Multi-Party Semi-Quantum Simultaneous Ascending Auction Protocol Based on Single-Particle States

Abstract

Simultaneous ascending auctions find extensive applications in spectrum licensing and advertising space allocation. However, existing quantum sealed-bid auction protocols suffer from dual limitations: they cannot support multi-item simultaneous bidding scenarios, and their reliance on complex quantum resources along with requiring full quantum operational capabilities from bidders fails to accommodate practical constraints of quantum resource-limited users. To address these challenges, this paper proposes a multi-party semi-quantum simultaneous ascending auction protocol based on single-particle states. The protocol employs a trusted honest third party (HTP) responsible for quantum state generation, distribution, and security verification. Bidders determine their groups through quantum measurements and privately encode their bid vectors. Upon successful HTP authentication, each bidder obtains a unique identity code. During the bidding phase, HTP dynamically updates quantum sequences, allowing bidders to submit bids for multiple items by performing only simple unitary operations. HTP announces the highest bid for each item in real time and iteratively generates auction sequences until no new highest bid emerges, thereby achieving simultaneous ascending auctions for multiple items. It acts as a quantum-secured signaling layer, ensuring unconditional security for bid transmission and identity verification while maintaining classical auction logic. Quantum circuit simulations validate the protocol’s feasibility with current technology while satisfying critical security requirements, including anonymity, verifiability, non-repudiation, and privacy preservation. It provides a scalable semi-quantum auction solution for resource-constrained scenarios.

1. Introduction

Quantum cryptography, a key subfield of quantum information science, combines quantum-mechanical principles with classical cryptography. It has achieved major advances in protocol design and implementation, including Quantum Key Distribution (QKD) [1,2], Quantum Secure Direct Communication (QSDC) [3,4], and Quantum Secret Sharing (QSS) [5,6]. These technologies are increasingly deployed in practice, such as quantum voting systems [7] and quantum transaction platforms, offering new models for secure applications.

Auctions are fundamental mechanisms for resource allocation and trading [8,9,10]. By information transparency and bidding rules, they can be categorized into open-cry and sealed-bid formats [11]. English and Dutch auctions are open-cry, with real-time price discovery. Sealed-bid auctions require bidders to submit offers independently and confidentially, which better preserves strategy privacy and suits anonymity-sensitive scenarios.

However, conventional sealed-bid mechanisms rely on computational assumptions in classical cryptography (e.g., integer factorization and discrete logarithms). With rapid progress in quantum computing [12,13], Shor’s algorithm solves these problems in polynomial time [14] and Grover’s algorithm speeds up search [15], exposing sealed-bid systems to quantum attacks [16]. This motivates security protocols grounded in physical principles.

Unlike classical schemes that offer computational security, quantum cryptographic protocols provide information-theoretic security (or unconditional security). This ensures that encrypted data remains secure even against adversaries with unlimited computing power, guaranteeing forward secrecy. In the context of auctions, this prevents historical bid data from being decrypted retroactively once powerful quantum computers become available. It is important to clarify that our proposed protocol serves as a quantum-secured signaling layer. It utilizes quantum mechanics to secure the transmission of bids and verify identities, while the underlying auction allocation logic (comparing bids and determining winners) follows the classical simultaneous ascending auction mechanism.

Against this backdrop, research on quantum sealed-bid auction (QSA) protocols has grown rapidly. The goal is to design quantum-resilient mechanisms that ensure fairness, preserve privacy, and enhance security.

The conceptual framework of quantum auctions was introduced in 2008 [17]. In 2009, Naseri [18] proposed a GHZ-based QSA enabling secure multi-party bid transmission. That scheme resisted only external attacks and was vulnerable internally. Follow-up work refined designs and security analyses. Qin et al. [19] and Yang et al. [20] exposed attacks via double CNOT and pseudo-entangled states; their fixes did not consider a dishonest auction center. In 2010, Zhao et al. [21] added post-confirmation to mitigate collusion, later refined for partial collusion. In 2014, Liu et al. [22] integrated QKD for bid encryption and hash-based confirmation. In 2016, they proposed a single-particle QSBA [23], reducing quantum resources, but Zhang et al. [24] showed coordinated attacks remained. Recent advances include QFT- and d-dimensional-state protocols [25], an anonymous QSA via the Chinese Remainder Theorem [26], and an auctioneer-free scheme with Bell-state swapping [27]. Semi-quantum secure multi-party summation (SQSMS) [28,29,30,31,32,33] has also gained attention due to its compatibility with users of varying quantum capabilities.

Despite these advancements, existing QSA research faces two primary “shortages”: (1) Capability Shortage—most protocols require fully quantum-capable participants, which is impractical for general users. (2) Functional Shortage: Most studies focus on single-item sealed-bid auctions, failing to address the complexity of simultaneous ascending auctions for multiple items. To address this, we combine Milgrom’s simultaneous ascending auction theory [34] with a semi-quantum design and propose a quantum simultaneous ascending auction (QSAA) framework that supports users with diverse capabilities. Under capability constraints, semi-quantum bidders obtain unique identity codes from an honest, fully quantum third party (HTP) and submit bids using simple unitary operations. The protocol preserves anonymity, privacy, fairness, verifiability, and non-repudiation: only HTP learns bids; sealed bids are disclosed simultaneously; bidders cannot repudiate submitted bids and HTP cannot deny receipts.

The remainder of this paper is organized as follows: Section 2 introduces the fundamental concepts of simultaneous ascending auction mechanisms and semi-quantum protocols. Section 3 elaborates on a multi-party semi-quantum simultaneous ascending auction protocol in detail. Section 4 presents simulation analyses. Section 5 provides performance evaluations. Finally, Section 6 concludes the paper.

2. Preliminaries

Our protocol enables anonymous auctions for users with limited quantum capabilities. The semi-quantum simultaneous ascending auction (SQSAA) assigns each bidder a unique identity code. Bidders apply unitary operations to encode bid prices onto quantum sequences, implementing a simultaneous ascending-price auction. We first introduce the auction mechanism and the semi-quantum model used in this paper.

2.1. Simultaneous Ascending Auction Mechanism

The simultaneous ascending-price auction is a multi-item dynamic mechanism widely used in spectrum licensing and advertisement allocation. Its core characteristics include simultaneous bidding for multiple items, round-by-round price increments, and a public bidding process. In each round, bidders may raise bids on any items. After each round, each item’s price updates to the highest bid received. The process repeats until no further bids are submitted, and items are allocated to the highest bidders at their final prices.

2.2. Semi-Quantum Protocol Architecture and Trust Model

The semi-quantum architecture involves two types of users:

Quantum Users (HTP)—the honest third party (HTP) possesses full quantum capabilities (preparation, manipulation, and measurement). Assumption: In this semi-quantum model, the HTP is assumed to be a trusted authority. The HTP generates and measures states correctly and does not collude with bidders to reveal bids to others, although the HTP itself learns the bid values.

Semi-Quantum Users (Bidders): Participants with constrained quantum capabilities, typically limited to Z-basis or X-basis measurements (computational or Fourier bases), applying simple unitary operations, and reflecting received quantum states. This design reduces hardware complexity and cost.

2.3. Protocol Characteristics

The semi-quantum design offers two practical advantages [30]:

System compatibility—basic quantum operations can be implemented using low-cost optical components. When devices malfunction, systems can fall back to a semi-quantum mode, enhancing robustness and easing the transition from classical to quantum infrastructures.

