Privacy-preserving Quantum Sealed-bid Auction Based on Grover’s Search Algorithm

Sealed-bid auction is an important tool in modern economic especially concerned with networks. However, the bidders still lack the privacy protection in previously proposed sealed-bid auction schemes. In this paper, we focus on how to further protect the privacy of the bidders, especially the non-winning bidders. We first give a new privacy-preserving model of sealed-bid auction and then present a quantum sealed-bid auction scheme with stronger privacy protection. Our proposed scheme takes a general state in N-dimensional Hilbert space as the message carrier, in which each bidder privately marks his bid in an anonymous way, and further utilizes Grover’s search algorithm to find the current highest bid. By O(lnn) iterations, it can get the highest bid finally. Compared with any classical scheme in theory, our proposed quantum scheme gets the lower communication complexity.

outbids the last bidder, and the process continues until no one else bids a higher price. Finally, the item is sold to the highest bidder at the highest bid. On the contrary, the Dutch auction is a public descending price auction. The auctioneer in Dutch auction begins with a high asking price which is lowered until some bidder is willing to accept the auctioneer's price. Difference from the former two auctions, the sealed-bid auction needs to protect the privacy of the bids and ensure the fairness among the bidders. That is, any eavesdropper cannot get any private information about the bids, and the auctioneer cannot help any bidder to win the auction unfairly. During traditional sealed-bid auction, the bidder does not know the bids of others. After all bids are transmitted privately to the auctioneer, the auctioneer selects out the highest bid and announces it and the corresponding winner.
The first quantum sealed-bid auction protocol was proposed by Naseri in 2009 20 . The auction protocol introduced a multi-party quantum secure direct communication protocol to privately transmit the bids. However, Qin et al. 22 and Yang et al. 23 independently pointed out that there was a secure flaw in Naseri' protocol, i.e., a malicious bidder could obtain all private bids without being found by performing double Controlled NOT attack or using fake entangled particles. Then they improved Naseri's original protocol by inserting some decoy particles into the transmitted particles. In addition to the detecting strategy of the decoy particles, there still appeared other defense strategies 24,25 to prevent these attacks. Furthermore, Zhao et al. 26 found that these previously proposed protocols were unfair, i.e., a malicious bidder could collude the dishonest auctioneer to perform a collusion attack to win the auction unfairly. Accordingly, they presented a security protocol for QSA with post-confirmation 26 . Subsequently, in order to enhance the security of QSA or ensure the feasibility of QSA, many quantum protocols with post-confirmation were proposed [27][28][29][30][31][32][33] . In 2017, we presented an economic and feasible quantum sealed-bid auction protocol based on single photons in both the polarization and the spatial-mode degrees of freedom 34 . In our protocol, the post-confirmation mechanism uses single photons instead of entangled EPR pairs, and it does not require quantum memory. Therefore, our protocol is a practical and feasible quantum sealed-bid auction.
In all previously proposed quantum sealed-bid auction (QSA) protocols, it requires all bidders to send their real bids to the auctioneer. Even if the bidder can not win the auction, the auctioneer also knows his or her real bid. However, in practical settings, the bidders who will not be able to win the auction don't want to reveal their real bids. That is, the non-winning bidders lack the privacy protection in current QSA schemes. In this paper, we present a strong privacy-preserving QSA model. In our model, anyone cannot get the real bid of other bidders, even for the auctioneer. So the privacy of the bidders can be better protected in our model. In addition, the bids of the bidders are anonymous, i.e., no one can discern who these bids belong to. Furthermore, we design a novel privacy-preserving QSA scheme based on Grover's search algorithm. The proposed scheme not only guarantees the correctness and fairness of the auction, but also ensures the privacy and anonymity of the bidders, even for the auctioneer. Compared with the current existing quantum sealed-bid auction, our proposed scheme can provide stronger privacy protections, which are urgently requirements in modern network society.

