1 Introduction

Quantum cryptography, which can be regarded as the combination of quantum mechanics and classical cryptography, has attracted a lot of attention since it was derived by Bennett and Brassard [1] in 1984, as it can attain unconditional security in theory through the physical principles of quantum mechanics. During the past three decades, quantum cryptography was widely investigated so that numerous branches have been established, such as quantum key distribution (QKD) [1,2,3,4,5], quantum secure direct communication (QSDC) [6,7,8], quantum secret sharing (QSS) [9,10,11], quantum key agreement (QKA) [12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40], quantum private query (QPQ) [41,42,43,44,45] etc.

Secure multi-party computation, first introduced by Yao [46] and extended by Goldreich et al. [47], is a significant subfield of classical cryptography. Naturally, whether the physical principle of quantum mechanics can be applied into secure multi-party computation is an important and interesting question. To date, many researchers have investigated secure multi-party computation within quantum settings [48,49,50,51]. Lo [48] thought that the equality function cannot be securely evaluated in a two-party scenario. Thus, some additional assumptions, such as a third party (TP), should be considered. Ben-Or et al. [49] studied the question that in order for distributed quantum computations to be possible, how many players must keep honest. Chau [50] put forward a scheme to improve the speed of classical multi-party computation with quantum techniques. Smith [51] pointed out that any multi-party quantum computation can be secure as long as the number of dishonest players is less than \( n/6 \).

Secure multi-party summation, which can be used to construct complex secure protocols for other multi-party computation, is a fundamental problem of secure multi-party computation. It can be formulated as follows [52]:\( n \) players, \( {\rm P}_{1} ,{\rm P}_{2} , \ldots ,{\rm P}_{n} \), want to evaluate a summation function \( f\left( {x_{1} ,x_{2} , \ldots ,x_{n} } \right) \), where \( x_{i} \) is the secret value from \( {\text{P}}_{i} \). The result of this function can be revealed publicly or privately to some particular player. The task of secure multi-party summation is to preserve the privacy of the players’ inputs and guarantee the correctness of computation. In 2002, Heinrich [53] investigated quantum summation with an application to integration. In 2003, Heinrich [54] studied quantum Boolean summation with repetitions in the worst-average setting. In 2006, Hillery [55] put forward a multi-party quantum summation protocol by using two-particle \( N \)-level entangled states which accomplishes the summation of \( N \) players in voting procedure on the basis of ensuring the anonymity of players. In 2007, Du et al. [56] suggested a novel scheme of secure quantum addition modulo \( n + 1 \)\( \left( {n \ge 2} \right) \) by using non-orthogonal states, which can add a number to an unknown number secretly. Here, \( n \) represents the number of parties carrying a secret. In 2010, Chen et al. [52] proposed a quantum addition modulo 2 protocol based on multi-particle GHZ entangled states. In 2014, Zhang et al. [57] constructed a high-capacity quantum addition modulo 2 protocol with single photons in both polarization and spatial-mode degrees of freedom. In 2015, Zhang et al. [58] suggested a three-party quantum addition modulo 2 protocol by using six-qubit genuinely maximally entangled states. In 2016, Shi et al. [59] thought that the protocols in Refs [52, 56] have two drawbacks: on the one hand, the modulo of these two protocols is too small, resulting in the limitation for more extensive applications; on the other hand, these two protocols do not possess an enough high computation efficiency because of their bit-by-bit computation. Then, they proposed a quantum addition modulo \( N \) protocol through quantum Fourier transform, controlled-not operation, oracle operation and inverse quantum Fourier transform, which implements the calculation of summation in a secret-by-secret way rather than a bit-by-bit way. Here, \( N = 2^{m} \) and \( m \) is the number of qubits represented by one basis state. In this protocol, the calculations of secure multi-party summation are securely transferred into the calculations of the corresponding phase information by quantum Fourier transform. And later, the phase information is extracted after an inverse quantum Fourier transform. In 2017, Shi and Zhang [60] presented a common quantum solution to a class of special two-party private summation problems. In the same year, Zhang et al. [61] put forward a multi-party quantum addition modulo 2 protocol without a trusted TP based on single particles.

Based on the above analysis, in this paper, we propose a novel secure multi-party quantum summation protocol based on quantum Fourier transform. The party who prepares the initial quantum states is assumed to be semi-honest, which means that she may misbehave on her own but will not conspire with anyone. The proposed protocol can resist both the outside attacks and the participant attacks. Especially, one party cannot obtain other parties’ private integer strings; and it is secure for the colluding attack performed by at most \( n - 2 \) parties. In addition, the proposed protocol calculates the addition of modulo \( d \), and implements the calculation of addition in a secret-by-secret way rather than a bit-by-bit way.

The rest of this paper is organized as follows. In Sect. 2, we introduce the preliminary knowledge used in this paper. In Sect. 3, we describe and analyze the proposed secure multi-party quantum summation protocol. Finally, discussion and conclusion are given in Sect. 4.

2 Preliminary knowledge

Before depicting the proposed protocol, it is necessary for us to introduce the preliminary knowledge first.

