A protocol for the secure two-party quantum scalar product

A protocol for the secure two-party quantum scalar product

Physics Letters A 376 (2012) 1323–1327 Contents lists available at SciVerse ScienceDirect Physics Letters A www.elsevier.com/locate/pla A protocol ...
Download PDF
200KB Sizes 10 Downloads 93 Views
Report

Physics Letters A 376 (2012) 1323–1327

Contents lists available at SciVerse ScienceDirect

Physics Letters A www.elsevier.com/locate/pla

A protocol for the secure two-party quantum scalar product Li-Bao He a,b,∗ , Liu-Sheng Huang a,b , Wei Yang a,b , Rui Xu a,b a b

National High Performance Computing Center, Department of Computer Science and Technology, USTC, Hefei 230027, China Suzhou Institute for Advanced Study, USTC, Suzhou 215123, China

a r t i c l e

i n f o

Article history: Received 2 December 2011 Received in revised form 23 February 2012 Accepted 24 February 2012 Available online 28 February 2012 Communicated by P.R. Holland Keywords: Quantum scalar product Quantum cryptography Quantum entanglement Secure multi-party computation

a b s t r a c t Secure scalar product serves as an important primitive for secure multi-party computation and has a wide application in different areas, such as statistical analysis, data mining, computational geometry, etc. How to collaboratively compute the correct scalar product result without leaking any participants’ private information becomes the primary principle of designing secure scalar product schemes. In this Letter, we present a secure two-party quantum scalar product scheme via quantum entanglement and quantum measurement with the help of a non-colluding third party (TP). Furthermore, the scheme is proven to be secure under various kinds of outside attacks and participant attacks. © 2012 Elsevier B.V. All rights reserved.

1. Introduction Secure multi-party computation (SMC) has become an important and fruitful area of research in recent years since it was introduced by Yao [1] and further extended by Goldreich, Micali, and Wigderson [2], and by many other researchers. The basic idea of SMC is that a computation is secure at the end of the cooperative computation, no party knows anything except its private input and the results. As fundamental primitives of SMC, protocols of secure summation [3,4], secure comparison [5,6], secure scalar product [7–9], secure division [10], and so on, can be applied extensively to many areas [11] including privacy-preserving statistical analysis, privacy-preserving data mining, privacy-preserving computational geometry, etc. With the development of quantum information, SMC has been extended to the quantum field [13–23], which combines quantum theory with information theory, uses the law of physics to provide unconditional security of participants’ private data, in contrast to classical methods based on certain computational complexity assumptions. On the one hand, lots of researchers focused on the limitations of secure multi-party quantum computation (SMQC) [13–17]. Salvail et al. [13] studied quantum protocols among two distrustful parties and provided a framework for quantifying the information leakage of a given two-party protocol. Lo [14] proved that

*

Corresponding author at: National High Performance Computing Center, Department of Computer Science and Technology, USTC, Hefei 230027, China. Tel.: +86 551 3602445; fax: +86 551 3602475. E-mail address: [email protected] (L.-B. He). 0375-9601/$ – see front matter © 2012 Elsevier B.V. All rights reserved. doi:10.1016/j.physleta.2012.02.048

all one-sided two-party computations (which allow only one of the two parties to learn the result) including quantum one-out-oftwo oblivious transfer are insecure and simultaneously constructed a class of functions that cannot be computed securely in any two-sided two-party computation. Mayers [15] and Lo et al. [16] showed that secure quantum bit commitment is impossible. Colbeck [17] proposed attacks to show that unconditionally secure two-party classical computation is impossible for many classes of functions even in quantum computing environment. On the other hand, many secure multi-party quantum computation protocols [18–23] have been constructed in recent years. Chau [18] proposed a secure multi-party scheme for computing a classic function using a specially designed fault-tolerant random polynomial 1 quantum error correction code that can tolerate at most  n−  6 cheating players (out of n). Smith [19] and Crépeau et al. [20] used the new tool verifiable quantum secret sharing (VQSS) to establish any multi-party quantum computation which can be securely performed as long as the number of dishonest players is less than n/6, after that Ben-Or et al. [21] investigated how much trust is necessary in a distributed secure multi-party computation, and presented a general secure multi-party quantum computation 1 protocol using the same technique which can tolerate any  n−  2 cheaters. Unruh [22] proposed a quantum version of the Universal Composability model (UC), and concluded that quantum UC secure protocols for general multi-party computation can be constructed from commitments. Dupuis et al. [23] addressed the problem of privately evaluating some unitary transform U upon a joint quantum input state held by two parties, and proposed a scheme for privately implementing any two-party quantum computation

