Authenticated Multi-Party Quantum Private Set Intersection with Single Particles

Abstract

As an important branch of secure multi-party computation, privacy set intersection enables multiple parties to input their private sets and jointly compute the intersection of these sets without revealing any information other than the intersection itself. With the increasing demand for privacy protection of user data, privacy set intersection has been widely used in privacy computing and other fields. In this paper, we utilize the properties of mutually unbiased bases to propose a multi-party quantum private set intersection protocol that incorporates identity authentication mechanisms. A semi-honest third party (TP) is introduced to facilitate the secure execution of this task among the multiple participating parties. The TP establishes a shared master key with each party, which serves as the basis for authenticating the identity of each participant throughout the protocol. Single-particle quantum states, prepared by the TP, act as the information carriers and are sequentially transmitted among the participating parties. Each party performs a local unitary operation on the circulating particle, thereby encoding their private data within the quantum state. At the end of the protocol, the TP announces his measurement result, by which all participants can concurrently ascertain the intersection of their private data sets. Notably, the proposed protocol eliminates the need for long-term storage of single-particle quantum states, thereby rendering it feasible with existing quantum technological capabilities. Furthermore, a comprehensive security analysis demonstrates that the protocol effectively resists some common external and internal attacks, thereby ensuring its theoretical security.

1. Introduction

Based on the principles of quantum mechanics, particularly the Heisenberg uncertainty principle and the No-Cloning theorem, quantum cryptography transcends the computational limitations of classical encryption by utilizing physical laws to guarantee security. For example, the famous BB84 protocol [1] enables two parties to generate a shared secret key with unconditional security. This security arises from the impossibility of measuring or copying an unknown quantum state chosen from four mutually unbiased base states rather than unproven mathematical hardness assumptions. Thus, quantum cryptography’s security is information-theoretically verifiable, rendering it immune to advances in quantum computing. In the past three decades, researchers have attempted to use quantum cryptography to address other security issues, such as quantum secret sharing [2,3,4,5], quantum secure direct communication [6,7,8,9], quantum private comparison [10,11,12,13,14], and so on.

The extension of quantum cryptographic principles to multi-party computation introduces quantum private set intersection (QPSI), which is a critical tool for secure collaborative data analysis. In QPSI, multiple parties aim to compute the intersection of their private data sets without revealing any information beyond the intersection itself. Traditional classical private set intersection protocols face vulnerabilities to quantum attacks, as their security often hinges on computational assumptions that quantum computers could invalidate. In contrast, QPSI uses quantum-resistant techniques, such as single-photon manipulation [15,16,17,18], rotation operations [19,20,21], and entanglement-based correlations [22,23,24], to achieve quantum-proof security. By embedding security into the fabric of quantum physics, QPSI protocols offer a future-proof solution for privacy-preserving applications, such as contact tracking, federated learning, and medical data sharing, where the integrity of sensitive information must be preserved against both classical and quantum threats.

As demonstrated in Ref. [25], some theoretically secure quantum cryptography protocols remain susceptible to man-in-the-middle attacks, due to the lack of identity verification. This is especially true for QPSI. In a two-party QPSI protocol, if an adversary successfully impersonates a legitimate participant, he can easily steal the private data set of the other participant. Here, he does not need to perform any attack operation, but only needs to enter his secret data set as the full set when executing the protocol and then obtain the other private data set based on the final intersection result. Therefore, identity authentication should be considered when designing a practical QPSI protocol. In Ref. [25], Wu et al. delved into the issue and proposed a quantum protocol theoretically to achieve the computation of private sets with identity authentication. The protocol hinges on the quantum entanglement properties of Greenberger–Horne–Zeilinger (GHZ) states, ensuring that only two authenticated users can compute the private set intersection/union cardinality. Stimulated by this work, an authenticated multi-party quantum private set intersection protocol with single particles is presented in this paper. In the designed protocol, a third party is incorporated to enable the secure execution of private set intersection involving multiple participating entities. First, the TP shares a master key with each individual party that forms the cornerstone for authenticating the identity of every participant, ensuring a secure and verified environment throughout the protocol’s execution. Secondly, single-particle quantum states prepared by the TP, which serve as carriers of sensitive data, are sequentially transmitted among the participating parties. Upon receiving the circulating particle, each party applies two phase operations to it. One operation is employed to encode the party’s private data, while the other aims to keep the information confidential. Similarly to the BB84 protocol, mutually unbiased bases are utilized here to ensure the secure transmission of the particles. Finally, based on the public message declared by the TP, all participants can simultaneously determine the intersection of their private data sets. In this way, the goal of the protocol is achieved in a secure and efficient manner. Note that the TP in the proposed protocol here is assumed to be semi-honest [26]. If he were misbehaving, TP could collude with other participants to attack the protocol. In such a case, the protocol could be viewed as secure computation between two parties: one being the honest participants, and the other being the misbehaving TP combined with the remaining dishonest participants. According to the no-go theorem [27,28], such a quantum secure computation protocol would theoretically be unsafe. Therefore, like most quantum secure multi-party computation protocols, the TP in this protocol is also assumed to be semi-honest. That is, he behaves honestly during the protocol execution and refrains from colluding with other participants, but may attempt to infer more information afterward.

The remainder of this paper is organized as follows. The relevant preliminary knowledge related to this paper is introduced in Section 2. Subsequently, the proposed multi-party quantum private set intersection protocol and a toy example are elaborated in Section 3 and Section 4, respectively. The security of the proposed protocol is analyzed in Section 5. In Section 6, the experimental simulation is provided to demonstrate its feasibility. Finally, Section 7 offers a short conclusion.

2. Preliminary

Unlike classical bits, which can only exist in a definite state of 0 or 1, quantum bits (qubits) can exist in any superposition state. Moreover, it is impossible to accurately measure non-orthogonal quantum states simultaneously. This unique quantum property is often utilized in the design of quantum cryptographic protocols, such as the BB84 protocol [1]. In this protocol, four non-orthogonal quantum states, $|0\rangle ,|1\rangle ,|0^{\prime }\rangle = {\displaystyle \frac{1}{\sqrt{2}}}(|0\rangle +|1\rangle ),$ and $|1^{\prime }\rangle = {\displaystyle \frac{1}{\sqrt{2}}}(|0\rangle -|1\rangle )$, are used as signal particles for transmission, thereby ensuring the unconditional security of the protocol in theory. These four quantum states in a two-dimensional Hilbert space are composed of two sets of mutually unbiased bases (MUBs), $\{|0\rangle ,|1\rangle \}$ and $\{|0^{\prime }\rangle ,|1^{\prime }\rangle \}$, making the protocol more sensitive to eavesdropping.

For a d-dimensional Hilbert space $H_d$, there are at most $d+1$ mutually unbiased bases [29]. Suppose that the computational basis of $H_d$ is denoted by ${\Pi }_d=\{|0\rangle , |1\rangle , \dots$, $|d-1\rangle \}$. When d is an odd prime, the other d bases are given as ${\Pi }_0, {\Pi }_1, \dots , {\Pi }_{d-1}$, where ${\Pi }_y=\{|{ϵ}_{x,y}^d\rangle ={\displaystyle \frac{1}{\sqrt{d}}}{\sum }_{k=0}^{d-1}{\omega }^{k(x+yk)}|k\rangle |x, y\in Z_d, \omega =e^{2\pi \mathrm{i}/d},\mathrm{i}=\sqrt{-1}\}$ and $Z_d=\{0, 1, \dots , d-1\}$. Through simple calculations, it can be shown that for any $x, y, x^{\prime }, y^{\prime }, z\in Z_d$, $\langle z|{ϵ}_{x,y}^d\rangle ={\displaystyle \frac{1}{\sqrt{d}}}$ and

$$\begin{array}{c}\langle {ϵ}_{x,y}^d|{ϵ}_{x^{\prime },y^{\prime }}^d\rangle =\left\{\begin{array}{cc}{\displaystyle \frac{1}{\sqrt{d}}}\hfill & \mathrm{if}y\ne y^{\prime }\hfill \\ 0\hfill & \mathrm{if}y=y^{\prime }\hfill \end{array}\right..\hfill \end{array}$$

(1)

Thus, these $d+1$ sets of bases are mutually unbiased, and will be utilized in the protocol presented in this paper.

