Dec 19, 2013 - Jiangsu Engineering Center of Network Monitoring, Nanjing University of ... School of Computer and Software, Nanjing University of Info...

0 downloads 0 Views 160KB Size

Secure Quantum Private Comparison of Equality Based on Asymmetric W State

arXiv:1312.5577v1 [quant-ph] 19 Dec 2013

Wen-Jie Liu · Chao Liu · Hai-bin Wang · Jing-Fa Liu · Fang Wang · Xiao-Min Yuan

Received: date / Accepted: date

Abstract Recently, Liu et al. [Opt. Commun. 284, 3160, 2011] proposed a protocol for quantum private comparison of equality (QPCE) based on symmetric W state. However, Li et al. [Eur. Phys. J. D. 66, 110, 2012] pointed out that there is a flaw of information leak, and they proposed a new protocol based on EPR pairs. While examining these two protocols, we find that there exists a same flaw: the third party (TP) can know the comparison result. In this paper, through introducing and constructing a special class of asymmetric W state, a secure QPCE protocol based on this asymmetric W state is presented. Analysis shows the present protocol can not only effectively avoid the information leak found by Li et al, but also ensure TP would not get any information about the comparison result. Keywords Quantum cryptography · Quantum private comparison of equality · Asymmetric W state · Information leak 1 Introduction Secure multi-party computation (SMC) is an important and fundamental branch in cryptographic field, and it deals with computing a function in a distributed network where each participant holds one of the secret inputs, and guarantees no information about one participants secret inputs is leaked to others. In the scientific computation, comparison is a basic problem, so the private comparison is an important issue in SMC, and well-studied in classical W.-J. Liu · H.-B. Wang · J.-F. Liu Jiangsu Engineering Center of Network Monitoring, Nanjing University of Information Science & Technology, Nanjing 210044, China E-mail: [email protected] W.-J. Liu · C. Liu · F. Wang · X.-M. Yuan School of Computer and Software, Nanjing University of Information Science & Technology, Nanjing 210044, China

2

Wen-Jie Liu et al.

cryptography. In 1982, Yao [1] proposed a famous protocol for the millionaires’ problem, in which two millionaires wish to know who is richer without revealing the precise amount of their fortunes. Following the idea of Yao’s millionaires’ problem, Boudot et al. [2] subsequently proposed a protocol to decide whether two millionaires are equally rich or not. Since then, the private comparison has drawn more and more attentions [3-5]. However, the security of classical private comparison is based on the computation complexity, which is susceptible to the strong ability of quantum computation. Unlike classical private comparison, the security of quantum private comparison relies on the laws of physics, such as the Heisenberg uncertainty principle, the quantum nocloning theorem, rather than computational assumptions. So, quantum private comparison is able to guarantee the unconditional security of the information by quantum mechanics. The first protocol for quantum private comparison of equality (QPCE) was proposed by Yang et al. [6] in 2009, in which a one-way hash function was used to calculate the hash values of two participants’ secret inputs firstly, and then these hash values were encoded into the photons of EPR pairs. In essence, its security is guaranteed by the hash function. Since then, many other QPCE protocols have been proposed, such as the QPCE protocols with nonentangled state (i.e., single photon) [7, 8], the QPCE protocols with maximally entangled state (Bell state, GHZ state, etc.) [9-13], and the QPCE protocols with non-maximally entangled state (W state, cluster state, χ-type state, etc.) [14-18]. Recently, Liu et al. [18] proposed an efficient QPCE protocol with three-particle symmetric W state √13 (|100i + |010i + |001i) (referred to as the LWJ11 protocol hereafter). To our knowledge, this is the only one that utilized W state as quantum resource in the QPCE protocol. Unfortunately, in 2012, Li et al. [19] pointed out that a flaw of information leak is existent in the LWJ11 protocol: one participant can estimate the other’s private bit successfully with probability 2/3, rather than 1/2. Subsequently, they presented a new protocol with EPR pairs (referred to as the LWG12 protocol hereafter). Thus, strictly speaking, there has been no secure QPCE protocol based on W state to be published by far. On the other hand, we find that there exists a same flaw in the LWJ11 and LWG12 protocols, i.e., the third party (TP) can know the comparison result, which is contrary to what they claimed: “TP cannot know the comparison result”. In this paper, we aim to propose a secure QPCE protocol based on W state to avoid all of these flaws discussed above. Firstly, we introduce a special class of asymmetric W state, and give its construction framework from the perspective of quantum reversible logic circuits. And then, by utilizing the W states, a new secure QPCE protocol is presented. The new protocol not only holds the same efficiency as the LWJ11 protocol, but also avoids the information leak pointed out in Ref. [19]. What is more, the present protocol can ensure TP cannot know any information about the comparison result, which avoids the flaw existent in the LWJ11 and LWG12 protocols. The structure of this paper is organized as follows. In Section 2, we briefly review and analyze the LWJ11 and LWG12 protocols. In Section 3, the asym-