1324

L.-B. He et al. / Physics Letters A 376 (2012) 1323–1327

whose security relies on the ideal functionalities: a private SWAP between registers held by the two parties and a classical private AND-box equivalent to oblivious transfer. In addition, many special SMC problems have been studied in quantum setting, for instance, secure multi-party quantum summation [24–28], secure multi-party quantum division [29], quantum protocols for anonymous voting and surveying [30,31], quantum protocols for private comparison [32–39], quantum boolean product computation [40], etc. Secure scalar product plays an important role in secure multiparty computation. The problem of secure two-party scalar product  and Bob has a vector Y , Alis as follows: Alice has a vector X  · Y + v where ice (but not Bob) is to get the result of u = X v is a random scalar known to Bob only. A myriad of secure scalar product protocols [7–9] in classic setting built upon certain computational complexity assumptions will be broken in the quantum computing environment [12], thus it is necessary to design an unconditionally secure scalar product protocol even under the quantum computers in the future. Each of the general secure multi-party computation protocols [18–21] mentioned above can be securely performed means that the number of honest players 1 must be more than  n+ , thus they cannot achieve the purpose of 2 secure two-party computation if any of the two players is dishonest. Similar to the no-go theorem on quantum bit commitment [15, 16], Dupuis et al. [13] showed that unitaries cannot be used to implement classical cryptographic primitives, from which we know that any secure two-party quantum protocol implemented by unitaries without giving any additional assumptions and providing any ideal functionalities will necessarily leak information toward one party. That’s why the construction of Unruh’s SMQC protocol [22] requires ideal commitments and why Dupuis et al. [23] introduced two ideal functionalities (private SWAP and classical private ANDbox) to their secure two-party quantum computation protocol in order to ensure privacy. In this Letter, we proposed a novel protocol for the secure two-party quantum scalar product via quantum entanglement and quantum measurement with the help of a noncolluding TP. Our protocol has the following features: (1) Both of the two players could be fully dishonest, and the TP could be dishonest but never collude with any other participant; (2) Based on the assumption that TP is non-colluding, two players can obtain no more information except their private data and the computation result by using any malicious attack, and the TP cannot obtain any information about the two players’ secrets and their computation results; (3) Our protocol can achieve the purpose of secure two-party scalar product computation with a success probability polynomially close to 1 once the corresponding parameters are appropriately chosen. Moreover, even under the assumption that the first and second priority for every participant is to steal others’ private information and to learn the correct result, our protocol is also incentive compatible. To the best of our knowledge, this is the first quantum version of secure scalar product protocol. The rest of this Letter is organized as follows. Section 2 gives some necessary definitions and notations. Section 3 describes the details of the proposed secure two-party quantum scalar product protocol (STQSPP). Section 4 proves the correctness of our STQSPP and at the time analyzes the security and efficiency of the proposed scheme. Finally, further discussions and conclusions are drawn in Section 5. 2. Preliminaries We present the precise definition of the secure two-party scalar product problem and the notations necessary for reading the protocol and its analysis in this Letter. For a more detailed explanation of the relevant background, see [19] or a text book such as [41].

