Secure Private Comparison of Equality using Quantum Resources

Private comparison of equality is an essential task in secure multiparty computation. In this paper, we investigate such a task in quantum settings. Particularly, we design a comparison protocol using quantum resources. The protocol allows three users to verify whether the private inputs of three users are identical and preserve their inputs’ privacy without an extra third party who can help the verifying process. The proposed protocol does not require unitary operations for the information encoding, which, to some extent, facilitates the protocol’s implementation. In addition, the Trojan horse attacks are invalid to the proposed protocol as it only employs one-step quantum transmissions. We also show that the presented protocol is secure against some well-known attacks.


Introduction
The protocol for the millionaires' problem was presented by Yao [1] for the first time in 1998. This protocol aims at determining who is richer between two users and keeping the privacy of their wealth. Since then, many researchers have been investigating how to compare private information. Reference [2] showed a protocol to verify whether two users' private inputs are the same. Lo [3] proved that twoparty equality evaluation in quantum settings is not secure. Yang et al. [4] used Einstein-Podolsky-Rosen pairs and a hash function for the design of the protocol of quantum private comparison (QPC). Reference [5] gave an efficient protocol to check if the users' inputs are the same using triplet states. Tseng et al. [6] presented a protocol with high efficiency for equality comparison. In their protocol, it is not necessary to utilize EPR pairs. References [7][8][9][10] investigated QPC protocols that employ various entangled states like triplet W states and -type states. Huang et al. [11] proposed a protocol to privately compare the inputs between users and investigated the effect of collective noise on their protocol. In reference [12], single photons are used to design a QPC protocol in which collective detection is involved. In reference [13], a quantum research algorithm is utilized for the construction of a QPC protocol. Ji et al. [14] presented several QPC protocols, in each of which entanglement and dense coding are employed. Note that these protocols are for the private comparison in a two-party scenario. One may be interested in private comparison among multiple parties. Reference [15] gave one of such protocols using GHZ class states. Reference [16] presented another one depending on d-dimensional basis states and in this protocol, entanglement swapping is not required. We were interested in other quantum states that can be employed to devise multiparty QPC protocols. Finally, based on the genuinely maximally entangled six-qubit state, we devise a three-party QPC protocol without an extra third party. Our contributions are: (1) presenting a novel three-party protocol for equality comparison which does not require unitary operations for encoding; (2) and giving a method to 1 This six-qubit state is denoted by φ hereafter and it will be employed to construct a secure three-party QPC protocol.
|10〉 , | 〉 √ |0〉 |1〉 , and | 〉 √ |0〉 |1〉 , are needed to detect the honesty of the user who generates and distributes the particles of φ . We adopt the assumption that the classical channels in our protocol are authenticated and that the quantum channels are also authenticated. Three users in our protocol can be denoted by , and , respectively. Suppose that 1, 2, 3 has a secret bit string with length of as his/her private input. They intend to verify whether the equation holds, and meanwhile keep their private inputs secret. The protocol works on the assumption that is the user who prepares the state φ . Three users in advance agree on the following encoding: | is encoded as bits 00; | is encoded as bits 10; | is encoded as bits 10; | is encoded as bits 11. This encoding rule will be used to generate users' private keys according to their measurement results. The whole process of our protocol is in the following: (I) generates ( represents the ceiling function) φ . He/she then selects particles 3 and 4 (particles 6 and 5) from each φ to construct an ordered sequence ( ). Next, generates 2 decoy particles to detect outside eavesdropping. The quantum state of each of the decoy particles is chosen from |0 , |1 , | , | randomly. After that he/she at random puts the first (second) decoy particles into ( ) to produce a new sequence * ( * ). Note that the initial states of the decoy particles and their positions in * and * should not be revealed to anyone at this step. Finally, sends * and * to and , respectively, and holds the sequence that orderly consists of particles 1 and 2 from each Ψ in his/her own lab. (II) After and have received * and * , respectively, the information of the decoy states and their positions in * and * is sent to and , respectively. ( ) then performs appropriate measurements on the decoy particles with the basis |0 , |1 (C-basis) or the basis | , | (Dbasis) depending on 's information. Specifically, given that a decoy particle's initial state is in |0 or |1 (| or | ), the measurement with the C-basis (the D-basis) will be performed on this particle. ( ) then announces his/her measurement results. Based on these results and the decoy particles' initial states, calculates a rate of errors occurred. A high error rate exceeding the threshold will lead to an abortion of the protocol, and the protocol will then restart from Step (I). The low error rate below the threshold allows the protocol to proceed. (III) In this step, collaborates with to detect the honesty of , namely ( ) should exactly receive ( ). First, ( ) takes out the decoy particles from * ( * ) to obtain ( ). Next, they select states of φ (sample states) randomly for detection and announce the sample states' positions to . and then request to perform measurement with a random basis from |0 , |1 , | , | on particles 1 and 2 of each sample state. Given that carries out a measurement with the C-basis (the D-basis) on particles 1 and 2, does a measurement with the C-basis (the D-basis) on particle 3, and and perform a measurement with the basis Β (Β ) on particles (4,5,6). At last, and compute a rate of errors occurred by comparing their measurement results. A high rate of errors which exceeds the threshold will give rise to an abortion of the protocol, and the protocol will then restart from Step (I). The low error rate below the threshold suggests that ( ) exactly receives ( ) and it allows the protocol to proceed to the next step. (IV) After discarding the sample states, ( , ) performs a measurement with the Bell basis | 〉, | 〉, | 〉 , | 〉 on particles 1 and 2 (particles 3 and 4, particles 6 and 5)) of the -th φ

