Introduction

Nowadays, quantum computations and quantum communications1 have received extensive attention and gained lots of promising achievements, e.g., quantum cryptography2, quantum teleportation3 and quantum artificial intelligence4,5.

Early 70s in the last century, Stephen Wiesner first presented the idea of quantum cryptography (e.g., quantum money). However, unfortunately, his innovative idea could not be immediately accepted at that time. Until 1984, C. H. Bennett and G. Brassard6 revived the research of quantum cryptography by presenting famous quantum key distribution (QKD) protocol, later called BB84 protocol.

The security of quantum cryptography is guaranteed by the physical principles of quantum mechanics, so it can provide unconditional security in theory. Since Bennett and Brassard presented the first quantum key distribution (i.e., BB84 QKD) protocol, quantum cryptography has been widely studied and rapidly developed. Nowadays, many results have been reported, such as quantum secret sharing7, quantum secure direct communication8,9,10, quantum encryption11, quantum signature12,13,14, quantum authentication15,16, and blind quantum computation17,18.

In addition, there are also many well-known issues involving the protection of privacy in classical setting such as electronic voting, electronic auction, electronic payment, and so on. Furthermore, these issues have also been studied extensively in quantum setting, and accordingly there have appeared the corresponding quantum protocols, such as quantum voting19, quantum auction20, quantum e-payment21, and so on.

In this paper, we focus on quantum auction, especially a specific type of quantum auction, i.e., quantum sealed-bid auction (QSA). In currently existing QSA schemes, there is only one winning bidder, who will win the auction finally, but the auctioneer needs to know all bids of all bidders, including the non-winning bidders. That is, even if the non-winning bidder cannot win the auction, he still needs to privately send his bid to the auctioneer. In certain settings, these QSA schemes do not meet the higher secure requirements, because the non-winning bidders lack the privacy protection, which has been the focus of everyone’s attention in modern society. In this paper, we mainly consider how to further protect the privacy of the non-winning bidders in QSA.

Related Works

Electronic auction plays an important role in modern economy especially concerned with networks. Generally, electronic auction can be mainly classified into three categories: English auction, Dutch auction and Sealed-bid auction. The traditional English auction is a public ascending price auction. In this auction, the auctioneer first gives a base price, and then some bidder bids a higher price than the base price. Furthermore, the next bidder outbids the last bidder, and the process continues until no one else bids a higher price. Finally, the item is sold to the highest bidder at the highest bid. On the contrary, the Dutch auction is a public descending price auction. The auctioneer in Dutch auction begins with a high asking price which is lowered until some bidder is willing to accept the auctioneer’s price. Difference from the former two auctions, the sealed-bid auction needs to protect the privacy of the bids and ensure the fairness among the bidders. That is, any eavesdropper cannot get any private information about the bids, and the auctioneer cannot help any bidder to win the auction unfairly. During traditional sealed-bid auction, the bidder does not know the bids of others. After all bids are transmitted privately to the auctioneer, the auctioneer selects out the highest bid and announces it and the corresponding winner.

The first quantum sealed-bid auction protocol was proposed by Naseri in 200920. The auction protocol introduced a multi-party quantum secure direct communication protocol to privately transmit the bids. However, Qin et al.22 and Yang et al.23 independently pointed out that there was a secure flaw in Naseri’ protocol, i.e., a malicious bidder could obtain all private bids without being found by performing double Controlled NOT attack or using fake entangled particles. Then they improved Naseri’s original protocol by inserting some decoy particles into the transmitted particles. In addition to the detecting strategy of the decoy particles, there still appeared other defense strategies24,25 to prevent these attacks. Furthermore, Zhao et al.26 found that these previously proposed protocols were unfair, i.e., a malicious bidder could collude the dishonest auctioneer to perform a collusion attack to win the auction unfairly. Accordingly, they presented a security protocol for QSA with post-confirmation26. Subsequently, in order to enhance the security of QSA or ensure the feasibility of QSA, many quantum protocols with post-confirmation were proposed27,28,29,30,31,32,33. In 2017, we presented an economic and feasible quantum sealed-bid auction protocol based on single photons in both the polarization and the spatial-mode degrees of freedom34. In our protocol, the post-confirmation mechanism uses single photons instead of entangled EPR pairs, and it does not require quantum memory. Therefore, our protocol is a practical and feasible quantum sealed-bid auction.

In all previously proposed quantum sealed-bid auction (QSA) protocols, it requires all bidders to send their real bids to the auctioneer. Even if the bidder can not win the auction, the auctioneer also knows his or her real bid. However, in practical settings, the bidders who will not be able to win the auction don’t want to reveal their real bids. That is, the non-winning bidders lack the privacy protection in current QSA schemes. In this paper, we present a strong privacy-preserving QSA model. In our model, anyone cannot get the real bid of other bidders, even for the auctioneer. So the privacy of the bidders can be better protected in our model. In addition, the bids of the bidders are anonymous, i.e., no one can discern who these bids belong to. Furthermore, we design a novel privacy-preserving QSA scheme based on Grover’s search algorithm. The proposed scheme not only guarantees the correctness and fairness of the auction, but also ensures the privacy and anonymity of the bidders, even for the auctioneer. Compared with the current existing quantum sealed-bid auction, our proposed scheme can provide stronger privacy protections, which are urgently requirements in modern network society.

Results and Discussion

Privacy-preserving quantum sealed-bid auction

System model

Here we first present our system model for privacy-preserving quantum sealed-bid auction (PQSA), in which there are two kinds of participants, i.e., an auctioneer (Alice) who wants to sell an item at the highest possible price and n bidders (Bob1, Bob2, …, Bobn) who want to buy the item alone at the lowest possible price. In our PQAS model, suppose that there is a circle quantum channel among the auctioneer and all bidders (see the solid line in Fig. 1) and there is a classical channel between any two participants (see the dashed line in Fig. 1).