Moreover, the transformation between these states can be achieved using two unitary phase operators. One is $E_{x^{\prime }}^d$, which is defined by

$$\begin{array}{c}\hfill E_{x^{\prime }}^d=\sum _{k=0}^{d-1}{\omega }^{k{x}^{\prime }}|k\rangle \langle k|.\end{array}$$

(2)

For any state $|{ϵ}_{x,y}^d\rangle$, we have

$$\begin{array}{c}\hfill E_{x^{\prime }}^d|{ϵ}_{x,y}^d\rangle =|{ϵ}_{x+x^{\prime },y}^d\rangle .\end{array}$$

(3)

The other is $S_{y^{\prime }}^d$,

$$\begin{array}{c}\hfill S_{y^{\prime }}^d=\sum _{k=0}^{d-1}{\omega }^{k^2{y}^{\prime }}|k\rangle \langle k|,\end{array}$$

(4)

which can convert the state $|{ϵ}_{x,y}^d\rangle$ to $|{ϵ}_{x,y+y^{\prime }}^d\rangle$, i.e.,

$$\begin{array}{c}\hfill S_{y^{\prime }}^d|{ϵ}_{x,y}^d\rangle =|{ϵ}_{x,y+y^{\prime }}^d\rangle .\end{array}$$

(5)

From Equations (3) and (5), we can derive

$$\begin{array}{c}\hfill S_{y^{\prime }}^d{E}_{x^{\prime }}^d|{ϵ}_{x,y}^d\rangle =|{ϵ}_{x+x^{\prime },y+y^{\prime }}^d\rangle .\end{array}$$

(6)

That is, any $|{ϵ}_{x,y}^d\rangle$ can be transformed into $|{ϵ}_{x+x^{\prime },y+y^{\prime }}^d\rangle$ by performing the unitary operator $S_{y^{\prime }}^d{E}_{x^{\prime }}^d$. Thus, these two operators will serve as the encoding and encrypting operations, respectively, in the presented protocol.

3. Proposed Protocol

In this section, we propose a multi-party QPSI protocol with identity authentication. For generality, we consider a system model consisting of m participants, Bob_i ($i=1, 2, \dots , m$) and a third party, Trent. Each participant Bob_i holds a private data set $B_i=\{b_i^1, b_i^2, \dots , b_i^{n_i}\}\subseteq {\mathrm{Z}}_n=\{0, 1, \dots , n-1\}$, and has a secure key $k_i$ with Trent. With the help of Trent, the m participants aim to securely compute the intersection of their private sets, denoted as $B_1\cap B_2\cap \dots \cap B_m$. Meanwhile, the identity of each Bob_i is authenticated by Trent. The entire communication process is shown in Figure 1. The proposed protocol consists of four phases, which are detailed as follows.

I. Initializing phase

I.1. m participants Bob_i request a PSI from Trent. They each generate a random bit string $r_i$ and send it to Trent. Meanwhile, according to the following rule,

$$\begin{array}{c}{c}_i^j=\left\{\begin{array}{cc}1\hfill & \mathrm{if}j\in B_i\hfill \\ 0\hfill & \mathrm{otherwise}\hfill \end{array}\right.,\hfill \end{array}$$

(7)

each participant Bob_i converts his secret private set $B_i$ into an n-bit string $C_i=(c_i^1, c_i^2, \dots , c_i^n)$.

I.2. Based on the actual environment and security requirements, Trent sets a security parameter $\xi$, which is the number of particles detected. Then, he chooses a hash function from a class of universal one-way hash function, $h:{\{0,1\}}^{*}\to {\{0, 1, \dots , d-1\}}^{n^{\prime }}$, where $n^{\prime }=n+\xi$ and $d>m$. He generates a random bit string $r_0$, and calculates m private strings, $Y_1, Y_2, \dots , Y_m$, where $Y_i=(y_i^1, y_i^2, \dots , y_i^{n^{\prime }})=h(r_0||r_1||\dots ||r_m||k_i)$. At last, Trent announces $\xi$, h, and $r_0$ to all participants.

I.3. After receiving the messages announced by Trent, each participant Bob_i obtains his authenticated message by calculating $Y_i=(y_i^1, y_i^2, \dots , y_i^{n^{\prime }})=h(r_0||r_1||\dots ||r_m||k_i)$. After that, these m participants agree on a permutation function $\varpi$, which transforms each element of the set $Z_{n^{\prime }}$ into a unique element within the same set, with no repetitions or omissions. Finally, each participant Bob_i generates a private $\xi$-bit string, $A_i=(a_i^1, a_i^2, \dots , a_i^{\xi })$, which is used as the check samples. Bob_i utilizes the function $\varpi$ to permute the bit string $C_i||A_i$ and obtain a new bit string $X_i=(x_i^1, x_i^2, \dots , x_i^{n^{\prime }})$.

II. Quantum phase

II.1. Trent prepares $n^{\prime }$ particles, each initially in the state $|{ϵ}_{0,0}^d\rangle = {\displaystyle \frac{1}{\sqrt{d}}}{\sum }_{k=0}^{d-1}|k\rangle$. For the j-th particle ($j=1, 2, \dots , n^{\prime }$), Trent generates two random numbers $x_0^j, y_0^j\in {\mathrm{Z}}_d$. According to these two values, he performs the operation $S_{y_0^j}^d{E}_{x_0^j}^d$ on the particle, and obtains the state, $|{\varphi }_1^j\rangle = S_{y_0^j}^d{E}_{x_0^j}^d|{ϵ}_{0,0}^d\rangle = |{ϵ}_{x_0^j,y_0^j}^d\rangle$. Finally, Trent sends these $n^{\prime }$ particles in the state $|{\Phi }_1\rangle = {\otimes }_{j=1}^{n^{\prime }}|{\varphi }_1^j\rangle$ to the first participant Bob₁.

II.2. Upon receiving the quantum state $|{\varphi }_1^j\rangle$ ($j=1, 2, \dots , n^{\prime }$), Bob₁ performs his encoding operation $E_{x_1^j}^d$ on the signal particle, and executes the encrypting operation, $S_{y_1^j}^d$. In this way, Bob₁ obtains the state $|{\Phi }_2\rangle = {\otimes }_{j=1}^{n^{\prime }}|{\varphi }_2^j\rangle$, where $|{\varphi }_2^j\rangle = S_{y_1^j}^d{E}_{x_1^j}^d|{\varphi }_1^j\rangle = |{ϵ}_{x_0^j+x_1^j,y_0^j+y_1^j}^d\rangle$ and sends it to the next participant, Bob₂.

II.3. Bob_i ($i=2, 3, \dots , m$) conducts a process analogous to that in II.2. Specifically, when Bob_i receives the j-th signal particle, he performs his operation $S_{y_i^j}^d{E}_{x_i^j}^d$ on it. Then, he sends the quantum state $|{\varphi }_{i+1}^j\rangle = S_{y_i^j}^d{E}_{x_i^j}^d|{\varphi }_i^j\rangle = |{ϵ}_{x_0^j+x_1^j+\dots +x_i^j,y_0^j+y_1^j+\dots +y_i^j}^d\rangle$ to the subsequent participant. Notably, the last participant, Bob_m, returns these $n^{\prime }$ signal particles to Trent.

II.4. When receiving the quantum state $|{\varphi }_{m+1}^j\rangle$, Trent performs the corresponding decrypting operation, $S_{-y_0^j-y_1^j-\dots -y_m^j}^d$, on the state $|{\varphi }_{m+1}^j\rangle$. Then, he measures these signal particles in the bases ${\Pi }_0=\{|{ϵ}_{0,0}^d\rangle , |{ϵ}_{1,0}^d\rangle , \dots , |{ϵ}_{d-1,0}^d\rangle \}$, and obtains the result, $o^j$. According to $o^j$ and $x_0^j$, Trent calculates $z^j=o^j-x_0^j$, and obtains $Z=(z^1, z^2, \dots , z^{n^{\prime }})$.

