Efficient Quantum Private Comparison Based on GHZ States

Quantum private comparison (QPC) is a fundamental cryptographic protocol that allows two parties to compare the equality of their private inputs without revealing any information about those inputs to each other. In recent years, QPC protocols utilizing various quantum resources have been proposed. However, these QPC protocols have lower utilization of quantum resources and qubit efficiency. To address this issue, we propose an efficient QPC protocol based on GHZ states, which leverages the unique properties of GHZ states and rotation operations to achieve secure and efficient private comparison. The secret information is encoded in the rotation angles of rotation operations performed on the received quantum sequence transmitted along the circular mode. This results in the multiplexing of quantum resources and enhances the utilization of quantum resources. Our protocol does not require quantum key distribution (QKD) for sharing a secret key to ensure the security of the inputs, resulting in no consumption of quantum resources for key sharing. One GHZ state can be compared to three bits of classical information in each comparison, leading to qubit efficiency reaching 100%. Compared with the existing QPC protocol, our protocol does not require quantum resources for sharing a secret key. It also demonstrates enhanced performance in qubit efficiency and the utilization of quantum resources.


Introduction
Quantum private comparison (QPC) plays a crucial role in secure multi-party computation and privacy-preserving applications.It enables two parties, Alice and Bob, to compare their private inputs without disclosing any information about those inputs to each other or to any eavesdroppers.Traditional classical private comparison protocols are inherently vulnerable to information leakage because they rely on the assumption of number-theoretical complexity, which is no longer reliable due to the emergence of quantum algorithms (e.g., Shor's algorithm [1] and Grover's algorithm [2]).QPC, on the other hand, leverages the unique properties of quantum mechanics (such as quantum entanglement, non-cloning, the uncertainty principle, and the superposition principle) to conduct secure comparisons while safeguarding the privacy of the inputs and ensuring information-theoretic security.
The first QPC protocol was suggested by Yang and Wen [3], utilizing two-photon entangled states and four unitary operations to achieve the comparison.Decoy photons and hash functions are used to prevent eavesdropping on players' private inputs.In 2010, triplet GHZ states and single-particle measurements were used to develop an efficient QPC protocol [4].This protocol divides secret messages into multiple groups, resulting in saved quantum resources.Nevertheless, Ref. [4] was susceptible to quantum attacks and, thus, results in information leakage.Some improvements have been proposed to Entropy 2024, 26, 413 2 of 15 enhance its security [5].Then, Tseng et al. [6] utilized quantum entanglement of Bell states to propose an easier implementation of the QPC protocol, achieving a qubit efficiency of 50%.Jia et al. [7] employed the entanglement properties of χ-type states as information carriers to accomplish private comparison.Local unitary operations are used to encode private information, and joint measurements are adopted to extract the results.Quantum superdense coding is utilized to achieve higher efficiency.Since then, several QPC protocols have been proposed, utilizing various quantum resources such as single photons [8][9][10][11], entangled states [12][13][14][15][16][17][18][19][20][21], and cluster states [22][23][24][25][26]. Additionally, two-atom product states and single-atom measurements are used in a QPC protocol [27].This protocol enables the comparison of the equality of one