Multi-Party Quantum Summation Based on Quantum Teleportation

We present a secure multi-party quantum summation protocol based on quantum teleportation, in which a malicious, but non-collusive, third party (TP) helps compute the summation. In our protocol, TP is in charge of entanglement distribution and Bell states are shared between participants. Users encode the qubits in their hand according to their private bits and perform Bell-state measurements. After obtaining participants’ measurement results, TP can figure out the summation. The participants do not need to send their encoded states to others, and the protocol is therefore congenitally free from Trojan horse attacks. In addition, our protocol can be made secure against loss errors, because the entanglement distribution occurs only once at the beginning of our protocol. We show that our protocol is secure against attacks by the participants as well as the outsiders.


Introduction
Secure multi-party computation, as a subfield in cryptography, has been gaining attention in recent years [1][2][3][4]. It was first introduced by Yao [5] and later extended by Goldreich et al. [6]. Secure multi-party computation has also been studied in quantum settings [7][8][9][10][11]. Lo [7] pointed out the insecurity of quantum computation without a third party in a two-party scenario. Chau [9] employed quantum resources to speed up classical multi-party computation. Ben-Or et al. [10] investigated distributed quantum computation. They showed how many players must be honest in order to make any multi-party quantum computation secure. Smith [11] proved that any multi-party quantum computation can be secure as long as the number of dishonest players is less than n/6, when n, the number of players, is larger than 6.
Secure multi-party quantum summation [12][13][14][15][16], which helps the construction of complex multi-party computation, is a fundamental primitive of secure multi-party quantum computation. In quantum summation protocols, the privacy of participants' inputs is preserved and the correctness of the summation is guaranteed by quantum properties. Quantum summation has also potential applications in quantum voting [17][18][19][20][21] and quantum private equality comparison [22][23][24]. Designing quantum summation protocols that can be implemented with current or near future quantum technologies is therefore of interest, as we pursue in this paper.
In the past few years, various quantum summation protocols have been proposed by employing a variety of quantum resources. Zhang et al. [25] presented a quantum summation protocol with single photons encoded in both polarization and spatial-mode degrees of freedom in 2014, in which unitary operations are utilized to encode the private bits on the travelling single photons. Such single photons must somehow be handed over/transmitted to the next user so that the collective sum of all private bits can be calculated. Most other protocols rely on sharing a multipartite entangled state among players. For instance, in 2015, a quantum summation protocol without a trusted third party was constructed [26]. However, the number of participants was limited to three due to the requirement of the so-called genuinely maximally entangled six-qubit states. In 2016, Shi et al. [27] used quantum Fourier transform, controlled NOT (CNOT) gates and oracle operators to propose protocols for summation and multiplication. Later, they proposed a common quantum solution to a class of two-party private summation problems [28]. In 2017, a multi-party quantum summation without a trusted third party was investigated by first generating a multipartite entangled state by one player and then sharing it with other users [29]. In the same year, Liu et al. [30] adopted Bell states to construct multipartite entangled states that were used to carry participants' inputs, where the quantum communication in their protocol is two-way. This means that special care with regard to Trojan horse attacks [31][32][33] should be provided to participants. Unlike their protocols, participants in our protocol do not need to send the encoded states back to others, thus our protocol is naturally free from Trojan horse attacks and no protection against such attacks are needed. In 2018, Yang et al. [34] provided a quantum solution to secure summation depending on n-partite multi-dimensional entangled states.
One common feature in all hitherto proposed quantum summation protocols is their dependence on a reliable means for quantum state transfer. In the case of protocols that rely on sharing multipartite entangled states [27][28][29][30]34], such a state is often generated by one player and then its different components are sent to other players. If any of these components does not reach its respective destination, then the whole procedure must be repeated. In such a case, relying on photons travelling through lossy channels does not seem to be an efficient option. Moreover, it could open us to new security threats that an eavesdropper can exploit by hiding behind the channel loss. Even for the case of the protocol in Ref. [25], the loss of the single photon in any leg of the system requires repeating the whole procedure. In addition, an eavesdropper can send a photon of her choice to a user and measure it after the user has applied his encoding to find out about the user's private bit. Most of these protocols fail to work unless a reliable quantum state transfer (RQST) service is available to them. This is a kind of service that one may expect to have once we have a fully functional quantum network.