2.1 Quantum Fourier transform and its application

Let us define the \( d \)-level \( n \)-particle entangled state as follows:

$$ \left| \omega \right\rangle_{12 \ldots n} = \frac{1}{\sqrt d }\sum\limits_{r = 0}^{d - 1} {\left| r \right\rangle_{1} \left| r \right\rangle_{2} \ldots \left| r \right\rangle_{n} } , $$
(1)

where each \( \left| r \right\rangle \) is a \( d \)-level basis state, \( r \in \left\{ {0,1, \ldots ,d - 1} \right\} \) and \( d \ge 2 \). For each \( d \)-level basis state \( \left| r \right\rangle \), the \( d \) th order discrete quantum Fourier transform is defined to be

$$ F\left| r \right\rangle = \frac{1}{\sqrt d }\sum\limits_{l = 0}^{d - 1} {\zeta^{lr} \left| l \right\rangle } , $$
(2)

where \( \zeta = e^{2\pi i/d} \). The two sets, \( V_{1} = \left\{ {\left| r \right\rangle } \right\}_{r = 0}^{d - 1} \) and \( V_{2} = \left\{ {F\left| r \right\rangle } \right\}_{r = 0}^{d - 1} \), are two common conjugate bases.

Further, we define a transformation operation \( U_{k} \) as follows:

$$ U_{k} = \sum\limits_{u = 0}^{d - 1} {\left| {u \oplus k} \right\rangle \left\langle u \right|} , $$
(3)

where \( k \) runs from 0 to \( d - 1 \). Throughout this paper, \( \oplus \) represents the addition modulo \( d \). Apparently, after the operation \( U_{k} \) is performed on the \( d \)-level basis state \( \left| r \right\rangle \), we can obtain

$$ U_{k} \left| r \right\rangle = \left| {r \oplus k} \right\rangle . $$
(4)

After performing the operation \( \left( {U_{{k_{1} }} F} \right) \otimes \left( {U_{{k_{2} }} F} \right) \otimes \ldots \otimes \left( {U_{{k_{n} }} F} \right) \) (\( k_{1} ,k_{2} , \ldots ,k_{n} \in \left\{ {0,1, \ldots ,d - 1} \right\} \)) on the state \( \left| \omega \right\rangle_{12 \ldots n} \), we can get

$$ \begin{aligned} & \left( {U_{{k_{1} }} F} \right) \otimes \left( {U_{{k_{2} }} F} \right) \otimes \ldots \otimes \left( {U_{{k_{n} }} F} \right)\left| \omega \right\rangle_{12 \ldots n} \\ & = \frac{1}{\sqrt d }\sum\limits_{r = 0}^{d - 1} {\left( {U_{{k_{1} }} F} \right)} \left| r \right\rangle_{1} \otimes \left( {U_{{k_{2} }} F} \right)\left| r \right\rangle_{2} \otimes \ldots \otimes \left( {U_{{k_{n} }} F} \right)\left| r \right\rangle_{n} \\ & = \frac{1}{\sqrt d }\sum\limits_{r = 0}^{d - 1} {\left( {U_{{k_{1} }} \frac{1}{\sqrt d }\sum\limits_{{l_{1} = 0}}^{d - 1} {\zeta^{{l_{1} r}} \left| {l_{1} } \right\rangle } } \right)} \otimes \left( {U_{{k_{2} }} \frac{1}{\sqrt d }\sum\limits_{{l_{2} = 0}}^{d - 1} {\zeta^{{l_{2} r}} \left| {l_{2} } \right\rangle } } \right) \otimes \ldots \otimes \left( {U_{{k_{n} }} \frac{1}{\sqrt d }\sum\limits_{{l_{n} = 0}}^{d - 1} {\zeta^{{l_{n} r}} \left| {l_{n} } \right\rangle } } \right) \\ & = d^{{ - \frac{n + 1}{2}}} \sum\limits_{{l_{1} ,l_{2} , \ldots ,l_{n} }} {\left( {\sum\limits_{r = 0}^{d - 1} {\zeta^{{r\left( {l_{1} + l_{2} + \ldots + l_{n} } \right)}} } } \right)\left| {l_{1} \oplus k_{1} } \right\rangle \otimes \left| {l_{2} \oplus k_{2} } \right\rangle \otimes \ldots \otimes \left| {l_{n} \oplus k_{n} } \right\rangle } \\ & = d^{{ - \frac{n - 1}{2}}} \sum\limits_{{l_{1} { + }l_{2} { + } \ldots { + }l_{n} \equiv 0\left( {\bmod d} \right)}} {\left| {l_{1} \oplus k_{1} } \right\rangle \otimes \left| {l_{2} \oplus k_{2} } \right\rangle \otimes \ldots \otimes \left| {l_{n} \oplus k_{n} } \right\rangle } . \\ \end{aligned} $$
(5)

If we perform quantum measurements with the \( V_{1} \) basis on the right of Eq. (5), we will get the results of \( l_{i} \oplus k_{i} \) (\( i = 1,2, \ldots ,n \)). According to Eq. (5), it is apparent that

$$ \begin{aligned} \left( {l_{1} \oplus k_{1} } \right) \oplus \left( {l_{2} \oplus k_{2} } \right) \oplus \ldots \oplus \left( {l_{n} \oplus k_{n} } \right) & = \left( {l_{1} + k_{1} + l_{2} + k_{2} + \ldots + l_{n} + k_{n} } \right)\bmod d \\ & = \left[ {\left( {l_{1} + l_{2} + \ldots + l_{n} } \right)\bmod d{ + }\left( {k_{1} + k_{2} + \ldots + k_{n} } \right)\bmod d} \right]\bmod d \\ & = \left( {k_{1} + k_{2} + \ldots + k_{n} } \right)\bmod d \\ & = k_{1} \oplus k_{2} \oplus \ldots \oplus k_{n} . \\ \end{aligned} $$
(6)

