Three-party quantum private computation of cardinalities of set intersection and union based on GHZ states

Abstract

Private Set Intersection Cardinality (PSI-CA) and Private Set Union Cardinality (PSU-CA) are two cryptographic primitives whereby two or more parties are able to obtain the cardinalities of the intersection and the union of their respective private sets, and the privacy of their sets is preserved. In this paper, we propose a three-party protocol to finish these tasks by using quantum resources, where every two, as well as three, parties can obtain the cardinalities of the intersection and the union of their private sets with the help of a semi-honest third party (TP). In our protocol, GHZ states play a role in encoding private information that will be used by TP to compute the cardinalities. We show that the presented protocol is secure against well-known quantum attacks. In addition, we analyze the influence of six typical kinds of Markovian noise on our protocol.

Introduction

Quantum key distribution is one kind of important cryptographic protocols based on quantum mechanics, in which any outside eavesdropper attempting to obtain the secret key shared by two users will be detected. The successful detection comes from Heisenberg’s uncertainty principle: the measurement of a quantum system, which is required to obtain information of that system, will generally disturb it. The disturbances provide two users with the information that there exists an outside eavesdropper, and they can therefore abort the communication. Nowadays, most people need to share some of their private information for certain services such as products recommendation for online shopping and collaborations between two companies depending on their comm interests. Private Set Intersection Cardinality (PSI-CA) and Private Set Union Cardinality (PSU-CA), which are two primitives in cryptography, involve two or more users who intend to obtain the cardinalities of the intersection and the union of their private sets through the minimum information disclosure of their sets^1–3.

The definition of Private Set Intersection (PSI), also called Private Matching (PM), was proposed by Freedman⁴. They employed balanced hashing and homomorphic encryption to design two PSI protocols and also investigated some variants of PSI. In 2012, Cristofaro et al.¹ developed several PSI-CA and PSU-CA protocols with linear computation and communication complexity based on the Diffie-Hellman key exchange which blinds the private information. Their protocols were the most efficient compared with the previous classical related ones. There are also other classical PSI-CA or PSU-CA protocols^5–8. Nevertheless, the security of these protocols relies on the unproven difficulty assumptions, such as discrete logarithm, factoring, and quadratic residues assumptions, which will be insecure when quantum computers are available^9–11.

For the sake of improving the security of PSI-CA protocols for two parties, Shi et al.³ designed a probabilistic protocol where multi-qubit entangled states, complicated oracle operators, and measurements in high N-dimensional Hilbert space were utilized. And the same method in Ref.³ was later used to develop a PSI-CA protocol for multiple parties¹². For easy implementation of a protocol, Shi et al.¹³ leveraged Bell states to construct another protocol for PSI-CA and PSU-CA problems that was more practical than that in Ref.³. In both protocols Ref.³ and Ref.¹³, only two parties who intend to get the cardinalities of the intersection and the union of their private sets are involved. Although Ref.¹² works for multiple parties, it only solves the PSI-CA problem and requires multi-qubit entangled states, complicated oracle operators, and measurements. It then interests us that how we could design a more practical protocol for multiple parties to simultaneously solve PSI-CA and PSU-CA problems. Inspired by Shi et al.’s work, we are thus trying to design a three-party protocol to solve PSI-CA and PSU-CA problems, where every two and three parties can obtain the cardinalities of the intersection and the union of their respective private sets with the aid of a semi-honest third party (TP). TP is semi-honest means that he loyally executes the protocol, makes a note of all the intermediate results, and might desire to take other parties’ private information, but he cannot collude with dishonest parties. We then give a detailed analysis of the presented protocol’s security. Besides, the influence of six typical kinds of Markovian noise on our protocol is also analyzed.

Preliminaries

First of all, we introduce the properties of GHZ states, and then give a detailed description of our protocol.

The standard GHZ three-qubit state is usually given by

$$\begin{array}{c}\hfill |{\phi }_{000}⟩=\frac{1}{\sqrt{2}}(|000⟩+|111⟩).\end{array}$$ 1

Let $U=ZX$, where $X=|0⟩⟨1|+|1⟩⟨0|$ and $Z=|0⟩⟨0|-|1⟩⟨1|$. Combining U and $I=|0⟩⟨0|+|1⟩⟨1|$, we can deduce the following equations:

$$\begin{array}{c}(U\otimes I\otimes I)|{\phi }_{000}⟩=\frac{1}{\sqrt{2}}(|011⟩-|100⟩)=|{\phi }_{100}⟩,\\ (I\otimes U\otimes I)|{\phi }_{000}⟩=\frac{1}{\sqrt{2}}(|101⟩-|010⟩)=|{\phi }_{010}⟩,\\ (I\otimes I\otimes U)|{\phi }_{000}⟩=\frac{1}{\sqrt{2}}(|110⟩-|001⟩)=|{\phi }_{001}⟩,\\ (U\otimes U\otimes I)|{\phi }_{000}⟩=\frac{1}{\sqrt{2}}(|001⟩+|110⟩)=|{\phi }_{110}⟩,\\ (U\otimes I\otimes U)|{\phi }_{000}⟩=\frac{1}{\sqrt{2}}(|101⟩+|010⟩)=|{\phi }_{101}⟩,\\ (I\otimes U\otimes U)|{\phi }_{000}⟩=\frac{1}{\sqrt{2}}(|011⟩+|100⟩)=|{\phi }_{011}⟩,\\ (U\otimes U\otimes U)|{\phi }_{000}⟩=\frac{1}{\sqrt{2}}(|000⟩-|111⟩)=|{\phi }_{111}⟩.\\ \end{array}$$ 2

Note that Eqs. (1)–(2) form a basis (we call it GHZ basis hereafter) for the space of the three-qubit quantum system.

