Quantum Secure Multi-Party Summation Using Single Photons

In this paper, we propose a secure multi-party summation based on single photons. With the help of a semi-honest third party, n participants can simultaneously obtain the summation result without revealing their secret inputs. Our protocol uses single photon states as the information carriers. In addition, each participant with secret input only performs simple single-particle operators rather than particle preparation and any complex quantum measurements. These features make our protocol more feasible to implement. We demonstrate the correctness and security of the proposed protocol, which is resistant to participant attack and outside attack. In the end, we compare in detail the performance of the quantum summation protocol in this paper with other schemes in terms of different indicators. By comparison, our protocol is efficient and easy to implement.


Introduction
As a fundamental primitive in modern cryptography, secure multi-party computation (SMC) enables n (n ≥ 2) parties to jointly compute a function based on their private inputs while keeping these inputs private. Yao [1] first put forward the idea of SMC in 1982. SMC has a wide range of applications in secret ballot elections [2], private bidding and auctions [3,4], secret sharing [5], data mining [6], and so on. However, the appearance of Shor's algorithm [7] and Grover's algorithm [8] threatened the security of classical cryptography protocols based on difficult mathematical problems. To cope with this problem, people considered using the principles of quantum mechanics in cryptography protocols, which led to the birth of various interesting research fields, such as quantum key distribution (QKD) [9][10][11][12], quantum secret sharing (QSS) [13,14] and, the area of research in which this article is based, secure multi-party quantum computation (SMQC). Of these, the QKD field has made many notable advances. In 2018, Lucamarini et al. [9] presented overcoming the rate-distance limit of quantum key distribution protocol without quantum repeaters. Lin et al. [10] proposed a simple security analysis of the phase-matching measurementdevice-independent quantum key distribution protocol. In 2022, Gu et al. [11] proposed an experimental measurement-device-independent-type quantum key distribution protocol with flawed and correlated sources. Xie et al. [12] presented a breaking the rate-loss bound of quantum key distribution protocol with asynchronous two-photon interference.
Secure multi-party quantum summation (SMQS) is a subfield of secure multi-party quantum computing and has gained much attention these years. It can enable n participants to jointly calculate a summation without revealing any participant's secret to others. Quantum summation can be applied to a variety of fields, such as quantum voting [15][16][17][18] , quantum anonymous ranking [19,20], and quantum private equality comparison [21][22][23]. Designing efficient and practical quantum summation protocols is thus significant.
To date, a variety of quantum summation protocols have been proposed by using various quantum resources. For example, in 2006, Hillery et al. [24] proposed a multi-party summation protocol with the two-particle N-level entangled states. In 2010, Chen et al. [25] presented a binary quantum summation protocol based on GHZ entangled states. In 2016, Shi et al. [26] proposed an interesting quantum algorithm to calculate multi-party summation and multiplication. The calculation result is safely translated into the corresponding phase information by using the quantum Fourier transform. In 2017, Zhang et al. [27] devised a multi-party quantum summation protocol that requires three-particle entangled states to be shared among users. Liu et al. [28] presented a quantum summation protocol by sharing multi-particle entangled states, including bell state, among users. Since their protocol's quantum communication is two-way, it is vulnerable to Trojan horse attack. In 2019, Ji et al. [29] designed two quantum summation protocols by employing entanglement swapping property between the d-level Bell state and the d-level n-partite cat state. In 2021, Wu et al. [30] proposed a multi-party quantum summation protocol based on the d-level Bell states. In 2022, Hayashi et al. [31] utilized phase GHZ states to construct a secure quantum modulo summation protocol that had the advantage of verifiability based on self-testing, allowing it to perform in worse security environments.
In the above proposed QSMS protocols, most protocols depend on sharing a multiparticle entangled state among users. Nevertheless, these protocols encounter a problem in practical application, that is, it is difficult to prepare the information carriers (multi-particle entangled states) with current technology. With this in mind, some papers designed the QSMS protocol in single particles. In 2014, Zhang et al. [32] employed single photons in both polarization and spatial-mode degrees of freedom to design a high-capacity quantum summation protocol. However, their protocol has a security vulnerability. A malicious participant can use an intercept-resend attack to obtain the next participant's secret [33]. In 2019, Zhang et al. [34] used a set of mutually unbiased bases in a single d-level quantum system to construct a multi-party quantum summation protocol. Unlike other protocols that sum a whole string of numbers, their protocol can only sum a single number. In 2020, Duan et al. [35] used single photons to construct a quantum summation protocol for transmission in a circular way. In their protocol, randomly selected encoded particles need to be measured to check the security of the communication, which prevents the final result from being calculated as each participant wishes, thus greatly limiting the practical application of their protocol.
Based on the above, publishing safe, efficient and easy to implement protocols is necessary. So, we propose a novel quantum secure multi-party summation protocol using single photons. The secret inputs are encoded as single photons and then encrypted with a simple unitary operation. Relying on this method, our protocol can achieve efficient and easy-to-implement goals with fewer quantum resources. The rest of this paper is organized as follows. In Section 2, we propose a three-party quantum summation protocol and discuss the security of the presented protocol. In Section 3, we generalize the proposed three-party quantum summation protocol to multi-part and analyze the security of the multi-party protocol. In Section 4, we compare the previous quantum summation protocols with our multi-party quantum summation protocol. Finally, we make a conclusion in Section 5.

