1 Introduction

Various quantum cryptography protocols have been flourished by utilizing quantum mechanics principles, since Bennett and Brassard proposed the first quantum key distribution protocol in 1984 [3], which ensured two remote users can share a common random key securely. Over recent years many classical cryptographic impossibilities and interesting applications can be solved in quantum ways, such as quantum secret sharing (QSS) [10, 14, 16, 17, 19, 27], quantum key distribution (QKD) [2, 13, 15, 22, 28, 30, 34], quantum teleportation [4, 7, 8, 33], etc.

As a fundamental primitive in modern cryptography, secure multiparty computation (SMC) is to enable distrustful parties to jointly compute a function over their inputs, without leaking their respective secrets under the only assumption that some of them will follow the protocol honestly. Recently research on SMC arouses tremendous interests owing to its extensive applications and prospects, including secure multi-party quantum summation [11], secret ballot elections [1], and anonymous voting [6] and so on. Large numbers of natural protocols can be reworded to special cases of multiparty computation problems, so it is significant to design and analyze the special multiparty computation protocols. In the usual secure two-party computation scenario, Alice and Bob have their inputs x and y individually, and both of them wish to compute f(x,y) which is well known to themselves.

Quantum private comparison (QPC) is an important branch of secure multiparty computing, which allows two participants to determine whether their secrets happened to be equal, at the same time their inputs can be kept in secret. The first QPC protocol was proposed by Yang et al. [31, 32], the secrets of two parties can be compared based on the decoy photon and EPR pairs, and its security was guaranteed by one-way hash function, which utilized to encrypt their own secrets by both of the players. In addition to avoid some special attacks in their round trip transmissions, a number of special optical filters are inserted in every round, which decreases the qubit efficiency apparently. Soon after that, Chen et al.proposed a more efficient QPC protocol [9], which utilized the triplet entangled states and the simple single-particle measurement.

By reason that it is proved to be insecure, to construct a secure equality function in a two-party scheme [25], almost all previous QPC protocols have drawn support from a semi-honest third party (Trent). Trent might try to steal the players’ private inputs, but he cannot be corrupted by the adversary. Following some ideas of the quantum computation protocols [18, 21, 23, 24, 29], enlightened by Kye et al.’s quantum key distribution protocol [20], we proposed a QPC protocol with random rotation angle, and it is also under the help of Trent. There are several features in our protocol. Firstly, participants share a sequence of secret classical keys in advance, which can prevent Trent and outsiders to steal or analyze their inputs. Secondly, the selected polarization angles θ and θ+π are not necessary for participants to discuss with each other, as Bob and Alice do not need to know the other’s polarization basis. Thirdly, no round-trip transmission exists in the protocol, so that many kinds of attacks are invalid to this protocol.

The structure of this paper is as follows. In Sect. 2, we propose a private comparison protocol with the random rotation. Then, we analyze the security of this protocol in Sect. 3. Finally, a brief discussion and summary are given in Sect. 4.

2 Quantum Private Comparison Protocol with the Random Rotation

The case with two distrustful players who want to compare whether their secrets are equal with Trent’s help is taken into consideration. Supposed that the two players, Alice and Bob have secrets a and b, respectively.

Let A={a n−1,a n−2,…,a 0} and B={b n−1,b n−2,…,b 0} be the binary representations of a and b in \(F_{2^{n}}\), where \(a=\sum_{i=0}^{n-1}{a_{i} 2^{i}}\), \(b=\sum_{i=0}^{n-1}{b_{i} 2^{i}}\), with a i ,b i ∈(0,1), 2n−1≤max{a,b}≤2n.

Then Alice divides her classic secrets into \(\lceil\frac{n}{m}\rceil \) (m≥2) groups, which are

Bob does the same operation as Alice and gets

Step 1

Alice and Bob share a sequence of secret classical keys Θ={θ 0,θ 1,…,θ n−1} in advance, in which n is the length of secrets and \(\theta_{i}\in\{\frac{\pi }{4},\frac{\pi}{2}\}\)(i=0,1,…,n−1). Trent prepares m EPR pairs to form initial sequence S T , every pair is randomly chosen from \(\{|\phi^{+}\rangle=\frac{1}{\sqrt{2}}(|00\rangle+|11\rangle),|\psi ^{-}\rangle=\frac{1}{\sqrt{2}}(|01\rangle-|10\rangle)\}\), and records the initial states, after that divides these EPR pairs into two sequences, namely S A ,S B . The first particles of all EPR pairs are formed to the sequence S A , and the rest are formed to the sequence S B .