classical bit in each round, resulting in the qubit efficiency reaching 50%.Another QPC protocol, which does not require any classical computation, was proposed by Lang [28] in 2020.In this protocol, quantum gates are utilized for classical calculations instead of the bitwise XOR operation, leading to improved security.Zhang et al. [29] utilized quantum homomorphic encryption to develop a multiparty QPC protocol with a TP who will faithfully perform homomorphic calculations, effectively reducing the quantum resources required.A different QPC protocol, developed by Huang et al. in 2023 [30], is used to determine the equality of single-qubit states.This protocol utilizes more accessible quantum technologies, such as rotation encryption and swap test, to compare qubits.
According to the analysis of previous QPC protocols, while the aforementioned QPC protocols have shown potential for achieving secure private comparison, they often encounter challenges related to the utilization of quantum resources and qubit efficiency.For example, in most cases, the equality of one classical bit can be compared with Bell states and GHZ states.The qubit efficiency only reaches 50% and 33%, respectively, which limits qubit efficiency.In addition, most QPC protocols require the implementation of QKD protocol to share a secret key used for encrypting private inputs, resulting in a decrease in the utilization of quantum states.Therefore, appropriate measures need to be selected to enhance the qubit efficiency of QPC protocols.Rotation operations, which are special unitary operations, have received widespread attention.Various rotation-operation-based quantum secure protocols have been proposed, such as quantum secret sharing (QSS) [31], quantum signature [32], and quantum key agreement [33].Rotation operations can also be applied in designing QPC protocols due to their unique properties.
In this paper, we utilize GHZ states and rotation operations to propose an efficient QPC protocol, which achieves a qubit efficiency of 100% and a higher utilization rate of quantum resources.In our protocol, two users encode their secrets into the received quantum sequence, that is, performing the corresponding rotation operation on the received GHZ states.The secrets can be privately compared with a TP who will not deviate from the protocol execution or conspire with any participant, but may attempt to obtain the inputs of the users by learning the immediate data.The function of the TP is to prepare and encrypt an initial quantum sequence contained in GHZ states at the beginning and, then, decrypt and measure the decrypted quantum sequence at the end.
The main contributions of our paper are as follows.
(1) Our protocol does not require QKD protocol for sharing a secret key to ensure the security of the inputs.This results in no consumption of quantum resources for key sharing.(2) The quantum sequence is transmitted between the TP and two users in a circular mode.The inputs of the two users are encoded into the transmitted quantum sequence, leading to the multiplexing of quantum resources and improving the utilization of quantum resources.(3) One GHZ state can be compared to three-bit classical information, enabling qubit efficiency to reach 100%.
The rest of this paper is structured as follows.Preliminary knowledge is introduced in Section 2. The proposed quantum private comparison based on GHZ states is presented in Section 3. A simulation experiment demonstrating the correctness and feasibility of our Proof.Let us consider |φ 1 ⟩ as an example.We have the following equation.
In the same way, we can prove that Thus, Lemma 1 holds.□ Lemma 2. For θ j ∈ {0, π}, j ∈ {1, 2, 3},the resultant states, without considering the global phase, are shown in Table 1 when performing the corresponding rotation operation R y θ j on each particle of different GHZ states.