Results

The proposed protocol

Our protocol will satisfy the following requirements:

1. Correctness The respective cardinalities of the intersection and the union of every two and three parties’ sets are correct.

2. Privacy TP and dishonest parties cannot learn about the elements of any party’s set.

3. Fairness All the parties are perfect peer entities and they can get the cardinalities with equal opportunities.

In our protocol, TP is assumed to be semi-honest which means that he honestly follows the protocol, writes down all the intermediate results and might attempt to obtain the elements of any party’s private set, but he cannot be collusive with any dishonest party.

Suppose that Alice, Bob and Charlie have private sets $A=\{a_1,a_2,\dots ,a_l\}$, $B=\{b_1,b_2,\dots ,b_m\}$ and $C=\{c_1,c_2,\dots ,c_n\}$, respectively, and each element of these sets lies in $Z_p$, where $Z_p=\{0,1,2\dots ,p-1\}$ and p is a large prime number. TP helps compute the cardinalities $|A\cap B|$ ($|A\cup B|$), $|A\cap C|$ ($|A\cup C|$), $|B\cap C|$ ($|B\cup C|$), and $|A\cap B\cap C|$ ($|A\cup B\cup C|$). Our protocol works as follows:

• (Step 1) Alice, Bob and Charlie run a Quantum Key Agreement (QKA) protocol^14–16 to share a secret non-zero binary key k that corresponds to a secret integer over $Z_p$. Then, Alice, Bob and Charlie compute

  $$\begin{array}{c}\hfill A^{\ast }=\left\{k,a_1,,(modp),,,\dots ,,,k,a_l,,(modp)\right\},\\ \hfill B^{\ast }=\left\{k,b_1,,(modp),,,\dots ,,,k,b_m,,(modp)\right\},\end{array}$$

  and

  $$\begin{array}{c}\hfill C^{\ast }=\left\{k,c_1,,(modp),,,\dots ,,,k,c_n,,(modp)\right\},\end{array}$$

  respectively.

• (Step 2) Alice, Bob and Charlie encode their respective sets $A^{\ast }$, $B^{\ast }$ and $C^{\ast }$ into three private vectors over $Z_p^2$ as follows: Alice constructs a private vector $(x_0,x_1,\dots ,x_{p-1})\in Z_2^p$, where $x_i=1$ if $i\in A^{\ast }$ and $x_i=0$, otherwise, for $i=0,1,\dots ,p-1$; Bob produces a private vector $(y_0,y_1,\dots ,y_{p-1})\in Z_2^p$, where $y_i=1$ if $i\in B^{\ast }$ and $y_i=0$, otherwise, for $i=0,1,\dots ,p-1$; Charlie generates a private vector $(z_0,z_1,\dots ,z_{p-1})\in Z_2^p$, where $z_i=1$ if $i\in C^{\ast }$ and $z_i=0$, otherwise, for $i=0,1,\dots ,p-1$.

• (Step 3) TP prepares p GHZ states ($G_{A0},G_{B0},G_{C0}$), ($G_{A1},G_{B1},G_{C1}$), $\dots$, ($G_{A(p-1)},G_{B(p-1)},G_{C(p-1)}$), with each GHZ state being in the state $|{\phi }_{000}⟩$. These GHZ states are referred to as encoding states. Next, TP divides all particles into three ordered sequences: $(G_{A0},G_{A1},\dots ,$ $G_{A(p-1)})$, $(G_{B0},G_{B1},\dots ,G_{B(p-1)})$, and $(G_{C0},G_{C1},\dots ,$ $G_{C(p-1)})$, which are denoted as $T_A$, $T_B$, and $T_C$, respectively.

• (Step 4) TP generates 3d decoy particles, each of which is randomly chosen from the set $\{|0⟩,|1⟩,|+⟩,|-⟩\}$, where $|+⟩=\frac{1}{\sqrt{2}}(|0⟩+|1⟩)$ and $|-⟩=\frac{1}{\sqrt{2}}(|0⟩-|1⟩)$. Afterwards, TP randomly inserts d decoy particles into $T_A$ ($T_B$, $T_C$) to form a new sequence $T_A^{\prime }$ ($T_B^{\prime }$, $T_C^{\prime }$). TP then sends $T_A^{\prime }$ ($T_B^{\prime }$, $T_C^{\prime }$) to Alice (Bob, Charlie) through a quantum channel.

• (Step 5) Confirming that Alice (Bob, Charlie) has successfully received $T_A^{\prime }$ ($T_B^{\prime }$, $T_C^{\prime }$), TP announces the inserted positions of all the d decoy particles in $T_A^{\prime }$ ($T_B^{\prime }$, $T_C^{\prime }$) and their corresponding measurement bases. Then, Alice (Bob, Charlie) measures all the decoy particles in the correct bases and announces the measurement results to TP. Next, TP compares the measurement results with their corresponding initial states. If the error rate is higher than the threshold determined by the channel noise, this protocol will be aborted. Otherwise, the protocol will continue to the next step.