Secure Quantum Private Comparison of Equality Based on Asymmetric W State

3

metric W state is introduced, and a new secure QPCE protocol is proposed. And the security of the present protocol is analyzed in Section 3, and a brief discussion and conclusion is given finally in Section 4.

2 Review of the LWJ11 and LWG12 protocols and their flaw 2.1 Review of the LWJ11 and LWG12 protocols In Ref. [18], Liu et al. proposed a QPCE protocol based on symmetric W state. In the protocol, Alice Bob are supposed PN −1 as two participants, who have the Pand N −1 secret inputs X = i=0 xi 2i , Y = i=0 yi 2i , respectively, where xi , yi ∈ {0, 1}, 2N −1 ≤ max{X, Y } ≤ 2N . Obviously, the binary representations of X and Y are (x0 , x1 , ..., xN −1 ), (y0 , y1 , ..., yN −1 ), respectively. And the main procedures of the LWJ11 protocol are as follows, Step 1. Alice and TP (Bob and TP), use a QKD protocol to establish a common secret key KAC (KBC ). Alice and Bob agree that |01i, |10i, |1i (|00i, |0i) represent information ‘1’ (‘0’). Step 2. Alice (Bob) prepares N symmetric W states, each of which is randomly chosen from |φ1 i = √13 (|100i + |010i + |001i)123 , |φ2 i = √13 (|10+i + |01+i+|00−i)123. Then Alice (Bob) performs iσy = |0ih1|−|1ih0| operation on the third photon of ith W state when xi = 1 (yi = 1), where i = 0, 1, . . . , N −1. ′ After that, Alice (Bob) prepares N W states from one of the two states |φ1 i, |φ2 i randomly, and inserts them into her (his) N W states at the same positions. Then Alice and Bob exchange the third photons of all W states and remain the other photons on hand. Subsequently, Alice (Bob) announces ′ publicly the N + N initial states prepared by her (him). If the initial state is |φ2 i, Bob (Alice) performs a Hadamard operation (H) on the third photons arrived from Alice (Bob). 1 H = √ (|0ih0| + |1ih0| + |0ih1| − |1ih1|), 2

(1) ′

Otherwise, he (she) does nothing. Finally, Alice and Bob take out those 2N W states and perform the eavesdropping checking, respectively. The detailed procedures are omitted here. Step 3. If there is no eavesdropper, Alice (Bob) makes single-particle measurement in the Z-basis{|0i, |1i} on every photon on her (his) hand. The measurement outcome about the first and second photons of every W state prepared by Alice (Bob) is denoted by MiA1 (MiB1 ). If MiA1 (MiB1 ) is |01i or |10i, then CiA1 (CiB1 ) = 1; if MiA1 (MiB1 ) is |00i, then CiA1 (CiB1 ) = 0. And the outcome about the third photons of every W states prepared by Alice (Bob) is represented as MiA2 (MiB2 ). When MiA2 (MiB2 ) is |0i, then CiA2 (CiB2 ) = 0; When MiA2 (MiB2 ) is |1i, then CiA2 (CiB2 ) = 1. Finally, Alice (Bob) calculates A CiA = CiA1 ⊕ CiB2 , (CiB = CiB1 ⊕ CiA2 ), and gets CA = (C0A , C1A , . . . , CN −1 ) B B B (CB = (C0 , C1 , . . . , CN −1 )). Here i = 0, 1, · · · N − 1.

