Three-party quantum private computation of cardinalities of set intersection and union based on GHZ states

Private Set Intersection Cardinality (PSI-CA) and Private Set Union Cardinality (PSU-CA) are two cryptographic primitives whereby two or more parties are able to obtain the cardinalities of the intersection and the union of their respective private sets, and the privacy of their sets is preserved. In this paper, we propose a three-party protocol to finish these tasks by using quantum resources, where every two, as well as three, parties can obtain the cardinalities of the intersection and the union of their private sets with the help of a semi-honest third party (TP). In our protocol, GHZ states play a role in encoding private information that will be used by TP to compute the cardinalities. We show that the presented protocol is secure against well-known quantum attacks. In addition, we analyze the influence of six typical kinds of Markovian noise on our protocol.


Scientific Reports
| (2020) 10:22246 | https://doi.org/10.1038/s41598-020-77579-w www.nature.com/scientificreports/ by Shi et al. 's work, we are thus trying to design a three-party protocol to solve PSI-CA and PSU-CA problems, where every two and three parties can obtain the cardinalities of the intersection and the union of their respective private sets with the aid of a semi-honest third party (TP). TP is semi-honest means that he loyally executes the protocol, makes a note of all the intermediate results, and might desire to take other parties' private information, but he cannot collude with dishonest parties. We then give a detailed analysis of the presented protocol's security. Besides, the influence of six typical kinds of Markovian noise on our protocol is also analyzed.

Results
The proposed protocol. Our protocol will satisfy the following requirements: (1) Correctness The respective cardinalities of the intersection and the union of every two and three parties' sets are correct. (2) Privacy TP and dishonest parties cannot learn about the elements of any party's set.
(3) Fairness All the parties are perfect peer entities and they can get the cardinalities with equal opportunities.
In our protocol, TP is assumed to be semi-honest which means that he honestly follows the protocol, writes down all the intermediate results and might attempt to obtain the elements of any party's private set, but he cannot be collusive with any dishonest party.
(Step 3) TP prepares p GHZ states ( G A0 , G B0 , G C0 ), ( G A1 , G B1 , G C1 ), . . . , ( G A(p−1) , G B(p−1) , G C(p−1) ), with each GHZ state being in the state |ϕ 000 � . These GHZ states are referred to as encoding states. Next, TP divides all particles into three ordered sequences: (G A0 , G A1 , . . . , G A(p−1) ) , (G B0 , G B1 , . . . , G B(p−1) ) , and (G C0 , G C1 , . . . , G C(p−1) ) , which are denoted as T A , T B , and T C , respectively. (|0� − |1�) . Afterwards, TP randomly inserts d decoy particles into to Alice (Bob, Charlie) through a quantum channel. (Step 5) Confirming that Alice (Bob, Charlie) has successfully received T ′ A ( T ′ B , T ′ C ), TP announces the inserted positions of all the d decoy particles in T ′ A ( T ′ B , T ′ C ) and their corresponding measurement bases. Then, Alice (Bob, Charlie) measures all the decoy particles in the correct bases and announces the measurement results to TP. Next, TP compares the measurement results with their corresponding initial states. If the error rate is higher than the threshold determined by the channel noise, this protocol will be aborted. Otherwise, the protocol will continue to the next step.