There are two well-known approaches to RQST. In one scenario, one distributes entangled states between the two end users of a quantum communication system, and then use teleportation to transfer an unknown quantum state from one place to another. In the second approach, one has to use perhaps complex quantum error correction codes to compensate for the erasure errors caused by photon loss as well as operational errors caused by system components. In both cases, we need quantum memories in our setup to store quantum states and to execute certain quantum processing tasks such as entanglement distillation or quantum error correction. This requirement of the system has thus far been neglected in the design of quantum summation protocols.
In this paper, we take advantage of the idea of quantum teleportation [35] to devise our protocol. In order to get a better insight into the practicality of a quantum summation protocol, in this work, we account for the bipartite entangled states that one would need to distribute if teleportation is used for the RQST part of the protocol. We discover that in fact such Bell states are sufficient to devise a secure quantum summation protocol without requiring the distribution of additional multipartite entangled states. Moreover, by not revealing the information about which Bell state is shared between two players, we, in effect, can protect ourselves against attacks by malicious participants. In our protocol, similar to Ref. [25], participants' private bits are encoded into single-qubit unitary operations. Encoded states are then effectively teleported to the next user by performing local Bell-state measurements (BSMs). This makes our protocol congenitally free from Trojan horse attacks. In our protocol, the required Bell states are shared by a third party (TP), who can be malicious but does not collide with other players. In any case, our protocol does not rely on multipartite entanglement or high-dimensional states, which makes its implementation much more feasible. Table 1 summarizes the required resources for various protocols as compared to ours. In particular, we have compared these protocols in terms of their efficiency, defined as the number of qubits (quantum memories) they need in order to find the sum of n private bits, when one accounts for a minimum of two quantum memories needed for teleportation. The assumption here is that maximally entangled states are shared among users, but we do not account for additional memories that may be needed for entanglement distillation or for possible repeater nodes. It is clear from this table that our protocol not only is more efficient than other protocols in the table but also only relies on bipartite entanglement rather than multipartitite states. The rest of this paper is organized as follows. In Section 2, we illustrate our idea to design a secure multi-party quantum summation protocol and provide an example of a two-party scenario. In Section 3, we describe our multi-party quantum summation protocol in detail, followed by its correctness and security analysis in Section 4. Practical considerations of our protocol will be discussed in Section 5, and conclusions are given in Section 6.

Key Idea of Our Protocol
In this section, we work out our proposed quantum summation protocol for the particular case of two participants and a malicious but non-collusive third party (TP). TP has to calculate the modulo 2 sum of the participants' secret bits by satisfying the following requirements: 1. Correctness: the result of summation in modulo two of all participants' private input bits is correct. 2. Security: an eavesdropping outsider cannot learn any information about participants' private input bits without being detected. 3. Privacy: TP cannot learn about participants' private inputs.
Note that although TP cannot obtain two participants' private bits in the two-party scenario, each participant can find out the private bit of the other participant once the sum is known. Nevertheless, this is a simple example by which we can explain our protocol. In Section 3, we generalize this idea to the multiple participants scenario, where the privacy requirement will be extended to include most participants as well as TP.
Our protocol relies on sharing a chain of Bell states among participants and teleporting an unknown state by TP to itself via this chain; see Figure 1. Along the way participants can affect the linked states by applying local operations on their share of entangled states. TP can calculate the sum by comparing the teleported state with the original state she has generated. Before describing the protocol, let us first review the teleportation protocol and introduce the notation used in the paper. In general, Bell states are of the following form where x, y ∈ {0, 1} and ⊕ represents addition modulo 2. The relationship between Bell states and classical bits can be defined as |B xy ↔ xy, x, y ∈ {0, 1}.