4

Wen-Jie Liu et al. ′

Step 4. Alice (Bob) prepares an L-length random sequence CA′ = (C0A , C1A ′

′

′

′

′

′

A B , . . . , CL−1 ) (CB ′ = (C0B , C1B , . . . , CL−1 )), where CiA , CiB ∈ {0, 1}, i = ′ ′ 0, 1, . . . , L − 1, and sends CA (CB ) to Bob (Alice). Alice inserts CA′ into CA to get CA′′ and sends the inserted positions sequence Sq to Bob. Bob inserts CB ′ into CB in terms of Sq to get CB ′′ . Then Alice and Bob use KAC , KBC to encrypt CA′′ , CB ′′ , get E(CA′′ ), E(CB ′′ ), respectively, and send both of them to TP. Step 5. After using KAC , KBC to decrypt E(CA′′ ), E(CB ′′ ) and getting ′ P −1 A PL−1 A′ ′ B B CA′′ , CB ′′ , TP calculates R = N i=0 (Ci ⊕ Ci ) + i=0 (Ci ⊕ Ci ), and ′ he sends R to Alice and Bob. ′ ′ Step 6. After receiving CA′ , CB ′ , R , Alice and Bob calculate R = R − ′ ′ PL−1 A ⊕ CiB ), respectively. If R = 0, they know X = Y ; otherwise, i=0 (Ci X 6= Y . In Ref. [19], Li et al. pointed out that a flaw of information leak is existent in the LWJ11 protocol, that is, a participant can estimate the other’s every private information correctly with probability 2/3. Then they proposed a new protocol using EPR pairs instead of the original symmetric W states. The whole protocol consists of six steps, whose main procedures are similar as those of LWJ11 protocol. The major modification is as follows,

(i) In the whole protocol, the EPR pairs |ϕ+ i = √12 (|01i + |10i) are utilized as information carrier instead of the original W states. (ii) In order to save quantum bits, decoy photons, rather than entangled W states, are utilized to perform eavesdropping checking.

2.2 The flaw In order to prevent TP from getting the comparison result, a mix-up solution is used in both of the LWJ11 and LWG12 protocols. More specifically, as depicted in Step 4, Alice (Bob) prepares the random sequence CA′ (CB ′ ), and sends it to Bob (Alice). Then Alice inserts CA′ into CA , and gets CA′′ . At the same time, Bob inserts CB ′ into CB at the same positions in terms of Alice’s notification, and gets CB ′′ . For simplicity, we denote CA′′ , CB ′′ as below, CA′′ = CA kCA′ , CB ′′ = CB kCB ′ (‘k’ denotes the collection of two sequences). Subsequently, CA′′ and CB ′′ will be sent to TP by utilizing QKD method in Step 4. And then, TP calculates the bit-wise exclusive-OR operation between ′ ′ PL−1 PN −1 ′ CA′′ and CB ′′ , and gets R = i=0 (CiA ⊕ CiB ) + i=0 (CiA ⊕ CiB ). On the P −1 A ′ B surface, TP only know the result of R rather than R = N i=0 (Ci ⊕ Ci ), so he cannot know the comparison result. But unfortunately, that is just not the case. As we all know, the classical information transmitted through public channel can be arbitrarily obtained without being detected. Since CA′ , CB ′ and Sq are sent through the classical channel in Step 4, that means TP can obtain them without be detected. There ′′ are two ways for TP to gain the comparison result. (1) TP calculates R =

′

Secure Quantum Private Comparison of Equality Based on Asymmetric W State

0

H

5

H

0

W1

0

H

Fig. 1: The quantum circuit framework generating the |W1 i state. PL−1

′

′

(CiA ⊕CiB ) according to CA′ and CB ′ , and gets the result by calculating ′ ′′ R = R − R . (2) TP gets rid of the mix-up sequences CA′ , CB ′ from CA′′ , CB ′′ , respectively, and obtains CA , CB according to the position sequence Sq , PN −1 and then he calculates R = i=0 (CiA ⊕ CiB ) to get the comparison result. In a word, TP can gain the comparison result, which is contrary to what they claimed: “TP cannot know the comparison result”. i=0

3 The proposed protocol based on asymmetric W state 3.1 The asymmetric W state and its quantum circuits construction Unlike the maximally entangled state, the W state has some nice entanglement properties, it is maximally robust under disposal of any one of the three qubits. The class of states |Wn i is such one [20], √ √ 1 (|100i + neiγ |010i + n + 1eiδ |001i)123 , |Wn i = √ 2 + 2n

(2)

where n is a real number, γ and δ are phases. As we shall see, the asymmetric states can be used for perfect superdense coding in our protocol. In particular, if we take n = 1 for simplicity and set phases to zero (i.e., γ = 0, δ = 0), then the |W1 i state can be gotten, |W1 i =

√ 1 (|100i + |010i + 2|001i)123 . 2

(3)

From the perspective of quantum reversible logic circuits [21], we design a framework of quantum circuit by using NOT gate, controlled-NOT (CNOT) gate and Hadamard gate to construct the asymmetric W state |W1 i. The detailed circuit representation is shown in Fig. 1.

