Multiparty Quantum Private Comparison Using Rotation Operations

Abstract

This paper presents a multiparty quantum private comparison (MQPC) protocol that facilitates multiple users to compare the equality of their private inputs while preserving the confidentiality of each input through the principles of quantum mechanics. In our approach, users initially convert their secret integers into binary representations, which are then encoded into single photons that act as carriers of the information. These encoded single-photon states undergo encryption via rotational operations, effectively obscuring the original inputs before transmission to a semi-honest third party (TP). The TP decrypts the quantum states and conducts Z-basis measurements to derive the comparison results. To enhance security, the protocol incorporates decoy photons, enabling participants to detect potential eavesdropping on the quantum channel. Importantly, even if the TP or other participants attempt to glean insights into each other’s inputs, the encryption via rotational operations ensures that private information remains inaccessible. This protocol demonstrates significant advancements in practicality compared to existing MQPC frameworks that rely on complex quantum technologies, such as entanglement swapping and multi-particle entanglement. By leveraging the simplicity of single photons, rotation operations, and Z-basis measurements, our protocol is more accessible for implementation.

1. Introduction

The BB84 protocol [1], introduced by Bennett and Brassard in 1984, represents a pivotal advancement in quantum cryptography, showcasing the feasibility of unconditional security through the principles of quantum mechanics, notably the behavior of quantum states and the no-cloning theorem. Building on the success of BB84, a diverse array of quantum cryptographic protocols have emerged, including quantum key distribution (QKD) [2,3,4,5,6], quantum key agreement (QKA) [7,8], quantum secure direct communication (QSDC) [9,10,11], and quantum private set intersection [12,13,14]. These protocols are designed to fulfill traditional cryptographic objectives while ensuring resilience against quantum attacks.

Private comparison plays a crucial role in secure multiparty computation and was originally motivated by the millionaires’ problem [15], where two millionaires aim to ascertain who possesses greater wealth without disclosing their actual financial amounts. A notable variation proposed by Boudot et al. [16] centers on determining whether two millionaires possess identical wealth. In two-party computation scenarios, Lo [17] emphasized the challenges of constructing a secure equality function independently. To navigate these challenges, a semi-honest third party (TP) is employed to assist in the private comparison while preserving the privacy of the participants.

Historically, the security of private comparison protocols has relied on the computational complexity of specific mathematical problems, such as factoring large integers or solving discrete logarithms. These protocols utilize traditional cryptographic principles to ensure confidentiality and integrity. However, the rise in quantum computing presents significant threats to classical cryptographic systems. Quantum algorithms, notably the Shor algorithm [18], can efficiently solve problems previously deemed intractable, thereby undermining the security foundations of many classical protocols. In response to these vulnerabilities, researchers have begun developing innovative private comparison protocols that leverage quantum principles. These protocols aim to enhance security by utilizing the unique properties of quantum mechanics, such as superposition and entanglement, providing stronger guarantees against potential quantum attacks.

The primary goal of quantum private comparison (QPC) is to enable two parties to compare their confidential secrets while preserving the privacy of each participant. This is achieved by combining classical private comparison techniques with the unique properties of quantum mechanics. By leveraging quantum principles, QPC protocols enhance security and facilitate new methods for secure communication and data comparison. The foundational QPC protocol, developed by Yang and Wen in 2009 [19], employs Bell states to encode the confidential secrets of the participants. Additionally, the use of decoy states allows for the detection of any eavesdropping attempts, thereby maintaining the confidentiality of the participants’ secrets. Following this pioneering work, a variety of quantum states have been explored for use in designing QPC protocols, including single-particle states [20,21,22,23,24,25], Bell states [26,27,28,29,30,31,32,33], multi-qubit entangled states [34,35,36,37,38,39,40,41,42,43], multi-qubit cluster states [44,45,46,47,48,49,50], and d-level quantum states [51,52,53,54]. Despite these advancements, most of the existing QPC protocols are primarily designed for comparing the private data of just two participants. This limitation poses challenges when scaling the protocol to multiple participants. When n participants wish to engage in a private comparison, the two-party QPC protocol needs to be executed multiple times, specifically running the protocol $n-1$ to ${\displaystyle \frac{n\left(n-1\right)}{2}}$ times in a repeated manner. This repeated execution can lead to significant inefficiencies and increased communication overhead. Therefore, there is a pressing need for the development of more efficient multiparty QPC protocols that can handle comparisons among n participants simultaneously, without the exponential increase in protocol executions.

A new branch multiparty quantum private comparison (MQPC) has emerged, aiming at reducing the number of required executions and improving efficiency. Chang et al. [55] introduced a pioneering MQPC protocol that utilizes n-particle Greenberger–Horne–Zeilinger class states, which allows for the comparison of arbitrary pairs of participants within a single execution. The participants utilize bitwise exclusive-OR (XOR) operations to encrypt their inputs, ensuring that their data remain confidential throughout the comparison process. Building on the pioneering MQPC protocol, Liu et al. [56] introduced a novel approach to multiparty quantum private comparison by performing local unitary operations on d-dimensional basis states, which enables n parties to compare their private inputs without encrypting them into ciphertext. Wang et al. [57] proposed two distinct MQPC protocols that utilize d-level entangled states to facilitate secure comparisons among multiple participants. These protocols are designed to operate in different modes: distributed mode and traveling mode. The first protocol employs d-level n-particle entangled states and quantum Fourier transform (QFT), which allows for comparisons involving multiple participants simultaneously. The second protocol uses d-level two-particle entangled states and quantum phase shifting operation, focusing on pairwise comparisons while leveraging the entanglement properties of the states. In 2017, Ji and Ye [58] introduced a novel MQPC protocol that utilized entanglement swapping of d-level cat states and d-level Bell states. This protocol encodes participant inputs through unitary operations, allowing for secure comparisons among multiple parties. Despite this innovative approach, the realization of d-level cat states and d-level Bell states presents significant experimental challenges. These challenges can hinder the practical implementation of the protocol in real-world scenarios. Considering the difficulties associated with implementing the Ji and Ye protocol, Ye and Hu [59] proposed an alternative MQPC protocol that simplifies the process. Their protocol is based on d-level two-particle Bell entangled states, which are generally easier to realize experimentally compared to d-level cat states. While the existing MQPC protocols [55,56,57,58,59] are theoretically sound, they often rely on advanced technologies that are not yet fully realized in practice. Developing a practical MQPC protocol is critical for advancing the field of quantum cryptography. A protocol that can be reliably implemented using existing technologies would greatly enhance the applicability of quantum private comparison in real-world scenarios.