Step 2

Trent prepares two sequences of decoy states \(S_{A}'\) and \(S_{B}'\), randomly in photon states: |0〉,|1〉,|+〉,|−〉. Then he randomly inserts \(S_{A}'\) in S A and \(S_{B}'\) in S B to form new sequences \(S_{A}''\) and \(S_{B}''\). After that Trent sends the sequences \(S_{A}''\) to Alice, \(S_{B}''\) to Bob respectively.

Step 3

Alice and Bob inform Trent once they have received the quantum sequences \(S_{A}''\) and \(S_{B}''\). Then Trent announces to Alice and Bob respectively the positions and measuring bases ({|0〉,|1〉} or {|+〉,|−〉}) of the decoy states \(S_{A}'\) and \(S_{B}'\) for the eavesdropping check. Alice and Bob extract the checking states from \(S_{A}''\) and \(S_{B}''\), and perform the corresponding basis measurements to obtain two sequences of measuring results r A and r B . Thereafter, they report the results \(S_{A}'\) and \(S_{B}'\) to Trent respectively. If the error rate is limited in a predetermined threshold, Trent announces there is no eavesdropper and the protocol continues, otherwise Trent aborts the protocol and restarts.

Step 4

Alice and Bob recover the initial sequences S A and S B through discarding the decoy states, individually. Afterwards, they perform the operators U y (θ a +θ i ) and U y (θ b θ i ) on the ith particle respectively according to their secrets, where U y (θ)=cos(θ)Iisin(θ)σ y is the unitary operator which rotates the arbitrary angle along the y axis, and I and σ y are defined as above. If a i (b i )=0, Alice (Bob) chooses θ a (θ b ) randomly from {0,π}, otherwise Alice (Bob) chooses θ a (θ b ) randomly from \(\{\frac{\pi}{2}, \frac {3\pi}{2}\}\).

Step 5

After they perform the operators according to selected initial state, the EPR pairs turn to

or

Thereafter, Alice and Bob use Z basis ({|0〉,|1〉}) to measure the particles, and obtain a sequence of results \(R_{A_{i}}=\{ ra_{im},ra_{im+1},\ldots,ra_{(i+1)m-1}\}\) and \(R_{B_{i}}=\{ rb_{im},rb_{im+1},\ldots, rb_{(i+1)m-1}\}\). If the measuring result is |0〉, then ra j (rb j )=0; if the measuring result is |1〉, then ra j (rb j )=1, where imj≤(i+1)m−1.

Before they simultaneously transfer the results to Trent, the results should be revised and formed to another sequences \(C_{A_{i}}=\{ ca_{im},ca_{im+1},\dots,ca_{(i+1)m-1}\}\) and \(C_{B_{i}}=\{ cb_{im},cb_{im+1},\dots,cb_{(i+1)m-1}\}\), where cb im =rb im , cb im+1=rb im+1,… , cb (i+1)m−1=rb (i+1)m−1. If \(\theta_{j}=\frac{\pi}{4}\), ca j =ra j ⊕1, otherwise ca j =ra j , where imj≤(i+1)m−1.

Step 6

Trent calculates the exclusive-OR results r i =ca i cb i . If the initial state is \(|\phi^{+}\rangle=\frac {1}{\sqrt{2}}(|00\rangle+|11\rangle)\), Trent does nothing to the results, and otherwise he/she adds 1 to every exclusive-OR results, then the results change to t i . Now once there exists any j (imj≤(i+1)m−1), t j =1 in ith group, Trent interrupts the protocol and announces “1” to indicate Alice’s and Bob’s secrets are not equal, the (i+1)th, (i+2)th, … and (\(\lceil\frac {n}{m}\rceil\))th group secrets have no need to be compared. Otherwise Trent repeats the protocol until all the information has been compared, if \(T=\{t_{0},t_{1},\dots,t_{\lceil\frac{n}{m}\rceil-1}\}=\boldsymbol{0}\), he announces “0” to indicate Alice’s and Bob’s secrets are identical.

Table 1 shows two cases of comparison and the other cases can be proved in the same way.

Table 1 Two cases of comparison
Full size table

3 Security Analyses

In general, our protocol process is secure, and any information of the two parties will not be leaked. To see that, we will analyze the security of protocol from two main parts (outsider attack and insider attack).