In this work, we are particularly interested in the unitary operation U = ZX, for which we have: where a, b ∈ {0, 1}. Additionally, the following equations . Note that both computational basis {|0 , |1 } and diagonal basis {|+ , |− } are closed under U. Ignoring the phase, U swaps |0 and |1 (|+ and |− ). We use U = ZX from now on and it will be applied on one of the two components of a Bell state if the participants' private bit is 1. Now, let us describe a simple version of our protocol that, for now, does not fulfill the security requirement; see Figure 1. Suppose each participant has two quantum memories. Then, we implement the following steps: (Step 1) Entanglement distribution. TP distributes Bell states, each of which is randomly selected from the Bell basis, among participants and generates a state |ϕ T chosen randomly from the set {|0 , |1 , |+ , |− }. The state |ϕ T is stored in quantum memory T. (Step 2) Private inputs encoding. P 1 (P 2 ) applies U = ZX on quantum memory 1 (quantum memory 3) if her private bit is 1. Otherwise, she does nothing. (Step 3) Bell-state measurement. TP measures quantum memories T and 0 in the Bell basis. Similarly, P 1 (P 2 ) measures quantum memories 1 and 2 (3 and 4) in the Bell basis. P 1 and P 2 will announce their measurement results to TP. (Step 4) Correction and computation. After necessary corrections on quantum memory 5 depending on all the measurement results and the original Bell states, TP measures quantum memory 5 in the same basis as that of the original state of quantum memory T. If the state of quantum memory 5 is the same as the original state of quantum memory T, TP concludes that the sum is 0, otherwise, the sum is 1. Let us work out a simple example to show how the protocol works. In Figure 1, (Step 1) Entanglement distribution. Suppose the initial state among TP, P 1 and P 2 is given by |ζ 0 j = |+ T ⊗ |B 00 01 ⊗ |B 00 23 ⊗ |B 00 45 . ( Step 2) Private input encoding. Suppose P 1 's (P 2 's) private bit is 0 (1), P 1 then does nothing on quantum memory 1, but P 2 applies U = ZX on quantum memory 3. According to Equations (3)-(8), the state becomes where a global phase in the state of quantum memory 5 is ignored. (Step 3) Bell-state measurement. Suppose all the measurement results are x 0 y 0 = x 1 y 1 = x 2 y 2 = 00, and they are announced to TP. Then, effectively, the state of T is teleported to qubit 1, and then teleported to qubit to 3, at which point it is flipped by the U operation, and teleported back to TP.
(Step 4) Correction and computation. In this particular case, there is no correction needed by TP. TP measures quantum memory 5 in the basis {|+ , |− }, and finds that the state of quantum memory 5 is different from the original state of quantum memory T. TP concludes that the sum is 1.
In (Step 3) of the above example, if not all the measurement results are 00, TP can correct the state of quantum memory 5 by performing quantum operations on it using Equations (3) and (4) before she measures quantum memory 5.
In a full protocol, we need to include steps that alert us to possible attacks. We consider two kinds of attacks in our protocol: those by outsides and those by malicious participants. We employ extra Bell states to detect these attacks and meet the security requirements. By measuring each component of a Bell state in the same basis (all in the computational basis or all in the diagonal basis) and comparing the measurement results, these attacks can be detected. The details of the detection process can be found in Section 3.

Multi-Party Quantum Summation
We assume that the classical channels are authenticated and quantum channels are noiseless. The third party, TP, who conducts the summation is assumed to be malicious but non-collusive. That is to say, TP can do whatever she would like within boundaries of quantum mechanics except collision with dishonest participants. The summation can be revealed in public. For simplicity, we denote TP as P 0 in the rest of the paper.
Suppose that the q-th participant (q = 1, 2, . . . , n; n > 2) has a private bit string M q . P 0 computes the summation ⊕ ∑ n q=1 M q , where ⊕ ∑ denotes pointwise addition in modulo 2, and where L is the length of each private bit string. Our n-party (n > 2) summation protocol shall meet the following requirements: 1. Correctness: the result of pointwise summation in modulo two of all participants' private input bits is correct. 2. Security: an outside eavesdropper cannot learn any information about participants' private input bits without being detected. 3. Privacy: no participant can learn about other participants' private input bits without being detected, except in the obvious case of n − 1 players collaborating to learn the remaining user's private bits.
Our full protocol is described in the following.
(Step 2) Security detection. Participants detect if genuine Bell states are shared among them in an honest way.