To address this challenge, we propose a multiparty quantum private comparison (MQPC) that employs rotation operations to protect the privacy of the inputs. Users begin by converting their secret integers into binary representations that are encoded into single photons. These single photons serve as carriers of the information, leveraging their quantum properties for secure communication. Once encoded, the single-photon states undergo encryption through rotation operations. This process effectively obscures the original inputs, ensuring that the information remains private during transmission to a semi-honest third party (TP). The TP, while semi-honest, is responsible for decrypting the quantum states received from the users and conducts Z-basis measurements on the quantum states. These measurements allow the TP to derive the comparison results between the users’ secret integers without revealing the actual values of the inputs. The use of rotation operations and decoy photons provides a robust mechanism for protecting the privacy of participants’ inputs, making the protocol resistant against the outsider eavesdropping and participant attacks. By using single photons and straightforward rotation operations, the protocol is designed to be easily implementable with current quantum technologies. Compared to existing MQPC frameworks that rely on complex quantum technologies, such as entanglement swapping and multi-particle entanglement, our protocol demonstrates advancements in practicality due to the simplicity of single photons, rotation operations, and Z-basis measurements.

The remainder of this paper is organized as follows. Section 2 provides an introduction of rotation operations used for encrypting the quantum states. The detailed steps of the proposed MQPC protocol and its analyses, including correctness, security, and fairness, are presented in Section 3 and Section 4, respectively. Section 5 hosts a discussion. Finally, we summarize our work in Section 6.

2. Rotation Operation

The R_y rotation operator is defined as follows:

$$R_y\left(\theta \right)=e^{-i{\displaystyle \frac{\theta }{2}}Y}=\cos \left({\displaystyle \frac{\theta }{2}}\right)I-i\sin \left({\displaystyle \frac{\theta }{2}}\right)Y=\left(\begin{array}{cc}\cos {\displaystyle \frac{\theta }{2}}& -\sin {\displaystyle \frac{\theta }{2}}\\ \sin {\displaystyle \frac{\theta }{2}}& \cos {\displaystyle \frac{\theta }{2}}\end{array}\right)$$

(1)

where I and Y represent the identity matrix and Pauli Y matrix, respectively. θ is the rotation angle around the y-axis on the Bloch sphere [60]. The R_y operator can be utilized as an encryption mechanism in quantum communication. By applying R_y(θ) to a quantum state, we convert it into an unknown state, effectively obscuring the original information. The parameter θ serves as the encryption key, allowing for the transformation of the quantum state into a form that is not immediately recognizable.

Let $E_k\left[\left|\psi \right.⟩\right]$ denote the encryption of quantum state $\left|\psi \right.⟩=\left|0\right.⟩$ with the key k. When encrypting $\left|\psi \right.⟩$ with a key k = θ∈[0, 2π), this can be mathematically represented as follows:

$$\left|{\psi }^{\prime }\right.〉=E_{\theta }\left[\left|0\right.〉\right]=R_y\left(\theta \right)\left|0\right.〉=\left(\begin{array}{cc}\cos {\displaystyle \frac{\theta }{2}}& -\sin {\displaystyle \frac{\theta }{2}}\\ \sin {\displaystyle \frac{\theta }{2}}& \cos {\displaystyle \frac{\theta }{2}}\end{array}\right)\left(\begin{array}{c}1\\ 0\end{array}\right)=\left(\begin{array}{c}\cos {\displaystyle \frac{\theta }{2}}\\ \sin {\displaystyle \frac{\theta }{2}}\end{array}\right)=\cos {\displaystyle \frac{\theta }{2}}\left|0\right.〉+\sin {\displaystyle \frac{\theta }{2}}\left|1\right.〉$$

(2)

The decryption process is denoted by $D_k\left[\left|\psi \right.⟩\right]$. To decrypt the state, the same rotation angle k = θ is applied in the opposite direction:

$$\left|\psi \right.〉=D_{\theta }\left[\left|{\psi }^{\prime }\right.〉\right]=R_y\left(-\theta \right)\left|{\psi }^{\prime }\right.〉=\left(\begin{array}{cc}\cos {\displaystyle \frac{\theta }{2}}& \sin {\displaystyle \frac{\theta }{2}}\\ -\sin {\displaystyle \frac{\theta }{2}}& \cos {\displaystyle \frac{\theta }{2}}\end{array}\right)\left(\begin{array}{c}\cos {\displaystyle \frac{\theta }{2}}\\ \sin {\displaystyle \frac{\theta }{2}}\end{array}\right)=\left(\begin{array}{c}\cos {\displaystyle \frac{\theta }{2}}\cos {\displaystyle \frac{\theta }{2}}+\sin {\displaystyle \frac{\theta }{2}}\sin {\displaystyle \frac{\theta }{2}}\\ -\sin {\displaystyle \frac{\theta }{2}}\cos {\displaystyle \frac{\theta }{2}}+\cos {\displaystyle \frac{\theta }{2}}\sin {\displaystyle \frac{\theta }{2}}\end{array}\right)=\left(\begin{array}{c}1\\ 0\end{array}\right)=\left|\psi \right.〉$$

(3)

By applying R_y(−θ) to the encrypted state, we can retrieve the original quantum state.

The R_y rotation operator is utilized as an encryption tool in quantum communication, transforming quantum states into unknown forms using the angle θ as the encryption key. Recovery of the original state is achieved through the application of the inverse operator R_y(−θ), ensuring that the quantum information remains confidential. Without knowledge of the key θ, an eavesdropper cannot easily deduce the original quantum state.