III. Eavesdropping check phase

The m participants tell Trent the positions of the test samples, i.e., $\{\varpi (n+1), \varpi (n+2), \dots , \varpi \left(n^{\prime }\right)\}$, and tell Trent their $A_i$s, respectively. In terms of these public messages, Trent uses these $\xi$ samples to execute the eavesdropping detection process. Concretely, for the j-th sample ($j=1, 2, \dots , \xi$), Trent judges whether $o^{\varpi (j+n)}$ is equal to $x_0^{\varpi (j+n)}+a_1^j+a_2^j+\dots +a_m^j$ or not. If they are not equal, the number of errors is increased by 1. Finally, if the error rate exceeds a predefined threshold, Trent believes that the protocol is eavesdropping, abandons and restarts the protocol. Otherwise, he proceeds to the next step.

IV. Result announcement phase

After abandoning these test samples, Trent obtains the remaining n results to get $T=(t^1, t^2, \dots , t^n)$. When $t^j=m$, he announces the value of j. In accordance with this message, all participants infer that the ${\varpi }^{-1}\left(j\right)$-th element is present in the intersection of their private data sets. In this way, the m participants simultaneously acquire the intersection of their private data sets, $B_1\cap B_2\cap \dots \cap B_m$.

4. Toy Example

In this section, we will take a toy example (depicted in

Table 1. The quantum and classical sequences in this toy example.

	Trent	Bob1	Bob2	Bob3	Bob4
Input		$B_1=\{1,4\}$	$B_2=\{2,3,4\}$	$B_3=\{0,3,4\}$	$B_4=\{4,5\}$
	$k_1,k_2,k_3,k_4$	$k_1$ = ‘0010111111’	$k_2$ = ‘1100011010’	$k_3$ = ‘0100000110’	$k_4$ = ‘0011001111’
Phase I		$C_1$ = ‘010010’	$C_2$ = ‘001110’	$C_3$ = ‘100110’	$C_4$ = ‘000011’
	$r_0$ = ‘0100000110’	$r_1$ = ‘0011010001’	$r_2$ = ‘1101000010’	$r_3$ = ‘0111111101’	$r_4$ = ‘1111001011’
	$Y_1,Y_2,Y_3,Y_4$	$Y_1$ = ‘0000011100’	$Y_2$ = ‘1110111001’	$Y_3$ = ‘0110100101’	$Y_4$ = ‘0001101100’
		$A_1$ = ‘1101’	$A_2$ = ‘1000’	$A_3$ = ‘0101’	$A_4$ = ‘0100’
		$X_1$ = ‘1100011001’	$X_2$ = ‘1000101100’	$X_3$ = ‘1000010111’	$X_4$ = ‘1001000001’
Phase II	$X_0$ = ‘1000010101’
	$Y_0$ = ‘1011011000’
	$|{\Phi }_1\rangle = |{ϵ}_{1,1}^5\rangle |{ϵ}_{0,0}^5\rangle$
	$|{ϵ}_{0,1}^5\rangle |{ϵ}_{0,1}^5\rangle |{ϵ}_{0,0}^5\rangle |{ϵ}_{1,1}^5\rangle$
	$|{ϵ}_{0,1}^5\rangle |{ϵ}_{1,0}^5\rangle |{ϵ}_{0,0}^5\rangle |{ϵ}_{1,0}^5\rangle$
		$|{\Phi }_2\rangle = |{ϵ}_{2,1}^5\rangle |{ϵ}_{1,0}^5\rangle$
		$|{ϵ}_{0,1}^5\rangle |{ϵ}_{0,1}^5\rangle |{ϵ}_{0,0}^5\rangle |{ϵ}_{2,2}^5\rangle$
		$|{ϵ}_{1,2}^5\rangle |{ϵ}_{1,1}^5\rangle |{ϵ}_{0,0}^5\rangle |{ϵ}_{2,0}^5\rangle$
			$|{\Phi }_3\rangle = |{ϵ}_{3,2}^5\rangle |{ϵ}_{1,1}^5\rangle$
			$|{ϵ}_{0,2}^5\rangle |{ϵ}_{0,1}^5\rangle |{ϵ}_{1,1}^5\rangle |{ϵ}_{2,3}^5\rangle$
			$|{ϵ}_{2,3}^5\rangle |{ϵ}_{2,1}^5\rangle |{ϵ}_{0,0}^5\rangle |{ϵ}_{2,1}^5\rangle$
				$|{\Phi }_4\rangle = |{ϵ}_{4,2}^5\rangle |{ϵ}_{1,2}^5\rangle$
				$|{ϵ}_{0,3}^5\rangle |{ϵ}_{0,1}^5\rangle |{ϵ}_{1,2}^5\rangle |{ϵ}_{3,3}^5\rangle$
				$|{ϵ}_{2,3}^5\rangle |{ϵ}_{3,2}^5\rangle |{ϵ}_{1,0}^5\rangle |{ϵ}_{3,2}^5\rangle$
					$|{\Phi }_5\rangle = |{ϵ}_{5,2}^5\rangle |{ϵ}_{1,2}^5\rangle$
					$|{ϵ}_{0,3}^5\rangle |{ϵ}_{1,2}^5\rangle |{ϵ}_{1,3}^5\rangle |{ϵ}_{3,3}^5\rangle$
					$|{ϵ}_{2,4}^5\rangle |{ϵ}_{3,3}^5\rangle |{ϵ}_{1,0}^5\rangle |{ϵ}_{4,2}^5\rangle$
	Z = ‘4101122213’
Phase III	‘0223’	’0111’	‘0010’	‘0101’	‘0001’
Phase IV	$j=0$

) to better understand the presented protocol and show that it is correct. Suppose Bob₁, Bob₂, Bob₃, and Bob₄ are four parties ($m=4$, $d=5$), and $B_1, B_2, B_3, B_4\in Z_6$ ($n=6$) are their private sets, respectively, where $B_1=\{1, 4\},B_2=\{2, 3, 4\},B_3=\{0, 3, 4\},$ and $B_4=\{4, 5\}$. In accordance with Equation (7), the four participants each calculate their private six-bit strings, $C_1$ = ‘010010’, $C_2$ = ‘001110’, $C_3$ = ‘100110’, and $C_4$ = ‘000011’. Additionally, they each share four master keys, $k_1$ = ‘0010111111’, $k_2$ = ‘1100011010’, $k_3$ = ‘0100000110’, and $k_4$ = ‘0011001111’, with Trent.

In Step I.1, these participants respectively generate four random bit strings, $r_1$ = ‘0011010001’, $r_2$ = ‘1101000010’, $r_3$ = ‘0111111101’, and $r_4$ = ‘1111001011’, and send them to Trent. Then, Trent sets $\xi =4$ ($n^{\prime }=n+\xi =10$), $r_0$ = ‘0100000110’, and the hash function h. Here, for simplicity, the hash function is set as $h(r_0||r_1||r_2||r_3||r_4||k_i)=r_0\oplus r_1\oplus r_2\oplus r_3\oplus r_4\oplus k_i$, where ⊕ denotes a bitwise exclusive-OR (XOR) operation. Based on this function and $k_i$, Bob_i (i = 1, 2, 3, 4) and Trent obtain $Y_i$, depicted in Table 1, and keep it secret. In Step I.3, four participants respectively generate four 4-bit strings, $A_1$ = ‘1101’, $A_2$ = ‘1000’, $A_3$ = ‘0101’, and $A_4$ = ‘0100’, and agree on a permutation function $\varpi \left(j\right)=(3j+8)\mathrm{mod}10$ that is only known to them. Based on this function, the corresponding permutation table (

Table 2. The permutation table.