Results and Discussion
privacy-preserving quantum sealed-bid auction. System model. Here we first present our system model for privacy-preserving quantum sealed-bid auction (PQSA), in which there are two kinds of participants, i.e., an auctioneer (Alice) who wants to sell an item at the highest possible price and n bidders (Bob 1 , Bob 2 , …, Bob n ) who want to buy the item alone at the lowest possible price. In our PQAS model, suppose that there is a circle quantum channel among the auctioneer and all bidders (see the solid line in Fig. 1) and there is a classical channel between any two participants (see the dashed line in Fig. 1).
Initially, Alice has a valuation price (x) of the item, and each bidder (Bob i ) has a private bid (x i ) for the item. Furthermore, we assume that the valuation price and all bids are not changed during the whole auction. Finally, Alice can select out the highest bid. If the highest bid is greater than or equal to her initial valuation price, then she will announce the winner and the highest bid. Otherwise, she will declare the failure to all bidders. In addition, our PQSA should meet the following secure and privacy requirements: Proposed scheme. In the following scheme, we mainly consider the honest-but-curious model, which is similar to the semi-honesty model in the classical setting. That is, the parties honestly execute the protocol, but they try to find out as much as possible about the other inputs despite following the protocol. Furthermore, suppose that the initial valuation price and all bids lie in Z N = {0, 1, 2, …, N − 1}. For simplicity, we assume that all bids are distinct. In addition, we assume that there is a public hash H(·).
Step 1. Each bidder Bob j (j = 1, 2, …, n) randomly selects an integer r j ∈ Z N and computes Then the bidder Bob j sends b j to all other participants by the classical channel. That is, the bidder Bob j commits x j to all other participants, but no participant can get x j only from b j without r j . In addition, the auctioneer Alice also needs to commit x to all bidders, i.e., she selects a random number r ∈ Z N , computes = ⊕ ⊕ b H r H r x ( ( )) and sends b to all bidders by the classical channel.
Step 2. Repeat the following procedures p + q times, including the normal procedure (to find the highest bid) p times and the test procedure (to detect the dishonesty or attacks) q times, where p = lnn, and q is a secure parameter, e.g., q = p. That is, Alice randomly selects to execute the following normal procedure with the probability of + p p q or the following test procedure with the probability of and a basis state |0〉 t , which are both logN qubits. Furthermore, Alice performs logN CNOT gate operators 35 on the product state ψ | 〉 | 〉 0 h t , where each qubit of the first logN qubits is the control qubit and the corresponding qubit of the second logN qubits is the target qubit (see Fig. 2). Here we call the resultant state |ψ 0 〉, which is written as Clearly, |ψ 0 〉 is an entangled state. Here, the subscript h and t denote two registers, where the register h will stay at home and the register t will be transmitted through the quantum channel. Then Alice sends the register t to the first bidder Bob 1 through the quantum channel.
(1.2) After receiving the register t, the bidder Bob 1 prepares a basis state |0〉 in an auxiliary register, and applies an oracle operator U Bob 1 to the register t and the auxiliary register, where the oracle operator U Bob 1 is defined by www.nature.com/scientificreports www.nature.com/scientificreports/ , the state of the whole quantum system). Obviously, That is, the oracle operator U Bob 1 is utilized to mark the item x 1 . (1.3) Furthermore, the bidder Bob 1 sends the two registers (i.e., to the second bidder Bob 2 through the quantum channel. (1.4) After receiving where the oracle operator U Bob 2 is defined by his bid x 2 as follows: 2 ) to the next bidder Bob 3 though the quantum channel. Afterward, the bidder Bob 3 executes the similar process of the bidder Bob 2 , and so on. This process is repeated n times in total, so that every bidder has marked his bid by an oracle operator. Then, the final quantum state will be in (1.5) Finally, the bidder Bob n sends all remaining qubits of the marked state |ψ n 〉 back to the auctioneer Alice through the quantum channel.
