Secure dynamic multiparty quantum private comparison

We propose a feasible and efficient dynamic multiparty quantum private comparison protocol that is fully secure against participant attacks. In the proposed scheme, two almost-dishonest third parties generate two random keys and send them to all participants. Every participant independently encrypts their private information with the encryption keys and sends it to the third parties. The third parties can analyze the equality of all or some participants’ secrets without gaining access to the secret information. New participants can dynamically join the protocol without the need for any additional conditions in the protocol. We provide detailed correctness and security analysis of the proposed protocol. Our security analysis of the proposed protocol against both inside and outside attacks proves that attackers cannot extract any secret information.


The Proposed DMQPC Protocol
Here, we will discuss the DMQPC protocol for three different scenarios, namely two-party QPC with two rounds, DMQPC with two rounds and DMQPC with B-block. Before the comparison of data, there are two main processes: (1) the validation check process; (2) the initial preparation and encryption process. The two processes are similar in the three scenarios, so they will be described in detail only for two-party QPC with two rounds.
Two-party QPC with two rounds. Suppose that Alice and Bob intend to compare the equality of their secrets X and Y, respectively, with the help of two almost-dishonest TPs. The binary representation of X in F_(2^n) is (x 0 , x 1 , ..., x n−1 ), and the binary representation of Y in F_(2^n) is (y 0 , y 1 , ..., y n−1 ), where X i , Y i ∈ {0, 1}^n and n ≥ 2 is the number of secret bits. In general, a protocol with two TPs has many advantages, such as: (1) improving load balance performance, since the workload can be distributed to two TPs (servers) instead of only one; (2) increasing availability, which ensures continuity of communication; (3) ensuring security, since one TP can monitor the performance of the other one [31]. The idea of adopting two TPs to execute the comparison task in QPC was first suggested by Hung et al. [31]. In our work, the advantage of using two TPs is that two independent random keys can be generated by two different TPs. More specifically, the first third party (TP 1 ) computes the comparison result of the first round, and the second third party (TP 2 ) computes the comparison result of the second round. Both TP 1 and TP 2 prepare a random secret key and send it to both Alice and Bob.
Validation check process. Firstly, X and Y must have the same length. Secondly, to correctly execute the proposed QPC protocol, secret data must be checked as follows; If the length of X(Y) is odd, then Alice (Bob) must replace the last bit with two bits;
Initial Preparation and Encryption Process. TP 1 and TP 2 prepare two random secret keys K rand TP1 and K rand TP2 , respectively, and send them through quantum channels to both Alice and Bob [16,47]. Then Alice and Bob split K rand into two equal parts K rand 1 and K rand 2 , where K rand ∈ {0, 1}^n and K rand 1 , K rand 2 ∈ {0, 1}^(n/2). To reduce the communication cost, Alice also divides X into two equal parts X part_1 and X part_2 . Alice then computes The encrypted parts X 1 and X 2 can be represented as follows. ..
n n n 2 2 , 2 2, 2 1 2, ( 1) where X 1 and X 2 are the first and second parts of X encrypted with K rand 1 and K rand 2 , respectively. Similarly, Bob computes Y 1 and Y 2 just as Alice does.  where Y 1 and Y 2 are the first and second parts of Y encrypted with K rand 1 and K rand 2 , respectively. Also, we have X 12 = X 1 ⊕ X 2 and Y 12 = Y 1 ⊕ Y 2 . Here, ⊕ is the exclusive-OR operation.
As shown in Table 1, Alice generates new encoded parts X 1 ′ and X 12 ′ from X 1 , X 2 , and X 12 according to the following rule: If the bit value of X 1 = X 12 = 0 (X 1 = X 12 = 1) then . Otherwise, X 1 ′ = X 1 and X 12 ′ = X 12 , where X 1 ′ and X 12 ′ are updated parts of X 1 and X 12 . The purpose of this process is to relate the secret message parts to each other so that we can reduce the communication cost. That is to say, it is possible to only compare one part of the secret messages in some situations to get the final result.
From Table 1, we can get the sequences X 1 ′ , X 12 , and X 12 ′ , with length n/2 : Alice uses the XOR function to encrypt X 1 with X 1 ′ getting C a1 , Similarly, Bob performs the same processes as Alice does, Alice computes X 12 = X 1 ⊕ X 2 : n n n n 12 1,0 2 , 2 1,1 2 ,( 2 1) 1, 2 1 2 , ( 1)
In our protocol, we have three options to compute and announce the comparison result. The first option would be for TP 1 to compute and announce (in the first and second rounds) the comparison result. The second option would be for TP 2 to compute and announce the comparison result. These two options can be used when availability of at least one TP is the most important requirement. The third option would be for the two TPs to collaborate to compute and announce the final result. The steps for executing the two rounds to compare the equality of parties' secrets are similar in the three options. The choice of which of the three options to use depends on whether the priority is availability, workload or security. The two rounds are described as follows.
Step 3. For the eavesdropping check, Alice randomly prepares a sequence of decoy photons l a1 in one of the states {|0〉, |1〉, |+〉, |−〉}. At random positions, she inserts l a1 into S a1 producing a new sequence S a1 ′ . Then, Alice transmits S a1 ′ to TP 1 .
Step 4. Alice announces the random positions and the measurement bases of l a1 to TP 1 for performing single photon measurements. TP 1 then reveals the measurement outcomes. Hence, TP 1 and Alice analyze the error rate. If the rate is higher than a predetermined threshold, then they terminate the protocol and restart the process again. Otherwise, TP 1 discards l a1 from S a1 ′ and extracts S a1 . Then TP 1 can restore C a1 , where S a1 represents C a1 .
Step 5. Bob and TP 1 perform the same Steps 2-4 as Alice and TP 1 to send C b1 to TP 1 .
Step 6. TP 1 performs a comparison between the first part of Alice's and Bob's secrets by computing R 1 = C a1 ⊕ C b1 . If R 1 = 0, this indicates that X and Y may be equal. In this case, they move to the next round to check whether Alice's and Bob's secrets are equal or not. Otherwise, X and Y are not equal, so there is no need to continue to the second-round to check the equality of the second parts.
The second-round. Step 7. TP 1 informs TP 2 that the first-round comparison result may be equal. Then TP 2 asks Alice and Bob to prepare X 12 and Y 12 , respectively.
Step 8. Alice and Bob perform the same processes described in Steps 2-4 to send X 12 and Y 12 to TP 2 .
Step 9. TP 2 computes R 2 = X 12 ⊕ Y 12 . If R = R 1 + R 2 = 0 then X and Y are equal. Otherwise, X and Y are not equal. A detailed example to check the equality of X = {001100110010} and Y = {011100110010} is shown in Tables 2 and 3.
Adding new participants. One of the main features of this protocol is the ease with which one or more participants can join. Without loss of generality, suppose a new participant called Charlie wants to join the old participants (Alice and Bob). The steps for adding a new participant are described as follows.
The first-round. Step 1. Charlie asks TP 1 and TP 2 to join the protocol.
Step 2. TP 1 asks Charlie to prepare C c1 = Z 1 ⊕ Z 1 ′ using the same protocol as Alice and Bob to prepare C a1 and C b1 , respectively.

Validity check
Length check for equality: X_length = Y_length = 12. Length check for 2 blocks: 12/2 = 6. Initial preparation . Else, X X 12 12 The same process for Y
Deleting old participants. Without loss of generality, suppose we have three participants Alice, Bob, and Charlie. TP 1 and TP 2 are allowed to delete one or more participants (e.g., Charlie) for several reasons. For example, they may want to compare just Bob's and Alice's private information. The detailed steps for deleting Charlie are as follows.
The first-round. Step 1. TP 1 and TP 2 agree to delete Charlie. TP 1 then discards C c1 .
Step 2. TP 1 updates the comparison process, to be only between Alice and Bob, TP 1 then recomputes R 1 . In that case, TP 1 computes and considers the result of If the result of R 1 = 0, this indicates that X and Y may be equal. In this case, they move to the next round to check whether Alice's and Bob's secrets are equal or not. Otherwise, X and Y are not equal and the final result is announced.
The second-round. Step 3. TP 1 informs TP 2 that the first-round comparison result of Alice's and Bob's secrets may be equal.
Step 4. TP 2 discards the encrypted information of Charlie (Z 12 ) and only considers the private information of Alice and Bob, that is, X 12 and Y 12 , respectively.
Multi-party QPC with two rounds. The proposed two-party QPC protocol is easy to extend to M participants (see Fig. 1). In this scenario, there are M participants P i (i = 1, 2, ..., M), and each of them has secret information X i ⁎ with length n. Firstly, participants check the validity of their secrets according to the validation check process. After they make sure that their secrets are valid for applying the proposed protocol, TP 1 and TP 2 send two random secret keys (K rand TP1 and K rand TP2 ) with length n to all participants. P i then perform the initial preparation and encryption process as shown in Eqs. (2)-(5) for producing X i,1 ⁎ and X i,2 ⁎ . From Table 1, each participant gets the sequences X i,1 ⁎ and X i,2 ⁎ , with length n/2 for each sequence. Also, each participant computes each participant has completed preparing encrypted secrets, and they are ready for checking the equality of their secrets using the QPC protocol.
[Flowchart figure. Labels: Step 1: Preparation 〈Alice〉; Steps 2&4: Eavesdropping check 〈Alice, TP 1 〉 (if the error rate is below the specified threshold, TP 1 obtains C a1 ; else, the communication process is terminated); Step 6: Check the equality (the protocol terminates with no need for a second round; otherwise, they continue to Round 2); Step 9: Check the equality.]
The first-round.
Step 1. TP 1 asks each participant to prepare C i,1 .
Step 2. P i prepares a quantum sequence containing n/2 single photons corresponding to
Step 3. For the eavesdropping check, P i randomly prepares a sequence of decoy photons l i,1 in one of the states {|0〉, |1〉, |+〉, |−〉}. At random positions,
Step 4. Upon receiving S i,1 ′ , P i announces the random positions and the measurement bases of l i,1 to TP 1 for performing single photon measurements. TP 1 then announces the measurement outcomes. TP 1 and P i analyze the error rate. If the rate is higher than a predetermined threshold, they terminate the communication and restart the process again. Otherwise, TP 1 discards l i,1 from S i,1 ′ and extracts S i,1 . Then TP 1 can restore C i,1 , where S i,1 represents C i,1 .
Step 5. TP 1 performs a comparison of the first part of P i 's secret, where for M = 3 may be equal. Hence, they move to the next round to compute the comparison check of Then it is not necessary to execute the second-round to check the equality of X i, 12 .
The second-round. Step 6. TP 1 informs TP 2 that the first-round comparison result may be equal. Then TP 2 asks P i to prepare X i,12 .
Step 7. P i performs the same processes as in Steps 2-4 to send X i,12 to TP 2 .
Step 8. TP 2 computes the comparison check of X i, 12 , are equal or not.
are not equal. Obviously, it is easy to add or remove any subset of participants to the protocol, where participants independently perform the required processes to prepare their secret for the final step of the protocol. Moreover, TP 1 and TP 2 can easily compare the equality of the secrets of any subset of M participants without any additional conditions.
Suppose there are M participants P i (i = 1, 2, ..., M). Each of them has secret information X i with a length of n, and they would like to check the equality of their secrets. Firstly, all participants check the validity of their secrets according to the previously described validation check. After they make sure that their secrets are valid for applying the proposed protocol, TP 1 and TP 2 send two random secret keys (K rand TP1 and K rand TP2 ) with length n to all participants. Based on the length of the secret data (n), TP 1 and TP 2 agree with participants on the value of B (see Fig. 2).
Subsequently, P i performs the initial preparations as previously indicated in Eq. (2) and Eq. (3) for generating X i j , 1 and X i j , 2 , where i = 1, 2, …, M. At this point, using Table 1, participants can easily prepare their encrypted secret information producing C i,j and X i j 12 , , and are ready to check the equality of their secrets using the following steps.
The first-round. Step 1. TP 1 asks each participant to prepare C i,j .
Step 2. P i prepares a sequence of n/(2B) single photons for each block, called S i,j , corresponding to C i,j , in the
Step 3. To prevent eavesdropping, P i randomly prepares a sequence of decoy photons l i,j in one of the states {|0〉, |1〉, |+〉, |−〉}. At random positions,
Step 4. Upon receiving S i,j ′ , P i announces the random positions and the measurement bases of l i,j to TP 1 for performing single photon measurements. TP 1 then announces the measurement outcomes. TP 1 and P i analyze the error rate. For any error rate above a predetermined threshold, they cancel the communication and restart all over again. Otherwise, TP 1 discards l i,j from S i,j ′ and extracts S i,j . TP 1 then can construct C i,j , where S i,j represents C i,j .
Step 5. TP 1 computes the comparison check of C i,j , where for M = 3 ) and if R 2 1 = 0 they continue to check the next block and so on until they reach the last block; otherwise, TP 2 announces that the secrets are not equal.

Correctness
From Table 4, according to our initial preparation and encryption method, for every two bits we get two different encrypted bits, that is to say, we get C a1 = 1 and X 12 = 0 only when X 1 = 0 and X 2 = 0. So, the bit values of C a1 and X 12 together are decisive in determining the bit values of X 1 and X 2 . Assume we have two participants Alice and Bob, and each participant has two bits X = 00 and Y = 10, respectively, and K rand = 00. Alice computes C a1 = X 1 ⊕ X 1 ′ = K rand 1 ⊕ X part_1 ⊕ X 1 ′ getting 1, and sends it to TP 1 . Bob also computes C b1 = Y 1 ⊕ Y 1 ′ = K rand 1 ⊕ Y part_1 ⊕ Y 1 ′ getting 1, and sends it to TP 1 . When TP 1 computes R 1 = C a1 ⊕ C b1 he gets R 1 = 0, which means that the secrets of Alice and Bob may be equal or unequal (note if R 1 = 1, TP 1 announces that the secrets of Alice and Bob are not equal). So, they should move to the second-round to compare X 12 and Y 12 .
In the second-round, Alice and Bob send X 12 and Y 12 to TP 2 , respectively. TP 2 computes R 2 = X 12 ⊕ Y 12 = 0 ⊕ 1 getting R 2 = 1. TP 1 then computes R = R 1 + R 2 getting R = 1, which means that X and Y are not equal. Thus, X and Y are equal if and only if R = R 1 = R 2 = 0. For example, suppose we have X = 0000 and K rand = 0000. Then X 1 = 00 and X 2 = 00. As shown in Table 5, we must get C a1 = X 1 ⊕ X 1 ′ = 11 and X 12 = 00 only when X 1 = 00 and X 2 = 00. Also, if we have Y = 0000 and K rand = 0000, then Y 1 = 00 and Y 2 = 00. Hence, we get C b1 = Y 1 ⊕ Y 1 ′ = 11 and Y 12 = 00. Now the two TPs can announce that the two inputs are equal by computing R = (C a1 ⊕ C b1 ) + (X 12 ⊕ Y 12 ) = 0, which proves the correctness of this protocol. Note that if we proposed that C a1 = X 2 ⊕ X 2 ′ and C b1 = Y 2 ⊕ Y 2 ′ instead of C a1 = X 1 ⊕ X 1 ′ and C b1 = Y 1 ⊕ Y 1 ′ respectively, we also get the same correct comparison result.
Here, we provide the necessary equations to verify the equality check by TP 1 and TP 2 for the various suggested protocols.
Two-party QPC with two rounds. From Eqs. (11) and (12), TP 1 computes To be sent to TP 1 To be sent to TP 2 rand part rand part part part From Eqs. (13) and (14), In the proposed protocol, computing only R 2 is not sufficient for getting the comparison result. For example, if we have X 1 = X 2 = 0, Y 1 = Y 2 = 1, and K rand 1 = K rand 2 = 0, then R 2 = 0 ⊕ 0 ⊕ 1 ⊕ 1 = 0. This would mean that X and Y are equal, in contrast to the correct comparison result (R = R 1 + R 2 = 1 + 0 = 1). In such a case, R 1 guarantees the correctness of the final result.
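The two-round check from the correctness discussion, as an added Python example (not code from the paper). It assumes a single n-bit K rand split into halves and a first-half/second-half split of the secret, and it derives X 1 ′ from the relation X 12 = 1 ⊕ X 1 ′ stated in the security analysis, because the Table 1 rule is not reproduced on this page; all function names are hypothetical.

```python
# Added example: classical bookkeeping of the two-party, two-round comparison.
# Assumptions (not the authors' code): one n-bit K_rand split into halves,
# secret split into first/second half, and X_1' = 1 xor X_12, taken from the
# relation "X_12 = 1 xor X_1'" in the security analysis.
import secrets


def bits(s):
    """Convert a bit string such as '0110' into a list of ints."""
    if not s or set(s) - {"0", "1"}:
        raise ValueError("expected a non-empty string of 0s and 1s")
    return [int(ch) for ch in s]


def xor(a, b):
    return [p ^ q for p, q in zip(a, b)]


def prepare(secret, k_rand):
    """Return (C_1, X_12): what one participant sends to TP1 and to TP2."""
    x, k = bits(secret), bits(k_rand)
    if len(x) % 2 or len(x) != len(k):
        # The odd-length padding rule is not given on the page, so reject.
        raise ValueError("secret and key must have the same even length")
    half = len(x) // 2
    x1 = xor(x[:half], k[:half])      # X_1 = X_part_1 xor K_rand_1
    x2 = xor(x[half:], k[half:])      # X_2 = X_part_2 xor K_rand_2
    x12 = xor(x1, x2)                 # X_12 = X_1 xor X_2
    x1_prime = [1 ^ b for b in x12]   # assumed encoding: X_1' = 1 xor X_12
    c1 = xor(x1, x1_prime)            # C_1 = X_1 xor X_1'
    return c1, x12


def compare(secret_x, secret_y, k_rand):
    """Run both rounds; return (equal, rounds_used)."""
    c_a1, x12 = prepare(secret_x, k_rand)
    c_b1, y12 = prepare(secret_y, k_rand)
    r1 = xor(c_a1, c_b1)              # first round, computed by TP1
    if any(r1):
        return False, 1               # unequal, no second round needed
    r2 = xor(x12, y12)                # second round, computed by TP2
    return (not any(r2)), 2


if __name__ == "__main__":
    # Worked cases from the text, then the 12-bit example with a fresh key.
    print(prepare("00", "00"))                  # Alice in the 2-bit example
    print(compare("00", "10", "00"))            # R1 = 0, R2 = 1
    print(compare("00", "11", "00"))            # R2 alone would be 0
    key = "".join(secrets.choice("01") for _ in range(12))
    print(compare("001100110010", "011100110010", key))
```

For X = 00 and Y = 11 both participants produce X 12 = Y 12 = 0, so only the first-round value R 1 exposes the difference, which is the case the text uses to justify keeping R 1.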

Security analysis.
Here, we will show the robustness of the proposed QPC protocol against insider and outsider attacks. If the length of the secrets is odd, it should be modified. This process not only contributes to correctly executing the proposed protocol but also assists in enhancing the security of the protocol by altering the original secret bits without affecting the final comparison result. Moreover, two random keys are generated and distributed between TPs and participants to encrypt the private information of parties. As discussed in [30,48], for improving the efficiency of the proposed DMQPC protocol, the private information of parties can be divided into several blocks of data. If the comparison result of a particular block is not equal, TP 1 announces that the outcome of the comparison is not similar; hence there is no need to execute the remaining rounds. The three protocols in subsections 2.1, 2.4, and 2.5 are similar. Also, in the two-party QPC with two rounds, the quantum channel in the first-round is similar to the quantum channel in the second-round, so here we only analyze the quantum communication in the first-round between the participants and TP 1 .
Outside attack. In the two-party situation, Alice (Bob) sends S a ′ (S b ′ ) to TP 1 , protected by single decoy photons l a1 (l b1 ). Alice (Bob) then announces the measurement bases and the positions of all inserted decoy particles. Subsequently, TP 1 announces the measurement results of all embedded decoy particles. Alice (Bob) then checks the security of the communication by checking whether the measurement results of the decoy particles are correct. Since the outside attacker does not learn the measurement bases of the decoy particles and their positions ahead of time, the well-known attacks such as entangle-resend attacks [32], correlation-elicitation attacks [49], and intercept-resend attacks [50] can be detected with nonzero probability [51]. For instance, if the eavesdropper, Eve, attempts to measure the decoy photons |0〉 or |1〉 in S a ′ (S b ′ ) with the correct basis (e.g., Z-basis), she successfully passes the public eavesdropping check. But if Eve attempts to measure the decoy photons |0〉 or |1〉 in S a ′ (S b ′ ) with an incorrect basis (e.g., X-basis), she will be detected with a probability of 50%. The probability of choosing the wrong measuring basis is 50%. Thus, the rate of detecting Eve for each single decoy photon is 25% (i.e., 50% × 50%). Hence, the rate of detecting Eve for l single decoy photons is 1 − (3/4)^l, where |l| = |l a1 | = |l b1 |. This rate approaches 1 when l is large enough. Furthermore, a Trojan-horse attack [52] is prevented since photons are transmitted only once from participants to TP 1 . So, our two-party QPC protocol is fully secure against outsider attacks. Since the proposed DMQPC protocol uses the same strategy as the two-party process, it is also secure against outsider attacks.
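The 1 − (3/4)^l detection rate above can be checked numerically. The following Python simulation is an added example, not part of the original paper; it assumes Eve measures and resends every decoy photon in a randomly chosen basis and that any wrong decoy outcome counts as detection, and its function names are hypothetical.

```python
# Added example: intercept-resend on decoy photons, simulated classically.
# Assumption: Eve attacks every decoy photon with a uniformly random basis,
# and a single wrong decoy outcome is enough to detect her.
import random

BASES = ("Z", "X")  # Z: |0>, |1>   X: |+>, |->


def detection_probability(l):
    """Closed form from the text: 1 - (3/4)^l for l decoy photons."""
    if l < 0:
        raise ValueError("l must be non-negative")
    return 1.0 - 0.75 ** l


def min_decoys(target):
    """Smallest l whose detection probability reaches `target`."""
    if not 0.0 < target < 1.0:
        raise ValueError("target must lie strictly between 0 and 1")
    l = 1
    while detection_probability(l) < target:
        l += 1
    return l


def eve_detected(l, rng):
    """One protocol run: True if any of the l decoys shows an error."""
    for _ in range(l):
        sender_basis = rng.choice(BASES)
        sender_bit = rng.randrange(2)
        eve_basis = rng.choice(BASES)
        if eve_basis == sender_basis:
            # Right basis: Eve reads the bit and resends the same state.
            continue
        # Wrong basis: the resent photon is an eigenstate of Eve's basis,
        # so the check in the announced basis yields a uniformly random bit.
        if rng.randrange(2) != sender_bit:
            return True
    return False


def simulate(l, trials, seed):
    """Empirical detection rate over `trials` runs with a fixed seed."""
    rng = random.Random(seed)
    hits = sum(eve_detected(l, rng) for _ in range(trials))
    return hits / trials


if __name__ == "__main__":
    for l in (1, 4, 8, 16):
        print(l, round(detection_probability(l), 4),
              round(simulate(l, 20000, seed=1), 4))
    print("decoys needed for 99% detection:", min_decoys(0.99))
```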
Participant's attack. A significant advantage of our three different scenarios is that participant attacks such as collusion attack and cheating attack are not possible for the proposed protocols. Each participant receives two random keys from TP 1 and TP 2 for encrypting her/his secret without the participation or assistance of other parties. Therefore, there is no exchange of information or even communication among participants, and each participant sends the private information directly to the TP 1 and TP 2 through quantum channels. Thus, to steal confidential information, dishonest participants must adopt Eve's attack strategies because they act as outside attackers. As discussed above, the protocol is secure against outside attacks.
TP's attack. TP's attack is another type of participant's attack which could threaten the security of the protocol. Here we prove that our scheme is secure against dishonest or malicious TPs. Firstly, with the assumption that the two TPs are not allowed to collude together or with participants, our protocol is secure since the encrypted data is distributed to two independent TPs for computing the final comparison result. To clarify, assume we have a secret a and an encryption key b and c = a ⊕ b. The probability of an attacker to know a is 1/2^n, where n is the length of the secret a [53]. In the proposed protocol, from TP 2 's point of view, as shown in Table 4, 2 where X part_1 is the first part of the secret message (X) and X part_2 is the second part of X. The probability of TP 2 to know X is 1/2^(n/2), where n is the length of the secret X, and n/2 is the length of X 12 . When n is large enough, the probability of getting the secret data is negligible. In addition, according to Table 4, TP 2 can obtain X 12 = 1 ⊕ X 1 ′ . Hence, if X 12 = 0 then TP 2 can learn that X 1 ′ = 1, otherwise X 1 ′ = 0. However, the private information of Alice is still secure against TP 2 's attack for two reasons: (1) TP 2 cannot learn any private information of Alice using X 1 ′ ; (2) the private information of Alice (X part_1 and X part_2 ) is protected by two random keys (K rand 1 and K rand 2 ). From TP 1 's point of view, Alice sends her encrypted secret (i.e., C a1 = X 1 ⊕ X 1 ′ (C a2 = X 2 ⊕ X 2 ′ )) to TP 1 . TP 1 cannot reveal any useful information without knowing X 1 or X 1 ′ (X 2 or X 2 ′ ). The probability of knowing the original secret is 1/2^(n/2), where n is the length of the secret X, and n/2 is the length of C a1 (C a2 ). When n is large enough, the probability of TP 1 to know the original secret is negligible. Also, when participants' secret data is divided into B
Abulkasim et al. [57] showed that the Liu-Wang protocol suffers from participant attack. In our proposed protocol, participant attack is not possible. Thus, our protocol is safe not only against well-known participant attacks but also against potential participant attacks. Both the Liu-Wang protocol and our protocol use single photon states as a quantum resource and perform single photon measurements. The Liu-Wang protocol uses one TP who performs single photon measurements. In our protocol, two TPs are adopted and they also perform single photon preparation and measurements.
Like the Liu-Wang protocol, in our scheme, both the TP and the participants prepare single photons for deducing the comparison result. Like the Liu-Wang protocol, our protocol is dynamic so that any new subset of M parties can join or leave the protocol at any time. However, in the Liu-Wang protocol, new participants have to participate in the protocol before the quantum states are measured. Unlike the Liu-Wang protocol, in our scheme, the TPs can compare the private information of any subset of M parties without any assistance from other parties. In contrast to the Liu-Wang protocol, our scheme reduces the cost of communication by half, in some situations, where the protocol can be executed in one round to get the final comparison result.
From Table 7, like the protocols in refs. [31,40,42-45,58], our protocol is secure against participant attack. In contrast with the proposed protocols in refs. [31,40-46], which suppose that there is a semi-honest TP who executes the QPC protocol loyally, our proposed protocol allows for almost-dishonest TPs. Unlike the protocols in refs. [31,40-46,58], our protocol is secure against a malicious TP 1 (TP 2 ). Like the protocols in refs. [31,46], our protocol works in an environment where participants and TPs could be strangers, where there is no need for authenticated channels to prevent secret information from leaking. Compared to previous work, our main contribution is that participant attack is not possible in this work, since there is no exchange of information or even communication among participants. In addition, our scheme reduces the cost of communication.

Conclusion
This work proposes a novel dynamic multiparty quantum private comparison protocol that does not allow participant attack. The proposed protocol divides the private information into equal parts, and every participant independently encrypts her/his secrets using two random keys before sending them to two third parties using quantum channels. The protocol is executed in one or more rounds depending on the result of the previous round. The private information can also be divided into a number of blocks, with each block containing two equal parts of the secret. The dynamic nature of the proposed protocol enables the two TPs to compare the private information of any subset of M parties without any assistance from other parties. Any subset of M parties can join in or leave the protocol at any time without any extra conditions. Our analysis proves that the proposed protocol is correct and fully secure against outside attack. Furthermore, the scheme is not open to participant attacks. Compared to existing schemes, our protocol is more efficient, more secure and more feasible. Thus, our scheme is an ideal choice for comparing private information of M parties.