Hybrid Quantum Protocols for Secure Multiparty Summation and Multiplication

Abstract

The summation and multiplication are two basic operations for secure multiparty quantum computation. The existing secure multiparty quantum summation and multiplication protocols have (n, n) threshold approach and their computation type is bit-by-bit, where n is total number of players. In this paper, we propose two hybrid (t, n) threshold quantum protocols for secure multiparty summation and multiplication based on the Shamir’s secret sharing, SUM gate, quantum fourier transform, and generalized Pauli operator, where t is a threshold number of players that can perform the summation and multiplication. Their computation type is secret-by-secret with modulo d, where d, n ≤ d ≤ 2n, is a prime. The proposed protocols can resist the intercept-resend, entangle-measure, collusion, collective, and coherent quantum attacks. They have better computation as well as communication costs and no player can get other player’s private input.

Introduction

The secure multiparty quantum computation is an essential component in quantum cryptography. The summation and multiplication are two basic operations for secure multiparty quantum computation. The secure multiparty quantum summation and multiplication include a list of secrets, which is shared among a set of players and the players jointly perform summation or multiplication without revealing their secrets. The classical summation and multiplication protocols cannot provide the unconditional secure communications. However, the quantum summation and multiplication protocols can provide the unconditional security as they are based on the principles of quantum mechanics like quantum correlation¹, entanglement for bipartite system², Heisenberg XYZ model³. In 2007, Du et al.⁴ discussed a secure multiparty quantum addition modulo n + 1 protocol based on the non-orthogonal states, where n is total number of players. In 2010, Chen et al.⁵ introduced a secure multiparty quantum addition modulo 2 protocol based on multi-particle entangle. In 2014, Zhang et al.⁶ presented a protocol with addition modulo 2 based on both polarization of a single photon. In 2010, a three-party quantum addition modulo 2 protocol was discussed by Zhang et al.⁷. These protocols have some limitations, for example, they cannot perform addition correctly if one player is dishonest as these protocols have (n, n) threshold approach, and the modulo of these protocols is very small. They have high communication and computation costs due to the bit-by-bit computation. In 2015, Shi et al.⁸ discussed a secure multiparty quantum summation and multiplication protocol. This protocol is efficient, but it has (n, n) threshold approach. In 2017, Shi and Zhang⁹ introduced a two-party quantum protocol for summation. This protocol cannot perform summation correctly if one party is dishonest. In the same year, a multiparty quantum summation modulo 2 protocol was discussed by Zhang et al.¹⁰. This protocol is efficient but its modulo is too small. Then, Liu et al.¹¹ discussed a secure multiparty quantum summation protocol based on two particle Bell States. This protocol is efficient but its modulo is 2 and it has (n, n) threshold approach. In 2018, Yang and Ye¹² introduced a secure multiparty quantum protocol for summation based on the quantum Fourier transform. The computation type of this protocol is secret-by-secret, but it has (n, n) threshold approach. Recently, Jiao et al.¹³ have discussed a secure multiparty quantum summation and multiplication protocol with mutually unbiased bases. This protocol is efficient, but the computation type of this protocol is secret-by-secret and it has (n, n) threshold approach. Most of the existing secure multiparty summation and multiplication protocols have (n, n) threshold approach and bit-by-bit computation type. Further, they are not practically feasible as they require high communication as well as computation costs.

In this paper, we propose two hybrid (t, n) threshold quantum protocols for secure multiparty summation and multiplication. In order to incorporate the advantages of both quantum and classical multiparty summation and multiplication, we apply the quantum methods in a secure multiparty computation. The novelty of the proposed work can be summarized as follows. Our protocols have (t, n) threshold approach, where t players can perform the quantum summation and multiplication systematically and efficiently without revealing their privacy. They require less communication and computation costs as their computation type is secret-by-secret. Further, our proposed protocols possess all the benefits(i.e., they use qudit instead of qubit, do not require the secret information to be passed through the transmitted particles, do not require to perform entanglement measurement, and the quantum attacks cannot be performed) of the existing secure multiparty quantum summation and multiplication.

Preliminaries

Here, we introduce the Shamir’s secret sharing, quantum state, SUM gate, quantum Fourier transform (QFT), and generalized Pauli operator, which will be used in our work.

Shamir’s secret sharing

In the Shamir’s secret sharing, there is a set of players $\mathcal{P}=\{P_1,P_2,\dots ,P_n\}$ and a dealer¹⁴. This secret sharing scheme consists of two phases: secret sharing and secret reconstruction. In secret sharing phase, the dealer shares a secret among n players using a (t − 1) degree polynomial f(y); each player knows only his share. In secret reconstruction phase, the t players reconstruct the secret using the Lagrange interpolation. The Lagrange Interpolation is defined as follows.

$$f\left(y\right)=\sum _{k=1}^{t}f\left(y_k\right)\prod _{1\le j\le t,j\ne k}\frac{y-y_j}{y_k-y_j}$$ 1

For y = 0, Eq.(1) can be written as follows.

$$\begin{array}{lll}\hfill f\left(0\right)& \hfill =\hfill & \sum _{k=1}^{t}f\left(y_k\right)\prod _{1\le j\le t,j\ne k}\frac{-y_j}{y_k-y_j}\hfill \\ \hfill & \hfill =\hfill & \sum _{k=1}^{t}f\left(y_k\right)\prod _{1\le j\le t,j\ne k}\frac{y_j}{y_j-y_k}\hfill \end{array}$$ 2

Quantum State

In quantum computing, the d-level quantum state is defined as follows¹⁵.

$$|\mathit{\varphi }\rangle =\sum _{l=0}^{d-1}{C}_l|l\rangle$$ 3

It must satisfy ${\sum }_{l=0}^{d-1}|C_l{|}^2=1$, where C_l represents complex number.

