1 Introduction

With the development of computer and the advent of information society, the protection of private information has become particularly important. Cryptography has played a great role in ensuring the integrity, confidentiality and authenticity of information. However, the emergence of quantum parallel computing with strong computing power threatens the security of classical cryptography, which depends on computational complexity. However, quantum cryptography, which depends on the basic principles of quantum mechanics, has unconditional security, so it has attracted extensive attention.

In 1984, Bennett and Brassard [1] combined classical cryptography with quantum mechanics and proposed the first quantum key distribution protocol. After that, quantum mechanics is more and more widely used in cryptography. People have proposed various quantum protocols, such as quantum election [2, 3], quantum secret sharing [4, 5], quantum key distribution [6, 7] and quantum digital signature [8, 9].

In the past decade, quantum privacy comparison (QPC) has become a hot issue in quantum cryptography. The concept of privacy comparison originates from the millionaire problem proposed by Yao [10]. It can compare the equality of two or more parties’ privacy information without disclosing them. In 2009, Yang [11] proposed the first quantum privacy comparison protocol, which uses Bell state as quantum resource to compare the equality of two parties’ secret values. After that, various QPC protocols for multi-particle entanglement have been proposed, such as W state, eight-qubit entangled state, six-qubit entangled state, cluster states and so on [12,13,14,15,16,17,18,19,20]. At same time, different quantum technologies such as unitary transformation, quantum shift operation and decoy photon are also gradually applied to QPC protocol. For example, Duan [21] proposes a new quantum privacy comparison protocol based on quantum shift operation. The protocol encodes the private information of participants into quantum states through quantum shift operation, and compares the equality of private information of all participants by executing the protocol once.

On the premise of ensuring security, it is possible to use the easily prepared quantum states as quantum resources and avoid the use of complex quantum technologies, which can improve the availability of the protocol. Based on the above principles, this paper proposes a quantum privacy comparison protocol based on classical-quantum authentication channel. Participants encrypt the secret information according to the entanglement characteristics of Bell state and use decoy photon technology and QKD technology to ensure the security of the protocol. As described in Lo [22], it is impossible to design a safe equality function in the two-party scenario, and some additional assumptions need to be introduced. Therefore, this paper introduces a semi-honest third party, which allows itself to misbehave, but TP does not collude with other participants. Finally, the security analysis shows that our proposed protocol can resist external and internal attacks and is secure.

The structure of this paper is as follows: In Sect. 2, the proposed QPC protocol is described in detail. In Sect. 3 and Sect. 4, the correctness and the security of the proposed protocol are analyzed, respectively. In Sect. 5, we compare our protocol with some existing protocols. Finally, we make a summary in Sect. 6.

2 The proposed scheme

In this section, we offer an explicit description of the presented protocol. Three communicants, Alice, Bob and Charlie, have three private integers, \(X=(x_{1},x_{2},\cdots ,x_{n}), Y=(y_{1}, y_{2},\cdots , y_{n})\) and \(Z=(z_{1}, z_{2}, \cdots , z_{n})\), respectively. Here \(x_{i}, y_{i}, z_{i}\in \{0, 1\}\) for \(i=1, 2, \cdots , n\). With the help of the semi-honest third party(TP) who is curious but does not collude with communicants, Alice, Bob and Charlie want to judge whether X, Y and Z are equal or not. The process of the proposed QPC protocol can be described as follow.

Step 1 TP chooses five random number sequence \(K_{TA}\), \(K_{TB}\), \(K_{TC}\), \(K_{1}\) and \(K_{2}\), i.e.,

$$\begin{aligned}{} & {} K_{TA}=(k_{TA}^{1},k_{TA}^{2},\cdots ,k_{TA}^{n}),\\{} & {} K_{TB}=(k_{TB}^{1},k_{TB}^{2},\cdots ,k_{TB}^{n}),\\{} & {} K_{TC}=(k_{TC}^{1},k_{TC}^{2},\cdots ,k_{TC}^{n}). \end{aligned}$$

where \(k_{TA}^{i}, k_{TB}^{i}, k_{TC}^{i}\in \{0, 1\}\) for \(i=1,2,\cdots ,n\).