Figure 1
figure 1

A system model of QAS.

Full size image

Initially, Alice has a valuation price (x) of the item, and each bidder (Bobi) has a private bid (xi) for the item. Furthermore, we assume that the valuation price and all bids are not changed during the whole auction. Finally, Alice can select out the highest bid. If the highest bid is greater than or equal to her initial valuation price, then she will announce the winner and the highest bid. Otherwise, she will declare the failure to all bidders. In addition, our PQSA should meet the following secure and privacy requirements:

The auctioneer’s privacy: All bidders can not get any private information about the auctioneer’s initial valuation price (x) before announcing the winner or the failure of the auction.

The bidder’s privacy: No one can get the private bid of the bidder without risking the auctioneer’s detection.

Anonymity: The bidder’s bid is anonymous for all participants, including the auctioneer. That is, even if a dishonest participant or an outsider attacker gets a bid, he or she cannot identify whose bid it is.

Public verifiability: When the winner is announced, anyone can verify the authenticity of the winning bid. This attribute can defend the collusion attack between the malicious bidder and the dishonest auctioneer.

Fairness: The auctioneer cannot help a malicious bidder to win the auction illegally without being found by other bidders.

Proposed scheme

In the following scheme, we mainly consider the honest-but-curious model, which is similar to the semi-honesty model in the classical setting. That is, the parties honestly execute the protocol, but they try to find out as much as possible about the other inputs despite following the protocol. Furthermore, suppose that the initial valuation price and all bids lie in ZN = {0, 1, 2, …, N − 1}. For simplicity, we assume that all bids are distinct. In addition, we assume that there is a public hash H(·).

Step 1. Each bidder Bobj (j = 1, 2, …, n) randomly selects an integer rjZN and computes \({b}_{j}=H({r}_{j}\oplus H({r}_{j}\oplus {x}_{j}))\). Then the bidder Bobj sends bj to all other participants by the classical channel. That is, the bidder Bobj commits xj to all other participants, but no participant can get xj only from bj without rj. In addition, the auctioneer Alice also needs to commit x to all bidders, i.e., she selects a random number rZN, computes \(b=H(r\oplus H(r\oplus x))\) and sends b to all bidders by the classical channel.

Step 2. Repeat the following procedures p + q times, including the normal procedure (to find the highest bid) p times and the test procedure (to detect the dishonesty or attacks) q times, where p = lnn, and q is a secure parameter, e.g., q = p. That is, Alice randomly selects to execute the following normal procedure with the probability of \(\frac{p}{p+q}\) or the following test procedure with the probability of \(\frac{q}{p+q}\).

The normal procedure: (1.1) Alice first prepares a general state \({|\psi }_{h}=\frac{1}{\sqrt{N}}\sum _{i=0}^{N-1}|i{\rangle }_{h}\) and a basis state |0〉t, which are both logN qubits. Furthermore, Alice performs logN CNOT gate operators35 on the product state \(|\psi {\rangle }_{h}|0{\rangle }_{{\rm{t}}}\), where each qubit of the first logN qubits is the control qubit and the corresponding qubit of the second logN qubits is the target qubit (see Fig. 2). Here we call the resultant state |ψ0〉, which is written as

$$\begin{array}{ccc}|{\psi }_{0}\rangle & = & CNO{T}^{\otimes {\rm{l}}{\rm{o}}{\rm{g}}N}|\psi {\rangle }_{h}|0{\rangle }_{t}\\ & = & CNOT(1,\,{\rm{l}}{\rm{o}}{\rm{g}}\,N+1)\otimes CNOT(2,\,{\rm{l}}{\rm{o}}{\rm{g}}\,N+2)\ldots \\ & & \otimes CNOT({\rm{l}}{\rm{o}}{\rm{g}}\,N,2\,{\rm{l}}{\rm{o}}{\rm{g}}\,N)(\frac{1}{\sqrt{N}}\sum _{i+0}^{N-1}{|i\rangle }_{h}|0{\rangle }_{t})\\ & = & \frac{1}{\sqrt{N}}\sum _{i=0}^{N-1}{|i\rangle }_{h}|i{\rangle }_{t.}\end{array}$$
(1)

Clearly, |ψ0〉 is an entangled state. Here, the subscript h and t denote two registers, where the register h will stay at home and the register t will be transmitted through the quantum channel. Then Alice sends the register t to the first bidder Bob1 through the quantum channel.

Figure 2
figure 2

Quantum circuit for the preparation of the initial state.

Full size image

(1.2) After receiving the register t, the bidder Bob1 prepares a basis state |0〉 in an auxiliary register, and applies an oracle operator \({U}_{Bo{b}_{1}}\) to the register t and the auxiliary register, where the oracle operator \({U}_{Bo{b}_{1}}\) is defined by

$${U}_{Bo{b}_{1}}:\frac{1}{\sqrt{N}}{\sum }_{i=0}^{N-1}|i{\rangle }_{t}\otimes |0\rangle \to \frac{1}{\sqrt{N}}{\sum }_{i=0}^{N-1}|i{\rangle }_{t}|0\oplus f(i,{x}_{1})\rangle ,$$
(2)

with

$$f(i,{x}_{1})=\{\begin{array}{ll}1 & if\,i={x}_{1}\\ 0 & else\end{array}.$$
(3)

Let \(|{\psi }_{1}=\frac{1}{\sqrt{N}}{\sum }_{i=0}^{N-1}|i{\rangle }_{h}|i{\rangle }_{t}|f(i,{x}_{1})\rangle \) (i.e., the state of the whole quantum system). Obviously, \(|{\psi }_{1}=\frac{1}{\sqrt{N}}[|{x}_{1}{\rangle }_{h}|{x}_{1}{\rangle }_{t}|1\rangle +\)\(\sum _{i\ne {x}_{1}}|i{\rangle }_{h}|i{\rangle }_{t}|0\rangle ]\). That is, the oracle operator \({U}_{Bo{b}_{1}}\) is utilized to mark the item x1.