6

Wen-Jie Liu et al.

3.2 The QPCE protocol based on asymmetric W state In order to avoid the flaw of information leak which Li et al. pointed out, as well as prevent TP from getting the comparison result, we present a secure QPCE protocol based on asymmetric W state, and the detailed procedures are as below. Prerequisite. Alice and Bob use a QKD protocol to establish two common secret keys KAB ; Alice and TP (Bob and TP) get KAT (KBT ) in the same way. Alice and Bob agree that |01i, |10i, |1i represent the information ‘1’; |00i, |0i represent the information ‘0’. Step 1. Alice and Bob prepare an ordered N three-qubit asymmetric W states sequence, respectively, which are called SA , SB , SA = [P1A1 , P1A2 , P1A3 , P2A1 , P2A2 , P2A3 , . . . , PNA1 , PNA2 , PNA3 ] (4) SB = [P1B1 , P1B2 , P1B3 , P2B1 , P2B2 , P2B3 , . . . , PNB1 , PNB2 , PNB3 ]. Here, the subscripts 1, 2, ..., N indicate the orders of W states in the sequence and superscripts A1 , A2 , A3 (B1 , B2 , B3 ) represent three different particles in ′ one W state. And each W state is chosen from {|W1 i, |W1 i} randomly.

√ 1 (|100i + |010i + 2|001i)123 , (5) 2 √ ′ 1 (6) |W1 i = (|10+i + |01+i + 2|00−i)123 . 2 Then Alice (Bob) perform unitary operation I or σx on the third photon of ith W state in terms of her (his) secret inputs (x0 , x1 , ..., xN −1 ) ((y0 , y1 , ..., yN −1 )). If xi = 1(yi = 1), Alice (Bob) performs σx = |0ih1| + |1ih0| operation; otherwise, she (he) performs I = |0ih0| + |1ih1| operation, where i = 0, 1, . . . , N − 1. After that, Alice (Bob) takes particles 3 from each state in SA (SB ) to form an ordered particle sequence S3A (S3B ) A S3 = [P1A3 , P2A3 , . . . , PNA3 ] (7) S3B = [P1B3 , P2B3 , . . . , PNB3 ]. |W1 i =

For preventing eavesdropping, Alice (Bob) prepares a set of decoy photons DA (DB ) randomly in four nonorthogonal photon states {|0i,|1i,|+i,|−i}, and inserts DA (DB ) into the third photon sequence S3A (S3B ) at random positions to form a new sequences S3A∗ (S3B∗ ). Then Alice and Bob exchange S3A∗ and S3B∗ . Step 2. After receiving S3B∗ (S3A∗ ), Alice (Bob) announces publicly her (his) N initial asymmetric W states. If the initial state of Bob’s (Alice’s) is ′ |W1 i, Alice (Bob) will perform a Hadamard operation (see Eq. (1)) on the third photon on her (his) hand; if the state is |W1 i, they do nothing. To guarantee the security of the quantum channel, Alice (Bob) will perform the eavesdropping check. The checking procedure of Alice-Bob quantum channel is: (i) Alice informs Bob the positions and the measurement bases of the decoy photons. (ii) Bob performs single-photon measurement and publishes his measurement

Secure Quantum Private Comparison of Equality Based on Asymmetric W State

7

outcomes. (iii) Alice analyzes the error rate, if the error rate is higher than the threshold they preset, she aborts the protocol and restarts from the preparing step; otherwise, the quantum channel of Alice-Bob is secure. On the same time, Bob utilizes the same method to check security of Bob-Alice quantum channel. Step 3. Alice (Bob) discards the decoy photons in S3A∗ (S3B∗ ) and makes the Z-basis measurement on every photon of her (his) hand. The measurement outcome of Alice’s (Bob’s) first and second photons in the ith W state is denoted as MiA1 (MiB1 ), then the value of CiA1 (CiB1 ) can be computed as follows, 0, MiA1 (MiB1 ) = |00i A1 B1 Ci (Ci ) = (8) 1, MiA1 (MiB1 ) = |01i or |10i. And CiB2 (CiA2 ) can be gotten according to Alice’s (Bob’s) outcome of the third photon MiB2 (MiA2 ), 0, MiB2 (MiA2 ) = |0i B2 A2 Ci (Ci ) = (9) 1, MiB2 (MiA2 ) = |1i. Then, Alice (Bob) continue to calculate CiA = CiA1 ⊕ CiB2 (CiB = CiB1 ⊕ CiA2 ), A B B B and denotes CA = (C0A , C1A , . . . , CN −1 ) (CB = (C0 , C1 , . . . , CN −1 )). ′ Step 4. Alice (Bob) prepares an L-length random binary sequence CA = ′