Cost efficiency: Limiting some users’ quantum capabilities reduces dependence on expensive quantum resources and large-scale quantum memory processing, enabling economically viable deployment during the current transitional phase.

3. Multi-Party Semi-Quantum Simultaneous Ascending Auction Protocol

Assume an honest third party (HTP) with full quantum capability acts as the auction coordinator and never colludes with bidders. There are n semi-quantum participants $P_1,P_2,\dots ,P_n$ who serve as bidders with restricted capabilities: computational-basis or Fourier-basis measurement, simple unitary operations, and reflection. Each bidder $P_i(i=1,2,\dots ,n)$ independently generates a private randomized identity vector $v_i$ satisfying $v_i=(v_i^1,v_i^2,\dots ,v_i^n),v_i^o\in \{0,1\},o=(1,2,\dots ,n).$ These vectors serve as cryptographic identity anchors, dynamically integrated into quantum state manipulations through controlled unitary operations.

The protocol has four phases: initialization, identity encoding distribution, bidding, and result announcement. In initialization, HTP constructs differentiated quantum sequences for each bidder and collaborates with $P_i$ to validate channel security. In identity encoding distribution, each bidder generates a private identity vector, applies unitary operations to assigned particles, HTP constructs a verification matrix, and validates integrity against predefined rules. In bidding, each bidder applies unitary operations to encode bids and computes a commitment. In the result announcement, HTP determines the highest bid and bidder per item, and others verify using commitments. The schematic diagram of the protocol is shown in Figure 1.

Figure 1. Workflow of identity encoding distribution and verification at HTP. (Lateral diagrams correspond to Step 4 and 5).

3.1. Initialization Phase

Step 1: HTP and each authorized bidder pre-share an authenticated key sequence $K_i=(k_i^1,k_i^2,\dots ,k_i^{4n+1+m}),k_i^l\in \{0,1\}$. * Note: These keys are distributed via a secure classical channel or a prior standard QKD session before the auction begins. If keys are compromised, the authentication fails; thus, key refreshment is recommended for subsequent sessions. * HTP randomly prepares $(4n+1)$ rotation-basis particles $R_i=(r_i^1,r_i^2,\dots ,r_i^{4n+1}),r_i^p\in \{\left|0\right.⟩,\left|1\right.⟩,\left|+\right.⟩,\left|-\right.⟩\}$ and m decoy particles $C_i=(c_i^1,\dots ,c_i^m),c_i^q\in \{\left|0\right.⟩,\left|1\right.⟩,\left|+\right.⟩,\left|-\right.⟩\}$ for each bidder. According to $K_i$, HTP determines the embedding order of decoy and rotation particles in the quantum sequence, using (1) if $k_i^l$ = 0, a rotational particle $r_i^p$ is inserted into the sequence. (2) If $k_i^l$ = 1, a decoy particle $c_i^q$ is embedded instead. HTP then produces a quantum sequence $Se{q}_i$ of length $(4n+1+m)$. Repeating this for all bidders yields n sequences $(Se{q}_1,\dots ,Se{q}_n)$, which HTP sends over authenticated quantum channels.

Step 2: Upon receiving $Se{q}_i$, bidder $P_i$ routes each particle according to $k_i^l$: If $k_i^l=1$, $P_i$ directly reflects the particle to HTP; if $k_i^l=0$, $P_i$ retains the particle for Step 4.

Step 3: HTP measures the reflected particles using the preparation bases indicated by $k_i^l$ and computes the quantum bit error rate (QBER) by comparing outcomes with prepared states. If QBER exceeds a threshold $\eta$, the protocol aborts; otherwise it proceeds. Threshold Selection: The threshold $\eta$ is not arbitrary; it is selected based on standard security proofs for BB84-type protocols. To tolerate environmental noise while securely detecting intercept-resend attacks (which theoretically induce $\sim 25\%$ error), $\eta$ is typically set strictly below the coherent attack bound (approx. 11%), for example, in the range of 5–8% in practical scenarios.

3.2. Identity Encoding Distribution Phase

Step 4: After eavesdropping detection, each $P_i$ discards decoy particles and keeps rotation particles. HTP designates the first rotation particle as the grouping particle and publishes its measurement basis on the bulletin board. HTP records initial states and counts bidders per group. Each $P_i$ measures the grouping particle according to determine its group: outcomes $\left|0\right.⟩,\left|1\right.⟩,\left|+\right.⟩,\left|-\right.⟩$ map to groups 1–4.

Step 5: Each $P_i$ generates a private n-dimensional vector $v_i$, then applies unitary operations to assigned particles according to: (1) if $v_i^o$ = 0, it applies the Pauli-I operation (${\sigma }_I$) to the rotational particle. (2) If $v_i^o$ = 1, it performs the Pauli-Y operation (${\sigma }_Y$) on the rotational particle.

Afterward, $P_i$ sends the updated sequence $Se{q}_i^{\prime }$ to HTP.

Step 6: Upon receiving $Se{q}_i^{\prime }$ from all bidders, HTP determines each bidder’s group from $k_i^l$ and the grouping particles, then measures each particle in the corresponding basis to form a mapping $f_x:x\mapsto z_i^j$ (Table 1). For both computational and Fourier bases, record $z_i^j=1$ if the outcome flips relative to the initial state; otherwise, set $z_i^j=0$.

$$\mathbf{Z}=\left[\begin{array}{cccc}{z}_1^1& z_1^2& \dots & z_1^{4n}\\ ⋮& ⋮& \ddots & ⋮\\ z_n^1& z_n^2& \dots & z_n^{4n}\end{array}\right]$$

(1)

Table 1. Initial states and mapping results.

Initial States	Measurement Results	Mapping Results ${\mathit{z}}_{\mathit{i}}$
$\left|0\right.⟩$	$\left|0\right.⟩$	0
$\left|0\right.⟩$	$\left|1\right.⟩$	1
$\left|1\right.⟩$	$\left|1\right.⟩$	0
$\left|1\right.⟩$	$\left|0\right.⟩$	1
$\left|+\right.⟩$	$\left|+\right.⟩$	0
$\left|+\right.⟩$	$\left|-\right.⟩$	1
$\left|-\right.⟩$	$\left|-\right.⟩$	0
$\left|-\right.⟩$	$\left|+\right.⟩$	1

After constructing the $n\times 4n$ matrix from $z_i^j$ of the quantum sequences $Se{q}_i^{\prime }$ returned by bidders, HTP checks the Hamming weight of each valid column. Identity encoding distribution succeeds iff, for every valid column j,

$$\sum _{i=1}^n{z}_i^j=1$$

(2)

and the number of bidders within each group matches HTP’s initial records. Liveness and Restart: If this condition is not met (e.g., column sum $\ne 1$) or if the number of bidders in a group mismatches the record (group collision), HTP broadcasts a “Restart” signal. The current round is discarded, and the Identity Encoding Phase repeats from Step 1. This ensures the protocol remains live and reaches a valid distribution state. Columns with no embedded identity encoding are excluded from verification.

3.3. Bidding Phase

Step 7: Completing these operations, each bidder obtains a unique identity code. Repeating Steps 1–3, HTP generates a new quantum sequence ${\mathrm{Seq}}_i^{\left(r\right)}$ and new $K_i^{\left(r\right)}$ for each round r. In each sequence, the first $(2+n)$ particles encode identity (2 group particles followed by n identity particles). For item w with domain $\{0,\dots ,d_w-1\}$, the next $\lceil {log}_2{d}_w\rceil$ particles encode the bid.