(1.3) Furthermore, the bidder Bob1 sends the two registers (i.e., \(\frac{1}{\sqrt{N}}{\sum }_{i=0}^{N-1}|i{\rangle }_{t}|f(i,{x}_{1})\rangle \)) to the second bidder Bob2 through the quantum channel.

(1.4) After receiving \(\frac{1}{\sqrt{N}}{\sum }_{i=0}^{N-1}|i{\rangle }_{t}|f(i,{x}_{1})\rangle \), similarly, the bidder Bob2 applies an oracle operator \({U}_{Bo{b}_{2}}\) to \(\frac{1}{\sqrt{N}}{\sum }_{i=0}^{N-1}|i{\rangle }_{t}|f(i,{x}_{1})\rangle \), where the oracle operator \({U}_{Bo{b}_{2}}\) is defined by his bid x2 as follows:

$${U}_{Bo{b}_{2}}:\frac{1}{\sqrt{N}}{\sum }_{i=0}^{N-1}|i{\rangle }_{t}|f(i,{x}_{1})\rangle \to \frac{1}{\sqrt{N}}{\sum }_{i=0}^{N-1}|i{\rangle }_{t}|f(i,{x}_{1})\oplus f(i,{x}_{2})\rangle ,$$
(4)

with

$$f(i,{x}_{2})=\{\begin{array}{ll}1 & if\,i={x}_{2}\\ 0 & else\end{array}.$$
(5)

Let \(|{\psi }_{2}\rangle =\frac{1}{\sqrt{N}}{\sum }_{i=0}^{N-1}|i{\rangle }_{h}|i{\rangle }_{t}|f(i,{x}_{1})\oplus f(i,{x}_{2})\rangle \). Furthermore, the bidder Bob2 sends two transmitted registers (i.e.,\(\,\frac{1}{\sqrt{N}}{\sum }_{i=0}^{N-1}|i{\rangle }_{t}|f(i,{x}_{1})\oplus f(i,{x}_{2})\rangle \)) to the next bidder Bob3 though the quantum channel. Afterward, the bidder Bob3 executes the similar process of the bidder Bob2, and so on. This process is repeated n times in total, so that every bidder has marked his bid by an oracle operator. Then, the final quantum state will be in

$$\begin{array}{rcl}|{\psi }_{n}\rangle & = & \frac{1}{\sqrt{N}}\sum _{i=0}^{N-1}|i{\rangle }_{h}|i{\rangle }_{t}|f(i,{x}_{1})\oplus f(i,{x}_{2})\oplus \cdot \,\cdot \,\cdot \oplus f(i,{x}_{n})\rangle \\ & = & \frac{1}{\sqrt{N}}[{\sum }_{i\notin \{{x}_{1},{x}_{2},\ldots {x}_{n}\}}|i{\rangle }_{h}|i{\rangle }_{t}|0\rangle +{\sum }_{j\in \{{x}_{1},{x}_{2},\ldots {x}_{n}\}}|j{\rangle }_{h}|j{\rangle }_{t}|1\rangle ]\end{array}.$$
(6)

(1.5) Finally, the bidder Bobn sends all remaining qubits of the marked state |ψn〉 back to the auctioneer Alice through the quantum channel.

(1.6) After receiving the whole state |ψn〉, Alice again applies \({{\rm{CNOT}}}^{\otimes \mathrm{log}N}\) on two registers h and t, i.e., the first 2logN qubits of |ψn〉, where each qubit of the first logN qubits is the control qubit and the corresponding qubit of the second logN qubits is the target qubit. Call the resultant state \(|\mathop{\psi }\limits^{ \sim }{\rangle }_{n}\). That is,

$$\begin{array}{rcl}|\tilde{\psi }{\rangle }_{n} & = & CNO{T}^{\otimes {\rm{logN}}}|{\psi }_{n}\rangle \\ & = & CNO{T}^{\otimes \mathrm{log}N}{[\frac{1}{\sqrt{N}}\sum _{i=0}^{N-1}|i\rangle }_{h}|i{\rangle }_{t}|f(i,{x}_{1})\oplus f(i,{x}_{2})\oplus \cdot \,\cdot \,\cdot \oplus f(i,{x}_{n})\rangle ]\\ & = & \frac{1}{\sqrt{N}}{\sum }_{i=0}^{N-1}|i{\rangle }_{h}|0{\rangle }_{t}|f(i,{x}_{1})\oplus f(i,{x}_{2})\oplus \cdot \,\cdot \,\cdot \oplus f(i,{x}_{n})\rangle .\end{array}$$
(7)

(1.7) Furthermore, Alice measures the second register t, i.e., the second logN qubits of the whole quantum system, in the computational basis. If the measured result is |0〉, then she will continue to execute the next step; Otherwise she will believe that there is at least one dishonest bidder or outsider attacker and end this auction.