$$\begin{aligned}{} & {} K_{1}=(k_{A1}^{1}k_{B1}^{1}k_{C1}^{1},k_{A1}^{2}k_{B1}^{2}k_{C1}^{2},\cdots ,k_{A1}^{n}k_{B1}^{n}k_{C1}^{n}),\\{} & {} K_{2}=(k_{A2}^{1}k_{B2}^{1}k_{C2}^{1},k_{A2}^{2}k_{B2}^{2}k_{C2}^{2},\cdots ,k_{A2}^{n}k_{B2}^{n}k_{C2}^{n}). \end{aligned}$$

where \(k_{A1}^{i}k_{B1}^{i}k_{C1}^{i},k_{A2}^{i}k_{B2}^{i}k_{C2}^{i}\in \{011,101,110\}\) for \(i=1,2,\cdots ,n\). It should be noted that \(k_{A1}^{i}k_{B1}^{i}k_{C1}^{i}\ne k_{A2}^{i}k_{B2}^{i}k_{C2}^{i}\).

Then, TP divides \(K_{1}\) into three sequences, \(K_{A1}\), \(K_{B1}\) and \(K_{C1}\),which are formed by all the first, the second and the third number, respectively.

$$\begin{aligned} K_{A1}=(k_{A1}^{1},k_{A1}^{2},\cdots ,k_{A1}^{n}), K_{B1}=(k_{B1}^{1},k_{B1}^{2},\cdots ,k_{B1}^{n}), K_{C1}=(k_{C1}^{1},k_{C1}^{2},\cdots ,k_{C1}^{n}). \end{aligned}$$

Similarly, TP takes the first number, the second number and the third number in \(K_{2}\) to form sequences \(K_{A2}\), \(K_{B2}\) and \(K_{C2}\)

$$\begin{aligned} K_{A2}=(k_{A2}^{1},k_{A2}^{2},\cdots ,k_{A2}^{n}), K_{B2}=(k_{B2}^{1},k_{B2}^{2},\cdots ,k_{B2}^{n}), K_{C2}=(k_{C2}^{1},k_{C2}^{2},\cdots ,k_{C2}^{n}). \end{aligned}$$

Finally, TP sends the sequences \(K_{TA}, K_{A1}, K_{A2}\) to Alice, the sequences \(K_{TB}, K_{B1}, K_{B2}\) to Bob and the sequences \(K_{TC}, K_{C1}, K_{C2}\) to Charlie in advance through the authenticated classical (or quantum) channels, respectively.

Step 2 Alice and Bob use the QKD protocol to generate two shared secret key sequence \(K_{AB}=(k_{AB}^{1},k_{AB}^{2},\cdots ,k_{AB}^{n})\). Similarly, Bob and Charlie generate two shared key sequence \(K_{BC1}=(k_{BC1}^{1},k_{BC1}^{2},\cdots ,k_{BC1}^{n})\) and \(K_{BC2}=(k_{BC2}^{1},k_{BC2}^{2},\cdots ,k_{BC2}^{n})\). Charlie and Alice generate a shared key sequence \(K_{AC}=(k_{AC}^{1},k_{AC}^{2},\cdots ,k_{AC}^{n})\) Here, \(k_{AB}^{i},k_{BC1}^{i},k_{BC2}^{i},k_{AC}^{i}\in \{0,1\}\).

Step 3 Alice (Bob and Charlie) prepares quantum states according to the i-th binary representation \(k_{TA}^{i}\)(\(k_{TB}^{i}\) and \(k_{TC}^{i}\)). If \(k_{TA}^{i}=0\) (\(k_{TB}^{i}=0\) and \(k_{TC}^{i}=0\)), Alice (Bob and Charlie) generates a Bell state \(\vert \phi ^{+}\rangle =\frac{1}{\sqrt{2}}(\vert 00\rangle +\vert 11\rangle )\); Otherwise Alice (Bob and Charlie) generates a Bell state \(\vert \psi ^{+}\rangle =\frac{1}{\sqrt{2}}(\vert 01\rangle +\vert 10\rangle )\). Then, Alice, Bob and Charlie obtain the quantum state sequences \(S_{A}\), \(S_{B}\) and \(S_{C}\), respectively.

