1 Introduction

In 1982, Yao [1] introduced the millionaire problem, i.e., two millionaires want to know who is richer while keeping their genuine assets secret to each other. Since then, secure multi-party computation (SMPC) in classical cryptography began to arouse the interests of researchers, as it has important applications in many circumstances such as private bidding and auctions, secret ballot elections, e-commerce, data mining et al..

In 2009, Yang and Wen [2] put forward quantum private comparison (QPC) for the first time, in order to judge whether two inputs from two users are equal or not while keeping them secret through the quantum means. Since then, a lot of attentions from researchers have been focused on it. In the early development, numerous two-party QPC protocols [2,3,4,5,6,7,8,9] were designed through different quantum technologies. Later, researchers became more interested in constructing multi-party quantum private comparison (MQPC) protocols, as it can accomplish the comparison of equality among many users within one execution of protocol. Until now, numerous MQPC protocols [10,11,12,13,14,15,16,17,18,19] have been proposed through different quantum technologies. In 2013, Chang et al. [10] proposed the first MQPC protocol using GHZ class states. In 2014, Wang et al. [11] proposed a MQPC protocol withn-level entangled states. In 2015, Huang et al. [12] put forward a MQPC protocol with an almost-dishonest third party. In 2016, Ye [13] put forward a MQPC protocol based on entanglement swapping of Bell entangled states; Liu and Wang [14] suggested a dynamic MQPC protocol with single photons in both polarization and spatial-mode degrees of freedom; Huang et al. [15] designed a MQPC protocol with an almost-dishonest third party using GHZ states. In 2017, Hung et al. [16] constructed a MQPC protocol with almost dishonest third parties for strangers; Ji and Ye [17] put forward a MQPC protocol based on the entanglement swapping of d-level Cat states and d-level Bell states; Ye and Ji [18] proposed a novel MQPC protocol with scattered preparation and one-way convergent transmission of quantum states. In 2018, Ye and Ye [19] proposed a MQPC protocol of size relation with d-level single-particle states.

Based on the above analysis, inspired by the summation method of Ref. [20], this paper also concentrates on designing the MQPC protocol, by using the qudit shifting operation. The remaining part of this paper is arranged as follows: in Sect. 2, the MQPC protocol with qudit shifting operation is proposed; in Sect. 3, the security of the proposed MQPC protocol is validated; and finally, in Sect. 4, the conclusion are illustrated.

2 The Proposed MQPC Protocol with Qudit Shifting Operation

In a n-level quantum system, two common conjugate bases, C1 and C2, can be defined as.

$$ {C}_1=\left\{\left.\right|\left.k\right\rangle \right\},\kern0.5em k=0,1,\dots, \kern0.5em n-1, $$
(1)
$$ {C}_2=\left\{\left.F\right|\left.k\right\rangle \right\}=\left\{\frac{1}{\sqrt{n}}\sum \limits_{j=0}^{n-1}\left.{\omega}^{jk}\right|\left.j\right\rangle \right\},\kern0.5em {\displaystyle \begin{array}{cc}k=0,1,\dots, & n-1\end{array}}, $$
(2)

where \( \omega ={e}^{\frac{2\pi i}{n}} \) and F represents the nth order discrete quantum Fourier transform. Apparently, any two different elements in the set C1 are mutually orthogonal. Likewise, any two different elements in the set C2 are also mutually orthogonal. In addition, in a n-level quantum system, the qudit shifting operation can be defined as

$$ {U}_v=\sum \limits_{u=0}^{n-1}\left|u\oplus \left.v\right\rangle \left\langle u\right.\right|, $$
(3)

where the symbol ‘⊕’ denotes the addition modulo n.

Suppose that there are n users, P1, P2, ⋯, Pn, where Pi has a private integer Xi, i = 1, 2, …, n. The binary representation of Xi in \( {F}_{2^L} \) is \( \left({x}_{L-1}^i,{x}_{L-2}^i,\dots, {x}_0^i\right) \), where \( {x}_j^i\in \left\{0,1\right\} \), j = 0, 1, …, L−1. They want to judge whether all of their private integers are equal or not under the help of the semi-honest TP. The proposed MQPC protocol with qudit shifting operation can be described as follows.