(1.8) Let \(|{\varphi }_{n}\rangle =\frac{1}{\sqrt{N}}{\sum }_{i=0}^{N-1}|i{\rangle }_{h}|f(i,{x}_{1})\oplus f(i,{x}_{2})\oplus \cdot \,\cdot \,\cdot \oplus f(i,{x}_{n})\rangle \). Alice prepares another auxiliary state |0〉, and then applies an oracle operator UAlice to \(|\varphi {\rangle }_{n}\otimes |0\rangle \), where the oracle operator UAlice is defined by

$${f}_{1}(i,{x}_{1},\ldots ,{x}_{n})=f(i,{x}_{1})\oplus f(i,{x}_{2})\oplus \cdots \oplus f(i,{x}_{n}),$$
(8)
$${U}_{Alice}:\frac{1}{\sqrt{N}}{\sum }_{i=0}^{N-1}|i{\rangle }_{h}|{f}_{1}(i,{x}_{1},\ldots ,{x}_{n})\rangle \otimes |0\rangle \to \frac{1}{\sqrt{N}}{\sum }_{i=0}^{N-1}|i{\rangle }_{h}|{f}_{1}(i,{x}_{1},\ldots ,{x}_{n})\rangle |0\oplus {f}_{2}(i,x)\rangle ,$$
(9)

with

$${f}_{2}(i,x)=\{\begin{array}{ll}1 & if\,{f}_{1}(i,{x}_{1},\ldots ,{x}_{n})=1\,and\,i\ge x\\ 0 & else\end{array}.$$
(10)

Let \(|{\varphi }_{A}\rangle =\frac{1}{\sqrt{N}}{\sum }_{i=0}^{N-1}|i\rangle |{f}_{1}(i,{x}_{1},\ldots ,{x}_{n})\rangle |{f}_{2}(i,x)\rangle \). Please note that the subscript h is omitted in |ϕA〉, because all qubits are held by Alice at this moment. Clearly,

$$\begin{array}{rcl}|{\varphi }_{A}\rangle & = & \frac{1}{\sqrt{N}}[{\sum }_{i\notin \{{x}_{1},{x}_{2},\ldots {x}_{n}\}}|i\rangle |0\rangle |0\rangle +{\sum }_{j\in \{{x}_{1},{x}_{2},\ldots {x}_{n}\}\wedge j < x}|j\rangle |1\rangle |0\rangle \\ & & +{\sum }_{j\in \{{x}_{1},{x}_{2},\ldots {x}_{n}\}\wedge j\ge x}|j\rangle |1\rangle |1\rangle ]\end{array}.$$
(11)

(1.9) Alice applies the Grover’s search algorithm36 to |ϕA〉 for finding a marked state |j〉|1〉|1〉, which implies j {x1, x2…, xn} and j ≥ x (i.e., finding a bid xi greater than or equal to x). Alice makes a measurement on the first register. Let the result of the measurement be y. If y > x and satisfy |y〉|1〉|1〉), then replace x with y.

The test procedure: (2.1) Alice first prepares a quantum state \(|\psi {\rangle }_{h}=\frac{|0{\rangle }_{h}+{|i\rangle }_{h}}{\sqrt{2}}\), where i {x1, x2…, xn} (Note. i may be selected by Alice’s experience and the valuation price, e.g., i could be a large enough number in \({Z}_{N}^{\ast }\)), and another quantum basis state |0〉t. Similarly, Alice further performs logN CNOT gate operators on the product state |ψh|0〉t to generate an entangled state \(|{\psi }_{0}\rangle =\frac{{|0\rangle }_{h}{|0\rangle }_{t}+|i{\rangle }_{h}{|i\rangle }_{t}}{\sqrt{2}}\). Here the subscript h and t denote two registers, where the register h will stay at home and the register t will be transmitted through the quantum channel. Then Alice sends the register t to the first bidder Bob1 through the quantum channel.

(2.2) All bidders cannot distinguish the quantum states from the normal procedure and the test procedure, so they continue to execute the same oracle operators as the normal procedure (i.e., (1.2–1.5)) to mark their respective bids in the transmitted quantum state |ψi〉. However, i {x1, x2…, xn}, so \(|{\psi }_{n}\rangle =\frac{{|0\rangle }_{h}{|0\rangle }_{t}+|i{\rangle }_{h}|i{\rangle }_{t}}{\sqrt{2}}|0\rangle \). Finally, the bidder Bobn sends all remaining qubits of the state |ψn〉 back to the auctioneer Alice through the quantum channel.

(2.3) After receiving the state |ψn〉, Alice again applies \({{\rm{CNOT}}}^{\otimes \mathrm{log}N}\) on two registers h and t, i.e., the first 2logN qubits of |ψn〉, where each qubit of the first logN qubits is the control qubit and the corresponding qubit of the second logN qubits is the target qubit. Then Alice should get \(|{\psi }_{n}^{\ast }\rangle =\frac{{|0\rangle }_{h}+|i{\rangle }_{h}}{\sqrt{2}}{|0\rangle }_{t}|0\rangle \).

(2.4) Furthermore, Alice measures the first register by a von Neumann measurement {P+i, Pi}, where P+i and Pi are defined by37,

$${P}_{+i}=\frac{1}{2}(|0\rangle \langle 0|+|0\rangle \langle i|+|i\rangle \langle 0|+|i\rangle \langle i|),$$
(12)
$${P}_{-i}=\frac{1}{2}(|0\rangle \langle 0|-|0\rangle \langle i|-|i\rangle \langle 0|+|i\rangle \langle i|).$$
(13)

Obviously, P+i + Pi = I and P+iPi = 0. If the measurement result is in \(\frac{|0{\rangle }_{h}+|i{\rangle }_{h}}{\sqrt{2}}\), then she will further measure the latter two registers in computational basis. If three measurement results are in \(\frac{|0{\rangle }_{h}+|i{\rangle }_{h}}{\sqrt{2}}\), |0〉t and |0〉, respectively, then she will continue to execute the next step. Otherwise Alice will believe that there is at least one dishonest bidder or outsider attacker and end this auction.