3. The Proposed MQPC Protocol

3.1. The Protocol Description

Suppose that n participants $P_i\left(i=\mathrm{1,2},\cdots ,n\right)$ desire to determine whether their private inputs $M_i$ are equal or not with the semi-honest third party (e.g., a quantum server with quantum abilities) while ensuring the privacy of their inputs. The semi-honest third party (TP) is one that follows protocol rules honestly while attempting to extract information from other parties’ private data. While it cannot collude with dishonest parties [57,58], its behavior necessitates careful protocol design to ensure that the privacy of all participants is maintained. The binary representations $M_i$ in $F_2^L$ are written as $M_i=\left(m_{i,L-1},m_{i,L-2},\cdots ,m_{i,0}\right)$. If the length of $M_i$ is less than L, pad with zeros in the higher-order bits. We assume that the following protocol operates under noise-free and lossless conditions and that the classical channel used for communication between the parties is authenticated.

Our protocol will satisfy the following requirements:

(1)

Correctness. If each participant provides their respective inputs and performs the protocol faithfully, the comparison results announced by the third party are correct.

(2)

Privacy. The participant’s inputs remain confidential as long as the TP cannot collude with any participant, even in the presence of outsider eavesdropping or attacks from other participants aiming to learn about their inputs.

(3)

Fairness. All the parties are perfect peer entities, and they can receive the comparison result simultaneously, ensuring that no participant has an advantage over the other.

The proposed protocol is as follows:

Step 1. The n participants run a multiparty quantum key agreement (MQKA) protocol [61] to share a secret non-zero binary key $K=\left(k_{L-1},k_{L-2},\cdots ,k_0\right)$, where $k_j\in \left\{\mathrm{0,1}\right\}$ for $j=\mathrm{0,1},\cdots ,L-1$.

Step 2. $P_i$ performs the XOR operation with their binary inputs $M_i$ and the secret non-zero binary key K, represented as $m_{i,j}\oplus k_j$. Based on the result of the XOR operation, $P_i$ prepares their respective single-photon sequence. If $m_{i,j}\oplus k_j=0,$ $P_i$ prepares the single-photon state $\left|0\right.⟩$; otherwise, state $\left|1\right.⟩$ is prepared. The collection of all single-photon states prepared by $P_i$ is denoted as $S_i$.

Step 3. $P_i$ prepares the secret key ${\Theta }_i=\left({\theta }_{i,L-1},{\theta }_{i,L-2},\cdots ,{\theta }_{i,0}\right)$, where ${\theta }_{i,j}\in \left.[\mathrm{0,2}\pi \right)$ for $j=\mathrm{0,1},\cdots ,L-1$, and encrypts each state in $S_i$ by applying the R_y rotation operator using the key ${\Theta }_i$. The resulting encrypted sequence is denoted as $E_i$.

Step 4. To detect potential eavesdropping, $P_i$ performs the following operations:

(1)

$P_i$ prepares $\delta$ decoy photons randomly selected from the set of four nonorthogonal states $\left\{\left|0\right.⟩,\left|1\right.⟩,\left|+\right.⟩,\left|-\right.⟩\right\}$, aiming at detecting potential eavesdropping.

(2)

$P_i$ inserts the prepared decoy photons into their encrypted quantum sequence $E_i$ at random positions. This results in a new sequence denoted as $E_i^{\prime }$.

(3)

$P_i$ keeps a record of the states and the exact positions of the decoy photons within the sequence $E_i^{\prime }$.

(4)

$P_i$ sends $E_i^{\prime }$ to the TP via a quantum channel.

Step 5. After $P_i$ confirms that the TP has received the sequence $E_i^{\prime }$, they proceed to the next steps.

(1)

$P_i$ discloses the positions of the $\delta$ decoy photons in the sequence $E_i^{\prime }$ via the authenticated classical channel.

(2)

$P_i$ publishes the measurement basis used for each decoy photon. Z-basis is used for measuring states $\left|0\right.⟩$ or $\left|1\right.⟩$ and X-basis is used for measuring states $\left|+\right.⟩$ or $\left|-\right.⟩$.

(3)

The TP performs Z-basis or X-basis measurements on these decoy photons in sequence $E_i^{\prime }$ according to the published bases.

(4)

The TP collects the measurement results and sends this information back to $P_i$ via the authenticated classical channel.

(5)

$P_i$ calculates the error rate based on the measurement results received from the TP. The error rate is calculated as the ratio of the number of incorrect measurements to the total number of measurements.

(6)

If the calculated error rate exceeds a pre-agreed threshold, the protocol is restarted from Step 5. Otherwise, $P_i$ announces her/his secret key ${\Theta }_i$ to the TP via authenticated classical channel.

Step 6. TP recovers the sequence $E_i$ by discarding all decoy photons from the sequence $E_i^{\prime }$ and decrypts $E_i$ using the secret key ${\Theta }_i$. The TP recovers the original quantum sequence $S_i$ by applying the inverse operation. This involves performing the R_y (−${\Theta }_i$) operator on the encrypted quantum sequence $E_i$. The TP measures all states in $S_i$ using the Z-basis and checks if all the measurement results from $E_i$ are identical. If all the measurement results of $S_i$ are identical, then $X=Y$; otherwise, $X\ne Y$. Finally, the TP announces the comparison results to the n participants.

3.2. A Toy Example

Let $P_1$, $P_2$, and $P_3$ be three participants with private inputs $M_1=9$, $M_2=10$, and $M_3=11$. The binary representations $M_i(i=1,2,3)$ in $F_2^L$ are as follows:

• $M_1=\left(1001\right)$;
• $M_2=\left(1010\right)$;
• $M_3=\left(1011\right)$.

Step 1: The three participants share a non-zero binary key $K=\left(0101\right)$ via an MQKA protocol.

Step 2: The sequences $S_i(i=1,2,3)$ are prepared based on the XOR operation of $M_i$ and K:

• $S_1=\left\{\left|1\right.⟩,\left|1\right.⟩,\left|0\right.⟩,\left|0\right.⟩\right\}$;
• $S_2=\left\{\left|1\right.⟩,\left|1\right.⟩,\left|1\right.⟩,\left|1\right.⟩\right\}$;
• $S_3=\left\{\left|1\right.⟩,\left|1\right.⟩,\left|1\right.⟩,\left|0\right.⟩\right\}$.