Quantum Private Comparison Based on GHZ States
In this section, we will provide detailed steps of the proposed QPC protocol, where a semi-honest TP assists two distrustful players, Alice and Bob, in comparing whether their secrets are equal.The semi-honest TP will not deviate from the protocol execution or conspire with any participant, but may try to obtain useful information about the users' inputs through illicit means.
Suppose that Alice and Bob hold their private integers denoted as I a and I b , respectively.I a and I b can be represented in binary form as We assume that the quantum channel in the communication process is noiseless and lossless, while the classical channel is authenticated.By authenticating the classical channel, the identities of all communication parties can be verified, ensuring that only legitimate entities participate in the execution of the protocol.The detailed steps of the proposed QPC protocol based on GHZ states are as follows, and its diagram is depicted in Figure 1.

Simulation Experiment
In this section, we utilize a concrete example and its simulation on IBM Quantum Composer to show the correctness and feasibility of our protocol.Suppose that the private integers of Alice and Bob are X = 10 and Y = 18, which can be represented in binary form Step 1. Alice and Bob divide an N-bit string X and Y into N/3 groups, respectively.Each group consists of 3-bit classical information.If Nmod3 ̸ = 0, fill in 3 − (Nmod3) 0 for the last group.The N-bit strings X and Y are converted to X Step 2. TP prepares N/3 GHZ states selected from Equations ( 1)-( 8) and records these states.Then, she generates a secret key Finally, she performs rotation operations R y TP j on the j-th GHZ states to obtain a sequence S initial .
Step 3. TP prepares 3M photons randomly chosen from four quantum states |0 , |1 ⟩ , |+ ⟩ and |− ⟩ as decoy states.These photons are then inserted into S initial at random positions to obtain a new sequence S ′ initial .The corresponding states and positions of decoy states are recorded by TP who will then send the sequence S ′ initial to Alice.
Step 4. Upon receiving the sequence S ′ initial , Alice sends an acknowledgment to TP who will verify the presence of eavesdroppers.TP announces the corresponding bases and positions of decoy states to Alice, who will then conduct measurements on these states and return the measurement outcomes to TP. TP detects the presence of eavesdroppers in the transmission channel by comparing the consistency of the measurement outcomes with the initially prepared decoy states and calculates the error rate.If the error rate exceeds a predefined threshold, this protocol will be rebooted.Otherwise, the protocol proceeds to the following steps.
Step 5. Alice discards decoy states in S ′ initial to obtain S initial and performs rotation operations R y π A j on the j-th states in S initial to obtain a sequence S A .She then generates her secret key and performs rotation operations R y KA j on the j-th states in S A to obtain a sequence S Enc_A .To prevent eavesdropping, Alice randomly selects 3M photons from four quantum states |0 , |1 ⟩ , |+ ⟩ and |− ⟩ as decoy states.These photons are then inserted into S Enc_A at random positions to obtain a new sequence S ′ Enc_A .Alice records the corresponding states and positions of decoy states and sends the sequence S ′ Enc_A to Bob.Step 6. Upon receiving the sequence S ′ Enc_A , Bob interacts with Alice to check for the presence of eavesdroppers in the transmission process, similar to Step 4. If no outsider eavesdropper exists, Alice announces her secret key Θ KA to Bob, who will then discard decoy states in S ′ Enc_A to obtain S Enc_A and perform rotation operations R y −KA j on the j-th states in S Enc_A to recover the sequence S A .
Step 7. Bob performs rotation operations R y πB j on the j-th states in S A to obtain a sequence S B .He then generates his secret key Enc_B , TP interacts with Bob to detect eavesdropping, similar to Step 4. If no eavesdropper exists in the transmission process, Bob will announce his secret key Θ KB to TP, who will then discard the decoy states in S ′ Enc_B to obtain S Enc_B and perform rotation operations R y −KB j on the j-th states in S Enc_B to recover the sequence S B .
Step 9. TP performs rotation operations R y −TP j on the j-th GHZ states in S B to obtain a sequence S f inal and, then, conducts GHZ-basis measurements on the j-th states in S f inal to obtain the measurement outcomes.If each measurement outcome is consistent with the initially prepared GHZ states in Step 2, then X = Y.Otherwise, X ̸ = Y.TP announces the comparison results to Alice and Bob.