SUM gate

In quantum computing, the SUM gate is defined as follows¹⁶.

$$SUM\left(|u\rangle ,|v\rangle \right)=\left(|u\rangle ,|u+v\mathrm{mod}d\rangle \right),$$ 4

where |u〉 and |v〉 denote control and target particles, respectively, and $u,v\in \{0,1,\dots ,d-1\}$.

Quantum Fourier Transform (QFT)

The discrete Fourier transform is the foundation of QFT. The d-level QFT is defined as follows⁸.

$$QFT|p\rangle =\frac{1}{\sqrt{d}}\sum _{l=0}^{d-1}{\omega }^{p.l}|q\rangle$$ 5

where, ω represents e^2πi.

Generalized Pauli operator

In quantum computing, the d-level generalized Pauli operator is defined as follows¹⁷.

$$U_{\gamma ,\delta }=\sum _{l=0}^{d-1}{\omega }^{l.\delta }|l+\gamma \rangle \langle l|,$$ 6

where, $\gamma ,\delta \in \{0,1,\dots d-1\}$.

Proposed Protocols

In this section, we propose two hybrid (t, n) threshold secure multiparty quantum summation and multiplication protocols. Let X and Y have two secrets a and b, respectively, and want to perform (a + b) or (a × b) without revealing their secrets. In these proposed protocols, we assume that the set of players $\mathcal{P}=\{P_1,P_2,\dots ,P_n\}$, a qualified subset $\mathbb{S}=\{P_1,P_2,\dots ,P_t\}$, each qualified subset containing t players and player P₁ is an initiator.

Hybrid secure multiparty quantum summation protocol

Here, we discuss our proposed hybrid (t, n) threshold secure multiparty quantum summation, whose procedure is given as follows.

Step 1: The X and Y choose two different polynomials $f\left(y\right)=a+c_{1}y+c_2{y}^2+\dots +c_{t-1}{y}^{t-1}\mathrm{mod}d$ and $g\left(y\right)=b+{\overline{c}}_{1}y+{\overline{c}}_2{y}^2+\dots +{\overline{c}}_{t-1}{y}^{t-1}\mathrm{mod}d$, where $c_1,c_2,\dots ,c_{t-1}$ and ${\overline{c}}_1,{\overline{c}}_2,\dots ,{\overline{c}}_{t-1}$ are coefficients and a and b are the secrets of X and Y, respectively. Then, they compute the classical shares f(y_i) and g(y_i), respectively, using the Shamir’s Secret Sharing¹⁴ and distribute these shares among the set of players $\mathcal{P}=\{P_1,P_2,\dots ,P_n\}$. Player P_i, $i=1,2,\dots ,n$, possesses only his shares f(y_i) and g(y_i).

Step 2: Player P_i, $i=1,2,\dots ,$ computes $h\left(y_i\right)=f\left(y_i\right)+g\left(y_i\right)\mathrm{mod}d$ and keeps h(y_i) secret.

Step 3: Player P_k, $k=1,2,\dots ,t$, computes the shadow of his shares, denoting as A_k, as follows.

$$A_k=h\left(y_k\right)\prod _{1\le j\le t,j\ne k}\frac{y_j}{y_j-y_k}\mathrm{mod}d$$ 7

Step 4: Initiator P₁ prepares t single qudit particles |0〉₁, |0〉₂, …, |0〉_t and applies QFT on the first particle |0〉₁. The resultant state |ϕ₁〉 is given as follows.

$$|{\varphi }_1\rangle =\left(QFT{|0\rangle }_1\right)=\frac{1}{\sqrt{d}}\sum _{l=0}^{d-1}{|l\rangle }_1$$ 8

Here, |ϕ₁〉 and |0〉_k’s, $k=2,3,\dots ,t$, are control and target qudits, respectively.

Step 5: Player P₁ performs (t − 1) SUM operations to produce the entangled state |ϕ₂〉 as follows.

$$|{\varphi }_2\rangle =\frac{1}{\sqrt{d}}\sum _{l=0}^{d-1}{|l\rangle }_1{|l\rangle }_2\dots {|l\rangle }_k.$$ 9

Initiator P₁ sends the particle |l〉_k to each player P_k, $k=2,3,\dots ,t$.