Proposed Protocol
Secure three modulo-2 summation is defined as follows. Suppose that there are three participants named Alice, Bob and Charlie, who all own the same length of secret input Here, x At , x Bt , x Ct ∈ {0, 1} for t = 1, 2, . . . , m. They calculate the sum by encoding the information on the information carrier, that is, ( Here, "⊕" denotes the addition modulo 2).
In addition, it should satisfy the following requirements (please refer to [36]): Correctness: The result of modulo-2 summation of all participants' secret inputs should be correct.
Fairness: All participants receive the summation result simultaneously.
Privacy: Participants' secret inputs are private. In other words, no participant can learn about other participants' secret inputs, even though the participant can launch various quantum attacks and up to n-2 participants are allowed to conspire but not with TP and an outside eavesdropper (here, n is the number of participants in the protocol).
Security: An outside eavesdropper cannot learn any information about each participant's secret input without being detected.
In the following, we propose a secure protocol to accomplish this task with the help of a third party (TP). The TP is assumed to be semi-honest but non-collusive, that is to say, TP is allowed to launch various attacks by using different quantum resources under the premise of loyally execution of the protocol, but he cannot collude with other participants. The classical and quantum channel used in our protocol are assumed to be authenticated and noiseless, respectively.
Step 2: According to the secret key sequence l A previously shared with Alice, TP generates m copies of single photon states and uses these particles to construct a sequence To ensure the security of particle transmission, TP prepares m decoy photons, which randomly in {|0 , |1 , |+ , |− }. Then, he inserts the decoy photons into S A at random positions and records the insertion positions. Denote the new sequence by S A . Finally, TP sends S A to Alice.
Step 3: After confirming that Alice has received all the particles from TP, Alice checks the security of the transmission of S A with TP. Specifically, TP announces the insertion positions and the bases of the decoy photons in S A to Alice. Then, based on the announced information, Alice measures these decoy states on the correct bases and publishes the measurement results to TP. Subsequently, according to Alice's measurements, TP checks for the presence of eavesdroppers in the quantum channel. If the error rate is higher than the threshold determined by the channel noise, TP cancels this protocol and restarts it. Otherwise, TP proceeds to the next steps.
Step 4: After determining that the transmission has not eavesdropped, Alice obtains S A by extracting decoy photons from S A . Then, Alice encodes his secret input x A on the sequence S A . Concretely, Alice performs the unitary operation U x At Y on the t th particle of S A . Here, the operators are defined by [37], Obviously, after Alice finishes the encoding operations, the quantum states in S A are changed into |x A1 l A1 , |x A2 l A2 , . . . , |x Am l Am . The transformed sequence is denoted as S B . Alice prepares m decoy states that are randomly in {|0 , |1 , |+ , |− } and inserts them in S B to form a new sequence S B . Afterward, Alice sends S B to Bob. After receiving the sequence S B , Bob performs the same operation as Alice, namely, security checking and encoding secret information. In addition, Bob performs the Hadamard operation H l Bt on the t th particle of S B according to the received secret key sequence l B : After completing the above operations, Bob obtains a sequence S C . Then, he randomly places decoy photons into the sequence S C to form a new sequence S C . Finally, Bob sends S C to Charlie. When Charlie receives the sequence S C , he performs the same operations as Bob, namely security checking, encoding the secret information and the secret key. Then Charlie sends the resulting new sequence S TP to TP.
Step 5: After receiving the sequence S TP , TP and Charlie jointly check the security of the transmission channel. TP obtains the sequence S TP by extracting decoy photons after confirming that the channel is safe. Then, TP computing L 1 = l A1 ⊕ l B1 ⊕ l C1 , L 2 = l A2 ⊕ l B2 ⊕ l C2 , . . . , L m = l Am ⊕ l Bm ⊕ l Cm . If L t = 1(t = 1, 2, . . . , m), TP will perform the Hadamard operation on the t th particle of S TP . Otherwise, the particles in S TP will remain the same. After the above operation, TP measures the particles with the Z basis. Then, TP can acquire the summation Finally, TP announces the summation result to Alice, Bob, and Charlie via a public channel.
To illustrate our protocol more clearly, we will take an example with three participants, Alice, Bob and Charlie. For the sake of convenience, we will omit the security checking.
Sample 1: We assume the secret input of Alice Bob and Charlie are x A = (010), x B = (011) and x C = (011), respectively.
First, TP sends secret key sequences to Alice, Bob and Charlie, where the secret key sequence is l A = (001), l B = (010) and l C = (011), respectively. Then, TP generates the three copies of single photon states |0 0 , |0 0 , |0 1 and sends them to Alice. Alice applies the encoding operations on the signal particles according to the secret numbers x A and transmits the encoded particles to Bob. Subsequently, Bob encodes the received particles according to his secret input x B and secret key sequence l B and transmits them to Charlie. When Charlie receives the signal particles, he performs the same operation as Bob. He encodes the particles according to his secret input x C and secret key sequence l C and then transmits them to the TP. The corresponding operations and the changes in quantum states are shown in Table 1. Table 1. Encoding operations on the sequence.
After the above steps, TP calculates the sum of the keys L 1 = 0, L 2 = 0, L 3 = 0. He performs the operation I ⊗ I ⊗ I based on the calculation result and yields the states |0 , |1 , |0 . Finally, TP measures these particles in the Z basis and obtains the summation Channel loss of the cited QKD protocol: Although we assumed that the quantum channel is noiseless, channel loss is a major issue in the construction of QKD, so it is discussed here. The QKD protocol [11] used in our protocol utilizes coherent states to against realistic flawed sources and ensure security by adopting the reference technique. A proof-of-principle experiment in Ref. [11] demonstrates the feasibility of the QKD protocol in terms of resistance to channel loss.