  1. Step 1:

    TP and Pi(i = 1, 2, …, n) share a key sequence Ki of length L via a secure QKD protocol. Here, \( {K}^i=\left({k}_{L-1}^i,{k}_{L-2}^i,\dots, {k}_0^i\right) \), where\( {k}_j^i\in \left\{0,1,\dots, n-1\right\} \), j = 0, 1, …, L−1.

  2. Step 2:

    TP prepares a particle sequence S0 which is composed of L n-level single photons |r0〉, |r1〉, …, |rL − 1〉, where rj ∈ {0, 1, …, n − 1},j = 0, 1, …, L − 1. For the sake of security check, TP also prepares δ n-level decoy single photons which are randomly chosen from the sets C1 and C2. Afterward, TP randomly inserts these decoy single photons into sequence S0 and obtains a new sequence \( {S}_0^{\hbox{'}} \). Finally, TP sends sequence \( {S}_0^{\hbox{'}} \) to P1.

  3. Step 3:

    After P1 receives sequence \( {S}_0^{\hbox{'}} \), P1 performs the security check together with TP to check whether the transmission of sequence \( {S}_0^{\hbox{'}} \) is secure or not. TP tells P1 the positions and the preparation basis of decoy single photons.P1 measures the decoy single photons with the basis TP told and informs TP of his measurement outcomes. TP compares the measurement outcomes of decoy single photons with their initial prepared states. If the error rate is unreasonably high, the communication will be terminated; otherwise, it will be continued.

P1 drops out the decoy single photons in sequence \( {S}_0^{\hbox{'}} \) to restore sequence S0. Then, P1 encodes \( {x}_j^1\oplus {k}_j^1\left(j=0,1,\dots, L-1\right) \) on the jth particle in sequence S0 by performing the qudit shifting operation \( {U}_{x_j^1\oplus {k}_j^1} \) on it. As a result, the jth particle is changed into \( \left|{r}_j\oplus {x}_j^1\oplus {k}_j^1\right\rangle \). Consequently, sequence S0 is turned into sequence S1, where \( {S}_1=\left[\left|{r}_0\oplus {x}_0^1\oplus {k}_0^1\right\rangle, \left|{r}_1\oplus {x}_1^1\oplus {k}_1^1\right\rangle, \dots, \left|{r}_{L-1}\oplus {x}_{L-1}^1\oplus {k}_{L-1}^1\right\rangle \right] \).

For the sake of security check, P1 prepares δ n-level decoy single photons which are randomly chosen from the sets C1 and C2. Afterward, P1 randomly inserts these decoy single photons into sequence S1 and obtains a new sequence \( {S}_1^{\hbox{'}} \). Finally,P1 sends sequence \( {S}_1^{\hbox{'}} \) to P2.

  1. Step 4:

    For i = 2, 3, …, n − 1:

After Pi receives sequence \( {S}_{i-1}^{\hbox{'}} \), Pi performs the security check together withPi ‐ 1 to check whether the transmission of sequence \( {S}_{i-1}^{\hbox{'}} \) is secure or not. Pi ‐ 1 tells Pithe positions and the preparation basis of decoy single photons. Pi measures the decoy single photons with the basis Pi ‐ 1 told and informs Pi ‐ 1 of his measurement outcomes.Pi ‐ 1 compares the measurement outcomes of decoy single photons with their initial prepared states. If the error rate is unreasonably high, the communication will be terminated; otherwise, it will be continued.