Step 6: Each player P_k, $k=2,3,\dots ,t$, applies the QFT operation on his particle |l〉_k and then executes the generalized Pauli operator $U_{A_k,0}$, $k=1,2,\dots ,t$. The quantum state |ϕ₂〉 is evolved as the quantum state |ϕ₃〉, which is obtained as follows:

$$\begin{array}{lll}\hfill |{\varphi }_3\rangle & \hfill =\hfill & U_{A_1\mathrm{,0}}QFT\otimes U_{A_2\mathrm{,0}}QFT\otimes \dots \otimes U_{A_k\mathrm{,0}}QFT|{\varphi }_2\rangle \hfill \\ \hfill & \hfill =\hfill & d^{-\frac{t+1}{2}}\sum _{0\le m_1,m_2,\dots ,m_k<d\mathrm{, }{m}_1+m_2+,\dots ,+m_k\mathrm{=0}modd}|m_1+A_1\rangle |m_2+A_2\rangle \dots |m_k+A_k\rangle \hfill \end{array}$$ 10

Step 7: In computational basis, each player P_k, $k=2,3,\dots ,t$, measures his particle $|m_k+A_k\rangle$ and broadcasts his measurement result m_k + A_k, $k=1,2,\dots ,t$.

Step 8: Finally, they jointly compute the summation by adding their measurement results. The summation of the secrets is computed as: $(a+b)={\sum }_{k=1}^t{m}_k+A_k\mathrm{mod}d$.

Hybrid secure multiparty quantum multiplication protocol

Here, we discuss our proposed quantum protocol for secure multiparty multiplication, whose procedure is given as follows.

Step 1: Initially, X and Y select two different polynomials $f\left(y\right)=a+c_{1}y+c_2{y}^2+\dots +c_{t-1}{y}^{t-1}\mathrm{mod}d$ and $g\left(y\right)=b+{\overline{c}}_{1}y+{\overline{c}}_2{y}^2+\dots +{\overline{c}}_{t-1}{y}^{t-1}\mathrm{mod}d$, where a and b are the secrets of X and Y, $c_1,c_2,\dots ,c_{t-1}$ and ${\overline{c}}_1,{\overline{c}}_2,\dots ,{\overline{c}}_{t-1}$ are coefficients of polynomials f(y) and g(y), respectively. Then, they compute the classical shares f(y_i) and g(y_i), respectively, and distribute them among n players. Player P_i, $i=1,2,\dots ,n$, knows his shares f(y_i) and g(y_i) only.

Step 2: Player P_i, $i=1,2,\dots ,n$, computes $h\prime \left(y_i\right)=f\left(y_i\right)\times g\left(y_i\right)\mathrm{mod}d$ and shares $h\prime \left(y_i\right)$ among n players using new random polynomial $z_i\left(x\right)=h\prime \left(y_i\right)+{\beta }_{1}x+{\beta }_2{x}^2+\dots +{\beta }_{t-1}{x}^{t-1}\mathrm{mod}d$. The total polynomial, denoted as T_i, is computed by each player P_i, $i=1,2,\dots ,n$, using the Vandermonde matrix¹⁸. Player P_i, $i=1,2,\dots ,n$, knows T_i only.

Step 3: Each player P_k, $k=1,2,\dots ,t$, computes the shadow B_k of his share as follows.

$$B_k=T_k\prod _{1\le j\le t,j\ne k}\frac{x_j}{x_j-x_k}\mathrm{mod}d$$ 11

Step 4: Initiator P₁ prepares t single qudit particles ${|0\rangle }_1,{|0\rangle }_2,\dots ,{|0\rangle }_t$ and applies QFT on the first particle 0₁. The resultant state |Φ₁〉 is given as follows.

$$|{\mathrm{\Phi }}_1\rangle =\left(QFT{|0\rangle }_1\right)=\frac{1}{\sqrt{d}}\sum _{r=0}^{d-1}{|r\rangle }_1.$$ 12

Here, |Φ₁〉 denotes control qudit and |0〉_k’s, $k=2,3,\dots ,t)$, denote target qudits.

Step 5: Initiator executes (t − 1) SUM operations to get the entangled state |Φ₂〉, as follows.

$$|{\mathrm{\Phi }}_2\rangle =\frac{1}{\sqrt{d}}\sum _{r=0}^{d-1}{|r\rangle }_1{|r\rangle }_2\dots {|r\rangle }_k.$$ 13

Initiator P₁ sends the particle |r〉_k to each player P_k, $k=2,3,\dots ,t$.

Step 6: Each player P_k, $k=2,3,\dots ,t$, applies QFT on his particle |r〉_k, followed by the generalized Pauli operator $U_{B_k,0}$. The quantum state |Φ₂〉 is evolved as the resultant state |Φ₃〉,which is given below:

$$\begin{array}{lll}\hfill |{\mathrm{\Phi }}_3\rangle & \hfill =\hfill & U_{B_1,0}QFT\otimes U_{B_2,0}QFT\otimes \dots \otimes U_{B_k,0}QFT|{\mathrm{\Phi }}_2\rangle \hfill \\ \hfill & \hfill =\hfill & d^{-\frac{t+1}{2}}\sum _{0\le w_1,w_2,\dots ,w_k<d,w_1+w_2+,\dots ,+w_k=0\mathrm{mod}d}|w_1+B_1\rangle |w_2+B_2\rangle \dots |w_k+B_k\rangle \hfill \end{array}$$ 14

Step 7: Each player P_k, $k=2,3,\dots ,t$, measures his particle $|w_k+B_k\rangle$ in computational basis and broadcasts his measurement result w_k + B_k.

Step 8: Finally, they compute the multiplication by adding their measurement results. The multiplication of the secrets is computed as: $(a\times b)={\sum }_{k=1}^t{w}_k+B_k\mathrm{mod}d$.