Correctness
In this part, we discuss the correctness of the proposed three-party quantum summation protocol. Here, we show that all participants provide their secret inputs honestly, and they can eventually obtain the correct summation result: By deriving Equations (2)-(5), we can obtain the following equations: Before the protocol is implemented, Alice, Bob and Charlie negotiate a coding rule (1), where |0 , |1 represent the classical bits 0, 1, respectively. Without loss of generality, we consider only the operation performed on the j-th particle. Suppose that the initial state of the t-th particle is |S j {|0 , |+ } . In step 4, Alice, Bob and Charlie perform their unitary operations on |S t , and the state of the t-th particle will change to the following form: Obviously, we know So, we can obtain the In addition, the Hadamard operator is equivalent to the interchange of Z basis (|0 , |1 ) and X basis (|+ , |− ). This is expressed in the following forms: By Equations (12) and (13), |S * t can be expressed in the following form: In step 5, TP performs unitary operations on |S * t based on the sum of the secret keys. Through the above equations, we can derive that After TP performs Z basis measurement on the t-th particle of sequence S TP , the particle collapse into classical information x At ⊕ x Bt ⊕ x Ct . Therefore, when TP has finished performing Z basis measurements, the particles in sequence S TP will collapse into the sum of Alice, Bob and Charlie's secret inputs.
It can be concluded that the output of the three-party quantum summation protocol is correct.

Security Analysis
This part will prove that the proposed three-party quantum summation protocol is secure against two kinds of threats: outside attack and participant attack. In the aspect of defending against the outside attack, we will show that an outside eavesdropper cannot learn any participant's secret. In the aspect of the participant attack, we will show that the protocol is information-theoretically secure [38], that is, anyone including TP cannot obtain any information about other participants.