• (Step 6) Alice (Bob, Charlie) removes all the decoy particles from the sequence $T_A^{\prime }$ ($T_B^{\prime }$, $T_C^{\prime }$) to obtain the initial sequence $T_A$ ($T_B$, $T_C$). For each particle in $T_A$ ($T_B$, $T_C$), Alice (Bob, Charlie) performs U on $G_{\mathit{Ai}}$ ($G_{\mathit{Bi}}$, $G_{\mathit{Ci}}$) ($i=0,1,\dots ,P-1$) if $x_i=1$ ($y_i=1,z_i=1$); otherwise, Alice (Bob, Charlie) does nothing on $G_{\mathit{Ai}}$ ($G_{\mathit{Bi}}$, $G_{\mathit{Ci}}$).

• (Step 7) Alice (Bob, Charlie) prepares d decoy particles to detect eavesdropping. Each decoy states is randomly chosen from the set $\{|0⟩,|1⟩,$ $|+⟩,|-⟩\}$. Later, Alice (Bob, Charlie) randomly inserts these d decoy particles into $T_A$ ($T_B,T_C$) to form a new sequence $T_A^{\ast }$ ($T_B^{\ast },T_C^{\ast }$), and writes down the positions and the states of these inserted states. At last, Alice (Bob, Charlie) sends $T_A^{\ast }$ ($T_B^{\ast },T_C^{\ast }$) to TP through a quantum channel.

• (Step 8) Confirming that TP has successfully received $T_A^{\ast }$ ($T_B^{\ast }$, $T_C^{\ast }$), Alice (Bob, Charlie) announces the inserted positions of all d decoy particles in $T_A^{\ast }$ ($T_B^{\ast }$, $T_C^{\ast }$) and their corresponding measurement bases. TP measures all decoy particles in the correct bases and announces the measurement results. Alice (Bob, Charlie) then compares the measurement results with their corresponding initial states. If the error rate is higher than the threshold determined by the channel noise, the protocol will be aborted. Otherwise, the protocol will continue to the next step.

• (Step 9) TP discards all decoy particles from $T_A^{\ast }$ ($T_B^{\ast }$, $T_C^{\ast }$) to attain $T_A$ ($T_B$, $T_C$). TP then selects eight variables $S_{000}$, $S_{100}$, $S_{010}$, $S_{001}$, $S_{110}$, $S_{101}$, $S_{011}$ and $S_{111}$ as the counters and sets them all to zero. Next, TP measures each trio ($G_{\mathit{Ai}}{G}_{\mathit{Bi}}{G}_{\mathit{Ci}}$) ($i=0,1,\dots ,p-1$) in the GHZ basis. If the measurement result is $|{\phi }_r⟩$ ($r\in {\{0,1\}}^3$), TP computes $S_r=S_r+1$. Finally, TP can calculate the cardinalities $|A\cap B|=S_{110}+S_{111}$, $|A\cap C|=S_{101}+S_{111}$, $|B\cap C|=S_{011}+S_{111}$, $|A\cap B\cap C|=S_{111}$, $|A\cup B|=p-S_{000}-S_{001}$, $|A\cup C|=p-S_{000}-S_{010}$, $|B\cup C|=p-S_{000}-S_{100}$, and $|A\cup B\cup C|=p-S_{000}$.

Correctness and security analyzes

In this section, we will analyze the correctness and the security of our protocol. Let us first give the analysis of the correctness.

Correctness

On the one hand, for any $x,y\in Z_p$ and $k\in Z_P-\{0\}$ , $x=y$ if and only if $kx=ky(modp)$. It is easy to deduce that

$$\begin{array}{c}\hfill \begin{array}{cc}\hfill |A\cap B|& =|A^{\ast }\cap B^{\ast }|,\hfill \\ \hfill |A\cap C|& =|A^{\ast }\cap C^{\ast }|,\hfill \\ \hfill |B\cap C|& =|B^{\ast }\cap C^{\ast }|,\hfill \\ \hfill |A\cap B\cap C|& =|A^{\ast }\cap B^{\ast }\cap C^{\ast }|,\hfill \\ \hfill |A\cup B|& =|A^{\ast }\cup B^{\ast }|,\hfill \\ \hfill |A\cup C|& =|A^{\ast }\cup C^{\ast }|,\hfill \\ \hfill |B\cup C|& =|B^{\ast }\cup C^{\ast }|,\hfill \\ \hfill |A\cup B\cup C|& =|A^{\ast }\cup B^{\ast }\cup C^{\ast }|.\hfill \end{array}\end{array}$$ 3

On the other hand, by the coding rules in (Step 2) and (Step 6), for any $i\in Z_p$, if $i\notin A^{\ast }\wedge i\notin B^{\ast }\wedge i\notin C^{\ast }$ ($i\in \overline{A^{\ast }\cup B^{\ast }\cup C^{\ast }}$), then $x_i=y_i=z_i=0$, and Alice (Bob, Charlie) does nothing on the particle $G_{\mathit{Ai}}$ ($G_{\mathit{Bi}}$,$G_{\mathit{Ci}}$) when she (he, he) receives it. TP will get the measurement result $|{\phi }_{000}⟩$ in step 9. Clearly, $S_{000}$ is used to count the number of GHZ trios whose states are the same as their original states. The cardinality of the union of the sets $A^{\ast }$, $B^{\ast }$ and $C^{\ast }$ therefore equals $p-S_{000}$. Namely, $|A\cup B\cup C|=|A^{\ast }\cup B^{\ast }\cup C^{\ast }|=p-S_{000}$. Similarly, we can analyze other cases where i belonging to different sets corresponds to three parties’ different operations; see Table 1. From step 9, we have