′

′

′

′

′

′

′

′

B A B A B B (C0A , C1A , . . . , CN ∈ {0, 1}, −1 ) (CB = (C0 , C1 , . . . , CN −1 )), where Ci , Ci ′ ′ i = 0, 1, . . . , L − 1, After that, Alice (Bob) uses KAB to encrypt CA (CB ), ′ ′ ′ and sends the result E(CA ) (E(CB )) to Bob (Alice). Having received E(CB ) ′ ′ ′ ′ ′ (E(CA )), Alice (Bob) uses KAB to decrypt E(CB ) (E(CA )) and gets CB (CA ). ′ Then Alice inserts CA into CA at random positions to obtain a new sequence ′′ named CA , she also records the inserted positions sequence Sq . Then Alice uses KAB to encrypt Sq and sends the result E(Sq ) to Bob. Bob decrypt E(Sq ) to ′ ′′ get Sq , and inserts CB into CB in terms of Sq for getting CB . Subsequently, ′′ ′′ ′′ ′′ Alice and Bob use KAT , KBT to encrypt CA , CB , get E(CA ), E(CB ), and send them to TP, respectively. ′′ ′′ ′′ Step 5. TP decrypts E(CA ), E(CB ) by using KAT , KBT , and gets CA , ′ ′ P P ′′ ′ L−1 N −1 CB . Then he calculates R = i=0 (CiA ⊕CiB )+ i=0 (CiA ⊕CiB ), and sends ′ R to Alice and Bob, respectively. ′ ′ ′ ′ Step 6. After receiving CA , CB , R , Alice and Bob calculate R = R − ′ ′ PL−1 A B i=0 (Ci ⊕ Ci ), respectively. If R = 0, Alice and Bob will know X = Y ; otherwise, they get X 6= Y . An example is given for better understanding the presented protocol. Suppose that the ith secret inputs of binary representations of X and Y are ‘0’ ′ and ‘0’. The asymmetric W state of Alice (Bob) prepared is |W1 i (|W1 i). After performing unitary operations and the Hadamard√operation, |W1 i and ′ |W1 i evolve to a same state |W 1 i0 = 21 (|100i + |010i + 2|001i). so CiA1 = 1, B2 Ci = 0, CiB1 = 1, CiA2 = 0 can be calculated according to the single-particle measurement outcomes. Thus, CiA = CiA1 ⊕ CiB2 = 1, CiB = CiB1 ⊕ CiA2 = 1,

8

Wen-Jie Liu et al.

Ri = CiA ⊕CiB = 1⊕1 = 0. According to Ri , Alice and Bob know that xi = yi . For i = 0 to N − 1, Alice and Bob use same method to compare whether xi , yi are equal or not. In Tabel 1, we give all different cases of xi , yi ’s values in the proposed QPCE protocol. Table 1: All different cases of xi , yi ’s values xi

yi

MiA1

MiB2

MiB1

MiA2

CiA1

CiB2

CiB1

CiA2

CiA

CiB

Ci

0

0

0

1

1

0

1

1

|01ior|10i |01ior|10i |00i |00i |01ior|10i |01ior|10i |00i |00i |01ior|10i |00i |00i |01ior|10i |01ior|10i |01ior|10i |00i |00i

|0i |1i |0i |1i |1i |0i |0i |1i |0i |0i |1i |1i |1i |0i |1i |0i

|01ior|10i |00i |01ior|10i |00i |01ior|10i |00i |00i |01ior|10i |01ior|10i |01ior|10i |00i |00i |01ior|10i |00i |01ior|10i |00i

