Secure multiparty quantum computation based on Lagrange unitary operator.

As an important subtopic of classical cryptography, secure multiparty quantum computation allows multiple parties to jointly compute on their private inputs without revealing them. Most existing secure multiparty computation protocols suffer from low computational efficiency and high resource consumption. To remedy these shortcomings, we propose a secure multiparty quantum computation protocol that uses the Lagrange unitary operator and the Shamir (t, n) threshold secret sharing. The server generates all secret shares and distributes each secret share to the corresponding participant; in addition, he prepares a particle and sends it to the first participant. The first participant performs the Lagrange unitary operation on the received particle, and then sends the transformed particle to the next participant. Once the last participant's computation task is completed, the transformed particle is sent back to the server. The server performs a Lagrange unitary operation on the received particle by using a secret message, and then measures the transformed particle to obtain the sum of the calculations of multiple participants. Security analysis shows that the proposed protocol can resist intercept-measurement attack, intercept-resend attack, entanglement-swapping attack, entanglement-measurement attack and collusion attack. Performance comparison shows that it has higher computation efficiency and lower resource consumption than other similar protocols.

As an important part of classical cryptography, classical secure multiparty computation (CSMC) allows two or more participants to cooperate in calculating a relevant function without disclosing their private input information to each other, and finally to output a calculation result. CSMC comes from the millionaire problem of Yao 1. Based on this problem, many CSMC protocols were proposed 2. Nowadays, CSMC is widely applied to electronic transactions, information retrieval, data mining and other fields. With the rapid development of quantum communication and quantum computation, the security of classical cryptography has been greatly challenged, and CSMC is no exception. Quantum secure multi-party computation (QSMC) [3][4][5][6][7][8][9][10][11][12][13][14][15][16][17] is the expansion of CSMC to the quantum field. It overcomes the security defects of CSMC in theft detection and has advantages beyond the reach of CSMC.
To date, many researchers have investigated QSMC. In 2002, Crepeau et al. 18 proposed a multiparty quantum computation which can get right results as long as the number of dishonest players is less than n/6. In 2006, Ben-Or et al. 19 studied how many participants must remain honest in order to get the right results in QSMC. In 2008, Ivan et al. 20 proposed the first general protocol for QSMC, in which the total workload required by n players to compute a function f relates only to the growth of n. In 2010, Dominique 21 proposed that a quantum universal composability (UC) secure protocol for general multiparty computation can be constructed from commitment. In 2012, Li et al. 22 proposed a secure two-party scalar product protocol which takes advantage of quantum entanglement, quantum measurement and a trusted third party (TP). In 2013, Li et al. 23 proposed a QSMC protocol via quantum entanglement states. In 2019, Shi 24 proposed a generic quantum protocol for one-sided secure two-party classical computations, in which two parties can privately compute any classical function theoretically without the help of any third party.
In the process of investigating secure multiparty computation, secure multiparty quantum summation has also been investigated as a branch of secure multiparty quantum computation. In 2002, Heinrich et al. 25 studied the summation of sequences in the quantum computation model. In 2004, Heinrich et al. 26 continued to study the quantum summation algorithm in quantum multiparty computation. In 2007, Du et al. 27 proposed a protocol of secure quantum multiparty addition modulo n + 1 (n ≥ 6) by using non-orthogonal states. In 2010, Chen et al. 28 proposed a quantum addition protocol based on GHZ states. In 2014, Zhang et al. 29 proposed a quantum summation protocol using particles in both polarization and spatial-mode degrees of freedom. In 2015, Zhang et al. 30 proposed a quantum summation protocol based on the genuinely maximally entangled six-qubit states.
In recent years, Shi et al. 31 proposed a multiparty quantum summation and multiplication by quantum Fourier transform. We focus on the first protocol of quantum multiparty summation in that paper. The first participant prepares two initial particles and then performs QFT and CNOT operations on them to generate a 2-particle entangled state; he then sends one particle of the entangled state to the next participant. After receiving the particle, the participant prepares a new particle embedding the private information, and then performs the unitary operations on the received particle and the prepared particle. The transformed particle is sent to the next participant. After all participants have completed their computation tasks, the first participant uses the QFT^{-1} operation to obtain the sum of the privacy data of all participants. In this protocol, each participant needs to prepare initial particles, so it has a high resource consumption. Clementi et al. 32 proposed a protocol to perform multiparty computing among parties with limited quantum computation resources. In this protocol, all participants use only classical linear computations and finite quantum resources to jointly compute a nonlinear multivariable function f( ). The protocol is on a two-level Hilbert space, so its universality and practicability are insufficient. Yang et al. 33 proposed a secure multiparty quantum summation protocol based on quantum Fourier transform. In this protocol, the first participant prepares n entangled states, each of which has n particles. Each participant has n privacy data and receives n quantum sequences from the dealer, and then embeds the n privacy data into the received quantum sequence by performing a QFT operation and a unitary operation. After all participants have completed their computation tasks, each participant performs a measurement operation on the particles of the entangled states to obtain the computation result.
The protocol needs to prepare many initial particles and perform many QFT operations and unitary operations, so it has a high resource consumption cost and a high computation cost.
In order to reduce the resource cost and the computation cost, and to increase universality and practicality, this paper proposes a d-dimensional secure multiparty quantum computation protocol based on the Lagrange unitary operator, which completes the summation of the computational results of multiple participants. Shamir's (t, n) threshold scheme is used to enhance the security of the proposed protocol. Finally, the server obtains the summation result of multiple participants by measuring the particle. On the one hand, the correctness of the proposed protocol is proved theoretically; on the other hand, simulation experiments further verify the correctness of the proposed protocol.
Compared with other similar protocols, the proposed protocol is on the d-dimensional (d ≥ 2) quantum space. When the quantum environment is free space, it has better universality and practicability than the 2-dimensional QSMC protocol. What's more, each participant only needs to perform one unitary operation, which means the proposed protocol has higher computation efficiency than other similar protocols. Finally, only one quantum measurement is performed and only one initial particle is prepared in the proposed protocol, which means the proposed protocol has a lower resource consumption cost than other similar protocols.
The rest of this paper is organized as follows. In Preliminaries, we introduce the preliminary knowledge used in this paper. In Results, we describe the proposed protocol. In Correctness proof, we prove the correctness of the proposed protocol. In Simulation, we verify the proposed protocol's correctness by simulation. In Security analysis, we analyze the security of the proposed protocol. In Performance analysis and comparison, we analyze and compare the proposed protocol with other similar protocols. Finally, the conclusion is given.

Preliminaries
In this section, the related preliminaries are introduced, including the Lagrange unitary operator and Shamir's (t, n) threshold scheme, which will be used in presenting the proposed protocol.

Lagrange unitary operator
Suppose that q is an n × n unitary matrix, any of the set q q q q { , , , , } … − is not equal to unit matrix u, and q 0 is an n × n unit matrix u. The set q q q q { , , , , } {0, 1, , 1}. For example, when q is a 3 × 3 matrix, the set {q 0, q 1, q 2} is constructed as follows Let us substitute q 0, q 1, q 2 into Eq. (2), the Lagrange unitary operator m(θ) can be represented as

Shamir's (t, n) threshold scheme
Suppose that there is a trusted server and n participants {P i | i = 1, 2, …, n}. Shamir's (t, n) threshold scheme consists of the following two stages.
Step 1. Secret distribution stage. The server first randomly generates a polynomial with degree t − 1: , and a 0 is a secret message. Then he computes n secret shares {f(x i) | i = 1, 2, …, n}, and further he sends each secret share f(x i) (i = 1, 2, …, n) to the corresponding participant P i via a secure channel.
Step 2. Secret reconstruction stage. There are n distinct and nonzero points {f( . If at least t points {(x r, f(x r)) | r = 1, 2, …, t} are given, the polynomial f(x) can be reconstructed by using the Lagrange interpolation formula as follows If any t out of the n participants, denoted by = … P P P P { , , , } where 0 is an initial particle, R is a quantum state with summation result.
To ensure the security of the proposed protocol, each participant's share angle θ = … where R n is a quantum state with the summation result after blindness.
Protocol description. Based on Shamir's (t, n) threshold scheme, there is a trusted server and n participants = … P P P P { , , , } , any t of n participants want to complete joint computation. The proposed protocol can be divided into three stages: initialization stage, privacy computation stage and result output stage, as shown in Fig. 1.
Initialization stage. First, the server computes all secret shares and distributes each secret share to the corresponding participant; in addition, he prepares an initial particle and sends it to the first participant. This stage consists of the following two steps:
Step 1. The server randomly chooses t privacy integers … − a a a , , , t
Step 2. The server prepares an initial particle 0 and sends it to the first participant P 1, corresponding to step ①-② in Fig. 1.
Privacy computation stage. After the current participant P r (r ∈ {1, 2, …, t}) receives the particle sent by the previous participant P r−1, he performs the Lagrange unitary operation on the received particle, and then sends the transformed particle to the next participant. This stage consists of the following two steps:
Step on 0 to obtain the result R 1 and sends it to the participant P 2, corresponding to step ③-⑤ in Fig. 1.
Step 2. Similar to P 1, each of the remaining participants on R r−1 to obtain the result R r and sends it to the participant P r+1. Once P t's computational task is completed, the particle R t is sent to the server, corresponding to step ⑥-⑪ in Fig. 1.
Result output stage. The server performs a Lagrange unitary operation on the received particle, and measures the transformed particle to obtain the summation result of multiple participants. This stage consists of the following two steps:
Step 1. The server computes θ′ v = (2π a 0 / d) mod 2π, and then performs a Lagrange unitary operation m(−θ′ v) on R t to obtain the particle R, corresponding to step ⑫-⑭ in Fig. 1.
Step 2. The server measures the particle R to obtain the summation result of multiple participants and sends it to all participants via a secure channel.
A quantum circuit diagram is drawn to describe the execution process of the proposed protocol, as shown in Fig. 2. Here, we omit the share distribution processes. In Fig. 2, the server prepares an initial particle, and sends it to the first participant P 1. Then, P 1 performs the Lagrange unitary operation m(θ 1 ) 1 1 on the received particle to obtain R 1, and then sends it to the next participant. Once the last participant completes his computational task, the particle R t is sent to the server. Finally, the server performs the Lagrange unitary operation m(−θ′ v) on the received particle, and then measures the transformed particle to obtain the summation result of multiple participants.

Correctness proof
Theorem 1. Suppose that m(θ 1), m(θ 2) are any two d-dimensional Lagrange unitary operators. They have the following properties: , where u is the unit matrix. The proof process is shown in literature 34.
Lemma 1. According to Theorem 1, when each participant honestly follows the steps in the proposed protocol, the correct collaborative computation result can be obtained ultimately.
Proof. In the multiparty privacy computation stage, after each participant has performed the Lagrange unitary operation on the received particle R r−1, the Eq. (7) can be obtained According to Theorem 1, the Eq. (7) can be rewritten as: is the sum of private information of all participants, and ∑_{r=1}^{t} θ v r is the sum of the share angles of all participants. Therefore, in the multiparty privacy computation stage, the t participants' private information and their share angles are correctly embedded in the phase of a particle.
In the result output stage, the server computes with his own secret message a 0 . According to can be obtained. Thus, when the server performs When all participants honestly perform the proposed protocol steps, the correctness of the proposed protocol can be proved.
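The cancellation this proof relies on (the participants' share angles sum to the server's angle for a 0, which the server then removes) can be checked classically. The Python sketch below is an added example, not the authors' simulation code; it assumes phases add modulo d in units of 2π/d, that each share angle is the share weighted by its Lagrange coefficient at x = 0, and that private inputs are integers in Z_d. The values d = 7, n = 5, t = 3 follow the simulation section; the coefficients and inputs are constructed.

```python
"""Classical check of Shamir-blinded phase summation (added example)."""
import secrets

D = 7  # prime dimension; the page's simulation uses a 7-dimensional space


def make_shares(a0, t, xs, coeffs=None, d=D):
    """Evaluate f(x) = a0 + a1*x + ... + a_{t-1}*x^(t-1) mod d at each x."""
    if coeffs is None:  # random higher-order coefficients chosen by the server
        coeffs = [secrets.randbelow(d) for _ in range(t - 1)]
    poly = [a0 % d, *coeffs]
    if len(poly) != t:
        raise ValueError("need exactly t-1 coefficients besides a0")
    if any(x % d == 0 for x in xs) or len({x % d for x in xs}) != len(xs):
        raise ValueError("x values must be distinct and nonzero mod d")
    return {x: sum(c * pow(x, k, d) for k, c in enumerate(poly)) % d for x in xs}


def lagrange_at_zero(x_r, group, d=D):
    """Lagrange coefficient prod_{j != r} x_j / (x_j - x_r) mod d."""
    num, den = 1, 1
    for x_j in group:
        if x_j != x_r:
            num = num * x_j % d
            den = den * (x_j - x_r) % d
    return num * pow(den, -1, d) % d  # modular inverse exists because d is prime


def share_phase(x_r, share, group, d=D):
    """Blinding phase one participant adds (assumed form of the share angle)."""
    return share * lagrange_at_zero(x_r, group, d) % d


def combined_share_phase(group, shares, d=D):
    """Sum of all blinding phases in the group; equals a0 when len(group) >= t."""
    return sum(share_phase(x, shares[x], group, d) for x in group) % d


def run_protocol(private, shares, a0, d=D):
    """private maps x_r -> private input of each cooperating participant.

    Returns (result, trace): the value the server reads after unblinding and
    the phase carried by the particle after each participant's operation.
    """
    group = list(private)
    phase, trace = 0, []  # the server's initial particle carries phase 0
    for x_r in group:
        blind = share_phase(x_r, shares[x_r], group, d)
        phase = (phase + private[x_r] + blind) % d
        trace.append(phase)  # what an interceptor on this hop could at best see
    return (phase - a0) % d, trace  # server applies the inverse of its own phase


if __name__ == "__main__":
    # Constructed sample: f(x) = 4 + 2x + 5x^2 mod 7, five participants, t = 3.
    shares = make_shares(4, 3, [1, 2, 3, 4, 5], coeffs=[2, 5])
    result, trace = run_protocol({1: 2, 2: 5, 3: 6}, shares, a0=4)
    print("shares:", shares)
    print("phase after each hop:", trace)
    print("server output:", result, "expected:", (2 + 5 + 6) % D)
```

With fewer than t participants the blinding phases no longer sum to a 0, so the server's output does not equal the sum of the inputs.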

Security Analysis
In this section, the security of the proposed protocol is analyzed from five aspects: intercept-measurement attack, intercept-resend attack, entanglement-swapping attack, entanglement-measurement attack and collusion attack.
Intercept-measurement attack. Suppose that there is a malicious attacker Eve who wants to perform an intercept-measurement attack among t participants. When participant P r (r ∈ {1, 2, …, t}) completes his calculation task and sends the calculation result R r to the next participant P r+1, Eve intercepts the calculation result. Then, Eve tries to measure the particle R r and steal the privacy information θ * ( ) z u r r of participant P r. For example, in the multiparty privacy computation stage of the proposed protocol, the attacker Eve wants to obtain the privacy information θ * ( ) z u 1 1 of the participant P 1 through an intercept-measurement attack. Suppose that the participant P 1 completes his calculation task; when he sends the calculation result R 1 to the next participant P 2, Eve intercepts the particle R 1 on the transmission route from P 1 to P 2. She measures the particle by using the base
Intercept-resend attack. Suppose that there is a malicious attacker Eve who wants to perform an intercept-resend attack among t participants. When participant P r (r ∈ {1, 2, …, t}) completes his calculation task and sends the calculation result R r to the next participant P r+1, Eve intercepts the calculation result. Then, Eve prepares a new particle and sends it to the next participant P r+1. After P r+1 completes the operation task and sends the particle to P r+2, Eve intercepts the particle and tries to steal the privacy information θ * + + ( ) z u r 1 r 1 of participant P r+1. For example, in the multiparty privacy computation stage of the proposed protocol, suppose that the participant P 1 completes his calculation task; when he sends the calculation result R 1 to the next participant P 2, Eve intercepts the particle R 1 on the transmission route from P 1 to P 2. Then, she prepares a new particle 0 and sends it to P 2.
Suppose that the participant P 2 completes his calculation task; when he sends the calculation result R 2 to the next participant P 3, Eve intercepts the particle R 2 on the transmission route from P 2 to P 3. She measures the particle by using the base { } . Since the attacker does not know the privacy share f(x 2), she cannot obtain the value of θ v 2, let alone the privacy information θ * ( )
Entanglement-swapping attack. Entanglement swapping is a joint measurement, which swaps entangled states by measuring between different particles. This requires that the particle containing the privacy information be a multi-particle entangled state. But in the proposed protocol, a single particle is used for privacy information storage, not entangled particles. Thus, the proposed protocol can resist entanglement-swapping attacks.

Entanglement-measurement attack.
Suppose that the attacker Eve attempts to carry out an entanglement-measurement attack among t participants. Suppose that the participant P r (r ∈ {1, 2, …, t}) completes his calculation task; when he sends the calculation result R r to the next participant P r+1, Eve intercepts the calculation result R r on the transmission route from P r to P r+1. Then, she prepares an ancilla particle and performs the CNOT operation on the intercepted particle and the ancilla particle to generate a 2-particle entangled state. Finally, Eve measures the ancilla particle to obtain the privacy information θ * ( ) z u r r of participant P r. For example, the attacker Eve wants to obtain the privacy information θ * ( ) z u 1 1 of the participant P 1. Suppose that the participant P 1 completes his calculation task; when he sends the calculation result R 1 to the next participant P 2, Eve intercepts the particle R 1 on the transmission route from P 1 to P 2. Then, she prepares a d-dimensional ancilla particle c (c ∈ {0, 1, …, d − 1}) and uses R 1 as the control particle and c as the target particle to perform the CNOT operation to obtain + R c R after the operation task is completed, then he sends the particle R 1 to the next participant P 2. After P 2's operation task is completed, P 2 sends the particle R 2 to P 3. After the colluder P 3 receives the particle, he records the information of θ θ * + ( ) on the particle R 2 to obtain a particle that contains the privacy information of the participant P 2. P 3 measures the particle by using the base { } of the participant P 2. θ v 2 is computed from the participant P 2's privacy share f(x 2); however, P 1, P 3 do not know , so they cannot deduce the privacy information θ * ( ) z u 2 2 from it. In the result output stage, after the 4 participants receive the calculation results, the participants P 1, P 3 want to collude and obtain the private information θ * z ( ) u of the other 2 participants P 2, P 4.
Because the calculation result is calculated by the privacy information of four participants, even if participants P 1 and P 3 collude, they can only obtain the sum of the privacy information of the participants P 2 and P 4 , and they cannot deduce the private information of any one participant. Thus, the proposed protocol can resist collusion attack.

Simulation
In this section, the proposed protocol is simulated by a specific example on a classical computer. The simulation mainly focuses on the privacy computation stage and the result output stage.
Suppose that all quantum states are on 7-dimensional Hilbert space. In the proposed protocol, there are 5 participants P P P P P , , , , 1  . Further, the server distributes each secret share f(x r) (r = 1, 2, …, 5) to the corresponding participant via a secure channel. Now three participants P P P , , 1 to obtain the particle R 1 and sends it to the participant P 2. Once participants P 2, P 3 have completed their computational tasks, the private information of the three participants has been embedded into the particle R 3.
In the result output stage, the server uses the secret message a 0 to perform the Lagrange unitary operation on the received particle R 3. According to Shamir's (t, n) threshold scheme, Owing to
Table 1. Simulation processes of multiparty privacy computation stage.
[Table columns: Ref. 31, Ref. 32, Ref. 33, the proposed protocol]
In order to verify the correctness of the simulation results, we perform the Lagrange unitary operator with the private information θ * ( ) z u r r (r = 1, 2, 3) on particle 0 to obtain the result R′. We compare R and R′ to judge whether the result of the collaborative computation is correct or not.
( (1 1 79519 From the above calculation results, the particle R is the same as the particle R′. Thus, the results of the collaborative computation of the three participants are correct.

Performance Analysis and Comparison
In this section, the performance of the proposed protocol is analyzed and compared with three other similar protocols (refs. 31, 33 and the first protocol of multiparty summation computation in ref. 32). We suppose that all protocols have n participants and, when ref. 32 is compared to the proposed protocol, that all quantum states are on 2-dimensional Hilbert space. When ref. 31
Number of initial particles. In ref. 31, the first participant prepares two initial particles and each of the other participants prepares one initial particle, so the number of initial particles in ref. 31 is n + 1. In ref. 32 and the proposed protocol, the server prepares one initial particle to carry the privacy information of all participants, so the number of particles in ref. 32 and the proposed protocol is 1. In ref. 33, the first participant prepares n entangled states, each of which has n particles, so the number of initial particles in ref. 33 is n^2.
Number of entangled states. In ref. 31, the first participant performs the QFT and CNOT operations on the two initial particles to generate a 2-particle entangled state, so the number of entangled states in ref. 31 is 1. In ref. 33, the first participant prepares n entangled states, each of which has n particles, so the number of entangled states in ref. 33 is n. In ref. 32 and the proposed protocol, entangled states are not used, so the number of entangled states in ref. 32 and the proposed protocol is 0.
Number of QFT operations. In ref. 31, the first participant performs one QFT operation on two particles to prepare an entangled state, so the number of QFT operations in ref. 31 is 1. In ref. 33, each participant has n privacy data and receives n quantum sequences from the dealer, and then he embeds the n privacy data in the received quantum sequence by performing QFT operations and unitary operations, so the number of QFT operations in ref. 33 is n. In ref. 32 and the proposed protocol, QFT operations are not used, so the number of QFT operations in ref. 32 and the proposed protocol is 0.
Scientific Reports (2020) 10:7921 | https://doi.org/10.1038/s41598-020-64538-8
Number of unitary operations. In ref. 31, the previous participant sends a particle of the entangled state to the next participant. After the current participant receives the particle, a new particle containing the private information is prepared. He performs the unitary operations on the received particle and the prepared particle. The transformed particle is sent to the next participant until all participants have completed their operational tasks. Thus, the number of unitary operations in ref. 31 is n. In ref. 32, the server prepares a particle and sends it to the first participant. The first participant performs two unitary operations on the received particle to embed the privacy input and the secret input into the phase of the particle. He sends the transformed particle to the next participant, until all participants have completed their computational tasks. Thus, the number of unitary operations in ref. 32 is 2n + 1. In ref. 33, each participant has n privacy data and receives n quantum sequences from the dealer. Each participant performs QFT and unitary operations on n particles of entangled states to embed their own n privacy data into the phases of n particles. Thus, the number of unitary operations in ref. 33 is n^2. In the proposed protocol, all participants and the server perform the Lagrange unitary operation on the particle, so the number of unitary operations in the proposed protocol is n + 1.
Number of measurement operations. In ref. 32 and the proposed protocol, the server measures a particle to obtain the computation result, so the number of measurement operations in ref. 32 and the proposed protocol is 1. In ref. 33, each participant measures the particles of the entangled states to obtain the computation result, so the number of measurement operations in ref. 33 is n^2. In ref. 31, measurement operations are not used, so the number of measurement operations in ref. 31 is 0.
Summary. From the performance analysis and comparison as mentioned above, we draw conclusions from three aspects: universality and practicability, computation cost, resource cost.
Comparing ref. 32 with the proposed protocol, ref. 32 is a 2-dimensional protocol and the proposed protocol is a d-dimensional protocol on the Hilbert space, so the proposed protocol has better universality and practicality. In the computation efficiency aspect, the total number of QFT operations, QFT^{-1} operations and unitary operations in the proposed protocol is smaller than that in ref. 32, so it has higher computation efficiency. In the resource consumption cost aspect, the total number of initial particles, entangled states and measurement operations in the proposed protocol is the same as that in ref. 32, so they have the same resource consumption cost.
Comparing refs. 31, 33 with the proposed protocol, suppose that the number of participants is n = 3 and that the dimensions of the Hilbert space of the three protocols are the same. In the three protocols, the numbers of initial particles are 4, 9, 1, respectively, the numbers of entangled states are 1, 3, 0, respectively, the numbers of QFT operations are 1, 9, 0, respectively, the numbers of unitary operations are 3, 9, 4, respectively, the numbers of QFT^{-1} operations are 1, 0, 0, respectively, and the numbers of measurement operations are 0, 9, 1, respectively. As shown in Fig. 3, in the computational efficiency aspect, the number of QFT operations, the number of QFT^{-1} operations and the number of unitary operations in the proposed protocol is the same as that in ref. 31, but higher than that in ref. 33. In the resource consumption cost aspect, the number of initial particles, the number of entangled states and the number of measurement operations in the proposed protocol is smaller than that in refs. 31 and 33, so it has a lower resource consumption cost.

Conclusion
In this paper, we propose a secure multiparty quantum computation protocol based on the Lagrange unitary operator, which applies the Lagrange unitary operator to a single particle to obtain the summation of the computational results of multiple participants. In addition, the Shamir (t, n) threshold scheme is employed in the proposed protocol to ensure its security. The security analysis shows that the proposed protocol can resist intercept-measurement attack, intercept-resend attack, entanglement-swapping attack, entanglement-measurement attack and collusion attack. The simulation experiment proves the correctness of the result of the proposed protocol. Compared with other existing similar protocols, the proposed protocol has a lower resource consumption cost and higher computational efficiency.