Simulation Experiment
In this section, we utilize a concrete example and its simulation on IBM Quantum Composer to show the correctness and feasibility of our protocol.Suppose that the private integers of Alice and Bob are X = 10 and Y = 18, which can be represented in binary form as X = (x 1 , x 2 , x 3 , x 4 ) = 0101 and Y = (y 1 , y 2 , y 3 , y 4 , y 5 ) = 01001, respectively.Alice and Bob divide the strings X and Y into two groups, X = (A 1 , A 2 ) = (x 1 x 2 x 3 , x 4 ) and Y = (B 1 , B 2 ) = (y 1 y 2 y 3 , y 4 y 5 ).Since the lengths of X and Y are not multiples of three, Alice and Bob will add two zero and one zero in the group of A 2 and B 2 , respectively.Thereafter, A 1 = (x 1 x 2 x 3 ) = (010), A 2 = (x 4 00) = (100), B 1 = (y 1 y 2 y 3 ) = (010), B 2 = (y 4 y 5 0) = (010).
We assume that the semi-honest TP prepares two GHZ states denoted as | φ 1 ⟩ and | φ 6 ⟩ and the secret key )).When performing rotation operations R y (TP 1 ) and R y (TP 2 ) on the two GHZ states, the resultant sequence S initial can be written as When receiving the sequence S initial , Alice performs the rotation operations R y (πA 1 ) and R y (πA 2 ) on the two states in S initial to obtain a sequence S A , which can be expressed as We assume that the secret key . When performing rotation operations R y (KA 1 ) and R y (KA 2 ) on the two states in S A , the resultant sequence S Enc_A can be written as When receiving the secret key Θ KA and obtaining the sequence S Enc_A , Bob performs rotation operations R y (−KA 1 ) and R y (−KA 2 ) on the two states in S Enc_A to recover the sequence S A .This process can be written as When performing rotation operations R y (πB 1 ) and R y (πB 2 ) on the two states in S A , the resulting sequence S B can be written as We assume that the secret key . When performing rotation operations R y (KB 1 ) and R y (KB 2 ) on the two states in S B , the resultant sequence S Enc_B can be written as When receiving the secret key Θ KB and obtaining the sequence S Enc_B , the semi-honest TP performs rotation operations R y (−KB 1 ) and R y (−KB 2 ) on the two states in S Enc_B to recover the sequence S B .This process can be expressed as When performing rotation operations R y (−TP 1 ) and R y (−TP 2 ) on the two states in S B , the resultant sequence S f inal can be given by When conducting GHZ-basis measurements on the two states in S f inal , the measurement outcomes are | φ 1 ⟩ and | φ 4 ⟩ .Since the measurement outcomes | φ 1 ⟩ and | φ 4 ⟩ are not consistent with the initially prepared GHZ states | φ 1 ⟩ and | φ 6 ⟩ , TP can obtain the comparison result X ̸ = Y.
For the concrete example mentioned above, the quantum circuit of two GHZ states | φ 1 ⟩ and | φ 6 ⟩ , and its measurement outcome when executing this quantum circuit on IBM Quantum Composer are shown in Figures 2 and 3, respectively.The quantum circuit corresponding to the concrete example and the final measurement outcome can be seen in Figures 4 and 5, respectively.
For the concrete example mentioned above, the quantum circuit of two GH | 1 ⟩ and | 6 ⟩ , and its measurement outcome when executing this quantum c IBM Quantum Composer are shown in Figure 2 and Figure 3, respectively.The q circuit corresponding to the concrete example and the final measurement outcom seen in Figure 4 and Figure 5, respectively.From Figure 5, however, we can clearly observe that the measurement outcome when performing the quantum circuit of Figure 4 is different from the measurement outcome of the initially prepared two GHZ states in Figure 3.This discrepancy indicates that the measurement outcome is not consistent with the initially prepared GHZ states, suggesting that the comparison result is X ̸ = Y.

Security Analysis
In this section, we will consider both external and participant attacks and demonstrate that our protocol is resistant to these attacks.

External Attacks
We assume that the external attacker, Eve, may adopt quantum attack methods (e.g., the intercept-measurement-resend attack, the entanglement-measure attack, and the Trojan-horse attacks) to steal the secrets of Alice or Bob.We will demonstrate that these attacks are ineffective due to the decoy-state method utilized in our protocol.

The Intercept-Measurement-Resend Attack
The intercept-measurement-resend attack occurs when an external attacker, Eve, intercepts the quantum sequence in the quantum channel, measures the intercepted quantum sequence to steal secrets of Alice or Bob, and then resends a fake quantum sequence to the receiver in place of the intercepted one.However, the attack will inevitably introduce errors due to eavesdropping detection between the quantum sequence sender and receiver.When the receiver receives the quantum sequence, she will measure the decoy states using the measurement basis announced by the sender and, then, send the measurement results back to the sender.Eve has no chance to know the specific state of the decoy states, resulting in inconsistencies between the intercepted decoy states and the measurement results.When Eve intercepts the sequence, there is a 50% probability of selecting the incorrect measurement basis, resulting in a correct and incorrect outcome of 50% each, respectively.For example, the sender prepares a decoy state with a quantum state |1 ⟩.The probability of Eve choosing the correct measurement basis with Z-basis ({ |0 ⟩ , |1 ⟩} basis) is 50%, and Eve will deceive the eavesdropping detection with a probability of 1. Simultaneously, the probability of Eve choosing the incorrect measurement basis with X-basis ({ |+ ⟩ , |− ⟩} basis) is also 50%, and the probability of Eve deceiving the eavesdropping detection is 1/2.For n decoy states, the probability that Eve will deceive the eavesdropping detection is (3/4) n .The relationship between the number of decoy photons and the probability of Eve deceiving the eavesdropping detection is shown in Figure 6.When the number of decoy photons, n, is large enough, the probability of Eve being discovered in the eavesdropping detection approaches 1 infinitely.Therefore, the intercept-measurement-resend attack launched by Eve is invalid for stealing the secrets of Alice or Bob.