(1.6) After receiving the whole state |ψ n 〉, Alice again applies ⊗ CNOT N log on two registers h and t, i.e., the first 2logN qubits of |ψ n 〉, where each qubit of the first logN qubits is the control qubit and the corresponding qubit of the second logN qubits is the target qubit. Call the resultant state ψ | ⟩ n . That is, (1.7) Furthermore, Alice measures the second register t, i.e., the second logN qubits of the whole quantum system, in the computational basis. If the measured result is |0〉, then she will continue to execute the next step; Otherwise she will believe that there is at least one dishonest bidder or outsider attacker and end this auction. ( . Alice prepares another auxiliary state |0〉, and then applies an oracle operator . Please note that the subscript h is omitted in |φ A 〉, because all qubits are held by Alice at this moment. Clearly, www.nature.com/scientificreports www.nature.com/scientificreports/ (1.9) Alice applies the Grover's search algorithm 36 to |φ A 〉 for finding a marked state |j〉|1〉|1〉, which implies j ∈ {x 1 , x 2 …, x n } and j ≥ x (i.e., finding a bid x i greater than or equal to x). Alice makes a measurement on the first register. Let the result of the measurement be y. If y > x and satisfy |y〉|1〉|1〉), then replace x with y.
The test procedure: (2.1) Alice first prepares a quantum state ψ i may be selected by Alice's experience and the valuation price, e.g., i could be a large enough number in ⁎ Z N ), and another quantum basis state |0〉 t . Similarly, Alice further performs logN CNOT gate operators on the product state |ψ〉 h |0〉 t to generate an entangled state ψ 〉 = Here the subscript h and t denote two registers, where the register h will stay at home and the register t will be transmitted through the quantum channel. Then Alice sends the register t to the first bidder Bob 1 through the quantum channel.
(2.2) All bidders cannot distinguish the quantum states from the normal procedure and the test procedure, so they continue to execute the same oracle operators as the normal procedure (i.e., (1.2-1.5)) to mark their respective bids in the transmitted quantum state |ψ i 〉.
. Finally, the bidder Bob n sends all remaining qubits of the state |ψ n 〉 back to the auctioneer Alice through the quantum channel.
i Obviously, P +i + P −i = I and P +i P −i = 0. If the measurement result is in | 〉 + | 〉 i 0 2 h h , then she will further measure the latter two registers in computational basis. If three measurement results are in | 〉 + | 〉 i 0 2 h h , |0〉 t and |0〉, respectively, then she will continue to execute the next step. Otherwise Alice will believe that there is at least one dishonest bidder or outsider attacker and end this auction.
Step 3. After executing the procedures of Step 2 (p + q) times, including the normal procedure p times and the test procedure q times, if the return result y is greater than or equal to her initial valuation price, Alice will announce y, i.e., the current highest bid (y ∈ {x 1 , x 2 , …, x n }). Otherwise Alice will open her commitment x (i.e., the initial valuation price) by opening the random number r simultaneously, declare the failure of the auction and terminate this auction. That is, there is not a bid greater than or equal to her initial valuation price, so this auction is fail. Of course, all participants may verify its truth by comparing H(r ⊕ H(r ⊕ x)) with the corresponding value b committed in Step 1.
Step 4. If there is a bid x j greater than the current highest bid y, the bidder Bob j will broadcast a complaint about the incorrectness of the current highest bid. Furthermore, if there is a complaint, Alice will ask for the bid of the complainer, and then she will update the current highest bid with it. But if there are two or more complaints, Alice will think there are dishonest bidders or outsider attackers and accordingly terminate this auction.
Step 5. Furthermore, if each bidder does not further receive any complaint, then he will believe that the current highest bid is highest. Suppose y = x k , i.e., the bidder Bob k should be the winner of the auction. Finally, in order to win the auction successfully, the bidder Bob k must publish his random number r k and his bid x k , i.e., open his commitment. All participants will compute H(r k ⊕ H(r k ⊕ x k )) and verify its authenticity by comparing it with the corresponding value b k committed in Step 1. In addition, Alice also needs to open her commitment x and accepts the verification of all bidders. If there is no error, the auctioneer Alice and all bidders will believe the auction is fair.

Analysis. Correctness.