2.2 Particle transmission mode of secure multi-party quantum computation

In secure multi-party quantum computation protocols (such as multi-party QKA), there are three kinds of particle transmission mode [32], i.e., the complete-graph-type, the circle-type and the tree-type (shown in Fig. 1). In the complete-graph-type particle transmission mode, every party prepares the initial quantum states and sends each of the other parties a sequence of prepared particles; in the circle-type particle transmission mode, every party prepares the initial quantum states and only sends out one sequence of prepared particles which will be operated by each of the other parties in turn and finally sent back to the one who prepared it; and in the tree-type particle transmission mode, only one party prepares the initial quantum states and sends each of the other parties a sequence of prepared particles which may or may not be sent back after operation (Fig. 2).

Fig. 1
figure 1

Three types of particle transmission mode in secure multi-party quantum computation protocols (taking five parties for example) [32]. Here, the vertices denote the parties while the edges denote the particle transmissions between two parties

Full size image
Fig. 2
figure 2

The flow chart of the proposed secure multi-party quantum summation protocol (taking \( \frac{1}{\sqrt d }\sum\limits_{r = 0}^{d - 1} {\left| r \right\rangle_{1}^{t} \left| r \right\rangle_{2}^{t} \ldots \left| r \right\rangle_{n}^{t} } \) for example). a \( {\rm P}_{1} \) prepares quantum state \( \frac{1}{\sqrt d }\sum\limits_{r = 0}^{d - 1} {\left| r \right\rangle_{1}^{t} \left| r \right\rangle_{2}^{t} \ldots \left| r \right\rangle_{n}^{t} } \) as the quantum carrier. Here, the rectangle with solid lines denotes the quantum state preparation operation; b \( {\rm P}_{1} \) transmits particle \( p_{j}^{t} \) (\( j = 2,3, \ldots ,n \)) to \( {\rm P}_{j} \), and keeps particle \( p_{1}^{t} \) intact. Here, the solid line with an arrow denotes the quantum state transmission operation; c \( {\rm P}_{i} \) (\( i = 1,2, \ldots ,n \)) encodes particle \( p_{i}^{t} \) by performing \( U_{{k_{i}^{t} }} F \) on it. Here, the solid circle denotes the encoding operation. d \( {\rm P}_{i} \) (\( i = 1,2, \ldots ,n \)) measures particle \( p_{i}^{t} \) after encoded with the basis \( V_{1} \). Here, the square denotes the quantum state measurement operation. e \( {\rm P}_{j} \) (\( j = 2,3, \ldots ,n \)) sends \( m_{j}^{t} \) to \( {\rm P}_{1} \). Then, \( {\rm P}_{1} \) computes \( k^{t} \) and sends it to \( {\rm P}_{j} \). Here, the dotted line with an arrow and the rectangle with dotted lines denote the classical information transmission operation and the classical computation operation, respectively

Full size image

3 The proposed secure multi-party quantum summation protocol and its analysis

3.1 Protocol description

Secure multi-party quantum summation should meet the following requirements [52]:

  1. 1.

    Correctness. The computation result of summation of players’ inputs is correct.

  2. 2.

    Security. An outside eavesdropper cannot obtain any useful information about each player’s input without being detected.

  3. 3.

    Privacy. Each player cannot learn any useful information more than her prescribed out, i.e., each player’s input can be kept secret.

However, the computation result of summation can be published.

Suppose that there are \( n \) (\( n > 2 \)) parties, \( {\rm P}_{1} ,{\rm P}_{2} , \ldots ,{\rm P}_{n} \), where \( {\rm P}_{i} \) (\( i = 1,2, \ldots ,n \)) has a private integer string \( K_{i} \) of length \( N \). That is,

$$ \begin{array}{*{20}c} {K_{1} = \left( {k_{1}^{1} ,k_{1}^{2} , \ldots ,k_{1}^{N} } \right)} \\ {K_{2} = \left( {k_{2}^{1} ,k_{2}^{2} , \ldots ,k_{2}^{N} } \right)} \\ \vdots \\ {K_{n} = \left( {k_{n}^{1} ,k_{n}^{2} , \ldots ,k_{n}^{N} } \right)} \\ \end{array} , $$
(7)

where \( k_{1}^{t} ,k_{2}^{t} , \ldots ,k_{n}^{t} \in \left\{ {0,1, \ldots ,d - 1} \right\} \) for \( t = 1,2, \ldots ,N \). \( {\rm P}_{1} ,{\rm P}_{2} , \ldots ,{\rm P}_{n} \) want to jointly derive the summation of their private integer strings shown in Eq. (8) without revealing the genuine contents of their private integer strings.

$$ K = K_{1} \oplus K_{2} \oplus \ldots \oplus K_{n} = \left( {k_{1}^{1} \oplus k_{2}^{1} \oplus \ldots \oplus k_{n}^{1} ,k_{1}^{2} \oplus k_{2}^{2} \oplus \ldots \oplus k_{n}^{2} , \ldots ,k_{1}^{N} \oplus k_{2}^{N} \oplus \ldots \oplus k_{n}^{N} } \right). $$
(8)

The detailed procedures of the proposed secure multi-party quantum summation protocol can be illustrated as follows. Without loss of generality, we suppose that \( {\rm P}_{1} \) is the party who prepares the initial quantum states. Moreover, \( {\rm P}_{1} \) is assumed to be semi-honest, which means that she may misbehave on her own but will not conspire with anyone. Here, only ideal channel (without noise) is considered.