Step 3: Each participant $P_i$ $\left(i=1,2,3\right)$ prepares a secret key:

• ${\Theta }_1=\left({\displaystyle \frac{\pi }{3}},{\displaystyle \frac{5\pi }{6}},{\displaystyle \frac{9\pi }{7}},{\displaystyle \frac{5\pi }{8}}\right)$;
• ${\Theta }_2=\left({\displaystyle \frac{\pi }{7}},{\displaystyle \frac{3\pi }{26}},{\displaystyle \frac{9\pi }{5}},{\displaystyle \frac{3\pi }{4}}\right)$;
• ${\Theta }_3=\left({\displaystyle \frac{\pi }{4}},{\displaystyle \frac{3\pi }{2}},{\displaystyle \frac{7\pi }{11}},{\displaystyle \frac{4\pi }{5}}\right)$.

By applying the R_y$\left({\Theta }_i\right)$ on each state in $S_i$, the encrypted sequences $E_i$ are as follows:

• $E_1=\left\{R_y\left({\displaystyle \frac{\pi }{3}}\right)\left|1\right.⟩,R_y\left({\displaystyle \frac{5\pi }{6}}\right)\left|1\right.⟩,R_y\left({\displaystyle \frac{9\pi }{7}}\right)\left|0\right.⟩,R_y\left({\displaystyle \frac{5\pi }{8}}\right)\left|0\right.⟩\right\}$;
• $E_2=\left\{R_y\left({\displaystyle \frac{\pi }{7}}\right)\left|1\right.⟩,R_y\left({\displaystyle \frac{3\pi }{26}}\right)\left|1\right.⟩,R_y\left({\displaystyle \frac{9\pi }{5}}\right)\left|1\right.⟩,R_y\left({\displaystyle \frac{3\pi }{4}}\right)\left|1\right.⟩\right\}$;
• $E_3=\left\{R_y\left({\displaystyle \frac{\pi }{4}}\right)\left|1\right.⟩,R_y\left({\displaystyle \frac{3\pi }{2}}\right)\left|1\right.⟩,R_y\left({\displaystyle \frac{7\pi }{11}}\right)\left|1\right.⟩,R_y\left({\displaystyle \frac{4\pi }{5}}\right)\left|1\right.⟩\right\}$.

Step 4: Each $P_i$ $\left(i=1,2,3\right)$ prepares $\delta$ decoy photons and inserts them into $E_i$ at random positions:

• For $E_1:$ 4th and 5th positions;
• For $E_2:$ 1st and 3rd positions;
• For $E_3:$ 2nd and 4th positions.

The new generated sequence $E_i^{\prime }$ are as follows:

• $E_1=\left\{R_y\left({\displaystyle \frac{\pi }{3}}\right)\left|1\right.⟩,R_y\left({\displaystyle \frac{5\pi }{6}}\right)\left|1\right.⟩,R_y\left({\displaystyle \frac{9\pi }{7}}\right)\left|0\right.⟩,\left|+\right.⟩,\left|0\right.⟩,R_y\left({\displaystyle \frac{5\pi }{8}}\right)\left|0\right.⟩\right\}$;
• $E_2=\left\{{\left|1\right.⟩,R}_y\left({\displaystyle \frac{\pi }{7}}\right)\left|1\right.⟩,\left|-\right.⟩,R_y\left({\displaystyle \frac{3\pi }{26}}\right)\left|1\right.⟩,R_y\left({\displaystyle \frac{9\pi }{5}}\right)\left|1\right.⟩,R_y\left({\displaystyle \frac{3\pi }{4}}\right)\left|1\right.⟩\right\}$;
• $E_3=\left\{R_y\left({\displaystyle \frac{\pi }{4}}\right)\left|1\right.⟩,\left|1\right.⟩,R_y\left({\displaystyle \frac{3\pi }{2}}\right)\left|1\right.⟩,\left|+\right.⟩,R_y\left({\displaystyle \frac{7\pi }{11}}\right)\left|1\right.⟩,R_y\left({\displaystyle \frac{4\pi }{5}}\right)\left|1\right.⟩\right\}$.

Finally, $P_i$ $\left(i=1,2,3\right)$ sends $E_i^{\prime }$ to the TP via a quantum channel.

Step 5: Each $P_i$ discloses the positions and measurement bases of the decoy photons in the sequence $E_i^{\prime }$ via the authenticated classical channel, and the measurement bases for the decoy photons in $E_i^{\prime }$ are as follows:

• For $E_1:$ {X, Z};
• For $E_2:$ {Z, X};
• For $E_{12}:$ {Z, X}.

The TP performs the corresponding measurements on these decoy photons and returns the results to $P_i$. Each $P_i$ calculates the error rate. If the error rate does not exceed a pre-agreed threshold, they announce their secret key ${\Theta }_i$ to the TP via the authenticated classical channel.

Step 6: The TP recovers the sequence $E_i$ by discarding all the decoy photons from $E_i^{\prime }$. By performing the R_y (−${\Theta }_i$) operator on the encrypted quantum sequence $E_i$, the TP can recover the original quantum sequence:

• $S_1=\left\{\left|1\right.⟩,\left|1\right.⟩,\left|0\right.⟩,\left|0\right.⟩\right\}$;
• $S_2=\left\{\left|1\right.⟩,\left|1\right.⟩,\left|1\right.⟩,\left|1\right.⟩\right\}$;
• $S_3=\left\{\left|1\right.⟩,\left|1\right.⟩,\left|1\right.⟩,\left|0\right.⟩\right\}$.

The TP measures all states in $S_i$ using the Z-basis and determines that not all of the measurement results of $S_i$ are identical. Finally, the TP announces the comparison results to the three participants.