Alice (Bob and Charlie) picks out the first particle from each state to form an ordered sequence \(S_{A1}\)(\(S_{B1}\) and \(S_{C1}\)). The remaining second particle from each state automatically forms the other ordered sequence \(S_{A2}\)(\(S_{B2}\) and \(S_{C2}\)). Alice (Bob and Charlie) prepares a set of decoy photon, which are randomly chosen from the four states\(\{\vert 0\rangle ,\vert 1\rangle ,\vert +\rangle ,\vert -\rangle \}\), and randomly inserts them into \(S_{A1}\)(\(S_{B1}\) and \(S_{C1}\)) to compose a new sequence \(S_{A1}^{\prime }\)(\(S_{B1}^{\prime }\) and \(S_{C1}^{\prime }\)). Finally, Alice sends \(S_{A1}^{\prime }\) to Bob, Bob sends \(S_{B1}^{\prime }\) to Charlie, and Charlie sends \(S_{C1}^{\prime }\) to Alice.

Step 4 After Bob receives \(S_{A1}^{\prime }\), Alice and Bob check the transmission security of \(S_{A1}^{\prime }\) together. Alice tells Bob the positions and the preparation bases of decoy photons in \(S_{A1}^{\prime }\). Afterward, Bob uses the preparation basis of Alice to measure the decoy photons in \(S_{A1}^{\prime }\) and tell Alice the measurement results. By comparing Bob’s measurement results with the initial states of decoy photons, Alice can judge whether the transmission of \(S_{A1}^{\prime }\) was secure or not.If the error rate exceeds the threshold, the communication will be aborted; otherwise, they will continue the communication and remove the decoy photons in \(S_{A1}^{\prime }\) to restore \(S_{A1}\); it should be noted that the value of the error rate depends on to the channel situation, the distance, etc. According to Refs [23,24,25], the threshold of the detected error rate is [\(\tau \approx 2~8.9\%\)].

Bob and Charlie, Charlie and Alice use the same eavesdropping check method to check the transmission security of \(S_{B1}^{\prime }\) and \(S_{C1}^{\prime }\).

Step 5 Alice performs single-particle measurements on each particle in \(S_{C1}\) and \(S_{A2}\) with Z basis, and denotes obtaining the measurement result \(M_{C1}^{i}\) and \(M_{A2}^{i}\). Alice transforms \(M_{C1}^{i}\) and \(M_{A2}^{i}\) into classical bit according to the following rule: if \(M_{C1}^{i}=\vert 0\rangle \)(\(M_{A2}^{i}=\vert 0\rangle \)), then \(c_{1}^{i}=0\)(\(a_{2}^{i}=0\)); and if \(M_{C1}^{i}=\vert 1\rangle \)(\(M_{A2}^{i}=\vert 1\rangle \)), then \(c_{1}^{i}=1\)(\(a_{2}^{i}=1\)). Alice computes \(R_{A1}^{i}\) and \(R_{A2}^{i}\) as follows:

$$\begin{aligned}{} & {} R_{A1}^{i}=c_{1}^{i}\oplus a_{2}^{i}\oplus k_{AB}^{i}\oplus (k_{A1}^{i}\wedge x_{i}),\\{} & {} R_{A2}^{i}=c_{1}^{i}\oplus a_{2}^{i}\oplus k_{AC}^{i}\oplus (k_{A2}^{i}\wedge x_{i}). \end{aligned}$$

where the symbol \(\oplus \) represents XOR operation and the symbol \(\wedge \) represents logical multiplication throughout this paper.

Bob measures the sequences \(S_{A1}\) and \(S_{B2}\) with Z basis and the measurement results are denoted as \(M_{A1}^{i}\) and \(M_{B2}^{i}\). Then, according to the coding rules, he denotes binary number corresponding to the measurement result as \(a_{1}^{i}\) and \(b_{2}^{i}\). Bob computes \(R_{B1}^{i}\) and \(R_{B2}^{i}\) in following:

$$\begin{aligned}{} & {} R_{B1}^{i}=a_{1}^{i}\oplus b_{2}^{i}\oplus k_{AB}^{i}\oplus k_{BC1}^{i}\oplus (k_{B1}^{i}\wedge y_{i}),\\{} & {} R_{B2}^{i}=a_{1}^{i}\oplus b_{2}^{i}\oplus k_{BC2}^{i}\oplus (k_{B2}^{i}\wedge y_{i}). \end{aligned}$$