Step 1: \( {\rm P}_{1} \) prepares \( N \)\( d \)-level \( n \)-particle entangled states all in the state \( \left| \omega \right\rangle_{12 \ldots n} \) and arranges them into an ordered sequence

$$ \left[ {\begin{array}{*{20}c} {\frac{1}{\sqrt d }\sum\limits_{r = 0}^{d - 1} {\left| r \right\rangle_{1}^{1} \left| r \right\rangle_{2}^{1} \ldots \left| r \right\rangle_{n}^{1} } ,} & {\frac{1}{\sqrt d }\sum\limits_{r = 0}^{d - 1} {\left| r \right\rangle_{1}^{2} \left| r \right\rangle_{2}^{2} \ldots \left| r \right\rangle_{n}^{2} ,} } & { \ldots ,} & {\frac{1}{\sqrt d }\sum\limits_{r = 0}^{d - 1} {\left| r \right\rangle_{1}^{N} \left| r \right\rangle_{2}^{N} \ldots \left| r \right\rangle_{n}^{N} } } \\ \end{array} } \right], $$
(9)

where the superscripts \( 1,2, \ldots ,N \) denote the order of \( d \)-level \( n \)-particle entangled states in the sequence. Afterward, \( {\rm P}_{1} \) takes the \( i \)th (\( i = 1,2, \ldots ,n \)) particle out from each state to construct \( n \) particle sequences which are labeled as:

$$ \begin{array}{*{20}c} {S_{1} = \left( {p_{1}^{1} ,p_{1}^{2} , \ldots ,p_{1}^{N} } \right)} \\ {S_{2} = \left( {p_{2}^{1} ,p_{2}^{2} , \ldots ,p_{2}^{N} } \right)} \\ {\begin{array}{*{20}c} \vdots \\ {S_{i} = \left( {p_{i}^{1} ,p_{i}^{2} , \ldots ,p_{i}^{N} } \right)} \\ \vdots \\ \end{array} } \\ {S_{n} = \left( {p_{n}^{1} ,p_{n}^{2} , \ldots ,p_{n}^{N} } \right)} \\ \end{array} , $$
(10)

where \( p_{i}^{t} \) represents the \( i \)th particle of the \( t \)th entangled state and \( t = 1,2, \ldots ,N \). For detecting eavesdropping, \( {\rm P}_{1} \) prepares \( n - 1 \) groups of decoy photons, each of which is randomly chosen from the set \( V_{1} \) or \( V_{2} \). Then, \( {\rm P}_{1} \) randomly picks out one group of decoy photons and randomly inserts the chosen decoy photons into particle sequence \( S_{j} \) to form a new sequence \( S_{j}^{'} \). Here, \( j = 2,3, \ldots ,n \). Finally, \( {\rm P}_{1} \) keeps \( S_{1} \) in her hand and sends \( S_{j}^{'} \) to \( {\rm P}_{j} \).

Step 2: After confirming that \( {\rm P}_{j} \) (\( j = 2,3, \ldots ,n \)) has received all the particles in sequence \( S_{j}^{'} \), \( {\rm P}_{1} \) checks the transmission security of sequence \( S_{j}^{'} \) together with \( {\rm P}_{j} \). Concretely, \( {\rm P}_{1} \) tells \( {\rm P}_{j} \) the positions and the measurement basis of decoy photons in sequence \( S_{j}^{'} \). In the following, \( {\rm P}_{j} \) uses the correct basis to measure the corresponding decoy photons and tells \( {\rm P}_{1} \) half of the measurement results. Afterward, \( {\rm P}_{1} \) announces the initial states of the remaining half of decoy photons. Finally, they check whether the measurement results of decoy photons are consistent with their initial states. In this way, \( {\rm P}_{1} \) and \( {\rm P}_{j} \) can check the transmission security of sequence \( S_{j}^{'} \). If the error rate is greater than a predetermined threshold, they will terminate the protocol; otherwise, they will proceed to the next step.

Step 3: \( {\rm P}_{j} \) (\( j = 2,3, \ldots ,n \)) discards the decoy photons in sequence \( S_{j}^{'} \) and obtains sequence \( S_{j} \). Then, \( {\rm P}_{j} \) encodes her private integer string \( K_{j} \) on the particles in sequence \( S_{j} \). Concretely, \( {\rm P}_{j} \) performs \( U_{{k_{j}^{t} }} F \) on particle \( p_{j}^{t} \), where \( t = 1,2, \ldots ,N \). The new sequence of \( S_{j} \) after encoded is denoted as \( ES_{j} \).

In the same time, \( {\rm P}_{1} \) also encodes her private integer string \( K_{1} \) on the particles in sequence \( S_{1} \) by performing \( U_{{k_{1}^{t} }} F \) on particle \( p_{1}^{t} \). The new sequence of \( S_{1} \) after encoded is denoted as \( ES_{1} \).