4. Analyses

4.1. Correctness

In step 2, the sequence $S_i$ prepared by $P_i$ can be written as

$$S_i=\left|m_{i,L-1}\oplus k_{L-1}\right.〉\otimes \left|m_{i,L-2}\oplus k_{L-2}\right.〉\otimes \cdots \otimes \left|m_{i,0}\oplus k_0\right.〉={\otimes }_{j=0}^{L-1}\left|m_{i,j}\oplus k_j\right.〉$$

(4)

In step 3, when $P_i$ encrypts each single-photon state in $S_i$ by applying the R_y rotation operator using the key ${\Theta }_i$, the resulting encrypted quantum sequence $E_i$ can be given by

$$\begin{array}{l}{E}_i=R\left({\Theta }_i\right)S_j=R\left({\Theta }_i\right){\otimes }_{j=0}^{L-1}\left|m_{i,j}\oplus k_j\right.〉\\ =R\left({\theta }_{i,L-1}\right)\left|m_{i,L-1}\oplus k_{L-1}\right.〉\otimes R\left({\theta }_{i,L-2}\right)\left|m_{i,L-2}\oplus k_{L-2}\right.〉\otimes \cdots \otimes R\left({\theta }_{i,0}\right)\left|m_{i,0}\oplus k_0\right.〉\\ ={\otimes }_{j=0}^{L-1}R\left({\theta }_{i,j}\right)\left|m_{i,j}\oplus k_j\right.〉\end{array}$$

(5)

Step 4 and step 5 are used for detecting eavesdropping.

In step 6, when $P_i$ performs the R_y (−${\Theta }_i$) operator on the encrypted quantum sequence $E_i$ to decrypt the sequence $E_i$ using the secret key ${\Theta }_i$, this process for recovering the original quantum sequence $S_i$ can be given by

$$\begin{array}{l}R\left(-{\Theta }_i\right)E_i=R\left(-{\Theta }_i\right){\otimes }_{j=0}^{L-1}R\left({\theta }_{i,j}\right)\left|m_{i,j}\oplus k_j\right.〉\\ =R\left(-{\theta }_{i,L-1}\right)R\left({\theta }_{i,L-1}\right)\left|m_{i,L-1}\oplus k_{L-1}\right.〉\otimes R\left(-{\theta }_{i,L-2}\right)R\left({\theta }_{i,L-2}\right)\left|m_{i,L-2}\oplus k_{L-2}\right.〉\\ \otimes \cdots \otimes R\left(-{\theta }_{i,0}\right)R\left({\theta }_{i,0}\right)\left|m_{i,0}\oplus k_0\right.〉\\ ={\otimes }_{j=0}^{L-1}\left|m_{i,j}\oplus k_j\right.〉=S_i\end{array}$$

(6)

When measuring $S_i$ using the Z-basis, we can know if all of the measurement results of $S_i$ are identical, then $X=Y$; otherwise, $X\ne Y$.

4.2. Security

The proposed MQPC protocol should satisfy the following security requirements:

(1)

Security against outsider eavesdropping: Any attempt at eavesdropping on the private information of the participants would be detectable, even if the outsider eavesdropper performs quantum-based attacks.

(2)

Security against attacks from the semi-honest trusted party (TP): The private information of the participants will not be leaked, even if the semi-honest TP utilizes the received information to deduce private information.

(3)

Security against attacks from participants: The participants’ inputs remain confidential, even if some participants collude to attempt to steal another participant’s inputs.

4.2.1. Outsider Eavesdropping

In quantum communication, the existence of an external eavesdropper, commonly known as Eve, presents a considerable threat. Eve may utilize a range of quantum-based attacks, such as intercept–resend [62], entangle–measure [63], and Trojan horse attacks [64], in an attempt to access private information. To mitigate these eavesdropping tactics, participants implement the decoy state strategy. This approach involves transmitting additional decoy states alongside the actual quantum states. Thanks to the decoy state technique, Eve’s various quantum attack methods become ineffective. Alice and Bob can accurately identify any eavesdropping efforts through inconsistencies in the statistical characteristics of the decoy states, thereby securing their communication.

Case I: Intercept–resend attack

In this scenario, an external assailant, Eve, attempts an intercept–resend attack on the quantum communication occurring between the transmission of quantum states. Eve intercepts the quantum states during their transmission, storing these intercepted particles for future exploitation. After securing the quantum states, Eve generates her own single particles, which she sends to the receiver instead of the originals. Once the receiver processes the particles sent by Eve, she captures the quantum sequences returned to the sender and measures them to extract confidential information while returning her previously stored particles back to the sender.

Upon receiving the particle sequences, both sides initiate an eavesdropping detection process. The sender reveals the locations and measurement bases of the decoy particles utilized during the process of communication. Since Eve lacks knowledge of the specific states of these particles, there exists a 50% chance that the receiver will obtain an erroneous outcome when measuring the particles sent by Eve. For instance, if the original decoy photon is in state $\left|1\right.⟩$, but Eve prepares a particle in states $\left|+\right.⟩$ or $\left|-\right.⟩$, the measurement conducted by the receiver on Eve’s particle has a 50% likelihood of resulting in an incorrect measurement. Therefore, the likelihood of Eve successfully evading detection is represented by

$$P\left(successfullyevadingdetection\right)={\left({\displaystyle \frac{1}{2}}\right)}^{\delta }$$

(7)

As the parameter δ increases significantly, this probability approaches zero. Consequently, the intercept–resend attack becomes ineffective within this communication framework, thereby safeguarding the participants’ private inputs $M_i$.

Case II: The entangle–measure attack

Eve might also execute an entangle–measure attack by entangling her auxiliary quantum particle $\left|e\right.⟩$ with the intercepted particles. This technique enables her to glean information by measuring her auxiliary particles. When Eve employs a unitary operation U to entangle her particle $\left|e\right.⟩$ with the four potential states $\{\left|0\right.⟩,\left|1\right.⟩,\left|+\right.⟩,\left|-\right.⟩\},$ the resultant states are as follows:

$$U\left|0\right.〉\left|e\right.〉=u_{00}\left|0\right.〉\left|e_{00}\right.〉+u_{01}\left|1\right.〉\left|e_{01}\right.〉$$

(8)

$$U\left|1\right.〉\left|e\right.〉=u_{10}\left|0\right.〉\left|e_{10}\right.〉+u_{11}\left|1\right.〉\left|e_{11}\right.〉$$