Charlie uses Z basis to measure each particle of \(S_{B1}\) and \(S_{C2}\) and get the measurement outcomes \(M_{B1}^{i}\) and \(M_{C2}^{i}\). He transforms \(M_{B1}^{i}\) and \(M_{C2}^{i}\) into classical bit as \(b_{1}^{i}\) and \(c_{2}^{i}\) according to the coding rules. Charlie computes \(R_{C1}^{i}\) and \(R_{C2}^{i}\) as follows:

$$\begin{aligned}{} & {} R_{C1}^{i}=b_{1}^{i}\oplus c_{2}^{i}\oplus k_{BC1}^{i}\oplus (k_{C1}^{i}\wedge z_{i}),\\{} & {} R_{C2}^{i}=b_{1}^{i}\oplus c_{2}^{i}\oplus k_{AC}^{i}\oplus k_{BC2}^{i}\oplus (k_{C2}^{i}\wedge z_{i}). \end{aligned}$$

Finally, the binary number \(R_{A1}^{i}\), \(R_{A2}^{i}\), \(R_{B1}^{i}\), \(R_{B2}^{i}\), \(R_{C1}^{i}\) and \(R_{C2}^{i}\) are announced to TP using classical channels.

Step 6TP computes:

$$\begin{aligned}{} & {} R_{AB1}^{i}=R_{A1}^{i}\oplus R_{B1}^{i}\oplus k_{AT}^{i}\oplus k_{BT}^{i}=c_{1}^{i}\oplus b_{2}^{i}\oplus k_{BC1}^{i}\oplus (k_{A1}^{i}\wedge x_{i})\oplus (k_{B1}^{i}\wedge y_{i})\oplus k_{BT}^{i},\\{} & {} R_{C1}^{i\prime }=R_{C1}^{i}\oplus k_{CT}^{i}=b_{1}^{i}\oplus c_{2}^{i}\oplus k_{BC1}^{i}\oplus (k_{C1}^{i}\wedge z_{i})\oplus k_{CT}^{i}. \end{aligned}$$

If TP discovers that \(R_{AB1}^{i}\ne R_{C1}^{i\prime }\), TP will stop the protocol and announce that the secrets of X,Y,Z are not same; otherwise, she will continue to calculate:

$$\begin{aligned}{} & {} R_{BC}^{i}=R_{B2}^{i}\oplus R_{C2}^{i}\oplus k_{AT}^{i}\oplus k_{BT}^{i}=a_{1}^{i}\oplus c_{2}^{i}\oplus k_{AC}^{i}\oplus (k_{B2}^{i}\wedge y_{i})\oplus (k_{C2}^{i}\wedge z_{i})\oplus k_{CT}^{i},\\{} & {} R_{A2}^{i\prime }=R_{A2}^{i}\oplus k_{AT}^{i}=c_{1}^{i}\oplus a_{2}^{i}\oplus k_{AC}^{i}\oplus (k_{A2}^{i}\wedge x_{i})\oplus k_{AT}^{i}. \end{aligned}$$

If there exists \(R_{AB2}^{i}\ne R_{C2}^{i\prime }\), TP will announce the inequality of the customers’ private data and terminate this work; otherwise, TP can conclude that \(X=Y=Z\) and announce the comparison result to Alice, Bob and Charlie.

3 Correctness

The correctness of our protocol is proved in this section.

In step 3, Alice Bob and Charlie generate Bell states according to the value of \(k_{TA}^{i}\), \(k_{TB}^{i}\) and \(k_{TC}^{i}\), respectively. If \(k_{TA}^{i}=0\) (\(k_{TB}^{i}=0\) and \(k_{TC}^{i}=0\)), Alice (Bob and Charlie) generates a Bell state \(\vert \phi ^{+}\rangle \); If \(k_{TA}^{i}=1\) (\(k_{TB}^{i}=1\) and \(k_{TC}^{i}=1\)), Alice (Bob and Charlie) generates a Bell state \(\vert \psi ^{+}\rangle \). It is well known that Bell state \(\vert \phi ^{+}\rangle =\frac{1}{\sqrt{2}}\left( \vert 00\rangle +\vert 11\rangle \right) \) once measured will collapse to one of the two states \(\{\vert 00\rangle ,\vert 11\rangle \}\). In a similar way, the Bell state \(\vert \psi ^{+}\rangle =\frac{1}{\sqrt{2}}(\vert 01\rangle +\vert 10\rangle )\) will collapse to one of the two states \(\{\vert 01\rangle ,\vert 10\rangle \}\). Therefore, these equation will be hold:

$$\begin{aligned} \begin{aligned} {a_{1}^{i}\oplus a_{2}^{i}\oplus k_{TA}^{i}=b_{1}^{i}\oplus b_{2}^{i}\oplus k_{TB}^{i}=c_{1}^{i}\oplus c_{2}^{i}\oplus k_{TC}^{i}=0.} \end{aligned} \end{aligned}$$
(1)