Definition 1 (Secure two-party scalar product problem). Alice has a  = (x1 , x2 , . . . , xn ) and Bob has a vector Y = ( y 1 , y 2 , . . . , vector X  · Y + v = yn ). Alice (but not Bob) is to get the result of u = X  n x ∗ y + v where v is a random scalar known to Bob i i i =1 only. Definition 2 (Transversal operations). The following gates will be used in our protocol: (1) (2) (3) (4) (5)

Pauli-X operator: X = |1 0| + |0 1|, Hadamard operator: H = |+ 0| + |− 1|, Controlled not operator: CNOT: |c |t  → |c |t ⊕ c , Shift: SftcN : |a → |a + c (mod N ), Toffoli (Multiplication): Mult N : |a|b|c  →

|a|b|c + ab (mod N ),

where |0 ≡ | + z and |1 ≡ | − z are √ the spin eigenstates along the z-direction, and |+ ≡ (|0 + |1)/ 2 ≡ | + x and |− ≡ (|0 − √ |1)/ 2 ≡ | − x are the spin eigenstates along the x-direction. 3. Secure two-party quantum scalar product scheme For simplicity, we consider that there are three participants, Al = (x1 , x2 , . . . , xn ) ice, Bob, and Trent. Alice has a private vector X  and Bob has a private vector Y = ( y 1 , y 2 , . . . , yn ), where xi , y i ∈  · Y {0, 1, . . . , 2d − 1}. They want to determine the scalar product X with a help of the TP Trent who may be dishonest but never collude with Alice and Bob. At the end of the computation, Al · Y + ice obtains no information about Y except the result u = X  except the random v (mod N ), and Bob learns nothing about X scalar v (mod N), where N is the largest possible value of the scalar product. The concrete steps of our STQSPP are described as follows: Table 1 Secure Two-party Quantum Scalar Product Protocol (STQSPP). Input: Output:

Step 1: Step 2:

 = (x1 , x2 , . . . , xn ) and Alice holds X Bob holds Y = ( y 1 , y 2 , . . . , yn ), where xi , y i ∈ {0, 1, . . . , 2d − 1}.  · Y + v (mod N) and Alice ← u = X Bob ← v (mod N), where v is a random scalar. Alice and Bob share two secret keys (K A → B and K B → A ) using quantum key distribution protocols [42–44]. Trent prepares pn systems each of which comprises (2d + 2log N ) spin-1/2 particles in the entangled state (e.g., see Fig. 1) given in Eq. (1) where the keys of the form |x, y  means that the particles at Alice’s (Bob’s) site are described by the bit string “x” (“ y”), here p is a positive integer respecting to the successful execution rate of the protocol.

|Ψ a1 b1 a2 b2 =

d 2 −1 N −1 

  |i , j a1 b1 ⊗ |k, N − k + i · j a2 b2 .

(1)

i , j =0 k=0

Whereafter, she arranges these states into two sequences:









a1 a2 , S A ← Ψ1a1 , Ψ1a2 , Ψ2a1 , Ψ2a2 , . . . , Ψ pn , Ψ pn

SB ←

b1 b2 Ψ1b1 , Ψ1b2 , Ψ2b1 , Ψ2b2 , . . . , Ψ pn , Ψ pn

,

(2) (3)

where Ψia1 , Ψib1 , Ψia2 , Ψib2 represent four parts of spin-1/2 particles

Ψ a1 , Ψ b1 , Ψ a2 , Ψ b2 (see Fig. 1) in one |Ψ a1 b1 a2 b2 state, respectively, and the subscript i (1  i  pn) indicates the i-th |Ψ a1 b1 a2 b2 state in the sequences. Trent prepares two groups of decoy photons D A and D B randomly in photon states: |0, |1, |+, and |−. Here, {|0, |1} can be measured with Z -basis, and {|+, |−} could be measured with X-basis. Trent randomly inserts D A into S A and D B into S B . Later, he sends the two new formed sequences S ∗A and S ∗B to Alice and Bob, respectively.

L.-B. He et al. / Physics Letters A 376 (2012) 1323–1327

4. Analysis

Table 1 (continued) Step 3:

Step 4:

After S ∗A and S ∗B have been received by Alice and Bob, Trent will announce the positions and the measurement bases of D A and D B . Later, Alice and Bob will extract the particles in D A and D B , respectively, then measure the particles in D A and D B using the corresponding measurement bases (Z -basis and X-basis) to obtain the two sequences of measurement results (R A and R B ) and publish them. Afterwards, Trent publish the initial states of D A and D B (IS A and IS B ), then Alice and Bob can evaluate the error rate during the transmission of S ∗A and S ∗B by comparing R A with IS A and comparing R B with IS B , respectively. If the error rate exceeds the threshold they preset, they abort the protocol. Otherwise, they continue to the next step. Alice and Bob recover S A and S B by discarding the decoy photons (D A and D B ), respectively. Hereafter, they divide remaining |Ψ a1 b1 a2 b2 states into n groups. The groups sequence owned by Alice (Bob) is denoted by G A (G B ).