Outside Attack
Obviously, the same protection measures are used for each transmission of the particles. Without loss of generality, here, we only analyze the security of the transmission of S C against an outside eavesdropper, namely Eve. She strives to steal the secret inputs of participants. Hence, she could exploit any possible attack strategies but not collusion, such as the Trojan horse attack, the entanglement attack, the intercept-resend attack, the measure-resend attack. We will explain that our protocol is resistant to these attacks, and the specific analysis is as follows: (1) The Trojan horse attacks The Trojan horse attacks consist mainly of the delay-photon Trojan horse attack [39] and the invisible photon eavesdropping attack [40]. Since the particles of S C are transmitting one-way, this protocol is naturally protected against the Trojan horse attacks from Eve.
(2) The entangle-measure attack Eve cannot discover the difference between target and decoy photons. Therefore, she usually extracts some useful information by entangling her auxiliary particle |ε with the one in S C through a unitary operation U E . Her behavior can be expressed as Equations (17) and (18): where |a i | 2 + |b i | 2 = 1 (i = 1, 2). If Eve's operation does not introduce an error in the eavesdropping check, the following requirements are met: Taking U E |− |ε = |− |ε − as an example, we expand both sides of the equation as follows: Here, 0 donates a column zero vector. In the same way, we can infer Hence, we can deduce the following result from Equation (21): a 2 = b 1 = 0, a 1 = b 2 = 1 and |ε 00 = |ε 11 = |ε 0 = |ε 1 . Substituting these results for the symbols in the Equations (17) and (18), we can obtain Consequently, Eve cannot distinguish {|0 , |1 } without introducing errors. If there is an error, it will be detected in the eavesdropping check. Then the protocol will be restarted without information disclosure, which makes Eve launch this kind of attack while acquiring nothing.
(3) The intercept-resend attack Since Eve does not know the positions of the decoy photons, in order to obtain information from Bob, Eve intercepts S C that Bob sends to Charlie. Eve then substitutes all the particles with fake ones randomly generated in {|0 , |1 , |+ , |− } and sends them to Charlie. Suppose that the initial decoy particle state is |0 , if Eve generates the particle randomly in the {|0 , |1 } basis, the probability that Eve's attack will be detected is 1 2 , and if Eve generates the particle randomly in the {|+ , |− } basis, the probability that Eve's attack will be detected is 1 2 .
In conclusion, the probability that Eve's attack can be detected is When we use n decoy particles for eavesdropping, the probability of Eve's attack being detected is 1 − ( 1 2 ) n , which will approach 1 if n is large enough. (4) The measurement-resend attack Since Eve does not know the positions of the decoy photons, in order to obtain information from Bob, Eve intercepts S C that Bob sends to Charlie. Subsequently, Eve randomly selects the Z basis or X basis to measure the intercepted particles and prepares new quantum states to send to Charlie based on the results of the measurements. Suppose that the initial decoy particle state is |0 . If Eve chooses to measure with Z basis, Eve's attack will incur no error, and if Eve chooses to measure with X basis, the probability that Eve's attack will be detected is 1 2 .
In conclusion, the probability that Eve's attack can be detected is . When we use n decoy particles for eavesdropping, the probability of Eve's attack being detected is 1 − ( 3 4 ) n , which will approach 1 if n is large enough.