Correctness Analysis
We now analyse the presented protocol's correctness. The properties of the state and the encoding rule give ⊕ ⊕ 0 (0 here denotes a bit string that has 0 ) in Step (V) of our protocol. Upon receiving and from and , respectively, could compute

Analysis of Security
3.2.1. Analysis of Security Against Outside attacks. Decoy particles are usually used to detect eavesdropping attacks like intercept-resend and entanglement-measurement attacks. This similar idea was first used in the BB84 protocol [24]. The outside adversary Eve who intends to eavesdrop will be caught in Step (II) of the protocol. Here we analyse the case where Eve starts an attack by intercepting and resending particles. Suppose that a decoy particle's state is |0 . As Eve knows nothing about all the quantum states of decoy particles, she may perform the measurement with the C-basis or the D-basis randomly on this decoy particle, and transmit a fake one generated by her own relying on the result after measurement to or . In Step (II), the probability that the attack will be detected is 1/4. such decoy particles give the probability of being caught 1 .
will be approaching to 1 as goes large enough. Therefore, this attack started by Eve will be invalid to our protocol. Obviously, Eve can easily obtain , , and . However, these ciphertexts are encrypted by the keys that are in users' hands. Eve thus cannot derive users' private bit strings without the keys from these ciphertexts. There exists delay-photon Trojan horse attack as well as invisible photon Trojan horse attack in quantum cryptographic protocols which involve relaying quantum communication [25][26][27]. Hence these attacks are invalid to the proposed protocol as it only uses one-step quantum communications.

Attacks from either or .
Let us move on to the analysis of the case where either or wants to learn the others' private inputs. Without loss of generality, is assumed to be a dishonest user who intends to obtain 's and 's private bit strings. To finish this task, has to learn the values of and . He will, however, fail to do that. We now study the attacks launched by who wishes to learn 's and 's private inputs. In our protocol, is equipped with more quantum devices than and as he/she is in charge of the preparation and distribution of the quantum state . may produce fake particles and pass them to and . After that, derives the exact values of 's and 's keys according to the fake particles. Consequently, he/she obtains 's and 's private bit strings and by using and to decrypt and , respectively. For example, deliberately transmits particles that form a Bell state | (| ) to or if he wants some two bits in to be 11 (10). can also be honest to prepare instead of fake particles. then transmits particular particles to ( ) in such a way that he later derives others' keys based on their measurement results and the encoding rule. However, these attacks are also invalid to our protocol as and can learn the dishonesty of in Step (III) by using quantum states of .
's most general attack can be characterized as a unitary operator . performs on qubits that contain and a probe state whose initial state is |0 before sending and the particles. One can prove that final quantum state of would be unentangled with 's probe state if he/she passes the detection in Step (III). This implies that will obtain nothing about 's and 's measurement results through the probe. Hence cannot learn anything about and . Note that any two users can work together to obtain the third one's key relying on the equation ⊕ ⊕ =0, and therefore steal his/her private bit string. Designing practical multi-party QPC protocols secure against this attack will be our future work.

Conclusion
This study has presented a secure three-party QPC protocol using the quantum state for the comparison of equality. Three users can verify whether their private bit stings are the same and protect their inputs' privacy. Quantum unitary operations are not needed in our protocol for information coding due to the great properties of . We have also analysed the protocol's security in details and shown that the outside and participant attacks are invalid to the presented protocol.