Step 8: Assuming HTP specifies that the initial bid range for the w-th auctioned item lies within $[0,d_w-1]$. HTP broadcasts the valid bidding range and specifies the required bit-length $L=\lceil {log}_2{d}_w\rceil$ for the bid vector. This ensures all bidders encode their bids using a consistent quantum sequence length. Each bidder $P_i$ converts their bid into a corresponding private bid binary sequence $b_i^{\left(w\right)}=(b_i^{\lceil {log}_2{d}_w\rceil },\dots ,b_i^2,b_i^1)$.

Each bidder first encodes their identity sequence. Based on the grouping of particles, the first two particles encode the group identifier, with the conventions 00, 01, 10, and 11 designating the first, second, third and fourth groups, respectively. For example, for group 2 (01), apply I to the first qubit and H to the second. The subsequent n particles encode the private identity code.

For all items, bits are encoded from most significant to least significant (left to right in the vector, applied right to left on qubits as specified in Step 9).

Step 9: The bidder applies the Hadamard, Pauli-Y and Pauli-I operations to the first two particles and encodes their identity vector. Subsequently, they encode their private bid binary sequence $b_i^a$ (where $a=1,2,\dots ,\lceil {log}_2{d}_w\rceil$) onto the specific bid particle sequence from right to left. If $b_i^a$ = 0, $P_i$ performs the ${\sigma }_I$ operation; if $b_i^a$ = 1, $P_i$ applies the ${\sigma }_Y$ operation. Otherwise (if no bid is intended), the bidder performs no operations on any particles in the specific bid particle sequence. Then, $P_i$ returns the newly processed particle sequence ${\mathrm{Seq}}_i^{\left(r^{\prime }\right)}$ to HTP, particle by particle. It is noteworthy that for multiple auction items, the initial-round bidding prices are encoded in the particle sequence following the first auctioned item. Correspondingly, the particle count of ${\mathrm{Seq}}_i^{\left(r\right)}$ is augmented according to the same rule established for the first item.

Step 10: Concurrently, in each round, each bidder $P_i$ computes a binding, hiding commitment to their bid for each item using a collision-resistant hash function $Hash(·)$. Let $s_i^w\in {\mathbb{Z}}_N$ be a per-round random nonce. Define ${\mathrm{com}}_i^w=\mathrm{Hash}\left(\mathrm{round}\_\mathrm{id}\parallel w\parallel {\mathrm{id}}_i\parallel b_i^w\parallel s_i^w\right),$ where $b_i^w$ is the bidder’s decimal bid for item w in that round, and ∥ denotes concatenation. HTP records ${\mathrm{com}}_i^w$ for each bidder and item per round. Any bid update must include a fresh commitment.

3.4. Result Announcement Phase

Step 11: After receiving the quantum sequences ${\mathrm{Seq}}_i^{\left(r^{\prime }\right)}$ from all bidders, HTP first constructs a mapping result matrix according to the identity encoding distribution rules and verifies each bidder’s identity encoding sequence. Subsequently, HTP measures the first two particles using the following rules. When the Pauli-I operation is applied to a qubit, the HTP measures it in the same basis as its initial state. Conversely, when the Hadamard operation is applied, measurement occurs in the conjugate basis relative to the initial state.

Taking $P_2$ as an example, its identity code is Group 2, Number 3. The unitary operation for its group particles consists of applying the Pauli-I operation to the first particle and the Hadamard operation to the second particle. The HTP measures the first particle using the same measurement basis as its initial state. Regardless of the initial state, if the measurement outcome matches the initial state, the HTP calculates the mapping result of the first particle as 0. For the second particle, the HTP employs the measurement basis orthogonal to the initial state: if the initial state is $|0⟩$ or $|1⟩$, the measurement outcome will be $|+⟩$ or $|-⟩$; conversely, if the initial state is $|+⟩$ or $|-⟩$, the measurement outcome will be $|0⟩$ or $|1⟩$. In this case, the HTP calculates the mapping result of the second particle as 1, as illustrated in the diagram. Please refer to Table 2 for detailed information.

Table 2. Group mapping measurement and mapping results.

Initial State	Comp. Basis	Mapping	Fourier Basis	Mapping
$\left|0\right.⟩$	$\left|0\right.⟩$	0	$\left|+\right.⟩$	1
$\left|1\right.⟩$	$\left|1\right.⟩$	0	$\left|-\right.⟩$	1
$\left|+\right.⟩$	$\left|0\right.⟩$	1	$\left|+\right.⟩$	0
$\left|-\right.⟩$	$\left|1\right.⟩$	1	$\left|-\right.⟩$	0

Then, HTP measures the specific bid particle sequence from right to left using the corresponding basis, recording each outcome $t_i^a$: if the measurement result is opposite to the initial state, it is recorded as $t_i^a$ = 1; otherwise, $t_i^a$ = 0. Finally, HTP arranges all specific bid results $t_i^a$, converts the bits to a decimal bid, selects the highest first-round bid, and publishes it on the bulletin board (or via a classical channel).

Step 12: After completing initial bidding for all auctioned items, bidders collectively negotiate the bid increment range for subsequent rounds.Specifically, suppose they determine the starting price for each new round as 10% of the previous round’s highest bid for that item, $\mathrm{Starting}{\mathrm{Price}}_{\mathrm{next}}=(1+10\%)\times \mathrm{Highest}{\mathrm{Bid}}_{\mathrm{previous}}$. Then, they repeat Steps 7–10 for the next round. Upon receiving quantum sequences, HTP executes Step 11.

If a bid does not exceed the current highest bid, HTP withholds updates. The auction concludes when no item receives a higher bid; HTP then publishes all final highest bids.

Step 13: Assume bidder $P_e$ is the highest bidder for item w. He discloses $b_e^w$ and $s_e^w$, enabling others to recompute ${\mathrm{com}}_e^w=Hash\left(\mathrm{round}\_\mathrm{id}\parallel w\parallel {\mathrm{id}}_e\parallel b_e^w\parallel s_e^w\right)$ and check it matches the recorded commitment. If $P_e$’s commitment is validated by all bidders and HTP, he is confirmed as the highest bidder; otherwise, verification fails. If any bidder $P_f$ ($f\ne e$) claims their bid exceeds HTP’s published highest bid or $P_e$, $P_f$ broadcasts a complaint and discloses $(b_f^w,s_f^w)$ for verification. Successful verification mandates HTP to update the item’s highest bid; failed verification maintains the current highest bid. HTP declares $P_e$ the winner for item w only when no valid complaints are substantiated (Figure 2).

Figure 2. Overall simultaneous ascending auction workflow with identity and bid encoding.

4. Simulation of the Proposed Protocol

The Qiskit simulation presented here aims to validate the correctness of the quantum physical layer—specifically the single-particle encoding, decoding, and noise robustness—rather than to simulate the classical arithmetic logic of the auctioneer.

We illustrate the protocol with Qiskit simulations in two phases: multi-party semi-quantum identity encoding distribution and multi-party semi-quantum simultaneous ascending auction. Consider an HTP coordinating three semi-quantum bidders $P_1,P_2,P_3$. Bidders independently sample private vectors $v_1=(0,1,0),v_2=(0,1,1),v_3=(1,0,1)$.