Our PQSA scheme is based on Grover's search algorithm, which can find a solution with a high probability 1,36 . Assume the failure probability of Grover's search algorithm is δ 1 , where δ ≥ e (Note. e is the Euler's constant, which is the base of natural logarithms (approximately 2.7183)). Let E(N, t) be the expectation value of the number of iterations (i.e., the number of repeating Grover's search algorithm in Step 2) for finding the highest bid of N items in which t items are marked 38 . Then we write a recurrence equation for E(N, t) as: So we get Writing the same equation for (t − 1), …, 2 and adding all of them, we get, Obviously, E(N, 1) = 1. That is, there is only one marked item in the general state of N items, so it only needs to execute Grover's search algorithm once to get the highest bid with the high probability of − δ 1 1 . Furthermore, it will give, From Eq. (19) we can get, In our PQSA scheme, there are at most n marked item, i.e., all bids are greater than the initial valuation price. So an upper bound is achieved for t = n, when we get, Therefore, we can repeat Grover's search algorithm to obtain the highest bid with a probability of − δ ( ) When δ ≥ e, we can get The failure probability of n 1 is very small, so we only tolerate a complaint in Step 4. Therefore, if all participants honestly execute the procedures, our PQSA scheme is correct.
In above analysis, we assume that Grover's search algorithm has some probability of failure, i.e., the probability of finding the marked item is not exactly 1. Furthermore, Long 39 presented a modified version of Grover's search algorithm that searches a marked state with full successful rate. So, if we use Long's algorithm in our proposed protocol, it can get the better result theoretically.
Security. First, we analysis the proposed scheme can resist all kinds of outsider attacks. For an outsider attacker, he can intercept the transmitted messages, including classical messages and quantum messages. If the outsider attacker wants to get i i i without r i , it is equivalent to break Hash function. At present, there is still not efficient method to break secure Hash function (e.g., SHA-1, SHA-2) by quantum computers or quantum algorithms. So, in the following we main analysis the possible attack to the transmitted quantum messages.
Firstly, the outsider attacker may perform an intercept-and-resend attack, i.e., he can intercept the transmitted quantum messages, and resend a fake quantum messages back to Alice. For example, the attacker intercepts the partial qubits of the state ψ in the normal model. Clearly, the state |ψ n 〉 held by Alice and the attacker is an entangled state, where the reduced density matrixes of the subsystem held by them are , respectively. Though the reduced density matrix held by the attacker hides all private bids, the attacker cannot extract all by the principle of quantum mechanics. That is, even if the attacker measures his intercepted subsystem, he cannot get all private bids (i.e., all marked items). In fact, he can get at most one bid (i.e., one marked item) with a low probability because n ≪ N, and the bid does not reveal any identity of the bidder. However, if the attacker intercepts the partial qubits of the state ψ in the test model, then the reduced density matrix of the subsystem held by himself is 〉〈 | + 〉〈 | i i 0, 0 0, 0 , 0 , 0 2 , which is independent of all bids. That is, the intercepted subsystem cannot contain any private information about any private bid.
However, the attacker cannot distinguish the transmitted quantum states from the normal model and the test model. So, if the attacker measures his intercepted subsystem to get a bid, then he will be found later by Alice with great risk. For example, if the attacker measures the state ψ of the test model in the computation basis, the state |ψ n 〉 will be collapsed into |0〉 h |0〉 t |0〉 or |i〉 h |i〉 t |0〉 with the probability of 1 2 , respectively. Later, Alice performs the test procedure in (2.4) of Step 2, so she can easily find this attack.
Of course, if the attacker sends a fake quantum system back to Alice, instead of the true subsystem intercepted by him, it will be easily found by Alice in (1.7) or (2.4) of Step 2. Therefore, our scheme can resist the intercept-and-resend attack.
Secondly, we analyze a more complicated attack, that is, the outsider attacker performs an entangle-and-measure attack that he first prepares an ancillary quantum system and further entangles his ancillary quantum system and the www.nature.com/scientificreports www.nature.com/scientificreports/ intercepted subsystem by a local unitary operator, and afterward he can measure the ancillary quantum system to get the partial information about the private bids. The attacker's dishonest action can be described by a local unitary operator ∼ U, which is simply defined by, where |V(j)〉 is a vector orthogonal to |j〉|ξ(j)〉, i.e., In order to completely pass the honest test (see (1.7) or (2.4) of Step 2), it can easily deduce that η j = 1. That is, the whole quantum system sent back to Alice in the normal model should be in the following state after performing the operator ∼ U: After successfully passing the honest test, the state of the whole quantum system is in, That is, she will get | 〉 + | 〉 Finally, we consider that the attacker tries to add some false marked items in the returned state |ψ n 〉 by the oracle operators to manipulate the auction. On the one hand, if the false marked items are smaller than the highest bid, it will not affect the correctness of the auction; On the other hand, if a certain false marked item is greater www.nature.com/scientificreports www.nature.com/scientificreports/ than the highest bid, it will be easily found because no bidder claims the false bid. Even if a collusion bidder claims the false bid, obviously he will not successfully pass the public verification.