Pi drops out the decoy single photons in sequence \( {S}_{i-1}^{\hbox{'}} \) to restore sequence Si − 1. Then, Pi encodes \( {x}_j^i\oplus {k}_j^i\left(j=0,1,\dots, L-1\right) \) on the jth particle by performing the qudit shifting operation \( {U}_{x_j^i\oplus {k}_j^i} \) on it. As a result, the jth particle is changed into \( \left|{r}_j\oplus {x}_j^1\oplus {k}_j^1\oplus {x}_j^2\oplus {k}_j^2\oplus \dots \oplus {x}_j^i\oplus {k}_j^i\right\rangle \). Consequently, sequence Si − 1 is turned into sequence Si, where \( {S}_i=\left[\left|{r}_0\oplus {x}_0^1\oplus {k}_0^1\oplus {x}_0^2\oplus {k}_0^2\oplus \dots \oplus {x}_0^i\oplus {k}_0^i\right\rangle, \left|{r}_1\oplus {x}_1^1\oplus {k}_1^1\oplus {x}_1^2\oplus {k}_1^2\oplus \dots \oplus {x}_1^i\oplus {k}_1^i\right\rangle, \dots, \left|{r}_{L-1}\oplus {x}_{L-1}^1\oplus {k}_{L-1}^1\oplus {x}_{L-1}^2\oplus {k}_{L-1}^2\oplus \dots \oplus {x}_{L-1}^i\oplus {k}_{L-1}^i\right\rangle \right] \).

For the sake of security check, Pi prepares δ n-level decoy single photons which are randomly chosen from the sets C1 and C2. Afterward, Pi randomly inserts these decoy single photons into sequence Si and obtains a new sequence \( {S}_i^{\hbox{'}} \). Finally,Pi sends sequence \( {S}_i^{\hbox{'}} \) to Pi + 1.

  1. Step 5:

    After Pn receives sequence \( {S}_{n-1}^{\hbox{'}} \), Pn performs the security check together with Pn ‐ 1 to check whether the transmission of sequence \( {S}_{n-1}^{\hbox{'}} \) is secure or not. Pn ‐ 1 tells Pn the positions and the preparation basis of decoy single photons. Pn measures the decoy single photons with the basis Pn ‐ 1 told and informs Pn ‐ 1 of his measurement outcomes. Pn ‐ 1 compares the measurement outcomes of decoy single photons with their initial prepared states. If the error rate is unreasonably high, the communication will be terminated; otherwise, it will be continued.

Pn drops out the decoy single photons in sequence \( {S}_{n-1}^{\hbox{'}} \) to restore sequence Sn − 1. Then, Pn encodes \( {x}_j^n\oplus {k}_j^n\left(j=0,1,\dots, L-1\right) \) on the jth particle by performing the qudit shifting operation \( {U}_{x_j^n\oplus {k}_j^n} \) on it. As a result, the jth particle is changed into \( \left|{r}_j\oplus {x}_j^1\oplus {k}_j^1\oplus {x}_j^2\oplus {k}_j^2\oplus \dots \oplus {x}_j^n\oplus {k}_j^n\right\rangle \). Consequently, sequence Sn − 1 is turned into sequence Sn, where \( {S}_i=\left[\left|{r}_0\oplus {x}_0^1\oplus {k}_0^1\oplus {x}_0^2\oplus {k}_0^2\oplus \dots \oplus {x}_0^n\oplus {k}_0^n\right\rangle, \left|{r}_1\oplus {x}_1^1\oplus {k}_1^1\oplus {x}_1^2\oplus {k}_1^2\oplus \dots \oplus {x}_1^n\oplus {k}_1^n\right\rangle, \dots, \left|{r}_{L-1}\oplus {x}_{L-1}^1\oplus {k}_{L-1}^1\oplus {x}_{L-1}^2\oplus {k}_{L-1}^2\oplus \dots \oplus {x}_{L-1}^n\oplus {k}_{L-1}^n\right\rangle \right] \).

For the sake of security check, Pn prepares δ n-level decoy single photons which are randomly chosen from the sets C1 and C2. Afterward, Pn randomly inserts these decoy single photons into sequence Sn and obtains a new sequence \( {S}_n^{\hbox{'}} \). Finally, Pn sends sequence \( {S}_n^{\hbox{'}} \) to TP.