4.1. Multi-Party Semi-Quantum Identity Encoding Distribution

Assume at this stage, HTP allocates distinct key sequences $K_1,K_2,K_3$ to bidders $P_1,P_2,P_3$ respectively, where

$$\begin{array}{cc}\hfill K_1& =\{0,1,0,1,0,1,0,0,1,0,0,1,0,1,0,0,1,0,0,0\}\hfill \\ \hfill K_2& =\{1,0,0,0,1,1,0,1,0,0,0,0,1,0,1,0,0,0,0,1\}\hfill \\ \hfill K_3& =\{1,1,0,1,0,0,0,0,1,0,1,1,0,0,0,1,0,0,0,0\}\hfill \end{array}$$

Step 1: HTP randomly generates rotation particles $R_1,R_2,R_3$ and decoy particles $C_1,C_2,C_3$ from BB84 state $\{\left|0\right.⟩,\left|1\right.⟩,\left|+\right.⟩,\left|-\right.⟩\}$. According to the rules specified in the aforementioned protocol, the quantum sequences $Se{q}_1$, $Se{q}_2$ and $Se{q}_3$ are formed in Table 3. The quantum circuit diagram for $P_1$ is illustrated in Figure 3 according to the aforementioned conditions. In this simulation, we employ a decoy state ratio of approximately 50% (1:1 with rotation particles) to maximize statistical detection sensitivity for the case study.

Table 3. Example construction of sequences $Se{q}_1,Se{q}_2,Se{q}_3$ based on keys $K_1,K_2,K_3$ and BB84 states.

	1	2	3	4	5	6	7	8	9	10
$K_1$	0	1	0	1	0	1	0	0	1	0
$R_1$	∣0⟩	∣1⟩	∣+⟩	∣1⟩	∣1⟩	∣0⟩	∣0⟩	∣0⟩	∣−⟩	∣−⟩
$C_1$	∣0⟩	∣−⟩	∣−⟩	∣0⟩	∣+⟩	∣+⟩	∣−⟩	∣0⟩	∣+⟩	∣−⟩
$Se{q}_1$	∣0⟩	∣−⟩	∣+⟩	∣0⟩	∣1⟩	∣+⟩	∣0⟩	∣0⟩	∣+⟩	∣−⟩
$K_2$	1	0	0	0	1	1	0	1	0	0
$R_2$	∣+⟩	∣1⟩	∣−⟩	∣0⟩	∣0⟩	∣−⟩	∣+⟩	∣1⟩	∣+⟩	∣1⟩
$C_2$	∣−⟩	∣+⟩	∣1⟩	∣−⟩	∣+⟩	∣+⟩	∣−⟩	∣1⟩	∣1⟩	∣0⟩
$Se{q}_2$	∣−⟩	∣1⟩	∣−⟩	∣0⟩	∣+⟩	∣+⟩	∣+⟩	∣1⟩	∣+⟩	∣1⟩
$K_3$	1	1	0	1	0	0	0	0	1	0
$R_3$	∣−⟩	∣−⟩	∣+⟩	∣0⟩	∣1⟩	∣−⟩	∣0⟩	∣+⟩	∣−⟩	∣1⟩
$C_3$	∣−⟩	∣0⟩	∣1⟩	∣+⟩	∣−⟩	∣−⟩	∣0⟩	∣0⟩	∣−⟩	∣+⟩
$Se{q}_3$	∣−⟩	∣0⟩	∣+⟩	∣+⟩	∣1⟩	∣−⟩	∣0⟩	∣+⟩	∣−⟩	∣1⟩
	11	12	13	14	15	16	17	18	19	20
$K_1$	0	1	0	1	0	0	1	0	0	0
$R_1$	∣+⟩	∣1⟩	∣+⟩	∣1⟩	∣−⟩	∣1⟩	∣0⟩	∣0⟩	∣+⟩	∣1⟩
$C_1$	∣−⟩	∣0⟩	∣+⟩	∣1⟩	∣1⟩	∣1⟩	∣+⟩	∣0⟩	∣+⟩	∣0⟩
$Se{q}_1$	∣+⟩	∣0⟩	∣+⟩	∣1⟩	∣−⟩	∣1⟩	∣+⟩	∣0⟩	∣+⟩	∣1⟩
$K_2$	0	0	1	0	1	0	0	0	0	1
$R_2$	∣0⟩	∣+⟩	∣1⟩	∣−⟩	∣−⟩	∣1⟩	∣0⟩	∣+⟩	∣−⟩	∣+⟩
$C_2$	∣0⟩	∣1⟩	∣−⟩	∣1⟩	∣+⟩	∣−⟩	1	∣−⟩	∣+⟩	∣1⟩
$Se{q}_2$	∣0⟩	∣+⟩	∣−⟩	∣−⟩	∣+⟩	∣1⟩	∣0⟩	∣+⟩	∣−⟩	∣1⟩
$K_3$	1	1	0	0	0	1	0	0	0	0
$R_3$	∣0⟩	∣1⟩	∣+⟩	∣1⟩	∣−⟩	∣0⟩	∣1⟩	∣−⟩	∣+⟩	∣+⟩
$C_3$	∣−⟩	∣0⟩	∣+⟩	∣−⟩	∣−⟩	∣+⟩	∣1⟩	∣−⟩	∣0⟩	∣1⟩
$Se{q}_3$	∣−⟩	∣0⟩	∣+⟩	∣1⟩	∣−⟩	∣+⟩	∣1⟩	∣−⟩	∣+⟩	∣+⟩

BB84 states include ∣0⟩, ∣1⟩, ∣+⟩, and ∣−⟩; K represents the key, R represents the receiver state, C represents the channel state, and $Seq$ represents the resulting sequence.

Figure 3. Circuit for identity encoding distribution using BB84 single-qubit states.

Step 2: Each bidder routes particles according to $K_i$. $P_i$ reflects decoy particles and retains rotation particles. HTP measures reflected particles in the corresponding bases and computes QBER. For example, in $Se{q}_1$ the particles at positions 2, 4, 6, 9, 12, 14, and 17 are reflected (Figure 4). If the error rate is below the threshold, the protocol proceeds (Figure 5).

Figure 4. Decoy particle reflection and QBER estimation circuit used for channel checking.

Figure 5. Example of positions reflected by bidder $P_1$ for decoy checking according to $K_1$.

Step 3: HTP publishes (or broadcasts via classical channel) the measurement basis for the first rotation particle on the bulletin board while recording the number of bidders in each group. Bidders $P_1,P_2,P_3$ measure the first particle in their respective rotation particle sequences $Se{q}_1$, $Se{q}_2$ and $Se{q}_3$ using the announced basis. Taking $P_1$ as an example: when the first particle in its rotation sequence is ∣0⟩ (Figure 6) and the computational basis measurement yields 0, $P_1$ is assigned to Group 1. Similarly, $P_2$ and $P_3$ are assigned to Group 2 and Group 3, respectively. These grouping results are consistent with the HTP’s recorded data. Then, Bidder $P_1$ performs unitary operations on positions 2–4 of its rotation particle sequence: specifically applying the ${\sigma }_Y$ operation to the 3rd position and the ${\sigma }_I$ operation to positions 2 and 4, while leaving other particles unchanged (Figure 7). Afterward, $P_1$ sends $Se{q}_1^{\prime }$ to HTP. Following the same rules, $P_2$ and $P_3$ execute their designated unitary operations and send their sequences $Se{q}_2^{\prime }$ and $Se{q}_3^{\prime }$ to HTP.