(9)

$$\begin{array}{ll}U\left|+\right.〉\left|e\right.〉& ={\displaystyle \frac{1}{2}}\left|+\right.〉\left(u_{00}\left|e_{00}\right.〉+u_{01}\left|e_{01}\right.〉+u_{10}\left|e_{10}\right.〉+u_{11}\left|e_{11}\right.〉\right)\\ & +{\displaystyle \frac{1}{2}}\left|-\right.〉\left(u_{00}\left|e_{00}\right.〉-u_{01}\left|e_{01}\right.〉+u_{10}\left|e_{10}\right.〉-u_{11}\left|e_{11}\right.〉\right)\end{array}$$

(10)

$$\begin{array}{ll}U\left|-\right.〉\left|e\right.〉& ={\displaystyle \frac{1}{2}}\left|+\right.〉\left(u_{00}\left|e_{00}\right.〉+u_{01}\left|e_{01}\right.〉-u_{10}\left|e_{10}\right.〉-u_{11}\left|e_{11}\right.〉\right)\\ & +{\displaystyle \frac{1}{2}}\left|-\right.〉\left(u_{00}\left|e_{00}\right.〉-u_{01}\left|e_{01}\right.〉-u_{10}\left|e_{10}\right.〉+u_{11}\left|e_{11}\right.〉\right)\end{array}$$

(11)

The coefficients must adhere to normalization conditions: ${‖u_{00}‖}^2+{‖u_{01}‖}^2=1$ and ${‖u_{10}‖}^2+{‖u_{11}‖}^2=1$. For Eve’s attack to remain undetected, the following conditions need to be met.

$$u_{01}=u_{10}=0,u_{00}\left|e_{00}\right.〉=u_{11}\left|e_{11}\right.〉$$

(12)

By substituting the results from Equation (12) into Equations (8)–(11), we obtain the following equation:

$$U\left|0\right.〉\left|e\right.〉=u_{00}\left|0\right.〉\left|e_{00}\right.〉$$

(13)

$$U\left|1\right.〉\left|e\right.〉=u_{11}\left|1\right.〉\left|e_{11}\right.〉=u_{00}\left|1\right.〉\left|e_{00}\right.〉$$

(14)

$$U\left|+\right.〉\left|e\right.〉={\displaystyle \frac{1}{2}}\left|+\right.〉\left(u_{00}\left|e_{00}\right.〉+u_{11}\left|e_{11}\right.〉\right)=u_{00}\left|+\right.〉\left|e_{00}\right.〉=u_{11}\left|+\right.〉\left|e_{11}\right.〉$$

(15)

$$U\left|-\right.〉\left|e\right.〉={\displaystyle \frac{1}{2}}\left|-\right.〉\left(u_{00}\left|e_{00}\right.〉+u_{11}\left|e_{11}\right.〉\right)=u_{00}\left|-\right.〉\left|e_{00}\right.〉=u_{11}\left|-\right.〉\left|e_{11}\right.〉$$

(16)

Based on Equations (13)–(16), Eve’s auxiliary particles remain independent of the target particles to prevent introducing errors during eavesdropping detection. By measuring the auxiliary particles, Eve cannot obtain any information about the decoy photons.

We assume that Eve employs a unitary operation U to entangle her particle $\left|e\right.⟩$ with the j-th encrypted quantum state in $E_i$ ($R\left({\theta }_{i,j}\right)\left|0\right.⟩orR\left({\theta }_{i,j}\right)\left|1\right.⟩$), so we can derive the following relationship:

$$\begin{array}{l}U\left(R\left({\theta }_{i,j}\right)\left|0\right.〉\left|e_i\right.〉\right)=U\left(\cos {\displaystyle \frac{{\theta }_{i,j}}{2}}\left|0\right.〉+\sin {\displaystyle \frac{{\theta }_{i,j}}{2}}\left|1\right.〉\right)\left|e\right.〉\\ =\left|0\right.〉\left(u_{00}\cos {\displaystyle \frac{{\theta }_{i,j}}{2}}\left|e_{00}\right.〉+u_{01}\sin {\displaystyle \frac{{\theta }_{i,j}}{2}}\left|e_{10}\right.〉\right)+\left|1\right.〉\left(u_{10}\cos {\displaystyle \frac{{\theta }_{i,j}}{2}}\left|e_{01}\right.〉+u_{11}\sin {\displaystyle \frac{{\theta }_{i,j}}{2}}\left|e_{11}\right.〉\right)\\ orU\left(R\left({\theta }_{i,j}\right)\left|1\right.〉\left|e_i\right.〉\right)=U\left(-\sin {\displaystyle \frac{{\theta }_{i,j}}{2}}\left|0\right.〉+\cos {\displaystyle \frac{{\theta }_{i,j}}{2}}\left|1\right.〉\right)\left|e\right.〉\\ =\left|0\right.〉\left(-u_{00}\sin {\displaystyle \frac{{\theta }_{i,j}}{2}}\left|e_{00}\right.〉+u_{01}\cos {\displaystyle \frac{{\theta }_{i,j}}{2}}\left|e_{10}\right.〉\right)+\left|1\right.〉\left(-u_{10}\sin {\displaystyle \frac{{\theta }_{i,j}}{2}}\left|e_{01}\right.〉+u_{11}\cos {\displaystyle \frac{{\theta }_{i,j}}{2}}\left|e_{11}\right.〉\right)\end{array}$$

(17)

By substituting the results from Equation (12) into Equation (17), we deduce that

$$\begin{array}{l}U\left(R\left({\theta }_{i,j}\right)\left|0\right.〉\left|e_i\right.〉\right)=U^{*}\left(\cos {\displaystyle \frac{{\theta }_{i,j}}{2}}\left|0\right.〉+\sin {\displaystyle \frac{{\theta }_{i,j}}{2}}\left|1\right.〉\right)\left|e\right.〉=u_{00}\cos {\displaystyle \frac{{\theta }_{i,j}}{2}}\left|0\right.〉\left|e_{00}\right.〉+u_{11}\sin {\displaystyle \frac{{\theta }_{i,j}}{2}}\left|1\right.〉\left|e_{11}\right.〉\\ orU\left(R\left({\theta }_{i,j}\right)\left|1\right.〉\left|e_i\right.〉\right)=U^{*}\left(-\sin {\displaystyle \frac{{\theta }_{i,j}}{2}}\left|0\right.〉+\cos {\displaystyle \frac{{\theta }_{i,j}}{2}}\left|1\right.〉\right)\left|e\right.〉=-u_{00}\sin {\displaystyle \frac{{\theta }_{i,j}}{2}}\left|0\right.〉\left|e_{00}\right.〉+u_{11}\cos {\displaystyle \frac{{\theta }_{i,j}}{2}}\left|1\right.〉\left|e_{11}\right.〉\end{array}$$

(18)

The measurement results of Equation (17) are related with the secret key ${\Theta }_i$ that is disclosed to Eve, resulting in the fact that Eve cannot obtain the private inputs $M_i$.

