A Semi-Quantum Private Comparison Base on W-States

Privacy comparison is an important research topic in secure multi-party computing, widely used in e-commerce, secret ballots, and other fields. However, the development of quantum computing power poses a growing potential security threat to secure multi-party algorithms based on mathematically tricky problems, and most of the proposed quantum privacy comparison schemes could be more efficient. Therefore, based on the W-state, we offer a more efficient semi-quantum privacy comparison method. The security analysis shows that the scheme can resist third-party, measurement, and entanglement attacks. Compared with the previous work, the scheme significantly improves communication efficiency and has stronger practicability.


Introduction
Secure multiparty computing (secure multiparty computation, SMC) was proposed by Yao to prevent multiple participants' privacy leakage and let them work together to solve the computing problem [1].SMC is widely used in e-commerce, data compression, and secret ballots.Secure multiparty computing (SMC) is an essential topic in distributed computing.It allows a group of users who do not trust each other to perform distributed computing with the participation of a semi-trusted third party to obtain the comparison results of private information without revealing their input.
However, the quantum computer threatens the security of classical SMC.With the improvement of computing power and the emergence of quantum algorithms [2,3], the SMC cryptographic protocol based on classical NP problems is repeatedly broken.As an indivisible smallest unit, quantum has its unique properties.The principle of quantum uncertainty makes it impossible for eavesdroppers to measure the state of transmitted quantum states accurately, and the principle of quantum non-cloning ensures that eavesdroppers cannot accurately copy transmitted quantum states and obtain adequate information [4][5][6].Therefore, quantum privacy comparison is applied to resist quantum attacks as a branch of quantum cryptography.
Compared with quantum communication, semi-quantum communication has unique advantages, which are easier to realize while ensuring security.Users can use only straightforward quantum devices, saving the high cost of buying or preparing quantum states.In particular, if the device fails during quantum communication, it can switch from quantum communication to semi-quantum communication to complete the whole process.Therefore, the research on semi-quantum cryptographic communication is significant in quantum communication.Compared with quantum privacy comparison, semi-quantum privacy comparison has the advantages of lower requirements on hardware devices, easier realization, and more common application scenarios.
In 2016, the first semi-quantum privacy comparison protocol (SQPC) [7] based on Bell states was proposed by Chou et al., ensuring that two classical users compare their private information without revealing privacy.Subsequently, many improvements and optimizations of SQPC have been proposed [8][9][10][11][12][13][14][15][16][17][18].In 2018, Ye et al. [11] constructed an SQPC protocol based on the product of two-particle tensors without an entanglement exchange.In 2018, Thapliyal et al. [12] proposed an SQPC protocol based on an orthogonal state in a noisy environment, which adopted the Bell state as a quantum state carrier In the same year, Lang [13] proposed two SQPC protocols with different TP identities and abandoned the quantum entanglement exchange operation.For malicious TP, he cannot know the private information or the results.Lin et al. [14] abandoned the quantum entanglement exchange operation in 2019.They used a single-photon state to build a practical and efficient SQPC protocol, requiring a shared key in advance to achieve.In 2021, Tian et al. [15] proposed a novel semi-quantum private comparison (SQPC) protocol based on W-state, which is more efficient.In 2022, Wang et al. [16] designed an SQPC protocol using the GHZ state with D-dimension.Geng et al. [17] constructed the SQPC protocol for the D-level single-particle state size relationship.In 2023, He et al. [18] proposed an improved SQPC protocol with a higher security level than Tian et al. 's scheme [15].Based on the decoherence-free states, two multi-party semi-quantum private comparison protocols are proposed to counteract collective noises [19].And by adopting d-dimensional Bell states, Lian et al. [20] constructed an MQPC protocol that can be used in a strange user environment.
In this work, a semi-quantum privacy comparison (SQPC) protocol is proposed, which has higher efficiency compared with before works; it does not need to share the key in advance and has a higher interception detection rate.Therefore, this scheme is more practical.The structure of this paper is as follows: in Section 2, the work related to semiquantum privacy comparison and the basis of quantum information are introduced; in Section 3, the steps and contents of the protocol are explained in detail; the security analysis part is shown in the fourth part; finally, the summary of this work is given.

Entangled States
The two W-states were used to distribute to the three participants, and they are denoted by The |W state can be described as Therein, the subscript marks the particle position.
The |H state can be described as Accordingly, the following circuit is used to implement |H in Figure 1.