Figure 6. Circuit example of rotation-basis particle operations for identity and bid encoding.

Figure 7. Grouping via the first rotation particle and unitary operations per group.

Step 4: Upon receiving the modified quantum sequences $Se{q}_1^{\prime }$, $Se{q}_2^{\prime }$ and $Se{q}_3^{\prime }$ from bidders $P_1$, $P_2$ and $P_3$, HTP performs sequential measurements on each qubit of the sequences using the measurement basis corresponding to each bidder’s group assignment. The mapping results are organized into a $3\times 12$ matrix M, where each row represents a bidder’s sequence and each column corresponds to a specific qubit position.

The per-column Hamming weights (column sums) are (0, 1, 0, 0, 1, 1, 1, 0, 1, 0, 0, 0). For every valid column, the sum equals 1; therefore, bidders $P_1$, $P_2$ and $P_3$ are assigned the identity designations Group 1 Member 2, Group 2 Member 3, and Group 3 Member 5, respectively, satisfying the predefined condition. Thus, the identity code distribution is successful without repetition (see Figure 8).

Figure 8. Mapping results arranged into a matrix for identity verification.

4.2. Multi-Party Semi-Quantum Simultaneous Ascending Auction

In this stage, all bidders simultaneously place bids on both auction items, A and B (though the protocol permits optional single-item bidding). For demonstration clarity, we assume single-round auction completion. Suppose the initial price ranges for items A and B in the first-round auction are [0, 8] and [0, 10], respectively, with a bid increment benchmark of 10% per round. In the first round, bidders $P_1$, $P_2$ and $P_3$ submit their initial bids for item A as (4, 7, 5) and for item B as (7, 7, 9). All bidders reveal their true maximum willingness-to-pay (i.e., their psychological reserve prices) in the first round, implying that no bidders will revise their bids in subsequent auction rounds.

Step 1: HTP initializes the protocol by assigning distinct key sequences $K_1^{\prime },K_2^{\prime },K_3^{\prime }$ to bidders $P_1,P_2,P_3$ respectively, where

$$\begin{array}{cc}\hfill K_1^{\prime }& =\{0,1,0,1,0,1,0,1,1,0,0,1,0,1,0,1,0,0,1,0,0,1,1,0,0\}\hfill \\ \hfill K_2^{\prime }& =\{1,0,0,1,1,1,0,1,0,0,0,0,1,0,1,0,1,1,0,0,0,0,1,0,1\}\hfill \\ \hfill K_3^{\prime }& =\{1,1,0,1,0,0,0,0,1,0,1,1,0,0,1,0,1,0,1,1,0,0,0,1,0\}\hfill \end{array}$$

Then, HTP randomly generates quantum sequences $Se{q}_1^{″}$, $Se{q}_2^{″}$ and $Se{q}_3^{″}$ according to the rules of Step 1,where

$$\begin{array}{cc}\hfill {\mathit{Seq}}_1^{″}& =\{\left|0\right.⟩,\left|-\right.⟩,\left|+\right.⟩,\left|0\right.⟩,\left|1\right.⟩,\left|+\right.⟩,\left|0\right.⟩,\left|0\right.⟩,\left|+\right.⟩,\left|-\right.⟩,\hfill \\ & \left|+\right.⟩,\left|0\right.⟩,\left|+\right.⟩,\left|1\right.⟩,\left|-\right.⟩,\left|-\right.⟩,\left|+\right.⟩,\left|0\right.⟩,\left|1\right.⟩,\left|+\right.⟩,\hfill \\ & \left|-\right.⟩,\left|+\right.⟩,\left|0\right.⟩,\left|1\right.⟩,\left|+\right.⟩,\left|+\right.⟩,\left|0\right.⟩,\left|+\right.⟩,\left|1\right.⟩,\left|-\right.⟩\}\hfill \\ \hfill {\mathit{Seq}}_2^{″}& =\{\left|-\right.⟩,\left|1\right.⟩,\left|-\right.⟩,\left|-\right.⟩,\left|+\right.⟩,\left|+\right.⟩,\left|+\right.⟩,\left|1\right.⟩,\left|+\right.⟩,\left|1\right.⟩,\hfill \\ & \left|0\right.⟩,\left|+\right.⟩,\left|-\right.⟩,\left|-\right.⟩,\left|+\right.⟩,\left|0\right.⟩,\left|+\right.⟩,\left|1\right.⟩,\left|-\right.⟩,\left|-\right.⟩,\hfill \\ & \left|+\right.⟩,\left|0\right.⟩,\left|+\right.⟩,\left|1\right.⟩,\left|-\right.⟩,\left|0\right.⟩,\left|+\right.⟩,\left|1\right.⟩,\left|-\right.⟩,\left|-\right.⟩\}\hfill \\ \hfill {\mathit{Seq}}_3^{″}& =\{\left|-\right.⟩,\left|0\right.⟩,\left|+\right.⟩,\left|+\right.⟩,\left|1\right.⟩,\left|-\right.⟩,\left|0\right.⟩,\left|+\right.⟩,\left|-\right.⟩,\left|1\right.⟩,\hfill \\ & \left|-\right.⟩,\left|0\right.⟩,\left|+\right.⟩,\left|1\right.⟩,\left|-\right.⟩,\left|+\right.⟩,\left|1\right.⟩,\left|-\right.⟩,\left|-\right.⟩,\left|+\right.⟩,\hfill \\ & \left|0\right.⟩,\left|+\right.⟩,\left|1\right.⟩,\left|-\right.⟩,\left|-\right.⟩,\left|+\right.⟩,\left|-\right.⟩,\left|-\right.⟩,\left|+\right.⟩,\left|0\right.⟩\}\hfill \end{array}$$

Step 2: Following the aforementioned rules, we conduct channel security eavesdropping detection by referencing the case study from Simulation Experiment 4.1.

Step 3: According to the established rules, bidders $P_1$, $P_2$ and $P_3$ perform group encoding operations on particles located at the first and second positions of the sequence, simultaneously executing identity encoding utilizing private vectors at positions 3 through 5.

As demonstrated in Simulation Experiment 4.1, the bidder $P_1$ was assigned the identity code “Group 1, Member 2” (with group encoding 00). Given $P_1$’s private vector (0, 1, 0), the identity encoding is implemented on qubits 1–5 through quantum operations: $P_1$ implements ${\sigma }_I$ operations on the first and second particles within their respective rotational particle; the ${\sigma }_Y$ operation is applied to the 4th qubit and ${\sigma }_I$ operations are maintained on qubits 3 and 5. Following the same rules, bidders $P_2$ and $P_3$ subsequently execute their respective unitary operations in accordance with their allocated group codes and private vectors.

Step 4:$P_1$, $P_2$ and $P_3$ convert the decimal bid value of item A into corresponding binary sequences (0, 1, 0, 0), (0, 1, 1, 1) and (0, 1, 0, 1). Concurrently, specific bid particle encoding is implemented at positions 6–9 to comprehensively embed auction information.

Taking bidder $P_1$ as an example, $P_1$ implement unitary operations on the rotational particle. Specifically, the ${\sigma }_Y$ operation is applied at positions 7, 11, 12, and 13, while the ${\sigma }_I$ operation is performed at positions 6, 8, 9, and 10. Then, $P_1$ sends $Se{q}_1^{‴}$ to HTP. Following the same procedure, bidders $P_2$ and $P_3$ perform their corresponding quantum operations and return $Se{q}_2^{‴}$ and $Se{q}_3^{‴}$ to HTP.