Correctness

In this section, we prove the correctness of our proposed protocols. We discuss the correctness proof of the secure multiparty quantum summation protocol only. The correctness proof of the secure multiparty quantum multiplication protocol is very much similar to that of the secure multiparty quantum summation protocol.

Correctness Proof

lemma 1

If all players in a qualified subset $\mathbb{S}=\{P_1,P_2,\dots ,P_t\}$ act honestly, then they can perform summation $(a+b)={\sum }_{k=1}^t{A}_k\mathrm{mod}d$.

proof 1

On Applying QFT and Pauli operators by each player P_k, $k=1,2,\dots ,t$, on his particle gives the quantum state as follows.

$$\begin{array}{lll}\hfill |{\varphi }_3\rangle & \hfill =\hfill & U_{A_1,0}QFT\otimes U_{A_2,0}QFT\otimes \dots \otimes U_{A_t,0}QFT\left(\frac{1}{\sqrt{d}}\sum _{l=0}^{d-1}{|l\rangle }_1{|l\rangle }_2\dots {|l\rangle }_t\right)\hfill \\ \hfill & \hfill =\hfill & \frac{1}{\sqrt{d}}\sum _{l=0}^{d-1}{U}_{A_1,0}QFT{|l\rangle }_1\otimes U_{A_2,0}QFT{|l\rangle }_2\otimes \dots \otimes U_{A_t,0}QFT{|l\rangle }_t\hfill \\ \hfill & \hfill =\hfill & \begin{array}{l}\frac{1}{\sqrt{d}}\sum _{l=0}^{d-1}\left(U_{A_1,0}\frac{1}{\sqrt{d}}\sum _{m_1=0}^{d-1}{\omega }^{m_{1}l}|m_1\rangle \right)\otimes \left(U_{A_2,0}\frac{1}{\sqrt{d}}\sum _{m_1=0}^{d-1}{\omega }^{m_{2}l}|m_2\rangle \right)\\ \otimes \dots \otimes \left(U_{A_t,0}\frac{1}{\sqrt{d}}\sum _{m_1=0}^{d-1}{\omega }^{m_{t}l}|m_t\rangle \right)\end{array}\hfill \\ \hfill & \hfill =\hfill & \frac{1}{\sqrt{d}}\sum _{l=0}^{d-1}{d}^{\frac{-t}{2}}\sum _{0\le m_1,m_2,\dots ,m_t<d}{\omega }^{(m_1+\dots +m_t)l}|m_1+A_1\rangle \otimes |m_2+A_2\rangle \otimes \dots \otimes |m_t+A_t\rangle \hfill \\ \hfill & \hfill =\hfill & d^{-\frac{t+1}{2}}\sum _{0\le m_1,m_2,\dots ,m_t<d}\sum _{l=0}^{d-1}{\omega }^{(m_1+\dots +m_t)l}|m_1+A_1\rangle \otimes |m_2+A_2\rangle \otimes \dots \otimes |m_t+A_t\rangle \hfill \\ \hfill & \hfill =\hfill & d^{-\frac{t+1}{2}}{s}_{0}d\sum _{0\le m_1,m_2,\dots ,m_t<d,m_1+m_2+,\dots ,+m_t=0\mathrm{mod}d}|m_1+A_1\rangle \otimes |m_2+A_2\rangle \otimes \dots \otimes |m_t+A_t\rangle \hfill \end{array}$$

Each player P_k, $k=1,2,\dots ,t$, measures his particle in computational basis. The compute the sum after receiving others players’ measurement results.

$$\sum _{k=1}^t{m}_k+A_k\stackrel{d}{\equiv }\sum _{k=1}^t{m}_k+\sum _{k=1}^t{A}_k\stackrel{d}{\equiv }\sum _{k=1}^t{A}_k\mathrm{mod}d$$ 15

From Eq. (15), we get sum of the secrets $(a+b)={\sum }_{k=1}^t{A}_k\mathrm{mod}d$.

Example

Here, we illustrate our proposed secure multiparty quantum summation and multiplication protocols using an example. Suppose X and Y have two secrets 4 and 2, respectively, and want to compute their sum and multiplication without revealing their secrets. The X and Y share these secrets among 7 players $\mathcal{P}=\{P_1,P_2,\dots ,P_7\}$ and the qualified subset $\mathbb{S}=\{P_1,P_2,P_3\}$ computes the summation and multiplication. The X and Y select prime as 11. Thus, prime d = 11, threshold t = 3, and total number of players n = 7.

Summation example

Example.

Consider that X and Y choose their respective polynomials $f\left(y\right)=4+2y+3y^2\mathrm{mod}11$ and $g\left(y\right)=2+3y+y^2\mathrm{mod}11$. They compute their classical shares f(y_i) and g(y_i) and distribute these shares among 7 players $\mathcal{P}=\{P_1,P_2,\dots ,P_7\}$. Each player P_i, $i=1,2,\dots ,7$, computes $h\left(y_i\right)=f\left(y_i\right)+g\left(y_i\right)\mathrm{mod}11$. The computation of share and h(y_i) are shown in Table 1. Each player P_k, k = 1, 2, 3, (of qualified subset $\mathbb{S}=\{P_1,P_2,P_3\}$) computes the shadow of his share A_k as follows:

$$A_k=h\left(y_k\right)\prod _{1\le j\le t,j\ne k}\frac{y_j}{y_j-y_k}\mathrm{mod}d$$

$$A_1=4\times \left(\frac{2}{2-1}\times \frac{3}{3-1}\right)\mathrm{mod}11=1$$

$$A_2=10\times \left(\frac{1}{1-2}\times \frac{3}{3-2}\right)\mathrm{mod}11=3$$

$$A_3=2\times \left(\frac{1}{1-3}\times \frac{2}{2-3}\right)\mathrm{mod}11=2$$

Table 1.