In a word, no matter which attack the outsider attacker performs, he cannot get any private information without risking Alice's detection, and cannot manipulate the auction yet. That is, our scheme can resist the outsider attacks.
In addition, by the system model defined in the section of 3.1, PQSA should meets five secure and privacy requirements. In the following section, we will prove that our proposed PQSA scheme can meet all these secure and privacy requirements.
(1) The auctioneer's privacy: From the scheme proposed above, we can easily see that the transmitted quantum messages do not include any information about Alice's initial valuation price x. In addition, among all quantum oracle operators utilized by our proposed scheme, it is only the oracle operator U Alice concerning x. However, U Alice only is performed in Alice's registers, and these quantum states transferred by the operator U Alice will be measured timely by Alice. So, if a dishonest bidder (or an outsider attacker) wants to steal Alice's private information, he can only perform the entangle-and-measure attack. However, we have analyzed the infeasibility of this attack above, because he cannot yet discern the normal model and the test model. If he performs the entangle-and-measure attack in the test model, his dishonesty will be found by Alice with the probability of 1 2 .
(2) The bidder's privacy: As we have analyzed above, any outsider attacker cannot get any private bid without risking the auctioneer's detection. In fact, for a bidder, he cannot get more information from the transmitted quantum messages than the outsider. If a dishonest bidder performs an attack, no matter concerned with measurement or entanglement, similarly, he will risk to be found later by the auctioneer. In short, no one can get the private bid of the bidder without risking the auctioneer's detection.
(3) Anonymity: By the proposed scheme, each bidder marks his bid in the transmitted quantum state |ψ i 〉. However, each bidder marks his bid in an anonymous way, i.e., the marked item in |ψ i 〉 does not leave any identity.
For a dishonest bidder, e.g., Bob 2 , if he wants to get the specific bid of Bob 1 when receiving |ψ 1 〉, he can perform Grover's search algorithm to find |x 1 〉 t |1〉 because Bob 2 knows that there is only one marked item (i.e., x 1 ) in |ψ 1 〉. However, if Alice selects the test model in Step 2, she can easily find this dishonesty because the final measurement result will be |0〉 h or |i〉 h , instead of | 〉 + | 〉 i 0 2 h h . That is, the dishonest bidder Bob 2 cannot get the bid of the first bidder Bob 1 without risking Alice's detection. In addition, after performing Grover's search algorithm, if Bob 2 directly sends a fake state to the next bidder, not |x 1 〉 t |1〉, obviously it will be easily found by Alice in (1.7) or (2.4) of Step 2.
As for the other bidder Bob i , even if he performs the similar attack to get |x 1 〉 t |1〉 by Grover's search algorithm, he still cannot get the specific identity of x j because of j ∈ {1, 2, …, i − 1}. Even if multiple bidders collude to perform this attack, it will be found later by Alice with the probability of + q p q . In addition, this attack also brings a risk of the failure of the auction, because our proposed scheme only permits at most one complaint when announcing the highest bid.
At present, we only assume that there is a circle quantum channel among the auctioneer and all bidders in our PQAS model. For the current technical conditions, obviously this model is more feasible. In fact, if there is a quantum channel between any two parties, the quantum messages can be transmitted in a random order, i.e., from Bob i to random Bob j , not Bob i+1 , such that it can provide the perfect anonymity of the bids.
For the auctioneer Alice, she can receive the returned state |ψ n 〉, in which all bids have be marked in an anonymous way. Furthermore, she can get a marked item |y〉|1〉|1〉 by Grover's search algorithm, but she cannot know y belongs to who because of y ∈ {1, 2, …, n}.