(Step 2.1) To examine the genuinity of the Bell states shared between P 0 and P 1 , P 1 first randomly chooses R Bell states shared between quantum memory G 0 0 and quantum memory G 0 1 and asks P 0 to announce the corresponding initial states. P 1 then measures each corresponding component in G 0 1 randomly in the computational basis {|0 , |1 } or in the diagonal basis {|+ , |− }, and keeps the measurement results to herself. Subsequently, P 1 asks P 0 to measure the corresponding components in the same basis as P 1 does and publicize the measurement results. According to the property of Bell states, P 1 checks if these measurement results are correlated with each other. If the error rate exceeds a certain threshold, the protocol will be aborted and repeated from (Step 1). Otherwise, the protocol will continue. (Step 2.2) To check the genuinity of the Bell states shared between P 0 and P n , P n also uses R Bell states to complete this detection utilizing the similar method as that used by P 1 . If the error rate exceeds the threshold, the protocol will be aborted and repeated from (Step 1). Otherwise, the protocol will continue. (Step 2.3) To check the genuinity of the Bell states shared between P i and P i+1 (i = 1, 2, . . . , n − 1), P i randomly selects R/2 Bell states shared between G i 2i and G i 2i+1 and asks P 0 to announce the corresponding initial states. Later, P i measures each corresponding component in G i 2i randomly in the computational basis or in the diagonal basis, announcing the measurement results. Next, P i+1 measures each component in G i 2i+1 entangled with the one in P i 's hands in the same basis, publicizing the measurement results. P i and P i+1 can finally check if these measurement results are correlated according to the initial states and the property of Bell states. The same procedure will be used by P i+1 with R/2 Bell states of his choice and randomly selected measurement bases. If the error rate in either case exceeds the threshold, the protocol will be aborted and repeated from (Step 1). Otherwise, they ensure that the states shared between them are genuine Bell states and distributed in an honest way, and the protocol will continue. (Step 3) Private input encoding. P 0 removes R states used for detection from quantum memory G 0 0 (G n 2n+1 ), leaving L ordered states, denoted by V 0 0 (V n 2n+1 ), in it. P i (i = 1, 2, . . . , n) also removes R states used for checking from quantum memory G i−1 2i−1 (G i 2i ), resulting in L ordered states, denoted by V i−1 2i−1 (V i 2i ), in it. Note that quantum memories G i 2i and G i 2i+1 (i = 0, 1, . . . , n) now share L ordered Bell states, which form L chains of Bell states among all participants (inlucding P 0 ). Namely, the j-th (j = 1, 2, . . . , L) state of V i 2i in G i 2i and the j-th one of V i 2i+1 in G i 2i+1 form a Bell state. Afterwards, P i (i = 1, 2, . . . , n) performs U m i1 Step 4) Bell-state measurement. P 0 measures the j-th (j = 1, 2, . . . , L) state of V 0 0 and the j-th one in quantum memory G 0 T in the Bell basis, obtaining measurement results (x 01 y 01 , x 02 y 02 , . . . , x 0L y 0L ) in accordance with Equation (2). Similarly, P i (i = 1, 2, . . . , n) measures the j-th state of V i−1 2i−1 and the j-th one of V i 2i in the Bell basis, attaining measurement results (x i1 y i1 , x i2 y i2 , . . . , x iL y iL ). Finally, They announce the measurement results to P 0 . (Step 5) Correction and computation. Based on all the measurement results and the knowledge of original Bell states (only known to P 0 ), P 0 performs correcting operations on the j-th (j = 1, 2, . . . , L) state of V n 2n+1 . Next, P 0 measures these resulting states in the same basis as the original states in quantum memory G 0 T , gaining the measurement results (t 1 , t 2 , . . . , t L ). With these measurement results, P 0 compares the j-th state of V n 2n+1 with the j-th original state in quantum memory G 0 T . If these two states are the same (different), P 0 knows that the j-th bit of the sum is 0 (1). At last, P 0 can achieve the sum modulo 2 of participants' private bit strings, and the privacy of these private strings is preserved.
Note that, if the summation is only intended for a certain participant, say P i , she can be selected as the one who distributes Bell states like TP. The process is analogous to that with TP if P i is also assumed to be malicious, but non-collusive.

