1 Introduction

With the development of quantum mechanics, quantum cryptography attracts more and more attention, and many secure protocols have been designed for quantum key distribution (QKD) [17], quantum secret sharing (QSS) [815], quantum secure direct communication (QSDC) [1619], quantum teleportation (QT) [2024], and so on. Secure multiparty computation (SMPC) [25, 26] is an important and fundamental cryptographic protocol. Unfortunately, it was shown by Mayers [27] and Lo-Chau [28] that deterministic two-party-setting computation was impossible, even with quantum means. However, if some additional assumptions are introduced, the quantum secure multiparty computation (QSMPC) maybe have higher security than classical SMPC.

Recently, the quantum private comparison (QPC) became a novel topic in quantum cryptography. To be specific, QPC allows two distrustful parties, Alice and Bob, to determine whether their secret inputs are equal or not without disclosing their own secret to each other. In 2009, QPC was proposed by Yang et al. [29, 30]. After these, some QPC protocols based on different states are proposed [3138]. Summarily, the QPC schemes presented previously have the following principles.

  1. (1)

    A Third Party (TP) which is at least semi-honest is required to help the two parties (Alice and Bob) accomplish the comparison. And TP always follows the procedure of the protocol. He/she will take a record of all intermediate computations, and will not be corrupted by an outside eavesdropper. However, TP might try to steal the information from the record.

  2. (2)

    No matter whether TP will know the positions of different bit value in the compared information or not, he/she will not be able to know the actual bit value of the information.

  3. (3)

    All outsiders and the two players should only know the result of the comparison (i.e., identical or different), but not the different positions of the information.

These schemes are feasible in the ideal scenario. However, in this paper, we will point that these schemes would not be secure in practical scenario where fault (including noise and error) is existent in the quantum channel and measurement. And we design a new QPC scheme based on Greenberger-Horne-Zeilinger (GHZ) states and error-correcting code (ECC) against noise.

The rest of this paper is constructed as follows. Section 2 analyzes the previously QPC schemes’ security in practical scenario. Then a new QPC scheme based on GHZ states and ECC is proposed in Sect. 3. In Sect. 4, we analyzes the protocol’s security and the capability of fault-tolerate. Finally, a short conclusion is given in Sect. 5.

2 Analysis of Some QPC Schemes’ Security in Practical Scenario

In all the QPC schemes proposed previously, there are two participants, Alice and Bob, and a semi-honest third party, Calvin. Alice has a private information X, Bob has a private information Y. The binary representations of X and Y in \(F_{2^{n}}\) are (x 0,x 1,…,x n−1), (y 0,y 1,…,y n−1), where x i ,y i ∈{0,1}; \(X=\sum_{i=0}^{n-1}x_{i}\cdot{2^{i}}, Y=\sum_{i=0}^{n-1}y_{i}\cdot{2^{i}}\).

These QPC schemes could be divided into two families, one is based on sharing states, one is based on travelling photons. For simpleness, we give the processes that they compare two bits x i and y i . In the first family, without loss of generality, the main steps which removes the steps of detecting cheating could be described as

  1. (1)

    Calvin, Alice and Bob (or only Alice and Bob) share a entangled state.

  2. (2)

    After measurements, they have three bits, s C , s A and s B respectively (or only Alice and Bob have two bits, s A and s B respectively), where the value of k=s C s A s B is known to Calvin (or the value of k=s A s B is known to all of Calvin, Alice and Bob).

  3. (3)

    Then Alice and Bob announce the values of s A x i and s B y i publicly (or in private) to Calvin.

  4. (4)

    Calvin could judge whether x i =y i or not by comparing s A s B and (s A x i )⊕(s B y i ).

In the second family, without loss of generality, the main steps removes the steps of detecting cheating could be described as

  1. (1)

    Calvin prepares a photon S and sends it to Alice.

  2. (2)

    Alice performs an unitary operator I or U 1 on S when x i =0 or 1, where 〈s|(U 1|s〉)=0, U 1(U 1|s〉)=|s〉 and |s〉 is arbitrary one in all the possible states of photon S. Then she sends S to Bob.

  3. (3)

    Bob performs an unitary operator I or U 1 on S when y i =0 or 1. Then he sends S to Calvin.