  1. Step 6:

    After TP receives sequence \( {S}_n^{\hbox{'}} \), TP performs the security check together with Pn to check whether the transmission of sequence \( {S}_n^{\hbox{'}} \) is secure or not. Pn tells TP the positions and the preparation basis of decoy single photons.TP measures the decoy single photons with the basis Pn told and informs Pn of his measurement outcomes. Pn compares the measurement outcomes of decoy single photons with their initial prepared states. If the error rate is unreasonably high, the communication will be terminated; otherwise, it will be continued.

TP drops out the decoy single photons in sequence \( {S}_n^{\hbox{'}} \) to restore sequence Sn. Then TP measures the particles in sequence Sn with the basis C1 and obtains the measurement results \( R=\left({r}_0^{\hbox{'}},{r}_1^{\hbox{'}},\dots, {r}_{L-1}^{\hbox{'}}\right) \), where \( {r}_j^{\hbox{'}} \) is the measurement result of the jth particle and j = 0, 1, …, L−1. Afterward, TP calculates

$$ {\displaystyle \begin{array}{c}\left({r}_j^{\prime}\oplus \left(n-{r}_j\right)-{k}_j^1\oplus {k}_j^2\oplus \dots \oplus {k}_j^n\right)\operatorname{mod}\ n\\ {}={x}_j^1\oplus {x}_j^2\oplus \dots \oplus {x}_j^n,\kern0.5em j=0,1,\dots, L-1\end{array}}. $$
(4)

If \( {x}_j^1\oplus {x}_j^2\oplus \dots \oplus {x}_j^n=0 \) for all j, all Xi(i = 1, 2, …, n) should be same; otherwise, not allXiare same. Finally, TP publicly informs P1, P2, ⋯, Pn of the comparison result.

3 Security Analysis

In this section, the security against the outside attack and the participant attack is validated in detail, respectively.

  1. (i)

    The outside attack

In the proposed protocol, the particles are transmitted in a circular way, i.e., from TP to P1, Pi to Pi + 1(i = 1, 2, …, n − 1) and Pn back to TP. During the transmission from one party to another party, an outside attacker, Eve, may launch her attack to steal something useful about the private integers, such as the intercept-resend attack, the measure-resend attack and the entangle-measure attack. Fortunately, the proposed protocol employs the decoy photon technology to guarantee the security of particle transmission. Because Eve is unaware of the genuine positions of decoy photons in the transmitted sequence, she will inevitably leave her trace on them so that she will be detected undoubtedly.

  1. (ii)

    The participant attack

In the proposed protocol, it is assumed that TP can not cooperate with any of users. Here, the participant attack from TP, the participant attack from one dishonest user and the participant attack from two or more dishonest users are validated in detail, respectively.

  1. a)

    The participant attack from TP

TP sends her jth fake particle |gj〉 to Pt, where gj ∈ {0, 1, …, n − 1}, t = 1, 2, …, n. After Pt finishes his encoding, the jth fake particle is turned into \( \left|{g}_j\oplus {x}_j^t\oplus {k}_j^t\right\rangle \). Then,TP intercepts the transmitted sequence sent from Ptand measures its particles with the basis C1. However, she still cannot decode out \( {x}_j^t \), since she has no knowledge about the genuine position of the jth fake particle in the transmitted sequence. Moreover, this kind of attack from TP can be detected by the security check between Pt − 1 and Pt.

  1. b)

    The participant attack from one dishonest user

Assume that Pt is the dishonest user, where t = 1, 2, …, n.

After the security check with Pt − 1, Pt measures the jth (j = 0, 1, …, L − 1)particle \( \left|{r}_j\oplus {x}_j^1\oplus {k}_j^1\oplus {x}_j^2\oplus {k}_j^2\oplus \dots \oplus {x}_j^{t-1}\oplus {k}_j^{t-1}\right\rangle \) with the basis C1. However, he only obtains the value of \( {r}_j\oplus {x}_j^1\oplus {k}_j^1\oplus {x}_j^2\oplus {k}_j^2\oplus \dots \oplus {x}_j^{t-1}\oplus {k}_j^{t-1} \). He even has no idea about the value of \( {x}_j^1\oplus {x}_j^2\oplus \dots \oplus {x}_j^{t-1} \), as he is unaware of \( {k}_j^1,{k}_j^2,\dots, {k}_j^{t-1} \) and rj.