0	1	2	3	4	5	6	7	8	9
8	1	4	7	0	3	6	9	2	5

) is derived. Then, Bob_i can calculate $X_i=\varpi (C_i||A_i)$ as specified in Table 1.

In Step II, Trent generates two random bit strings $X_0$ = ‘1000010101’, and $Y_0$ = ‘1011011000’, and prepares 10 particles that are in the state $|{\Phi }_1\rangle = {\otimes }_{j=1}^{10}|{\varphi }_1^j\rangle = |{ϵ}_{0,0}^5\rangle$. After that, these ten signal particles are transmitted among the four participants. Each participant Bob_i performs his encoding operation and encrypting operation on these particles, and obtains the state $|{\Phi }_{i+1}\rangle$ as outlined in Table 1. In Step II.4, Trent applies the corresponding decrypting operation to these particles, and measures them in the basis ${\Pi }_0$. For example, the first qudit is in the state $|{ϵ}_{1,1}^5\rangle$, after Trent applies the operation $S_{y_0^j}^d{E}_{x_0^j}^d$ on state $|{ϵ}_{0,0}^5\rangle$. Subsequently, four participants, respectively, execute operations $S_0^d{E}_1^d$, $S_1^d{E}_1^d$, $S_0^d{E}_1^d$, and $S_0^d{E}_1^d$, when they receive this qudit. In this case, the state is transformed to $|{ϵ}_{5,2}^5\rangle$ and returned to Trent. After that, Trent executes the decrypting operation $S_{-2}^d$, and obtains the measurement result ‘5’. From this result and the first bit of $X_0$, he deduces that the first bit of Z is ‘4’.

In the eavesdropping check phase, the four participants tell Trent the positions of four samples, i.e., 2, 5, 6, and 9, and their $A_i$s. Based on these messages and Z, Trent determines whether the particles have been transmitted securely. After discarding the four samples, Trent obtains $t^0=4=m$, and announces it in Step IV. From this public message and the permutation function $\varpi$, the four participants can concurrently ascertain the intersection of their private data sets, i.e., $B_1\cap B_2\cap B_3\cap B_4=\{{\varpi }^{-1}\left(0\right)=4\}$.

From the above example, it can be seen that the proposed protocol requires that the dimension $d=5$ of the signal particles be a prime number greater than the number of participants, $m=4$. When the number of participants is large, this prime number becomes very large, which greatly limits the practicality of the proposed protocol. To solve this problem, we can group the users. Concretely, all participants are randomly divided into g disjoint groups, and then each group of participants performs the proposed protocol with Trent. In this way, Trent can obtain the intersection of private data sets of participants in each of the g groups, and further intersecting these intersections can yield the intersection of all private data sets. This solution effectively addresses the issue of the number of participants in the proposed protocol, but may lead to the leakage of some information to Trent, thereby reducing the security level of the protocol.

To further address this issue, the Chinese Remainder Theorem can be applied, which is similar to that in Ref. [30]. Given the number of participants m, a series of small primes $d_1, d_2, \dots , d_r$ can be obtained such that $D=d_1, d_2, \dots , d_r>m$. By executing the proposed protocol for r rounds, a series of values $t_{d_1}^j, t_{d_2}^j, \dots , t_{d_r}^j$ can be obtained and satisfy the following equation:

$$\begin{array}{c}\left\{\begin{array}{c}{t}_{d_1}^j=t^j\mathtt{mod}{d}_1\\ t_{d_2}^j=t^j\mathtt{mod}{d}_2\\ \dots \\ t_{d_r}^j=t^j\mathtt{mod}{d}_r\end{array}\right.\hfill \end{array}$$

(8)

Then, according to the Chinese Remainder Theorem, $t^j$ can be calculated,

$$\begin{array}{c}\hfill t^j=\sum _{i=1}^r{D}_i\times e_i\times t_{d_i}^j\mathtt{mod}D,\end{array}$$

(9)

where $D={\prod }_{i=1}^r{d}_i$, $D_i={\displaystyle \frac{D}{d_i}}$, and $1=e_i\times D_i\mathtt{mod}{d}_i$. Next, let us consider the same scenario as in the above example. Here, the four master keys, four private data sets, and two functions (h, $\varpi$) are identical to those in the previous example and are denoted using the same notation. Additionally, Trent and four participants agree on two primes $d_1=2$ and $d_2=3$, and execute the proposed protocol in two rounds.

In the first round, Trent and four participants respectively generate five new random bit strings, $r_0$ = ‘1101000010’, $r_1$ = ‘0111111101’, $r_2$ = ‘1111001011’, $r_3$ = ‘0100000110’, and $r_4$ = ‘1111101100’. Based on two new random bit strings $X_0^{\prime }$ = ‘0000000110’ and $Y_0^{\prime }$ = ‘0001001111’, Trent prepares ten qubits in the state $|{\Phi }_1^{\prime }\rangle = |{ϵ}_{0,0}^2\rangle |{ϵ}_{0,0}^2\rangle |{ϵ}_{0,0}^2\rangle |{ϵ}_{0,1}^2\rangle |{ϵ}_{0,0}^2\rangle |{ϵ}_{0,0}^2\rangle |{ϵ}_{0,1}^2\rangle |{ϵ}_{1,1}^2\rangle |{ϵ}_{1,1}^2\rangle |{ϵ}_{0,1}^2\rangle$ and transmits them to Bob₁. After four participants respectively perform their operation on these qubits and send them back to Trent, he measures these qubits and obtains $t_2$ = ‘011101’. Similarly, in the second round, ten qutrits are used as signal particles and transmitted among Trent and four participants. After that, Trent obtains $t_3$ = ‘011101’. The corresponding quantum and classical sequences of these two rounds are presented in

Table 3. The quantum and classical sequences of the first round.