We can further deduce out that:

$$\begin{aligned} \begin{aligned}&c_{1}^{i}\oplus b_{2}^{i}\oplus k_{BT}^{i}=b_{1}^{i}\oplus c_{2}^{i}\oplus k_{CT}^{i},\\&a_{1}^{i}\oplus c_{2}^{i}\oplus k_{CT}^{i}=c_{1}^{i}\oplus a_{2}^{i}\oplus k_{AT}^{i},\\ \end{aligned} \end{aligned}$$
(2)

TP compares the equality of \(R_{AB}^{i}\) and \(R_{C1}^{i\prime }\) in the last step of our protocol. Based on the above analysis, TP is essentially to compare the equality of \((k_{A1}^{i}\wedge x_{i})\oplus (k_{B1}^{i}\wedge y_{i})\) and \(k_{C1}^{i}\wedge z_{i}\). Similarly, TP compares the equality of \(R_{BC}^{i}\) and \(R_{A2}^{i\prime }\). In essence, it compares the equality of \((k_{B2}^{i}\wedge y_{i})\oplus (k_{C2}^{i}\wedge z_{i})\) and \(k_{A2}^{i}\wedge x_{i}\).

In Table 1, all possible situations in the calculation process are listed. For clarity, we bold the font of the calculation result when \((k_{A1}^{i}\wedge x_{i})\oplus (k_{B1}^{i}\wedge y_{i})=k_{C1}^{i}\wedge z_{i}\) or \((k_{B2}^{i}\wedge y_{i})\oplus (k_{C2}^{i}\wedge z_{i})=k_{A2}^{i}\wedge x_{i}\). As can be seen from the table, if and only if \((k_{A1}^{i}\wedge x_{i})\oplus (k_{B1}^{i}\wedge y_{i})=k_{C1}^{i}\wedge z_{i}\) and \((k_{B2}^{i}\wedge y_{i})\oplus (k_{C2}^{i}\wedge z_{i})=k_{A2}^{i}\wedge x_{i}\) are both true, we can get \(x_{i}=y_{i}=z_{i}\).

So the presented protocol can be performed correctly.

Table 1 Relationship of essential variables
Full size table

4 Analysis

In this section, we will discuss two cases of attacks. One is the attack from an outside eavesdropper, while the other is the attack from the dishonest participant.

4.1 Outsider attack

Suppose that there is an outside attacker Eve. Eve steals the secret data of participants by attacking the communication channel among participants and between participants and TP. Next, we analyze Eve’s opportunities to obtain private information of participants in each step of the protocol.

Step 1 and step 5 transmit classical information through the classical authentication channel. According to the definition of the authenticated classical channel, any outside attacker can obtain the information transmitted on the classical authentication channel, but they cannot modify the data. Even if Eve gets the classical information transmitted, he cannot infer the secret from them. In Step 5, Eve may obtain the value of \(R_{A1}^{i}\)/\(R_{A2}^{i}\) (\(R_{B1}^{i}\)/\(R_{B2}^{i}\) and \(R_{C1}^{i}\)/\(R_{C2}^{i}\)) when Alice (Bob and Charlie) sends them to TP. However, these information is encrypted by shared keys, in which the value of shared keys is unknown to Eve. Thus, \(x_{i}, y_{i}, z_{i}\) will not be revealed to anyone.

In step 3, Eve can launch many common attacks to obtain qubits transmitted in quantum channels. The QKD technology and decoy photon technology are used to ensure the security of the protocol. We will analyze in detail how this protocol can resist common attacks in the following sections.

Case 1 Intercept-resend attack

The intercept-resend attack means that Eve intercepts qubits transmitted in the quantum channel and generates some fake qubits to send to the receiver. Without loss of generality, we assume Eve steals the sequence \(S_{A1}^{\prime }\) that Alice sent to Bob. After Alice announces the positions and bases of decoy photons, Eve performs single-particle measurement on \(S_{A1}^{\prime }\). Then, he can obtain the value of \(a_{1}^{i}\). However, he cannot learn Bob’s secret because the secret is encrypted by the keys generated by the QKD protocol. What is more, Eve’s attack will fail since he only has a \(\frac{1}{4}\) probability of producing the same qubit as the correct decoy photon. For m decoy photons, the detection rate is \(1-(3/4)^{m}\) which is close to 1 if m is large enough.

