Secure Multiparty Quantum Computation for Summation and Multiplication

As a fundamental primitive, Secure Multiparty Summation and Multiplication can be used to build complex secure protocols for other multiparty computations, especially numerical computations. However, there is still a lack of systematic and efficient quantum methods to compute Secure Multiparty Summation and Multiplication. In this paper, we present a novel and efficient quantum approach to securely compute the summation and multiplication of multiparty private inputs, respectively. Compared to classical solutions, our proposed approach can ensure unconditional security and perfect privacy protection based on the physical principle of quantum mechanics.

In addition, another multi-qubit quantum logic gate, which will be used later in the proposed protocols, is the controlled-NOT or CNOT gate: $|00\rangle \to |00\rangle$, $|01\rangle \to |01\rangle$, $|10\rangle \to |11\rangle$ and $|11\rangle \to |10\rangle$, where the first qubit is the control qubit, and the second qubit is the target qubit. That is, if the control qubit is set to 0, then the target qubit is left alone. If the control qubit is set to 1, then the target qubit is flipped.

Results
Proposed protocols. Secure multiparty quantum summation. Assume that there are n parties: $P_1, P_2, \ldots, P_n$ ($n > 2$), where each party $P_k$ ($1 \le k \le n$) has a secret integer $x_k \in \{0, 1, \ldots, N-1\}$ ($N = 2^m$), and further all n parties want to jointly compute the summation $\sum_{k=1}^{n} x_k \bmod N$ without revealing their respective secrets $x_k$. In the following Protocol I, we suppose that $P_1$ is the initiator party.
Protocol I (Secure multiparty quantum summation)
Step 1. The initiator $P_1$ first prepares an m-qubit basis state $|x_1\rangle_h$, where $m = \log N$ and $x_1$ is his private secret. Then $P_1$ applies a quantum Fourier transform to the state $|x_1\rangle_h$ and gets the resultant state $|\psi_1\rangle$. That is,
Step 2. $P_1$ prepares another m-qubit ancillary state $|0\rangle_t$ and further performs m CNOT gate operators on the product state $|\psi_1\rangle|0\rangle_t$, where each qubit of the first m qubits is the control qubit and the corresponding qubit of the second m qubits is the target qubit. Here we call the resultant state $|\psi_2\rangle$, which is written as Clearly, $|\psi_2\rangle$ is an entangled state, where the subscript h or t denotes that the qubits will stay at home or be transmitted through the quantum channel.
Step 3. $P_1$ sends the second m qubits (i.e., the ancillary state $|j\rangle_t$) to $P_2$ through the authenticated quantum channel.
Step 4. After receiving the ancillary state $|j\rangle_t$, $P_2$ first prepares his secret state $|x_2\rangle$. Then he applies an oracle . After applying the oracle operator $C_j$, the whole composite quantum systems of $P_1$ and $P_2$ are in the following state
Step 5. Furthermore, $P_2$ passes the ancillary state $|j\rangle_t$ to $P_3$ through the authenticated quantum channel and keeps $|x_2\rangle$ secret. Afterward, $P_3$ executes a process similar to that of $P_2$, and so on. This process is repeated $n-1$ times, so that, if everyone honestly executes the protocol, the composite quantum systems of all n parties are in the following state
Step 6. Finally, $P_n$ sends the ancillary state $|j\rangle_t$ back to $P_1$. After receiving the ancillary state $|j\rangle_t$, $P_1$ again applies $CNOT^{\otimes m}$ on his $2m$ qubits, where each qubit of the first m qubits is the control qubit and the corresponding qubit of the second m qubits is the target qubit. Call the resultant state $|\psi_5\rangle$. That is,
Step 7. Furthermore, $P_1$ measures the second m qubits (i.e., $|0\rangle_t$) in the computational basis. If the measured result is $|0\rangle$, then he continues to execute the next step; otherwise he believes that there is at least one dishonest party and ends this protocol.
Step 8. Finally, $P_1$ applies   Therefore, if all parties honestly execute this protocol, $P_1$ will rightly get $\sum_{k=1}^{n} x_k \bmod N$.
Secure multiparty quantum multiplication. Assume that there are n parties $P_1, P_2, \ldots, P_n$ ($n > 2$), each party with a private secret ∈ , , …, − , where all $s_k$ are odd integers. Similarly, in the following Protocol II, we suppose that $P_1$ is the initiator.
Protocol II (Secure multiparty quantum multiplication)
Step 1. The initiator $P_1$ randomly chooses an odd integer $r \in \{1, 3, \ldots, N-1\}$ and further prepares two m qubits in the original state ∑ , where the preparation process is the same as that of Step 1 and 2 in Protocol I. Then $P_1$ sends $|j\rangle_{t_1}$ to $P_2$ through the authenticated quantum channel and keeps $|j\rangle_{t_2}$ in hand.
Step 2. After receiving $|j\rangle_{t_1}$, $P_2$ applies an oracle operator $U_2$ on $|j\rangle_{t_1}$ by his private secret $s_2$, where $U_2$ is defined by, Please note that $s_2$ is an odd integer and $N = 2^m$, thus there exists its modulo-N multiplicative inverse $s_2^{-1}$, which implies that $U_2$ is invertible. Furthermore, $P_2$ sends $|j s_2^{-1} \bmod N\rangle_{t_1}$ to $P_3$ through the authenticated quantum channel. Afterward, $P_3$ executes a process similar to that of $P_2$ (i.e., , and so on. This process is repeated $n-1$ times, so that, if everyone honestly executes the protocol, the final quantum states of the qubits of the subscripts $t_1$ and $t_2$ are in, , $P_1$ continues to send $|j\rangle_{t_2}$ to $P_2$ through the authenticated quantum channel.
Step 4. After receiving the state $|j\rangle_{t_2}$, $P_2$ again applies the oracle operator $U_2$ on $|j\rangle_{t_2}$ by his private input $s_2$, i.e., . Furthermore he sends it to $P_3$ through the authenticated quantum channel, and so on. This process is repeated $n-1$ times, so that, if everyone honestly executes the protocol, the final quantum states of the $2m$ qubits are in, , $P_1$ performs m CNOT gate operators on the two returned states, such that the quantum systems of the subscripts $t_1$ and $t_2$ will be disentangled. That is, Furthermore, $P_1$ measures the qubits of the subscript $t_2$ in the computational basis. If the measured result is $|0\rangle_{t_2}$, then he continues to execute the next step. Otherwise, he believes that there is at least one dishonest party and ends this protocol.

Security Analysis.
We have analyzed the correctness of Protocol I and II, and now analyze their security. To save space, we mainly analyze the security of Protocol I, because the security of Protocol II is the same as that of Protocol I.
We first show that $P_2$ does not get any secret information about the initiator $P_1$'s input $x_1$. In Protocol I, $P_1$ only sends the ancillary state $|j\rangle_t$ to $P_2$ without any classical information. So, for a dishonest $P_2$, if he wants to eavesdrop on $P_1$'s secret, all possible attacks he can perform with the present technology are as follows:
(1) $P_2$ directly measures the ancillary state $|j\rangle_t$ in the computational basis. Obviously, he will get $j$ ($j \in \{0, 1, \ldots, N-1\}$) with the equal probability of $\frac{1}{N}$, but the measured result $j$ is independent of $P_1$'s secret $x_1$. That is, this attack is infeasible.
(2) After applying a unitary operator on the ancillary state $|j\rangle_t$, $P_2$ again measures it. In particular, $P_2$ knows that $P_1$'s secret state $|x_1\rangle$ has evolved into the same state (i.e., $|j\rangle_h$) as the ancillary state $|j\rangle_t$ based on the quantum Fourier transform, so he may perform an inverse quantum Fourier transform $QFT^{-1}$ on the ancillary state $|j\rangle_t$ in the hope of extracting $x_1$. That is, this attack can be described as follows:  By the above equation, if $P_2$ measures the ancillary state, he will get $|l\rangle_t$ ($l \in \{0, 1, \ldots, N-1\}$) with the equal probability of $\frac{1}{N}$. It implies that $P_2$ cannot get any secret information about $P_1$'s private input, because he cannot extract the global phase information from the partial qubits of the entangled quantum systems with the subscripts h and t. In fact, any local unitary operator on the partial qubits cannot fully disentangle the entanglement of the composite system unless directly measured. Therefore, even if $P_2$ performs this attack, he still cannot get any private information about $P_1$'s secret $x_1$.
(3) $P_2$ performs a more complicated entangle-measure attack, in which he prepares another ancillary system $|0\rangle_{P_2}$ and entangles the two ancillary systems by his local unitary operations, where one is transmitted from $P_1$, and afterward he measures the ancillary system prepared by himself to get partial information about $P_1$'s private inputs. $P_2$'s dishonest action when he receives $P_1$'s ancillary $|j\rangle_t$ can be described by a unitary operator $\tilde{U}_{tP_2}$, which acts on $|j\rangle_t$ and $|0\rangle_{P_2}$. We can describe it as follows: In order to completely pass the honest test (see Step 7), one can easily deduce that $\eta_j = 1$. That is, the whole quantum systems of $P_1$ and $P_2$ should be in the following state after performing $\tilde{U}_{tP_2}$: Then $P_2$ sends $|j\rangle_t$ back to $P_1$. After $P_1$ performs $CNOT^{\otimes m}$ and further measures the ancillary system t, the state of the remaining quantum system becomes Now if $P_2$ measures his ancillary state $|\varphi(j)\rangle_{P_2}$, as in the above analysis of case (2), he still cannot get any secret information about $x_1$ because of the entanglement of $|j\rangle_h$ and $|\varphi(j)\rangle_{P_2}$. If $P_1$ further applies $QFT^{-1}$ to the first m qubits, the state of the remaining quantum system will be updated into  This equation shows that if $P_1$ measures his remaining m qubits, he will get $|l\rangle_h$ ($l \in \{0, 1, \ldots, N-1\}$) with the equal probability of $\frac{1}{N}$, which implies that the probability of getting $|x_1\rangle_h$ is also $\frac{1}{N}$, unless $|\varphi(j)\rangle$ is independent of j. Similarly, $P_2$ cannot get the secret $x_1$ with a probability of more than $\frac{1}{N}$ due to their entanglement. It implies that $P_2$ cannot get any secret information about $P_1$'s private input $x_1$. Therefore, the entangle-measure attack is infeasible.
From what we have analyzed above, we can see clearly that $P_2$ cannot get any secret information about $x_1$. Furthermore, we can easily and naturally generalize that any party $P_k$ ($k \neq 1$) cannot obtain any secret information about $P_1$'s private input. Therefore, the initiator's private input is unconditionally secure against other dishonest parties. In turn, if all parties honestly execute this protocol, $P_1$ only gets the final summation $\sum_{k=1}^{n} x_k \bmod N$ ($n > 2$), instead of a single party's private secret $x_k$. However, if the parties $P_{k-1}$ and $P_{k+1}$ are dishonest, they can collude to get $P_k$'s private input $x_k$. In order to overcome this weakness, we can use a communication model with a random order instead of the fixed order, that is, the next party is chosen randomly by the current party himself, not pre-determined by a designated party.
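The following Python state-vector simulation is an added example, not code from the paper; it runs Protocol I for small N and reproduces the uniform outcome distributions claimed for attacks (1) and (2) above. It assumes the QFT convention $|x\rangle \to \frac{1}{\sqrt{N}}\sum_j e^{2\pi i x j/N}|j\rangle$, an oracle that multiplies $|j\rangle_t$ by the phase $e^{2\pi i x_k j/N}$ (its definition is not reproduced on this page; this form follows the Discussion's description of adding the secret into the phase), and an inverse QFT in Step 8. All function names and sample secrets are constructed.

```python
import cmath

def qft(vec, inverse=False):
    """N-point quantum Fourier transform (or its inverse) of an amplitude list."""
    n, sign = len(vec), (-1 if inverse else 1)
    return [sum(a * cmath.exp(sign * 2j * cmath.pi * x * j / n) for x, a in enumerate(vec)) / n ** 0.5
            for j in range(n)]

def cnot_m(state):
    """CNOT on each qubit pair: |h>|t> -> |h>|t XOR h> (h controls, t is the target)."""
    n = len(state)
    out = [[0j] * n for _ in range(n)]
    for h in range(n):
        for t in range(n):
            out[h][t ^ h] = state[h][t]
    return out

def entangle(x1, m):
    """Steps 1-2: QFT on |x1>_h, attach |0>_t, apply the CNOTs. state[h][t] is an amplitude."""
    n = 2 ** m
    psi1 = qft([1.0 if x == x1 else 0.0 for x in range(n)])
    return cnot_m([[psi1[h] if t == 0 else 0j for t in range(n)] for h in range(n)])

def protocol_one(secrets, m):
    """Run Protocol I honestly; returns (P1's outcome, probability the Step 7 check reads 0)."""
    n = 2 ** m
    state = entangle(secrets[0], m)
    for x_k in secrets[1:]:  # Steps 4-5, ASSUMED oracle: |j>_t picks up phase exp(2*pi*i*x_k*j/N)
        state = [[a * cmath.exp(2j * cmath.pi * x_k * t / n) for t, a in enumerate(row)] for row in state]
    state = cnot_m(state)  # Step 6: disentangle the returned register
    p_check = sum(abs(state[h][0]) ** 2 for h in range(n))  # Step 7: t register reads 0
    probs = [abs(a) ** 2 for a in qft([state[h][0] for h in range(n)], inverse=True)]  # Step 8 (assumed)
    return max(range(n), key=probs.__getitem__), p_check

def p2_view(x1, m, inverse_qft=False):
    """Outcome distribution P2 sees when measuring |j>_t, optionally after QFT^-1 (attacks 1, 2)."""
    state = entangle(x1, m)
    if inverse_qft:
        state = [qft(row, inverse=True) for row in state]  # local operation on the t register only
    n = len(state)
    return [sum(abs(state[h][t]) ** 2 for h in range(n)) for t in range(n)]

if __name__ == "__main__":
    secrets = [5, 3, 7, 6]  # constructed sample inputs, N = 8
    print(protocol_one(secrets, 3))         # outcome equals sum(secrets) % 8
    print(p2_view(5, 3, inverse_qft=True))  # uniform, whatever x1 is
```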
In addition, in order to fully resist the collusion attack of fewer than $n-1$ parties, we can design the following Protocol III, in which all parties are in full parity.
Protocol III (to compute ∑ ) = x modN
Because Protocol I can ensure the unconditional security of the private input of the initiator, every sub-secret $x_{kk}$ of $P_k$ ($1 \le k \le n$) in Round 1 of Protocol III is unconditionally secure against fewer than $n-1$ parties. Therefore, Protocol III is unconditionally secure against any collusion attack, unless there are $n-1$ cheating parties.
As for Protocol II, obviously $P_1$'s secret $s_1$ is unconditionally secure because the transmitted quantum messages don't include any private information about $s_1$. Conversely, if all parties honestly execute Protocol II, $P_1$ only gets the final multiplication $\prod_{k=1}^{n} s_k \bmod N$ ($n > 2$), instead of a certain party's secret $s_k$. In addition, the n-th party $P_n$ can easily perform an intercept-resend attack. That is, he intercepts all qubits passing through his hands, and then sends fake qubits back to $P_1$. Accordingly, $P_n$ may finally obtain $|\varpi\rangle_{t_1}$ after applying m CNOT gate operators and an inverse quantum Fourier transform $QFT^{-1}$ to his intercepted qubits, where $\varpi = r s_2 \cdots s_n \bmod N$. However, $P_n$ does not know r, so he still cannot get any secret information about other parties' private inputs. Therefore, this attack is infeasible. Furthermore, in order to resist the collusion attack, we can also use a communication model with a random order instead of the fixed order. Similarly, we can also design the unconditionally secure quantum protocol for Secure Multiparty Multiplication.
Protocol IV (to compute ∏ ) = x modN
Step 2. Each party $P_k$ ($1 \le k \le n$) as the initiator calls Protocol III to compute where $m_{kk}$ is $P_k$'s initial input.
Step 3. where $s_{kk}$ is $P_k$'s initial input.

Round 2
Finally, all parties designate an agent, who could be one of them, to again call Protocol II to compute $S = \prod_{k=1}^{n} s_k \bmod N$ and to further announce

As for the security of the quantum channel, we can use the decoy technology to check eavesdropping in all proposed protocols. That is, the initiator randomly inserts enough decoy particles into the qubit sequence to be transmitted, where every decoy particle is prepared randomly with either Z-basis (i.e. . After confirming that the receiver has received the transmitted sequence, the initiator announces the positions of partial decoy particles and the corresponding measurement basis. The receiver measures these decoy particles according to the initiator's announcements and tells the initiator his measurement results. Then the initiator compares the measurement results of the receiver with the initial states of these corresponding decoy particles in the transmitted sequence and analyzes the security of the transmissions. If the error rate is higher than the threshold determined by the channel noise, they cancel this protocol and restart; or else they continue to the next step. In addition, the authenticated quantum channel can further ensure the security of quantum communications. Like most existing secure multiparty quantum computations, our protocols require an authenticated quantum channel. This is the only assumption we need for the proposed protocols to work. In principle, we may use a quantum authentication scheme (QAS) [18] based on Clifford operators introduced in [19] to implement it. We may also use quantum encryptions combined with classical authenticated keys [20,21]. In addition, we may still ensure the authentication by sharing the entangled quantum resources in advance [22] or using the detecting (or decoy) particle technologies [23].

Discussion
In this paper, we presented a novel and efficient quantum approach to systematically compute secure multiparty summation and multiplication. In our approach, there is an initiator who prepares an entangled state and further transmits the partial qubits of the entangled state to every party in turn through the quantum channel. According to the different computations, there are two specific processing ways: the receiver in computing the summation adds his secret into the global phase of the entangled state by an oracle operator, while the receiver in computing the multiplication embeds his secret into the received basis state by another oracle operator. Finally, the initiator takes the transmitted qubits back and subtly extracts the corresponding summation and multiplication from the phase information by an inverse quantum Fourier transform. More specifically, we proposed several quantum protocols for secure multiparty summation and multiplication, where Protocol I and II have higher efficiency due to the linear communication complexity, and Protocol III and IV provide unconditional security and perfect privacy protection with $O(n^2)$ communication complexity. In conclusion, our approach securely implements the fundamental arithmetic operations (i.e., summation and multiplication) in a secret-by-secret way instead of a bit-by-bit way, which may give some good references for solving other SMC problems. In theory, it can be generalized to compute many secure multiparty numerical computations.