One-Time Pad
The one-time pad (OTP) is a symmetric encryption algorithm, which was first i vented by Frank Miller [21].In OTP, the message sender and the message receiver sha a random secret key k , called a one-time pad.In general, it requires that the random pa k and the message m to be sent should have the same size.To encrypt the messag the sender calculates and sends OTP ciphertext c to the receiver, where th Among them, |ψ + , |φ + , |φ − are kinds of Bell states, which will be used to take the joint measurement and can be expressed a (5)

One-Time Pad
The one-time pad (OTP) is a symmetric encryption algorithm, which was first invented by Frank Miller [21].In OTP, the message sender and the message receiver share a random secret key k, called a one-time pad.In general, it requires that the random pad k and the message m to be sent should have the same size.To encrypt the message, the sender calculates c = m ⊕ k and sends OTP ciphertext c to the receiver, where the symbol "⊕" denotes addition under modular two.To decrypt c, the receiver calculates m = c ⊕ k.It is impossible for an adversary to break m from the ciphertext c due to the unconditional security of OTP [22,23].

Semi-Quantum Private Comparison Scheme
By default, the semi-quantum privacy comparison (SQPC) means two participants who do not have complete quantum capabilities are helped by a trusted third party (TP).As a semi-trusted third party, TP will not collude with participants to obtain users' privacy, nor will it disclose any participants' privacy; they have the full quantum capability to prepare, manipulate and measure quantum states.A new semi-quantum privacy comparison protocol based on three-particle entangled states is proposed below, which does not require a pre-shared key and has higher efficiency.The model of SQPC is shown in Figure 2. symbol " ⊕ " denotes addition under modular two.To decrypt c , the receiver calcul k c m ⊕ = . It is impossible for an adversary to break m from the ciphertext c du the unconditional security of OTP [22,23].

Semi-Quantum Private Comparison Scheme
By default, the semi-quantum privacy comparison (SQPC) means two particip who do not have complete quantum capabilities are helped by a trusted third party ( As a semi-trusted third party, TP will not collude with participants to obtain users' vacy, nor will it disclose any participants' privacy; they have the full quantum capab to prepare, manipulate and measure quantum states.A new semi-quantum privacy c parison protocol based on three-particle entangled states is proposed below, which d not require a pre-shared key and has higher efficiency.The model of SQPC is show Figure 2. Suppose that two copies of private information from Alice and Bob need to be c pared.TP must compare whether its private information is consistent without know the specific information.Alice and Bob establish a quantum channel and classical chan with TP, respectively, and can only do the following two operations for the received qu  Suppose that two copies of private information from Alice and Bob need to be compared.TP must compare whether its private information is consistent without knowing the specific information.Alice and Bob establish a quantum channel and classical channel with TP, respectively, and can only do the following two operations for the received qubit. (1) MEASURE: Using the Z-basis to measure the qubit, re-prepare the same one with the measurement result and send it back.(2) REFLECT: Return the qubit without doing anything.
Step 1: TP prepares N (= 4 n) entangled states according to Equations ( 1) and ( 2), including 2 n |W and 2 n |H .TP then divides these entangled states into three single particles.Separately, the particle at the first position forms the sequence TP selects the pairs in which Alice and Bob both perform the REFLECT operation, uses the Bell basis joint measurement (S i A , S i B ), and uses Z-basis to measure the retained in his own hand.Then, TP checks to see if the joint measurements match the state in S i T , that is, when the S i T is from |W , the joint measurement result should be either |φ + or |φ − ; conversely, when the S i T is from |H , the joint measurement result must only be |φ + .In particular, if the measurement in |H appears |φ − , then the channel has an eavesdropper.
Step 5: After the channel detection is complete, TP picks out the particles that both Alice and Bob choose the MEASURE operation.In this case, Alice's and Bob's measurements may agree or not, but TP cannot determine it by measurement outcome.TP makes a Z-basis measurement for S i T at these locations and publishes the measurement outcome, the published result in the corresponding position is marked 1 or 0. If the measurement is |0 , it is recorded as 0. Otherwise, it is recorded as 1.
Step 6: Alice and Bob negotiate whether TP is honest according to the position published by TP; for the position marked 1 by TP, Alice and Bob check that the measurements are consistent, and conversely, for the position marked 0, Alice and Bob check that the measurements are opposite.If the results show that the TP is honest, Alice and Bob share the key K AB through negotiation.When the measurement results of both parties are the same, K AB is the default value, that is the measurement result; when the measurement results are different, K AB is the random value, that is 0 or 1.
Step 7: Alice and Bob share the key with TP, respectively.For Alice and Bob take different operations, Alice and Bob keep a secret sequence of their measurements denoted as K AT , K BT .Concretely, when Alice adopts MEASURE and Bob adopts REFLECT, TP adopts the Bell base joint measurement for (S i A , S i T ).When Alice adopts REFLECT and Bob adopts MEASURE, TP adopts the Bell base joint measurement for (S i B , S i T ).According to Equations ( 2) and (3), if the measurement is |φ + or |φ − , TP yields K AT or K BT 1; otherwise, if the measurement result is |ψ + , TP yields K AT or K BT 0.
Step 8: TP implements privacy protection as follows.Suppose the private messages to be compared from Alice and Bob are m A = [m a1 , m a2 , . . .m an ], m B = [m b1 , m b2 , . . .m bn ].
Alice computes Bob computes Alice and Bob send the computation result to TP, respectively.Immediately after, TP computes According to the law of modular two operations, if C is a bit sequence of 0, it means the privacy information is the same; if 1 appears in the sequence, it means the privacy information is different.Below, the operations and purposes of different situations in the protocol are summarized in Table 1.

