Multi-Party Quantum Private Comparison Protocol with an Almost-Dishonest Third Party using GHZ States

Abstract

This article proposes an innovative quantum private comparison (QPC) protocol for n users using GHZ states, where an almost-dishonest third party (TP) is introduced to assist the participants for comparing their secrets. It is argued that as compared to the existing QPC protocols our proposed scheme has some considerable advantages. First, in the existing QPC protocols, the TP can only to determine whether all participants’ secrets are equal or not. Instead of that, in our proposed scheme a TP can even compare the secrets between any subsects of users. Second, since our proposed scheme is based on GHZ state; hence it can ensure higher efficiency as compared to other existing multi-party QPC protocols on d-dimension photons.

1 Introduction

Quantum private comparison (QPC) is an imperative branch of secure multiparty computing, which allows two participants to determine whether their secrets happened to be equal or not, and at the same time their inputs can be kept in secret. The first pioneering work in QPC was proposed by Yang et al. [2], where the secrets of two parties can be compared with the Einstein-Podolsky-Rosen (EPR) pairs, and its security was guaranteed with the concept of the inclusion of decoy photons in the quantum sequence and the one-way hash function, which utilizes to encipher their own secrets by both of the players. Moreover, to resist some special attacks in their round trip transmissions, a number of special optical filters are inserted in every round, which decreases the qubit efficiency. Hereafter, Chen et al. [3] proposed a QPC protocol using a triplet Greenberger-Horne-Zeilinger (GHZ) states. In their protocol, to construct a secure equality function in a two-party scheme, a semi-honest TP was introduced, where TP might try to steal the players’ private inputs, which makes the protocol insecure.

Subsequently, few more interesting QPC protocols have been proposed, where all comparison are between two parties. Examples of them include, Tseng et al.’s [4] QPC protocol without any entangled EPR pairs and Liu et al. [5–9] proposed QPC protocols which are based on the GHZ states, triplet W states and the χ-type genuine four particle entangled states. Besides, there are some QPC protocols [14–17], which have been proposed with the concept of d-dimensional photon. However, because of the requirement of the highly-constrained equipment, 2-dimensional photon is considered to be more practical than the d-dimensional one.

In 2013, the first multi-party QPC was proposed by Chang et al. [1], where, if there are nparties, each of them have a private information, then nparties can determine their nsecrets are equal or not. Now, like [3], and [5–9] in this case also, a semi-honest TP is involved to help the participants, which we consider as a strong assumption, because, in the real world, TP may not be semi-honest always. Here, by semi-honest TP we mean that the TP has to execute the protocol loyally and announce the result of the comparison faithfully. If TP wants to obtain the two participants’ secret information, he/she might be able to do that by using the records of all intermediate transmissions and computations of the participants to reveal the private information. Till date, there are two kinds of definitions for the semi-honest TP. One is similar to the definition, used in [1], and [5–9]. On the other hand, the other definition of the semi-honest TP is that, except colluding with the participants, TP may try to perform several possible attacks for disclosing the secret information of the participants. There are some existing QPC protocols [14–17], where the second definition of the semi-honest TP is used. Even though, the capabilities of the TP in two different definitions are dissimilar. However, they are represented with the same designation, i.e. semi-honest, which may confuse a reader (especially a beginner). In this article, at first we resolve this issue by designating the TP used in [14–17], as almost-dishonest [18, 19]. Subsequently, we propose a quantum private comparison (QPC) protocol for n users using GHZ states, where an almost-dishonest third party (TP) will support the participants for comparing their secrets. As compared to the existing QPC protocols our proposed scheme has some notable advantages. Firstly, in the existing QPC protocols, a TP only to determine whether all participants’ secrets are equal or not, instead in our proposed QPC protocol, a TP can even compare the secrets between any subsects of users. Secondly, since our proposed QPC protocol is based on GHZ state; hence it can ensure higher efficiency as compared to other existing multi-party QPC protocols on dimension photons [14–17], where capability of the TP is similar as ours.

Therefore, the rest of the article is organized as follows. In Section 2, we present our proposed scheme. Security of the proposed scheme is analyzed in Section 3. Finally, the concluding remarks are given in Section 4.