Case III: The man-in-the-middle attack

Eve might also execute a man-in-the-middle attack by intercepting the sequence $E_i^{\prime }$ transmitted from $P_i$ to the TP and preparing a fake sequence $S{E}_i^{\prime }$ instead of $E_i^{\prime }$. $S{E}_i^{\prime }$ is sent to the TP. To evade the eavesdropping detection, Eve can prepare guessed decoy photons in specific states. Let $D_i$ represent the i-th decoy photon in $E_i^{\prime }$, which may correspond to the j-th qubit in $E_i^{\prime }$. Let $D_i^{\prime }$ denote the j-th qubit of $S{E}_i^{\prime }$. The decoy photons $D_i$ and $D_i^{\prime }$ are prepared in $B=\left\{\left|0\right.⟩,\left|1\right.⟩\right\}$ and $B^{\prime }=\left\{\left|+\right.⟩,\left|-\right.⟩\right\}$, respectively. When $P_i$ publishes the measurement basis of $D_i$, Eve measures $D_i$ using basis B and obtains the results $D_i^{″}$. The probability that $D_i^{″}=D_i$ is as follows.

(1)

If $B^{\prime }=B$ and ${D^{\prime }}_i=D_i$, then the probability that ${D^{″}}_i={D^{\prime }}_i$ is 1.

(2)

If $B^{\prime }=B$ and ${D^{\prime }}_i\ne D_i$, then the probability that ${D^{″}}_i=D_i$ is 0.

(3)

If $B^{\prime }\ne B$ and ${D^{\prime }}_i=D_i$, then the probability that ${D^{″}}_i=D_i$ is 1/2.

The probability of detecting the man-in-the-middle attack for a decoy photon is

$$\begin{array}{ll}P\left(D_i^{″}=D_i\right)& =P\left(D_i^{″}=D_i|B^{\prime }=B\right)P\left(B^{\prime }=B\right)+P\left(D_i^{″}=D_i|B^{\prime }\ne B\right)P\left(B^{\prime }\ne B\right)\\ & ={\displaystyle \frac{1}{2}}\left(P\left(D_i^{″}=D_i|B^{\prime }=B\right)+P\left(\left(D_i^{″}=D_i|B^{\prime }\ne B\right)\right)\right)\\ & ={\displaystyle \frac{1}{2}}\left(\begin{array}{l}P\left(D_i^{″}=D_i|B^{\prime }=B,D_i^{\prime }=D_i\right)P\left(D_i^{\prime }=D_i\right)+\\ P\left(D_i^{″}=D_i|B^{\prime }=B,D_i^{\prime }\ne D_i\right)P\left(D_i^{\prime }\ne D_i\right)+{\displaystyle \frac{1}{2}}\end{array}\right)\\ & ={\displaystyle \frac{1}{2}}\left(1\times {\displaystyle \frac{1}{2}}+0\times {\displaystyle \frac{1}{2}}+{\displaystyle \frac{1}{2}}\right)={\displaystyle \frac{1}{2}}\end{array}$$

(19)

Since the δ decoy photons are included in $E_i^{\prime }$, the man-in-the-middle attack will be detected with a probability of $1-{\left({\displaystyle \frac{1}{2}}\right)}^{\delta }$. When δ is sufficiently large, this probability approached 1, making it impossible for the man-in-the-middle attack to succeed.

Case IV The Trojan horse attacks

Trojan horse attacks [64] are primarily categorized into two types: the invisible photon eavesdropping attack, where an eavesdropper uses undetectable photons to gather information about the transmitted quantum states, and the delay photon attack, in which an eavesdropper delays photons to manipulate communication between the parties. These attacks pose significant threats in quantum communication, particularly in bidirectional channels. However, the proposed protocol functions as a unidirectional cryptographic protocol, which inherently resists both types of Trojan horse attacks.

To conclude, any attempt at eavesdropping on the private information of the participants would be detectable, even if the outsider eavesdropper performs quantum-based attacks.

4.2.2. Participant Attacks

In this section, we will demonstrate that the proposed MQPC protocol is secure against attacks from the TP or the participants.

Case I: Security against attacks from the semi-honest party (TP)

In our protocol, the semi-honest third party (TP) adheres to the protocol rules while attempting to extract information from the private data of other parties. Although it cannot collude with dishonest parties, its actions require careful protocol design to ensure that the privacy of all participants is maintained. While the TP can apply the R_y (−${\Theta }_i$) operator on the encrypted quantum sequence $E_i$ to decrypt it using the secret key ${\Theta }_i$, aiming to recover the original quantum sequence $S_i$ related to the binary inputs $M_i$ and the secret non-zero binary key K, it cannot access the binary inputs $M_i$ without knowing the shared key K between the participants. The secret non-zero binary key K, shared among n participants through a multiparty quantum key agreement (MQKA) protocol, remains undisclosed to the TP.

To conclude, the private information of the participants will not be leaked, even if the semi-honest TP utilizes the received information to deduce private information.

Case II: Security against attacks from participants

In our protocol, each participant sends $E_i^{\prime }$, which contains the encrypted quantum states and decoy photons, to the semi-honest third party (TP) via a quantum channel. If the quantum channel is secure, participant $P_i$ announces their secret key ${\Theta }_i$ to the TP. Each participant can act as Eve to eavesdrop on the private information of others using quantum-based attacks. However, eavesdropping detection calculated by the ratio of incorrect measurements to the total number of measurements prevents participants from stealing the private inputs $M_i$. Additionally, the secret key ${\Theta }_i$ will only be announced if the eavesdropping detection is successful.