G A = G 1A , G 2A , . . . , G nA

=





  a1 a2  a1 a2 a1 a2 a1 a2 Ψ11 , . . . , Ψn1 , , Ψ11 , . . . , Ψ1p , Ψ1p , Ψn1 , . . . , Ψnp , Ψnp

4.1. Correctness Theorem 1 (Correctness). Suppose all the entities (Alice, Bob and Trent) involved in our STQSPP follow the protocol and the protocol is normally finished, then Alice and Bob would receive u and v respectively, where  · Y . (u − v ) (mod N ) = X Proof. From the description of our STQSPP mentioned in Table 1 we know that





b2 r a2 jp j + r jp j (mod N ) = x j · y j

=



G 1B , G 2B , . . . , G nB

u − v (mod N ) =

(5) For each j, 1  j  n, Alice measures the particles in group procedure is described as follows: (1) Alice initializes the set

j Pos A

and

j MS A

j G A,

= X · Y .

to ∅.

= =

j

(3) If r a1 = x j , then Alice adds the number k into the set Pos A and jk j MS A .

=

In the same way, Bob uses the above method to calculate the set j

j

Alice uses one time pad to encrypt Pos A (1  j  n) with K A → B , and sends the ciphertext K A → B {Pos1A , Pos2A , . . . , PosnA } to Bob. j Pos A

Bob extracts (1  After receiving j  n) using the key K A → B shared with Bob. Afterwards, Bob comj j j putes the intersection set Pos A ∩ Pos B (hereafter called IS A B ). If there exists τ (1  τ  n), which satisfies that ISτA B = ∅, then Bob aborts the protocol. Otherwise, he chooses a random number from each j

IS A B to form an n-tuple ordered sequence, which is denoted by

PS = ( p 1 , p 2 , . . . , pn ) and further searches out the 2-tuple ( p j , r b2 jp ) from

Step 7:

j MS B .

Then Bob computes v = −

1−

j =1

K A → B {Pos1A , Pos2A , . . . , PosnA },

n

b2 j =1 r jp j

j

(mod N). Finally, Bob

=

j

j

n

a2 j =1 r jp j

j



j

n 

1−

j =1 n 

P



j =1

r a1 jk

= x j or

1− P

k =1



1− 1−





p   k =1 p



= 1− 1−

1

1



r a1 jk

r b1 jk

= y j

= x j and



r b1 jk

= yj



p

4d

p n .

4d

2

(8)

Remark. Let p be equal to λ · 4d · log n, then we have:





p n

1

P (STQSPP succeed) = 1 − 1 −

encrypts PS with K B → A using one time pad and sends the ciphertext K B → A {PS} to Alice. Once receives K B → A {PS} from Bob, Alice obtains p j (1  j  n) by decrypting the ciphertext with K B → A and further searches out the 2-

) from MS A . Then she computes u = tuple ( p j , r a2 jp

(7)

P Pos A ∩ Pos B = ∅

j =1

sult |r a2 , where 0  r a2  N − 1. jk jk

Step 6:

n  

n 

j

2

4

r a1  2d − 1. After that, she uses the basis {|0, |1, . . . , | N − 1} jk

Pos B and MS B .

xj · y j

j =1

P (STQSPP succeed)

a2 to measure the particle Ψ jk and records the measurement re-

Step 5:

n 

Theorem 2. Suppose all the entities involved in the STQSPP are honest, then the protocol can be normally finished with a probability equal to (1 − (1 − 1d ) p )n .

|2d − 1} and records the measurement result |ra1 , where 0  jk

to the set



b2 r a2 jp j + r jp j (mod N ) =

Proof. Known from Steps 5, 6 and 7 of the protocol, we have:

a1 (2) Alice measures the particle Ψ jk using the basis {|0, |1, . . . ,

adds the 2-tuple

(6)

the

For each k, 1  k  p, execute the following two steps:

(k, ra2 ) jk

n   j =1



  b1 b2   b1 b2 b1 b2 b1 b2 , . . . , Ψn1 . , Ψ1p , Ψn1 , . . . , Ψnp , Ψnp Ψ11 , Ψ11 , . . . , Ψ1p

(1  j  n).