Step 5: In accordance with the established rules, HTP constructs a $1\times 5$ identity verification matrix (0, 0, 0, 1, 0), which matches the identity encoding assigned in Simulation Experiment 4.1. Subsequently, HTP conducts the following operations: (1) Using the same measurement basis as the initial state, HTP measures qubits 6–13 of $Se{q}_1^{‴}$, obtaining a $1\times 8$ matrix (0, 1, 0, 0, 0, 1, 1, 1) (Figure 9). The auction prices for items A and B are derived from their respective quantum sequences. When converted to decimal notation, these sequences yield the values 4 for A and 7 for B. The same verification procedure is applied to $Se{q}_2^{‴}$ and $Se{q}_3^{‴}$, revealing bids of (7, 7) and (5, 9) from $P_2$ and $P_3$, respectively, for item A and B.

Figure 9. Recovered bid bits per item and round at HTP and highest-bid update.

(2) HTP announces the highest bid for item A in the first auction round as 7 on the public bulletin board. Item B yields respective bids of 7, 7 and 9 from $P_1$, $P_2$ and $P_3$, with the highest bid of 9 being similarly published. (3) Bidders $P_1$, $P_2$ and $P_3$ each generate hash commitments for their bids on items A and B according to Step 10. For example, for item A with bid 7, bidder $P_1$ samples a random nonce $s_1^A$ and computes which is recorded by HTP.

$${\mathrm{com}}_1^A=\mathrm{SHA}-256(\mathrm{round}\_\mathrm{id}\parallel A\parallel {\mathrm{id}}_1\parallel 7\parallel s_1^A),$$

(3)

Step 6: According to the auction rules, the starting prices for items A and B in the second round are set to 7.7 and 9.9, respectively, calculated as $\mathrm{Starting}{\mathrm{Price}}_{\mathrm{A}-\mathrm{next}}=(1+10\%)\times 7=7.7$. Subsequently, HTP and bidders $P_1$, $P_2$ and $P_3$ repeat Steps 1–5 of the protocol. During Step 5, the bid matrices derived from the quantum sequences returned by the bidders to HTP are all (0, 0, 0, 0), indicating no new highest bids for either item. Next, the highest bidders for items A and B disclose their random numbers and commitment values to HTP and other bidders. Other bidders validate the commitment values, and HTP verifies both the commitment values and identity encodings.

If all verifications pass and no complaints are raised, HTP officially declares the highest bids for items A and B are 7 and 9, respectively. The winning bidders are Group 2 Member 3 for item A and Group 3 Member 5 for item B. The auction concludes upon this announcement.

5. Performance Analysis

We evaluate the proposed SQSAA protocol in terms of security, anonymity, verifiability, non-repudiation, and secrecy capacity.

5.1. External Attacks on Security

To obtain bidders’ secrets, an eavesdropper Eve may attempt intercept–resend, measure–resend, or Trojan-horse attacks.

5.1.1. Intercept-Resend Attack

In Step 1 or Step 7, Eve may intercept the quantum sequence $Se{q}_i$ or $Se{q}_i^{″}$ transmitted from HTP to $P_i$, insert an equivalent number of single particles, and subsequently forward the altered quantum sequence to $P_i$. Through this method, $P_i$ might encode the confidential information (identity codes or bidding information) onto these tampered particles. Eve then intercepts again the quantum sequence $Se{q}_i^{\prime }$ or $Se{q}_i^{‴}$ sent from $P_i$ to HTP and obtains the identity codes or bidding information. It is noteworthy that the intercepted sequences $Se{q}_i$ or $Se{q}_i^{″}$ contain decoy particles, with the probability of Eve’s fake particles matching the decoy particles being ${\displaystyle \frac{1}{4}}$. Without loss of generality, assuming the decoy particles prepared by HTP are in the ∣0⟩ state, the detection probabilities for Eve’s fake particles are presented in Table 4.

Table 4. Measurement results and probabilities of fake particles.

Fake Particles	Measurement Result	Probability
∣+⟩	∣+⟩	0
∣−⟩	∣−⟩	1
∣0⟩	∣+⟩ or ∣−⟩	$1/2$
∣1⟩	∣+⟩ or ∣−⟩	$1/2$

The table shows the measurement outcomes and corresponding probabilities for different types of fake particles.

Therefore, if the decoy particle is in the ∣+⟩ state and HTP measures in the Fourier basis, the probability of detecting Eve is

$$p={\displaystyle \frac{1}{4}}\times 0+{\displaystyle \frac{1}{4}}\times 1+{\displaystyle \frac{1}{4}}\times {\displaystyle \frac{1}{2}}+{\displaystyle \frac{1}{4}}\times {\displaystyle \frac{1}{2}}={\displaystyle \frac{1}{2}}.$$

(4)

Similarly, we can compute that the non-detection probabilities for ∣−⟩, ∣0⟩, and ∣1⟩ are all ${\displaystyle \frac{1}{2}}$.

In summary, the probability that HTP detects Eve’s attack is given by

$$P_1\left(w\right)=1-2^{-w},$$

(5)

where w represents the number of decoy particles (see Figure 10).

Figure 10. Detection probability $P_1\left(w\right)=1-2^{-w}$ versus number of decoy particles w under intercept-resend.

Consequently, Eve’s intercept-resend attack introduces an error rate in the eavesdropping detection phase that exceeds the threshold. Particularly when the number of decoy particles is sufficiently large, the probability of detecting the attack approaches 1, thereby effectively countering this attack.

5.1.2. Measure-Resend Attack

In Step 1 or Step 7, Eve intercepts and measures the quantum sequences $Se{q}_i$ or $Se{q}_i^{″}$ transmitted from HTP to $P_i$. Based on the measurement outcomes, she generates counterfeit quantum sequences $Se{q}_i$ or $Se{q}_i^{″}$ and transmits them to $P_i$. Through this approach, $P_i$ may encode the secret information onto the tampered photons. Eve subsequently intercepts and measures the quantum sequences $Se{q}_i^{\prime }$ or $Se{q}_i^{‴}$ sent from $P_i$ to HTP, thereby obtaining the secret information while simultaneously generating fake quantum sequences $Se{q}_i^{\prime }$ or $Se{q}_i^{‴}$ to forward to HTP.

However, Eve possesses no prior knowledge regarding either the positions or preparation bases of the decoy particles. For each decoy particle, Eve has a statistical probability of 50% to select the correct measurement basis. If Eve chooses the correct measurement basis, she can successfully pass the eavesdropping detection. Conversely, if an incorrect basis is selected, Eve will be detected with a probability of ${\displaystyle \frac{1}{2}}$ statistically. Without loss of generality, assuming the decoy particles prepared by HTP are in the ∣+⟩ state, the detection probabilities for Eve’s modified particles are presented in Table 5.

Table 5. Probabilities of Eve’s measurement choices and corresponding fake particles.

Eve’s Choice	Eve’s Measurement	Fake Particles	Probability
Fourier basis	∣+⟩	∣+⟩	0
Computational basis	∣+⟩	∣+⟩	0
Computational basis	∣−⟩	∣−⟩	1

“Eve’s Choice” refers to the basis selected by Eve for measurement; “Fake Particles” are the particles Eve replaces after measurement.