Analysis of the Multi-Party Quantum Summation
In this section, we study the security of our protocol. It can be verified that the protocol would provide us with the correct sum if all parties follow the protocol. A detailed derivation of the correctness is given in Appendix A. In terms of security, we have to show that our protocol is secure against both outsider and participant attacks, and it fulfills the security and privacy requirements mentioned in Section 3. In our case, an outsider can potentially influence our protocol via the initial entanglement distribution. We show here how by using extra Bell states we can verify if the distributed states are genuinely Bell states. There also exist Trojan horse attacks [31][32][33], such as the delay-photon Trojan horse attack and the invisible photon eavesdropping Trojan horse attack if quantum states are encoded and relayed in quantum communications protocols. Since our protocol uses Bell states to compute the summation and no encoded states are needed to be relayed, our protocol is secure against these attacks. We therefore focus here on the case of an attack by the TP, or possibly an outsider, and leave the details of the security against other malicious participants to Appendix A.
Attacks from P 0 . We here consider the attacks from P 0 who cannot collude with any other participants. For simplicity, we suppose that P 0 wants to obtain one bit of P i 's (i = 1, n) private bit string and consider the chain related to this bit. In order to learn about this bit of P i , P 0 has to find out if P i performs quantum operation U = ZX on her memory. P 0 can therefore launch entanglement swapping attack on this chain, as shown in Figure 3. Suppose, in Figure 3, the states of quantum memories b and (2i − 1) and quantum memories c and (2i) distributed by P 0 are |B 00 b(2i−1) and |B 00 c(2i) , respectively. P i will apply U = ZX on quantum memory (2i − 1) if her secret bit is 1, otherwise she will do nothing. P i then measures quantum memories (2i − 1) and (2i) in the Bell basis and announces her measurement result x i y i to P 0 as described in (Step 4) in the proposed protocol. After that, P 0 can measure quantum memories b and c as well and obtain the measurement result x c y c . Because the original states of quantum memories b and (2i − 1) and quantum memories c and (2i) are the same, if x i y i and x c y c are the same, P 0 knows that P i has not performed U on quantum memory (2i − 1) and learns about P i 's private bit being 0, according to the entanglement swapping property. Otherwise, P 0 concludes that P i 's private bit is 1. However, this attack will be detected in (Step 2) where the genuinity of Bell states shared between P i and P i+1 (between P i−1 and P i ) is checked.
To show this note that Bell states can be rewritten in linear and diagonal bases as follows If P i and P i+1 shared a known Bell state, and each one measures one component of the Bell state in the same basis (in the computational basis or in the diagonal basis), they will obtain a certain relationship between their measurement results. For a fake Bell state (the state of quantum memories (2i − 1) and (2i − 2) is not a Bell state, we call it a fake Bell state) used for detection, P 0 is able to pass the detection with probability of 1 2 . P 0 may distribute only one fake Bell state between P i and P i+1 and another fake Bell state between P i−1 and P i such that these two states are in the same chain to obtain P i 's private bit. At the same time, P 0 can get the maximum probability of passing the detection. In this case, these two states should not be chosen for detection. The probability of escaping the detection is L 2 /(L + R) 2 . For i = 1 or i = n, this probability becomes L/(L + R). These two probabilities of P 0 passing the detection and obtaining one bit of one participant will approach 0 if R is large enough. As a result, P 0 fails to steal participants' private input bits.

Practical Considerations
In this section, we discuss some practical aspects of our protocol in the light of new developments in the field. In general, secure multi-party quantum computation requires an infrastructure for reliable quantum communications as provided by quantum repeaters and quantum networks. Our protocol is not an exception, but given that some of the required resources for our protocol, as listed in Table 1, are easier to achieve, we can envisage a small-scale demonstration of this protocol in the near future. Multicore optical fibres [41,42] can be used to fish this task.
One of the key requirements in our scheme is to distribute Bell states between two parties. A full implementation of this aspect over any arbitrary distance is only possible with fully functional quantum repeaters. This may not be possible in the near future. But, a small-scale quantum network with nodes within tens of kilometers from each other is within reach. In fact, there are activities in Netherlands, for instance, to implement a four node quantum network within the country. Such a network can then be used for an initial demonstration of protocols like ours.
Another requirement of our system is that of quantum memories for storing and processing entangled states. In principle, we can run our protocol once all required entangled states are shared among users. This may increase the waiting time as well as the required storage/coherence time for memories. For a small-scale demonstration, with a few number of players at short distances from each other, this, can, however, be manageable. Quantum memories such as nitrogen vacancy centers in diamond [43] , or trapped ions [44,45], offer long storage times that could be suitable for our protocol. Plus, both these memories offer settings in which high-quality deterministic CNOT gates can be performed. The latter is necessary in order to keep our protocol loss resilient.