Therefore, we have:

(4) GB =

1325

4d

λ·4d ·log n 1 1−n 1− d 4

(mod N).

=1−n 1−n

1+λ·log (1− 1+λ·(−

= 1 − n1−λ .

1 4d

1 4d

)·4d

)·4d

(9)

Therefore, as long as λ > 1, our protocol STQSPP can be normally finished with a probability polynomially close to 1. 4.2. Security

Fig. 1. Quantum circuit of Trent’s making entangled system |Ψ a1 b1 a2 b2 from spin1/2 particles |0⊗2d+2s (s = log N ).

4.2.1. Outside attack Similar to [34], after Trent delivers photons to Alice and Bob, they will start to check the existence of an eavesdropper. Trent announces the positions and the measurement bases of two decoy photons sequences D A and D B . Later, Alice and Bob publish the

1326

L.-B. He et al. / Physics Letters A 376 (2012) 1323–1327

measurement results, and Trent publishes the initial states of the decoy photons. They can determine whether an eavesdropper exists or not by comparing these results. Suppose Eve is an eavesdropper, as Eve does not know the positions of the decoy photons, she has to randomly select measurement bases between X -basis and Z -basis, which makes some well-known attacks such as intercept–resend attack, entanglement– measure attack, and measurement–resend attack be detected via checking mechanism [32]. If Eve measures an X -basis decoy photon with Z -basis or measures a Z -basis decoy photon with X basis, she will be detected with a probability equal to 12 . Obviously, Eve has a probability of

1 2

to choose the wrong measurement ba-

sis. Therefore, the detection rate for one decoy photon is

( 34 )n ,

1 . 4

For

n decoy photons, the detection rate is 1 − which is exponentially close to 1 if n is large enough. Actually, even Eve is not j be detected, as she knows nothing about Pos A (1  j  n) and PS, neither Alice’s nor Bob’s private information will be leaked to Eve. Furthermore, since there exists no two-way quantum communication in our STQSPP, the Trojan horse attack [45–47] can be automatically prevented. Therefore, our protocol has the ability to resist outside attacks. 4.2.2. Participant attack As we have assumed before that Trent never colludes with any other participant, there only exist two cases of participant attacks:

Therefore, the attack from one of two players is invalid to this protocol. 4.3. Efficiency Once Alice and Bob receive the reliable particles sequences from Trent, they only have to perform single photon measurement and simple addition operation to obtain their results. In other words, our protocol has low computational complexity if these entanglements are prepared off-line by Trent. In order to achieve the correct results, O (4d · n · log2 n) entanglements are needed to be transferred from Trent to Alice and Bob, which means that efficiency decreases sharply if the elements of participants’ private vectors are too sparse. However, for some special applications that only need small integer product such as secure size of set intersection computation and secure size of set union computation [51], communication cost is still acceptable. That is to say, our protocol has practical use if and only if the elements of participants’ private vectors are not too sparse. Furthermore, parts of the initial entanglements will be lost when particles travel in noise quantum channel. Fortunately, the reliably shared entanglement can be obtained by using the quantum-repeater technique which contains the entanglement purification and teleportation [48–50]. Thus our protocol can also work well in a noisy environment. 5. Summary

