New Quantum Private Comparison Using Hyperentangled GHZ State

In this paper, we propose a new protocol designed for quantum private comparison (QPC). This new protocol utilizes the hyperentanglement as the quantum resource and introduces a semi-honest third party (TP) to achieve the objective. This protocol’s quantum carrier is a hyperentangled three-photon GHZ state in 2 degrees of freedom (DOF), which could have 64 combinations. The TP can decide which combination to use based on the shared key information provided from a quantum key distribution (QKD) protocol. By doing so, the security of the protocol can be improved further. Decoy photon technology is also used as another means of security and checks if the transmission in the quantum channel is secure or not before sending the quantum carrier. The proposed protocol is proved to be able to fend off various kinds of eavesdropping attacks. In addition, the new QPC protocol also can compare secret inputs securely and efficiently.


Introduction
The research on quantum computing has been escalating in recent years. This, in turn, benefits quantum cryptography advancements as new quantum technologies are discovered and applied to improve existing quantum cryptography systems. The field of quantum cryptography was first established by Bennett et al. [1] in 1984, who came up with the first quantum key distribution (QKD) protocol called BB84. They proved that using a quantum channel as a means of transmission could provide unconditional security. Since then, quantum cryptography has been getting more and more attention from researchers because of its potential. Up until now, the field of quantum cryptography has been divided into several branches, namely: QKD, quantum multi-party computation (QSMC), quantum secret sharing (QSS), quantum secure direct communication (QSDC), and others.
Quantum private comparison (QPC) has also been getting attention which led to QPC becoming a vital subfield of quantum cryptography. The general idea of a private comparison protocol is to compare the equality of private information of n (n ≥ 2) mutual parties without the disclosure of their secret information. The example usage of a private comparison protocol is to solve problems such as the famous "millionaires" problem, introduced by Yao et al. [2]. QPC realizes this idea of private comparison by applying quantum mechanics to the classical protocol, which vastly improves its security. The first QPC protocol was introduced by Yang et al. [3] in 2009, which uses single photons. Soon afterward, many researchers have been proposing QPC designs by utilizing different quantum states and quantum technologies. In the same year, Chen et al. [4] proposed another QPC protocol that uses a triplet entangled state called the Greenberger-Horne-Zeilinger (GHZ) state. Later in 2011, Tseng et al. [5] proposed a QPC protocol which makes use of entanglement of Bell states. Liu et al. [6] proposed a QPC protocol that uses triplet W state with single-particle measurement, and Jia et al. [7] proposed a QPC protocol which is based on χ-type state.
However, almost all of the existing QPC protocols only use quantum resources in only one degree of freedom (DOF) as their information carrier. Except for a QPC protocol proposed by Xu et al. [13] in 2019. The quantum resource used in their QPC protocol is a Bell state that possesses three different DOFs. By using this state, they were able to achieve QPC protocol with higher capacity and efficiency. The concept of using simultaneous entanglement of multiple DOFs is called hyperentanglement [14]. Some researchers [15] stated that hyperentanglement could significantly improve the channel capacity of quantum communication and speed up quantum computation. Thus, using the hyperentangled state as a quantum resource is beneficial in designing not only QPC protocol but also other quantum cryptography protocols. However, it has to be noted that distinguishing the different forms of hyperentangled state in different DOFs requires the use of a hyperentangled state analysis (HSA) scheme. Fortunately, other experts have also been coming up with new HSA schemes for different states with hyperentangled bell state analysis (HBSA) and hyperentangled GHZ state analysis (HGSA) schemes at the forefront of the research [16][17][18][19].
This paper proposes a QPC protocol using a three-photon hyperentangled GHZ state as the quantum resource. GHZ state is a maximally entangled state with m (m > 2) subsystems and having extremely nonclassical property. But specific measurements done on the GHZ state could make the state collapse into a mixture or a pure state. The simplest form of a GHZ state is the 3-qubit GHZ state which has the form of | ⟩ = 1 √2 (|000⟩ + |111⟩). The three-photon hyperentangled GHZ state makes use of entanglement in 2 kinds of DOFs, polarization and spatial-mode. References [20][21] show that some researchers have developed schemes that could generate the hyperentangled GHZ state using current technology. This structure of the paper is as follows: Section 2 introduces the prior knowledge related to the QPC protocol; Section 3 describes the proposed QPC protocol and the main steps of the protocol; Section 4 describes the analysis of the proposed QPC protocol; Section 5 concludes the content of the paper.