Share Computation for Summation and Multiplication.

Players		P1	P2	P3	P4	P5	P6	P7
Shares	f(yi)	9	9	4	5	1	3	0
	g(yi)	6	1	9	8	9	1	6
	h(yi) = f(yi) + g(yi)	4	10	2	2	10	4	6
	h′(yi) = f(yi) × g(yi)	10	9	3	7	9	3	0
Polynomials: zi(x)		10 + x + 2x2	9 + 3x + x2	3 + 2x + 2x2	7 + 2x + 3x2	9 + 5x + x2	3 + 2x + x2	0 + x + 5x2
Shares	z1(xi)	2	9	9	2	10	0	5
	z2(xi)	2	8	5	4	5	8	2
	z3(xi)	7	4	5	10	8	10	5
	z4(xi)	1	1	7	8	4	6	3
	z5(xi)	4	1	0	1	4	9	5
	z6(xi)	8	8	3	4	0	2	10
	z7(xi)	6	0	4	7	9	10	10
	Ti	7	9	3	0	0	3	9

Initiator P₁ computes $|{\varphi }_2\rangle =\frac{1}{\sqrt{11}}{\sum }_{l=0}^{10}{|l\rangle }_1{|l\rangle }_2{|l\rangle }_3$ and sends the particle |l〉_k to each player P_k, k = 2, 3. Each player P_k (of qualified subset $\mathbb{S}=\{P_1,P_2,P_3\}$) applies QFT and generalized Pauli operators U_1,0, U_3,0, U_2,0 on his particle. Hence,

$$\begin{array}{lll}\hfill |{\varphi }_3\rangle & \hfill =\hfill & U_{1,0}QFT\otimes U_{3,0}QFT\otimes U_{2,0}QFT\left(\frac{1}{\sqrt{11}}\sum _{l=0}^{10}{|l\rangle }_1{|l\rangle }_2{|l\rangle }_3\right)\hfill \\ \hfill & \hfill =\hfill & \frac{1}{\sqrt{11}}\sum _{l=0}^{10}{U}_{1,0}QFT{|l\rangle }_1\otimes U_{3,0}QFT{|l\rangle }_2\otimes U_{2,0}QFT{|l\rangle }_3\hfill \\ \hfill & \hfill =\hfill & \begin{array}{l}\frac{1}{\sqrt{11}}\sum _{l=0}^{10}{U}_{1,0}\left(\frac{1}{\sqrt{11}}\sum _{m_1=0}^{10}{\omega }^{m_{1}l}|m_1\rangle \right)\otimes U_{3,0}\left(\frac{1}{\sqrt{11}}\sum _{m_2=0}^{10}{\omega }^{m_{2}l}|m_2\rangle \right)\\ \otimes U_{2,0}\left(\frac{1}{\sqrt{11}}\sum _{m_3=0}^{10}{\omega }^{m_{3}l}|m_3\rangle \right)\end{array}\hfill \\ \hfill & \hfill =\hfill & \frac{1}{11}\sum _{l=0}^{10}\sum _{0\le m_1,m_2,m_3\le 10}{\omega }^{(m_1+m_2+m_3)l}|m_1+1\rangle |m_2+3\rangle |m_3+2\rangle \hfill \\ \hfill & \hfill =\hfill & \frac{1}{11}\sum _{0\le m_1,m_2,m_3\le 10}\sum _{l=0}^{10}{\omega }^{(m_1+m_2+m_3)l}|m_1+1\rangle |m_2+3\rangle |m_3+2\rangle \hfill \\ \hfill & \hfill =\hfill & 11s_1\sum _{0\le m_1,m_2,m_3\le 10,m_1+m_2+m_3=0\mathrm{mod}11}|m_1+1\rangle |m_2+3\rangle |m_3+2\rangle \hfill \end{array}$$

Finally, the players measure (computational basis) their particles and broadcast their respective measurement results m₁ + 1, m₂ + 3, m₃ + 2. They get the sum by adding their measurement results as follows:

$$m_1+1+m_2+3+m_3+2\stackrel{11}{\equiv }{m}_1+m_2+m_3+6\stackrel{11}{\equiv }6\mathrm{mod}11=6$$

Example of multiplication

Example.