2 Proposed Scheme

This section comprises of our proposed QPC protocol with almost-dishonest TP. To do so, here at first we make a specific way for choosing the initial states, which helps the participants to check that whether their particles generated by TP are entangled or not. In other words, if TP generates any fake states like single photons, which may benefit TP to comprehend the secrets of the participants. Now, in order to prevent TP to do such things, our approach for selecting the initial states helps the participants to verify that whether the initial states generated by TP are phony or not.

Considering the GHZ states are described as follows:

\(K^{m}=\frac {1}{\sqrt {2}} \left (|S_{m}\rangle + |\overline {S_{m}}\rangle \right ), K^{n}=\frac {1}{\sqrt {2}} \left (|S_{n}\rangle - |\overline {S_{n}}\rangle \right ),\) where m, n = 1,2,3,...,2^N−1, |S _m 〉,|S _n 〉=|q ₁, q ₂,..., q _N 〉, \(|\overline {S_{m}}\rangle + |\overline {S_{n}}\rangle =|\overline {q_{1} ,q_{2} ,...,q_{N}}\rangle \), q ₁ = 0, q ₂, q ₃,..., q _N ∈{0,1}. Here, N denotes the number of participants to compare the equality of their secrets.

In order to resist TP from preparing any fake initial states, here we selects the set of 2^N−1 initial states (IS) Ψⁱ, where i = 1,2,3,...,2^N−1, In which, 2^N−2 are chosen from K ^m and the rest 2^N−2 from K ⁿ where m≠n, and for every m≠n⇒|S _m 〉≠|S _n 〉. In other words, exactly equal number initial states should be chosen from K ^m and K ⁿ. Otherwise, any unequal ratio may cause information leakage problem.

Ψⁱ can be represented in Z-basis as follows:

\({\Psi }^{i}=\frac {1}{\sqrt {2}} \left (|q_{1} ,q_{2} ,...,q_{N} \rangle +(-1)^{\Delta } |\overline {q_{1} ,q_{2} ,...,q_{N}} \rangle \right ) \) where Δ is either 0 or 1

Now, for verifying the initial states, the participants need two conjugate bases to check the entanglement between their particles. So, we convert the above initial states in X-basis, which can be denoted as follows:

\({\Psi }^{i}=\frac {1}{\sqrt {2}} \left (|q_{1} ,q_{2} ,...,q_{N} \rangle +(-1)^{\Delta } |\overline {q_{1} ,q_{2} ,...,q_{N}} \rangle \right ) = \frac {1}{\sqrt {2^{N-1}}} (-1)^{\delta }|x_{1},x_{2},..., x_{N}, \rangle ,\) x _i ∈{+,−} and \(n(-)\left \{ {\begin {array}{l} even,if{\Delta } =0 \\ odd,if{\Delta } =1 \end {array}} \right .\), where \(\delta =\sum \nolimits _{\left \{ {j\vert x_{j} =-} \right \}} {q_{j} \left ({\bmod 2} \right )} \) means the sum of all the q _j mod 2 if j satisfy that x _j = − and in that case n(−) represents the total number of ‘ −’.Protocol Steps:

1. 1.

   TP selects a set of initial states \(\left \{ {{\Psi }^{1},{\Psi }^{2},...,{\Psi }^{2^{N-1}}} \right \}\) according to the above rule and publishes to all the participants. Hereafter, during each execution of the protocol, TP can randomly choose GHZ state from the set of initial states to establish the sequence of initial state IS _TP.

2. 2.

   Now, TP sends the sequence of ith photon, p _i with some decoy photons to the participant i and similarly, sends the sequence of (i+1)t h photons p _i+1 with the decoy photons to the participant i+1 and so on.

3. 3.

   Hereafter, TP needs to do the public discussion with every participant for informing the corresponding positions and bases of the decoy photons. Based on that, every participant can check their decoy photons. In that case, if the error rate is smaller than the threshold value, then execution of the protocol will be continued, otherwise, the execution of the protocol will be aborted.

4. 4.

   Next, all the participants require to choose some positions of p in order to check that whether TP cheats with the initial states or not. To do so, at first they need to discuss for choosing some positions, and ask TP to announce the initial states about those corresponding positions. After that, they also need to discuss for selecting the identical basis from Z basis {|0〉,|1〉} or X basis {|+〉,|−〉} (where \(|+\rangle =\frac {1}{\sqrt {2}} (|0\rangle +|1 \rangle ),|- \rangle =\frac {1}{\sqrt {2}} (|0 \rangle -|1\rangle ))\) and use the bases to measure the corresponding positions of p. In that case, if the error rate is smaller than a threshold value, then the execution of the protocol will be continued, or the protocol is required to be aborted. Conceive that, after dropping those checked photons, we have p ^′ photons.