The Entanglement-Measure Attack
The entanglement-measure attack occurs when Eve intercepts the quantum particles during transmission and, then, utilizes unitary operations to entangle her auxiliary particles |⟩ with the intercepted particles.She then measures the auxiliary particles to obtain private information about Alice or Bob.
When using the unitary operation U to entangle the intercepted particles with quantum state |+⟩ and |−⟩, this process can be expressed as

The Entanglement-Measure Attack
The entanglement-measure attack occurs when Eve intercepts the quantum particles during transmission and, then, utilizes unitary operations to entangle her auxiliary particles |ε ⟩ with the intercepted particles.She then measures the auxiliary particles to obtain private information about Alice or Bob.
Additionally, assuming that Eve entangles her auxiliary particles with the transmitted GHZ states, her behavior will not succeed since the transmitted GHZ states are encrypted by the rotation operations, which are unknown to her.Therefore, the rotation operations ensure the concealment of the transmitted quantum states from external attackers, and the decoy state method can be employed to safeguard the security of the quantum channel.

The Trojan-Horse Attacks
The Trojan-horse attacks [34], including the delay-photon Trojan-horse attack and the invisible photon eavesdropping Trojan-horse attack, mainly occur in two-way quantum communication.Since the quantum states in our protocol are transmitted in a circular mode, there may be potential security risks due to Trojan-horse attacks.However, these attacks can be detected using existing techniques.The Wavelength Quantum Filter (WQF) can be used to remove invisible photons using optical filters, and the Photons Number Splitter (PNS) can be used to separate legitimate photons from delayed photons.Once these attacks are detected, the protocol will be aborted and restarted.

Participant Attacks
The participants who have access to immediate results may deduce private information by launching more powerful attacks, which poses a security challenge for our protocol [35].In the following, three cases of attacks will be analyzed in detail.

TP's Attack
In the proposed protocol, TP is assumed to be semi-honest, which means she cannot conspire with Alice and Bob but may attempt to steal the secrets of Alice and Bob.If TP wants to learn information about Alice or Bob's inputs, she can act as an external attacker and perform the corresponding attacks.However, her behavior will be detected during the eavesdropping detection process as discussed in Section 5.1.In this scenario, we are examining a special case where TP executes an intercept-resend attack on the sequence sent from Alice to Bob.TP intercepts the sequence S ′ Enc_A and resends a fake sequence to Bob.When Alice announces the positions where decoy states were inserted, TP discards the decoy states in S ′ Enc_A and obtains the sequence S Enc_A containing Alice's encoding inputs.Although this attack will be detected, TP may perform rotation operations R y −TP j on the j-th GHZ states in S Enc_A to obtain a sequence S A→B and, then, conduct GHZ-basis measurements on the j-th states in S A→B to obtain the measurement outcomes.TP may deduce Alice's private inputs by comparing the measurement outcomes with the initially prepared GHZ states.Unfortunately, the sequence S Enc_A is obtained by performing rotation operations R y KA j on the j-th states in S A , and the secret key Θ KA will be disclosed by Alice under the condition that no external eavesdropper exists.TP has no chance to obtain Θ KA , and she cannot obtain the sequence S A , making it inaccessible to deduce the rotation operations R y KA j .TP's lack of knowledge about R y KA j is equivalent to her inability to access Alice's private inputs.Additionally, TP can leverage the benefits of preparing the initial GHZ states to compute the comparison results and infer the inputs of Alice or Bob based on the final measurement outcomes.In this case, the inputs of Alice and Bob will not be disclosed since each measurement outcome only reveals the XOR value of three bits.Therefore, our protocol is secure against TP's attacks.

