Optics Communications 284 (2011) 545–549
Quantum protocol for millionaire problem
Heng-Yue Jia a,b,⁎, Qiao-Yan Wen a, Ting-Ting Song a, Fei Gao a
a State Key Laboratory of Networking and Switching Technology, Beijing University of Posts and Telecommunications, Beijing 100876, China
b State Key Laboratory of Integrated Services Networks, Xidian University, Xi'an 710071, China
Article info
Article history: Received 16 April 2010; received in revised form 2 September 2010; accepted 2 September 2010
Keywords: Quantum secure computation; Comparison; Phase shifting operator; Privacy
Abstract
We present a quantum protocol for the solution of a two-party comparison task with the help of a semi-honest third party, which can be used to solve the millionaire problem. The secrets are coded into the phases of d-level entangled states by local operations and read by the third party's collective measurements. The two parties can deduce the results of the comparisons from the secret bits shared between them beforehand and the announcement of the third party. Moreover, no one else, not even the third party, learns any information about the comparison results. Our scheme is private and fair, and its security is also discussed. © 2010 Elsevier B.V. All rights reserved.
⁎ Corresponding author: H.-Y. Jia.
doi:10.1016/j.optcom.2010.09.005
1. Introduction
With the development of quantum mechanics, quantum cryptography attracts more and more attention, and many secure protocols have been designed for quantum key distribution (QKD) [1–5], quantum secret sharing (QSS) [6–11], quantum secure direct communication (QSDC) [12–15], quantum teleportation (QT) [16–19], and so on. As an important field, secure multi-party computation (SMC, also called secure function computation) has also been discussed in quantum cryptography. However, unlike the brilliant theoretical and practical achievements of QKD, there have been some difficulties in designing quantum SMC protocols. In particular, in the 1990s Mayers [20] and Lo and Chau [21] independently pointed out that previous quantum multi-party computation protocols are not secure because of the unreliable quantum bit commitment schemes. However, this has not held back research on the topic [22–24]. For example, quantum bit commitment [25,26], quantum coin flipping protocols [27,28] and quantum oblivious transfer [29,30], which are referred to as primitives in SMC, have received special attention under different background conditions.
From a unified view, in SMC m participants compute the value of a given function $f(x_1, x_2, \cdots, x_m)$, where $x_i$ ($1 \le i \le m$) is participant $P_i$'s private input. The purpose of the protocol is to design a scheme for the participants to complete the computation task cooperatively, while everyone's private value is kept from being unduly disclosed to others. A secure protocol should reveal no more information than the output of the function itself, and the security should be preserved in the case of malicious behavior.
SMC has wide application, especially in the electronic information era, for example in e-auctions, e-commerce, and data mining. Some secure quantum multiparty computation protocols for particular problems have been proposed so far, for instance, quantum multiparty summation [32], quantum inner product computation [33], and quantum comparison of equal information [34,35]. In a sense, voting and surveying [36,37] can also be considered as SMC.
The millionaire problem introduced by Yao [31] was the origin of secure multi-party computation: two millionaires wish to know who is richer without revealing the precise amount of their fortunes. In scientific computation, comparison is a basic problem, so the millionaire problem is an important issue in secure multi-party computation, and it is well studied in classical cryptography. Recently, Yang and Wen proposed a protocol [34] for private comparison with the help of a third party based on Bell states and a secret hash function. After that, Chen et al. designed another efficient protocol based on GHZ states and single-particle measurements [35]. Both of them are designed for testing information equivalence. Besides, quantum protocols were proposed for anonymous voting and surveying in Refs. [36,37]. In those protocols, each vote is made by translating the phase value of an entangled state which is shared between the voters and the tallyman. Because of the physical properties, the secret information stored in the entangled state's phase is only accessible from the collection of the particles. At the end of the protocol, the sum of all votes can be calculated without leaking information about how individuals voted.
Inspired by the works of [36,37], we propose a scheme which can solve the millionaire problem. Specifically, it is a private protocol for a more general situation in which two parties compare n pairs of numbers (for the millionaire problem, n = 1). In this protocol,
the secret numbers are coded into the phases of entangled states by local operations, but the phase information can only be read by a collective measurement. Similar to Refs. [34,35], a third party is needed. For the two-party comparison problem, the third party plays an important role in the protocol, because he is usually enabled to prepare quantum states, measure them, and announce the measurement results. In addition, he is helpful for increasing efficiency and providing a fair environment. So it is difficult to avoid revealing partial information of the comparison results to the third party, as in [35]. It is especially worth noting that our scheme is designed so that the conclusions are known only to the owners of the secrets, without any classical cryptography tools. The results are confidential to outsiders, even to the third party.
The structure of this paper is as follows. Section 2 is devoted to the descriptions of the model and the specific protocol. In Section 3, the security of this protocol and the comparison between the previous protocols [34,35] and our protocol are discussed. Finally, we conclude in Section 4.
2. Our protocol
Before presenting the protocol, we first give a description of our model and quantum resources.
2.1. Preparation for the protocol
In Yao's protocol [31], two millionaires, Alice and Bob, possess a millions and b millions respectively, where $1 < a, b < 10$. Alice and Bob want to know who is richer. In this paper, we consider a more general comparison case: Alice has a vector $\alpha = (a_1, \cdots, a_n)$ and Bob has a vector $\beta = (b_1, \cdots, b_n)$, where $1 < a_i, b_i < N$ for $i = 1, \cdots, n$ are integers and N is a larger number. They want to learn the relative ordering of each pair $a_i, b_i$ (i.e., whether $a_i < b_i$ or not).
Similar to Chen et al.'s protocol [35], our protocol completes the task with the aid of a semi-honest (also called honest but curious) third party, Trent. This means that he executes the protocol faithfully, but he might try to deduce other parties' private secrets from all of his intermediate data. In the semi-honest model, it is supposed that the party will never be corrupted by an adversary. In other words, Trent cannot collaborate with Alice or Bob. This model is widely used in the current classical cryptographic literature and is well justified in practical applications, especially in data mining [38–40].
Our protocol has the following properties:
• Security: after the execution, the correct comparison results are known to Alice and Bob. However, no information about the value of an individual $a_i$ / $b_i$ is exposed, except that revealed by the conclusion. And all malicious behaviors during the process can be discovered.
• Privacy: the results of the comparisons are private. Although the protocol is implemented with the help of the semi-honest Trent, he cannot know the comparison results. In other words, no one except Alice and Bob can deduce the results from the outcomes announced by Trent.
• Fairness: our protocol is fair, because Alice and Bob get the conclusions at the same time with Trent's assistance. This is more reasonable than the protocol in Ref. [31], which enabled Bob to get the answer and then tell Alice.
Next we introduce the quantum state used in our protocol. For the d-level quantum system,
$$B_1 = \{|j\rangle\}_{j=0}^{d-1} \quad\text{and}\quad B_2 = \left\{\frac{1}{\sqrt{d}}\sum_{k=0}^{d-1}\exp(i\theta k\cdot j)\,|k\rangle\right\}_{j=0}^{d-1}$$
are two common non-orthogonal bases, where $\theta = \frac{2\pi}{d}$. The carrier state adopted in this paper is a d-level entangled state of the following form:
$$|\varphi_0\rangle = \frac{1}{\sqrt{d}}\sum_{k=0}^{d-1}|k\rangle|k\rangle|k\rangle. \tag{1}$$
Suppose x is an integer; the local phase shifting operator corresponding to x is denoted by
$$U_x = \sum_{k=0}^{d-1}\exp(i\theta k\cdot x)\,|k\rangle\langle k|. \tag{2}$$
After performing $U_x$ on any one of the particles in state $|\varphi_0\rangle$, the state becomes
$$|\varphi_x\rangle = \frac{1}{\sqrt{d}}\sum_{k=0}^{d-1}\exp(i\theta k\cdot x)\,|k\rangle|k\rangle|k\rangle. \tag{3}$$
It is not difficult to find that the states $\{|j\rangle|j\rangle|j\rangle\}_{j=0}^{d-1}$ form an orthonormal basis for a d-dimensional subspace, and the states $\{|\varphi_x\rangle\}_{x=0}^{d-1}$ compose another one. As is well known, the phase information stored in the state is not available at any one particle but only in the collection of all particles. Similar to Refs. [36,37], the information which is encoded in the phase of $|\varphi_0\rangle$ can be extracted by the following operator $\hat{T}$:
$$\hat{T} = \sum_{t=0}^{d-1} t\,|T_t\rangle\langle T_t| \tag{4}$$
where $|T_t\rangle = \frac{1}{\sqrt{d}}\sum_{m=0}^{d-1}\exp(i\theta m\cdot t)\,|m\rangle|m\rangle|m\rangle$ and $\langle T_s|T_t\rangle = \delta_{st}$. In fact, the states in Eq. (3) for $x = 0, \cdots, d-1$ are all eigenstates of the observable $\hat{T}$, and $|T_t\rangle\langle T_t|$ is the projector onto the eigenspace of $\hat{T}$ with eigenvalue t.
An example is given for better understanding of $\hat{T}$. When a state in Eq. (3) is measured with $\hat{T}$, the value of the measurement is given by
$$\langle\varphi_x|\hat{T}|\varphi_x\rangle = x \pmod{d}. \tag{5}$$
If $0 \le x \le d-1$, the result is just the information which has been encoded into the phase.
2.2. The quantum protocol for comparison
Now we give the specific steps of the protocol.
(S1) Alice shares a string of random bits $r_1 r_2 \cdots r_n$ with Bob privately, where $r_i \in \{0, 1\}$ for $i = 1, \cdots, n$. These secret bits can be shared in different ways. For example, they could execute coin flipping protocols, or a QKD protocol, beforehand.
(S2) Trent creates a sequence of n three-particle entangled states in the form of Eq. (1),
$$|\varphi_0\rangle_i = \frac{1}{\sqrt{d}}\sum_{k=0}^{d-1}|k\rangle_{T_i}|k\rangle_{A_i}|k\rangle_{B_i}$$
where the subscripts $T_i$, $A_i$ and $B_i$ correspond to Trent, Alice and Bob. In our protocol, the condition on d is $d = 2N$, which is necessary to determine the comparison results. Then Trent picks out the second particle from each state to form an ordered sequence $S_A = \{A_1, A_2, \cdots, A_n\}$, the third particle to form the sequence $S_B = \{B_1, B_2, \cdots, B_n\}$, and the remaining particles compose the sequence $S_T = \{T_1, T_2, \cdots, T_n\}$. After that, Trent sends $S_A$ to Alice, $S_B$ to Bob and keeps $S_T$. To prevent eavesdropping, Trent inserts decoy photons, each randomly in one of the states of the set $B_1 \cup B_2$, into the sequences $S_A$ and $S_B$ at random positions.
(S3) Alice and Bob publicly confirm that they have received all particles. Then they need to check whether the particles are
eavesdropped during the transmission. The procedure is as follows: Trent tells Alice and Bob the positions and the measuring bases of the decoy photons in $S_A$ and $S_B$, respectively. Then Alice (Bob) measures those particles in the bases Trent announced. After that, Alice and Bob publish their measurement outcomes. As Trent knows the states before measurement, he can find out whether an eavesdropper exists in the communication. If there is no error, they can be assured of the security and proceed to the next step. Otherwise, Trent discards these particles and restarts from the second step. At this point, the $|\varphi_0\rangle$ states are shared securely as quantum channels by Trent, Alice and Bob, each of which can help them achieve a comparison of one pair of numbers.
(S4) For comparing, Alice and Bob need to input their secrets $\alpha = (a_1, \cdots, a_n)$ and $\beta = (b_1, \cdots, b_n)$ on the $S_A$ sequence and the $S_B$ sequence respectively. Without loss of generality, we take just one pair of numbers $a_i, b_i$ as an example. Alice inputs $a_i$ by applying the phase shifting operation
$$U_{A_i} = U_{(-1)^{r_i} a_i} = \sum_{k=0}^{d-1}\exp\left(i\theta k\cdot(-1)^{r_i} a_i\right)|k\rangle\langle k|$$
on particle $A_i$. Similarly, Bob performs his encoding operation
$$U_{B_i} = U_{(-1)^{1-r_i} b_i} = \sum_{k=0}^{d-1}\exp\left(i\theta k\cdot(-1)^{1-r_i} b_i\right)|k\rangle\langle k|$$
on his particle $B_i$. After the operations, the resulting state is
$$|\varphi_{a_i-b_i}\rangle = \frac{1}{\sqrt{d}}\sum_{k=0}^{d-1}\exp\left(i\theta k\cdot(-1)^{r_i}(a_i-b_i)\right)|k\rangle_{T_i}|k\rangle_{A_i}|k\rangle_{B_i}. \tag{6}$$
Using the same method, all secret components in $\alpha$ and $\beta$ are encoded on the corresponding particles; then Alice and Bob send $S_A$ and $S_B$ back to Trent. Before the transmission, they have to insert decoy photons into the sequences $S_A$ and $S_B$ randomly, which is necessary to guard against eavesdropping in transmission.
(S5) When all particles are collected, Trent should first check the transmission security with Alice and Bob, respectively. The checking procedure is similar to the third step. If they confirm that there is no eavesdropping, Trent takes the collective measurement on each three-particle entangled state with the operator $\hat{T}$. The measurement yields the result
$$D_i = \langle\varphi_{a_i-b_i}|\hat{T}|\varphi_{a_i-b_i}\rangle = (-1)^{r_i}(a_i-b_i) \pmod{d}. \tag{7}$$
If $0 < D_i < \frac{d}{2}$, Trent records $R_i = 0$; otherwise, he records $R_i = 1$. Afterwards he obtains a bit string $R_1 R_2 \cdots R_n$, and he broadcasts the bits in order.
(S6) From the value of $R_i$ and the $r_i$ which is shared by Alice and Bob privately, Alice and Bob can learn the relationship in size between $a_i$ and $b_i$ simultaneously. All cases are shown in Table 1 for $1 \le i \le n$. Because the final bits are announced by Trent, and according to the rules, Alice and Bob get the comparison results at the same time rather than one of them in advance.
Table 1. The result of comparing $a_i$, $b_i$ with the shared $r_i$ and the public $R_i$.
$r_i$ | $R_i$ | Result
0 | 0 | $a_i > b_i$
0 | 1 | $a_i < b_i$
1 | 0 | $a_i < b_i$
1 | 1 | $a_i > b_i$
Let us give an example for illustration. Suppose $d = 10$, $r_1 = 0$, $a_1 = 2$ and $b_1 = 3$. Alice performs $U_{A_1} = U_2 = \sum_{k=0}^{9}\exp(i\theta k\cdot 2)\,|k\rangle\langle k|$ on particle $A_1$ and Bob performs $U_{B_1} = U_{-3} = \sum_{k=0}^{9}\exp(i\theta k\cdot(-3))\,|k\rangle\langle k|$ on particle $B_1$. Under the operations, the state becomes $|\varphi_{2-3}\rangle = \frac{1}{\sqrt{d}}\sum_{k=0}^{9}\exp\left(i\theta k\cdot(-1)^{0}(2-3)\right)|k\rangle_{T_1}|k\rangle_{A_1}|k\rangle_{B_1}$. After particles $A_1$ and $B_1$ are sent to Trent, the outcome attained by Trent with $\hat{T}$ is $D_1 = \langle\varphi_{-1}|\hat{T}|\varphi_{-1}\rangle = (-1) \pmod{10} = 9 \pmod{10} > 5$. As a result, $R_1 = 1$ will be announced publicly, and both Alice and Bob can deduce $a_1 < b_1$, which is the right order.
It is clear that correctness and fairness are satisfied in this protocol. Moreover, our protocol keeps privacy: because $r_1 r_2 \cdots r_n$ are known only to Alice and Bob, other persons (including Trent) cannot learn the comparison results.
3. Security analysis and discussion
Before comparing with previous private comparison protocols [34,35], we first analyze the security of this protocol.
3.1. Security analysis
In this paper, we focus on the comparison problem. Namely, for $\alpha = (a_1, \cdots, a_n)$ and $\beta = (b_1, \cdots, b_n)$, our protocol can decide which is the larger of each pair of numbers without leaking the values. Without loss of generality, hereafter we consider just one pair of numbers, for example $a_i$ and $b_i$, to discuss the security. The purpose of someone's malicious behavior is to try to obtain $a_i$ or $b_i$.
As pointed out in Refs. [6,7,41], a participant can attain partial information legally, so he/she generally has more advantages in an attack than an outside eavesdropper. The security analysis of our protocol therefore begins with the participant attack. On the one hand, Alice and Bob may be dishonest. Because the role of Alice is the same as that of Bob, we may assume that Alice is curious. In other words, she tries to learn the value of Bob's secret $b_i$. As given in the protocol, after Alice's and Bob's operations, $|\varphi_0\rangle$ becomes the state in the form of Eq. (6). In this situation, the reduced density matrix of Alice's subsystem is
$$\rho^{A_i} = \mathrm{tr}_{T_i B_i}\,\rho^{T_i A_i B_i} = \frac{1}{d}\sum_{n=0}^{d-1}|n\rangle_{A_i}\,{}_{A_i}\langle n| \tag{8}$$
which is invariant under the operations. Hence, Alice cannot extract any information from $A_i$. For the same reason, she would also gain no information about $b_i$ from the particle $B_i$ in transmission. In fact, the secret number stored in the phase can be learned only when $T_i$, $A_i$ and $B_i$ are measured by a collective measurement. This means that no information would be disclosed even if Alice had particles $A_i$ and $B_i$ at the same time, because the reduced density matrix of their subsystem
$$\rho^{A_i B_i} = \mathrm{tr}_{T_i}\,\rho^{T_i A_i B_i} = \frac{1}{d}\sum_{n=0}^{d-1}|n\rangle_{A_i}|n\rangle_{B_i}\,{}_{A_i}\langle n|\,{}_{B_i}\langle n| \tag{9}$$
is independent of the phase. However, the particle $T_i$ is never transmitted in the process, so Alice has no opportunity to implement the operator $\hat{T}$ on all three particles.
Alternatively, it is assumed that Alice captures the particle $B_i$ when it is being transmitted from Trent to Bob, and resends a particle in the state $\frac{1}{\sqrt{d}}\sum_{k=0}^{d-1}|k\rangle$ to Bob. After Bob encodes the particle, Alice intercepts it again and makes a measurement with basis $B_2$. Because after Bob's operation $U_{B_i}$ the fake particle is in the state $\frac{1}{\sqrt{d}}\sum_{k=0}^{d-1}\exp\left(i\theta k\cdot(-1)^{1-r_i} b_i\right)|k\rangle$, which is one state of the basis $B_2$, Alice can get the state exactly by measurement, and then she learns the value of $b_i$.
However, this dishonest action must be discovered in (S3) by the eavesdropping check between Trent and Bob, because only Trent
knows the positions of the decoy photons and he keeps them secret until the transmission is completed. Note that all photons transmitted are in the maximally mixed state, and Alice cannot distinguish between decoy photons and carrier photons. Therefore, it is inevitable that some decoy photons are replaced by fake ones when Alice performs the above attack. In this condition, the measurement outcomes of her fake photons will not all be consistent with the original decoy states. To be specific, Alice sends a $\frac{1}{\sqrt{d}}\sum_{k=0}^{d-1}|k\rangle$ state instead of a decoy state which is sent by Trent. This trick will introduce an error with probability $\frac{d-1}{d}$. Thus, it is easy to see that the probability of passing the whole security check is near to 0. In fact, any effective eavesdropping will leave a mark in the decoy photons, so Alice cannot steal the secret without being detected.
On the other hand, Trent in our protocol is a semi-honest third party. That is, Trent follows the protocol steps correctly. Nevertheless, he may try to extract more information from the steps than he is entitled to. For instance, Trent may attempt to learn the secrets of the other parties. Furthermore, he is not permitted to cooperate with Alice or Bob. Although Trent is semi-honest, the leakage of extra information to him can be prevented in this protocol. The reason is explained as follows.
It can be seen that, when the protocol is finished, Trent gets the result $D_i = (-1)^{r_i}(a_i-b_i) \pmod{d}$. Under the condition $0 < a_i, b_i < N$, Trent knows the difference between $a_i$ and $b_i$. But since there are $2\left\lceil\frac{N-2}{D_i}\right\rceil$ (for $R_i = 0$) or $2\left\lceil\frac{N-2}{d-D_i}\right\rceil$ (for $R_i = 1$) different pairs $(a_i, b_i)$ satisfying Eq. (7), he cannot determine the values of $a_i$ and $b_i$. Besides, the random $r_i$ is kept secret from Trent, so the result of the comparison is unknown to him, i.e., he cannot learn whether $a_i > b_i$ or not. Therefore, it can be seen that this protocol is robust against participant attacks.
As far as outside attacks are concerned, because of the use of non-orthogonal decoy photons, the eavesdropper's several kinds of attacks, such as the intercept-resend attack, the measurement-resend attack, and the denial-of-service attack, will be discovered with nonzero probability during the security checking process. After the participants ensure the security of the quantum channel, the eavesdropper cannot extract any information about Alice's and Bob's secrets $a_i$ and $b_i$ from the particles transmitted in the communication. The reason is that the way of encoding the secrets keeps the reduced density matrices of the traveling particles unchanged. And from the classical bits announced by Trent, an outside eavesdropper cannot learn valuable information about $a_i$ and $b_i$. Moreover, the comparison result cannot be deduced without Alice and Bob's $r_i$.
For some special attacks, such as the photon-number-splitting (PNS) attack, the decoy-photon Trojan horse attack and the invisible-photon Trojan horse attack [42,43], participants can defeat these attacks by using beam splitters to split the sampling signals chosen for the eavesdropping check before their operations, and by inserting filters in front of their devices to filter out photon signals with an illegitimate wavelength.
In addition, if the particles of the entangled states travel in a noisy channel, this seems to threaten the entanglement over a long distance. As pointed out in Ref. [35], the quantum-repeater technique [44], containing entanglement purification and teleportation, can help us to keep the reliably shared entanglement.
3.2. Comparison of our protocol with previous studies
Following the ideas of the quantum private comparison protocols [34,35], we propose this protocol, which can be used to solve the millionaire problem. This protocol meets the requirements on fairness and security, which is similar to the protocols in Refs. [34,35]. In these protocols, with the help of the third party, the comparison result(s) can be known or deduced by the owners of the secrets simultaneously, and the secret information will not be revealed. We show some differences between our protocol and the related studies [34,35] in Table 2.
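Steps (S4) to (S6) of Section 2.2 and Trent's view discussed in Section 3.1 can be checked with a small classical simulation, given here as an added example that is not code from the paper or its authors. It assumes ideal states and measurements with no decoy photons; all function names are hypothetical, and the inputs other than the paper's d = 10 example are constructed.

```python
# Added example: classical simulation of steps (S4)-(S6); not the authors' code.
# The state stays in span{|k>|k>|k>}, so d complex amplitudes describe it fully.
import cmath
import math


def carrier_state(d):
    """Amplitudes of |phi_0> = (1/sqrt d) sum_k |k>|k>|k>  (Eq. 1)."""
    return [1 / math.sqrt(d)] * d


def phase_shift(state, x):
    """Apply U_x (Eq. 2) to one particle: amplitude k picks up exp(i*theta*k*x)."""
    theta = 2 * math.pi / len(state)
    return [amp * cmath.exp(1j * theta * k * x) for k, amp in enumerate(state)]


def collective_measurement(state):
    """Measure T-hat (Eq. 4): most likely outcome t and p(t) = |<T_t|state>|^2."""
    d = len(state)
    theta = 2 * math.pi / d
    probs = []
    for t in range(d):
        overlap = sum(cmath.exp(-1j * theta * m * t) * amp
                      for m, amp in enumerate(state)) / math.sqrt(d)
        probs.append(abs(overlap) ** 2)
    t = max(range(d), key=probs.__getitem__)
    return t, probs[t]


def trent_round(a, b, r, N):
    """One comparison: returns (D, R, p), where R is the bit Trent broadcasts."""
    if not (1 < a < N and 1 < b < N) or r not in (0, 1):
        raise ValueError("protocol requires 1 < a, b < N and r in {0, 1}")
    d = 2 * N                                          # condition d = 2N from (S2)
    state = carrier_state(d)
    state = phase_shift(state, (-1) ** r * a)          # Alice: U_{(-1)^r a}
    state = phase_shift(state, (-1) ** (1 - r) * b)    # Bob:   U_{(-1)^(1-r) b}
    D, p = collective_measurement(state)               # Eq. (7)
    R = 0 if 0 < D < d / 2 else 1                      # Trent's rule in (S5)
    return D, R, p


def decode(r, R):
    """Table 1: Alice and Bob combine the shared r with the public R."""
    return ">" if r == R else "<"


def trent_learns(D, N):
    """What D alone tells Trent: |a - b|, but not its sign (he does not know r)."""
    return min(D, 2 * N - D)


if __name__ == "__main__":
    # The paper's worked example: d = 10 (N = 5), r = 0, a = 2, b = 3.
    D, R, p = trent_round(2, 3, 0, 5)
    print(f"D={D} R={R} p={p:.3f} -> a {decode(0, R)} b")
    # Constructed input: swapped secrets with r = 1 give Trent the same (D, R).
    print(trent_round(3, 2, 1, 5)[:2], "-> a", decode(1, 1), "b")
    # Constructed edge case: a = b gives D = 0, hence R = 1 under the (S5) rule;
    # Table 1 has no row for equality, so decode() still reports an inequality.
    print(trent_round(4, 4, 0, 6)[:2])
```

The two transcripts (9, 1) for (a, b, r) = (2, 3, 0) and (3, 2, 1) are identical, which is why the broadcast bit is useless without the shared r.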
Table 2. The comparison of the proposed protocol and previous studies.
 | Ref. [34]'s | Ref. [35]'s | Ours
Quantum resource | Bell states | GHZ states | $|\varphi_0\rangle = \frac{1}{\sqrt{d}}\sum_{k=0}^{d-1}|k\rangle|k\rangle|k\rangle$
Quantum operation | I, X, Z, iY | I, Z | $U_x$ (Eq. (2))
Quantum measurement | Bell-basis | X-basis | $\hat{T}$ (Eq. (4))
Object of the study | Equality | Equality | Relationship in size
Request for third party | Dishonest | Semi-honest | Semi-honest
Need of hash function | Yes | No | No
Privacy of result | Yes | No | Yes
Cost of states (a) | $\lceil l/2 \rceil$ | $\lambda L$ | 1
(a) Suppose a pair of numbers x, y ($0 < x, y < N$) need to be compared, without considering the particles for the security check. Let $X = (x_{n-1}, x_{n-2}, \cdots, x_0)$ and $Y = (y_{n-1}, y_{n-2}, \cdots, y_0)$ be the binary representations of x and y, where $n = \lceil \log_2 N \rceil$. l is the length of X's and Y's hash values. L is the block size that X and Y are divided into. $\lambda$ is an integer and $1 \le \lambda \le \left\lceil \frac{\log_2 N}{L} \right\rceil$.
It can be seen that the third party included in Yang and Wen's protocol [34] is dishonest rather than semi-honest, and the protocol in Ref. [35] only needs single-particle measurements. However, our protocol also has distinct advantages. First and foremost, this protocol can determine which of two secret numbers is larger, while the protocols in Refs. [34,35] are designed to compare the equality of the private information. Furthermore, our protocol does not compare the secret information by hash values or by groups of the secrets' binary representations. The parties code their secret values into the phases of the entangled states by local operations, but only the collective measurements can extract the phase information. Different from Ref. [35], the comparison result in this protocol will not be made public, under the protection of the random numbers shared by Alice and Bob. When the protocol is over, no one except Alice and Bob can deduce the relationship in size between the secrets from the bits announced by the third party. Moreover, our protocol has an excellent performance in efficiency. Actually, in order to compare a pair of numbers without considering the particles for the security check, our protocol can complete the task with only one three-particle entangled state.
4. Conclusion
We present a quantum protocol which can be used to solve the millionaire problem. In our protocol, the numbers are input by translating the phase of the entangled state with local operations. Because of the nature of the shared state, the actual value of the phase is protected from all participants, so it can be kept secret. After the particles are collected by Trent, he exploits a collective measurement to extract the phase information and makes an announcement in conformity with the rules. According to this protocol, the two parties can achieve comparisons based on Trent's announcement and the private bits shared beforehand, but the semi-honest Trent cannot know the results.
In conclusion, we propose a protocol with the properties of fairness and privacy, and the security of the protocol with respect to different kinds of attack is discussed. The advantage of the quantum comparison protocol is that the security relies on the laws of quantum mechanics rather than on assumptions about computational complexity. Nevertheless, in this paper we consider only the case of comparison between two parties. This method cannot efficiently be employed directly in the case of multi-party sorting, which remains an open question in quantum cryptography. Besides, in this protocol the third party Trent is semi-honest, and he can obtain the difference between Alice's and Bob's secrets. As a result, a question arises: can the restriction on Trent be relaxed, or can the information obtained by Trent be reduced? We hope that our work will inspire further study. Moreover, it can be seen that neither the previous protocols of Refs. [34,35] nor our protocol can fulfill their mission without the help of the third party. The use of a third party may become the weakest point of the protocols. Therefore, to
investigate whether a no-go theorem for a pure two-party secure comparison protocol exists, as in the case of bit commitment [20,21,25,26], is an issue which is difficult but also worth studying. We will attempt to discuss this problem in future work.
Acknowledgments
This work is supported by NSFC (Grant Nos. 60873191, 60903152, 61003286, 60821001), SRFDP (Grant Nos. 200800131016, 20090005110010), Beijing Nova Program (Grant No. 2008B51), Key Project of Chinese Ministry of Education (Grant No. 109014).
References
[1] C.H. Bennett, G. Brassard, Proc. IEEE Int. Conf. on Computers, Systems and Signal Processing, Bangalore, India, IEEE Press, New York, 1984, p. 175.
[2] C.H. Bennett, Phys. Rev. Lett. 68 (1992) 3121.
[3] X.B. Wang, Phys. Rev. Lett. 92 (2004) 077902.
[4] Q. Zhang, J. Yin, T.Y. Chen, S. Lu, J. Zhang, X.Q. Li, T. Yang, X.B. Wang, J.W. Pan, Phys. Rev. A 73 (2006) 020301.
[5] Y. Sun, Q.Y. Wen, F. Gao, F.C. Zhu, Phys. Rev. A 80 (2009) 032321.
[6] A. Karlsson, M. Koashi, N. Imoto, Phys. Rev. A 59 (1999) 162.
[7] M. Hillery, V. Bužek, A. Berthiaume, Phys. Rev. A 59 (1999) 1829.
[8] G.P. Guo, G.C. Guo, Phys. Lett. A 310 (2003) 247.
[9] S.J. Qin, F. Gao, Q.Y. Wen, F.C. Zhu, Phys. Rev. A 76 (2007) 062324.
[10] L.F. Han, Y.M. Liu, H. Yuan, Z.J. Zhang, Chin. Phys. Lett. 24 (2007) 3312.
[11] T.Y. Wang, Q.Y. Wen, F. Gao, S. Lin, F.C. Zhu, Phys. Lett. A 373 (2008) 65.
[12] K. Bostroem, T. Felbinger, Phys. Rev. Lett. 89 (2002) 187902.
[13] F.G. Deng, G.L. Long, X.S. Liu, Phys. Rev. A 68 (2003) 042317.
[14] S. Lin, Q.Y. Wen, F. Gao, F.C. Zhu, Phys. Rev. A 78 (2008) 064304.
[15] F. Gao, S.J. Qin, Q.Y. Wen, F.C. Zhu, Opt. Commun. 283 (2010) 192.
[16] C.H. Bennett, G. Brassard, C. Crépeau, R. Jozsa, A. Peres, W.K. Wootters, Phys. Rev. Lett. 70 (1993) 1895.
[17] D. Bouwmeester, J.W. Pan, K. Mattle, M. Eibl, H. Weinfurter, A. Zeilinger, Nature (London) 390 (1997) 575.
[18] Z.J. Zhang, Y.M. Liu, Z.X. Man, Commun. Theor. Phys. 44 (2005) 847.
[19] X.B. Chen, Q.Y. Wen, F.C. Zhu, Int. J. Quant. Inf. 5 (2007) 717.
[20] D. Mayers, Phys. Rev. Lett. 78 (1997) 3414.
[21] H.K. Lo, H.F. Chau, Phys. Rev. Lett. 78 (1997) 3410.
[22] C. Crépeau, D. Gottesman, A. Smith, STOC02 (2002) 643.
[23] J. Mueller-Quade, H. Imai, arXiv:quant-ph/0010112.
[24] M. Ben-Or, C. Crépeau, D. Gottesman, A. Hassidim, A. Smith, FOCS'06 (2006) 249.
[25] G.M. D'Ariano, D. Kretschmann, D. Schlingemann, R.F. Werner, Phys. Rev. A 76 (2007) 032328.
[26] R.W. Spekkens, T. Rudolph, Phys. Rev. A 65 (2001) 012310.
[27] G. Molina-Terriza, A. Vaziri, R. Ursin, A. Zeilinger, Phys. Rev. Lett. 94 (2005) 040501.
[28] R. Colbeck, Phys. Lett. A 362 (2007) 390.
[29] I.C. Chen, T. Hwang, C.M. Li, Phys. Scr. 78 (2008) 035005.
[30] K.Y. Cheong, Min-Hsiu Hsieh, Takeshi Koshiba, arXiv:1004.1871.
[31] A.C. Yao, Proc. of the 23rd Annual IEEE Symposium on Foundation of Computer Science, Chicago, 1982, p. 160.
[32] J.Z. Du, X.B. Chen, Q.Y. Wen, F.C. Zhu, Acta Phys. Sin. 56 (2007) 6214.
[33] K. Loukopoulos, D.E. Browne, arXiv:0906.2297.
[34] Y.G. Yang, Q.Y. Wen, J. Phys. A: Math. Theor. 42 (2009) 055305.
[35] X.B. Chen, G. Xu, X.X. Niu, Q.Y. Wen, Y.X. Yang, Opt. Commun. 283 (2010) 1561.
[36] J.A. Vaccaro, J. Spring, A. Chefles, Phys. Rev. A 75 (2007) 012333.
[37] Y. Li, G.H. Zeng, Opt. Rev. 15 (2008) 219.
[38] Y. Lindell, B. Pinkas, J. Cryptol. 15 (2002) 177.
[39] J. Wullschleger, Advances in Cryptology—EUROCRYPT'07, Lecture Notes in Computer Science, Springer-Verlag, 2007, p. 555.
[40] F. Giannotti, D. Pedreschi, Mobility, data mining, and privacy: geographic knowledge discovery, Springer, New York, 2008.
[41] F. Gao, S.J. Qin, Q.Y. Wen, F.C. Zhu, Quantum Inf. Comput. 7 (2007) 329.
[42] F.G. Deng, X.H. Li, H.Y. Zhou, Z.J. Zhang, Phys. Rev. A 72 (2005) 044302.
[43] N. Gisin, S. Fasel, B. Kraus, H. Zbinden, G. Ribordy, Phys. Rev. A 73 (2006) 022320.
[44] Z.B. Chen, B. Zhao, Y.A. Chen, J. Schmiedmayer, J.W. Pan, Phys. Rev. A 76 (2007) 022329.