$$\begin{array}{cc}\hfill S_{100}=& |A^{\ast }\cap \overline{B^{\ast }}\cap \overline{C^{\ast }}|,\hfill \\ \hfill S_{010}=& |\overline{A^{\ast }}\cap B^{\ast }\cap \overline{C^{\ast }}|,\hfill \\ \hfill S_{001}=& |\overline{A^{\ast }}\cap \overline{B^{\ast }}\cap C^{\ast }|,\hfill \\ \hfill S_{110}=& |A^{\ast }\cap B^{\ast }\cap \overline{C^{\ast }}|,\hfill \\ \hfill S_{101}=& |A^{\ast }\cap \overline{B^{\ast }}\cap C^{\ast }|,\hfill \\ \hfill S_{011}=& |\overline{A^{\ast }}\cap B^{\ast }\cap C^{\ast }|,\hfill \\ \hfill S_{111}=& |A^{\ast }\cap B^{\ast }\cap C^{\ast }|,\hfill \end{array}$$ 4

where $\overline{A^{\ast }}=Z_p-A^{\ast }$, $\overline{B^{\ast }}=Z_p-B^{\ast }$, and $\overline{C^{\ast }}=Z_p-C^{\ast }$.

Table 1.

The relationship between i and three parties’ operations.

$i\in Z_p$	Alice’s operations	Bob’s operations	Charlie’s operations	TP’s measurment results
$i\in \overline{A^{\ast }}\cap \overline{B^{\ast }}\cap \overline{C^{\ast }}$	I	I	I	$|{\phi }_{000}⟩$
$i\in A^{\ast }\cap \overline{B^{\ast }}\cap \overline{C^{\ast }}$	U	I	I	$|{\phi }_{100}⟩$
$i\in \overline{A^{\ast }}\cap B^{\ast }\cap \overline{C^{\ast }}$	I	U	I	$|{\phi }_{010}⟩$
$i\in \overline{A^{\ast }}\cap \overline{B^{\ast }}\cap C^{\ast }$	I	I	U	$|{\phi }_{001}⟩$
$i\in A^{\ast }\cap B^{\ast }\cap \overline{C^{\ast }}$	U	U	I	$|{\phi }_{110}⟩$
$i\in A^{\ast }\cap \overline{B^{\ast }}\cap C^{\ast }$	U	I	U	$|{\phi }_{101}⟩$
$i\in \overline{A^{\ast }}\cap B^{\ast }\cap C^{\ast }$	I	U	U	$|{\phi }_{011}⟩$
$i\in A^{\ast }\cap B^{\ast }\cap C^{\ast }$	U	U	U	$|{\phi }_{111}⟩$

Furthermore, the relationships among $A^{\ast }$, $B^{\ast }$, $C^{\ast }$ and $Z_p$ can be illustrated by a Venn Diagram in Fig. 1, where red, blue, and green circles represent the sets $A^{\ast }$, $B^{\ast }$ and $C^{\ast }$, respectively, and $Z_p$ is the universal set. According to the Venn Diagram, we obtain the following equations:

$$\begin{array}{c}\hfill \begin{array}{cc}\hfill |A^{\ast }\cap B^{\ast }|& =|A^{\ast }\cap B^{\ast }\cap \overline{C^{\ast }}|+|A^{\ast }\cap B^{\ast }\cap C^{\ast }|\hfill \\ \hfill & =S_{110}+S_{111},\hfill \\ \hfill |A^{\ast }\cap C^{\ast }|& =|A^{\ast }\cap \overline{B^{\ast }}\cap C^{\ast }|+|A^{\ast }\cap B^{\ast }\cap C^{\ast }|\hfill \\ \hfill & =S_{101}+S_{111},\hfill \\ \hfill |B^{\ast }\cap C^{\ast }|& =|\overline{A^{\ast }}\cap B^{\ast }\cap C^{\ast }|+|A^{\ast }\cap B^{\ast }\cap C^{\ast }|\hfill \\ \hfill & =S_{011}+S_{111},\hfill \\ \hfill |A^{\ast }\cup B^{\ast }|& =|Z_p|-|\overline{A^{\ast }}\cap \overline{B^{\ast }}\cap C^{\ast }|-|\overline{A^{\ast }}\cap \overline{B^{\ast }}\cap \overline{C^{\ast }}|\hfill \\ \hfill & =p-S_{001}-S_{000},\hfill \\ \hfill |A^{\ast }\cup C^{\ast }|& =|Z_p|-|\overline{A^{\ast }}\cap B^{\ast }\cap \overline{C^{\ast }}|-|\overline{A^{\ast }}\cap \overline{B^{\ast }}\cap \overline{C^{\ast }}|\hfill \\ \hfill & =p-S_{010}-S_{000},\hfill \\ \hfill |B^{\ast }\cup C^{\ast }|& =|Z_p|-|A^{\ast }\cap \overline{B^{\ast }}\cap \overline{C^{\ast }}|-|\overline{A^{\ast }}\cap \overline{B^{\ast }}\cap \overline{C^{\ast }}|\hfill \\ \hfill & =p-S_{100}-S_{000},\hfill \\ \hfill |A^{\ast }\cup B^{\ast }\cup C^{\ast }|& =|Z_p|-|\overline{A^{\ast }}\cap \overline{B^{\ast }}\cap \overline{C^{\ast }}|\hfill \\ \hfill & =p-S_{000}.\hfill \end{array}\end{array}$$ 5