Case 2 Measure-resend attack

The measure-resend attack means that Eve intercepts qubits transmitted in the quantum channel and measures them. Then, Eve prepares Eve generates the same quantum states as the measurement result and sends them to the receiver. However, his attack will fail because Eve does not know the positions and the measurement basis of all decoy photons, the participants can detect Eve’s eavesdropping in the eavesdropping check step. If Eve measures an Z basis decoy photon \(\{\vert 0\rangle , \vert 1\rangle \}\) with X basis \(\{\vert +\rangle , \vert -\rangle \}\), he will have a chance of \(\frac{1}{2}\) to be discovered. Apparently, the probability of detection for each photon is \(\frac{1}{4}\). Eve is detected with a probability of \(1-(3/4)^{m}\) when m decoy photons are used for eavesdropping checking in step 4, where the probability will gradually approach 1 when m increases.

Case 3 Entangle-measure attack

The measure-resend attack means that Eve intercepts qubits transmitted in the quantum channel and entangle them with the ancillary qubit \(\vert e\rangle \) by performing a unitary operation \(U_{E}\) on them. The unitary operation \(U_{E}\) can be described as follows:

$$\begin{aligned}{} & {} U_{E}\vert 0\rangle \vert e\rangle =a\vert 0\rangle \vert e_{00}\rangle +b\vert 1\rangle \vert e_{01}\rangle , \end{aligned}$$
(3)
$$\begin{aligned}{} & {} U_{E}\vert 1\rangle \vert e\rangle =c\vert 0\rangle \vert e_{10}\rangle +d\vert 1\rangle \vert e_{11}\rangle , \end{aligned}$$
(4)

where \(\vert e_{00}\rangle \), \(\vert e_{01}\rangle \), \(\vert e_{10}\rangle \), \(\vert e_{11}\rangle \) are pure states uniquely determined by \(U_{E}\); \(\vert a\vert ^{2}+\vert b\vert ^{2}=1\), and \(\vert c\vert ^{2}+\vert d\vert ^{2}=1\). Next, we take the initial Bell state is \(\vert \phi ^{+}\rangle =\frac{1}{\sqrt{2}}(\vert 00\rangle +\vert 11\rangle )\) as an example to analyze the measure-resend attack. Suppose that Eve entangles the ancillary qubit \(\vert e\rangle \) with qubit in Bell state, the quantum system becomes:

$$\begin{aligned} \begin{aligned} U_{e}\vert \phi ^{+}\rangle \vert e\rangle =&\frac{1}{\sqrt{2}}[\vert 0\rangle (a\vert 0\rangle \vert e_{00}\rangle +b\vert 1\rangle \vert e_{01}\rangle )+\vert 1\rangle (c\vert 0\rangle \vert e_{10}\rangle +d\vert 1\rangle \vert e_{11}\rangle )]\\ =&\frac{1}{\sqrt{2}}[a\vert 00\rangle \vert e_{00}\rangle +b\vert 01\rangle \vert e_{01}\rangle +c\vert 10\rangle \vert e_{11}\rangle +d\vert 1\rangle \vert e_{11}\rangle ]\\ =&\frac{1}{2}[a(\vert \phi ^{+}\rangle +\vert \phi ^{-}\rangle )\vert e_{00}\rangle +b(\vert \psi ^{+}\rangle -\vert \psi ^{-}\rangle )\\&+c(\vert \psi ^{+}\rangle +\vert \psi ^{-}\rangle )\vert e_{10}\rangle +d(\vert \phi ^{+}\rangle -\vert \phi ^{-}\rangle )\vert e_{11}\rangle ].\\ \end{aligned} \end{aligned}$$
(5)