Step 3. After executing the procedures of Step 2 (p + q) times, including the normal procedure p times and the test procedure q times, if the return result y is greater than or equal to her initial valuation price, Alice will announce y, i.e., the current highest bid (y {x1, x2, …, xn}). Otherwise Alice will open her commitment x (i.e., the initial valuation price) by opening the random number r simultaneously, declare the failure of the auction and terminate this auction. That is, there is not a bid greater than or equal to her initial valuation price, so this auction is fail. Of course, all participants may verify its truth by comparing H(rH(rx)) with the corresponding value b committed in Step 1.

Step 4. If there is a bid xj greater than the current highest bid y, the bidder Bobj will broadcast a complaint about the incorrectness of the current highest bid. Furthermore, if there is a complaint, Alice will ask for the bid of the complainer, and then she will update the current highest bid with it. But if there are two or more complaints, Alice will think there are dishonest bidders or outsider attackers and accordingly terminate this auction.

Step 5. Furthermore, if each bidder does not further receive any complaint, then he will believe that the current highest bid is highest. Suppose y = xk, i.e., the bidder Bobk should be the winner of the auction. Finally, in order to win the auction successfully, the bidder Bobk must publish his random number rk and his bid xk, i.e., open his commitment. All participants will compute H(rkH(rkxk)) and verify its authenticity by comparing it with the corresponding value bk committed in Step 1. In addition, Alice also needs to open her commitment x and accepts the verification of all bidders. If there is no error, the auctioneer Alice and all bidders will believe the auction is fair.

Analysis

Correctness

Our PQSA scheme is based on Grover’s search algorithm, which can find a solution with a high probability1,36. Assume the failure probability of Grover’s search algorithm is \(\frac{1}{\delta }\), where δ ≥ e (Note. e is the Euler’s constant, which is the base of natural logarithms (approximately 2.7183)). Let E(N, t) be the expectation value of the number of iterations (i.e., the number of repeating Grover’s search algorithm in Step 2) for finding the highest bid of N items in which t items are marked38. Then we write a recurrence equation for E(N, t) as:

$$E(N,t)=\frac{1}{t}[E(N,t-1)+\ldots +E(N,1)]+1.$$
(14)

So we get

$$tE(N,t)={\sum }_{i=1}^{t-1}E(N,i)+t,$$
(15)
$$(t-1)E(N,t-1)={\sum }_{i=1}^{t-2}E(N,i)+(t-1).$$
(16)

Subtracting Eqs (16) from (15) and rearranging, we get

$$E(N,t)=E(N,t-1)+\frac{1}{t}.$$
(17)

Writing the same equation for (t − 1), …, 2 and adding all of them, we get,

$$E(N,t)=E(N,1)+\frac{1}{2}+\frac{1}{3}+\cdots +\frac{1}{t}.$$
(18)

Obviously, E(N, 1) = 1. That is, there is only one marked item in the general state of N items, so it only needs to execute Grover’s search algorithm once to get the highest bid with the high probability of \(1-\frac{1}{\delta }\). Furthermore, it will give,

$$E(N,t)=1+\frac{1}{2}+\frac{1}{3}+\cdots +\frac{1}{t}.$$
(19)

From Eq. (19) we can get,

$$E(N,t)\le {\int }_{1}^{t}\frac{1}{t}dt=\,\mathrm{ln}\,t.$$
(20)

In our PQSA scheme, there are at most n marked item, i.e., all bids are greater than the initial valuation price. So an upper bound is achieved for t = n, when we get,

$$E(N,n)\le lnn.$$
(21)

Therefore, we can repeat Grover’s search algorithm to obtain the highest bid with a probability of \(1-{(\frac{1}{\delta })}^{\mathrm{ln}n}\) after lnn repetitions of this algorithm. That is, the failure probability ε of Step 2 to obtain the highest bid is \({(\frac{1}{\delta })}^{\mathrm{ln}n}\). When δ ≥ e, we can get

$$\varepsilon ={(\frac{1}{\delta })}^{\mathrm{ln}n}\le {(\frac{1}{e})}^{\mathrm{ln}n}\le \frac{1}{n}.$$
(22)

The failure probability of \(\frac{1}{n}\) is very small, so we only tolerate a complaint in Step 4. Therefore, if all participants honestly execute the procedures, our PQSA scheme is correct.

In above analysis, we assume that Grover’s search algorithm has some probability of failure, i.e., the probability of finding the marked item is not exactly 1. Furthermore, Long39 presented a modified version of Grover’s search algorithm that searches a marked state with full successful rate. So, if we use Long’s algorithm in our proposed protocol, it can get the better result theoretically.

Security

First, we analysis the proposed scheme can resist all kinds of outsider attacks. For an outsider attacker, he can intercept the transmitted messages, including classical messages and quantum messages. If the outsider attacker wants to get xi from \(H({r}_{i}\oplus H({r}_{i}\oplus {x}_{i}))\) without ri, it is equivalent to break Hash function. At present, there is still not efficient method to break secure Hash function (e.g., SHA-1, SHA-2) by quantum computers or quantum algorithms. So, in the following we main analysis the possible attack to the transmitted quantum messages.