Hyperentangled GHZ State in 2 DOF
Generally, an N-photon hyperentangled GHZ state in polarization and spatial-mode DOFs can be written in the following form [16]: Here, the subscript A, B, …Z denotes the N photons, and the subscript P denotes the polarization DOF while S denotes the spatial-mode DOF. In each of the DOF, there are 2 N maximally entangled GHZ states. These GHZ states can be written in a universal form of [16] �δ … Here the , , … ∈ {0,1} denotes the bit information, and ̅ = 1 − , ( ̅ ∈ � � … ̅ ). Based on Eqs. (1) and (2), three-photon hyperentangled GHZ state in polarization DOF can be written as one of the following 8 GHZ states [17][18][19]: Here, | ⟩ and | ⟩ denote the horizontal and vertical polarization modes of the photons where | ⟩ ≡ |0⟩ and | ⟩ ≡ |1⟩. And the three-photon hyperentangled GHZ state in spatial-mode DOF can be written as one of the following 8 GHZ states [17][18][19]: Here | 1 ⟩ and | 2 ⟩ denote the different spatial modes for each photon where | 1 ⟩ ≡ |0⟩, | 2 ⟩ ≡ |1⟩, and ∈ , , . Because of Eqs. (3) and (4), a hyperentangled three-photon GHZ state can have 64 different combinations of GHZ states in polarization and spatial-mode DOF. An example of one of the combinations of the hyperentangled state is shown in Eq. (5)

Bell Measurement in 2 DOF
In this paper, we also utilize Bell measurement (BM) to get the Bell states of each photon, but the form of the Bell states is somewhat different because of the nature of a hyperentangled state. The Bell states in polarization and spatial-mode DOF in this paper will follow the form of [16] Here, ∈ , , … and ∈ , , … . These indicate which of the photon is being measured. Using BM on each of the photons of hyperentangled GHZ state will yield one of the following results from Eq. (6). However, each of 64 combinations of the hyperentangled three-photon GHZ state could yield different results based on the measured combination. For example, performing BM on | ⟩ = |δ 000 + ⟩ ⊗ |δ 000 + ⟩ will result in |γ⟩ = |δ 000 + ⟩ ⊗ |δ 000 while performing BM on | ⟩ = |δ 000 + ⟩ ⊗ |δ 001 + ⟩ will result in |γ⟩ = |δ 000 + ⟩ ⊗ |δ 000 This property will be exploited in the QPC protocol to improve the security of the protocol.

The Proposed QPC Protocol
In this section, we present the QPC protocol with a hyperentangled three-photon GHZ state.

Prerequisites
For simplicity, it is assumed that there are two parties which are conventionally called Alice and Bob. Alice and Bob want to compare the equality of their private information. Alice has the private information X while Bob has the private information Y. The binary representations of X and Y in 2 are (x1,x2,…,xN) and (y1,y2,…,yN), respectively, where , ∈ {0,1}, ∈ {1,2, … , }. They employ a third party (TP) who is assumed to be semi-honest which means that the TP may misbehave but will not plot with either party.

Alice (Bob) then divides the binary representation of
. Each of the group ( ) contains two bits. If N mod 2 = 1, Alice (Bob) adds one 0 into the last group Through a secure QKD protocol, Alice and TP generate a shared key sequence . Besides that, Bob and TP also generate the secret key . Here, , ∈ {000, 001, 010, 011, 100, 101, 110, 111}. The key sequence is used to determine which of the initial states will be prepared by the TP.