Secondly, Ptsends his jth fake particle |fj〉 to Pt + 1, where fj ∈ {0, 1, …, n − 1}. After Pt + 1 finishes his encoding, the jth fake particle is turned into \( \left|{f}_j\oplus {x}_j^{t+1}\oplus {k}_j^{t+1}\right\rangle \). Then, Pt intercepts the transmitted sequence sent from Pt + 1 and measures its particles with the basis C1. However, he still cannot decode out \( {x}_j^{t+1} \), since he has no knowledge about the genuine position of the jth fake particle in the transmitted sequence and the value of \( {k}_j^{t+1} \).

In addition, Pt may launch his attack on the particles transmitted from one party to another party. However, since he is unaware of the genuine positions of decoy photons in the transmitted sequence, he will inevitably leave his trace on them so that he will be detected undoubtedly as an outside eavesdropper.

  1. c)

    The participant attack from two or more dishonest users

Case 1: The participant attack from two dishonest users

In the proposed protocol, two dishonet users Pt and Pt + 2 may cooperate to steal the private integer of Pt + 1 in the following way, where t = 1, 2, …, n − 2. After encoding his private integer, Pt measures the jth (j = 0, 1, …, L − 1) particle \( \left|{r}_j\oplus {x}_j^1\oplus {k}_j^1\oplus {x}_j^2\oplus {k}_j^2\oplus \dots \oplus {x}_j^t\oplus {k}_j^t\right\rangle \) with the basis C1 and sends the same state to Pt + 1. After the encoding of Pt + 1, the jth particle is changed into \( \left|{r}_j\oplus {x}_j^1\oplus {k}_j^1\oplus {x}_j^2\oplus {k}_j^2\oplus \dots \oplus {x}_j^t\oplus {k}_j^t\oplus {x}_j^{t+1}\oplus {k}_j^{t+1}\right\rangle \). Then, after receiving the jth particle, Pt + 2 also measures it with the basis C1. Finally, Pt and Pt + 2 can cooperate to decode out the value of \( {x}_j^{t+1}\oplus {k}_j^{t+1} \) according to their measurement results. However, neither Pt or Pt + 2 knows the value of \( {k}_j^{t+1} \), so they still cannot decode out \( {x}_j^{t+1} \).

Case 2: The participant attack from more than two dishonest users

Here, we consider the case that more than two dishonet users conclude. The most powerful case is that n − 1 users conclude to steal the remaining user’s private integer. Without loss of generality, suppose that P1, P2, …, Pt, Pt + 2, …, Pn − 1, Pn cooperate to steal the private integer of Pt + 1, where t = 1, 2, …, n. If they launch the attack same to that of Case 1, due to having no knowledge about the value of \( {k}_j^{t+1}\left(j=0,1,\dots, L-1\right) \), they will cannot decode out \( {x}_j^{t+1} \). In addition, they may deduce the value of \( {x}_j^{t+1} \) from the comparison result. Although they can easily calculate the value of \( {x}_j^1\oplus {x}_j^2\oplus \dots \oplus {x}_j^t\oplus {x}_j^{t+2}\dots \oplus {x}_j^{n-1}\oplus {x}_j^n \), the compasion result of X1, X2, …, Xn is still helpless for them to know the value of \( {x}_j^{t+1} \).

4 Conclusion

To sum up, in this paper, a MQPC protocol is proposed based on the qudit shifting operation. The semi-honest TP prepares the initial particles and sends them to the first user. Then, each of n users encodes his private integers on the travelling particles with the qudit shifting operations and transmits them to the next user. Finally, the travelling particles are transmitted back to TP. The equality of the private integers from n users can be determined within one time execution of the protocol. It is verified that the proposed protocol is secure against both the outside attack and the participant attack. One user cannot obtain other users’ private integers except for the case that their private integers are same. TP cannot know the private integers from n users except their comparison result.