Participant Attack
We now focus on the participant attack, a more severe threat to the protocol's security. Naturally, in a quantum summation protocol with n participants, when any n − 1 participants conspire together, they can easily learn the left one's secret input. Here, n is a positive integer equal or greater than 3. Therefore, we only analyze the participant attack from one dishonest participant.
In order to prevent their secret inputs from being known by others, each participant encrypts the t-th particle by using secret keys. He privately performs the Hadamard gate operation on the t-th particle. It is worth noting that if the protocol is informationtheoretically secure, then for every input ρ, the output ρ c is a totally mixed state [38]. So, we determine whether the proposed protocol is information-theoretically secure by comparing the input density matrix with the output density matrix. The input state is related to the output state as follows: where ρ in is the density matrix of all possible initial input states, and U i is the corresponding unitary operator applied to the input state. We only analyze the relationship between the initial state and the output state of the t-th particle sent by Bob to Charlie in that Alice, Bob and Charlie play the same role in our protocol. Firstly, since the initial state of the t-th particle is at either |0 or |+ , we can obtain Then, after Alice and Bob performing the corresponding operators, the output density matrix should be in By Equation (25), we can see that the output of the t th particle after Bob performs quantum operators is just a totally mixed state. Namely, anyone, including the next participant, cannot acquire any information about Bob's secret input x B .
We then consider the case where the attack comes from TP. Since TP is a assumed a semi-honest third party in our protocol, he may try his best to learn the participants' secret inputs without conspiring with anyone. Unlike an outside eavesdropper, TP can use various quantum resources to launch attacks, such as the Trojan horse attack, the intercept-resend attack and so on; besides, he can try to learn participants' information from intermediate recorded by himself in the procedure of the protocol. We will explain that TP cannot learn any participants' secret inputs. Similar to the density matrix analysis above, TP cannot learn the secret input of any participant from the recorded information. In addition, if TP wanted to intercept the transmitted particles without being detected, that would be impossible. Because, as analyzed in the outside attack above, every particle transmission requires a security check, any interception is detected in the security check.
Therefore, the proposed three-party quantum summation protocol is informationtheoretically secure.
Step 2: TP encodes the secret key sequence l 1 previously shared with P 1 according to the above agreement, and he can obtain m copies of single photon states S 1 = |0 l 11 , |0 l 12 , ..., |0 l 1m .
Step 3: After confirming that P 1 received all the particles S 1 , TP and P 1 check the transmissions between them for eavesdroppers. Concretely, TP first announces the insertion positions and the bases of the decoy photons to P 1 . Then, based on the announced information, P 1 uses the correct basis to measure these decoy photons and publishes the measurement results to TP. Subsequently, according to their measuring results, TP checks whether eavesdroppers exist in the quantum channels. If the error rate is higher than the threshold determined by the channel noise, TP cancels this protocol and restarts it. Otherwise, TP proceeds to the next step.
Step 4: By extracting all the decoy photons from S 1 and discarding them, P 1 can acquire the sequence S 1 . Then, P 1 performs the unitary operation U x 1t on the t-th particle of S 1 according to his secret input x 1 . When P 1 completes the encoding operation, the quantum states in S 1 would change to |x 11 l 11 , |x 12 l 12 , . . . , |x 1m l 1m . Define the changed sequence as S 2 . P 1 mixes S 2 with m decoy states randomly in {|0 , |1 , |+ , |− } to form a new sequence S 2 . Finally, P 1 sends S 2 to P 2 .
Step 5: For j = 2, 3, . . . , n: when P j received the sequence S j from P j−1 , P j−1 checks the security of transmission with P j , which similar to Step 3. After determining that the channel is secure, P j removes the decoy states and encodes his secret input X j similar to Step 4. Furthermore, P j encodes the information according to the secret key sequence l j sent by TP. To be clear, P j performs the unitary operation H l jt on the t th particle of S j . Then, P j mixes sequence S j and decoy photons randomly to form a new sequence S j , and sends it to P j+1 . Of note, the last participant P n sends the particle sequence S n+1 to TP.
Step 6: When TP has received the sequence S n+1 , TP checks the security of transmission channel with P n . TP obtains S n+1 by extracts and discards decoy photons from S n+1 .
If the result L t is 1, TP will perform the Hadamard operation on the t th particle of S n . Otherwise, the particles in S n will not change. After the above steps, TP measures the particles with Z basis. Then, TP can obtain the summation ∑ n i=1 x i1 , ∑ n i=1 x i2 , . . . , ∑ n i=1 x im . Finally, TP announces the summation result to P 1 , P 2 , . . . , P n .

Correctness
It is correct for a secure multi-party summation protocol, which means that all participants can obtain the sum without revealing any secrets. In the following, we will show that the result of this protocol is the sum of their secret inputs.
Before the protocol is executed, the participants P i , i = 1, . . . , n negotiate a coding rule whereby |0 and |1 represent the classical bits 0 and 1, respectively. Suppose that the initial state of the t th particle is |S t {|0 , |+ }, t = 1, 2, . . . , m. In Steps 4 and 5, the encoding operation H l it U x it Y has been performed n − 1 times, that is, where l it , x it ε{0, 1}. After these encoding operations, by Equations (7)- (13), we can obtain the following: In Step 6, TP performs unitary operations on |S * t based on the sum of secret keys. So, quantum states will change to the following form: Finally, TP performs the Z-basis measurement on the particles in the sequence S n+1 , and the particles collapse into classical information: Therefore, the correct result can be acquired by performing the protocol.