Alice's Attack
For Alice, she may send a fake sequence S A to Bob, intercept the sequence S ′ Enc_B sent from Bob to TP, and then, resend another fake sequence to TP.Once the secret key Θ KB is announced by Bob, Alice can recover S B by performing rotation operation R y −KB j on the j-th states in S Enc_B .However, this attack method is invalid in our protocol.Once Alice intercepts the sequence S Enc_B , her behavior will inevitably be detected during the eavesdropping between Bob and TP.Once the eavesdropper intervenes in the transmission process, Bob will not disclose the secret key to TP.The protocol will be aborted and restarted.Therefore, Alice has no chance of learning Bob's inputs.

Bob's Attack
For Bob, he can measure the sequence S B in the GHZ-basis and obtain the measurement outcomes.He may deduce which rotation operations have been performed by Alice by comparing the measurement outcomes with the initially prepared GHZ states and learn Alice's inputs.However, this method does not work.On the one hand, the initially prepared GHZ states are only known to TP who cannot conspire with any participants, resulting in Bob having no chance to know them.On the other hand, Bob may attempt to obtain the sequence S initial by performing an intercept-resend attack on the sequence S ′ initial and infer the initially prepared GHZ states.Although his behavior will be detected, and he can obtain S initial , he still has no chance to learn the initially prepared GHZ states.This is because the sequence S initial is obtained by performing rotation operations R y TP j on the j-th GHZ states, and no one can know the initially prepared GHZ states without knowing the secret key Θ TP .Without knowledge of the initially prepared GHZ states, Bob is unable to acquire information about Alice's inputs.Third, our protocol reaches the maximum theoretical efficiency of 100%, because one GHZ state can be compared to three bits of classical information in each comparison.To sum up, our protocol requires no quantum resources for sharing a secret key, and it has shown improved performance in qubit efficiency and the utilization of quantum resources.

Conclusions
In this article, we propose an efficient QPC protocol based on GHZ states.With the assistance of a semi-honest TP, two users can compare their secrets by utilizing the properties of GHZ states and rotation operations.Compared with other QPC protocols, one of the advantages of our protocol is that it utilizes secret keys distributed through classical channels instead of QKD protocols to share a secret key, which results in no consumption of quantum resources for key sharing.The quantum sequence is transmitted between the TP and two users in a circular mode.The inputs of the two users are encoded into the transmitted quantum sequence, leading to the multiplexing of quantum resources and improving the utilization of quantum resources.More importantly, our protocol achieves a qubit efficiency of 100%, which is the theoretical maximum.

Figure 1 .
Figure 1.The diagram of the QPC protocol.

Figure 1 .
Figure 1.The diagram of the QPC protocol.

Figure 3 .
Figure 3.The measurement outcome in Figure 2.

Figure 3 .
Figure 3.The measurement outcome in Figure 2.

Figure 4 .
Figure 4.The quantum circuit corresponding to the concrete example.

Figure 3 .
Figure 3.The measurement outcome in Figure 2.

Figure 4 .
Figure 4.The quantum circuit corresponding to the concrete example.

Figure 5 .
Figure 5.The measurement outcome in Figure 4.Figure 5.The measurement outcome in Figure 4.

Figure 5 .
Figure 5.The measurement outcome in Figure 4.Figure 5.The measurement outcome in Figure 4.

17 Figure 6 .
Figure 6.The relationship between the number of decoy photons and the probability that Eve will deceive the eavesdropping detection.

Figure 6 .
Figure 6.The relationship between the number of decoy photons and the probability that Eve will deceive the eavesdropping detection.

Table 1 .
The resultant states without considering the global phase.
and performs rotation operations R y KB j on the j-th states in S B to obtain a sequence S Enc_B .To thwart potential external attacks by eavesdroppers, Bob randomly inserts 3M photons into S Enc_B at various positions to obtain a new sequence S ′ Enc_B .These photons are chosen from four quantum states |0 , |1 ⟩ , |+ ⟩ and |− ⟩ as decoy states.Bob records the states and positions of decoy states and sends the sequence S ′ Enc_B to TP. Step 8. Upon receiving the sequence S ′