|0i |0i |1i |1i |0i |0i |1i |1i |1i |0i |0i |1i |1i |1i |0i |0i

1 1 0 0 1 1 0 0 1 0 0 1 1 1 0 0

0 1 0 1 1 0 0 1 0 0 1 1 1 0 1 0

1 0 1 0 1 0 0 1 1 1 0 0 1 0 1 0

0 0 1 1 0 0 1 1 1 0 0 1 1 1 0 0

1 0 0 1 0 1 0 1 1 0 1 0 0 1 1 0

1 0 0 1 1 0 1 0 0 1 0 1 0 1 1 0

0 0 0 0 1 1 1 1 1 1 1 1 0 0 0 0

4 Security Analysis The proposed protocol holds the same security as the LWJ11 and LWG12 protocols, and it is secure against the well-known attacks (e.g., intercept-resend attack, measurement-resend attack, and entanglement-measure attack, etc.). Moreover, the protocol can avoid the flaw of information leak pointed out by Li et al., and ensure TP cannot get comparison result. Here, we just have a brief analysis on these two aspects. (1) The information leak Li et al. pointed out can be avoided Without loss of generality, we suppose that Bob is a dishonest participant who attempts to obtain Alice secret inputs. The only way for Bob is to use the third particles of Alice’s asymmetric W states (i.e., S3A ) sent to him. The detailed description is as follows, √ ′ In Step 1, Alice prepares |W1 i = 12 (|100i + |010i + 2|001i)123 , |W1 i = √ 1 2 (|10+i+|01+i+ 2|00−i)123 randomly. For simplicity, we take the first state |W1 i as an example. After Alice’s encoding operation on the third particle, |W1 i evolves |W 1 i0 or |W 1 i1 in terms of Alice’s secret inputs. √ xi = 0 |W 1 i0 = 21 (|100i + |010i +√ 2|001i)123 (10) |W 1 i1 = 12 (|101i + |011i + 2|000i)123 xi = 1. As specified in Step 3, Bob will perform a single-particle measurement on the third particle. As shown in Eq. (10), if Bob can deduce the final state is |W 1 i0

Secure Quantum Private Comparison of Equality Based on Asymmetric W State

9

or |W 1 i1 , he will know the Alice secret input (xi = 0 or xi = 1). At the same time, the reduced density operator of Bob’s photon is √ √ |100i + |010i + 2|001i h100| + h010| + 2h001| ⊗ ) ρB = tr ( 12 0 2 2 (11) 1 1 1 0 2 = |0ih0| + |1ih1| = xi = 0 0 12 2 2

ρB 1

√ √ |101i + |011i + 2|000i h101| + h011| + 2h000| = tr12 ( ⊗ ) 2 2 1 1 1 0 = |0ih0| + |1ih1| = 2 1 xi = 1 0 2 2 2

(12)

To estimate Alice’s ith private bit, Bob must estimate whether the system B in his possession is described by ρB 0 or ρ1 . Using the optimal measurement [22, 23], the maximum probability that Bob estimates Alice’s ith private bit correctly is 1 1 1 B (13) P max = + T r|ρB 0 − ρ1 | = 2 4 2 p B † B B B † B B where |ρB (ρB 0 − ρ1 | = 0 − ρ1 ) (ρ0 − ρ1 ), and (ρ0 − ρ1 ) is the Hermitian B B conjugate of the (ρ0 − ρ1 ) matrix. That is, Bob can estimate Alice’s private bit successfully with 1/2 probability. For instance, if MiA2 is |0i, Bob would guess xi = 0 with the 1/2 probability; if MiA2 is |1i, he would guess xi = 1 with the 1/2 probability, too. That means, Bob cannot get Alice’s secret inputs by measuring the third particles S3A . So, in our protocol, there is no flaw of information leak presented in Ref.[19] (2) TP cannot know the comparison result As analyzed in Section 2.2, the only chance for TP to know the comparison ′ ′ result is to get the mix-up sequences CA , CB or the inserted positions sequence ′ ′ Sq . In our scenario, these sequences CA , CB and Sq are encrypted by the QKD key (KAB ), which is only shared with Alice and Bob. And the QKD protocol has already been proven to be unconditionally secure [24, 25], that means, ′ ′ none can get any information about CA , CB and Sq . Let us check the feasibility of two possible ways for TP to gain the com′ ′ parison result. (1) TP tries to intercept CA and CB from the public channel ′ ′ PL−1 ′′ between Alice and Bob, then calculates R = i=0 (CiA ⊕ CiB ), and finally ′ ′′ gets the result by calculating R = R − R . However, in our new protocol, ′ ′ ′ ′ CA and CB are encrypted into E(CA ), E(CB ) by using the QKD key (KAB ) before they are sent to the counterpart through the public channel. So, TP ′ ′ ′ ′ cannot get CA and CB from E(CA ) and E(CB ), and then he cannot calculate ′′ the result of R , that means TP will not get the comparison result R. (2) TP ′ ′ attempts to get rid of the mix-up sequence CA and CB according to the posiPN −1 tion sequence Sq , gets CA and CB , and then calculates R = i=0 (CiA ⊕ CiB ).