(Step 6) Alice (Bob, Charlie) removes all the decoy particles from the sequence T ′ Step 7) Alice (Bob, Charlie) prepares d decoy particles to detect eavesdropping. Each decoy states is randomly chosen from the set {|0�, |1�, |+�, |−�} . Later, Alice (Bob, Charlie) randomly inserts these d decoy particles , and writes down the positions and the states of these inserted states. At last, Alice (Bob, Charlie) sends T * A ( T * B , T * C ) to TP through a quantum channel.
and their corresponding measurement bases. TP measures all decoy particles in the correct bases and announces the measurement results. Alice (Bob, Charlie) then compares the measurement results with their corresponding initial states. If the error rate is higher than the threshold determined by the channel noise, the protocol will be aborted. Otherwise, the protocol will continue to the next step.
(Step 9) TP discards all decoy particles from T * A ( T * B , T * C ) to attain T A ( T B , T C ). TP then selects eight variables S 000 , S 100 , S 010 , S 001 , S 110 , S 101 , S 011 and S 111 as the counters and sets them all to zero. Next, TP measures each trio ( G Ai G Bi G Ci ) ( i = 0, 1, . . . , p − 1 ) in the GHZ basis. If the measurement result is |ϕ r � ( r ∈ {0, 1} 3 ), TP computes S r = S r + 1 . Finally, TP can calculate the cardinalities |A ∩ B| = S 110 + S 111 , |A ∩ C| = S 101 + S 111 , Correctness and security analyzes. In this section, we will analyze the correctness and the security of our protocol. Let us first give the analysis of the correctness.
Correctness. On the one hand, for any x, y ∈ Z p and k ∈ Z P − {0} , x = y if and only if kx = ky (mod p) . It is easy to deduce that On the other hand, by the coding rules in (Step 2) and (Step 6), for any , then x i = y i = z i = 0 , and Alice (Bob, Charlie) does nothing on the particle G Ai ( G Bi ,G Ci ) when she (he, he) receives it. TP will get the measurement result |ϕ 000 � in step 9. Clearly, S 000 is used to count the number of GHZ trios whose states are the same as their original states. The cardinality of the union of the sets A * , B * and C * therefore equals p − S 000 . Namely, |A ∪ B ∪ C| = |A * ∪ B * ∪ C * | = p − S 000 . Similarly, we Furthermore, the relationships among A * , B * , C * and Z p can be illustrated by a Venn Diagram in Fig. 1, where red, blue, and green circles represent the sets A * , B * and C * , respectively, and Z p is the universal set. According to the Venn Diagram, we obtain the following equations:  Security. In this subsection, we move on to the analysis of our protocol's security. Two kinds of attacks, outside and participant attacks, on our protocol will be considered. Outside attacks come from an outside eavesdropper, Eve. Participant attacks can be launched by TP or dishonest parties. Outside attacks In our protocol, TP and three parties employ decoy particles to prevent eavesdropping, which is derived from the BB84 QKD protocol 17 . And it has been proven to be unconditionally secure 18 . As we know, BB84 protocol remains secure even if the quantum channel is noisy, and our protocol can thus work on the noisy channels as well. Any eavesdropping will be detected in (Step 5) or (Step 8). Concretely, since the decoy state is randomly chosen from the set {|0�, |1�|+�|−�} , it is in the state ρ = I 2 . For any trio ( G Ai , G Bi , G Ci ) ( i = 0, 1, . . . , p − 1 ), we have ρ Ai = ρ Bi = ρ Ci = I 2 = ρ . Eve thus cannot distinguish these two states. Without loss of generality, the most general strategy for Eve is that she performs an operation U E which causes the encoding states to interact coherently with an auxiliary quantum system |e� , which can be described as follows: where |α| 2 + |β| 2 = 1 and |γ | 2 + |δ| 2 = 1 . In what follows, we will show that in order to pass the detection, Eve's ancillary state and the encoding state should be product states.