	Trent	Bob1	Bob2	Bob3	Bob4
Input		$B_1=\{1,4\}$	$B_2=\{2,3,4\}$	$B_3=\{0,3,4\}$	$B_4=\{4,5\}$
	$k_1,k_2,k_3,k_4$	$k_1$ = ‘0010111111’	$k_2$ = ‘1100011010’	$k_3$ = ‘0100000110’	$k_4$ = ‘0011001111’
Phase I		$C_1$ = ‘010010’	$C_2$ = ‘001110’	$C_3$ = ‘100110’	$C_4$ = ‘000011’
	$r_0^{\prime }$ = ‘1101000010’	$r_1^{\prime }$ = ‘0111111101’	$r_2^{\prime }$ = ‘1111001011’	$r_3^{\prime }$ = ‘0100000110’	$r_4^{\prime }$ = ‘1111101100’
	$Y_1^{\prime },Y_2^{\prime },Y_3^{\prime },Y_4^{\prime }$	$Y_1^{\prime }$ = ‘1100100001’	$Y_2^{\prime }$ = ‘0010000100’	$Y_3^{\prime }$ = ‘1010011000’	$Y_4^{\prime }$ = ‘1101010001’
		$A_1^{\prime }$ = ‘0111’	$A_2^{\prime }$ = ‘0101’	$A_3^{\prime }$ = ‘1100’	$A_4^{\prime }$ = ‘1111’
		$X_1^{\prime }$ = ‘1110010001’	$X_2^{\prime }$ = ‘1000110101’	$X_3^{\prime }$ = ‘1000001111’	$X_4^{\prime }$ = ‘1011011001’
Phase II	$X_0^{\prime }$ = ‘0000000110’
	$Y_0^{\prime }$ = ‘0001001111’
	$|{\Phi }_1^{\prime }\rangle = |{ϵ}_{0,0}^2\rangle |{ϵ}_{0,0}^2\rangle$
	$|{ϵ}_{0,0}^2\rangle |{ϵ}_{0,1}^2\rangle |{ϵ}_{0,0}^2\rangle |{ϵ}_{0,0}^2\rangle$
	$|{ϵ}_{0,1}^2\rangle |{ϵ}_{1,1}^2\rangle |{ϵ}_{1,1}^2\rangle |{ϵ}_{0,1}^2\rangle$
		$|{\Phi }_2^{\prime }\rangle = |{ϵ}_{1,1}^2\rangle |{ϵ}_{1,1}^2\rangle$
		$|{ϵ}_{1,0}^2\rangle |{ϵ}_{0,1}^2\rangle |{ϵ}_{0,1}^2\rangle |{ϵ}_{1,0}^2\rangle$
		$|{ϵ}_{0,1}^2\rangle |{ϵ}_{1,1}^2\rangle |{ϵ}_{1,1}^2\rangle |{ϵ}_{1,0}^2\rangle$
			$|{\Phi }_3^{\prime }\rangle = |{ϵ}_{0,1}^2\rangle |{ϵ}_{1,1}^2\rangle$
			$|{ϵ}_{1,1}^2\rangle |{ϵ}_{0,1}^2\rangle |{ϵ}_{1,1}^2\rangle |{ϵ}_{0,0}^2\rangle$
			$|{ϵ}_{0,1}^2\rangle |{ϵ}_{0,0}^2\rangle |{ϵ}_{1,1}^2\rangle |{ϵ}_{0,0}^2\rangle$
				$|{\Phi }_4^{\prime }\rangle = |{ϵ}_{1,0}^2\rangle |{ϵ}_{1,1}^2\rangle$
				$|{ϵ}_{1,0}^2\rangle |{ϵ}_{0,1}^2\rangle |{ϵ}_{1,1}^2\rangle |{ϵ}_{0,1}^2\rangle$
				$|{ϵ}_{1,0}^2\rangle |{ϵ}_{1,0}^2\rangle |{ϵ}_{0,1}^2\rangle |{ϵ}_{1,0}^2\rangle$
					$|{\Phi }_5^{\prime }\rangle = |{ϵ}_{0,1}^2\rangle |{ϵ}_{1,0}^2\rangle$
					$|{ϵ}_{0,0}^2\rangle |{ϵ}_{1,0}^2\rangle |{ϵ}_{1,1}^2\rangle |{ϵ}_{1,0}^2\rangle$
					$|{ϵ}_{0,0}^2\rangle |{ϵ}_{1,0}^2\rangle |{ϵ}_{0,1}^2\rangle |{ϵ}_{0,1}^2\rangle$
	Z = ‘0101110010’
Phase III	‘0100’	‘1101’	‘0101’	‘0011’	‘1111’
Phase IV	$t_2=011101$

and

Table 4. The quantum and classical sequences of the second round.

	Trent	Bob1	Bob2	Bob3	Bob4
Input		$B_1=\{1,4\}$	$B_2=\{2,3,4\}$	$B_3=\{0,3,4\}$	$B_4=\{4,5\}$
	$k_1,k_2,k_3,k_4$	$k_1$ = ‘0010111111’	$k_2$ = ‘1100011010’	$k_3$ = ‘0100000110’	$k_4$ = ‘0011001111’
Phase I		$C_1$ = ‘010010’	$C_2$ = ‘001110’	$C_3$ = ‘100110’	$C_4$ = ‘000011’
	$r_0^{″}$ = ‘0010011111’	$r_1^{″}$ = ‘1000010101’	$r_2^{″}$ = ‘1011011000’	$r_3^{″}$ = ‘1111110011’	$r_4^{″}$ = ‘0100001000’
	$Y_1^{″},Y_2^{″},Y_3^{″},Y_4^{″}$	$Y_1^{″}$ = ‘1000010110’	$Y_2^{″}$ = ‘0110110011’	$Y_3^{″}$ = ‘1110101111’	$Y_4^{″}$ = ‘1001100110’
		$A_1^{″}$ = ‘0010’	$A_2^{″}$ = ‘1111’	$A_3^{″}$ = ‘1001’	$A_4^{″}$ = ‘0101’
		$X_1^{″}$ = ‘1110000000’	$X_2^{″}$ = ‘1010111101’	$X_3^{″}$ = ‘1000011110’	$X_4^{″}$ = ‘1001010001’
Phase II	$X_0^{″}$ = ‘1011101000’
	$Y_0^{″}$ = ‘0101001011’
	$|{\Phi }_1^{″}\rangle = |{ϵ}_{1,0}^3\rangle |{ϵ}_{0,1}^3\rangle$
	$|{ϵ}_{1,0}^3\rangle |{ϵ}_{1,1}^3\rangle |{ϵ}_{1,0}^3\rangle |{ϵ}_{0,0}^3\rangle$
	$|{ϵ}_{1,1}^3\rangle |{ϵ}_{0,0}^3\rangle |{ϵ}_{0,1}^3\rangle |{ϵ}_{0,1}^3\rangle$
		$|{\Phi }_2^{″}\rangle = |{ϵ}_{2,1}^3\rangle |{ϵ}_{1,1}^3\rangle$
		$|{ϵ}_{2,0}^3\rangle |{ϵ}_{1,1}^3\rangle |{ϵ}_{1,0}^3\rangle |{ϵ}_{0,1}^3\rangle$
		$|{ϵ}_{1,1}^3\rangle |{ϵ}_{0,1}^3\rangle |{ϵ}_{0,2}^3\rangle |{ϵ}_{0,1}^3\rangle$
			$|{\Phi }_3^{″}\rangle = |{ϵ}_{0,1}^3\rangle |{ϵ}_{1,2}^3\rangle$
			$|{ϵ}_{0,1}^3\rangle |{ϵ}_{1,1}^3\rangle |{ϵ}_{2,1}^3\rangle |{ϵ}_{1,2}^3\rangle$
			$|{ϵ}_{2,1}^3\rangle |{ϵ}_{1,1}^3\rangle |{ϵ}_{0,0}^3\rangle |{ϵ}_{1,2}^3\rangle$
				$|{\Phi }_4^{″}\rangle = |{ϵ}_{1,2}^3\rangle |{ϵ}_{1,0}^3\rangle$
				$|{ϵ}_{0,2}^3\rangle |{ϵ}_{1,1}^3\rangle |{ϵ}_{2,2}^3\rangle |{ϵ}_{2,2}^3\rangle$
				$|{ϵ}_{0,2}^3\rangle |{ϵ}_{2,2}^3\rangle |{ϵ}_{1,1}^3\rangle |{ϵ}_{1,0}^3\rangle$
					$|{\Phi }_5^{″}\rangle = |{ϵ}_{2,0}^3\rangle |{ϵ}_{1,0}^3\rangle$
					$|{ϵ}_{0,2}^3\rangle |{ϵ}_{2,2}^3\rangle |{ϵ}_{2,0}^3\rangle |{ϵ}_{0,2}^3\rangle$
					$|{ϵ}_{0,2}^3\rangle |{ϵ}_{2,0}^3\rangle |{ϵ}_{1,2}^3\rangle |{ϵ}_{2,0}^3\rangle$
	Z = ‘1121102212’
Phase III	‘0022’	‘1000’	‘1111’	‘0110’	‘0101’
Phase IV	$t_3=111121$

, respectively. In terms of $t_2$ and $t_3$, Trent calculates t = ‘411121’ using Equation (8), and then declares $t^0=4=m$ to four participants.

5. Security Analysis

The proposed protocol adopts a collaborative eavesdropping detection method, which can effectively enhance the detection efficiency and reduce the quantum capabilities required of participants, but it also leads to higher security risks for the protocol. In this section, a detailed security analysis of the protocol is provided. Based on the different roles of attackers in the protocol, three scenarios are considered, in which an external eavesdropper, some dishonest internal participants, and the semi-honest TP attack the proposed protocol, respectively.