Security and Efficiency Analysis
This chapter first gives the correctness analysis, then analyzes the security of semi-trusted third parties and users, and finally provides the attack with the analysis of malicious users.

Correctness
According to Equations ( 6) and ( 7), Equation ( 8) is can be written as Therefore, they will satisfy the following equality, According to Equation (10), every bit of the binary sequence is performed modulo 2; if it is the same binary number in that position, the result is 0; otherwise it is 1.
To sum up, the privacy comparison of the protocol can be prepared to determine whether the binary sequence is consistent through the calculation results.If 1 appears in succession, it means that the information in this position is inverted; if C is a string of 0, it means that the two pieces of information are the same.

Outside Attack
Generally, there are three attack ways for external attackers to steal users' privacy information: intercept re-transmission attack, measurement-re-transmission attack, and entanglement measurement attack.For each type of attack, the following section provides a corresponding security analysis.

Intercept Re-Transmission Attack
Take the quantum channel of Alice and TP as an example.Assuming that Eve, as a fake TP, intercepts the sequence sent by TP to Alice, Eve sends Alice the fake sequence prepared in advance.Alice randomly performs MEASURE operations and REFLECT operations on the fake sequence.According to the protocol design, she will send the sequence to Eve (fake TP).Later, Alice and Bob will announce where they each took the non-stop action.At this point, Eve can use Alice's and Bob's disclosure to create a false key, denoted K AT and K BT respectively.However, Eve still does not have access to Alice and Bob's private information.According to protocol Step 8, Equations ( 6) and ( 7), even if Eve obtains Alice's and Bob's calculation results as a fake TP, he cannot obtain the privacy information m A and m B from the calculation results according to the one-time-secret nature of OTP [21][22][23].To make matters worse, TP will discover Eve's presence by comparing fake sequences forwarded by Eve.Furthermore, since the qubits corresponding to the false sequence and the issuing sequence are different, TP and Alice or Bob cannot complete the shared key stage.According to Equations ( 6) and ( 7), TP cannot decrypt C A and C B through K AT and K BT .At this time, TP will again determine that there is an attacker intercepting the particles of the channel.

Measure Re-Transmission Attack
In the measurement re-transmission attack, the attacker intercepts the TP sequence sent to the user, measures it, and forwards it.Taking Alice's channel as an example, it is assumed that Eve intercepts the sequence S A and makes a Z-basis measurement of its particles, and then Eve sends the measured sequence S A to Alice.According to the physical properties of the collapse measured by the entangled particles, Alice's random operation will not change the state of the particles.Therefore, when Alice sends the particle back to TP, TP will find Eve's attack behavior through the detection of Step 4.
Compared with the previous scheme, our scheme will have a higher interception detection rate.If Alice chooses the MEASURE operation and Bob chooses the REFLECT operation, the attack will not be detected.If Alice performs the MEASURE operation, Bob performs the REFLECT operation, and TP performs the Bell measurement and single measurement; then, if the single particle measurement is |0 , the attack behavior is detected with a probability of 1/4, if the single particle measurement is |1 , the probability in |W and |H are 1/2 and 1/4.If Alice and Bob both take the return operation, TP compares the relationship between the Bell measurement and the single particle measurement; then, if the single particle measurement is |0 , the attack behavior is detected with a probability of 1/4, and if it is |1 , the probability in |W and |H is 1/2 and 1/4.Therefore, the probability that Eve's attack behavior is detected under the measurement of repeated attacks is In this regard, the eavesdropping detection probability of n particle length sequence is It is possible for an attacker to construct a new quantum system by introducing auxiliary particles to avoid eavesdropping detection and monitor the whole system by measuring other particles.To achieve the purpose of obtaining private information.
A group of auxiliary particles is introduced to construct a two-dimensional Hilbert space, and a group of orthonormal basis is selected to describe the space vector, which can be expressed as |τ 00 , |τ 01 , |τ 10 , |τ 11 .To distinguish the source of the particles, we will represent Alice's particles from |W and |H as {|0 AW , |1 AW , |0 AH , |1 AH }, and Bob's particles from |W and |H as {|0 BW , |1 BW , |0 BH , |1 BH }.
For a particle in the |H , |0 H represents auxiliary particles.The unitary operations performed on qubits.
Then, the whole system space can be expressed as As can be seen from the above equation, Eve's attacks must meet the following conditions in order to remain undetected |τ 00 − |τ 11 = 0.
Therefore, for the particles from |W , Eve cannot obtain any information from the state of the auxiliary particle, because its state is independent of the state of the other particles.
For a particle in the |W , U W represents unitary operations performed on qubits.
At this point, the whole system can be described as Therefore, in order for Eve to pass eavesdropping detection, it needs to meet However, Eve will not be able to distinguish between Alice's measurements and will not be able to obtain useful information.