According to Eqs. (3)–(5), TP will finally obtain

$$\begin{array}{c}\hfill \begin{array}{cc}\hfill |A\cap B|& =S_{110}+S_{111},\hfill \\ \hfill |A\cap C|& =S_{101}+S_{111},\hfill \\ \hfill |B\cap C|& =S_{011}+S_{111},\hfill \\ \hfill |A\cap B\cap C|& =S_{111},\hfill \\ \hfill |A\cup B|& =p-S_{001}-S_{000},\hfill \\ \hfill |A\cup C|& =p-S_{010}-S_{000},\hfill \\ \hfill |B\cup C|& =p-S_{100}-S_{000},\hfill \\ \hfill |A\cup B\cup C|& =p-S_{000},\hfill \end{array}\end{array}$$ 6

which are the correct results.

Figure 1.

The relationships among $Z_p$, $A^{\ast }$, $B^{\ast }$ and $C^{\ast }$.

Security

In this subsection, we move on to the analysis of our protocol’s security. Two kinds of attacks, outside and participant attacks, on our protocol will be considered. Outside attacks come from an outside eavesdropper, Eve. Participant attacks can be launched by TP or dishonest parties.

Outside attacks In our protocol, TP and three parties employ decoy particles to prevent eavesdropping, which is derived from the BB84 QKD protocol¹⁷. And it has been proven to be unconditionally secure¹⁸. As we know, BB84 protocol remains secure even if the quantum channel is noisy, and our protocol can thus work on the noisy channels as well. Any eavesdropping will be detected in (Step 5) or (Step 8). Concretely, since the decoy state is randomly chosen from the set $\{|0⟩,|1⟩|+⟩|-⟩\}$, it is in the state $\rho =\frac{I}{2}$. For any trio ($G_{\mathit{Ai}},G_{\mathit{Bi}},G_{\mathit{Ci}}$) ($i=0,1,\dots ,p-1$), we have ${\rho }_{\mathit{Ai}}={\rho }_{\mathit{Bi}}={\rho }_{\mathit{Ci}}=\frac{I}{2}=\rho$. Eve thus cannot distinguish these two states. Without loss of generality, the most general strategy for Eve is that she performs an operation $U_E$ which causes the encoding states to interact coherently with an auxiliary quantum system $|e⟩$, which can be described as follows:

$$\begin{array}{c}\hfill \begin{array}{cc}\hfill U_E|0⟩|e⟩& =\alpha |0⟩\left|e_{00}\right.〉+\beta |1⟩\left|e_{01}\right.〉,\hfill \\ \hfill U_E|1⟩|e⟩& =\gamma |0⟩\left|e_{10}\right.〉+\delta |1⟩\left|e_{11}\right.〉,\hfill \end{array}\end{array}$$ 7

where ${|\alpha |}^2+{|\beta |}^2=1$ and ${|\gamma |}^2+{|\delta |}^2=1$. In what follows, we will show that in order to pass the detection, Eve’s ancillary state and the encoding state should be product states.

From Eq. (7), if the decoy state is $|0⟩$ or $|1⟩$ and Eve introduces no error in the eavesdropping check, the following condition should be satisfied:

$$\begin{array}{c}\hfill \beta =\gamma =0.\end{array}$$ 8

If the decoy state is $|+⟩$ or $|-⟩$ and Eve introduces no error in the eavesdropping check, we should have

$$\begin{array}{c}{U}_E|+⟩|e⟩\\ =\frac{1}{\sqrt{2}}\left(\alpha |0⟩\left|e_{00}\right.〉+\beta |1⟩\left|e_{01}\right.〉+\gamma |0⟩\left|e_{10}\right.〉+\delta |1⟩\left|e_{11}\right.〉\right)\\ =\frac{1}{2}\left(|+⟩\left(\alpha \left|e_{00}\right.〉+\beta \left|e_{01}\right.〉+\gamma \left|e_{10}\right.〉+\delta \left|e_{11}\right.〉\right)\right)\\ +\frac{1}{2}\left(|-⟩\left(\alpha \left|e_{00}\right.〉-\beta \left|e_{01}\right.〉+\gamma \left|e_{10}\right.〉-\delta \left|e_{11}\right.〉\right)\right)\\ =\frac{1}{2}\left(|+⟩\left(\alpha \left|e_{00}\right.〉+\beta \left|e_{01}\right.〉+\gamma \left|e_{10}\right.〉+\delta \left|e_{11}\right.〉\right)\right),\\ \end{array}$$ 9

or

$$\begin{array}{cc}& U_E|-⟩|e⟩\hfill \\ \hfill & =\frac{1}{\sqrt{2}}\left(\alpha |0⟩\left|e_{00}\right.〉+\beta |1⟩\left|e_{01}\right.〉-\gamma |0⟩\left|e_{10}\right.〉-\delta |1⟩\left|e_{11}\right.〉\right)\hfill \\ \hfill & =\frac{1}{2}\left(|+⟩\left(\alpha \left|e_{00}\right.〉+\beta \left|e_{01}\right.〉-\gamma \left|e_{10}\right.〉-\delta \left|e_{11}\right.〉\right)\right)\hfill \\ \hfill & +\frac{1}{2}\left(|-⟩\left(\alpha \left|e_{00}\right.〉-\beta \left|e_{01}\right.〉-\gamma \left|e_{10}\right.〉+\delta \left|e_{11}\right.〉\right)\right)\hfill \\ \hfill & =\frac{1}{2}\left(|-⟩\left(\alpha \left|e_{00}\right.〉-\beta \left|e_{01}\right.〉-\gamma \left|e_{10}\right.〉+\delta \left|e_{11}\right.〉\right)\right).\hfill \\ \hfill \end{array}$$ 10