  4. (4)

    Calvin measures S in its initial basis. Then he could judge x i =y i if the state are not changed, x i y i if the state are changed.

Now we analyze them in practical scenario. In the first family, there would be s C s A s B =k (or s A s B =k) in the ideal scenario. However, in practical scenario where fault (including noise and error) is existent in the quantum channel and measurement, it will be s C s A s B =k⊕1 (or s A s B =k⊕1) with some probability. For instance, in Chen et al.’s scheme [31], the sharing entangled state \((|000\rangle +|111\rangle)/\sqrt{2}\) would evolve to \((|001\rangle +|110\rangle)/\sqrt{2}\) in practical noise quantum channel which will change the correlation of Calvin, Alice and Bob’s measurement outcomes. In the case, Calvin will judge that x i =y i (or x i y i ) but in fact x i y i (or x i =y i ).

In the second family, the state of photon S does not change in the transmission, and measurement mistakes does not happen in the ideal scenario. However, when channel noise appears and measurement mistakes happens, the state |s〉 sent by one participant will evolve to |s⊥〉 with some probability when it arrives another participant, where 〈s|s⊥〉=0. For instance, in Yang et al.’s scheme [30], the state |0〉 sent by Calvin (denoted as TP in Ref. [30]) would evolve to |1〉 when it arrives Alice (denoted as Bob in Ref. [30]). In the case, Calvin will judge that x i =y i (or x i y i ) but in fact x i y i (or x i =y i ).

Consequently, using the above schemes to compare two n bits private information X and Y, Calvin will output X=Y (or XY) incorrectly but in fact XY (or X=Y) with some probability.

From above, we conclude that QPC schemes are very sensitive of fault, special in the case of X=Y. There even one error bit appears in the quantum channel and measurement will lead an absolute incorrect result. In some other quantum protocols, such as QKD and QSS, some technologies, such as privacy amplification [39] have been added to overcome limited error. Similarly, some technologies should be added in QPC to overcome noise and error. Next, we will give an example to solve the problem.

3 QPC Based on Error-Correcting Code

It has been shown that when the rate of error is below a certain threshold, fault tolerant quantum information manipulation is possible by using some strategies, such as classical error-correcting code (ECC) [40], quantum error correction [4143], and quantum error rejection [44]. Specially, ECC is a special form of QECC, and it is easier to implement than other QECC.

In this section, we will give a QPC scheme in the first QPC family based on GHZ states and ECC for fault-tolerate which is not achieved in the previously schemes. The specific steps of the scheme are described as follows.

  1. 1.

    Alice, Bob and Calvin prepare a [m,n] error-correcting code which uses m bits codeword to encode n bits word and can correct l error bits in codeword with the error-correcting function D(x m) according to the fault rate of the noise scenario. We suppose the error-correcting code’s generator matrix is G, check matrix is H. Then they encode X=(x 0,x 1,…,x N−1) and Y=(y 0,y 1,…,y N−1) to \(X'=(x'_{0}, x'_{1}, \ldots, x'_{N-1})\) and \(Y'=(y'_{0}, y'_{1}, \ldots, y'_{m-1})\) with the generator matrix G, respectively. There are

    $$ X'=X\cdot G, $$
    (1)
    $$ Y'=Y\cdot G. $$
    (2)
  2. 2.

    Calvin prepares m triplet GHZ states all in

    (3)

    where |0〉 and |1〉 are measured in Z basis, |+〉 and |−〉 are measured in X basis, and \(|\pm\rangle=\frac{1}{\sqrt{2}}(|0\rangle\pm|1\rangle)\). Then Calvin divides these m GHZ states into three sequences S A , S B and S C , which includes the first, the second, and the third particles of all GHZ states, respectively.

  3. 3.

    Calvin prepares some decoy photons prepared in states {|0〉,|1〉,|+〉,|−〉} in random. He inserts these decoy photons in S A and S B at random positions to form sequences \(S^{*}_{A}\) and \(S^{*}_{B}\) respectively. Then Calvin retains the quantum sequence S C and sends the sequence \(S^{*}_{A}\) to Alice, \(S^{*}_{B}\) to Bob.

  4. 4.

