Secure multi-party computation plays a fundamental role in classical cryptography. Quantum homomorphic encryption (QHE) allows computation on encrypted data without decryption. At present, most protocols use a semi-honest third party (TP) to protect participants’ secrets. We use a quantum homomorphic encryption scheme instead of a TP to protect the privacy of parties. Based on quantum homomorphic encryption, a secure multi-party quantum summation scheme is proposed in which

Secure multi-party computation (SMC) means that two or more users who do not trust each other want to cooperate to complete a certain computing task without disclosing their input information in a distributed network environment. The initial SMC protocol was proposed in Yao’s millionaire problem [

Most secure multi-party computation needs to consider semi-honest parties to the protocol, but homomorphic encryption does not. Some researchers use homomorphic encryption [

However, some of the existing protocols need to perform the exclusive-OR (XOR) operation, which is too difficult to apply in practice. Motivated by the works of References [

The rest of our paper is organized as follows. In Section 2, we summarize the preliminary knowledge of quantum computation, QHE and the quantum full adder circuit. In Section 3, we propose a novel multi-party quantum summation protocol based on QHE. In Section 4, we give the security analysis of our protocol. In Section 5, we conclude the paper.

QHE is a way of delegating computation. The client sends the encrypted data to a powerful server to perform general quantum computation. As for quantum computation, the single qubit gates are Pauli operation

Also, the double-qubits gate is CNOT gate; the triple-qubits gate is Toffoli gate, where,

The CNOT gate implements the following quantum transformation

The Toffoli gate implements the following quantum transformation

To realize universal quantum computation, at least one non-Clifford gate must be included. Therefore, two different quantum gate sets that make up universal quantum computation can be obtained. The first set is {

A quantum homomorphic encryption scheme includes four algorithms [

_{evk}.

Like many QHE schemes [

According to the perfect secure QOTP and proved by Boykin et al. [

where

In the homomorphic evaluation algorithm, Clifford gate set {

It can be found that only by executing the new combination of

When the server performs the evaluation of a

In ^{a}

In this section, we describe how to construct a quantum full adder circuit based on classical binary addition. Suppose there are two unsigned binary digits, _{0}, _{1}, …, _{n}), where

Binary addition involves exclusive-OR and AND operations. In quantum circuits, CNOT and Toffoli gates perform these two operations. A full adder circuit for the two participants consists of CNOT and Toffoli gates; a two-bit quantum full adder circuit is shown in

The Toffoli gate can be decomposed into two

The detailed decomposition circuit of the Toffoli gate is the basic element to realize a two-bit quantum full adder. It transforms the realization of a three-qubit gate into a combination of single-qubit and two-qubit gates, which is to some extent easy to implement experimentally and technically.

In our protocol, the participant’s message to be encrypted is classical binary data that can be represented by horizontal and vertical polarization. The vertically polarized photon |1〉 represents one and the horizontally polarized photon |0〉 represents zero. Before transmission, all the photons are encrypted using QOTP. Note that if the message to be encrypted is classical, QOTP can be used to generate a perfectly secure ciphertext.

Suppose that there are _{1}, _{2}, …, _{n}), each holding a _{i}(_{i} with the help of the server and a trusted key center, and the communication model between them and TP is shown in _{2}(

Step 1: The key center randomly generates _{i} through a secure key distribution protocol, such as the BB84 protocol.

Step 2: If the participant’s secret information _{i} is positive or zero, the participant does not need to change the 0–1 code. Otherwise, the participant converts the 0–1 code into two’s complement. The participants then prepare the photon sequence

Step 3: To prevent eavesdropping, the participants prepare ^{i} decoy photons, each selected from {|0〉, |1〉, |+〉, |−〉}, randomly insert them into their photon sequence, and send the new photon sequence to the server.

Step 4: Once the server gets their photon sequences, the participants announce the position ^{i} and basis ^{i} of the inserted decoy photons. If the inserted decoy is |0〉 or |1〉, the measurement basis is {|0〉, |1〉}; if the inserted decoy is

Step 5: The server constructs a quantum full adder circuit, with each participant’s photon sequence as input to the circuit. In the evaluation operation, the key center updates the key based on the quantum gates performed by the server and the key update algorithm of quantum gates. After the server has performed all the quantum gates in the quantum circuit, the key center obtains the final updated

Step 6: The key center uses the decryption key to decrypt and measure all the photons in the photon sequence, and then releases the measurement results to all participants. The participants then compute the sum of their secret information from the resulting bit sequence.

In Step 5, in the homomorphic evaluation algorithm, when the server performs Clifford gates operation on ciphertext, according to the commutation rules between Clifford gate and Pauli matrices, the new intermediate keys can be obtained without any additional classical or quantum resources. Suppose the _{i}, which acts on the _{i} = _{i} ∈ {_{k}(_{k}(_{i} and key update algorithm, the calculation procedure of the (

If _{i} = _{k}(_{k}(_{k}(_{k}(

If _{i} = _{k}(_{k}(_{k}(_{k}(

If _{i} =

If _{i} =
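The claim that Clifford gates only relabel the QOTP key can be checked numerically. The following is an added example, not code from the paper: it assumes the gate set {X, Z, H, S, CNOT} and the standard Pauli-propagation rules for a pad X^a Z^b (the paper's own notation for these rules is not reproduced here), and verifies each rule against the gate matrices up to a global phase.

```python
from itertools import product

R = 2 ** -0.5
I2 = [[1, 0], [0, 1]]
X = [[0, 1], [1, 0]]
Z = [[1, 0], [0, -1]]
H = [[R, R], [R, -R]]
S = [[1, 0], [0, 1j]]
CNOT = [[1, 0, 0, 0], [0, 1, 0, 0], [0, 0, 0, 1], [0, 0, 1, 0]]  # control = first qubit

def mul(A, B):
    n = len(B)
    return [[sum(A[i][k] * B[k][j] for k in range(n)) for j in range(n)] for i in range(n)]

def kron(A, B):
    return [[a * b for a in ra for b in rb] for ra in A for rb in B]

def dag(A):
    return [[complex(A[j][i]).conjugate() for j in range(len(A))] for i in range(len(A))]

def pad(a, b):
    """One-qubit QOTP pad X^a Z^b."""
    return mul(X if a else I2, Z if b else I2)

def same_up_to_phase(A, B, tol=1e-9):
    fa, fb = [x for r in A for x in r], [x for r in B for x in r]
    i = next(k for k, x in enumerate(fa) if abs(x) > tol)
    ph = fb[i] / fa[i]
    return abs(abs(ph) - 1) < tol and all(abs(y - ph * x) < tol for x, y in zip(fa, fb))

# Assumed standard key-update rules (a, b) -> (a', b') for a pad X^a Z^b.
UPDATE = {"X": (X, lambda a, b: (a, b)), "Z": (Z, lambda a, b: (a, b)),
          "H": (H, lambda a, b: (b, a)), "S": (S, lambda a, b: (a, a ^ b))}

def check_one_qubit(name):
    """True if G (X^a Z^b) G^dagger equals X^a' Z^b' up to phase for all keys."""
    G, f = UPDATE[name]
    return all(same_up_to_phase(mul(mul(G, pad(a, b)), dag(G)), pad(*f(a, b)))
               for a, b in product((0, 1), repeat=2))

def cnot_update(a1, b1, a2, b2):
    # X keys propagate control -> target, Z keys propagate target -> control.
    return a1, b1 ^ b2, a1 ^ a2, b2

def check_cnot():
    for a1, b1, a2, b2 in product((0, 1), repeat=4):
        n1, m1, n2, m2 = cnot_update(a1, b1, a2, b2)
        lhs = mul(mul(CNOT, kron(pad(a1, b1), pad(a2, b2))), dag(CNOT))
        if not same_up_to_phase(lhs, kron(pad(n1, m1), pad(n2, m2))):
            return False
    return True
```

Because every rule is a fixed XOR of key bits, the key center can track the keys classically without seeing the ciphertext.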

Any arbitrary unitary operator can be composed of ^{y}^{d}| + 〉, with _{k}(_{k}(

In order to prevent the eavesdropping in the evaluation algorithm, the server and key center convert the classical information bits ^{′} photons which are randomly selected from four photon states, and randomly insert the photon

Two examples are given to verify that the calculation of the protocol is correct. Without loss of generality, after ignoring the eavesdropper checking and evaluating algorithm process, suppose there are three participants named _{1}, _{2}, _{3} who hold secret integers _{1}, _{2}, _{3}, respectively. We convert their secret information into binary to illustrate the correctness of our protocol.

Suppose that participants _{1}, _{2}, _{3} have positive integer information _{1} = 145, _{2} = 201, _{3} = 78, respectively. The security parameter is _{2}(3)] + 2 = 2. The 0–1 code of length _{2}(_{i})), _{1} = (1, 0, 0, 1, 0, 0, 0, 1), _{2} = (1, 1, 0, 0, 1, 0, 0, 1), _{3} = (0, 1, 0, 0, 1, 1, 1, 0). According to the security parameter

Suppose that participants _{1}, _{2} have positive integer information _{1} = 138, _{2} = 49, and _{3} have _{3} = −223. The security parameters are _{2}(3)] + 2 = 2. The 0–1 code of length _{2}(_{i})), _{1}| = (1, 0, 0, 0, 1, 0, 1, 0), |_{2}| = (0, 0, 1, 1, 0, 0, 0, 1), |_{3}| = (1, 1, 0, 1, 1, 1, 1, 1). According to the two’s complement rule and the security parameter
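The full adder built from CNOT and Toffoli gates and the two worked examples above can be reproduced with a classical simulation of the circuit on basis states. This is an added example, not code from the paper; the gate order inside `full_adder` and the 10-bit register width (8-bit codes extended by 2 bits) are assumptions made for the illustration.

```python
def cnot(reg, c, t):
    """CNOT on classical basis states: target ^= control (XOR)."""
    reg[t] ^= reg[c]

def toffoli(reg, c1, c2, t):
    """Toffoli on classical basis states: target ^= c1 AND c2."""
    reg[t] ^= reg[c1] & reg[c2]

def full_adder(a, b, cin):
    """One-bit reversible full adder using only CNOT and Toffoli."""
    reg = [a, b, cin, 0]      # wires: a, b, carry-in, ancilla for carry-out
    toffoli(reg, 0, 1, 3)     # ancilla = a AND b
    cnot(reg, 0, 1)           # b = a XOR b
    toffoli(reg, 1, 2, 3)     # ancilla ^= (a XOR b) AND cin  -> carry-out
    cnot(reg, 1, 2)           # cin = a XOR b XOR cin         -> sum bit
    return reg[2], reg[3]

def to_bits(value, width):
    """Two's-complement 0-1 code, most significant bit first."""
    return [(value >> i) & 1 for i in reversed(range(width))]

def from_bits(bits):
    v = int("".join(map(str, bits)), 2)
    return v - (1 << len(bits)) if bits[0] else v   # leading 1 means negative

def add_registers(x, y):
    """Ripple-carry addition of two equal-width codes, modulo 2^width."""
    carry, out = 0, []
    for a, b in zip(reversed(x), reversed(y)):
        s, carry = full_adder(a, b, carry)
        out.append(s)
    return out[::-1]          # final carry is discarded

def summation(values, width=10):
    """Sum the participants' integers by chaining the adder circuit."""
    total = to_bits(0, width)
    for v in values:
        total = add_registers(total, to_bits(v, width))
    return from_bits(total)

if __name__ == "__main__":
    print(summation([145, 201, 78]))    # first worked example
    print(summation([138, 49, -223]))   # second worked example
```

The extra leading bits matter: with only 8 bits, the carry out of the first example would be lost and the sign of the second could not be represented.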

In our protocol, outside attackers can attack during key distribution, ciphertext transmission and evaluation algorithm execution.

Firstly, in step 1 of our protocol, the key center and the participants use the BB84 protocol to distribute the key, which is a secure protocol from which the attacker cannot obtain the key information.

Secondly, the participants encrypt their secret information using QOTP, which is a perfectly secure encryption scheme where outside attackers cannot recover secret information from the ciphertext without knowing the encryption key. During ciphertext transmission, the outside attacker might attack the quantum channel when the participants send their encrypted photon sequence to the server in Step 3. Because the participants insert some decoys into the photon sequence, the attacker cannot distinguish decoy photons from signal photons without knowing the positions and bases of the inserted decoy photons.

Thirdly, in the evaluation algorithm, the key center needs to communicate with the server once quantum and twice classical when the server performs a

In this type of attack, the dishonest participants, server and semi-honest key center involved in the protocol try to steal secret information from other participants. In our protocol, a collusive attack by _{i} desires to know the secret information of other

Case 1: P_{i} wants to steal the secret information of other

There is no communication between dishonest participant _{i} and other honest participants in our scheme, so he cannot get any information from other participants. Even if a dishonest server cooperates with _{i} to attack other participants, _{i} cannot decrypt and measure these encrypted photon sequences without the decryption key. Hence, arbitrary dishonest _{i} cannot infer secret information about other

Case 2: The semi-honest key center and the server desire to steal the secret information of

The participant

In Step 1, the key center generates the initial key with the participants by the BB84 protocol, and it does not obtain any secret information of participants in this process.

In Step 4, the server receives the ciphertext data of the participants. Without the decryption key, it cannot decrypt and measure the secret information of the participants.

In Step 5, the key center communicates with the server to generate the intermediate key; in this process only key information is exchanged, and no secret information. The server only obtains _{k}(

In summary, we propose a secure multi-party quantum summation protocol based on quantum homomorphic encryption. In our scheme,