Step 4: After all parties have finishing encoding of their private integer strings, each of them measures all particles in their respective hand with the basis \( V_{1} \) and obtains the corresponding measurement results. As a result, it can be derived that

$$ \begin{array}{*{20}c} {M_{1} = \left( {m_{1}^{1} ,m_{1}^{2} , \ldots ,m_{1}^{N} } \right)} \\ {M_{2} = \left( {m_{2}^{1} ,m_{2}^{2} , \ldots ,m_{2}^{N} } \right)} \\ {\begin{array}{*{20}c} \vdots \\ {M_{i} = \left( {m_{i}^{1} ,m_{i}^{2} , \ldots ,m_{i}^{N} } \right)} \\ \vdots \\ \end{array} } \\ {M_{n} = \left( {m_{n}^{1} ,m_{n}^{2} , \ldots ,m_{n}^{N} } \right)} \\ \end{array} , $$
(11)

where \( m_{i}^{t} \) is the measurement result of particle \( p_{i}^{t} \) after encoded, \( i = 1,2, \ldots ,n \) and \( t = 1,2, \ldots ,N \). According to Eq. (5), it can be obtained that \( m_{i}^{t} = l_{i}^{t} \oplus k_{i}^{t} \) and \( l_{1}^{t} + l_{2}^{t} + \ldots + l_{n}^{t} \equiv 0\left( {\bmod d} \right) \). Then, \( {\rm P}_{j} \) (\( j = 2,3, \ldots ,n \)) announces \( M_{j} \) to \( {\rm P}_{1} \). Finally, according to Eq. (6), \( {\rm P}_{1} \) obtains the summation of all parties’ private integer strings by computing

$$ \begin{aligned} M_{1} \oplus M_{2} \oplus \ldots \oplus M_{n} & = \left( {m_{1}^{1} \oplus m_{2}^{1} \oplus \ldots \oplus m_{n}^{1} ,m_{1}^{2} \oplus m_{2}^{2} \oplus \ldots \oplus m_{n}^{2} , \ldots ,m_{1}^{N} \oplus m_{2}^{N} \oplus \ldots \oplus m_{n}^{N} } \right) \\ & = \left( {k_{1}^{1} \oplus k_{2}^{1} \oplus \ldots \oplus k_{n}^{1} ,k_{1}^{2} \oplus k_{2}^{2} \oplus \ldots \oplus k_{n}^{2} , \ldots ,k_{1}^{N} \oplus k_{2}^{N} \oplus \ldots \oplus k_{n}^{N} } \right) \\ & = K_{1} \oplus K_{2} \oplus \ldots \oplus K_{n} = K. \\ \end{aligned} $$
(12)

In order to let the other parties know the result of summation, \( {\rm P}_{1} \) announces it publicly.

It concludes the description of the proposed secure multi-party quantum summation protocol. It is apparent that in the above protocol, only \( {\rm P}_{1} \) prepares the initial quantum states and sends each of the other parties a sequence of prepared particles. Thus, the above protocol adopts the tree-type particle transmission mode.

3.2 Analysis

  1. A.

    Output correctness

In this subsection, we verify that the output of the above protocol is correct. There are \( n \) parties named \( {\rm P}_{1} ,{\rm P}_{2} , \ldots ,{\rm P}_{n} \), where \( {\rm P}_{i} \) (\( i = 1,2, \ldots ,n \)) has a private integer string \( K_{i} \) of length \( N \). Without loss of generality, after ignoring the eavesdropping check processes, we take the first integer of each private integer string (i.e., \( k_{i}^{1} \), \( i = 1,2, \ldots ,n \)) for example, to illustrate the output correctness.

\( {\rm P}_{1} \) prepares one \( d \)-level \( n \)-particle entangled state in the state \( \frac{1}{\sqrt d }\sum\limits_{r = 0}^{d - 1} {\left| r \right\rangle_{1}^{1} \left| r \right\rangle_{2}^{1} \ldots \left| r \right\rangle_{n}^{1} } \). Then, \( {\rm P}_{1} \) keeps particle \( p_{1}^{1} \) in her hand and sends particle \( p_{j}^{1} \) to \( {\rm P}_{j} \). Here, \( j = 2,3, \ldots ,n \). After receiving particle \( p_{j}^{1} \), \( {\rm P}_{j} \) performs \( U_{{k_{j}^{1} }} F \) on particle \( p_{j}^{1} \) to encode the private integer \( k_{j}^{1} \). In the same time, \( {\rm P}_{1} \) also encodes her private integer \( k_{1}^{1} \) by performing \( U_{{k_{1}^{1} }} F \) on particle \( p_{1}^{1} \). Then, \( {\rm P}_{j} \) measures particle \( p_{j}^{1} \) after encoded with the basis \( V_{1} \) and tells \( {\rm P}_{1} \) the measurement result \( m_{j}^{1} \). \( {\rm P}_{1} \) also uses the basis \( V_{1} \) to measure \( p_{1}^{1} \) after encoded and obtains the measurement result \( m_{1}^{1} \). Here, \( m_{i}^{1} = l_{i}^{1} \oplus k_{i}^{1} \) and \( i = 1,2, \ldots ,n \). Finally, according to Eq. (6), \( {\rm P}_{1} \) obtains \( k_{1}^{1} \oplus k_{2}^{1} \oplus \ldots \oplus k_{n}^{1} \) by computing \( m_{1}^{1} \oplus m_{2}^{1} \oplus \ldots \oplus m_{n}^{1} \). Concretely,