When the unitary operation \(U_{E}\) is performed on the decoy photon, the state is changed as:

$$\begin{aligned} \begin{aligned} U_{E}\vert +\rangle \vert e\rangle&=\frac{1}{\sqrt{2}}(a\vert 0\rangle \vert e_{00}\rangle +b\vert 1\rangle \vert e_{01}\rangle +c\vert 0\rangle \vert e_{10}\rangle +d\vert 1\rangle \vert e_{11}\rangle )\\&=\frac{1}{2}\vert +\rangle (a\vert e_{00}\rangle +b\vert e_{01}\rangle +c\vert e_{10}\rangle +d\vert e_{11}\rangle )\\&\quad +\frac{1}{2}\vert -\rangle (a\vert e_{00}\rangle -b\vert e_{01}\rangle +c\vert e_{10}\rangle -d\vert e_{11}\rangle )\\ \end{aligned} \end{aligned}$$
(6)

and

$$\begin{aligned} \begin{aligned} U_{E}\vert -\rangle \vert e\rangle&=\frac{1}{\sqrt{2}}(a\vert 0\rangle \vert e_{00}\rangle +b\vert 1\rangle \vert e_{01}\rangle -c\vert 0\rangle \vert e_{10}\rangle -d\vert 1\rangle \vert e_{11}\rangle )\\&=\frac{1}{2}\vert -\rangle (a\vert e_{00}\rangle +b\vert e_{01}\rangle -c\vert e_{10}\rangle -d\vert e_{11}\rangle )\\&\quad +\frac{1}{2}\vert -\rangle (a\vert e_{00}\rangle -b\vert e_{01}\rangle -c\vert e_{10}\rangle +d\vert e_{11}\rangle )\\ \end{aligned} \end{aligned}$$
(7)

In order to prevent Eve’s attack from being detected, the unitary operation \(U_{E}\) must be satisfied the following conditions:

$$\begin{aligned} \begin{aligned} b=c=0,a=d=1,\vert e_{00}\rangle =\vert e_{11}\rangle . \end{aligned} \end{aligned}$$
(8)

From Eq.(8), the formula (5) can be rewritten as:

$$\begin{aligned} \begin{aligned} U_{e}\vert \phi ^{+}\rangle \vert e\rangle =\frac{1}{2}[a(\vert \phi ^{+}\rangle +\vert \phi ^{-}\rangle )\vert e_{00}\rangle +d(\vert \phi ^{+}\rangle -\vert \phi ^{-}\rangle )\vert e_{11}\rangle ]=\vert \phi ^{+}\rangle \vert e_{00}\rangle . \end{aligned} \end{aligned}$$
(9)

From the above analysis, it can be seen that some error must be introduced if Eve wants to obtain transmitted qubits through ancillary qubits. Thus, this attack must be detected.

Case 3. Trojan horse attack

In this protocol, the quantum sequences \(S_{A1}^{\prime }\), \(S_{B1}^{\prime }\) and \(S_{C1}^{\prime }\) are all transmitted in one direction and will not return, so they can resist Trojan horse attacks.

4.2 Insider attack

Gao [26] proposed that we should pay more attention to internal attacks, because internal attacks pose a greater threat to the protocol than external attackers. In what follows, we will considered the internal attacks in detail from the following three aspects. The first one is TP attempts to steal the data from participants. The second one is a dishonest participant trying to obtain the private information of other participants.

Case 1 The attack from TP

In our protocol, TP is assumed to be semi-honest, that is he may try his best to obtain participants’ secrets without conspiring with either of them. If TP tries to intercept the transmitted photons among participants, he will be caught as an outside attacker analyzed in the above situation. The only way for TP to obtain secret information from participants is to use the binary sequence in her hands. Although he obtains the binary number \(R_{A1}^{i}\), \(R_{A2}^{i}\), \(R_{B1}^{i}\), \(R_{B2}^{i}\), \(R_{C1}^{i}\) and \(R_{C2}^{i}\), he cannot deduce the secret. These information is encrypted by shared keys, in which the value of shared keys is unknown to TP.

Case 2 The attack from one dishonest participant

Individual attack means that a dishonest participant may try her/his best to get the other participants’ secrets without conspiring with others. Alice, Bob and Charlie play the same role in the agreement. Without loss of generality, we assume that Bob is dishonest and tries to learn other participants’ data. If Bob tries to intercept the transmitted photons from Alice to Charlie, she will be caught as an outside attacker analyzed in the above situation. Another way for Bob to get Alice and Charlie’s secret information is to utilize the photons send to her and all the classical information in her hands. Suppose Bob is powerful enough to obtain the classic information \(R_{A1}^{i}\), \(R_{A2}^{i}\), \(R_{C1}^{i}\) and \(R_{C2}^{i}\). Next, we analyze the possibility of Bob getting \(x_{i}\) and \(y_{i}\), respectively.