5. 5.

   Hereafter, the participant i will measure p ^′ with Z basis and gets the measurement result M R _i and calculates C _i = M R _i ⊕S _i then sends C _i to TP.

6. 6.

   Now, based on the result of C _i ⊕C _j , TP can comprehend that whether each two of them are equal or not. Because, C _i ⊕C _j = M R _i ⊕S _i ⊕M R _j ⊕S _j , and TP knows M R _i ⊕M R _j which reveals by the corresponding initial states.

Example

In order to clarify our proposed scheme in detail, here we give an example. Conceive that, there are three participants namely, Alice, Bob and Charlie with secrets S _A = 4, S _B = 4 and S _C = 2, want to compare their secrets and there is a third party denoted as TP, who is almost-dishonest can help them. TP chooses \(\frac {1}{\sqrt {2}} (|000\rangle +|111\rangle )\), \(\frac {1}{\sqrt {2}} (|001\rangle +|110\rangle )\), \(\frac {1}{\sqrt {2}} (|010\rangle -|101\rangle )\) and \(\frac {1}{\sqrt {2}} (|100\rangle -|011\rangle )\) from three-particle GHZ states according to the above rule as the set of initial states which is used for this round. Then, TP publishes the initial states of the above four states to all the participants. At the same time, TP generates five three-particle GHZ states \(\frac {1}{\sqrt {2}} (|010\rangle -|101\rangle )\), \(\frac {1}{\sqrt {2}} (|010\rangle -|101\rangle )\), \(\frac {1}{\sqrt {2}} (|000\rangle +|111\rangle )\), \(\frac {1}{\sqrt {2}} (|000\rangle +|111\rangle )\), and \(\frac {1}{\sqrt {2}} (|000\rangle +|111\rangle )\) as the initial states. After that, TP sends the first, second and third photons of all sequences with decoy photons to Alice, Bob and Charlie, respectively. When all the participants receive the photons, TP announces the positions and measurement bases of the decoy photons. Then, every participant discusses with TP to check whether there exists any eavesdropper or not. If there is no eavesdropper, then all the participants discuss together to choose the positions one and three and ask TP to announce the initial states.

So, TP announces the initial state of position one with \(\frac {1}{\sqrt {2}} (|010\rangle -|101\rangle )\) and position three with \(\frac {1}{\sqrt {2}} (|000\rangle +|111\rangle )\). Then, all the participants decide to use X basis to measure position one and Z basis to measure position three. Hereafter, they measure the corresponding photons and publish the measurement results and eventually check whether the states are correct or not. If so, then all the participants drop the checked photons and measure the remaining photons with Z-basis. Here, we assume Alice, Bob and Charlie get the measurement results M R _A , M R _B and M R _C with 001, 101, and 001. (Because the remaining states is \(\frac {1}{\sqrt {2}}(|010\rangle -|101\rangle )\), \(\frac {1}{\sqrt {2}} (|000\rangle +|111\rangle )\), and \(\frac {1}{\sqrt {2}} (|000\rangle +|111\rangle )\).) Then, they XOR the secrets S _A = 4, S _B = 4 and S _C = 2 with the M R _A , M R _B and M R _C , respectively and eventually get C _A = 101, C _B = 001 and C _C = 011. Subsequently, they send them to TP. After receiving C _A , C _B and C _C , since TP knows M R _A ⊕M R _B = 100, hence, TP can compare Alice’s and Bob’s secrets by C _A ⊕C _B ⊕M R _A ⊕M R _B = 101⊕001⊕100=000. Then TP can comprehend that S _A is the same as S _B . On the other hand, since C _A ⊕C _B ⊕M R _A ⊕M R _B = 101⊕011⊕000=110, so, TP can know that S _A is not the same as S _C .

3 Security Analysis and Comparison

In this section, at first we will demonstrate that our proposed scheme holds several imperative security properties, which are indeed essential to offer a secure QPC protocol. Then, in order to manifest the advantages of our proposed scheme, we compare the performance of our proposed scheme with respect to [1–3].

