Secure Multi-Party Quantum Summation Based on Quantum Homomorphic Encryption

Secure multi-party computation plays a fundamental role in classical cryptography. Quantum homomorphic encryption (QHE) can compute on encrypted data without decryption. At present, most protocols use a semi-honest third party (TP) to protect participants' secrets. We use a quantum homomorphic encryption scheme instead of TP to protect the privacy of parties. Based on quantum homomorphic encryption, a secure multi-party quantum summation scheme is proposed in which N participants can delegate a server with strong quantum computing power to assist computation. By delegating the computation and key update processes to a server and a semi-honest key center, participants encrypt their private information data using Pauli operators to get the sum. Besides, the server can design and optimize the summation lines itself, and the correct results can be obtained even if the secret information is negative. The correctness analysis shows that the participants can correctly obtain the results of the calculation. The security analysis proves the scheme is resistant to both outside attack and participant's attack, and is secure against collusive attack by up to N-2 participants. From the theoretical point of view, our protocol can be extended to other secure multi-party computing problems.


Introduction
Secure multi-party computation (SMC) means that two or more users who do not trust each other cooperate to complete a certain computing task in a distributed network environment without disclosing their input information. The initial SMC protocol was proposed in Yao's millionaire problem [1], which compares the wealth of two millionaires without either learning any private information of the other. Secure multi-party summation is an elementary aspect of SMC that enables multiple parties to compute on their private inputs without revealing any information about those inputs. It is extensively applied to solve privacy preservation problems in the classical setting [2] and has been extended to the quantum setting [3][4][5][6][7][8]. In 2010, Chen et al. [9] proposed a quantum summation protocol using Greenberger-Horne-Zeilinger (GHZ) states. In 2015, Zhang et al. [10] designed a quantum three-party summation protocol based on the genuinely maximally entangled six-qubit states. Then Liu et al. [11] presented a quantum summation protocol using Pauli matrices operations to encode information for extracting information, and a quantum summation protocol based on the commutative encryption [12] was proposed. In 2017, Zhang et al. [13] put forward a multi-party quantum summation protocol based on single particles without a trusted third party.
Most secure multi-party computation needs to consider semi-honest parties to the protocol, but homomorphic encryption does not. Some researchers use homomorphic encryption (HE) algorithms [14,15] to solve SMC problems. HE lets users process and calculate on encrypted information without decryption. As an essential branch of quantum cryptography, QHE allows the client to delegate quantum data to the server for computation. Boykin et al. [16] proposed a quantum encryption algorithm and quantum one-time pad (QOTP). They also proved that it is perfectly secure. Based on QOTP, Liang [17] proposed three symmetric quantum homomorphic encryption schemes and a symmetric quantum fully homomorphic encryption (QFHE) scheme, but this novel scheme requires the private key, and the untrusted server can steal client information. In their subsequent studies, a QFHE scheme with the universal quantum circuit (UQC) was proposed [18], and the decryption key depends on the structure of the UQC. When a T-gate occurs in the UQC, the client and server need to interact once. In 2014, Fisher et al. [19] proposed a QHE scheme for performing a universal set of quantum gates on untrusted servers. However, when the server performs T-gate evaluation, an S-error will occur, requiring the client to prepare auxiliary quantum states and communicate with the server to eliminate the S-error. Broadbent et al. [20] presented two QHE schemes to handle the S-error, namely an entanglement-based scheme and an auxiliary-qubit scheme. These two schemes are based on a classical quantum homomorphic encryption scheme suitable for low-complexity quantum circuits, and the efficiency will be low when the circuit has enormous complexity. Recently, Liang [21] proposed two QHE schemes that are based on gate teleportation and its modified version. Both are non-interactive schemes. Then, Zhou et al. [22] proposed a homomorphic search protocol based on QHE, in which a client with limited quantum ability can implement a search job on the encrypted superposition state with the help of a powerful but untrusted quantum server.
However, some of the existing protocols need to perform the exclusive-OR (XOR) operation, which is too difficult to use in applications. Motivated by the works of References [19,22], we propose a secure multi-party quantum summation protocol based on QHE. Our protocol implements the addition of the participants' integers, even if there are negative integers. A third party is required to assist the calculation in the protocol. In order to separate computing and key management in the third party, it is divided into servers with strong computing power and semi-honest key centers. In addition, Yu et al. [23] prove the no-go result: a perfectly secure QFHE scheme requires exponential overhead. QFHE with no interaction consumes more resources than one with interaction. Hence, we use Fisher et al.'s key update scheme in our protocol.
The rest of our paper is organized as follows. In Section 2, we summarize the preliminary knowledge of quantum computation, QHE and quantum full adder circuit. In Section 3, we propose a novel multi-party quantum summation protocol based on QHE. In Section 4, we give the security analysis of our protocol. In Section 5, we conclude this paper with a brief conclusion.

Quantum Computation
QHE is a way of delegating computation. The client sends the encrypted data to a powerful server to perform general quantum computation. As for quantum computation, the single-qubit gates are the Pauli operations X, Y, Z; the Hadamard gate H; the phase gates T and S, where, Also, the two-qubit gate is the CNOT gate; the three-qubit gate is the Toffoli gate, where, The CNOT gate implements the following quantum transformation $\mathrm{CNOT}(|c\rangle|t\rangle) = |c\rangle|c \oplus t\rangle$, where |c〉 is the control qubit and |t〉 is the target qubit.
The Toffoli gate implements the following quantum transformation $\mathrm{Toffoli}(|a\rangle|b\rangle|t\rangle) = |a\rangle|b\rangle|t \oplus a \cdot b\rangle$, where |a〉 and |b〉 are the control qubits and |t〉 is the target qubit.
To realize universal quantum computation, at least one non-Clifford gate must be included. Therefore, two different quantum gate sets that make up universal quantum computation can be obtained. The first set is {H, S, CNOT, T}, and the second set is {H, S, CNOT, Toffoli}. In the second set, the non-Clifford T-gate and $T^\dagger$-gate should be evaluated. Because $T^\dagger = T^7$, the $T^\dagger$-gate can be implemented by seven T-gates.

Quantum Homomorphic Encryption Based on Quantum One-Time Pad
A quantum homomorphic encryption scheme includes four algorithms [18], and the process of each algorithm is described below.
(1) Key generation algorithm. The client uses the unary representation of security parameters as the algorithm's input to obtain a set of keys, i.e., a classical public encryption key pk, a classical secret decryption key sk and a quantum evaluation key $\rho_{evk}$.
(2) Encryption algorithm. According to the value of the encryption key pk, the client encrypts the plaintext information M and sends the encrypted information C to the server.
(3) Homomorphic evaluation algorithm. The server performs unitary operator U on the received encrypted information C, and sends the evaluation information E to the client. This process will consume the quantum evaluation key.
(4) Decryption algorithm. Due to the unitary operator U executed by the server, the client updates the decryption key sk to decrypt the received evaluation information E. The client's decryption information is essentially the unitary operator U acting on the plaintext information M.
According to the perfectly secure QOTP, as proved by Boykin et al. [16], there is Eq. (5) where σ is an arbitrary quantum state, and $I_{2^n}/2^n$ is the maximally mixed state of n qubits. Because a and b are randomly selected from {0, 1}, this encryption method is perfectly secure.
In the homomorphic evaluation algorithm, Clifford gate set {X, Z, H, S, CNOT} evaluates the encrypted qubit, and the evaluation results are as follows.
It can be seen that simply applying the updated combination of X and Z to the evaluation results yields the decryption results, namely the Clifford gates from {X, Z, H, S, CNOT} acting on the plaintext qubit.
When the server performs the evaluation of a T or $T^\dagger$ gate, an unexpected S-error occurs.
If only X and Z are executed on the evaluation result, T|φ〉 cannot be completely recovered, and there may be an S-error. In order to eliminate the S-error, based on the idea of U-rotated Bell measurement, Gong et al. [24] designed the quantum circuit shown in Fig. 1 to complete the homomorphic evaluation process of the T-gate.
In Fig. 1, according to the value of the encryption key a, the client performs an $S^a$-rotated Bell measurement to obtain the values of r and t. Based on the key-updating algorithm, the client updates the decryption key to $a \oplus r$ and $a \oplus b \oplus t$, which will be used in the decryption algorithm to accomplish the evaluation of the T-gate.

The Quantum Full Adder Circuit
In this section, we describe how to construct a quantum full adder circuit based on classical binary addition. Suppose there are two unsigned binary numbers, $A = (a_0, a_1, \ldots, a_{n-1})$ and $B = (b_0, b_1, \ldots, b_{n-1})$. The sum of these two numbers is $C = (c_0, c_1, \ldots, c_n)$, where q is the carry qubit. (13) Binary addition involves exclusive-OR and AND operations. CNOT and Toffoli gates are the gates in quantum circuits that perform these two operations. A full adder circuit for two participants consists of CNOT and Toffoli gates; a two-bit quantum full adder circuit is shown in Fig. 2.
The Toffoli gate can be decomposed into two H gates, one S gate, six CNOT gates, three T-gates and four $T^\dagger$-gates, and the detailed circuit is shown in Fig. 3.
The detailed decomposition circuit of the Toffoli gate is the basic element to realize a two-bit quantum full adder. It transforms the realization of a three-qubit gate into a combination of single-qubit and two-qubit gates, which is to some extent easy to implement experimentally and technically.

A Protocol of Multi-Party Quantum Summation Based on QHE
In our protocol, the participant's message to be encrypted is classical binary data that can be represented by utilizing horizontal and vertical polarization. The vertically polarized photon |1〉 represents one and the horizontally polarized photon |0〉 represents zero. Before transmitting those photons, all the photons are
Suppose that there are N participants ($P_1, P_2, \ldots, P_n$), each holding an M-length secret information $I_i$ (i = 1, 2, …, n) known only to themselves. They can calculate the summation of $I_i$ with the help of the server and a trusted key center, and the communication model between them and TP is shown in Fig. 4. A security parameter K is required to prevent computation overflow, where $K = [\log_2(N)] + 2$. In Fig. 5 we show the flow chart of this scheme.
Step 1: The key center randomly generates N secret keys of 2M-length, and sends $\mathrm{Key}_i^{0}$ to the participant $P_i$ through a secure key distribution protocol, such as the BB84 protocol.
Step 2: If the participant's secret information $I_i$ is positive or zero, the participant does not have to do anything to their 0-1 code. Otherwise, they convert their 0-1 code into two's complement. And then they prepare the photon sequence j' i And then they use the $\mathrm{Key}_i^{0}$ to encrypt the photon sequence and obtain jw i j' i M i based on QOTP. Finally, the key center adds 2K zero key according to the security parameter K. The participants whose information is negative add K-length |1〉 photons in front of the photon sequence, the new photon sequence is
Step 3: To prevent eavesdropping, the participants prepare $D_i$ decoy photons and randomly insert them in their photon sequence, where each photon is selected from {|0〉, |1〉, |+〉, |−〉}, and send the new photon sequence to the server.
Step 4: Once the server gets their photon sequences, the participants announce the position $Po_i$ and basis $Ba_i$ of the inserted decoy photons. If the inserted decoy is |0〉 or |1〉, the measurement basis is {|0〉, |1〉}; if the inserted decoy is |+〉 or |−〉, the measurement basis is {|+〉, |−〉}. The server calculates the accuracy rate based on the measurement results. If the accuracy is less than the preset threshold, this indicates the presence of eavesdroppers and the protocol is terminated. Otherwise, the server discards these decoy photons and continues to the next step.
Step 5: The server constructs a quantum full adder circuit, with each participant's photon sequence as input to the circuit. In the evaluation operation, the key center updates the key based on the quantum gates performed by the server and the key update algorithm of quantum gates. After the server has performed all the quantum gates in the quantum circuit, the key center obtains the final updated $\mathrm{Key}_i^{final}$, which is the decryption key. The server sends the calculated results to the key center.
Step 6: The key center uses the decryption key to decrypt and measure all the photons in the photon sequence, and then releases the measurements to all participants. Then participants calculate the bits sequence to get the summation of their secret information.
In Step 5, in the homomorphic evaluation algorithm, when the server performs Clifford gate operations on the ciphertext, the new intermediate keys can be obtained from the commutation rules between Clifford gates and Pauli matrices without any additional classical or quantum resources. Suppose the i-th Clifford gate operation performed by the server is defined as $G_i$, which acts on the k-th qubit in the photon sequence, $G_i X^{a_k(j)} Z^{b_k(j)} |\varphi\rangle$ (if $G_i$ = CNOT and the input qubits are the k-th and l-th, then $G_i (X^{a_k(j)} Z^{b_k(j)} |\varphi\rangle X^{a_l(j)} Z^{b_l(j)} |\varphi\rangle)$), where $G_i \in \{X, Y, Z, H, T, S, \mathrm{CNOT}\}$ and $a_k(j)$, $b_k(j)$ are (j+1)-th intermediate keys. As for the operation $G_i$ and key update algorithm, the calculation procedure of the (j+1)-th intermediate key is as follows:
(1) If $G_i$ = X, Y, Z, then $(a_k(j+1), b_k(j+1)) = (a_k(j), b_k(j))$;
(2) If $G_i$ = H, then $(a_k(j+1), b_k(j+1)) = (b_k(j), a_k(j))$;
(3) If $G_i$ = S, then $(a_k(j+1), b_k(j+1)) = (a_k(j), a_k(j) \oplus b_k(j))$;
Any arbitrary unitary operator can be composed of H, S, CNOT and T gates, and a T-gate key update is required for the client to perform any unitary operation on the server. But when a T-gate is applied to the encrypted qubit, an S-error occurs: if a = 1, $T X^{a_k(j)} Z^{b_k(j)} |\varphi\rangle = X^{a_k(j)} Z^{b_k(j) \oplus a_k(j)} S^{a_k(j)} T |\varphi\rangle$. Fisher et al. used an auxiliary qubit to solve the error caused by the T-gate in the evaluation algorithm, which is a basis of the protocol in this paper. Before the server starts doing its calculations, the key center needs to prepare and send as many auxiliary photons as there are T-gates in the quantum circuit. These photons are encrypted as $Y^{y} Z^{d} |+\rangle$, with y, d ∈ {0, 1}. When the server performs a T-gate on the k-th qubit, it first performs a CNOT gate on the k-th qubit and the t-th auxiliary photon (suppose this is the k-th T-gate that the server performs), where the control qubit is the auxiliary qubit.
Then, according to the intermediate key $(a_k(j), b_k(j))$ of the k-th qubit and the encryption key for the t-th auxiliary qubit, the key center sends a classical message $a_k(j) \oplus y(t)$ to the server. The server performs an $S^{a_k(j) \oplus y(t)}$ gate on the auxiliary qubit, measures the k-th qubit and sends the measurement result c(t) to the key center. The key center performs the key update algorithm to obtain a new intermediate key $\mathrm{Key}_i^{j+1}$. In order to prevent eavesdropping in the evaluation algorithm, the server and key center convert the classical information bits $a_k(j) \oplus y(t)$ and c(t) into qubits for transmission and insert some decoy photons among them.
The key center (the server) prepares D′ photons which are randomly selected from the four photon states, and randomly inserts the photon $|a_k(j) \oplus y(t)\rangle$ (|c(t)〉) into the decoy photon sequence to send the new photon sequence to the server (the key center). When the server (the key center) receives the photon sequence, it first checks the sequence for eavesdroppers. If there is no eavesdropper, it proceeds to the next step; otherwise the protocol is aborted.
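The key update rules (1)-(3) and the T-gate S-error described above, and in the earlier section on QHE based on QOTP, can be checked numerically at the operator level. The following Python sketch is an added example, not code from the paper; the function names are hypothetical, and gates are plain 2x2 complex matrices compared up to a global phase.

```python
import cmath
import math
from itertools import product

W8 = cmath.exp(1j * math.pi / 4)      # T-gate phase e^{i*pi/4}
R = 2 ** -0.5
I2 = [[1, 0], [0, 1]]
GATES = {
    "X": [[0, 1], [1, 0]],
    "Y": [[0, -1j], [1j, 0]],
    "Z": [[1, 0], [0, -1]],
    "H": [[R, R], [R, -R]],
    "S": [[1, 0], [0, 1j]],
    "T": [[1, 0], [0, W8]],
}

def mul(*ms):
    """Product of 2x2 matrices, left to right."""
    out = I2
    for m in ms:
        out = [[sum(out[i][k] * m[k][j] for k in range(2)) for j in range(2)]
               for i in range(2)]
    return out

def pad(a, b):
    """QOTP operator X^a Z^b for key bits a, b."""
    return mul(GATES["X"] if a else I2, GATES["Z"] if b else I2)

def equal_up_to_phase(A, B, tol=1e-9):
    """True when A = e^{i*theta} B (a global phase is unobservable)."""
    pairs = [(A[i][j], B[i][j]) for i in range(2) for j in range(2)]
    ref = next((x / y for x, y in pairs if abs(y) > tol), None)
    return ref is not None and abs(abs(ref) - 1) < tol and all(
        abs(x - ref * y) < tol for x, y in pairs)

def update_key(gate, a, b):
    """Rules (1)-(3) from the text: next intermediate key (hypothetical helper)."""
    if gate in ("X", "Y", "Z"):
        return a, b
    if gate == "H":
        return b, a
    if gate == "S":
        return a, a ^ b
    raise ValueError("no Pauli-only rule for " + gate)

def clifford_rules_hold():
    """G X^a Z^b equals X^a' Z^b' G up to phase, for every gate and key."""
    return all(
        equal_up_to_phase(mul(GATES[g], pad(a, b)),
                          mul(pad(*update_key(g, a, b)), GATES[g]))
        for g in "XYZHS" for a, b in product((0, 1), repeat=2))

def t_gate_s_error(a, b):
    """Returns (identity with S^a holds, some Pauli-only key would suffice)."""
    lhs = mul(GATES["T"], pad(a, b))
    with_s = mul(pad(a, a ^ b), GATES["S"] if a else I2, GATES["T"])
    pauli_only = any(equal_up_to_phase(lhs, mul(pad(x, z), GATES["T"]))
                     for x, z in product((0, 1), repeat=2))
    return equal_up_to_phase(lhs, with_s), pauli_only
```

For a = 1 the second return value of `t_gate_s_error` is false: no choice of X and Z key bits alone undoes the pad after a T-gate, which is why the auxiliary photon and the extra message exchange are needed.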
Two examples are given to verify that the calculation of the protocol is correct. Without loss of generality, after ignoring the eavesdropper checking and evaluating algorithm process, suppose there are three participants named $P_1$, $P_2$, $P_3$ who have secret integer information $I_1$, $I_2$, $I_3$, respectively. We convert their secret information into binary and give some examples to illustrate the correctness of our protocol.
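The plaintext arithmetic behind Step 2 and Step 6 can be traced on classical basis states. The following Python sketch is an added example with constructed inputs, not the paper's own worked examples; it assumes the bracket in K = [log2(N)] + 2 is a floor, that non-negative inputs are padded with K zeros, and it stores bits least-significant first. Function names are hypothetical, and encryption and key updates are left out.

```python
def security_parameter(n_parties):
    """K = [log2 N] + 2, reading the bracket as floor (assumption)."""
    return (n_parties.bit_length() - 1) + 2

def encode(value, m, k):
    """M-bit two's complement plus K sign bits in front; returned LSB-first."""
    if not -(1 << (m - 1)) <= value < (1 << (m - 1)):
        raise ValueError("value does not fit in M bits")
    low = [(value >> i) & 1 for i in range(m)]
    return low + [1 if value < 0 else 0] * k   # K ones for negative inputs

def cnot(reg, c, t):
    """CNOT on basis states: target ^= control (exclusive-OR)."""
    reg[t] ^= reg[c]

def toffoli(reg, a, b, t):
    """Toffoli on basis states: target ^= a AND b."""
    reg[t] ^= reg[a] & reg[b]

def add_into(acc, x):
    """acc <- acc + x (mod 2^W) with CNOT/Toffoli only; returns Toffoli count."""
    carry, count = 0, 0
    for i in range(len(acc)):
        reg = [x[i], acc[i], carry, 0]   # a, b, carry-in, fresh carry-out
        toffoli(reg, 0, 1, 3)            # carry-out  = a AND b
        cnot(reg, 0, 1)                  # b          = a XOR b
        toffoli(reg, 1, 2, 3)            # carry-out ^= (a XOR b) AND carry-in
        cnot(reg, 2, 1)                  # b          = a XOR b XOR carry-in
        acc[i], carry = reg[1], reg[3]
        count += 2
    return count

def decode(bits):
    """Read an LSB-first two's complement register back as a signed integer."""
    unsigned = sum(bit << i for i, bit in enumerate(bits))
    return unsigned - (1 << len(bits)) if bits[-1] else unsigned

def secure_sum_plain(values, m):
    """Returns (sum, K, number of Toffoli gates) for the plaintext circuit."""
    k = security_parameter(len(values))
    regs = [encode(v, m, k) for v in values]
    acc = regs[0][:]
    toffolis = sum(add_into(acc, r) for r in regs[1:])
    return decode(acc), k, toffolis
```

With M = 4 the inputs 7, 7, 7 sum to 21, which does not fit in four bits but does fit in the M + K = 7 bit register, and the K leading ones keep negative inputs negative after widening.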

Outside Attack
In our protocol, outside attackers can attack during key distribution, ciphertext transmission and evaluation algorithm execution.
Firstly, in step 1 of our protocol, the key center and the participants use the BB84 protocol to distribute the key, which is a secure protocol from which the attacker cannot obtain the key information.
Secondly, the participants encrypt their secret information using QOTP, which is a perfectly secure encryption scheme where outside attackers cannot recover secret information from the ciphertext without knowing the encryption key. During ciphertext transmission, the outside attacker might attack the quantum channel when the participants send their encrypted photon sequence to the server in Step 3. Because the participants insert some decoys into the photon sequence, the attacker cannot distinguish decoy photons from signal photons without knowing the positions and bases of the inserted decoy photons.
Thirdly, in the evaluation algorithm, the key center needs to communicate with the server once quantum and twice classical when the server performs a T or $T^\dagger$ gate evaluation. Because we use qubits instead of bits and insert them into a decoy photon sequence in the evaluation communication, the outside attacker cannot get effective information.

Participant's Attack
In this type of attack, the dishonest participants, server and semi-honest key center involved in the protocol try to steal secret information from other participants. Our protocol is secure against a collusive attack by N-2 dishonest participants. If there are N-1 dishonest participants, they can calculate the secret information of the last participant according to the summation and their secret information. We first analyze the case that $P_i$ desires to know the secret information of the other N-1 participants. Secondly, we analyze the case that the key center and the server want to learn the secret information of N participants.
Case 1: P i wants to steal the secret information of other N-1 participants.
There is no communication between dishonest participant $P_i$ and other honest participants in our scheme, and he cannot get any information from other participants. Suppose a dishonest server cooperates with $P_i$ to attack other participants; $P_i$ cannot decrypt and measure these encrypted photon sequences without the decryption key. Hence, an arbitrary dishonest $P_i$ cannot infer secret information about the other N-1 participants. If a dishonest participant takes part in the protocol with virtual secret information, only he can get the final summation, but he still cannot infer the secret information of other participants.
Case 2: The semi-honest key center and the server desire to steal the secret information of N participants.
The N participants interact with the key center, which is semi-honest in our protocol. This means that the key center must faithfully implement the protocol and cannot cooperate with any participant or the server, but it can use the key data it obtains to try to get the participants' secret information.
In Step 1, the key center generates the initial key with the participants by the BB84 protocol, and it does not obtain any secret information of participants in this process.

In Step 4, the server receives the ciphertext data of the participants. Without the decryption key, it cannot decrypt and measure the secret information of the participants.

In Step 5, the key center communicates with the server to generate the intermediate key. In this process, there is only the interaction of the key information and no interaction of the secret information. The server only obtains $a_k(j) \oplus y(t)$; the intermediate key cannot be inferred without knowing the specific values of $a_k(j)$ and y(t).

Conclusion
In summary, we propose a secure multi-party quantum summation protocol based on quantum homomorphic encryption. In our scheme, N participants utilize the QOTP to encrypt their photon sequences, which are qubit forms of their secret information. The server and the semi-honest key center work together to complete the calculation, and then the key center publishes the decryption and measurement results $\sum_{i=1}^{N} I_i$. Our protocol allows participants to have not only a positive integer secret information but also a negative integer. Meanwhile, the proposed protocol can also prevent outside attacks and protect the secret information of participants. Theoretically, our work can be applied to many other secure multi-party quantum computing problems.

Conflicts of Interest:
We declare that we have no conflicts of interest to report regarding the present study.