Finally, we have
That is to say, Eve introduces no error in the eavesdropping only when her ancillary state and the encoding states are product states. Eve therefore cannot obtain useful information without being detected. Note that our protocol involves two-way quantum transmission that may incur Trojan horse attacks 19,20 . We do not even need the photon number splitter and the optical wavelength filter devices 21,22 to detect such an attack because the attacker knows nothing about three parties' share key k that are employed to encrypt their private information.
Dishonest parties' attacks Note that TP cannot collude with these dishonest parties. Suppose that Alice and Bob are the dishonest parties who intend to learn about Charlie's set C. After they remove their respective decoy particles and do nothing on their particles, they may try to figure out what operations Charlie has perform on his particles to obtain (z 0 , z 1 , . . . , z p−1 ) . If Alice and Bob can get (z 0 , z 1 , . . . , z p−1 ) , they can easily steal Charlie's private information because they share the same key k. Let's consider the i-th trio of GHZ state. If i ∈ C * , Charlie performs U = ZX on the particle G Ci and then the state of (G Ai , G Bi , G Ci ) turns into , which means Alice and Bob cannot extract any private information from partial qubits of GHZ states. Thus, this attack by Alice and Bob is also invalid to our protocol.
TP's attacks In our protocol, TP is assumed to be semi-honest, which means he will loyally execute the protocol, and he may use all the intermediate results to derive the other parties' private information. However, he cannot collude with other dishonest parties.
Clearly, in 3.1, TP is able to derive (x 0 , x 1 , . . . , x p−1 ) , (y 0 , y 1 , . . . , y p−1 ) and (z 0 , z 1 , . . . , z p−1 ) according to the original GHZ states and the measurement results in the GHZ basis. Namely, TP knows what operations Alice, Bob and Charlie have done on their particles. Even though TP can then deduce whether or not i ∈ A * ( i ∈ B * ,i ∈ C * ), he can still not learn any information about the elements in A (B, C). For example, suppose TP knows that i ∈ A * (i.e. i = ka j (mod p) ∈ A * ), he knows nothing about a j ∈ A because he does not have the secret key k, whose security is guaranteed by Quantum Key Agreement. Hence, TP cannot steal three parties' private information.
Influence of Markovian Noise on the Protocol. In this section, assuming that the quantum state generator, quantum memories, and measurement devices in our protocol are perfect, we analyze the influence of six typical sorts of Markovian noise on our protocol. The effect of quantum noise on a tripartite quantum state ρ 123 can be characterized as follows: where {K i } are Kraus operators characterizing quantum noise 23 .
Suppose that the channel between TP and Alice, the channel between TP and Bob, and the channel between TP and Charlie are the same. We first consider the bit flip channel. For a GHZ state ρ ABC = |ϕ 000 � ABC �ϕ 000 | used for computation, after three particles arrived at Alice, Bob, and Charlie, respectively, the state of this tripartite system ABC becomes s = √ qσ 1 ( s ∈ {A, B, C}). Later, Alice, Bob, and Charlie perform unitary operations U A , U B and U C on particle A, B, C, respectively, as described in (Step 6) of the proposed protocol, with U A , U B , U C ∈ {I, U = ZX} . We denote U ABC = U A ⊗ U B ⊗ U C , the state after Alice's, Bob's, and Charlie's operations turns into When TP receives these three particles from Alice, Bob, Charlie, the state of this system ABC is When TP measures the system ABC in the GHZ basis, he expects to obtain the measure result U ABC ρ ABC U † ABC , through which he can compute the cardinalities of intersections and unions, as described in 3.1 of our protocol. In this case, TP succeeds in the computation. We found that for all possible choices of U ABC , the success probability is Similarly, for bit-phase and phase channels, the success probabilities are and respectively.
The variation of these three success probabilities for flip channels are depicted in Fig. 2.
Depolarizing. The depolarizing channel can be characterized by the following Kraus operators 23 (15)  Suppose that the channel between TP and Alice, the channel between TP and Bob, and the channel between TP and Charlie are the same. Using the similar method in Flip channels analysis, the success probability of TP obtaining the correct measurement result is for all different choices of U ABC .
Amplitude damping. The amplitude damping channel is used for the description of energy dissipation, which contains the Kraus operators 23 as follows where q ∈ [0, 1] is the noise strength.
Suppose that the channel between TP and Alice, the channel between TP and Bob and the channel between TP and Charlie are the same. Using the similar method in Flip channels analysis, the success probability of TP obtaining the correct measurement result is for the cases where U ABC = I ⊗ I ⊗ I and U ABC = U ⊗ U ⊗ U . For other cases, the success probability changes to Phase damping. The phase damping channel is characterized by the Kraus operators 23 as follows where q ∈ [0, 1] is the noise strength.
Suppose that the channel between TP and Alice, the channel between TP and Bob, and the channel between TP and Charlie are the same. Using the similar method in Flip channels analysis, the success probability of TP obtaining the correct measurement result is for all sorts of choices of U ABC . The variations of the success probabilities of depolarizing, amplitude damping and phase damping channels are depicted in Fig. 3.

Discussion and Conclusions
We presented a three-party protocol to compute the cardinalities of the intersection and the union between any two sets and among three sets with the help a semi-honest party TP. The security analysis showed that our protocol can resist some well-known quantum attacks. In addition, we analyzed the influence of six typical sorts of Markovian noise on the success probabilities of a GHZ state used for computation. The analysis showed that among three kinds of flip channels, the bit-phase flip channel affects our protocol most. It is interesting to see that on the amplitude damping channel, the success probabilities of the cases where U ABC = I ⊗ I ⊗ I and U ABC = U ⊗ U ⊗ U are the same, but for other cases, they share another success probabilities.
In practice, quantum error correction codes are usually employed to protect quantum states from errors induced by noise. There is also research on designing robust quantum cryptographic protocols based on some specific quantum states over special noisy channels (e.g. collective noise channels) 16 . Note that imperfect devices, such as quantum state generators and measurement devices, may also affect the robust of quantum cryptographic protocol, we will further conduct research on these topics in the future. qI, K (2) = √ q 2 σ 1 ,