$$ \begin{aligned} m_{1}^{1} \oplus m_{2}^{1} \oplus \ldots \oplus m_{n}^{1} & = \left( {l_{1}^{1} \oplus k_{1}^{1} } \right) \oplus \left( {l_{2}^{1} \oplus k_{2}^{1} } \right) \oplus \ldots \oplus \left( {l_{n}^{1} \oplus k_{n}^{1} } \right) \\ & = \left( {l_{1}^{1} + k_{1}^{1} + l_{2}^{1} + k_{2}^{1} + \ldots + l_{n}^{1} + k_{n}^{1} } \right)\bmod d \\ & = \left[ {\left( {l_{1}^{1} + l_{2}^{1} + \ldots + l_{n}^{1} } \right)\bmod d{ + }\left( {k_{1}^{1} + k_{2}^{1} + \ldots + k_{n}^{1} } \right)\bmod d} \right]\bmod d \\ & = \left( {k_{1}^{1} + k_{2}^{1} + \ldots + k_{n}^{1} } \right)\bmod d \\ & = k_{1}^{1} \oplus k_{2}^{1} \oplus \ldots \oplus k_{n}^{1} = k^{1} . \\ \end{aligned} $$
(13)

It can be concluded now that the output of the above protocol is correct.

  1. B.

    Security

In this subsection, we verify that both the outside attack and the participant attack are ineffective for the above protocol.

  1. (i)

    Outside attack

We analyze the possibility for an outside eavesdropper to steal the private integer strings from all parties here.

In the above protocol, in order to get something useful about the private integer strings, an outside eavesdropper may utilize the particle transmission that \( {\rm P}_{1} \) sends \( S_{j}^{'} \) (\( j = 2,3, \ldots ,n \)) to \( {\rm P}_{j} \) in Step 1 to launch active attacks, such as the intercept-resend attack, the measure-resend attack and the entangle-measure attack and so on. However, the above protocol employs the decoy photons, which are randomly chosen from the two conjugate bases, \( V_{1} \) and \( V_{2} \), to detect the presence of an outside eavesdropper. Note that the decoy photon technique [62, 63] can be thought as a variant of the BB84 eavesdropping check method [1] which has been proven to be unconditionally secure [64]. Moreover, the effectiveness of decoy photon technology in 2-level quantum system against an outside eavesdropper’s attacks has also been validated in Refs [65, 66]. It is straightforward that the decoy photon technology is also effective against an outside eavesdropper’s attacks in \( d \)-level quantum system. Therefore, if an outside eavesdropper launches active attacks during the particle transmissions, due to having no knowledge about the positions and the measurement basis of decoy photons before the announcement on them, she will inevitably leave her trace on decoy photons and be detected by the eavesdropping check process.

On the other hand, in Step 4, an outside eavesdropper may hear of \( M_{j} \) when \( {\rm P}_{j} \) (\( j = 2,3, \ldots ,n \)) announces it to \( {\rm P}_{1} \) and the result of summation when \( {\rm P}_{1} \) publishes it. However, she still cannot decrypt out \( k_{j}^{t} \) (\( t = 1,2, \ldots ,N \)) from \( m_{j}^{t} \), because she does not know the value of \( l_{j}^{t} \). In addition, an outside eavesdropper can deduce \( M_{1} \) from \( M_{2} ,M_{3} , \ldots ,M_{n} \) and the result of summation. However, due to lack of the knowledge of the value of \( l_{1}^{t} \), she cannot know \( k_{1}^{t} \) either.

  1. (ii)

    Participant attack

In 2007, Gao et al. [67] first pointed out that the participant attack, i.e., the attack from one or more dishonest parties, is generally more powerful and should be paid more attention to. To date, the participant attack has attracted much attention in the cryptanalysis of quantum cryptography [68,69,70]. To see this in a sufficient way, we consider two cases of participant attack. Firstly, we discuss the participant attack from one single dishonest party; and then, we analyze the colluding attack from two or more dishonest parties.

  1. (a)

    The participant attack from one single dishonest party

In the above protocol, the roles of different \( {\rm P}_{j} \) s (\( j = 2,3, \ldots ,n \)) are the same, but are different from \( {\rm P}_{1} \) who prepares the initial quantum states and distributes the prepared particle sequences. Thus, there are two kinds of the participant attack from one single dishonest party, i.e., the participant attack from a single dishonest \( {\rm P}_{j} \) and the participant attack from semi-honest \( {\rm P}_{1} \).