Firstly, the outsider attacker may perform an intercept-and-resend attack, i.e., he can intercept the transmitted quantum messages, and resend a fake quantum messages back to Alice. For example, the attacker intercepts the partial qubits of the state \(|{\psi }_{n}\rangle =\frac{1}{\sqrt{N}}[{\sum }_{i\notin \{{x}_{1},{x}_{2},\ldots {x}_{n}\}}|i{\rangle }_{h}|i{\rangle }_{t}|0\rangle +{\sum }_{j\in \{{x}_{1},{x}_{2},\ldots {x}_{n}\}}|j{\rangle }_{h}|j{\rangle }_{t}|1\rangle ]\) in the normal model. Clearly, the state |ψn〉 held by Alice and the attacker is an entangled state, where the reduced density matrixes of the subsystem held by them are \(\frac{1}{N}{\sum }_{i=0}^{N-1}|i\rangle \langle i|\) and \(\frac{1}{N}[{\sum }_{i\notin \{{x}_{1},{x}_{2},\ldots {x}_{n}\}}|i,0\rangle \langle i,0|+{\sum }_{j\in \{{x}_{1},{x}_{2},\ldots {x}_{n}\}}|j,1\rangle \langle j,1|]\), respectively. Though the reduced density matrix held by the attacker hides all private bids, the attacker cannot extract all by the principle of quantum mechanics. That is, even if the attacker measures his intercepted subsystem, he cannot get all private bids (i.e., all marked items). In fact, he can get at most one bid (i.e., one marked item) with a low probability because nN, and the bid does not reveal any identity of the bidder. However, if the attacker intercepts the partial qubits of the state \(|{\psi }_{n}\rangle =\frac{{|0\rangle }_{h}|0{\rangle }_{t}+|i{\rangle }_{h}{|i\rangle }_{t}}{\sqrt{2}}|0\rangle \) in the test model, then the reduced density matrix of the subsystem held by himself is \(\frac{|0,0\rangle \langle 0,0\,|+|i,0\rangle \langle i,0|}{2}\), which is independent of all bids. That is, the intercepted subsystem cannot contain any private information about any private bid.

However, the attacker cannot distinguish the transmitted quantum states from the normal model and the test model. So, if the attacker measures his intercepted subsystem to get a bid, then he will be found later by Alice with great risk. For example, if the attacker measures the state \(|{\psi }_{n}\rangle =\frac{|0{\rangle }_{h}{|0\rangle }_{t}+{|i\rangle }_{h}|i{\rangle }_{t}}{\sqrt{2}}|0\rangle \) of the test model in the computation basis, the state |ψn〉 will be collapsed into |0〉h|0〉t|0〉 or |ih|it|0〉 with the probability of \(\frac{1}{2}\), respectively. Later, Alice performs the test procedure in (2.4) of Step 2, so she can easily find this attack.

Of course, if the attacker sends a fake quantum system back to Alice, instead of the true subsystem intercepted by him, it will be easily found by Alice in (1.7) or (2.4) of Step 2. Therefore, our scheme can resist the intercept-and-resend attack.

Secondly, we analyze a more complicated attack, that is, the outsider attacker performs an entangle-and-measure attack that he first prepares an ancillary quantum system and further entangles his ancillary quantum system and the intercepted subsystem by a local unitary operator, and afterward he can measure the ancillary quantum system to get the partial information about the private bids. The attacker’s dishonest action can be described by a local unitary operator \(\tilde{U}\), which is simply defined by,

$$\tilde{U}|j\rangle |0\rangle =\sqrt{{\eta }_{j}}|j\rangle |\xi (j)\rangle +\sqrt{1-{\eta }_{j}}|V(j)\rangle ,$$
(23)

where |V(j)〉 is a vector orthogonal to |j〉|ξ(j)〉, i.e.,

$$\langle j|\langle \xi (j)|V(j)\rangle =0$$
(24)

In order to completely pass the honest test (see (1.7) or (2.4) of Step 2), it can easily deduce that ηj = 1. That is, the whole quantum system sent back to Alice in the normal model should be in the following state after performing the operator \(\tilde{U}\):

$$\begin{array}{rcl}\tilde{U}|{\psi }_{n}\rangle |0\rangle & = & \tilde{U}\frac{1}{\sqrt{N}}[\sum _{i\notin \{{x}_{1},{x}_{2},\ldots {x}_{n}\}}|i{\rangle }_{h}|i{\rangle }_{t}|0\rangle +\sum _{j\in \{{x}_{1},{x}_{2},\ldots {x}_{n}\}}|j{\rangle }_{h}|j{\rangle }_{t}|1\rangle ]|0\rangle \\ & = & \frac{1}{\sqrt{N}}[{\sum }_{i\notin \{{x}_{1},{x}_{2},\ldots {x}_{n}\}}|i{\rangle }_{h}|i{\rangle }_{t}|0\rangle |\xi (i,0)\rangle +{\sum }_{j\in \{{x}_{1},{x}_{2},\ldots {x}_{n}\}}|j{\rangle }_{h}|j{\rangle }_{t}|1\rangle |\xi (j,1)\rangle .\end{array}$$
(25)

After successfully passing the honest test, the state of the whole quantum system is in,

$$\frac{1}{\sqrt{N}}[{\sum }_{i\notin \{{x}_{1},{x}_{2},\ldots {x}_{n}\}}|i{\rangle }_{h}|0\rangle |\xi (i,0)\rangle +{\sum }_{j\in \{{x}_{1},{x}_{2},\ldots {x}_{n}\}}|j{\rangle }_{h}|1\rangle |\xi (j,1)\rangle .$$
(26)

After performing UAlice in (1.8) of Step 2, the state of the quantum system becomes,

$$\frac{1}{\sqrt{N}}[{\sum }_{i\notin \{{x}_{1},{x}_{2},\ldots {x}_{n}\}}|i{\rangle }_{h}|0\rangle |0\rangle |\xi (i,0)\rangle +{\sum }_{j\in \{{x}_{1},{x}_{2},\ldots {x}_{n}\}}|j{\rangle }_{h}|1\rangle |{f}_{2}(j,x)|\xi (j,1)\rangle .$$
(27)

At this moment, if the attacker measures his ancillary quantum system, then he will get ξ(i, 0) with a higher probability or ξ(j, 1) with a lower probability, because nN actually, where the latter includes a bid. However, if Alice further executes Grover’s search algorithm to find a marked state \(|j\rangle |1\rangle |1\rangle |\xi (j,1)\rangle \), then the attacker will get ξ(j, 1) with a high probability. Now, he can get a bid, but he cannot distinguish his identity.