Similar to summation, X and Y select their respective polynomials $f\left(y\right)=4+2y+3y^2\mathrm{mod}11$ and $g\left(y\right)=2+3y+y^2\mathrm{mod}11$ and compute their respective classical shares f(y_i) and g(y_i). They distribute these shares among 7 players $\mathcal{P}=\{P_1,P_2,\dots ,P_7\}$. Each player P_i, $i=1,2,\dots ,7$, computes $h\prime \left(y_i\right)=f\left(y_i\right)\times g\left(y_i\right)\mathrm{mod}d$ and these $h\prime \left(y_i\right)$ shares are shared among n players using new random polynomial $z_i\left(x\right)=h\prime \left(y_i\right)+{\beta }_{1}x+{\beta }_2{x}^2+\dots +{\beta }_{t-1}{x}^{t-1}\mathrm{mod}d$. The shares of total polynomial, denoted as T_i, are computed by each player P_i, $i=1,2,\dots ,7$, using the Vandermonde matrix¹⁸. The computation of T_i is shown in Table 1. Each player P_k, k = 1, 2, 3, (of qualified subset $\mathbb{S}=\{P_1,P_2,P_3\}$) computes the shadow of his shares B_k as follows.

$$B_k=T_k\prod _{1\le j\le t,j\ne k}\frac{y_j}{y_j-y_k}\mathrm{mod}d$$

$$B_1=7\times \left(\frac{2}{2-1}\times \frac{3}{3-1}\right)\mathrm{mod}11=10$$

$$B_2=9\times \left(\frac{1}{1-2}\times \frac{3}{3-2}\right)\mathrm{mod}11=6$$

$$B_3=3\times \left(\frac{1}{1-3}\times \frac{2}{2-3}\right)\mathrm{mod}11=3$$

Initiator P₁ computes $|{\mathrm{\Phi }}_2\rangle =\frac{1}{\sqrt{11}}{\sum }_{r=0}^{10}{|r\rangle }_1{|r\rangle }_2{|r\rangle }_3$, sends the particle |r〉_k to player P_k, k = 2, 3. Each player P_k (of qualified subset $\mathbb{S}=\{P_1,P_2,P_3\}$) applies QFT operation and generalized Pauli operators U_10,0, U_6,0, U_3,0 on his particles as follows.

$$\begin{array}{lll}\hfill |{\mathrm{\Phi }}_3\rangle & \hfill =\hfill & U_{\mathrm{10,0}}QFT\otimes U_{\mathrm{6,0}}QFT\otimes U_{\mathrm{3,0}}QFT\left(\frac{1}{\sqrt{11}}\sum _{r\mathrm{=0}}^{10}{|r\rangle }_1{|r\rangle }_2{|r\rangle }_3\right)\hfill \\ \hfill & \hfill =\hfill & \frac{1}{\sqrt{11}}\sum _{r\mathrm{=0}}^{10}{U}_{\mathrm{10,0}}QFT{|r\rangle }_1\otimes U_{\mathrm{6,0}}QFT{|r\rangle }_2\otimes U_{\mathrm{3,0}}QFT{|r\rangle }_3\hfill \\ \hfill & \hfill =\hfill & \begin{array}{l}\frac{1}{\sqrt{11}}\sum _{r\mathrm{=0}}^{10}{U}_{\mathrm{10,0}}\left(\frac{1}{\sqrt{11}}\sum _{w_1\mathrm{=0}}^{10}{\omega }^{w_{1}r}|w_1\rangle \right)\otimes U_{\mathrm{6,0}}\left(\frac{1}{\sqrt{11}}\sum _{w_2\mathrm{=0}}^{10}{\omega }^{w_{2}r}|w_2\rangle \right)\\ \otimes U_{\mathrm{3,0}}\left(\frac{1}{\sqrt{11}}\sum _{w_3\mathrm{=0}}^{10}{\omega }^{w_{3}r}|w_3\rangle \right)\end{array}\hfill \\ \hfill & \hfill =\hfill & \frac{1}{11}\sum _{r\mathrm{=0}}^{10}\sum _{0\le w_1,w_2,w_3\le 10}{\omega }^{(w_1+w_2+w_3)r}|w_1+10\rangle |w_2+6\rangle |w_3+3\rangle \hfill \\ \hfill & \hfill =\hfill & \frac{1}{11}\sum _{0\le w_1,w_2,w_3\le 10}\sum _{r\mathrm{=0}}^{10}{\omega }^{(w_1+w_2+w_3)r}|w_1+10\rangle |w_2+6\rangle |w_3+3\rangle \hfill \\ \hfill & \hfill =\hfill & 11s_1\sum _{0\le w_1,w_2,w_3\le \mathrm{10, }{w}_1+w_2+w_3\mathrm{=0}mod11}|w_1+10\rangle |w_2+6\rangle |w_3+3\rangle \hfill \end{array}$$

Finally, players measure (computational basis) their particle and broadcasts their measurement results w₁ + 10, w₂ + 6, w₃ + 3. They get the multiplication by adding measurement results as follows:

$$w_1+10+w_2+6+w_3+3\stackrel{11}{\equiv }{w}_1+w_2+w_3+19\stackrel{11}{\equiv }19\mathrm{mod}11=8$$

Security Analysis

In this section, we analyze the security of our proposed secure multiparty quantum summation and multiplication protocols. We mainly focus on the security analysis of summation protocol because the security analysis of multiplication protocol is very much similar to that of summation protocol.

Intercept-resend attack

Suppose an eavesdropper E intercepts the particle |l〉_k and measures it in the computational basis $\left\{|1\rangle ,|2\rangle ,\dots ,|d-1\rangle \right\}$ to extract the information about the shadow of the share. The eavesdropper E prepares a fake particle ${\overline{l}}_k$ and resends it to player P_k, $k=2,3,\dots ,t$. If E performs this attack, then he can compute l correctly with probability $\frac{1}{d}$. But E cannot get any valuable information about the share of the shadow from l, because |l〉_k does not contain any valuable information about the shadow of the share.