In terms of performance, there are two parameters that typically matter: at what rate, we can distribute entangled states among parties, and what would be the quality of the generated entangled state. The rate of entanglement generation is mainly affected by channel loss, but, for moderately short links, this may not be the major obstacle. For instance, if the maximum distance between two players is 50 km, for standard optical fiber channels with 0.2 dB/km loss, we have a channel transmissivity of 0.1. By accounting for a similar efficiency, for other parts of the system, we have a 1% chance in generating entangled states in every attempt. For a repetition rate of 1 M/s, we can then generate 10,000 entangled links per second, which should be sufficient for a small-scale demonstration. In terms of quality, in our analysis, we have assumed perfect Bell states can be exchanged among users. This is in principle possible if one can use entanglement distillation or error correction techniques. For a simple demonstration, however, it is more likely that we have to accept a bit of error in our system. This error rate would scale with the distance between the shared entangled state versus maximally entangled states, as well as with the number of players. One should also add to that the errors that might arise during the Bell-state measurements. In the end, if the error caused by imperfections in the system is too high, the protocol will abort during its verification stage.
One final note is about the number of Bell states that are needed for attack detection in our protocol. Here, in principle, we are using similar ideas as those used in quantum key distribution (QKD) for detecting eavesdroppers. But, unlike QKD, the ratio L/R, in our case, should be very low to keep the protocol secure. The main reason behind this is that in any quantum summation protocol, the protocol fails even if only one of the private bits gets revealed. That is, we have no chance to remove the information that has leaked to an eavesdropper once it has happened, whereas, in QKD, one can use privacy amplification to reduced the amount of leaked information about the final key. This seems to be a common issue in all quantum summation protocols and is not specific to our case.

Conclusions
We proposed a secure multi-party quantum summation protocol based on quantum teleportation, in which a TP, who could be malicious but non-collusive, was involved. The correctness and the security of the protocol were analyzed in detail. Our protocol did not require multi-partite entangled states. Only bipartite states (Bell states), Pauli operators and Bell measurement were needed in our protocol. The latter were all required in any teleportation protocol, which would be implicitly used in all other quantum summation protocols as well. By reducing the required resources to those needed for teleportation, we, in effect, proposed the most feasible quantum summation protocol, which could, in principle, be demonstrated, at small scales, using current quantum technologies. A more detailed error analysis is needed to account for the effect of imperfect entanglement distribution and/or operation errors. We will consider these imperfections in our future work.

Conflicts of Interest:
The authors declare no conflict of interest.

Appendix A. Analysis of the Multi-Party Quantum Summation
Appendix A. 1

. Correctness Analysis
We assume that all participants provide correct private bit strings. For the convenience of analyzing the correctness of our protocol, we define the relationship between quantum states {|0 , |1 , |+ , |− } and classical bits as follows: where m ∈ {0, 1}, |ϕ ∈ {|0 , |1 , |+ , |− }, U = ZX and a global phase is ignored, then . . . , (A7) |ψ n j (2n)(2n+1) = |B a n b n j (2n)(2n+1) , and P i (i = 1, 2, . . . , n) performs U m ij i (U i = U = ZX) on the j-th state of V i−1 2i−1 , the state becomes according to Equations (3)-(8), and a global phase of the state of quantum memory (2n + 1) is ignored. After P i (i = 0, 1, . . . , n) measures the corresponding states in the Bell basis, obtaining the measurement outcome x ij y ij (j = 1, 2, . . . , L), the state of quantum memory (2n + 1) collapses to With the announcement of x ij y ij (i = 1, 2, . . . , n) provided by P i , P 0 knowing the initial Bell states can calculate Later, X ⊕Σ n i=0 a i ⊕x ij Z ⊕Σ n i=0 b i ⊕y ij is performed on quantum memory (2n + 1). Consequently, the state of quantum memory (2n + 1) turns into After the measurement of quantum memory (2n + 1) in the same basis as that of quantum memory T, P 0 gains and therefore obtains the result for the j-th bit of the sum modulo 2 of participants' private bit strings, by using Equations (A1)-(A3).