Case 1. Trent attempts to steal the participants’ secrets. Trent may be dishonest and prepares fake entanglements instead of |Ψ a1 b1 a2 b2 state in order to eavesdrop some information about Alice’s and Bob’s secrets, for instance, he uses entanglement state

|Ψ a1 ea b1 eb a2 b2 =

d 2 −1 N −1 



 |i , i , j , j  ⊗ |k, N − k + i · j 

(10)

i , j =0 k =0

instead. Trent can exactly obtain the value x j ( y j ) if and only if j

he knows Pos A or PS (PS). However, known from Steps 6 and 7 of our STQSPP, Alice and Bob use one time pad during the transj mission of Pos A and p j (1  j  n). Therefore, at the end of the protocol, Trent would acquire nothing about two participants’ private data except a set of random numbers located in integer range [0, 2d − 1]. Similarly, Trent can steal nothing from two participants if he uses other fake entanglement state. In addition, in order to prevent Trent from using fake particles, Alice and Bob can check the reliability of the shared |Ψ a1 b1 a2 b2 state between Step 3 and Step 4. If Trent is found to be dishonest, Alice and Bob abort the protocol. Otherwise, they go to the next step. Obviously, suppose Trent has prepared the reliable entanglements, he wouldn’t acquire more information about participants’ private data than an outside attacker. Therefore, Trent can steal nothing about participants’ secrets. Case 2. Alice or Bob attempt to eavesdrop the other’s secret. Without loss of generality, because the role of Alice is same as that of Bob, we assume Bob is dishonest and attempts to obtain Alice’s information. If Bob tries to intercept the transmitted photons from Trent to Alice, he will be caught as an outside attacker as described in Section 4.2.1. Thus, the only possible strategy for Bob is to use j Pos A (1  j  n) sent from Alice. However, for any c ∈ [0, 2d − 1], j

P (x j = c | Pos A ) = 1d , which means that Bob can obtain no infor2 mation about Alice’s secret.

In summary, we have presented a protocol for the secure twoparty quantum scalar product based on quantum entanglement and quantum measurement. With the help of a non-colluding TP, two parties can achieve the purpose of secure two-party scalar product with a success probability polynomially close to 1. Our protocol can not only withstand outside attacks and participant attacks except the collusion attack, but also preserve the unconditional privacy of participants’ secrets. Given the condition that Trent is non-colluding, Alice and Bob cannot learn any private information own by each other, and Trent also cannot obtain any private information own by the two parties. Furthermore, in our STQSPP, a TP is required to perform some unitary operations for preparing specific entanglements, but the players only have to perform single photon measurement. Thus, it can be easily applied in scenarios such as secure size of set intersection computation and secure size of set union computation [51], and so on. Compared with the previous SMQC protocols [18–23], our protocol has the following features: (1) Chau [18], Smith [19], Crépeau [20], and Dupuis [21] designed their SMQC protocols in the honest model (all participants carry out the protocol honestly), and further showed that they 1 can tolerate at most  n− ,  n−6 1 ,  n−6 1 , and  n−2 1  cheaters 6 among n players, respectively. Thus it follows that the corresponding two-party versions of these SMQC protocols can remain secure only if both of the two players are honest. Unlike these protocols, our STQSPP was designed in the malicious model (every participant can arbitrarily deviate from the protocol). By introducing an additional non-colluding TP, two players can achieve the purpose of secure two-party scalar product computation with a success probability polynomially close to 1, and at the time each of them will leak no information about their own private data and computation result to someone else. In fact, suppose the two players (Alice and Bob) perform the protocol honestly, let Alice (but not the TP Trent) prepare the entanglements with the form given in Eq. (1) and afterwards share them with Bob by teleportation, then our STQSPP can also remain secure. That is to say, our protocol can