Detailed Steps of the Protocol
Step 1. TP prepares to generate N number of initial states | ⟩ , which are chosen from the 64 combinations of hyperentangled three-photon GHZ state based on the shared key sequence and for the polarization DOF and spatial-mode DOF, respectively, according to Tab. 1. TP will then form a quantum sequence using the states | ⟩ . : Next, TP divides the quantum sequence into three new quantum sequences , , and . consists of the first photon of every | ⟩ in quantum sequence and is intended to be sent to Alice.
consists of the second photon of every | ⟩ in quantum sequence and is intended to be sent to Bob. consists of the third photon of every | ⟩ in quantum sequence and will be kept by TP. Step 2. After preparing the quantum sequences, TP prepares two sets of decoy photons and selected randomly from the single-photon states | ⟩ ⊗ | ⟩ where | ⟩ ∈ �| ⟩, | ⟩, Then, the sets of decoy photons and are randomly inserted into the quantum sequence and respectively to form a new quantum sequence ′ and ′ . TP records each of the decoy photons' positions and measurement bases in each of the quantum sequences. And then, TP sends the quantum sequence ′ ( ′ ) to Alice (Bob).
Step 3. After receiving the quantum sequence ′ ( ′ ), Alice (Bob) notify TP that she (he) has received the quantum sequence, and TP informs Alice (Bob) of the positions and bases of each decoy photons in quantum sequence ′ ( ′ ). According to TP information, Alice (Bob) measures every decoy photons' quantum state with their corresponding measurement bases. Alice and Bob could check the security of the transmission in the quantum channel with the decoy photons' measurement results. If the error rate exceeds the error threshold, they can assume that the quantum channel is compromised, abort the protocol, and retry the protocol from the first step. Otherwise, they continue the protocol to the next step.     Step 5. When TP has received both ( ), TP perform BM on the quantum sequence . TP encodes the measurement result according to Tab. 2. And finally, TP calculates each of = ⊕ ⊕ . If all of the computation result = ∑ =1 = 00, then X and Y are equal; otherwise, X and Y are not equal. TP announces the comparison result to Alice and Bob.
The graphical representation of the QPC protocol steps are shown in Fig. 1.

Security
This section will discuss the security of the proposed protocol from two types of attacks: external attacks and participants attacks. First, we show the protocol can withstand attacks from outside of the quantum transmission. Second, we prove that any participants (Alice, Bob, and TP) cannot obtain Alice or Bob's private information.

External Attacks
We assume an external attacker called Eve is trying to get Alice or Bob's private information in every step of the protocol when given the opportunity. The only step with any transmissions of quantum particle sequences is Step 2 of the protocol, which means that this step is the only time Eve could implement the attacks. Other security measures in the protocol are decoy photons technology and QKD protocol. The decoy photons technology is used in the protocol to perform eavesdropping check. This technology has been proven to work against some well-known attacks such as intercept-resend attacks, measurementresend attacks, and entanglement measurement attacks [22]. The key sequences generated through the QKD protocol are used to select the initial states and used as encodings that could thwart some of the attacks. The following sections will describe some possible attacks that Eve could implement to get the participants' private information.
Intercept-Resend Attack. The intercept-resend attack is an attack in which the attacker intercepts the transmission to get the particles and then resends fake particles prepared beforehand to conceal the interception. In the proposed protocol, Eve can only intercept the transmission of Step 2. Meaning that what Eve can try to do is to obtain the quantum sequences ′ and ′ which are filled with decoy photon particles. Eve has to select the measurement basis from {| ⟩, | ⟩} , (| 1 ⟩ − | 2 ⟩)� to measure the decoy photons. Thus, she will have a probability of 3 4 to choose the wrong basis for every photon. The detection rate of this protocol for n decoy photons is 1 − � 1 4 � which approaches 1 if n is large enough. This detection rate means that the eavesdropper will inevitably be exposed during the eavesdropping check. Not to mention that Eve will be unable to generate a fake quantum sequence that could reproduce the decoy photon's quantum states due to the rules of the no-cloning theorem for quantum information. In a minimal chance that Eve can bypass the detection, Eve can get the measurement result and . However, during Step 4, the computation results are encrypted through the encoding of the shared key sequence ( and ) generated through QKD. As such, Eve can only get ⊕ and ⊕ and since the shared keys are unknown to Eve, Eve would not be able to get either and . Thus, this type of attack would not work on the proposed protocol. Measurement-Resend Attack. The measurement-resend attack is an attack in which the attacker intercepts the transmission similar to the previous type of attack and then perform quantum measurements on the intercepted particles. Afterwards, Eve will prepare the same quantum states based on the measurement result and resend the states to Alice and Bob. In this attack, Eve can only intercept the quantum sequences ′ and ′ which are filled with decoy photons. Eve cannot differentiate which intercepted particles are decoy photons or particles in the actual hyperentangled GHZ state, resulting in Eve consistently choosing different measurement bases for each particle. By doing so, Eve will be detected during the eavesdropping check, and thus this type of attack will also fail to work against the proposed protocol.
Man in the Middle Attack. In the man in the middle attack, Eve will try to get useful information by pretending to be the participants in the protocol. For example, during Steps 2 and 3, when TP sends the quantum sequence ′ to Alice, Eve intercepts the particles. Eve then pretends to be Alice and completes the eavesdropping check with TP resulting in Eve being able to get the quantum sequence . Next, Eve replaces the quantum sequence ′ with a fake quantum sequence by fabricating new hyperentangled GHZ states and decoy photons. Eve then pretends to be TP, sends the fake quantum sequence to Alice, and completes the eavesdropping check with Alice to prevent being detected. Eve could do the same thing to Bob to receive the quantum sequence . By doing so, Eve can get both the measurement result and . However, similar to the result of the intercept-resend attack, Eve can only get ⊕ and ⊕ and she does not know the value of the shared keys generated through QKD. Therefore, Eve will fail to get either and . Trojan Horse Attack. In the Trojan horse attack, the proposed protocol adopts the entanglement swapping approach to QPC. Because of this approach, the transmissions used in the protocol are one-way qubit transmissions. Thus Trojan horse attack would not be effective, and the attack will also fail. In conclusion, based on the analysis, our protocol has no problem withstanding known external attacks.