Security Analyse
For security, we use the same method to prevent outside and participant attacks in both three-party and multi-party quantum summation because the idea of the proposed two protocols is the same. We analyze the security of our multi-party protocol. Firstly, we prove that our protocol is resistant to outside attacks. Secondly, we show that participant attacks are ineffective for our protocol.

Outside Attack
We analyze the possibility of an outside eavesdropper, Eve, obtaining the secret inputs from all participants.
Eve is considered to be able to launch various attacks using different quantum resources but not conspire. Next, we will explain that her attacks are ineffective. In order to obtain something useful information about participants' secret inputs, Eve can utilize the particle transmission in steps 2, 4, and 5 to launch active attacks, such as the intercept-resend attack, the entanglement-measure attack, the measurement-resend attack and so on. However, we use decoy photons, which are randomly chosen from the two conjugate bases, Z basis and X basis, to detect the presence of an outside eavesdropper. This idea is derived from the unconditional security BB84 protocol [41]. It has been proven to be unconditionally secure [42]. We take the measurement-resend attack as an example here: if Eve tries to intercept the particles sent from P i to P i+1 and measures them, then prepares fake quantum states based on the results to resend to P (i+1) , he will introduce an extra error rate that would allow him to be detected during security checking. For a decoy photon chosen for detection, Alice reflects this particle back to TP with a probability of 1/2. Thus, Eve has a (1/2)*(1/2) = (1/4) probability of being detected. When we use n decoy particles for eavesdropping, the probability of Eve being caught turns into 1 − (3/4) n , which will approach 1 if n is large enough. Therefore, if Eve launches active attacks during the particle transmissions, she will inevitably leave traces on the decoy photons and be detected by the eavesdropping check process since the locations and measurement basis of the decoy photons are not known until they are announced. In addition, since the transmission of particles in our protocol in the quantum channel is unidirectional, it is naturally resistant to the Trojan horse attacks.

Participant Attack
In this subsection, we will sufficiently analyze two scenarios of participant attack: the participant attack from one or more dishonest parties and the participant attack from TP.

Case 1: The participant attack from one or more dishonest parties
In the following, we will analyze two situations: one participant wants to learn the secret numbers from others; the other is more than one participant colluding together to learn secret numbers from others.
(a) The participant attack from one dishonest party Without loss of generality, we assume that P 2 is the dishonest participant. In Step 4, P 2 receives S 2 = |x 11 l 11 , |x 1 2 l 12 , . . . , |x 1m l 1m from P 1 , but he cannot learn P 1 's secret message X 1 from S 2 because P 2 does not know l 1 and he cannot conspire with TP, who knows the parties' keys. In the protocol of this paper, the secret key represents a change in the measurement base, and the attacker does not know the key, so naturally, he will not know the corresponding measurement base. In addition, if P 2 tries to intercept particles transmitted between the remaining participants, he will be detected as an outside attacker because he does not know the position of the decoy photon and the measurement base. Therefore, P 2 cannot obtain the secret input of P 1 .
(b) The participant attack from more than one dishonest party. If n − 1 participants collude, they can easily deduce the secret input of the other participant from the final summation result. Thus, the proposed multi-party quantum summation protocol can resist the collusion attack from at most n − 2 participants. Without loss of generality, we assume n − 2 parties P 1 , P 2 , . . . , P i−1 , P i+1 , . . . , P n−1 collude together to learn the secret input x i of P i . In Step 5, P i+1 can obtain By Equation (25), we can obtain the density matrix of the t-th particle output states in the sequence S i+1 : Since the output of the t-th particle after P i performs the corresponding operators is just a totally mixed state, no one can obtain any information about P i 's secret input, even if P 1 , P 2 , · · · , P i−1 , P i+1 , · · · , P n−1 collude together to deduce x i . Furthermore, from a measurement perspective, since P 1 , P 2 , · · · , P i−1 , P i+1 , · · · , P n−1 do not know the key, P i+1 cannot know the measurement basis corresponding to the quantum sequence and thus cannot obtain the secret information x i of P i . In Step 6, P 1 , P 2 , · · · , P i−1 , P i+1 , · · · , P n−1 can learn the summation result from TP. They can only obtain the value of x i ⊕ x n and cannot deduce x i because they have no knowledge about the secret input x n . Therefore, P 1 , P 2 , . . . , P i−1 , P i+1 , . . . , P n−1 cannot learn the secret information of P i , even if they conspire.