3.1 Outsider Attack

After TP sent all the particles to each participant, every participant needs to do the public discussion to check whether any outside attacker exists or not. In that case, at first, TP will announce the positions and measurement bases of all the decoy photons to each participant. Then, each participant can get the measurement results by measuring the corresponding decoy photons. After that, every participant needs to publish the measurement results to TP and then TP can verify the measurement results sent from the participants to determine whether there exists any outside attacker or not.

Since, the outside attacker does not know the positions and measurement bases of the decoy photons, some well-known attacks such as intercept-resend attack [10], correlation-elicitation attack [11], and entanglement-measure attack [12] can be detected via the checking mechanism [13]. For example, if Eve measures a decoy photon |0〉 or |1〉 with Z basis {|0〉,|1〉}, she can pass the public discussion. However, if Eve measures a decoy photon |+〉 or |−〉 with Z basis {|0〉,|1〉}, she will have the probability of 50 % to be detected. Obviously, Eve has a probability of 50 % to choose the wrong basis for measurement. Therefore, the detection rate for each decoy photons is 25 % (50 % ×50 %). For l decoy photons (where l is large enough), the detection rate is 1−(3/4)^l which is close to 1 if l is large enough. Furthermore, since quantum bits are transmitted only once in the proposed protocol, the Trojan horse attack can be automatically prevented. Therefore, the proposed protocol is free from any outsider attack.

3.2 Insider Attack

In this sub-section, we consider two cases of insider attacks. The first case discusses how to resist for a user to obtain the other user’s private information. The second case discusses the possibility for TP from stealing each user’s information.

Case 1

Participant attack

Suppose, there is a user, Alice, who is basically a dishonest user, attempts to obtain the other user’s (Bob) private information. If Alice tries to intercept the transmitted photons from TP to Bob, she will be detected as an outside attacker as described in Section 3.1 Thus, the only possible way for Alice to do is to use her particles to extract Bob’s measurement result or infer M R _A ⊕M R _B . However, without knowing the initial states of the GHZ class states, it is impossible for her to do so.

Case 2

Almost-dishonest TP attack

Now, we consider TP who is an almost-dishonest entity, where TP has to help each participant to accomplish the protocol but TP cannot collude with the participants. However, TP may share the fake states in order to get the useful messages (information of participants). Fortunately, in our proposed QPC protocol, all the participants will come across with the verification process (in Step 4) to check whether TP shares the correct states with them or not.

Now, TP may also try to acquire useful information from the relation of the initial states and the returned value C _i sent from each participant. According to the Step 6, the returned value is C _i = M R _i ⊕S _i , that means, if TP can know the value of M R _i , then, he can get the secret of S _i However, according to the initial states, TP can know the relation between two participants but cannot know the value about M R _i . Hence, TP cannot comprehend the secret from any participant.

3.3 Comparison

Now, in order to manifest the advantages of the proposed scheme, here we compare our proposed scheme with the recently proposed QPC protocols [1–3] (shown in Table 1). From Table 1, it is clear that the performance of the proposed scheme is quite similar to [1]. However, in [1], TP was assumed to be semi-honest, which may not be true always, wherein our proposed scheme TP can be almost-dishonest, that specifies that the security resistance of our proposed scheme is much higher as compared to [1–3].

Table 1 The comparison of the proposed protocol to the other QPC protocols

To benchmark the performance of the proposed scheme more clearly, now we compare the proposed QPC protocol with respect to some recently proposed QPC protocols [14–17], where the TP is considered as an almost dishonest participant. From Table 2, it is clear that, since our proposed QPC protocol is based on the 2-diamentional photon rather than the d-dimensional one. Hence, our proposed scheme is more practical as compared to [14–17]. It should be noted that there are two protocols presented in [15], accordingly, we present them as [15-A] and [15-B].

Table 2 The comparison of the proposed protocol to the other almost dishonest based QPC protocols

4 Conclusion

In this article, we have presented a new multi-party quantum private comparison protocol with an almost-dishonest TP based on GHZ states. In order to do that, here have introduced some constraints for selecting the initial states, which helps the participants to check that whether their particles generated by the almost-dishonest TP are entangled or not. Finally, security analysis shows that our proposed scheme can resist several imperative attacks like insider and outsider attacks etc. Hence, the proposed scheme can be quite useful for the n-party secrets comparison.