Collusion attack

In our proposed protocols, each player P_k measures his particle $|m_k+A_k\rangle$ and broadcasts his measurement result $m_k+A_k$, $k=1,2,\dots ,t$. Thus, other players cannot obtain the shadow of the share (A_k). Suppose the dishonest players P_r−1 and P_r+1 collude together to obtain other players’ shadow of the share A_k. They cannot get any information about the shadow of the share because player P₁ only sends the particles |l〉_k to other players; nothing else, and the particles |l〉_k don’t carry any valuable information about the shadow of the share. So, this attack is not possible in our proposed protocols.

Entangle-measure attack

In this attack, the eavesdropper E intercepts all the particles |l〉_k, when the initiator P₁ sends the particles |l〉_k to player P_k, $k=2,3,\dots ,t$. Further, E selects a intercepted particle |l〉_m and prepares an ancillary particle |c〉. The d-level SUM operation is performed by E on |l〉_m to entangle the ancillary particle |c〉. The quantum state |ϕ₂〉 is evolved as |ϕ₂〉′, which is given below.

$$\begin{array}{lll}\hfill |{\varphi }_2\rangle \prime & \hfill =\hfill & \left(SUM\left({|l\rangle }_m,|c\rangle \right)\right)|{\varphi }_2\rangle \hfill \\ \hfill & \hfill =\hfill & \frac{1}{\sqrt{d}}\sum _{l=0}^{d-1}{|l\rangle }_1,{|l\rangle }_2,\dots ,{|l\rangle }_t|l\oplus c\rangle \hfill \end{array}$$

E prepares another secret particle |l〉_o and performs d-level SUM operation on |c〉. The quantum state |ϕ₂〉′ is evolved as |ϕ₂〉″, which is given below.

$$\begin{array}{lll}\hfill |{\varphi }_2\rangle ″& \hfill =\hfill & \left(SUM\left({|l\rangle }_o,|l\oplus c\rangle \right)\right)|{\varphi }_2\rangle \hfill \\ \hfill & \hfill =\hfill & \frac{1}{\sqrt{d}}\sum _{l=0}^{d-1}{|l\rangle }_1,{|l\rangle }_2,\dots ,{|l\rangle }_t|l\oplus l\oplus c\rangle \hfill \\ \hfill & \hfill =\hfill & |{\varphi }_2\rangle |c\rangle \hfill \end{array}$$

The ancillary particle |c〉 is measured by E and gets the initial value |c〉. So, E concludes that the particles |l〉_m and |r〉_r are the same. Based on this conclusion, E assumes that all the particles |l〉_k’s are same. Thus, E cannot get any information about the shadow of the share from this attack.

Collective attack

In this attack, E interacts with each qudit by preparing an independent ancillary particle and jointly performs the measurement operation on all the ancillary qudit to get the shadow of the share. E prepares an independent ancillary particle |c〉 to interact with each qudit of player $P_k,k=1,2,\dots ,t$. After interacting, E gets the particle |l〉_k and jointly performs the measurement operation in the computational basis $\left\{|1\rangle ,|2\rangle ,\dots ,|d-1\rangle \right\}$ to learn the shadow of the share. From this joint measurement, E cannot get any information about the shadow of the share because |l〉_k does not contain any information of the shadow of the share.

Coherent attack

In coherent attack, E jointly interacts with all qudit of player $P_k,k=1,2,\dots ,t$, by preparing an independent ancillary particle |c〉 and he gets each player’s particle |l〉_k. E jointly performs the measurement operation in computational basis $\left\{|1\rangle ,|2\rangle ,\dots ,|d-1\rangle \right\}$ on each player’s particle |l〉_k. From this measurement of particle |l〉_k, E only gets l with probability $\frac{1}{d}$. But, l does not contain any valuable information about the shadow of the share. Here, E only knows the interacting particle |l〉_k, nothing else. So, from this attack, E cannot learn the shadow of the share.