5.1. External Attack

Suppose that an external attacker, Eve, aims to obtain information about the private data sets (e.g., $B_i$) of m participants (e.g., Bob_i). Obviously, she can only achieve her goal by obtaining $X_i$. In the protocol, the operations and measurements performed by Trent and m participants are completed locally, which means that this process is secure. Therefore, to eavesdrop on $X_i$, Eve must attack the transmission of particles between Trent and m participants. In addition, Eve may also impersonate a participant and use the participant’s identity to execute the protocol. In this way, she tries to attain the intersection result of the private data sets, from which some information about the private data sets may be derived. In the following, we will analyze several common attack scenarios, including the intercept–measure–resend attack, entanglement–measure attack, and impersonation attack, to demonstrate the protocol’s resistance to external attack.

5.1.1. Intercept–Measure–Resend Attack

In this attack, Eve intercepts the quantum state $|{\varphi }_i^j\rangle$ sent by ${\mathrm{Bob}}_{i-1}$ and performs a certain measurement on this signal particle. Based on the measurement result, she forges a new quantum state and sends it to Bob_i. In the proposed protocol, the signal particle is in one of $d\times d$ states from d MUBs. Since Eve doesn’t know each participant’s key $K_i$, she can’t determine the correct $y_i^j$. In this case, she has to randomly choose one basis from the d bases to measure this particle.

When Eve selects the correct basis with a probability of ${\displaystyle \frac{1}{d}}$, her measurement result is accurate. The fabricated particle prepared based on this will successfully pass the eavesdropping detection in Step III. When she selects the incorrect basis, which occurs with a probability of ${\displaystyle \frac{d-1}{d}}$, her measurement result will be random. The corresponding fabricated particle will be detected in the eavesdropping detection phase with a probability of ${\displaystyle \frac{d-1}{d}}$ as well. In summary, the total error probability is ${\left({\displaystyle \frac{d-1}{d}}\right)}^2$, which is higher than the ${\displaystyle \frac{1}{4}}$ error probability in the BB84 protocol. Therefore, when the number of the test samples, $\xi$, is sufficiently large, the probability of detecting Eve’s attack, $1-{[1-{\left({\displaystyle \frac{d-1}{d}}\right)}^2]}^{\xi }$, approaches 1.

5.1.2. Entanglement–Measure Attack

In this attack scenario, to eavesdrop on Bob_i’s secret input $x_i^j$, Eve intercepts the quantum state $|{\varphi }_i^j\rangle =|{ϵ}_{\dot{x},\dot{y}}\rangle$ ($\dot{x}=x_0^j+x_1^j+\dots +x_{i-1}^j$, $\dot{y}=y_0^j+y_1^j+\dots +y_{i-1}^j$) sent by ${\mathrm{Bob}}_{i-1}$ and prepares an auxiliary particle $|0\rangle$. Subsequently, she entangles the signal particle with the auxiliary particle using a unitary operator $\Xi$. We write the most general operation Eve can do as

$$\Xi |k\rangle |0\rangle =\sum _{l=1}^{d-1}|l\rangle |{\eta }_{k,l}\rangle ,$$

(10)

where $k\in Z_d$ and $|{\eta }_{k,l}\rangle$ are pure ancilla states uniquely determined by $\Xi$. The following conditions can be derived from the unitary feature of $\Xi$:

$$\begin{array}{c}\sum _{l=1}^{d-1}\langle {\eta }_{k,l}|{\eta }_{k^{\prime },l}\rangle ={\delta }_{k,k^{\prime }}=\left\{\begin{array}{cc}1\hfill & k=k^{\prime }\hfill \\ 0\hfill & k\ne k^{\prime }\hfill \end{array}\right.,\hfill \end{array}$$

(11)

After this unitary interaction, the signal particle and the auxiliary particle are in the state

$$|{\phi }_1\rangle =\Xi |{\varphi }_i^j\rangle |0\rangle =\Xi |{ϵ}_{\dot{x},\dot{y}}\rangle |0\rangle ={\displaystyle \frac{1}{\sqrt{d}}}\sum _{k=0}^{d-1}{\omega }^{k(\dot{x}+\dot{y}k)}\sum _{l=0}^{d-1}|l\rangle |{\eta }_{k,l}\rangle .$$

(12)

Then, Eve sends the signal particle to Bob_i, and keeps the auxiliary particle in her possession. In Step II.3, Bob_i performs his operation $S_{y_i^j}^d{E}_{x_i^j}^d$ on the signal particle. The whole system is in the state

$$|{\phi }_2\rangle =S_{y_i^j}^d{E}_{x_i^j}^d|{\phi }_1\rangle ={\displaystyle \frac{1}{\sqrt{d}}}\sum _{k=0}^{d-1}{\omega }^{k(\dot{x}+\dot{y}k)}\sum _{l=0}^{d-1}{\omega }^{l(x_i^j+y_i^{j}l)}|l\rangle |{\eta }_{k,l}\rangle .$$

(13)

Similarly, after the remaining participants execute their operations, the state is converted to

$$|{\phi }_3\rangle =S_{y_m^j}^d{E}_{x_m^j}^d\dots S_{y_{i+1}^j}^d{E}_{x_{i+1}^j}^d|{\phi }_2\rangle ={\displaystyle \frac{1}{\sqrt{d}}}\sum _{k=0}^{d-1}{\omega }^{k(\dot{x}+\dot{y}k)}\sum _{l=0}^{d-1}{\omega }^{l(x_i^j+\ddot{x}+y_i^{j}l+\ddot{y}l)}|l\rangle |{\eta }_{k,l}\rangle ,$$

(14)

where $\ddot{x}=x_{i+1}^j+\dots +x_m^j$ and $\ddot{y}=y_{i+1}^j+\dots +y_m^j$. At the end of the protocol, Eve utilizes the auxiliary particle to eavesdrop on some information about $x_i^j$. However, it is impossible. In the following, we will show that Eve cannot obtain any information about $x_i^j$ under the condition that no errors are to occur.

In the eavesdropping detection phase, Trent applies the decrypting operation $S_{-y_0^j-y_1^j-\dots -y_m^j}^d$ on the signal particle, and obtains the following state:

$$|{\phi }_4\rangle =S_{-y_0^j-y_1^j-\dots -y_m^j}^d|{\phi }_3\rangle ={\displaystyle \frac{1}{\sqrt{d}}}\sum _{k=0}^{d-1}{\omega }^{k(\dot{x}+\dot{y}k)}\sum _{l=0}^{d-1}{\omega }^{l(x_i^j+\ddot{x}-\dot{y}l)}|l\rangle |{\eta }_{k,l}\rangle .$$

(15)

In order for there to be no errors, the projective measurement ${\Pi }_0$ executed by Trent should satisfy the following conditions:

$$\begin{array}{c}(|{\phi }_4\rangle ,|{ϵ}_{k,0}\rangle )=\left\{\begin{array}{cc}1\hfill & k=\dot{x}+x_i^j+\ddot{x}\hfill \\ 0\hfill & k\ne \dot{x}+x_i^j+\ddot{x}\hfill \end{array}\right.,\hfill \end{array}$$

(16)

According to Equations (9) and (14), the following equations can be deduced:

$$\begin{array}{c}\left\{\begin{array}{c}|{\eta }_{0,0}\rangle =|{\eta }_{1,1}\rangle =\dots =|{\eta }_{d-1,d-1}\rangle ,\hfill \\ |{\eta }_{k,l}\rangle =\mathbf{0}\mathrm{if}k\ne l\hfill \end{array}\right.,\hfill \end{array}$$

(17)

where $\mathbf{0}$ denotes the null vector. As a result, it is evident that $|{\phi }_1\rangle$ is a product of $|{\varphi }_i^j\rangle$ and the ancilla. This implies that Eve cannot obtain more information about Bob_i’s secret input $x_i^j$ from observing the ancilla. Consequently, the proposed protocol is immune to the entanglement–measure attacks.