First, Bob may try to deduce out \(x_{i}\) from \(R_{A1}^{i}\) and \(R_{A2}^{i}\). If Bob want to calculate the value of \(x_{i}\) through \(R_{A1}^{i}\) or \(R_{A2}^{i}\), Bob needs to know the values of \(c_{1}^{i}\), \(a_{2}^{i}\), \(k_{AB1}^{i}\) and \(k_{AC}^{i}\) in advance. Since the value of \(c_{1}^{i}\) and \(a_{2}^{i}\) are related to the Bell state generated by Alice and Charlie, Bob have no knowledge about them. Therefore, Bob cannot know \(x_{i}\).

Second, Bob may try to deduce out \(y_{i}\) from \(R_{C1}^{i}\) and \(R_{C2}^{i}\). If Bob want to calculate the value of \(y_{i}\) through \(R_{C1}^{i}\) and \(R_{C2}^{i}\), Bob needs to know the values of \(b_{1}^{i}\), \(c_{2}^{i}\), \(k_{BC1}^{i}\), \(k_{BC2}^{i}\) and \(k_{AC}^{i}\) in advance. Since the value of \(c_{2}^{i}\) is related to the Bell state generated by Charlie, Bob have no knowledge about it. Therefore, Bob cannot know \(y_{i}\).

5 Comparison

In this section, we will make a comparison among our protocol and several current representative protocols. Qubit efficiency is an important indicator for evaluating QPC protocols. Here, the qubit efficiency is defined as:

$$\begin{aligned} \eta =\frac{c}{t} \end{aligned}$$

where c and t represent the classical bits that can be compared and the number of particles used for the comparison protocol, respectively. The photons consumed in the process of decoy photons and QKD key generation are not included in. In our protocol, each participant generates a Bell state to compare one classical bit, so the quantum bit efficiency is \(16.7\%\). We can calculate the qubit efficiency of other related protocols using the same method, and the comparison results are shown in Table 2.

From Table 2, it is obvious that each protocol has its own advantages and disadvantages. In terms of quantum carrier, our protocol uses Bell states as quantum carrier. Our protocol is superior to those using multi-particle entangled state as quantum carrier, for example, Refs. [14, 16, 33] using multi-particle entangled states as quantum resources and Refs. [21] based on d-level quantum system. As is known to all, the more qubits contained in the quantum state, the more difficult it is to prepare and operate the quantum state. There are still many challenges in the preparation and measurement of the quantum of multi-particle entangled state in practical application.

Table 2 The comparison of our protocol to the other protocols
Full size table

Moreover, in addition to the necessary quantum technologies such as quantum state preparation and quantum measurement, the proposed protocol does not use extra quantum technology. For example, as the protocol of Ref. [15] uses quantum swapping gate to compare the equality of two quantum states. Reference [27] encodes the participant’s secret into quantum state by unitary operation. Reference [15, 27, 29, 30] uses quantum entanglement swapping in the implementation process. To realize the above protocol, participants need not only basic quantum abilities such as quantum measurement and quantum preparation, but also additional quantum abilities. However, quantum resources are currently very scarce, and it is impractical for all participants to pay for expensive quantum equipment. Fortunately, our protocol does not have these problems, although its qubit efficiency is not high. A valuable feature of the proposed protocol is that, except for the generation and measurement of quantum states, the rest of the protocol is completely classical.

Another advantage of our protocol is that quantum states as information carriers are prepared by participants. At present, most protocols prepare quantum states through TP and send them to users, respectively, so TP has the opportunity to prepare false quantum states in this process. On this condition, the protocol will face greater risks. So the preparation of quantum states by participants can improve the security and efficiency of the protocol to a certain extent.

6 Conclusion

In this paper, we propose a three-party quantum privacy comparison protocol based on classical-quantum authentication channel, which can compare the information equality of three participants by executing the protocol once. Our protocol uses Bell states as quantum resources, and it does not use quantum technologies that may consume expensive equipment, such as entanglement exchange and unitary transformation. Therefore, the proposed protocol does not need expensive quantum equipment, which is more in line with the actual needs. The protocol uses the entanglement correlation of Bell states, decoy photon technology and shared key sequence to ensure the security of the protocol. Finally, security analysis shows that our proposed protocol can resist external attacks and participant attacks.