Hybrid Quantum Protocols for Secure Multiparty Summation and Multiplication

Summation and multiplication are two basic operations for secure multiparty quantum computation. The existing secure multiparty quantum summation and multiplication protocols use an (n, n) threshold approach and their computation type is bit-by-bit, where n is the total number of players. In this paper, we propose two hybrid (t, n) threshold quantum protocols for secure multiparty summation and multiplication based on Shamir's secret sharing, the SUM gate, the quantum Fourier transform, and the generalized Pauli operator, where t is the threshold number of players that can perform the summation and multiplication. Their computation type is secret-by-secret with modulo d, where d, n ≤ d ≤ 2n, is a prime. The proposed protocols can resist the intercept-resend, entangle-measure, collusion, collective, and coherent quantum attacks. They have better computation and communication costs, and no player can obtain another player's private input.

Secure multiparty quantum computation is an essential component of quantum cryptography. Summation and multiplication are two basic operations for secure multiparty quantum computation. Secure multiparty quantum summation and multiplication involve a list of secrets shared among a set of players, who jointly perform the summation or multiplication without revealing their secrets. The classical summation and multiplication protocols cannot provide unconditionally secure communication. However, the quantum summation and multiplication protocols can provide unconditional security, as they are based on principles of quantum mechanics such as quantum correlation [1], entanglement for bipartite systems [2], and the Heisenberg XYZ model [3]. In 2007, Du et al. [4] discussed a secure multiparty quantum addition modulo n + 1 protocol based on non-orthogonal states, where n is the total number of players. In 2010, Chen et al. [5] introduced a secure multiparty quantum addition modulo 2 protocol based on multi-particle entanglement. In 2014, Zhang et al. [6] presented a protocol with addition modulo 2 based on both polarization of a single photon. In 2010, a three-party quantum addition modulo 2 protocol was discussed by Zhang et al. [7]. These protocols have some limitations: for example, they cannot perform addition correctly if one player is dishonest, as they use an (n, n) threshold approach, and their modulo is very small. They have high communication and computation costs due to the bit-by-bit computation. In 2015, Shi et al. [8] discussed a secure multiparty quantum summation and multiplication protocol. This protocol is efficient, but it has an (n, n) threshold approach. In 2017, Shi and Zhang [9] introduced a two-party quantum protocol for summation. This protocol cannot perform summation correctly if one party is dishonest. In the same year, a multiparty quantum summation modulo 2 protocol was discussed by Zhang et al. [10]. This protocol is efficient but its modulo is too small. Then, Liu et al. [11] discussed a secure multiparty quantum summation protocol based on two-particle Bell states. This protocol is efficient but its modulo is 2 and it has an (n, n) threshold approach. In 2018, Yang and Ye [12] introduced a secure multiparty quantum protocol for summation based on the quantum Fourier transform. The computation type of this protocol is secret-by-secret, but it has an (n, n) threshold approach. Recently, Jiao et al. [13] have discussed a secure multiparty quantum summation and multiplication protocol with mutually unbiased bases. This protocol is efficient, but the computation type of this protocol is secret-by-secret and it has an (n, n) threshold approach. Most of the existing secure multiparty summation and multiplication protocols have an (n, n) threshold approach and a bit-by-bit computation type. Further, they are not practically feasible as they require high communication as well as computation costs.
In this paper, we propose two hybrid (t, n) threshold quantum protocols for secure multiparty summation and multiplication. In order to incorporate the advantages of both quantum and classical multiparty summation and multiplication, we apply the quantum methods in a secure multiparty computation. The novelty of the proposed work can be summarized as follows. Our protocols have a (t, n) threshold approach, where t players can perform the quantum summation and multiplication systematically and efficiently without revealing their private inputs. They require lower communication and computation costs as their computation type is secret-by-secret. Further, our proposed protocols possess all the benefits of the existing secure multiparty quantum summation and multiplication protocols (i.e., they use qudits instead of qubits, do not require the secret information to be passed through the transmitted particles, do not require entanglement measurement, and the quantum attacks cannot be performed).

Preliminaries
Here, we introduce the Shamir's secret sharing, quantum state, SUM gate, quantum Fourier transform (QFT), and generalized Pauli operator, which will be used in our work.
Shamir's secret sharing. In Shamir's secret sharing, there is a set of players and a dealer [14]. This secret sharing scheme consists of two phases: secret sharing and secret reconstruction. In the secret sharing phase, the dealer shares a secret among n players using a polynomial f(y) of degree t − 1; each player knows only his share. In the secret reconstruction phase, the t players reconstruct the secret using Lagrange interpolation. The Lagrange interpolation is defined as follows.
SUM gate. In quantum computing, the SUM gate is defined as follows [16].
where $|u\rangle$ and $|v\rangle$ denote control and target particles, respectively, and
Quantum Fourier transform (QFT). The discrete Fourier transform is the foundation of the QFT. The d-level QFT is defined as follows [8].
Generalized Pauli operator. In quantum computing, the d-level generalized Pauli operator is defined as follows [17].

Proposed Protocols
In this section, we propose two hybrid (t, n) threshold secure multiparty quantum summation and multiplication protocols. Suppose X and Y hold two secrets a and b, respectively, and want to compute (a + b) or (a × b) without revealing their secrets. In the proposed protocols, we assume that the set of players is $P = \{P_1, P_2, \ldots, P_n\}$, that each qualified subset contains t players, and that player $P_1$ is the initiator.
Hybrid secure multiparty quantum summation protocol. Here, we discuss our proposed hybrid (t, n) threshold secure multiparty quantum summation, whose procedure is given as follows.
… are coefficients and a and b are the secrets of X and Y, respectively. Then, they compute the classical shares $f(y_i)$ and $g(y_i)$, respectively, using Shamir's secret sharing [14] and distribute these shares among the set of players $P = \{P_1, P_2, \ldots, P_n\}$. Player $P_i$, $i = 1, 2, \ldots, n$, possesses only his shares $f(y_i)$ and $g(y_i)$.
and keeps $h(y_i)$ secret.
Step 3: Player $P_k$, $k = 1, 2, \ldots, t$, computes the shadow of his shares, denoted $A_k$, as follows.
Step 6: Each player $P_k$, $k = 2, 3, \ldots, t$, applies the QFT operation on his particle $|l\rangle_k$ and then executes the generalized Pauli operator $U_{A_k,0}$, $k = 1, 2, \ldots, t$. The quantum state $|\varphi_2\rangle$ evolves into the quantum state $|\varphi_3\rangle$, which is obtained as follows:
Step 7: In the computational basis, each player $P_k$, $k = 2, 3, \ldots, t$, measures his particle $m_k + A_k$ and broadcasts his measurement result $m_k + A_k$, $k = 1, 2, \ldots, t$.
Step 8: Finally, they jointly compute the summation by adding their measurement results. The summation of the secrets is computed as:
Hybrid secure multiparty quantum multiplication protocol. Here, we discuss our proposed quantum protocol for secure multiparty multiplication, whose procedure is given as follows.
Step 1: Initially, X and Y select two different polynomials $f(y) = a + c_1 y + c_2 y^2 + \cdots + c_{t-1} y^{t-1} \bmod d$ … and $c_1, c_2, \ldots, c_{t-1}$ are coefficients of polynomials $f(y)$ and $g(y)$, respectively. Then, they compute the classical shares $f(y_i)$ and $g(y_i)$, respectively, and distribute them among n players. Player $P_i$, $i = 1, 2, \ldots, n$, knows his shares $f(y_i)$ and $g(y_i)$ only.
Step 2: The total polynomial, denoted as $T_i$, is computed by each player $P_i$, $i = 1, 2, \ldots, n$, using the Vandermonde matrix [18].
Step 3: Each player $P_k$, $k = 1, 2, \ldots, t$, computes the shadow $B_k$ of his share as follows.
Step 8: Finally, they compute the multiplication by adding their measurement results. The multiplication of the secrets is computed as:

Correctness
In this section, we prove the correctness of our proposed protocols. We discuss the correctness proof of the secure multiparty quantum summation protocol only. The correctness proof of the secure multiparty quantum multiplication protocol is very much similar to that of the secure multiparty quantum summation protocol.
Proof 1. Applying the QFT and Pauli operators by each player $P_k$, $k = 1, 2, \ldots, t$, on his particle gives the quantum state as follows. Each player $P_k$, $k = 1, 2, \ldots, t$, measures his particle in the computational basis. They compute the sum after receiving the other players' measurement results.
Example. Here, we illustrate our proposed secure multiparty quantum summation and multiplication protocols using an example. Suppose X and Y have two secrets 4 and 2, respectively, and want to compute their sum and multiplication without revealing their secrets. X and Y share these secrets among 7 players $P = \{P_1, P_2, \ldots, P_7\}$, and the qualified subset $\{P_1, P_2, P_3\}$ computes the summation and multiplication. X and Y select the prime 11. Thus, prime d = 11, threshold t = 3, and total number of players n = 7.
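The classical bookkeeping of the summation protocol for the parameters above (d = 11, t = 3, n = 7, secrets 4 and 2), as an added example that is not code from the paper. It assumes public points y_i = i and the standard Lagrange coefficient for the shadow A_k, and it replaces the quantum steps with random masks m_k that sum to 0 mod d, the property Step 8 needs for the broadcast values to add up to the sum.

```python
import secrets

D, T, N = 11, 3, 7  # prime modulus, threshold, player count from the example

def share(secret, d=D, t=T, n=N):
    """Shamir shares {y_i: f(y_i)} from a random degree-(t-1) polynomial mod d."""
    coeffs = [secret % d] + [secrets.randbelow(d) for _ in range(t - 1)]
    # Assumption: the public evaluation points are y_i = i for i = 1..n.
    return {y: sum(c * pow(y, e, d) for e, c in enumerate(coeffs)) % d
            for y in range(1, n + 1)}

def lagrange_at_zero(y_k, ys, d=D):
    """Lagrange coefficient prod_{j != k} y_j / (y_j - y_k) mod d."""
    num = den = 1
    for y_j in ys:
        if y_j != y_k:
            num = num * y_j % d
            den = den * (y_j - y_k) % d
    return num * pow(den, -1, d) % d

def zero_sum_masks(subset, d=D):
    """Stand-in for the measurement outcomes m_k: random, summing to 0 mod d."""
    masks = {k: secrets.randbelow(d) for k in subset[1:]}
    masks[subset[0]] = -sum(masks.values()) % d
    return masks

def summation(a, b, subset, d=D, t=T, n=N):
    """Return (a + b) mod d, the broadcast values, and the private shadows."""
    subset = sorted(set(subset))
    if len(subset) < t:
        raise ValueError("fewer than t distinct players cannot reconstruct")
    f, g = share(a, d, t, n), share(b, d, t, n)
    h = {y: (f[y] + g[y]) % d for y in f}   # each player adds his two shares
    shadow = {k: h[k] * lagrange_at_zero(k, subset, d) % d for k in subset}
    m = zero_sum_masks(subset, d)
    broadcast = {k: (m[k] + shadow[k]) % d for k in subset}
    return sum(broadcast.values()) % d, broadcast, shadow

if __name__ == "__main__":
    total, broadcast, shadow = summation(4, 2, [1, 2, 3])
    print("broadcast m_k + A_k:", broadcast)
    print("private shadows A_k:", shadow)
    print("sum of broadcasts mod 11:", total)   # 4 + 2 = 6
```

In this model each broadcast value on its own is uniformly distributed, so only the total is meaningful.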

Security Analysis
In this section, we analyze the security of our proposed secure multiparty quantum summation and multiplication protocols. We mainly focus on the security analysis of the summation protocol because the security analysis of the multiplication protocol is very similar to that of the summation protocol.
(2020) 10:9097 | https://doi.org/10.1038/s41598-020-65871-8 www.nature.com/scientificreports
Intercept-resend attack. Suppose an eavesdropper E intercepts the particle $|l\rangle_k$ and measures it in the computational basis $\{|1\rangle, |2\rangle, \ldots, |d-1\rangle\}$ to extract information about the shadow of the share. The eavesdropper E prepares a fake particle $l_k$ and resends it to player $P_k$, $k = 2, 3, \ldots, t$. If E performs this attack, then he can compute l correctly with probability $1/d$. But E cannot get any valuable information about the shadow of the share from l, because $|l\rangle_k$ does not contain any valuable information about the shadow of the share.
Collusion attack. In our proposed protocols, each player $P_k$ measures his particle $m_k + A_k$ and broadcasts his measurement result $m_k + A_k$, $k = 1, 2, \ldots, t$. Thus, other players cannot obtain the shadow of the share ($A_k$). Suppose the dishonest players $P_{r-1}$ and $P_{r+1}$ collude to obtain other players' shadow of the share $A_k$. They cannot get any information about the shadow of the share because player $P_1$ sends only the particles $|l\rangle_k$ to the other players and nothing else, and the particles $|l\rangle_k$ do not carry any valuable information about the shadow of the share. So, this attack is not possible in our proposed protocols.
Entangle-measure attack. In this attack, the eavesdropper E intercepts all the particles $|l\rangle_k$ when the initiator $P_1$ sends the particles $|l\rangle_k$ to player $P_k$, $k = 2, 3, \ldots, t$. Further, E selects an intercepted particle $|l\rangle_m$ and prepares an ancillary particle $|c\rangle$. The d-level SUM operation is performed by E on $|l\rangle_m$ to entangle the ancillary particle $|c\rangle$. The quantum state $|\varphi_2\rangle$ evolves into $|\varphi_2\rangle'$, which is given below.
E measures the ancillary particle $|c\rangle$ and gets the initial value $|c\rangle$. So, E concludes that the particles $|l\rangle_m$ and $|r\rangle_r$ are the same. Based on this conclusion, E assumes that all the particles $|l\rangle_k$ are the same. Thus, E cannot get any information about the shadow of the share from this attack.
Collective attack. In this attack, E interacts with each qudit by preparing an independent ancillary particle and jointly performs the measurement operation on all the ancillary qudits to get the shadow of the share. E prepares an independent ancillary particle $|c\rangle$ to interact with each qudit of player $P_k$, $k = 1, 2, \ldots, t$. After interacting, E gets the particle $|l\rangle_k$ and jointly performs the measurement operation in the computational basis $\{|1\rangle, |2\rangle, \ldots, |d-1\rangle\}$ to learn the shadow of the share. From this joint measurement, E cannot get any information about the shadow of the share because $|l\rangle_k$ does not contain any information about the shadow of the share.
Coherent attack. In a coherent attack, E jointly interacts with all qudits of player $P_k$, $k = 1, 2, \ldots, t$, by preparing an independent ancillary particle $|c\rangle$, and he gets each player's particle $|l\rangle_k$. E jointly performs the measurement operation in the computational basis $\{|1\rangle, |2\rangle, \ldots, |d-1\rangle\}$ on each player's particle $|l\rangle_k$. From this measurement of particle $|l\rangle_k$, E only gets l with probability $1/d$. But l does not contain any valuable information about the shadow of the share. Here, E only knows the interacting particle $|l\rangle_k$, nothing else. So, from this attack, E cannot learn the shadow of the share.

Performance Analysis
Here, we analyze the performance of our proposed secure multiparty quantum summation and multiplication protocols and compare it with that of ten existing secure multiparty quantum summation and multiplication protocols: [8] are based on multiparty computation and computation type is secret-by-secret, but they have an (n, n) threshold approach. In Shi et al.'s protocols [8], the QFT is applied on the first particle by the initiator $\mathrm{Bob}_1$, who sends the second particle to the next player. Then, the unitary operation is performed by each player $\mathrm{Bob}_i$, i = 2, 3, …, n. The initiator $\mathrm{Bob}_1$ applies $\mathrm{QFT}^{-1}$ on his particle. So, the total computation and communication costs of these protocols are 1 QFT + 1 $\mathrm{QFT}^{-1}$ + (n − 1) unitary operations + 2 measure operations and n, respectively. Shi's protocol [9] is based on multiparty computation but it has an (n, n) threshold approach and its computation type is bit-by-bit. Zhang et al.'s protocol [10] is based on multiparty computation but it has an (n, n) threshold approach with bit-by-bit computation type and modulo of 2. The total computation cost of this protocol is n measure operations. Liu et al.'s protocol [11] is based on multiparty computation but it has an (n, n) threshold approach with bit-by-bit computation type and modulo of 2. The total computation and