Namely, the following equations

$$\begin{array}{c}\hfill \begin{array}{cc}\hfill \alpha \left|e_{00}\right.〉-\beta \left|e_{01}\right.〉+\gamma \left|e_{10}\right.〉-\delta \left|e_{11}\right.〉& =0,\hfill \\ \hfill \alpha \left|e_{00}\right.〉+\beta \left|e_{01}\right.〉-\gamma \left|e_{10}\right.〉-\delta \left|e_{11}\right.〉& =0,\hfill \end{array}\end{array}$$ 11

should hold, with 0 denoting a column zero vector. Depending on Eqs. (8) and (11), we can deduce that

$$\begin{array}{c}\hfill \begin{array}{cc}\hfill \alpha =& \delta =1,\hfill \\ \hfill \beta =& \gamma =0,\hfill \\ \hfill |e_{00}⟩& =|e_{11}⟩.\hfill \end{array}\end{array}$$ 12

Finally, we have

$$\begin{array}{c}\hfill \begin{array}{cc}\hfill U_E|0⟩|e⟩& =|0⟩\left|e_{00}\right.〉,\hfill \\ \hfill U_E|1⟩|e⟩& =|1⟩\left|e_{00}\right.〉,\hfill \\ \hfill U_E|+⟩|e⟩& =|+⟩\left|e_{00}\right.〉,\hfill \\ \hfill U_E|-⟩|e⟩& =|-⟩\left|e_{00}\right.〉.\hfill \end{array}\end{array}$$ 13

That is to say, Eve introduces no error in the eavesdropping only when her ancillary state and the encoding states are product states. Eve therefore cannot obtain useful information without being detected.

Note that our protocol involves two-way quantum transmission that may incur Trojan horse attacks^19,20. We do not even need the photon number splitter and the optical wavelength filter devices^21,22 to detect such an attack because the attacker knows nothing about three parties’ share key k that are employed to encrypt their private information.

Dishonest parties’ attacks Note that TP cannot collude with these dishonest parties. Suppose that Alice and Bob are the dishonest parties who intend to learn about Charlie’s set C. After they remove their respective decoy particles and do nothing on their particles, they may try to figure out what operations Charlie has perform on his particles to obtain $(z_0,z_1,\dots ,z_{p-1})$. If Alice and Bob can get $(z_0,z_1,\dots ,z_{p-1})$, they can easily steal Charlie’s private information because they share the same key k. Let’s consider the i-th trio of GHZ state. If $i\in C^{\ast }$, Charlie performs $U=ZX$ on the particle $G_{\mathit{Ci}}$ and then the state of $(G_{\mathit{Ai}},G_{\mathit{Bi}},G_{\mathit{Ci}})$ turns into ${\left|{\phi }_{001}\right.〉}_{G_{\mathit{Ai}}{G}_{\mathit{Bi}}{G}_{\mathit{Ci}}}=\frac{1}{\sqrt{2}}{(|110⟩}_{G_{\mathit{Ai}}{G}_{\mathit{Bi}}{G}_{\mathit{Ci}}}-{|001⟩}_{G_{\mathit{Ai}}{G}_{\mathit{Bi}}{G}_{\mathit{Ci}}})$; otherwise, the the state of $(G_{\mathit{Ai}},G_{\mathit{Bi}},G_{\mathit{Ci}})$ remains ${\left|{\phi }_{000}\right.〉}_{G_{\mathit{Ai}}{G}_{\mathit{Bi}}{G}_{\mathit{Ci}}}=\frac{1}{\sqrt{2}}{(|000⟩}_{G_{\mathit{Ai}}{G}_{\mathit{Bi}}{G}_{\mathit{Ci}}}+{|111⟩}_{G_{\mathit{Ai}}{G}_{\mathit{Bi}}{G}_{\mathit{Ci}}})$. In both case, ${\rho }_{G_{\mathit{Ai}}{G}_{\mathit{Bi}}}=\frac{1}{\sqrt{2}}{(|00⟩}_{G_{\mathit{Ai}}{G}_{\mathit{Bi}}}⟨00|+{|11⟩}_{G_{\mathit{Ai}}{G}_{\mathit{Bi}}}⟨11|)$, which means Alice and Bob cannot extract any private information from partial qubits of GHZ states. Thus, this attack by Alice and Bob is also invalid to our protocol.

TP’s attacks In our protocol, TP is assumed to be semi-honest, which means he will loyally execute the protocol, and he may use all the intermediate results to derive the other parties’ private information. However, he cannot collude with other dishonest parties.