5.1.3. Impersonation Attack

Let us start by considering a simple scenario in which Eve impersonates a participant named ${\mathrm{Bob}}_i^{*}$, together with other participants, makes a computation request to Trent. According to the protocol, she generates a random number ${\tilde{r}}_i$ and announces it publicly. However, since she does not know $k_i$, Eve cannot compute the correct $Y_i=h(r_0||\dots {\tilde{r}}_i||\dots ||r_m||k_i)$. In Step II.3, she has to randomly select a ${\tilde{y}}_i^j$ and perform the operation $S_{{\tilde{y}}_i^j}^d$ on the j-th particle. Evidently, the probability of choosing incorrectly, that is, ${\tilde{y}}_i^j\ne y_i^j$, is ${\displaystyle \frac{d-1}{d}}$. In Step II.4, based on $y_i^j$, Trent performs his decrypting operation on this particle. When ${\tilde{y}}_i^j\ne y_i^j$, Trent’s measurement basis does not match, causing the measurement result to be random. Therefore, the total probability of error is ${\left({\displaystyle \frac{d-1}{d}}\right)}^2$, which will inevitably be detected by Trent. Furthermore, since the protocol requires each participant to generate a random number $r_i$, this ensures that each $Y_i$ remains fresh. In other words, even if Eve knows some old ${\dot{Y}}_i$s that Bob_i has used before, she cannot leverage this advantage for her impersonation attack. This is because the other random numbers $r_0, \dots , r_{i-1}, r_{i+1}, \dots , r_m$ are determined by Trent and other participants, and obviously $Y_i$ generated based on these are not correlated with previous ${\dot{Y}}_i$ s.

Next, we discuss the worst-case scenario in which Eve impersonates $m-1$ participants. Without loss of generality, assume that Bob₁ is the honest participant, while the remaining $m-1$ participants, ${\mathrm{Bob}}_2^{*}$, …, and ${\mathrm{Bob}}_m^{*}$ are impersonated by Eve who intends to eavesdrop on Bob₁’s secret input $x_1^j$. As shown in the above section, if they entangle an auxiliary particle with the signal particle, Eve cannot obtain $x_1^j$, because $y_1^j$ is unknown to them. Therefore, they may utilize their advantage to perform a more practical attack that poses a viable threat to QPSI protocols without identity authentication.

After receiving the signal particle transmitted by Bob₁ in Step II.2, which is in the state $|{\varphi }_2^j\rangle$, Eve carries out the encoding operation $E_1^d$ on this particle $m-1$ times, i.e., $x_2^j=x_3^j=\dots =x_m^j=1$ and sends it back to Trent. The particle is in the state $|{\varphi }_{m+1}^j\rangle = |{ϵ}_{x_0^j+x_1^j+m-1,y_0^j+y_1^j+{\tilde{y}}_2^j+\dots +{\tilde{y}}_m^j}\rangle$. Here, the corresponding ${\tilde{y}}_i^j$ ($i=2, 3, \dots , m$) is random, because Eve doesn’t know $k_i$ and cannot calculate the right $Y_i=(y_i^1, y_i^2, \dots , y_i^{n^{\prime }})=h(r_0||r_1||\dots ||r_m||k_i)$. Thus, the probability that ${\sum }_{i=2}^m{\tilde{y}}_i^j$ is equal to ${\sum }_{i=2}^m{y}_i^j$ is ${\displaystyle \frac{1}{d}}$. After performing his decrypting operation on this particle, the state is not in one of the sets ${\Pi }_0$ if ${\sum }_{i=2}^m{\tilde{y}}_i^j\ne {\sum }_{i=2}^m{y}_i^j$, which occurs with a probability of ${\displaystyle \frac{1}{d}}$. In this case, Trent’s measurement result is random, with a probability of ${\displaystyle \frac{d-1}{d}}$. No matter what fake messages in which Eve impersonates ${\mathrm{Bob}}_i^{*}$ ($i=2, 3, \dots , m$) to announce in Phase III, this attack will also introduce a ${\left({\displaystyle \frac{d-1}{d}}\right)}^2$ error rate, which will be detected by Trent. Therefore, the result announcement phase is canceled, Eve cannot deduce any information about Bob₁’s private set according to Trent’s declared message in this phase. Moreover, since $Y_1$ remains confidential throughout the entire protocol execution, Eve is unable to infer Bob₁’s master secret key $k_1$ based on the hash function h and the values of $r_0,r_1, \dots , r_m$.

5.2. Internal Attack

In the PSI protocol, not all participants are honest. There may be one or more dishonest participants attempting to eavesdrop on secret information from other honest participants. Moreover, due to the involvement of internal participants in the protocol execution process, they may possess greater advantages than external attackers in eavesdropping on secret information. Generally speaking, internal participants pose a more significant threat compared to external attackers [31,32] and cannot be ignored. On the other hand, for the proposed protocol, it is evident that the attack launched by one dishonest participant is similar to that of an external attacker like Eve, which has been shown to be ineffective in the previous section. Therefore, in the following, we will focus on a more powerful internal attack, a collusion attack by two specific dishonest participants.

In this attack, two adjacent participants of an honest participant are dishonest, and they collaborate to steal the honest participant’s secret information. Assume ${\mathrm{Bob}}_{i-1}$ and ${\mathrm{Bob}}_{i+1}$ are dishonest, denoted as ${\mathrm{Bob}}_{i-1}^{*}$ and ${\mathrm{Bob}}_{i+1}^{*}$. They try to eavesdrop on Bob_i’s private data set by performing the following attack action.

First, instead of applying the encoding operation on the signal state $|{\varphi }_{i-1}^j\rangle$, ${\mathrm{Bob}}_{i-1}^{*}$ prepares two fake particles in $|{\phi }_0\rangle ={\sum }_{k=0}^{d-1}|k\rangle |k\rangle$. Then, he replaces the signal particle with the first fake particle and sends it to Bob_i. In Step II.3, Bob_i applies his operation $S_{y_i^j}^d{E}_{x_i^j}^d$ to this fake particle and sends it to ${\mathrm{Bob}}_{i+1}^{*}$. In this case, these two fake particles are in the state $|{\phi }_0\rangle ={\sum }_{k=0}^{d-1}{\omega }^{k(x_i^j+y_i^{j}k)}|k\rangle |k\rangle$. ${\mathrm{Bob}}_{i-1}^{*}$ and ${\mathrm{Bob}}_{i+1}^{*}$ wish to exploit this state to obtain Bob_i’s secret input $x_i^j$. $y_i^j$ is known only to Bob_i and Trent, and has not been disclosed throughout the protocol. Thus, to obtain $x_i^j$, two dishonest participants must distinguish the following sets: $({\Omega }_0,{\Omega }_1, \dots , {\Omega }_{d-1})$, where ${\Omega }_u=\{{\sum }_{k=0}^{d-1}{\omega }^{ku}|k\rangle |k\rangle ,{\sum }_{k=0}^{d-1}{\omega }^{k(u+k)}|k\rangle |k\rangle , \dots , {\sum }_{k=0}^{d-1}{\omega }^{k(u+(d-1\left)k\right)}|k\rangle |k\rangle \}$. However, these states are non-orthogonal and cannot be distinguished by any projective measurement. Furthermore, these states are linearly dependent and cannot be deterministically distinguished [33]. This implies that their attack actions will inevitably introduce errors during the eavesdropping detection process. Therefore, the proposed protocol is secure against this attack.

5.3. Semi-Honest Third Party’s Attack

In the protocol, Trent is semi-honest, which means that she cannot collude with other participants to engage in malicious activities. However, she may attempt to exploit her involvement in the protocol to eavesdrop on the secret information $x_i^j$ of participant Bob_i. To achieve this, Trent can intercept the particles transmitted by ${\mathrm{Bob}}_{i-1}$ and forward a fake particle to Bob_i. Similarly to the external attacker Eve, Trent’s attack fails to obtain Bob_i’s secret input. Thus, the proposed protocol is resistant to attacks from a semi-honest third party.