In the end, P 0 is able to learn about the sum modulo 2 of participants' private bit strings.
public. But if the summation is kept secret in TP's hands, n − 1 dishonest participant cannot obtain anything about the honest participant's private input. Here, we show that our protocol is secure against the collusive attack of n − 2 dishonest participants, which is the maximum possible in this case. Attacks from (n − 2) dishonest participants (not including P 0 ). If (n − 2) dishonest participants wish to steal the other two honest participants' private bit strings M p and M q (p < q), they may employ the states in their hands to get useful information. We consider the j-th bit (j = 1, 2, . . . , L) in M p and M q and the corresponding states.
For q = p + 1, we first show how dishonest participants try to learn about m pj , as shown in Figure A1. In this case, P p+1 does not apply unitary operation on quantum memory (2p + 1) and Bell-state measurement on quantum memories (2p + 1) and (2p + 2). After the private input encoding stage (Step 3), the state of quantum memory T and quantum memories 0 ∼ (2p + 1) will be . . . ∑ ⊗Z ⊕Σ p k=0 b k ⊕y k X ⊕Σ p k=0 a k ⊕x k U ⊕Σ p k=1 m kj |ϕ j 2p+1 , where the j-th state in quantum memory T is |ϕ j T and the j-th Bell state shared between P s and P s+1 (s = 0, 1, . . . , p) is |B a s b s j (2s)(2s+1) . The dishonest participants try to get m pj from quantum memory (2p + 1). However, they will fail.
From Equation (A16), we can see that if P p+1 knows m sj (s = 1, 2, . . . , p − 1) , the basis of |ϕ j T and (a r , b r ) (r = 0, 1, . . . , p) (the information about the initial Bell states), she can first apply the right correction on quantum memory (2p + 1) and measure it in the right basis. According to m sj (s = 1, 2, . . . , p − 1), she can then obtain m pj . But she cannot do that. Even though P p+1 knows m sj (s = 0, 1, . . . , p − 1) with the assistance of P s and the measurement results (x 0 y 0 , x 1 y 1 , . . . , x p y p ), she knows nothing about the basis of |ϕ j T and (a r , b r ) that are kept secret by P 0 . Thus, she cannot perform the right correction on quantum memory (2p + 1) and measure it in the right basis. Finally, she fails to obtain m pj , let alone M p . Similarly, they cannot learn about M q . For q = p + 1, they may use a similar method as in the above case to take M p and M q . Namely, P p+2 does nothing on quantum memory (2p + 3) and skips Bell-state measurement on the corresponding state. In this case. the dishonest participants cannot even get the m pj ⊕ m (p+1)j . Therefore, the privacy of M p and M q is preserved.
For any two Bell states |B xy 12 and |B ab 34 , if quantum memories 2 and 3 are measured in the Bell basis and the measurement outcome |B km 23 is obtained, the state of quantum memories 1 and 4 then collapses to |B xy⊕ab⊕km 14 due to the Bell entanglement swapping property.
The dishonest participants may also start an attack based on the entanglement swapping property. For the case of q = p + 1, as shown in the dash box in Figure A2, the j-th Bell state shared between P p−1 and P p and that shared between P p and P p+1 are |B a p−1 b p−1 j (2p−2)(2p−1) and |B a p b p j (2p)(2p+1) , respectively. After P p performs U m pj p (U p = ZX) on quantum memory (2p − 1) and then measures quantum memories (2p − 1) and (2p) in the Bell basis, obtaining the measurement outcome |B x p y p j (2p−1)(2p) , the state of quantum memories (2p − 2) and (2p + 1) becomes due to the property of entanglement swapping. P p+1 skips the private input encoding stage, instead she can collaborate with P p−1 to measure quantum memories (2p − 2) and (2p + 1) in the Bell basis.
Can the dishonest participants find out U m pj p performed by P p to steal m pj ? The answer is no. Although P p−1 and P p+1 can measure quantum memories (2p − 2) and (2p + 1) in the Bell basis and get x p y p after P p 's announcement, they have to know a p−1 b p−1 and a p b p to derive U m pj p , but this information is unknown to them. For the case of q = p + 1, the analysis is similar. Therefore, this attack is also invalid to our protocol. Figure A2. Entanglement swapping attack by (n − 2) participants, where P p and P q are honest participants.