Clearly, in 3.1, TP is able to derive $(x_0,x_1,\dots ,x_{p-1})$, $(y_0,y_1,\dots ,y_{p-1})$ and $(z_0,z_1,\dots ,z_{p-1})$ according to the original GHZ states and the measurement results in the GHZ basis. Namely, TP knows what operations Alice, Bob and Charlie have done on their particles. Even though TP can then deduce whether or not $i\in A^{\ast }$ ($i\in B^{\ast }$,$i\in C^{\ast }$), he can still not learn any information about the elements in A (B, C). For example, suppose TP knows that $i\in A^{\ast }$ (i.e. $i=k{a}_j(modp)\in A^{\ast }$), he knows nothing about $a_j\in A$ because he does not have the secret key k, whose security is guaranteed by Quantum Key Agreement. Hence, TP cannot steal three parties’ private information.

Influence of Markovian Noise on the Protocol

In this section, assuming that the quantum state generator, quantum memories, and measurement devices in our protocol are perfect, we analyze the influence of six typical sorts of Markovian noise on our protocol. The effect of quantum noise on a tripartite quantum state ${\rho }_{123}$ can be characterized as follows:

$$\begin{array}{c}\hfill {\rho }_{123}^{\prime }=\sum _{i,j,k}{K}_1^{(i)}\otimes K_2^{(j)}\otimes K_3^{(k)}{\rho }_{123}{K}_1^{(i)†}\otimes K_2^{(j)†}\otimes K_3^{(k)†},\end{array}$$ 14

where $\{K^i\}$ are Kraus operators characterizing quantum noise²³ .

Flip channels

The flip channels have the following Kraus operators²³

$$\begin{array}{c}\hfill K^{(0)}=\sqrt{1-q}I,K^{(1)}=\sqrt{q}{\sigma }_i,\end{array}$$ 15

where $i=1,2,3$ represents the bit flip (${\sigma }_1=|0⟩⟨1|+|1⟩⟨0|$) , bit-phase flip (${\sigma }_2=i(|1⟩⟨0|-|0⟩⟨1|)$) and phase flip (${\sigma }_3=|0⟩⟨0|-|1⟩⟨1|$) channels, respectively, and $q\in [0,1]$ denotes the noise strength.

Suppose that the channel between TP and Alice, the channel between TP and Bob, and the channel between TP and Charlie are the same. We first consider the bit flip channel. For a GHZ state ${\rho }_{\mathit{ABC}}=|{\phi }_{000}{⟩}_{\mathit{ABC}}⟨{\phi }_{000}|$ used for computation, after three particles arrived at Alice, Bob, and Charlie, respectively, the state of this tripartite system ABC becomes

$$\begin{array}{c}\hfill {\rho }_{\mathit{ABC}}^{\prime }=\sum _{i,j,k=0}^1{K}_A^{(i)}\otimes K_B^{(j)}\otimes K_C^{(k)}{\rho }_{\mathit{ABC}}{K}_A^{(i)†}\otimes K_B^{(j)†}\otimes K_C^{(k)†},\end{array}$$ 16

where $K_s^{(0)}=\sqrt{1-q}I,K_s^{(1)}=\sqrt{q}{\sigma }_1$ ($s\in \{A,B,C\}$).

Later, Alice, Bob, and Charlie perform unitary operations $U_A$, $U_B$ and $U_C$ on particle A, B, C, respectively, as described in (Step 6) of the proposed protocol, with $U_A$, $U_B$, $U_C$ $\in \{I,U=ZX\}$. We denote $U_{\mathit{ABC}}=U_A\otimes U_B\otimes U_C$, the state after Alice’s, Bob’s, and Charlie’s operations turns into

$$\begin{array}{c}\hfill {\rho }_{\mathit{ABC}}^{″}=U_{\mathit{ABC}}{\rho }_{\mathit{ABC}}^{\prime }{U}_{\mathit{ABC}}^{†}.\end{array}$$ 17

When TP receives these three particles from Alice, Bob, Charlie, the state of this system ABC is

$$\begin{array}{c}\hfill {\rho }_{\mathit{ABC}}^{″\prime }=\sum _{i,j,k=0}^1{K}_A^{(i)}\otimes K_B^{(j)}\otimes K_C^{(k)}{\rho }_{\mathit{ABC}}^{″}{K}_A^{(i)†}\otimes K_B^{(j)†}\otimes K_C^{(k)†}.\end{array}$$ 18

When TP measures the system ABC in the GHZ basis, he expects to obtain the measure result $U_{\mathit{ABC}}{\rho }_{\mathit{ABC}}{U}_{\mathit{ABC}}^{†}$, through which he can compute the cardinalities of intersections and unions, as described in 3.1 of our protocol. In this case, TP succeeds in the computation. We found that for all possible choices of $U_{\mathit{ABC}}$, the success probability is

$$\begin{array}{c}\hfill P_{\text{suc}}^{\text{BF}}=1-6q+18q^2-24q^3+12q^4.\end{array}$$ 19

Similarly, for bit-phase and phase channels, the success probabilities are

$$\begin{array}{c}\hfill P_{\text{suc}}^{\text{BPF}}={(1-2q+2q^2)}^3,\end{array}$$ 20

and

$$\begin{array}{c}\hfill P_{\text{suc}}^{\text{PF}}=1-6q+30q^2-80q^3+120q^4-96q^5+32q^6,\end{array}$$ 21

respectively.

The variation of these three success probabilities for flip channels are depicted in Fig. 2.