10

Wen-Jie Liu et al.

This attack strategy does not work either. As described in Step 4 of our protocol, “Alice uses (KAB ) to encrypt Sq and sends the result E(Sq ) to Bob”. That means TP cannot get Sq , and undoubtedly he cannot obtain the result R. In summary, our protocol can prevent TP from knowing the comparison result.

5 Discussion and Conclusion Up to now, many QPCE protocols based on maximally entangled states (e.g., Bell state, GHZ state, GHZ-like state) have been proposed. Comparing with the maximally entangled states, the non-maximally entangled states (e.g., W state, cluster state, χ-type state) have the stronger non-classicality, and they are more robust against particle losses than the corresponding maximally entangled states. Moreover, since we can directly use these non-maximally entangled states and do not need to distill maximally entangled states from them, it is more convenient and economical in the practical experiment. From the perspective of the robustness and the physical implementation, using the nonmaximally entangled state as the quantum resource to design QPCE protocol may be a best choice. To guarantee the security of quantum channel, the eavesdropping checking is indispensable. As we all know, there are two common methods, the first is to utilize the correlation of entangled states, and the second is to use the decoy photons. In the LWJ11 protocol, they utilize the W states to perform eavesdropping checking, while decoy photons are used to replace W states for eavesdropping checking in the LWG12 protocol. From the view of qubit efficiency, using decoy photons to perform eavesdropping checking is obviously better than using entangled states. Similar to the LWG12 protocol, we choose the decoy photons to check the channel security. On the other hand, many QPCE protocols, including the LWJ11 and LWG12 protocols, adopt the QKD method to enhance the security of quantum private comparison. Undoubtedly, this will cost more quantum resource, but it is the price we have to pay for the higher safety requirements. In this paper, based on the asymmetric W state |W1 i and the QKD encryption method, a new secure QPCE protocol is proposed. Compared with other analogous protocols, it not only holds the same security as that in Ref. [18], but also can avoid the information leak pointed out in Ref. [19]. In addition, the protocol can ensure that TP cannot know the comparison result. On the other hand, the protocol inherits the efficiency of W state, which is discussed in Ref. [18]. What is more, TP is only to do some exclusive-OR operations, the two participants are only required to perform the simpler single-particle measurement, which is more economical and feasible to be implemented within present technologies. Our two-party protocol is a simple QPCE model, which can be generalized to the case of multi-party and be extended to solve the Yao’s millionaires’ problem.

Secure Quantum Private Comparison of Equality Based on Asymmetric W State

11

Acknowledgements This work is supported by the National Nature Science Foundation of China (Grant Nos. 61103235, 61170321, 61373016 and 61373131), the Priority Academic Program Development of Jiangsu Higher Education Institutions (PAPD), the Natural Science Foundation of Jiangsu Province, China (BK2010570), and the Practice Inovation Trainng Program Projects for the Jiangsu College Students (201310300018Z).