Similarly, we can compute that the detection probabilities for ∣−⟩, ∣0⟩, and ∣1⟩ are all ${\displaystyle \frac{1}{4}}$. Therefore, if the decoy particle is in the ∣+⟩ state, the probability of detecting Eve is

$$p={\displaystyle \frac{1}{2}}\times 1\times 0+{\displaystyle \frac{1}{2}}\times {\displaystyle \frac{1}{2}}\times 0+{\displaystyle \frac{1}{2}}\times {\displaystyle \frac{1}{2}}\times 1={\displaystyle \frac{1}{4}}.$$

(6)

In summary, the probability that HTP detects Eve’s attack is given by

$$P_2\left(w\right)=1-{\left({\displaystyle \frac{3}{4}}\right)}^w,$$

(7)

where w represents the number of decoy particles (see Figure 11).

Figure 11. Detection probability $P_2\left(w\right)=1-{(3/4)}^w$ versus number of decoy particles w under measure-resend.

In practical implementations, the sequence length N is finite. Asymptotic security bounds do not strictly apply. Statistical fluctuations in the estimated error rate must be considered. Let $n_{decoy}$ be the number of decoy bits. The probability that an attacker’s induced error deviates from the expected value by a margin $\delta$ is bounded by Hoeffding’s inequality. To guarantee a security failure probability ${ϵ}_{sec}$, the threshold $\eta$ must be adjusted (lowered) as the sequence length decreases, ensuring that any malicious intervention is statistically distinguishable from channel noise with high confidence.

5.1.3. Trojan Horse Attack

Since the proposed protocol employs symmetric channels, it is vulnerable to Trojan horse attacks. A potential attacker, Eve, could exploit such attacks to intercept the private information of $P_i$. There are two primary types of Trojan horse attacks: delayed-photon attacks and invisible-photon attacks. To counter these attacks, each bidder $P_i$ needs to be equipped with both a wavelength quantum filter and a photon-number discriminator. The wavelength filter provides protection against invisible-photon attacks, while the photon-number splitter offers defense against delayed-photon attacks. These two devices have been demonstrated to exhibit strong resistance against Trojan horse attacks. Consequently, our protocol can effectively thwart Trojan horse attacks through the implementation of these devices.

5.2. Internal Attacks on Security

We focus on investigating an extreme case where $n-1$ dishonest users collaborate to attack the remaining single honest user. Without loss of generality, assume $P_1$ is the honest bidder while $P_2,P_3,\dots ,P_n$ are dishonest bidders conspiring to attack $P_1$, with the objective of obtaining $P_1$’s secret information.

In the SQSAA protocol, since each $P_i$ and HTP communicate through star-shaped symmetric channels, the dishonest bidders would attempt to intercept particles transmitted between HTP and $P_1$ to acquire secret information. In this scenario, the dishonest bidders will be detected as external attackers. According to the protocol specifications, each bidder shares a private key with HTP, and the private key determines the positions of both decoy particles and rotation particles. Since dishonest bidders possess neither the private key shared between HTP and $P_1$ nor the information about quantum states prepared by HTP, any attack strategy they employ will inevitably cause quantum state disturbance and transmission errors and ultimately lead to an error rate exceeding the predetermined threshold. That is to say, our protocol can resist attacks from dishonest users.

5.3. Secrecy Capacity Analysis

Generally speaking, any secure communication protocol can be analyzed using the wiretap channel model, wherein the SQSAA protocol the quantum channel serving as the main channel transmits secret information while Eve’s eavesdropping is modeled as the wiretap channel, whose specific model is illustrated in Figure 12.

Figure 12. Wiretap channel model for secrecy capacity analysis in SQSAA.

The secrecy capacity, serving as a fundamental metric for evaluating protocol security in quantum communications, represents the maximum secure information transmission rate between legitimate communicating parties (HTP and $P_i$) in the presence of eavesdropper Eve, which constitutes a critical parameter in SQSAA protocol analysis [35] and is expressed as $C_S$ according to Wyner’s wiretap channel theory.

$$C_s=\underset{p}{max}\left\{I(P_i:\mathrm{HTP})-I(P_i:E)\right\}$$

(8)

where I(X:Y) characterizes the mutual information between random variables X and Y. Since the particles prepared by HTP have equal probabilities of being in $\left|0\right.⟩,\left|1\right.⟩,\left|+\right.⟩,\left|-\right.⟩$ states, the system exhibits a completely mixed state $\rho ={\displaystyle \frac{1}{2}}\left(\left|0\right.⟩\left.⟨0\right|+\left|1\right.⟩\left.⟨1\right|\right)$. Under collective attack scenarios, Eve may perform joint operations on both the transmitted qubits and the ancillary qubits she prepares.

$${\rho }^{\left(HE\right)}=U(\rho \otimes \left|ϵ\right.⟩\left.⟨ϵ\right|)U^{†}$$

(9)

where $\left|ϵ\right.⟩$ denotes the state of Eve’s prepared ancillary qubit, and U is a unitary operator acting on the joint space of the qubit and ancillary qubit. Eve transmits the qubit to bidder $P_i$ while retaining her ancillary qubit until $P_i$ forwards the qubit to HTP. Upon reception, $P_i$ applies the ${\sigma }_Y$ operator with probability p or the ${\sigma }_I$ operator with probability (1 − p) based on secret information, evolving the qubit state to

$$\begin{array}{cc}\hfill {\rho }^{\mathrm{PHE}}& =p·{\rho }_0^{HE}+(1-p)·{\rho }_1^{HE}\hfill \end{array}$$

(10)

where ${\rho }_0^{HE}={\sigma }_y{\rho }^{HE}{\sigma }_y^{†}$ and ${\rho }_1^{HE}={\sigma }_I{\rho }^{HE}{\sigma }_I^{†}$. To obtain the secret information, Eve performs coherent measurements on an arbitrary number of qubits and ancillary qubits to distinguish between the quantum states ${\rho }_0^{HE}$ and ${\rho }_1^{HE}$ encoded by bidder $P_i$, where based on the Holevo bound (whose distinguishing capability is bounded by the Holevo information quantity) we obtain

$$\begin{array}{cc}\hfill I(P_i:E)& \le max\left\{S\left({\rho }^{PHE}\right)-p·S\left({\rho }_0^{BE}\right)-(1-p)·S\left({\rho }_1^{BE}\right)\right\}\hfill \end{array}$$

(11)

where S($\rho$) denotes the von Neumann entropy. The von Neumann entropy of the original quantum state $\rho ={\displaystyle \frac{1}{2}}\left(\left|0\right.⟩\left.⟨0\right|+\left|1\right.⟩\left.⟨1\right|\right)$ is $S\left(\rho \right)=-\left({\sum }_{i=1}^2{\displaystyle \frac{1}{2}}{log}_2\left({\displaystyle \frac{1}{2}}\right)\right)=1$. Therefore, the maximum mutual information between bidder $P_i$ and eavesdropper Eve is

$$\dot{I}(P_i:E)\le max\left\{S\left({\rho }^{ABE}\right)\right\}-1\le h\left(\xi \right),$$

(12)

where $h\left(\xi \right)$ is the binary Shannon entropy of $\xi$.

$$\begin{array}{cc}\hfill \xi & ={\displaystyle \frac{1}{2}}\left(1-\sqrt{{(1-2p)}^2+{[1-2({ϵ}_X+{ϵ}_Z)]}^2[1-{(1-2p)}^2]}\right)\hfill \end{array}$$