    When Alice and Bob arrive \(S^{*}_{A}\) and \(S^{*}_{B}\), Calvin announces the decoy photons’ positions and measurement base. Then Alice and Bob measure them in the base and announce their outcome. If the error rate exceeds a rational threshold, Calvin aborts the protocol and restarts from Step 1. Otherwise, there is no eavesdropper, and the protocol continues to the next step.

  5. 5.

    Alice and Bob recover S A and S B respectively by discarding the decoy photons. Then Alice, Bob and Calvin measure S A , S B and S C in X basis, respectively. If the measurement result is |+〉 (|−〉), then they encode it as the classical bit 0 (1). Thus, each of Alice, Bob and Calvin will obtain m bits from S A , S B and S C , respectively. We denote each of them as \(k_{i}^{A}\) , \(k_{i}^{B}\) and \(k_{i}^{C}\) (i=0,1,…,m−1).

  6. 6.

    Alice and Bob calculate \(x'_{i}=k_{i}^{A}\oplus x_{i}\) and \(y'_{i}=k_{i}^{B}\oplus y_{i}\) respectively. They announce \(X'=(x'_{0}, x'_{1}, \ldots, x'_{m-1})\) and \(Y'=(y'_{0}, y'_{1}, \ldots, y'_{m-1})\) to Calvin.

  7. 7.

    Calvin calculates \(c'_{i}=k_{i}^{C}\oplus x'_{i}\oplus y'_{i}\) to form m bits sequence \(C'=(c'_{0}, c'_{1}, \ldots, c'_{m-1})\).

  8. 8.

    Then Calvin uses the check matrix H to check whether the number of error bits exceeds the threshold l. If it does, Calvin aborts the protocol and restarts from Step 1. Otherwise, he arrives n bits sequence C by decoding C′ with error-correcting function D(C′). If there is at least one bit 0 in C, Calvin announces XY. Otherwise, he announces X=Y.

4 Analysis

4.1 Correctness

In the scheme, the GHZ state |Ψ〉 will collapse to one of the states {|+++〉,|+−−〉,|−+−〉,|−−+〉}, therefore, there always have \(k_{i}^{A}\oplus k_{i}^{B}\oplus k_{i}^{C}=0\). According to \(x'_{i}=k_{i}^{A}\oplus x_{i}\), \(y'_{i}=k_{i}^{B}\oplus y_{i}\) and \(c'_{i}=k_{i}^{C}\oplus x'_{i}\oplus y'_{i}\), we know that \(c'_{i}=x'_{i}\oplus y'_{i}\).

Based on Eqs. (1) and (2), there should be that

$$ C' = C\cdot G, $$
(4)

where C′=(x 0y 0,x 1y 1,…,x n−1y n−1). Namely, C′ is the codeword of C=(x 0y 0,x 1y 1,…,x n−1y n−1) decoded with the [m,n] error-correcting code. Therefore, C′ could be checked by the check matrix H, and C could be recoded with the error-correcting function D(C′).

If there is at least one bit 1 in C′, it indicates that at least one set of (x i ,y i ) are different, i.e., XY. Otherwise, if all the bits are 0 in C′, it indicates that all the sets of (x i ,y i ) are same, i.e., X=Y. So the presented scheme is correctness.

4.2 Security

In this sub-section, we will analyze the outsider attack and participant attack respectively.

4.2.1 Outsider Attack

After Alice and Bob received the quantum sequences \(S^{*}_{A}\) and \(S^{*}_{B}\) respectively, they and Calvin will start their public discussion to check for the existence of an eavesdropper. Calvin announces the positions and the measurement bases of all decoy photons. Later, both of Alice and Bob publish the measurement results. They can discuss the public results to determine whether an eavesdropper exists or not. Since the eavesdropper (say Eve) does not know the positions, and the measuring bases of all decoy photons before Calvin announces them, some well known attacks such as intercept-resend attack, measurement-resend attack, and entanglement-measure attack can be detected via the checking mechanism [29, 30]. For example, if Eve measures a X-basis decoy photon with Z basis, she will have a probability of \(\frac{1}{2}\) to be detected. Obviously, Eve has a probability of \(\frac{1}{2}\) to choose the wrong basis for measurement. Therefore, the detection rate for each decoy photon is \(\frac{1}{2}\times\frac{1}{2}=\frac{1}{4}\). For t decoy photons, the detection rate is \(1-(\frac{3}{4})^{t}\), which is close to 1 if t is large enough. Furthermore, since no round-trip transmission strategy is used in the protocol, the Trojan horse attack can be automatically prevented. Therefore, the proposed protocol can resist all well known outsider attacks.