Performance Analysis

Here, we analyze the performance of our proposed secure multiparty quantum summation and multiplication protocols and compare it with that of ten existing secure multiparty quantum summation and multiplication protocols: Du et al.’s protocol⁴, Chen et al.’s protocol⁵, Zhang et al.’s protocol⁶, Zhang et al.’s protocol⁷, Shi et al.’s protocol⁸, Shi’s protocol⁹, Zhang et al.’s protocol¹⁰, Liu et al.’s protocol¹¹, Yang’s protocol¹² and Jiao et al.’s protocol¹³ based on three parameters: cost, universality, and attack. The Du et al.’s protocol⁴ is based on multiparty computation but it has (n, n) threshold approach and its modulo is n + 1 and computation type is bit-by-bit. The Chen et al.’s⁵, Zhang et al.s⁶, Zhang et al.’s⁷ protocols are based on multiparty computation but they have (n, n) threshold approach; their modulo are 2 and computation type is bit-by-bit. The protocols of Chen et al.⁵ and Zhang et al.⁶ perform 1 Unitary operation. Both the protocols of Shi et al.⁸ are based on multiparty computation and computation type is secret-by-secret, but they have (n, n) threshold approach. In the Shi et al.’s protocols⁸, the QFT is applied on the first particle by initiator Bob₁,who sends second particle to next player. Then, the unitary operation is performed by each player Bob_i, i = 2, 3, …, n. Initiator Bob₁ applies QFT⁻¹ on his particle. So, the total computation and communication costs of these protocols are 1QFT + 1QFT⁻¹ + (n − 1) unitary operations + 2 measure operation and n, respectively. The Shi’s protocol⁹ is based on multiparty computation but it has (n, n) threshold approach and its computation type is bit-by-bit. The Zhang et al.’s protocol¹⁰ is based on multiparty computation but it has (n, n) threshold approach with bit-by-bit computation type and modulo of 2. The total computation cost of this protocol is n measure operations. The Liu et al.’s protocol¹¹ is based on multiparty computation but it has (n, n) threshold approach with bit-by-bit computation type and modulo of 2. The total computation and computation costs of this protocol is n and n, respectively. The Yang’s protocol¹² is based on multiparty computation but it has (n, n) threshold approach. The total computation and communication costs of this protocol are nQFT + n measure operation and (n − 1), respectively. The Jiao et al.’s protocol¹³ is based on multiparty computation but it has (n, n) threshold approach with bit-by-bit computation type. The total computation and communication costs of this protocol is n unitary operation + n measure operations and n, respectively. However, our proposed summation and multiplication protocols are based on multiparty computation with modulo d, have (n, n) threshold approach, and their computation type is secret-by-secret. The total computation and communication costs of these protocols are 1QFT + (t − 1) unitary operation + t measure operation and (t − 1), respectively. So, our protocols are more secure, flexible, and practical as compared to the existing summation and multiplication protocols. The comparison of cost, universality, and attack are shown in Table 2. In this table, IR, EM, Comt, Com, s-by-s, b-by-b, Summ. and Multi. denote intercept-resend attack, entangle-measure attack, computation cost, communication cost, secret-by-secret, bit-by-bit, summation and multiplication, respectively.

Table 2.

Comparison in terms of Cost, Universality, and Attack.

Protocols				Du4	Chen5	Zhang6	Zhang7	Shi8		Shi9	Zhang10	Liu11	Yang12	Jiao13		Proposed
Operation				Summ.	Summ.	Summ.	Summ.	Summ.	Multi.	Summ.	Summ.	Summ.	Summ.	Summ.	Multi.	Summ.	Multi.
Performance Parameters	Costs	Comt.	QFT	—	—	—	—	1	1	—	—	—	n	—	—	1	1
			QFT−1	—	—	—	—	1	1	—	—	—	—	—	—	—	—
			Unitary Operation	—	1	1	—	n − 1	n − 1	—	—	—	—	n	n	t − 1	n − 1
			Measure Operation	—	—	—	—	2	2	—	n	n	n	n	n	t	t
		Com.	Message Particle	—	—	—	—	—	—	—	—	—	—	—	—	t − 1	t − 1
			Decoy Particle	—	—	—	—	n	n	—	—	n	n − 1	n	n	—	—
	Univ.	Model		(n, n)	(n, n)	(n, n)	(n, n)	(n, n)	(n, n)	(n, n)	(n, n)	(n, n)	(n, n)	(n, n)	(n, n)	(t, n)	(t, n)
		Modulo		n + 1	2	2	2	N	N	—	2	2	d	N	N	d	d
		Qubits		—	—	—	—	$\lceil {log}_2^d\rceil n$	$\lceil {log}_2^d\rceil n$	$2\lceil {log}_2^d\rceil n$	—	2	—	—	—	—	—
		Type of Computation		b-by-b	b-by-b	b-by-b	b-by-b	s-by-s	s-by-s	b-by-b	b-by-b	b-by-b	s-by-s	b-by-b	b-by-b	s-by-s	s-by-s
	Attacks	IR		—	Yes	Yes	Yes	Yes	Yes	—	Yes	Yes	Yes	Yes	Yes	Yes	Yes
		Collusion		—	Yes	No	No	—	—	—	Yes	—	Yes	—	—	Yes	Yes
		EM		—	—	Yes	—	Yes	Yes	—	—	Yes	Yes	Yes	Yes	Yes	Yes
		Collective		—	—	—	—	—	—	—	—	—	—	—	—	Yes	Yes
		Coherent		—	—	—	—	—	—	—	—	—	—	—	—	Yes	Yes

Conclusion

In this paper, we have presented the hybrid (t, n) threshold quantum protocols for multiparty summation and multiplication. They have better communication and computation costs as the type of computation is secret-by-secret. They can resist the quantum attacks, i.e., intercept-resend, entangle-measure, collusion, collective, and coherent. No player cannot get other players’ private information. Our protocols are more secure, flexible, and practical as compared to the existing summation and multiplication protocols. Further, they possess all the benefits (i.e., use qudit instead of qubit, do not pass any secret information through the transmitted particles, do not perform entanglement measurement, and quantum attacks are not possible) of the existing secure multiparty quantum summation and multiplication.

Author contributions

Study conception, design, and writing of the manuscript: K.S. Analysis: H.O. All authors reviewed the manuscript.

Competing interests

The authors declare no competing interests.