Figure 2.

The variations of the success probabilities $P_{\mathit{suc}}$ using three kinds of flip channel with noise strength q.

Depolarizing

The depolarizing channel can be characterized by the following Kraus operators²³

$$\begin{array}{ccc}& K^{(1)}=\sqrt{1-\frac{3}{4}q}I,\hfill & \hfill K^{(2)}=\frac{\sqrt{q}}{2}{\sigma }_1,\\ \hfill & K^{(3)}=\frac{\sqrt{q}}{2}{\sigma }_2,\hfill & \hfill K^{(4)}=\frac{\sqrt{q}}{2}{\sigma }_3,\end{array}$$ 22

where ${\sigma }_1=|0⟩⟨1|+|1⟩⟨0|$, ${\sigma }_2=i(|1⟩⟨0|-|0⟩⟨1|)$, ${\sigma }_3=|0⟩⟨0|-|1⟩⟨1|$, and $q\in [0,1]$ is the noise strength.

Suppose that the channel between TP and Alice, the channel between TP and Bob, and the channel between TP and Charlie are the same. Using the similar method in Flip channels analysis, the success probability of TP obtaining the correct measurement result is

$$\begin{array}{c}\hfill P_{\text{suc}}^{\text{Dep}}=\frac{1}{8}(8-36q+78q^2-92q^3+63q^4-24q^5+4q^6),\end{array}$$ 23

for all different choices of $U_{\mathit{ABC}}$.

Amplitude damping

The amplitude damping channel is used for the description of energy dissipation, which contains the Kraus operators²³ as follows

$$\begin{array}{c}\hfill K^{(1)}=\left[\begin{array}{cc}1& 0\\ 0& \sqrt{1-q}\end{array}\right],K^{(2)}=\left[\begin{array}{cc}0& \sqrt{q}\\ 0& 0\end{array}\right],\end{array}$$ 24

where $q\in [0,1]$ is the noise strength.

Suppose that the channel between TP and Alice, the channel between TP and Bob and the channel between TP and Charlie are the same. Using the similar method in Flip channels analysis, the success probability of TP obtaining the correct measurement result is

$$\begin{array}{c}\hfill \begin{array}{cc}\hfill P_{\text{suc}}^{\text{AD1}}=& \frac{1}{4}(4-12q+21q^2+(-22+8\sqrt{1-q})q^3\hfill \\ \hfill & +(15-8\sqrt{1-q})q^4-6q^5+q^6),\hfill \end{array}\end{array}$$ 25

for the cases where $U_{\mathit{ABC}}=I\otimes I\otimes I$ and $U_{\mathit{ABC}}=U\otimes U\otimes U$. For other cases, the success probability changes to

$$\begin{array}{c}\hfill P_{\text{suc}}^{\text{AD2}}=-\frac{1}{4}(-1+q)(4-8q+9q^2+(-5+4\sqrt{1-q})q^3+q^4).\end{array}$$ 26

Phase damping

The phase damping channel is characterized by the Kraus operators²³ as follows

$$\begin{array}{c}\hfill K^{(1)}=\left[\begin{array}{cc}1& 0\\ 0& \sqrt{1-q}\end{array}\right],K^{(2)}=\left[\begin{array}{cc}0& 0\\ 0& \sqrt{q}\end{array}\right],\end{array}$$ 27

where $q\in [0,1]$ is the noise strength.

Suppose that the channel between TP and Alice, the channel between TP and Bob, and the channel between TP and Charlie are the same. Using the similar method in Flip channels analysis, the success probability of TP obtaining the correct measurement result is

$$\begin{array}{c}\hfill P_{\text{suc}}^{\text{PD}}=\frac{1}{2}(2-3q+3q^2-q^3),\end{array}$$ 28

for all sorts of choices of $U_{\mathit{ABC}}$.

The variations of the success probabilities of depolarizing, amplitude damping and phase damping channels are depicted in Fig. 3.

Figure 3.

The variations of the success probabilities $P_{\mathit{suc}}$ on the depolarizing, amplitude damping, and phase damping channels with noise strength q.

Discussion and Conclusions

We presented a three-party protocol to compute the cardinalities of the intersection and the union between any two sets and among three sets with the help a semi-honest party TP. The security analysis showed that our protocol can resist some well-known quantum attacks. In addition, we analyzed the influence of six typical sorts of Markovian noise on the success probabilities of a GHZ state used for computation. The analysis showed that among three kinds of flip channels, the bit-phase flip channel affects our protocol most. It is interesting to see that on the amplitude damping channel, the success probabilities of the cases where $U_{\mathit{ABC}}=I\otimes I\otimes I$ and $U_{\mathit{ABC}}=U\otimes U\otimes U$ are the same, but for other cases, they share another success probabilities.

In practice, quantum error correction codes are usually employed to protect quantum states from errors induced by noise. There is also research on designing robust quantum cryptographic protocols based on some specific quantum states over special noisy channels (e.g. collective noise channels)¹⁶. Note that imperfect devices, such as quantum state generators and measurement devices, may also affect the robust of quantum cryptographic protocol, we will further conduct research on these topics in the future.

Author contributions

Study conception, design, and writing of the manuscript: C.Z., Z.S. and Q.H. Analysis and discussion: Y.L., Z.S. and Q.L. All authors reviewed the manuscript.

Competing interests

The authors declare no competing interests.