L.-B. He et al. / Physics Letters A 376 (2012) 1323–1327

only work well in the honest model if we did not introduce a non-colluding TP; (2) The protocols presented by Unruh [22] and Dupuis et al. [23] need no TP, but they require additional ideal commitments and two ideal functionalities (SWAP and AND-box) that cannot be implemented in reality, respectively. However, in order to make our protocol be practically feasible and ensure the security of it in the malicious model, we don’t need any extra assumptions except a non-colluding TP. The proposed STQSPP only considers the computation of twoparty scalar product with a non-colluding TP, and has high communication cost if the participants’ value range is large. Actually, we can generalize it into any two-party computation scheme by using the corresponding gate instead of multiplication Mult N . Furthermore, how to construct a statically secure two-party scalar product scheme without any TP, how to reduce the communication cost of our STQSPP, and how to generalize our protocol into multi-party quantum scalar product protocol are promising future research. Acknowledgements This work was supported by the Major Research Plan of the National Natural Science Foundation of China (No. 90818005), the National Natural Science Foundation of China (Nos. 60903217 and 60773032), and the China Postdoctoral Science Foundation funded project (No. 20090450701). References [1] Andrew C. Yao, Protocols for secure computations, in: Proc. of the 23rd Annual IEEE Symposium on Foundations of Computer Science, Chicago, 1982, pp. 160– 164. [2] O. Goldreich, S. Micali, A. Wigderson, How to play any mental game, in: Proceedings of the 19th Annual ACN Symposium on Theory of Computing, 1987, pp. 218–229. [3] B. Schneier, Applied Cryptography, 2nd edition, Wiley, 1995. [4] R. Sheikh, B. Kumar, D.K. Mishra, Int. J. Comput. Sci. Inform. Secur. 6 (2) (2009). [5] I. Ioannidis, A. Grama, An efficient protocol for Yao’s millionaires problem, in: Proceedings of the 36th Hawaii International Conference on System Sciences (HICSS-36), 2003. [6] H.-Y. Lin, W.-G. Tzeng, Appl. Cryptogr. Netw. Secur. 3531 (2005) 456. [7] Mikhail J. Atallah, Wenliang Du, Secure multi-party computational geometry, in: Proceedings of the 7th International Workshop on Algorithms and Data Structures, August 8–10, 2001, pp. 165–179. [8] Jaideep Vaidya, Chris Clifton, Privacy preserving association rule mining in vertically partitioned data, in: Proceedings of the 8th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, Edmonton, Alberta, Canada, ACM Press, 2002, pp. 639–644. [9] Wenliang Du, Zhijun Zhan, A practical approach to solve secure multi-party computation problems, in: Carla Marceau, Simon Foley (Eds.), Proceedings of New Security Paradigms Workshop, Virginia Beach, Virginia, USA, September 23–26, ACM Press, 2002, pp. 127–135. [10] W.L. Du, M.J. Atallah, Privacy-preserving cooperative statistical analysis, in: Proc. of the 17th Annual Computer Security Applications Conference, New Orleans, Louisiana, USA, 2001, p. 103.