Participant Attacks
Compared with the previous type of attack, participant attack is more threatening as the participants have more opportunities to attack the protocol. This kind of attack was first introduced by Gao et al. [23]. In this section, we will discuss the possibility of attacks from each party. Case 1. Alice's (or Bob's) attack: Since Alice and Bob have the same role, analysis on any party would yield the same result. We assume that Alice is trying to get Bob's private information Y. The first attack that Alice could try is to intercept the quantum sequence ′ and extract Bob's private information. However, since she does not know the decoy photons' location and measurement bases, she will be detected as an outside attacker during the eavesdropping check. The second attack that she could try is to intercept and try to infer from but since she does not know , she will fail to get any helpful information. Case 2. TP's attack: The TP in this protocol is assumed to be semi-honest, meaning that the TP will execute the protocol and prepare the initial states. TP can only infer the private information from , , and . Because of not knowing the value of and and the measurement results from BM have the same probability; TP cannot know the definite value of and . Therefore, TP cannot learn of the private information X, Y.

Performance & Efficiency
In this section, we will analyze the performance as well as the efficiency of the proposed protocol. Firstly, there are advantages regarding the protocol's performance: 1) The protocol does not employ unitary operations, which means it doesn't require additional quantum devices. The protocol only uses Bell measurement, which has an easier implementation than unitary operations. 2) The protocol uses decoy photon technology instead of using entangled states for eavesdropping check.
3) The transmissions for quantum particles in the protocol are one-way quantum transmission which improves the security and efficiency of the protocol. 4) Our protocol utilizes the property of entanglement swapping, which produces nonlocal entanglement remotely, reducing the number of required transmissions and providing an easier implementation.
Secondly, to discuss the efficiency of the protocol, let us first define qubit efficiency, which is commonly used to determine the efficiency of a QPC protocol. Generally, the qubit efficiency of a QPC protocol is defined using the following equation, = . In this equation, denotes qubit efficiency, denotes the compared classical bits, and denotes the total number of photons consumed in each comparison phase [10]. The proposed protocol's quantum carrier are three-photon hyperentangled GHZ states. In each comparison, three photons in the hyperentangled state are used to compare 2 bits of classical information. On that account, the qubit efficiency of the proposed protocol is 2 3 or about 66%. The comparison of this protocol with other previously proposed QPC protocols is shown in Tab. 5. Note: SPM (single-particle measurements), SAM (single-atom measurements), BM (Bell measurements).

Discussion and Conclusion
In this paper, the QPC protocol with a hyperentangled three-photon GHZ state in 2 DOFs is proposed. The protocol utilizes a hyperentangled three-photon GHZ state in 2 DOF as a quantum resource. Using a hyperentangled state saves more quantum resources because only one kind of quantum state is needed to be prepared. The hyperentangled state also offers higher capacity and efficiency when compared to regular quantum states. The security analysis shows that the proposed protocol could withstand both external attacks and participant attacks. With the ongoing research on hyperentangled states, there will undoubtedly be more quantum technologies that could make hyperentangled states more accessible, which gives more options in handling hyperentangled states. Hopefully, by introducing this protocol, this paper could inspire other researchers to use hyperentanglement as a quantum resource.