Case 2: The participant attack from TP
Let us now consider TP attacks. In our protocol, TP is assumed as a semi-honest third party, which means that TP can perform all sorts of attacks by using various quantum resources, and attempt learn the secret inputs of participants from the information he records while the protocol is in progress but non-collusive. Next we will show that TP cannot obtain secret inputs of any participants without being detected.
In Step 6, TP can obtain S n+1 = {|x 11 ⊕ · · · ⊕ x n1 l 11 ⊕···⊕l n1 , · · · , |x 1m ⊕ · · · ⊕x nm l 1m ⊕···⊕l nm }. TP obtains the sum of all secret inputs after encoding and measuring the quantum sequence S n+1 . Although TP knows the keys of all participants, he is still unable to learn any secret inputs from them. After encoding, the quantum states sequence S n+1 will become {|x 11 ⊕ · · · ⊕ x n1 0 , |x 12 ⊕ · · · ⊕ x n2 0 , · · · , |x 1m ⊕ · · · ⊕ x nm 0 }, and the effect of the key is eliminated. Thus, without colluding with the participants, TP does not derive clues about secret information from the sum. Even if TP measured the particles directly after obtaining the sequence S n+1 , he would still not acquire the desired result. It is worth noting that TP can infer the measurement base corresponding to each particle in the sequence S n+1 from the secret keys of all participants. Because it is still a mixture of information from all participants, TP does not separate the secret inputs of any participants from S n+1 . If TP attempts to intercept transited particles between any two participants, he will be detected as an outside attacker. Furthermore, even if TP does intercept the transmitted particles, it will not be able to obtain the desired secret information because it did not know the location of the decoy photons.
Therefore, TP cannot obtain any participants' secret inputs without being caught.