1327

[11] Wenliang Du, Mikhail J. Atallah, Secure multiparty computation problems and their applications: A review and open problems, in: Proceedings of New Security Paradigms Workshop, New Mexico, USA, 2001, pp. 11–20. [12] P.W. Shor, Algorithms for quantum computation: Discrete logarithms and factoring, in: Proceedings of the Symposium on the Foundations of Computer Science, Los Alamitos, California, IEEE Computer Society Press, New York, 1994, pp. 124–134. [13] L. Salvail, C. Schaffner, M. Sotáková, On the power of two-party quantum cryptography, in: The Annual International Conference on Theory and Application of Cryptology and Information Security, Tokyo, Japan, 2009, pp. 70–87. [14] H.-K. Lo, Phys. Rev. A 56 (1997) 1154. [15] D. Mayers, Phys. Rev. Lett. 78 (1997) 3414. [16] H.-K. Lo, H.F. Chau, Phys. Rev. Lett. 78 (17) (1997) 3410. [17] R. Colbeck, Phys. Rev. A 76 (2007) 062308. [18] H.F. Chau, Phys. Rev. A 61 (2000) 032308. [19] A. Smith, Multi-party quantum computation, arXiv:quant-ph/0111030, 2001. [20] C. Crépeau, D. Gottesman, A. Smith, Secure multi-party quantum computation, in: Proceedings of 34th Annual ACM Symposium on Theory of Computing, Montréal, Québec, Canada, May 19–21, ACM Press, New York, 2002, pp. 643– 652. [21] M. Ben-Or, C. Crépeau, D. Gottesman, A. Hassidim, Secure multiparty quantum computation with (only) a strict honest majority, in: Proceedings of the 47th Annual IEEE Symposium on Foundations of Computer Science, FOCS 2006, 2006. [22] D. Unruh, Universally composable quantum multi-party computation, in: J. Kilian (Ed.), TCC 2005, in: Lecture Notes in Comput. Sci., vol. 3378, Springer, Heidelberg, 2005, pp. 407–425. [23] F. Dupuis, J.B. Nielsen, L. Salvail, Secure two-party quantum evaluation of unitaries against specious adversaries, in: The 30th International Cryptology Conference, Santa Barbara, California, USA, 2010, pp. 685–706. [24] S. Heinrich, J. Complexity 18 (2002) 1. [25] S. Heinrich, E. Novak, J. Complexity 19 (2003) 1. [26] S. Heinrich, M. Kwas, H. Wozniakowski, ´ Quantum Boolean summation with repetitions in the worst-average setting, arXiv:quant-ph/0311036, 2003. [27] J. Z Du, X.B. Chen, Q.Y. Wen, F.C. Zhu, Acta Phys. Sin. 56 (2007) 6214. [28] X.B. Chen, G. Xu, Y.X. Yang, Q.Y. Wen, Int. J. Theor. Phys. 49 (2010) 2793. [29] W. Yang, L.S. Liu, et al., Eur. Phys. J. D 60 (2010) 429. [30] J.A. Vaccaro, J. Spring, A. Chefles, Phys. Rev. A 75 (2007) 012333. [31] Y. Li, G.H. Zeng, Opt. Rev. 15 (2008) 219. [32] Y.G. Yang, Q.Y. Wen, J. Phys. A.: Math. Theor. 42 (2009) 055305. [33] Y.G. Yang, W.F. Cao, Q.Y. Wen, Phys. Scr. 80 (2009) 065002. [34] X.B. Chen, G. Xu, X.X. Niu, Q.Y. Wen, Y.X. Yang, Opt. Commun. 283 (2010) 1561. [35] W. Liu, Y.B. Wang, Z.T. Jiang, Y.Z. Cao, Int. J. Theor. Phys. (2011), doi:10.1007/s10773-011-0878-8. [36] J. Lin, H.-Y. Tseng, T. Hwang, Opt. Commun. 284 (2011) 2412. [37] W. Liu, Y.-B. Wang, Z.-T. Jiang, Opt. Commun. 284 (2011) 3160. [38] H.-Y. Jia, Q.-Y. Wen, T.-T. Song, F. Gao, Opt. Commun. 284 (2011) 545. [39] H.-Y. Tseng, J. Lin, T. Hwang, Quantum Inf. Process. (2011), doi:10.1007/s11128011-0251-0. [40] K. Loukopoulos, D.E. Browne, Phys. Rev. A 81 (2010) 062336. [41] M. Nielsen, I. Chuang, Quantum Computation and Quantum Information, Cambridge University Press, 2000. [42] C.H. Bennett, G. Brassard, in: Proc. IEEE Int. Conf. on Computers, Systems and Signal Processing, Bangalore, India, IEEE Press, New York, 1984, p. 175. [43] C.H. Bennett, Phys. Rev. Lett. 68 (1992) 3121. [44] X.B. Wang, Phys. Rev. Lett. 92 (2004) 077902. [45] Q.-Y. Cai, Phys. Lett. A 351 (2006) 23. [46] N. Gisin, S. Fasel, B. Kraus, H. Zbinden, G. Ribordy, Phys. Rev. A 022320 (2006). [47] X.-H. Li, F.-G. Deng, H.-Y. Zhou, Phys. Rev. A 74 (2006) 054302. [48] S.J. van Enk, J.I. Cirac, P. Zoller, Phys. Rev. Lett. 78 (1997) 4293. [49] H.-J. Briegel, W. Dür, J.I. Cirac, P. Zoller, Phys. Rev. Lett. 81 (1998) 5932. [50] W. Dür, H.-J. Briegel, J.I. Cirac, P. Zoller, Phys. Rev. A 59 (1999) 169. [51] C. Clifton, M. Kantarcioglu, X.D. Lin, M.Y. Zhu, ACM SIGKDD Explor. Newsl. 4 (2) (2002).