(13)

where ${ϵ}_X$ and ${ϵ}_Z$ are the detection bit error rate (DBER) in the X-basis and the Z-basis, respectively. Taking into account channel losses, when denoting the maximum accessible qubit rate for Eve as $Q^{Eve}$, the maximum mutual information between bidder $P_i$ and Eve consequently becomes

$$I(P_i:E)\le Q^{\mathrm{Eve}}·h\left(\xi \right)$$

(14)

Similarly, we denote the reception rate at HTP as $Q^{HTP}$ and calculate the mutual information between the bidder $P_i$ and HTP.

$$I(P_i:HTP)=Q^{\mathrm{HTP}}·\left[h\right(p+ϵ-2pϵ)-h(ϵ\left)\right]$$

(15)

Thus, the secrecy capacity $C_S$ becomes

$$\begin{array}{cc}\hfill C_S& =max\left\{I(P_i:\mathrm{HTP})-I(P_i:E)\right\}\hfill \\ \hfill & =max\left\{Q^{\mathrm{HTP}}\left[h(p+ϵ-2pϵ)-h\left(ϵ\right)\right]-Q^{\mathrm{Eve}}h\left(\xi \right)\right\}\hfill \\ \hfill & =Q^{\mathrm{HTP}}·max\left[h(p+ϵ-2pϵ)-h\left(ϵ\right)-g·h\left(\xi \right)\right]\hfill \\ \hfill & \ge Q^{\mathrm{HTP}}·\left[1-h\left(ϵ\right)-g·h\left({ϵ}_X+{ϵ}_Z\right)\right]\hfill \end{array}$$

(16)

where g represents the discrepancy rate between $Q^{Eve}$ and $Q^{HTP}$, which depends on both channel loss and detector efficiency, reaching its maximum value at $p={\displaystyle \frac{1}{2}}$.

5.4. Anonymity Analysis

According to the protocol, HTP transmits the quantum sequence $Se{q}_i$ to each bidder $P_i$ respectively, where the first particle of sequence $Se{q}_j$ received by the j-th bidder $P_j$ serves as the grouping particle. Since this particle is randomly prepared by HTP from $\{\left|0\right.⟩,\left|1\right.⟩,\left|+\right.⟩,\left|-\right.⟩\}$ and the measurements of grouping particles among different bidders are mutually independent. Therefore, the mutual information between them can be quantitatively calculated as

$$\begin{array}{cc}\hfill I(P_j:P_l)& =S\left(P_j\right)+S\left(P_l\right)-S(P_j,P_l)\hfill \\ \hfill & =S\left(P_j\right)+S\left(P_l\right)-S\left(P_j\right)-S\left(P_l\right)\hfill \\ \hfill & =0.\hfill \end{array}$$

(17)

where $P_l$ denotes any dishonest bidder. Any collusion attempt by dishonest bidders to obtain $P_j$’s identity encoding is bound to fail. Attackers can neither access other bidders’ measurement results nor determine honest bidders’ group affiliation through the first particle, thus failing to reconstruct complete identity encoding. Furthermore, the decoy states introduced by HTP in $Se{q}_i$ ensure that any external eavesdropping will be detected due to induced errors during eavesdropping detection. Consequently, except for the trusted HTP, no bidder can obtain others’ identity information, guaranteeing the protocol’s anonymity.

The protocol guarantees that bidders cannot ascertain the identities or bids of other participants. However, it is important to note the Trusted HTP Assumption: The HTP knows the mapping between identity codes and real identities. Thus, the protocol provides anonymity against peers and outsiders, but not against the HTP.

5.5. Verifiability and Non-Repudiation Analysis

In Step 10 of the protocol, each bidder computes and submits the hash value of their bid to HTP, establishing a binding commitment since the original bid cannot be deduced without the random nonce. The protocol’s security guarantees non-repudiation, as any bid modification would require finding a new nonce matching the original hash value—a computationally infeasible task even for quantum computers due to the collision-resistant hash function.

Distinction from Channel Disruption: It is crucial to distinguish between *channel disruption* and *repudiation*. High QBER (Step 3) indicates an active attack or denial-of-service, leading to a protocol abort. In contrast, Non-Repudiation (Step 13) prevents a legitimate bidder—who has successfully transmitted a valid bid without triggering high QBER—from later denying their submission.

The verification phase (Step 13) requires the highest bidder to reveal their nonce and hash value for public verification, where successful verification leads to HTP disclosing the winner’s identity number and bid amount, while failed verification triggers a complaint mechanism that either initiates a new auction round for validated complaints or maintains the current highest bid for rejected complaints. This commitment verification framework satisfies the protocol’s verifiability requirement while maintaining quantum-resistant security throughout the auction process.

6. Conclusions

We presented a multi-party semi-quantum simultaneous ascending auction protocol based on single-particle states. HTP generates, distributes, and verifies quantum states; bidders determine groups via measurements and encode private identity vectors, obtaining identity codes after HTP authentication. During bidding, HTP dynamically updates sequences, and bidders submit prices for multiple items using only simple unitary operations. HTP announces current highest bids in real time and iteratively regenerates sequences until no higher bids appear, thereby realizing simultaneous multi-item ascending auctions.

The protocol serves as a quantum-secured signaling layer, providing information-theoretic security for bid transmission and identity verification over a classical auction mechanism. The protocol offers several practical advantages over prior art. First, it accommodates heterogeneous participants by requiring only semi-quantum capabilities on the bidder side (Z/X measurements, reflections, and elementary single-qubit operations), and it relies solely on single-particle resources, substantially lowering implementation cost. Second, it scales naturally to multi-item settings: identity is encoded in the first $(2+n)$ particles, while each item uses $\lceil {log}_2{d}_w\rceil$ particles for prices, enabling parallel, round-by-round price discovery. Third, the use of per-round hash commitments provides a simple, auditable path for public verification, supporting non-repudiation and complaint resolution without revealing secret randomness until the end.

From a deployment perspective, the protocol parameters are straightforward to tune. The decoy rate and QBER threshold $\eta$ control eavesdropping detectability and robustness; the per-item bit width $\lceil {log}_2{d}_w\rceil$ balances price granularity and sequence length; and the basic operation set (I, H, ${\sigma }_Y$, Z/X measurements) matches today’s photonic toolchains. Computational and storage complexity at bidders is minimal, and HTP’s classical processing (matrix checks and bit-to-decimal conversion) scales linearly in the number of bidders and items per round.

Finally, we must emphasize that theoretical validity does not automatically translate to immediate real-world applicability. Bridging the gap between our theoretical model and a fully operational real-world deployment remains a significant future challenge. This requires rigorous validation under realistic physical conditions, deep integration with existing technological infrastructures, and further study on practical device imperfections.

There remain limitations and opportunities for future work. The current model assumes a trusted HTP; relaxing this with distributed trust (e.g., threshold HTP, verifiable computation, or lightweight MPC among multiple centers) is an important direction. A finite-size and composable security analysis under realistic device imperfections and channel loss would strengthen the guarantees. On the systems side, building a prototype with time-bin or polarization-encoded photonics, integrating authenticated classical channels, and benchmarking end-to-end latency would support practical adoption. Finally, extending to richer auction formats (e.g., combinatorial or budget-constrained bidding), adaptive increment rules, and privacy-enhanced analytics while preserving semi-quantum feasibility are promising avenues.