However, our scheme still has another model, i.e., the test model. If the attacker performs the entangle-and-measure attack in the test model, the whole quantum system sent back to Alice should be in the following state after performing the operator \(\tilde{U}\):

$$\begin{array}{rcl}\tilde{U}|{\psi }_{n}\rangle & = & \tilde{U}\frac{{|0\rangle }_{h}|0{\rangle }_{t}|0\rangle +{|i\rangle }_{h}{|i\rangle }_{t}|0\rangle }{\sqrt{2}}|0\rangle \\ & = & \frac{{|0\rangle }_{h}|0{\rangle }_{t}|0\rangle |\xi (0,0)\rangle +{|i\rangle }_{h}{|i\rangle }_{t}|0\rangle |\xi (i,0)\rangle .}{\sqrt{2}}\end{array}$$
(28)

After Alice executes the procedure of (2.3) in Step 2, the quantum system will become \(|{\psi }_{n}^{\ast }\rangle =\frac{|0{\rangle }_{h}|0{\rangle }_{t}|0\rangle |\xi (0,0)\rangle +{|i\rangle }_{h}{|0\rangle }_{t}|0\rangle |\xi (i,0)\rangle }{\sqrt{2}}\). At this moment, if Alice continues to execute the test procedure of (2.4), i.e., she performs a von Neumann measurement {P+i, Pi} on the first register, then she will get the following results,

$${p}_{+i}=\langle {\psi }_{n}^{\ast }|{P}_{+i}\otimes I\otimes I\otimes I|{\psi }_{n}^{\ast }\rangle =\frac{1}{2},$$
(29)
$${p}_{-i}=\langle {\psi }_{n}^{\ast }|{P}_{-i}\otimes I\otimes I\otimes I|{\psi }_{n}^{\ast }\rangle =\frac{1}{2},$$
(30)
$$\frac{{P}_{+i}\otimes I\otimes I\otimes I|{\psi }_{n}^{\ast }\rangle }{\sqrt{{p}_{+i}}}=\frac{|0{\rangle }_{h}+|i{\rangle }_{h}}{\sqrt{2}}\otimes {|0\rangle }_{t}\otimes |0\rangle \otimes \frac{|\xi (0,0)\rangle +|\xi (i,0)\rangle }{\sqrt{2}},$$
(31)
$$\frac{{P}_{-i}\otimes I\otimes I\otimes I|{\psi }_{n}^{\ast }\rangle }{\sqrt{{p}_{-i}}}=\frac{|0{\rangle }_{h}-|i{\rangle }_{h}}{\sqrt{2}}\otimes {|0}_{t}\rangle \otimes |0\rangle \otimes \frac{|\xi (0,0)\rangle -|\xi (i,0)\rangle }{\sqrt{2}}.$$
(32)

That is, she will get \(\frac{|0{\rangle }_{h}+|i{\rangle }_{h}}{\sqrt{2}}\) or \(\frac{|0{\rangle }_{h}-|i{\rangle }_{h}}{\sqrt{2}}\) with the probability of \(\frac{1}{2}\), respectively. Obviously, Alice will detect the attack with the probability of \(\frac{1}{2}\).

Finally, we consider that the attacker tries to add some false marked items in the returned state |ψn〉 by the oracle operators to manipulate the auction. On the one hand, if the false marked items are smaller than the highest bid, it will not affect the correctness of the auction; On the other hand, if a certain false marked item is greater than the highest bid, it will be easily found because no bidder claims the false bid. Even if a collusion bidder claims the false bid, obviously he will not successfully pass the public verification.

In a word, no matter which attack the outsider attacker performs, he cannot get any private information without risking Alice’s detection, and cannot manipulate the auction yet. That is, our scheme can resist the outsider attacks.

In addition, by the system model defined in the section of 3.1, PQSA should meets five secure and privacy requirements. In the following section, we will prove that our proposed PQSA scheme can meet all these secure and privacy requirements.

(1) The auctioneer’s privacy: From the scheme proposed above, we can easily see that the transmitted quantum messages do not include any information about Alice’s initial valuation price x. In addition, among all quantum oracle operators utilized by our proposed scheme, it is only the oracle operator UAlice concerning x. However, UAlice only is performed in Alice’s registers, and these quantum states transferred by the operator UAlice will be measured timely by Alice. So, if a dishonest bidder (or an outsider attacker) wants to steal Alice’s private information, he can only perform the entangle-and-measure attack. However, we have analyzed the infeasibility of this attack above, because he cannot yet discern the normal model and the test model. If he performs the entangle-and-measure attack in the test model, his dishonesty will be found by Alice with the probability of \(\frac{1}{2}\).

(2) The bidder’s privacy: As we have analyzed above, any outsider attacker cannot get any private bid without risking the auctioneer’s detection. In fact, for a bidder, he cannot get more information from the transmitted quantum messages than the outsider. If a dishonest bidder performs an attack, no matter concerned with measurement or entanglement, similarly, he will risk to be found later by the auctioneer. In short, no one can get the private bid of the bidder without risking the auctioneer’s detection.

(3) Anonymity: By the proposed scheme, each bidder marks his bid in the transmitted quantum state |ψi〉. However, each bidder marks his bid in an anonymous way, i.e., the marked item in |ψi〉 does not leave any identity.