With respect to the participant attack from a single dishonest \( {\rm P}_{j} \), if \( {\rm P}_{j} \) launches attacks on the particles in \( S_{{j^{'} }}^{'} \) from \( {\rm P}_{1} \) to \( {\rm P}_{{j^{'} }} \) (\( j^{'} = 2,3, \ldots ,n \) and \( j^{'} \ne j \)) in Step 1, due to having no knowledge about the positions and the measurement basis of the inserted decoy photons in \( S_{{j^{'} }}^{'} \), she will inevitably be caught as an outside eavesdropper. In addition, \( {\rm P}_{j} \) may hear of \( M_{{j^{'} }} \) when \( {\rm P}_{{j^{'} }} \) announces it to \( {\rm P}_{1} \) in Step 4. However, due to having no access to the value of \( l_{{j^{'} }}^{t} \) (\( t = 1,2, \ldots ,N \)), she still cannot decrypt out \( k_{{j^{'} }}^{t} \) from \( m_{{j^{'} }}^{t} \). On the other hand, \( {\rm P}_{j} \) can deduce \( M_{1} \) from \( M_{2} ,M_{3} , \ldots ,M_{n} \) and the result of summation. However, due to lack of the knowledge of the value of \( l_{1}^{t} \), \( {\rm P}_{j} \) cannot know \( k_{1}^{t} \) either.

With respect to the participant attack from semi-honest \( {\rm P}_{1} \), in order to obtain the private integer strings of the other parties, \( {\rm P}_{1} \) can take the chance of preparing the initial quantum states to launch the following attack:

  1. (1)

    \( {\rm P}_{1} \) prepares \( N \)\( d \)-level \( n \)-particle entangled states all in the state \( \left| \omega \right\rangle_{12 \ldots n} \), and measures each of them with the basis \( V_{1} \). The collapsed states after measurement are denoted as

$$ \left[ {\begin{array}{*{20}c} {\left( {\left| {r^{1} } \right\rangle_{1} ,\left| {r^{1} } \right\rangle_{2} , \ldots ,\left| {r^{1} } \right\rangle_{n} } \right),} & {\left( {\left| {r^{2} } \right\rangle_{1} ,\left| {r^{2} } \right\rangle_{2} , \ldots ,\left| {r^{2} } \right\rangle_{n} } \right),} & { \ldots ,} & {\left( {\left| {r^{N} } \right\rangle_{1} ,\left| {r^{N} } \right\rangle_{2} , \ldots ,\left| {r^{N} } \right\rangle_{n} } \right)} \\ \end{array} } \right], $$
(14)

where \( \left| {r^{t} } \right\rangle_{i} \) denotes the collapsed state of the \( i \)th particle in the \( t \)th \( d \)-level \( n \)-particle entangled state after measurement. Here, \( t = 1,2, \ldots ,N \) and \( i = 1,2, \ldots ,n \). Afterward, \( {\rm P}_{1} \) constructs \( n \) particle sequences as follows:

$$ \begin{array}{*{20}c} {S_{1} = \left( {\left| {r^{1} } \right\rangle_{1} ,\left| {r^{2} } \right\rangle_{1} , \ldots ,\left| {r^{N} } \right\rangle_{1} } \right)} \\ {S_{2} = \left( {\left| {r^{1} } \right\rangle_{2} ,\left| {r^{2} } \right\rangle_{2} , \ldots ,\left| {r^{N} } \right\rangle_{2} } \right)} \\ {\begin{array}{*{20}c} \vdots \\ {S_{i} = \left( {\left| {r^{1} } \right\rangle_{i} ,\left| {r^{2} } \right\rangle_{i} , \ldots ,\left| {r^{N} } \right\rangle_{i} } \right)} \\ \vdots \\ \end{array} } \\ {S_{n} = \left( {\left| {r^{1} } \right\rangle_{n} ,\left| {r^{2} } \right\rangle_{n} , \ldots ,\left| {r^{N} } \right\rangle_{n} } \right)} \\ \end{array} . $$
(15)

For detecting eavesdropping, \( {\rm P}_{1} \) prepares \( n - 1 \) groups of decoy photons, each of which is randomly chosen from the set \( V_{1} \) or \( V_{2} \), and randomly inserts one group of decoy photons into particle sequence \( S_{j} \) to form a new sequence \( S_{j}^{'} \). Here, \( j = 2,3, \ldots ,n \). Then, \( {\rm P}_{1} \) keeps \( S_{1} \) in her hand and sends \( S_{j}^{'} \) to \( {\rm P}_{j} \).

  1. (2)

    \( {\rm P}_{1} \) and \( {\rm P}_{j} \) (\( j = 2,3, \ldots ,n \)) check the transmission security of sequence \( S_{j}^{'} \) together as illustrated in Step 2. Apparently, \( {\rm P}_{j} \) cannot discover the misbehavior of \( {\rm P}_{1} \). Therefore, \( {\rm P}_{j} \) discards the decoy photons in sequence \( S_{j}^{'} \) to restore sequence \( S_{j} \) and performs \( U_{{k_{j}^{t} }} F \) on particle \( \left| {r^{t} } \right\rangle_{j} \), where \( t = 1,2, \ldots ,N \). The corresponding encoded particle of \( \left| {r^{t} } \right\rangle_{j} \) is

$$ \left( {U_{{k_{j}^{t} }} F} \right)\left| {r^{t} } \right\rangle_{j} = U_{{k_{j}^{t} }} \frac{1}{\sqrt d }\sum\limits_{{l_{j}^{'t} = 0}}^{d - 1} {\zeta^{{l_{j}^{'t} r^{t} }} \left| {l_{j}^{'t} } \right\rangle } = \frac{1}{\sqrt d }\sum\limits_{{l_{j}^{'t} = 0}}^{d - 1} {\zeta^{{l_{j}^{'t} r^{t} }} \left| {l_{j}^{'t} \oplus k_{j}^{t} } \right\rangle } . $$
(16)

Afterward, \( {\rm P}_{j} \) measures all particles in her hand with the basis \( V_{1} \) and publishes her measurement result

$$ M_{j} = \left( {m_{j}^{1} ,m_{j}^{2} , \ldots ,m_{j}^{N} } \right) . $$
(17)

Here, \( m_{j}^{t} = l_{j}^{'t} \oplus k_{j}^{t} \). Then, \( {\rm P}_{j} \) announces \( M_{j} \) to \( {\rm P}_{1} \). Finally, \( {\rm P}_{1} \) tries to extract \( k_{j}^{t} \) from \( m_{j}^{t} \).