Comparisons
In this section, we compare the previous quantum summation protocols with our multi-party quantum summation from the quantum resource, the quantum operations, particle transmission mode, quantum measurements and the qubit efficiency in Table 2.
The qubit efficiency of secure quantum communication was introduced by Cabello [43], defined as where c is the total number of the classical plaintext message bits, q represents the number of the used qubits and b denotes the number of classical bits exchanged for decoding the message. For simplicity, we suppose that the number of participants is N, the length of the summation is m, and m decoy particles are employed to check eavesdrop. Ref. [32] presented a secure multi-party summation protocol based on single photons in both polarization and spatial-mode degrees of freedom. In their protocol, m 2 single photons are used in both polarization and spatial-mode degrees of freedom for encoding, mN decoy particles are used for detecting the presence of eavesdroppers, and finally, TP announces the result will cost m classical bits. So, the qubit efficiency is η = 2 2N + 3 .
Ref. [35] proposed a multi-party summation protocol within a d-level quantum system. In their protocol, P 1 generates 2(m + δ) d-level single photons, of which (m + δ) photons are used to check whether the communication is secure, and δ photons are used to check the security of communication with P 2 , P 3 , . . . , P N . For ease of calculation, we assume that, ideally, δ = m. P 1 restores all photons in his hand to the original orders will cost 2(N − 1)m classical bits, and announcing the result when the summation is complete will cost m classical bits. So, the qubit efficiency is η = 1 2N + 3 . Ref. [34] employed single particles to construct a multi-party summation protocol in a d-level quantum system, where d is restricted to odd primes. Since the summation length of their protocol is 1, we assume for convenience of calculation that the number of decoy particles is also 1 for each participant. In their protocol, (N + 1) decoy particles are used for checking the presence of eavesdroppers, P 1 , . . . , P N announces that their encrypted number to TP for summation will cost N classical bits, and TP announces the result will cost 1 classical bit. So, the qubit efficiency is η = 1 2N + 3 .
Ref. [27] utilized three-party entangle states to construct a modulo-2 summation protocol. In their protocol, there are mN particles for key generation, mN particles for checking the honesty of the initiator, m(N − 1) decoy particles for eavesdropping detection, and participants need to announce mN classical bits to get the summation. So, the qubit Ref. [44] proposed a secure multi-party summation protocol by employing d-level n-particle entangle states. P 1 prepares mN particles for encoding and (N − 1)m decoy particles for eavesdropping detecting. In addition, P 2 , · · · , P N need to announce P 1 their measurements to acquire the sum, and this process will cost (N − 1)m particles. So, the qubit efficiency is η = 1 3N − 2 .
Ref. [28] used N-particle entangled states to construct a secure multi-party summation protocol. There are two cases for their protocol since the difference between the two cases is only in the number of particles prepared, and the difference is not significant. We will only consider the n − 1 mod 2 = 0 case. In their protocol, mN particles for encoding and (N − 1)m decoy particles are employed to detect eavesdropping during the transmission of the particle sequence S i from P 1 to P i , where i = 2, . . . , N. Moreover, (N − 1)m decoy particles are needed to detect eavesdropping during the particle sequence S i sent back to P 1 by P i . So, the qubit efficiency is η = 1 3N − 1 .
In the protocol of Ref. [30], d-level single quantum systems are employed to design a multi-party quantum summation. Within their protocol, there are 2mN particles for encoding and 2mN decoy particles for eavesdropping detection. Furthermore, participants need to announce mN classical bits to compute the summation. So, the qubit efficiency is Ref. [31] proposed a multi-party modulo summation protocol based on GHZ states. For ease of calculation, we assume that each group of N copies, except the final group, where each copy consists of N qubits. In their protocol, (4N 3 + 1)N particles for verifiable generation, N bits for summation, participants announce their result will cost N bites. So, the qubit efficiency is η = 1 4N 4 + 3N .
In our protocol, there are mN particles for previous keys distribution, m particles for encoding, and mN particles for eavesdropping detection. In addition, when the sum is obtained, TP needs to announce m classical bits. Then, the qubit efficiency of the presented protocols is η = 1 2N + 2 . In our work, only single photons, unitary operation, and singleparticle measurement are introduced. According to Table 2, we can conclude the following: 1 As for the qubit efficiency, our protocol is second only to the protocol in Ref. [32]. However, Ref. [32] has a drawback in terms of security. The secret input encoded on single photons is not encrypted, and a malicious participant P i (i = 1 , . . . , n − 1) can obtain P i+1 's secret by an intercept-resend attack. To solve this problem, Ref. [33] proposed a modification. At the beginning of the protocol, each participant first shares a set of keys with TP by using some secure quantum key distribution protocols, and then encodes the sum of secrets and keys on the photons instead. Although this modification increases safety, it makes Ref. [32] no longer advantageous in terms of qubit efficiency compared to our protocol. Our protocol can guarantee safety and convenience with excellent qubit efficiency. 2 As for the quantum resource, this protocol outperforms protocols in Refs. [27,28,[30][31][32]44], as the preparations of multiple-particle entangled states and single photons in both polarization and spatial-mode degree of freedom are more difficult than those of single photon states. In addition, in Refs. [28,30], every participant needs quantum generators to generate quantum states, which will make it more difficult to implement the protocol. 3 As for quantum operations, with the current technology, it is difficult to achieve the manipulation in the high-dimensional quantum system as in Refs. [26,27,34,35,44]. Our protocol is carried out in two-dimensional Hilbert space, which is feasible with current technology [45]. 4 As for quantum measurements, this protocol exceeds protocols in Refs. [27,30,34,35,44], since the single qudit measurements in Refs. [34,35,44] are much more complicated to realize than the single-photon projective measurements, and in Refs. [27,30,44], every participant requires quantum measurement devices in multiple different bases, which makes them more cumbersome to implement than our protocol. So, our protocol is more efficient and feasible compared to other protocols.

Conclusions
In summary, we presented a novel and efficient protocol for secure multi-party quantum summation. In our approach, n participants complete this task with the help of a semi-honest TP. TP is responsible for preparing and distributing single-photon states and performing quantum measurements, while participants only employ unitary operations to encode their secret data and transfer the particle to the next participant. The proposed protocol can also resist various attacks, such as the entanglement-measure attack, the measurement-resend attack, and the denial-of-service attack. Furthermore, considering the practical security and technical feasibility, our protocol takes single-photon states as quantum resources and only needs simple single-particle operators and single-photon measurements. Therefore, the proposed protocol is feasible with the current technology and of high efficiency.