References 1. Yao, A.C.: Protocols for secure computations. In: Foundations of Computer Science, 1982. SFCS ’08. 23rd Annual Symposium on, 3-5 Nov. 1982 1982, pp. 160-164 2. Boudot, F., Schoenmakers, B., Traore, J.: A fair and efficient solution to the socialist millionaires’ problem. Discrete Appl. Math. 111(1-2), 23-36 (2001). doi:10.1016/s0166218x(00)00342-5 3. Li, R.H., Wu, C.K., Zhang, Y.Q.: A Fair and Efficient Protocol for the Millionaires’ Problem. Chin. J. Electron. 18(2), 249-254 (2009). 4. Luo, Y.L., Huang, L.S., Yang, W., Xu, W.J.: An Efficient Protocol for Private Comparison Problem. Chin. J. Electron. 18(2), 205-209 (2009). 5. Li, S.D., Wang, D.S., Dai, Y.Q.: Symmetric cryptographic protocols for extended millionaires’ problem. Sci. China Ser. F-Inf. Sci. 52(6), 974-982 (2009). doi:10.1007/s11432009-0109-6 6. Yang, Y.G., Wen, Q.Y.: An efficient two-party quantum private comparison protocol with decoy photons and two-photon entanglement. J. Phys. A: Math. Theor. 42(5) (2009). doi:10.1088/1751-8113/42/5/055305 7. Yang, C.-W., Kao, S.-H., Hwang, T.: Comment on Efficient and feasible quantum private comparison of equality against the collective amplitude damping noise. Quantum Inf. Process. 12(8), 2871-2875 (2013). doi:10.1007/s11128-013-0569-x 8. Liu, B., Gao, F., Jia, H.Y., Huang, W., Zhang, W.W., Wen, Q.Y.: Efficient quantum private comparison employing single photons and collective detection. Quantum Inf. Process. 12(2), 887-897 (2013). doi:10.1007/s11128-012-0439-y 9. Chen, X.B., Xu, G., Niu, X.X., Wen, Q.Y., Yang, Y.X.: An efficient protocol for the private comparison of equal information based on the triplet entangled state and single-particle measurement. Opt. Commun. 283(7), 1561-1565 (2010). doi:10.1016/j.optcom.2009.11.085 10. Liu, W., Wang, Y.B.: Quantum Private Comparison Based on GHZ Entangled States. Int. J. Theor. Phys. 51(11), 3596-3604 (2012). doi:10.1007/s10773-012-1246-z 11. Liu, W.J., Liu, C., Liu, Z.H., Liu, J.F., Geng, H.T.: Same Initial States Attack in Yang et al.s Quantum Private Comparison Protocol and the Improvement. Int. J. Theor. Phys., 1-6 (2013). doi:10.1007/s10773-013-1807-9 12. Tseng, H.Y., Lin, J., Hwang, T.: New quantum private comparison protocol using EPR pairs. Quantum Inf. Process. 11(2), 373-384 (2012). doi:10.1007/s11128-011-0251-0 13. Chang, Y.J., Tsai, C.W., Hwang, T.: Multi-user private comparison protocol using GHZ class states. Quantum Inf. Process. 12(2), 1077-1088 (2013). doi:10.1007/s11128-012-0454z 14. Jia, H.Y., Wen, Q.Y., Li, Y.B., Gao, F.: Quantum Private Comparison Using Genuine Four-Particle Entangled States. Int. J. Theor. Phys. 51(4), 1187-1194 (2012). doi:10.1007/s10773-011-0994-5 15. Liu, W., Wang, Y.B., Jiang, Z.T., Cao, Y.Z.: A Protocol for the Quantum Private Comparison of Equality with chi-Type State. Int. J. Theor. Phys. 51(1), 69-77 (2012). doi:10.1007/s10773-011-0878-8 16. Liu, W., Wang, Y.B., Jiang, Z.T., Cao, Y.Z., Cui, W.: New Quantum Private Comparison Protocol Using X-Type State. Int. J. Theor. Phys. 51(6), 1953-1960 (2012). doi:10.1007/s10773-011-1073-7 17. Sun, Z.W., Long, D.Y.: Quantum Private Comparison Protocol Based on Cluster States. Int. J. Theor. Phys. 52(1), 212-218 (2013). doi:10.1007/s10773-012-1321-5 18. Liu, W., Wang, Y.B., Jiang, Z.T.: An efficient protocol for the quantum private comparison of equality with W state. Opt. Commun. 284(12), 3160-3163 (2011). doi:10.1016/j.optcom.2011.02.017

12

Wen-Jie Liu et al.

19. Li, Y.B., Wen, Q.Y., Gao, F., Jia, H.Y., Sun, Y.: Information leak in Liu et al.’s quantum private comparison and a new protocol. Eur. Phys. J. D 66(4) (2012). doi:10.1140/epjd/e2012-30065-9 20. Agrawal, P., Pati, A.: Perfect teleportation and superdense coding with W states. Phys. Rev. A 74(6) (2006). doi:10.1103/PhysRevA.74.062320 21. Nielsen, M.A., Chuang, I.L.: Quantum computation and quantum information. Cambridge university press (2010) 22. Helstrom, C.W.: Quantum detection and estimation theory, vol. 84. Academic press New York, (1976) 23. Fuchs, C.A.: Information gain vs. state disturbance in quantum theory. Fortschr. Phys. 46(4-5), 535-565 (1998). 24. Shor, P.W., Preskill, J.: Simple proof of security of the BB84 quantum key distribution protocol. Phys. Rev. Lett. 85(2), 441-444 (2000). doi:10.1103/PhysRevLett.85.441 25. Lo, H.K.: A simple proof of the unconditional security of quantum key distribution. J. Phys. A: Math. Gen. 34(35), 6957-6967 (2001). doi:10.1088/0305-4470/34/35/321