Inside Attack
Without loss of generality, Bob is a dishonest actor, assuming he is trying to obtain Alice's privacy while making a private comparison with her. Bob may take any attack form of the external attacker to obtain information.Unlike the external attacker, Bob has the same key K AB with Alice, so as long as he can obtain the correct K AT , he can really get the private information.However, in this case, he cannot obtain the correct and valid K AT , If Bob takes a measurement re-transmission attack to obtain K, Bob has no way of knowing what specific operation Alice has chosen.Alice has a 1/2 probability of measuring the quantum state, so once Bob returns all the intercepted S A , there is a 1/2 probability of choosing the wrong operation.At this time, the interception detection rate is 1/4, so the sequence's interception detection rate is 1 − 3 4 n , When n is large enough, the eavesdropping detection rate will approach 1.
On the other hand, if Bob tries to attack by measuring re-transmissions or entanglement measurements, he will be regarded as an external attacker.As analyzed in Sections 4.2.2 and 4.2.3, any attack strategy will inevitably introduce a certain error rate and fail to obtain any information.

Efficiency Analysis
The SQPC protocol efficiency calculation method is proposed in [24], which can be described as where the c represents the classical particle of comparison, q represents the total qubits used for exchange, and b represents the qubit used by the two participants.
The SQPC protocol uses a three-particle pure state for privacy comparisons.TP prepared 12 qubits and sent them to two participants.When Alice and Bob measured the particles, they each prepared 1 qubit.Hence the scheme of efficiency is Here, as shown in Table 2, a comparison table of schemes is given to show the preponderance of this work in the following.Compared with the previous scheme, the proposed scheme does not require preshared keys, and does not consume resources for key sharing; moreover, it improves qubit efficiency.

Conclusions
A secure and efficient SQPC protocol based on W-state is proposed.Two classic participants can compare the equality of their private information with the help of a semihonest assistant named TP.Alice and Bob cannot know each other's privacy information, and the semi-honest third-party TP cannot obtain any privacy information compared between Alice and Bob.The proposed protocol can resist attacks and guarantee high Entropy 2023, 25, 1269 9 of 10 efficiency and a high interception detection rate.Moreover, it doubles the bit efficiency of previous protocols.

Figure 1 .
Figure 1.The preparation circuit of H .

Figure 1 .
Figure 1.The preparation circuit of |H .

Figure 2 .
Figure 2. The model of protocol.

( 1 )
MEASURE: Using the Z-basis to measure the qubit, re-prepare the same one with

Figure 2 .
Figure 2. The model of protocol.
the particle at the second position forms the sequence S B = s 1 B , s 2 B , ...s n B , and the particle at the third position forms the sequenceS T = s 1 T , s2 T , . . .s n T ; S A , S B , and S T are random quantum sequences of |0 or |1 from the |W and |H states; S i A , S i B and S i T represents the first state, the second state, and the third state, respectively.Step 2: TP sends the particle in the travel sequence S A to Alice and the state in the travel sequence S B to Bob, while it remains in TP's own hands.Note that only TP knows whether the states come from |W or from |H .Step 3: Alice and Bob randomly perform both MEASURE and REFLECT operations when receiving S A and S B .Note that the probability that Alice and Bob choose both the MEASURE operation and the REFLECT operation is 1/2.Therein, Alice and Bob each select n quantum states to perform the MEASURE operation and select n quantum states to perform the REFLECT operation.The sequence sent back by Alice and bob is noted as ŜA and ŜB .Meanwhile, according to the measurement results of MEASURE operation, Alice and Bob record 1 if it is |1 ; otherwise, if the outcome is |0 , they record it as 0. Step 4: TP yields a new sequence of states after receiving all the sequences returned from Alice and Bob, respectively.Consequently, Alice and Bob each announce the position that is performed by the MEASURE operation.TP performs channel detection based on Alice's and Bob's operations.Specific operations are as follows:

Table 1 .
Summary table of state types and their corresponding operations.
If T is a bit.

Table 2 .
The comparison of related work.