4.2.2 Participant Attack

In QPC, every participant has more resources than outsider. With these resources, a dishonest participant has more strategies to cheat besides the strategies which outsider can perform. So the term participant attack, which emphasizes that the attacks from dishonest users are generally more powerful and should be paid more attention to, is first proposed by Gao et al. in Ref. [45] and has attracted much attention in the cryptanalysis of quantum cryptography [4652]. From the conclusions of QSMPC, we know that it should be insecure when less than a half of participants are honest [5358]. Since QPC is a instance of QSMPC, it can only guarantee the secure when there is only one dishonest participant. So we will only analyze the attacks performed by Alice, Bob, and Calvin respectively, but not two colluded participants.

The first case discusses the possibility that a participant obtains the other participant’s information. The second case discusses the possibility that the TP Calvin obtains Alice or Bob’s private information.

Case 1:

Alice and Bob want to learn the other’s information.

Suppose Bob is a dishonest participant who attempts to obtain the other participant’s (Alice’s) information. One possible way for Bob is to use the photons (i.e., the second article of all GHZ states in S B ) sent to him.

When Alice and Calvin have not measured their photons, the reduced density operator of Bob’s photon is

(5)

After Alice and Calvin’s measurements in basis X , Bob’s photons will collapse to |+〉 and |−〉 with probability 50 % respectively. If it collapses to |+〉, Alice and Calvin’s measurement outcomes should be one of {|++〉,|+−〉,|−+〉,|−−〉} with probability 1/4. Namely, Alice’s outcome should be |+〉 and |−〉 with equal probability. Consequently, Bob cannot obtain the information of \(k_{i}^{A}\). In fact, he only can obtain the information of \(k_{i}^{A}\oplus k_{i}^{C}\) by measuring his ith photon. Since \(k_{i}^{C}\) is hold by Calvin and cannot be known by Bob, Bob could know nothing about \(k_{i}^{A}\). Therefore, he could not obtain x i even he can decode the value of \(x_{i}\oplus k_{i}^{A}\). Namely, he cannot get any information about Alice’s private information.

Case 2:

Calvin wants to learn the private information X, Y.

In the scheme, Calvin is a semi-honest TP. He always follows the processes of the scheme. Such as, he will prepare GHZ states as an honest party. He will take a record of all intermediate computations, and will not be corrupted by an outside eavesdropper. So he only can use his measurement outcome and the announcements of Alice and Bob to cheat.

Same to a dishonest Bob, Calvin only can obtain the information of \(k_{i}^{A}\oplus k_{i}^{B}\) when he measures his ith photon. He only could obtain x i y i (but not x i or y i ) even he can decode the value of \(k_{i}^{A}\oplus x_{i}\) and \(k_{i}^{B}\oplus y_{i}\). Namely, he cannot get any information about Alice and Bob’s private information.

4.3 The Capability of Fault-Tolerate

In the presented scheme, error-correcting code is used for correcting the fault appears both in practical quantum channel and measurement. Since error-correcting code’s capability of error-correcting is limited, the protocol’s capability of error-correcting is limited too. In the protocol, the total fault rate must be less than l/m, otherwise, it would lead to restart the scheme. Then Alice, Bob and Calvin must prepare another error-correcting code which has higher error-correcting capability to utilize in the scheme.

We must point out that there are some computer power needed for utilizing error-correcting code. In the scheme, the participants might have not enough computer power to utilize the [m,n] error-correcting code when n is very large. For solving the problem, they can select a suitable value of n′ to split the n private information to [N/L] groups where [N/L] is the maximal integer which is less than N/L, then fill up the last group with some 0. After this, they can arrive the comparison result by comparing every groups using the presented scheme until Calvin announce XY at one group or announce X=Y all the time.

5 Conclusion

In this paper, we point out that the previously QPC schemes are not secure in practical scenario where fault (including noise and error) is existent in the quantum channel and measurement. Then we propose a QPC scheme using GHZ states and error-correcting code. The analysis indicates that the scheme is secure and has the capability of fault-tolerate. In future, with the error-correcting code, we also can design other QPC schemes using other quantum resources in practical scenario.