As shown in the above analysis, the proposed protocol can defend against some common internal and external attacks, making it theoretically secure. Notably, despite using classical hash functions, the security of this protocol isn’t compromised since their output isn’t publicly disclosed. To obtain the hash value $h\left(x\right)$, the signal particles that contain $h\left(x\right)$ information should be attacked, which inevitably introduces errors and is detected by the participants. This means that even if advanced quantum algorithms could break the hash function, the lack of $h\left(x\right)$ prevents computing x. Thus, the protocol can use common classical hash functions, e.g., SHA-1 and MD5, and the master keys held by the participants can be reused. However, these analyses are idealized, and practical applications may face some physical attacks, such as side-channel [34,35], photon number splitting [36], and Trojan horse attacks [37]. Fortunately, technologies like quantum teleportation, measurement-device-independent, the decoy method, and wavelength quantum filters can counteract these threats [38,39,40,41]. In practical protocol applications, integrating these technologies can ensure their security.

6. Simulation Experiment

In this section, the feasibility of the multi-party QPSI protocol is verified through an example simulation. The experimental circuit was constructed based on the proposed protocol described in Section 3 and simulated on IBM quantum experience.

For convenience, the experimental data are taken from Table 3 and Table 4. Two rounds of the protocol, based on the primes $d_1=2$ and $d_2=3$, were executed to obtain the private set intersection of four participants. Since external attacks and eavesdropping are considered independent processes in quantum protocol design, the quantum circuit in this simulation excludes identity authentication and eavesdropping detection. Therefore, the quantum simulation here focuses solely on implementing Phase II of the protocol. In the first round, the system is initialized as a quantum system with $\lceil log{d}_1\rceil =1$ qubit. Based on this quantum system, the operations in the protocol can be simplified. Specifically, the Fourier transform corresponds to the Hadamard gate (H), the operations $E_0$ and $S_0$ correspond to the identity gate I, whereas $E_1$, $S_1$ and $S_{-1}$ correspond to the Pauli-Z gate Z. According to Table 3, Trent prepares ten particles in the protocol, and each participant applies different operations to each particle. To maintain clarity, the circuit diagram depicting the evolution of the first particle is provided in Figure 2. The measurement results, including those of the first particle and the others, are given as ‘0101110100’, as illustrated in Figure 3. Then, we can obtain Z = ‘0101110010’ using $z^j=(o^j-X_0^j)mod{d}_1$.

In the second round, the system is initialized as a quantum system consisting of $\lceil log{d}_2\rceil =2$ qubits. According to the protocol, a three-dimensional Fourier transform

$$F{T}_3={\displaystyle \frac{1}{\sqrt{3}}}\left[\begin{array}{ccc}1& 1& 1\\ 1& \omega & {\omega }^2\\ 1& {\omega }^2& \omega \end{array}\right],$$

(18)

is required to prepare the initial state, where $\omega =e^{2\pi \mathrm{i}/3}$. Since Qiskit supports quantum gates only in dimensions that are powers of two, the transform matrix $F{T}_3$ is embedded into a four-dimensional space, denoted as matrix $QFT=\left[\begin{array}{cc}F{T}_3& 0\\ 0& 1\end{array}\right]$. The corresponding circuit implementation is shown in Figure 4a. Furthermore, the circuits for the operations $E_1$, $S_1$, and $S_{-1}$ are shown in Figure 4b, Figure 4c, and Figure 4d, respectively. Figure 4e illustrates the circuit for the operations performed on the first particle. The measurement outcomes of this particle and the others are ‘2102200212’, as displayed in Figure 5. Based on these measurement results, the value Z = ‘1121102212’ can be obtained by calculating $z^j=(o^j-X_0^j)mod{d}_2$.

In summary of the above simulation results, the results are consistent with the theoretical descriptions in Table 3 and Table 4. This confirms the feasibility of the proposed protocol through a concrete example.

7. Discussion and Summary

Before drawing a conclusion, it is worthwhile to discuss the performance of the proposed protocol. To better demonstrate the performance of our proposed protocol, we compare it with two existing state-of-the-art QPSI protocols, the HZZ protocol [21] and the WSW protocol [24]. The comparison presented in

Table 5. Comparison of the proposed protocol with existing QPSI protocols.

Protocols	WSW Protocol	HZZ Protocol	Our Protocol
Application scenario	Two-party	Multi-party	Multi-party
Communication complexity	$O\left(6n\right)$	$O\left(\lambda m^{2}n\right)$	$O\left(mn{log}_{2}m\right)$
Cost of eavesdropping detection	$O\left(6\xi \right)$	$O\left(3\xi m\right)$	$O\left(\xi ({log}_{2}m+m)\right)$
Quantum resource	GHZ states	Single particles	Single particles
Quantum operation	H operation	Rotation operation	Phase operation
Identity authentication	Yes	No	Yes
Deterministic or probabilistic	Deterministic	Probabilistic	Deterministic
Quantum storage	Yes	Yes	No

m = number of parties, n = cardinality of the data set.

is based on various factors, including communication complexity, quantum resources, quantum operations, etc.

Communication cost is an important indicator when analyzing the efficiency of QPSI protocols. As shown in Figure 1, the protocol involves the transmission of n qudits between Trent and m participants. Additionally, from Table 1, it is deduced that $2mn$ classical bits are required. In total, the communication overhead includes $(m+1)n\left({log}_{2}d\right)$ qubits and $2mn$ classical bits. Given that $d=m+1$, the overall communication complexity of the proposed protocol is $O\left(nm{log}_{2}m\right)$. Additionally, in the proposed protocol, there are $\xi$ particles used as the test samples. Here, the security parameter $\xi$ is determined by various factors, such as the amount of information, channel noise, and security level. To better compare the eavesdropping detection efficiency of different protocols, we can assume that each detection uses $\xi$ test samples. In addition to these $\xi$ qudits, each participant needs to transmit $\xi$ classical bits to Trent during the eavesdropping detection phase. Thus, the communication cost for the entire eavesdropping detection process is $O\left(\xi ({log}_{2}m+m)\right)$. In the HZZ protocol, the TP is required to share m rotation angle information with each participant, and it requires the transmission of $\lambda$ copies of particle sequences to ensure the correctness of the protocol. Therefore, its communication complexity is $O\left(\lambda m^{2}n\right)$. In addition, the HZZ protocol does not provide identity authentication, exposing it to impersonation risks. In the WSW protocol, which only considers the case of two parties, n three-particle GHZ states are prepared by the TP who sends each participant n particles. Thus, its quantum communication complexity is $2n$. In order to calculate the result, two participants are required to send the $2n$ classical bits message to the TP, which means that its classical communication complexity is $4n$. Therefore, the overall communication complexity of the WSW protocol is $6n$. Furthermore, to ensure the security of the transmitted particles, both the HZZ protocol and the WSW protocol require the insertion of decoy states in the quantum communication, which mandates quantum storage capabilities for all participants. In the proposed protocol, its implementation does not require quantum memory, and only single particles are employed, which makes it more feasible with current technology.

In summary, we propose a multi-party QPSI protocol with identity authentication, by which multiple participants can concurrently obtain the intersection of their private data sets with the help of a semi-honest third party. In the protocol, the TP shares a master key with each participant beforehand, which is used to authenticate their identity. The single particles randomly located in one of the MUB states are prepared by the TP and transmitted among these participants, who respectively encode their private inputs into them. The security of the proposed protocol against some common attacks has been analyzed, which shows that it is secure in the zero-error case. In the protocol, eavesdropping detection and identity authentication are ingeniously integrated, thereby enhancing the protocol’s practical detection efficiency. Moreover, since no explicit identity authentication information is disclosed, the master key can be reused, which improves the applicability of the protocol. Additionally, there is no need for participants to store the traveling particles in the proposed protocol. Thus, the implementation of this protocol does not require quantum memory, which is still difficult to achieve directly at present. Furthermore, the use of only single particles in the proposed protocol makes it more feasible with current technology. Certainly, there are other practical issues during the application of the protocol. For instance, each particle transmission among the participants inevitably incurs optical loss and phase shift. Thus, how to design an effective error recovery strategy in real-world settings will be a focal point of our future work.