However, although \( {\rm P}_{1} \) knows \( m_{j}^{t} \) from the announcement of \( {\rm P}_{j} \), she still cannot extract \( k_{j}^{t} \), as she has no knowledge about \( l_{j}^{'t} \). It can be concluded that the participant attack from semi-honest \( {\rm P}_{1} \) is ineffective.

  1. (b)

    The participant attack from two or more dishonest parties

Since \( {\rm P}_{1} \) is not allowed to collude with other parties, if the other \( n - 1 \) parties collude together, they can easily deduce the private integer string of \( {\rm P}_{1} \) from the result of summation. Therefore, the above protocol cannot resist the colluding attack from \( n - 1 \) parties.

Next, we will demonstrate that the above protocol can resist the colluding attack from \( n - 2 \) parties. Without loss of generality, assume that the dishonest \( {\rm P}_{2} , \ldots ,{\rm P}_{i - 1} ,{\rm P}_{i + 1} , \ldots ,{\rm P}_{n} \) try to collude together to obtain the private integer strings of \( {\rm P}_{1} \) and \( {\rm P}_{i} \). Firstly, if \( {\rm P}_{2} , \ldots ,{\rm P}_{i - 1} ,{\rm P}_{i + 1} , \ldots ,{\rm P}_{n} \) try to launch attacks on the particles in \( S_{i}^{'} \) from \( {\rm P}_{1} \) to \( {\rm P}_{i} \) in Step 1, due to having no knowledge about the positions and the measurement basis of the inserted decoy photons in \( S_{i}^{'} \), they will inevitably be caught as an outside eavesdropper. Secondly, in Step 4, \( {\rm P}_{s} \)\( \left( {s = 2, \ldots ,i - 1,i + 1, \ldots ,n} \right) \) can know \( M_{s} \), and may hear of \( M_{i} \) when \( {\rm P}_{i} \) announces it to \( {\rm P}_{1} \) and the result of summation when \( {\rm P}_{1} \) publishes it.\( {\rm P}_{s} \) can deduce \( M_{1} \) from \( M_{2} ,M_{3} , \ldots ,M_{n} \) and the result of summation. Moreover, \( {\rm P}_{s} \) can deduce \( l_{s}^{t} \) (\( t = 1,2, \ldots ,N \)) from \( k_{s}^{t} \) and \( m_{s}^{t} \). However, even though the \( n - 2 \) parties conclude together, they still cannot obtain the accurate values of \( l_{i}^{t} \) and \( l_{1}^{t} \). Therefore, \( {\rm P}_{2} , \ldots ,{\rm P}_{i - 1} ,{\rm P}_{i + 1} , \ldots ,{\rm P}_{n} \) cannot decrypt out \( k_{i}^{t} \) and \( k_{1}^{t} \) from \( m_{i}^{t} \) and \( m_{1}^{t} \), respectively.

4 Discussion and conclusion

We compare the proposed protocol with previous quantum summation protocols with respect to type of addition and type of computation. The comparison result is summarized in Table 1. From Table 1, it can be concluded that the modulo of the proposed protocol can easily be bigger than those of Refs [52, 56,57,58, 61], which may result in more extensive applications, and compared with the protocols of Refs [52, 56,57,58, 60, 61], the proposed protocol easily has higher computation efficiency because of its secret-by-secret computation.

Table 1 Comparison of previous quantum summation protocols and the proposed protocol
Full size table

Further, we give a more detailed comparison between the proposed protocol and the protocol of Ref [59] by ignoring their security check processes, since both of them utilize quantum Fourier transform. The comparison result is summarized in Table 2.

Table 2 Comparison of quantum summation protocol in Ref. [59] and the proposed protocol
Full size table

In addition, in some circumstance, it is necessary to make all parties share the result of summation privately among them. In other words, anyone else except all parties is not allowed to know the result of summation. In order to achieve this goal, every party can launch the proposed protocol acting as \( {\rm P}_{1} \) and does not announce the result of summation publicly.

To sum up, in this paper, a novel secure multi-party quantum summation protocol based on quantum Fourier transform is proposed, where the traveling particles are transmitted in a tree-type mode. We verify in detail that the proposed protocol can resist both the outside attacks and the participant attacks. Especially, one party cannot obtain other parties’ private integer strings; and it is secure for the colluding attack performed by at most \( n - 2 \) parties. The proposed protocol calculates the addition of modulo \( d \) and implements the calculation of addition in a secret-by-secret way rather than a bit-by-bit way. In addition, the proposed protocol only considers ideal channel. When noise is concerned, additional operation such as quantum private amplification is needed.