3.1 Outsider Attack

Apart from the process of EPR pairs distribution, the rest information is transferred through a classical channel, in which the information is allowed eavesdropping but modifying. Because the information in the classical channel has no relationship with the participants’ secrets owing to the shared secret classical keys Θ, the eavesdroppers have no possibility to get the secrets. As a result, the only chance of outsider eavesdropper’s attack in this protocol is to attack the quantum channel in the Step 2. However, Trent inserts the decoy states \(S_{A}'\) and \(S_{B}'\) separately into S A and S B , and before Alice and Bob continue the next step, they will check the existence of eavesdropper. Trent announces respectively the positions and measuring bases ({|0〉,|1〉} or {|+〉,|−〉}) of the decoy states \(S_{A}'\) and \(S_{B}'\). Participants should measure the decoy states according to the measurements, which informed by Trent, then they and Trent publish the measuring results and initial decoy states. By discussion they can confirm whether there is an eavesdropper existing in the quantum channel.

Some well known attacks such as intercept-resend attack, measurement-resend attack, entanglement-measure attack and denial-of-service (DOS) attack can be detected with nonzero probability during the decoy checking process. What’s more, the Trojan horse attack can be automatically prevented, since there is no round-trip transmission in the protocol. Thus the outsider attack is invalid to our protocol.

When a qubit of entangled states travels in a noise quantum channel, parts of the initial entanglement might be lost. Fortunately, it has been proven that over any long distance, the reliably shared entanglement can be obtained by using the quantum-repeater technique, containing the entanglement purification [12, 26] and teleportation [7].

3.2 Insider Attack

In general, the participants have more advantages to attack the protocol than the outsider eavesdropper, because they can utilize their partial information without being detected legally. Although Alice’s role has superiority over Bob’s, the limited advantage does not threaten the security of our protocol. So we will consider two following possible cases.

3.2.1 Third Party Attack

As for Trent, what he does is to generate the initial states and calculate the final results. Due to the dishonesty of Trent, he might try to steal the participants’ secrets from the protocol.

In the generating process (S1), Trent could replace the initial states with other states, which can get through the decoy detection. However, by reason that the information Alice and Bob give Trent has irrelevance with the secrets they own, the substitution does not have any benefit for all of them in addition to the error. That is also the reason that Trent cannot obtain any information of Alice and Bob except the comparing results in the calculating process (S6). In the other steps, even though Trent is involved in the protocol process, its role has no more privileges than the outsiders. As a result Trent cannot get any secrets.

3.2.2 Participants’ Attack

Suppose Bob is a dishonest participant, who attempts to steal Alice’s information a. For that purpose Bob must get Alice’s initial states and the compared results by whatever means, actually it is not likely to succeed. Let alone the transportation in the classical channel cannot be modified in the quantum world, owing to the decoy states of the initial sequences, the probability is less than 50 %. Also, Bob can insert a filter in front of his devices to filter out the photon signal with an illegitimate wavelength, and obtain information by performing IPE Trojan horse attack strategies. However, there is no round-trip transmission in the protocol, so this method cannot make it.

Despite S5, what the two participants do is exactly same. Though it is Alice, who revises the results ca i based on their sharing classical secret keys, Bob also knows that which qubit should be revised.

Now we will discuss what will happen due to Alice’s superiority. However, the superiority is helpless. If she disobeys the protocol, send \(ca_{i}=ra_{i}(\theta_{i}=\frac{\pi}{4})\), or \(ca_{i}=ra_{i}\oplus 1(\theta_{i}=\frac{\pi}{2})\) according to her needs, the possibility is no higher than it of coin-flipping. Besides, Trent announces the comparing result by group, Alice has no idea whether the disobedience lead to the result. For instance, we suppose that m=5, the initial states is |ψ 〉, Alice’s secret a i is 01010, Bob’s b i is 10010, the comparing result is 1, but if Alice disobeys the rules on the first qubit, the result is 1. Therefore Alice cannot obtain any useful information. What’s worse, it leads to an inaccuracy that even Alice does not want to face up with this circumstance. In other words, Alice will introduce errors invariably if she wants to steal valuable information. So it suffices to conclude that our scheme is secure for Alice’s eavesdropping under an ideal environment. Moreover, if the quantum channels are noisy, the security of our scheme can be guaranteed by performing quantum error correction and privacy amplification [5, 7].

For these reasons, neither Alice nor Bob can get the other’s information via their own photons.

4 Conclusions

By and large, in this paper a private comparison protocol has been proposed, which utilized random rotation angle and EPR entangled states. The same as the previous protocols [9, 18, 21, 23, 29], our protocol is also under the help of a semi-honest third party and ensures fairness, security and efficiency. First and foremost, the selected polarization angles can efficiently prevent eavesdropping from the Trent and outsiders. At the same time because both of participants do not know each other’s selection, the secrets will not be analyzed and disclosed. What’s more, participants’ secret messages are divided into many groups, the comparison of following data do not need to continue as long as Trent announces the result “1” in a certain round, Alice and Bob both know the final result. Hence, it saves plenty of quantum recourses and time.