128-018-1890-1
Received:
Accepted:
Published:
DOI: https://doi.org/10.1007/s11128-018-1890-1