For a dishonest bidder, e.g., Bob2, if he wants to get the specific bid of Bob1 when receiving |ψ1〉, he can perform Grover’s search algorithm to find |x1t|1〉 because Bob2 knows that there is only one marked item (i.e., x1) in |ψ1〉. However, if Alice selects the test model in Step 2, she can easily find this dishonesty because the final measurement result will be |0〉h or |ih, instead of \(\frac{|0{\rangle }_{h}+|i{\rangle }_{h}}{\sqrt{2}}\). That is, the dishonest bidder Bob2 cannot get the bid of the first bidder Bob1 without risking Alice’s detection. In addition, after performing Grover’s search algorithm, if Bob2 directly sends a fake state to the next bidder, not |x1t|1〉, obviously it will be easily found by Alice in (1.7) or (2.4) of Step 2.

As for the other bidder Bobi, even if he performs the similar attack to get |x1t|1〉 by Grover’s search algorithm, he still cannot get the specific identity of xj because of j {1, 2, …, i − 1}. Even if multiple bidders collude to perform this attack, it will be found later by Alice with the probability of \(\frac{q}{p+q}\). In addition, this attack also brings a risk of the failure of the auction, because our proposed scheme only permits at most one complaint when announcing the highest bid.

At present, we only assume that there is a circle quantum channel among the auctioneer and all bidders in our PQAS model. For the current technical conditions, obviously this model is more feasible. In fact, if there is a quantum channel between any two parties, the quantum messages can be transmitted in a random order, i.e., from Bobi to random Bobj, not Bobi+1, such that it can provide the perfect anonymity of the bids.

For the auctioneer Alice, she can receive the returned state |ψn〉, in which all bids have be marked in an anonymous way. Furthermore, she can get a marked item |y〉|1〉|1〉 by Grover’s search algorithm, but she cannot know y belongs to who because of y {1, 2, …, n}.

Therefore, our proposed scheme can ensure that the bidder’s bid is anonymous for all participants, including the auctioneer.

(4) Public verifiability: On the one hand, when the highest bid xk is announced publicly, it needs to accept the comparisons of all other bidders to decide whether it is greater than their respective bids. On the other hand, to further win the auction successfully, the highest bidder Bobk requires to open his commitment xk to accept the verifications of the authenticity of the bid xk. As you know, there is not a perfect secure quantum bit commitment based on the No-Go Theorem40,41,42. So we utilizes a practical and efficient classical bit string commitment, in which it can not get xk only from \(H({r}_{k}\oplus H({r}_{k}\oplus {x}_{k}))\) without rk, unless cracking the secure hash function, e.g., SHA-1, SHA-2. By the opening information rk, anyone can verify the authenticity of the winning bid xk. Even if the auctioneer wants to help a malicious bidder Bobj to win this auction, but they cannot revise the hash value \(H({r}_{j}\oplus H({r}_{j}\oplus {x}_{j}))\), which was published in advance, so the fake bid \({r}_{j}^{\ast }\) (implying \({r}_{j}^{\ast } > {r}_{k}\)) cannot pass the verification finally. That is, this attribute can defend the collusion attack between the malicious bidder and the dishonest auctioneer. In fact, bit string commitments ensures that the initial valuation price and all bids can not changed during the whole auction, otherwise the cheating will be found easily.

(5) Fairness: Since all bidders and the auctioneer need to commit their bids and the valuation price at the beginning of the auction, and the successfully winning bid needs to be verified publicly by all participants finally, no one can manipulate the auction, even for the auctioneer. That is, the auctioneer cannot help a malicious bidder to win the auction illegally without being found by other bidders. Therefore, our proposed scheme can guarantee the fairness of the auction.

We have analyzed the security of proposed scheme in ideal settings. However, in practical settings, there may be some faults (e.g., noise and error) in the quantum channels and quantum measurements. In order to ensure its security in practical settings, one can use the fault tolerant technologies, such as decoherence-free states and error-correcting code. In addition, we can use classical authenticated channels and quantum authenticated channels to ensure the correctness of distributing messages.

Performance

The proposed scheme is mainly based on Grover’s search algorithm. By the previous analysis, the number of iterations (i.e., the number of repeating Grover’s search algorithm in Step 2) for finding the highest bid is less than or equal to lnn, which is its upper bound, so both the computational complexity and the communicational complexity are O(lnn), i.e., to execute O(lnn) Grover’s search algorithms and to distribute O(lnn) quantum messages. To complete the task, any classical scheme needs to distribute O(n) messages in theory, where each message gets a bid in an anonymous way, and then finds the highest bid by comparing O(n) times. Obviously, our proposed quantum scheme gets the lower communicational complexity than any classical scheme.

In addition, to make our scheme work, the key step is to construct the efficient circuits implementing the oracle operators. In our scheme, we define two kinds of oracle operators to mark items in a general state. Similarly, using the techniques of reversible computation1, we can construct a classical reversible circuit which takes (x, y) - representing an input register initially set to x and a one bit output register initially set to y - to (x, yf(x)), by modifying the usual (irreversible) classical circuit for doing the classical function f(x).

At present, Grover’s search algorithm and its variants have been implemented by the newest reports43,44,45, especially in IBM quantum cloud46. So, with the rapid development of quantum computing and quantum information processing, we believe that our proposed PQSA scheme is feasible in the near future.

Conclusions

In this paper, we define a new privacy-preserving quantum sealed-bid auction model, and further present a novel privacy-preserving quantum sealed-bid auction scheme based on Grover’s search algorithm. The proposed scheme not only guarantees the correctness and fairness of the auction, but also ensures the privacy and anonymity of the bidders, even for the auctioneer. Compared with the current existing quantum sealed-bid auction, our proposed scheme can provide stronger privacy protections, which are urgently requirements in modern network society. So the proposed scheme has wider popularization and application prospects.

In addition, we actually give an efficient quantum approach to privately find the optimal solution under the constraint conditions among multiple distributed participants, which can also be generalized into other secure applications, e.g., an election satisfying more than half of votes.