Therefore, our proposed scheme can ensure that the bidder's bid is anonymous for all participants, including the auctioneer.
(4) Public verifiability: On the one hand, when the highest bid x k is announced publicly, it needs to accept the comparisons of all other bidders to decide whether it is greater than their respective bids. On the other hand, to further win the auction successfully, the highest bidder Bob k requires to open his commitment x k to accept the verifications of the authenticity of the bid x k . As you know, there is not a perfect secure quantum bit commitment based on the No-Go Theorem [40][41][42] . So we utilizes a practical and efficient classical bit string commitment, in which it can not get x k only from k k k without r k , unless cracking the secure hash function, e.g., SHA-1, SHA-2. By the opening information r k , anyone can verify the authenticity of the winning bid x k . Even if the auctioneer wants to help a malicious bidder Bob j to win this auction, but they cannot revise the hash value j j j , which was published in advance, so the fake bid ⁎ r j (implying > ⁎ r r j k ) cannot pass the verification finally. That is, this attribute can defend the collusion attack between the malicious bidder and the dishonest auctioneer. In fact, bit string commitments ensures that the initial valuation price and all bids can not changed during the whole auction, otherwise the cheating will be found easily.
(5) Fairness: Since all bidders and the auctioneer need to commit their bids and the valuation price at the beginning of the auction, and the successfully winning bid needs to be verified publicly by all participants finally, no one can manipulate the auction, even for the auctioneer. That is, the auctioneer cannot help a malicious bidder to win the auction illegally without being found by other bidders. Therefore, our proposed scheme can guarantee the fairness of the auction.
We have analyzed the security of proposed scheme in ideal settings. However, in practical settings, there may be some faults (e.g., noise and error) in the quantum channels and quantum measurements. In order to ensure its security in practical settings, one can use the fault tolerant technologies, such as decoherence-free states and error-correcting code. In addition, we can use classical authenticated channels and quantum authenticated channels to ensure the correctness of distributing messages. www.nature.com/scientificreports www.nature.com/scientificreports/ Performance. The proposed scheme is mainly based on Grover's search algorithm. By the previous analysis, the number of iterations (i.e., the number of repeating Grover's search algorithm in Step 2) for finding the highest bid is less than or equal to lnn, which is its upper bound, so both the computational complexity and the communicational complexity are O(lnn), i.e., to execute O(lnn) Grover's search algorithms and to distribute O(lnn) quantum messages. To complete the task, any classical scheme needs to distribute O(n) messages in theory, where each message gets a bid in an anonymous way, and then finds the highest bid by comparing O(n) times. Obviously, our proposed quantum scheme gets the lower communicational complexity than any classical scheme.
In addition, to make our scheme work, the key step is to construct the efficient circuits implementing the oracle operators. In our scheme, we define two kinds of oracle operators to mark items in a general state. Similarly, using the techniques of reversible computation 1 , we can construct a classical reversible circuit which takes (x, y) -representing an input register initially set to x and a one bit output register initially set to y -to (x, y ⊕ f(x)), by modifying the usual (irreversible) classical circuit for doing the classical function f(x).
At present, Grover's search algorithm and its variants have been implemented by the newest reports [43][44][45] , especially in IBM quantum cloud 46 . So, with the rapid development of quantum computing and quantum information processing, we believe that our proposed PQSA scheme is feasible in the near future.

Conclusions
In this paper, we define a new privacy-preserving quantum sealed-bid auction model, and further present a novel privacy-preserving quantum sealed-bid auction scheme based on Grover's search algorithm. The proposed scheme not only guarantees the correctness and fairness of the auction, but also ensures the privacy and anonymity of the bidders, even for the auctioneer. Compared with the current existing quantum sealed-bid auction, our proposed scheme can provide stronger privacy protections, which are urgently requirements in modern network society. So the proposed scheme has wider popularization and application prospects.
In addition, we actually give an efficient quantum approach to privately find the optimal solution under the constraint conditions among multiple distributed participants, which can also be generalized into other secure applications, e.g., an election satisfying more than half of votes.

Data Availability
Data sharing is not applicable as no datasets were used during the current study.