Even if the participants know the secret non-zero binary key K and attempt to intercept $E_i^{\prime }$ sent to the TP, they cannot pass the eavesdropping detection; the protocol will restart if any eavesdropping is detected. Furthermore, even if some participants collude, they cannot access another participant’s inputs because they do not know the position and measurement bases of the decoy photons or the secret key ${\Theta }_i$.

In conclusion, the participants’ inputs remain confidential, even if some participants collude to attempt to steal another participant’s inputs.

4.3. Fairness

Fairness is a fundamental aspect of secure computation protocols, ensuring that all participants have equal access to the results of the comparison process. In the proposed QPC protocol, the role of the third party (TP) is crucial in maintaining this fairness. By publishing the comparison results simultaneously, the TP prevents any participant from gaining an undue advantage over others. This simultaneous access eliminates the opportunity for one participant to act on the results before the others, thereby fostering an equitable environment. Consequently, the proposed protocol effectively addresses the critical issue of fairness through the strategic role of the trusted party, ensuring that all participants are treated equally throughout the comparison process.

5. Discussion

The calculation of qubit efficiency [58] in the proposed QPC protocol focuses solely on the resources directly utilized for the comparison of private data, which can be defined as follows:

$${\eta }_e={\displaystyle \frac{{\eta }_c}{{\eta }_t}}$$

(20)

where ${\eta }_c$ denotes the length of binary representations $M_i$, and ${\eta }_t$ denotes the qubits consumed during the comparison process, excluding those allocated for eavesdropping detection and quantum key distribution. In this protocol, comparing an L-bit classical binary message requires preparing nL qubits as quantum resources; thus, we can obtain ${\eta }_c=L$ and ${\eta }_t=nL$. Consequently, the qubit efficiency of the proposed protocol is ${\eta }_e={\displaystyle \frac{{\eta }_c}{{\eta }_t}}={\displaystyle \frac{L}{nL}}$.

A comparative analysis of the proposed MQPC protocol against previous protocols is summarized in

Table 1. A comparison between the proposed MQPC protocol and previous protocols.

Protocol	Quantum Resource Used	Unitary Operation for Users	Quantum Technology Used	Key Sharing	Quantum Measurement for Users	Quantum Measurement for TP	Qubit Efficiency
Ref. [55]	n-particle GHZ class states	No	The entanglement correlation	No	Single particle	No	${\displaystyle \frac{L}{nL}}$
Ref. [56]	d-dimensional basis state	Yes	Quantum Fourier transform and unitary operation	No	No	d-level single particle	${\displaystyle \frac{L}{nL}}$
Ref. [57]	d-level n-particle entangled state and d-level two-particle entangled state	No	Quantum Fourier transform	No	d-level single particle	d-level single particle	${\displaystyle \frac{L}{3nL}}$
Ref. [58]	d-level n + 1-particle cat state and d-level two-particle Bell state	Yes	Quantum entanglement swapping	No	d-level two-particle Bell state	d-level n + 1-particle cat state	${\displaystyle \frac{L}{3nL+L}}$
Ref. [59]	d-level two-particle Bell entangled state	Yes	Quantum entanglement swapping and unitary operation	No	d-level two-particle Bell entangled state	d-level two-particle Bell entangled state	${\displaystyle \frac{L}{2nL+2L}}$
Ours	Single photons	Yes	Rotation operation	Yes	No	Z-basis	${\displaystyle \frac{L}{nL}}$

. The protocol demonstrates improvements in the following areas.

Firstly, unlike the protocols proposed in Refs. [55,56,57,58,59], which require the preparation of intricate high-dimensional quantum states, including n-particle GHZ class states or d-dimensional quantum states, posing significant challenges in implementation, our protocol simplifies these requirements. It does not necessitate the preparation of complex quantum states and instead utilizes single photons as quantum resources. This design makes it easily implementable with current quantum technologies due to the straightforward preparation of single photons.

Secondly, some existing MQPC protocols necessitate complex quantum technologies, such as the entanglement correlation of n-particles [55], the quantum entanglement swapping of d-level quantum states [58,59], and unitary operations for d-level quantum states [56], which are difficult to implement with current technologies. In contrast, our protocol employs rotation operations performed on single photons, which are readily implementable with existing quantum technologies.

Thirdly, our protocol utilizes single-particle measurements instead of d-level quantum state measurements, aligning it with current technical feasibility.

Although the qubit efficiency of our protocol is identical to that of Refs. [55,56] and requires the sharing of a secret key, it demonstrates superior performance due to the easier-to-implement quantum technologies used, particularly in terms of quantum resources, unitary operations, and quantum measurements.

6. Conclusions

In this paper, we propose a multiparty quantum private comparison (MQPC) protocol based on rotation operations to facilitate the comparison of equality relationships among n participants while preserving the confidentiality of their inputs. In this protocol, each participant’s inputs are encoded into single photons, which serve as easier-to-implement quantum resources. Rotation operations are employed for the encryption and decryption of these single photons, while Z-basis measurements are used to obtain comparison results. This design aligns the proposed protocol with current technical feasibility while providing a robust mechanism for protecting the privacy of participants’ inputs. Compared to existing MQPC frameworks that rely on complex quantum technologies, such as the entanglement correlation of n-particles, quantum entanglement swapping of d-level quantum states, and unitary operations for d-level quantum states, our protocol demonstrates significant advancements in practicality due to the simplicity of single photons, rotation operations, and Z-basis measurements. An illustrative example demonstrates the readability of the proposed protocol. The security analysis shows that the use of rotation operations and decoy photons provides a robust mechanism for protecting the privacy of the participants’ inputs, making the protocol resistant to outsider eavesdropping and participant attacks. Additionally, the protocol meets the requirement of fairness, as all participants access the comparison results simultaneously. However, since all participants in our protocol must possess full quantum capabilities to perform the equality comparison, there is an increased demand for quantum resources. Under current quantum technology conditions, not all users can afford the high cost associated with complete quantum equipment. In the future, we will focus on developing the MQPC protocol to compare size relations among n participants and designing semi-quantum privacy comparison protocols [39].