Secure and Efficient Two-Party Quantum Scalar Product Protocol With Application to Privacy-Preserving Matrix Multiplication

Secure two-party scalar product (S2SP) is a promising research area within secure multiparty computation (SMC), which can solve a range of SMC problems, such as intrusion detection, data analysis, and geometric computations. However, existing quantum S2SP protocols are not efficient enough, and the complexity is usually close to exponential level. In this paper, a novel secure two-party quantum scalar product (S2QSP) protocol based on Fourier entangled states is proposed to achieve higher efficiency. Firstly, the definition of unconditional security under malicious models is given. Then, an honesty verification method called Entanglement Bondage is proposed, which is used in conjunction with the modular summation gate to resist malicious attacks. The property of Fourier entangled states is used to calculate the scalar product with polynomial complexity. The unconditional security of our protocol is proved, which guarantees the privacy of all parties. In addition, we design a privacy-preserving quantum matrix multiplication protocol based on the S2QSP protocol. By transforming matrix multiplication into a series of scalar product processes, the product of two private matrices is calculated without revealing any privacy. Finally, we show our protocol's feasibility in the IBM Qiskit simulator.


I. INTRODUCTION
Secure Multi-party Computation (SMC) enables multiple parties who do not trust each other to collaboratively compute a target function using their respective private data, while preserving the privacy of all participants. Since Yao [1] first proposed this concept in 1982, the main solutions for SMC proposed by classical cryptographers include Garbled Circuit [2], Oblivious Transfer [3], [4], [5], Secret Sharing [6], [7], [8], [9], Homomorphic Encryption [10], [11], [12], etc. However, protocols with higher generality typically exhibit greater complexity. As a result, researchers often focus on developing specialized SMC protocols tailored to specific problems. Secure Two-party Scalar Product (S2SP) is a research area that investigates how two parties can securely compute the scalar product of their respective private vectors. Many SMC problems, such as intrusion detection [13], [14], [15], data analysis [16], [17], [18], [19], and geometry computation [20], [21], [22], can be reduced to S2SP, which makes it a crucial building block for general secure computation. However, current classical S2SP schemes either exhibit high complexity or rely on the Computational Hardness Assumption for their security. Thus, there is an urgent requirement for a novel scheme that achieves both high security and computational efficiency.
In recent years, there has been a growing interest in utilizing quantum mechanisms with potential for unconditional security to achieve secure multiparty computation (SMC), which is referred to as quantum SMC (QSMC) [23], [24], [25], [26], [27]. However, existing Secure Two-party Quantum Scalar Product (S2QSP) protocols are not efficient enough. In 2012, He et al. [28] pioneered an S2QSP protocol, which requires a non-colluding third party to distribute entangled states among the two participants. Furthermore, it demands significant entanglement resources, which may exceed the required level when operating on sparse private input vectors. In 2018, Wang et al. [29] proposed a new S2QSP scheme using classical cryptography and continuous-variable clusters. Their scheme no longer needs a third party, but still needs massive redundant quantum resources and measurement operations. In 2019, Shi et al. [30] proposed a strong privacy-preserving S2QSP protocol using Grover's algorithm [31] with constant communication complexity. However, while Grover's algorithm provides a quadratic speedup, its computational complexity remains close to exponential. As a result, existing S2QSP protocols only offer unconditional security with limited improvement in computational efficiency.
Compared with S2QSP, two other QSMC problems have been studied more fully, i.e., Secure Multi-party Quantum Summation or Multiplication (SMQS or SMQM), where several parties can secretly add or multiply up their private integers. In 2013, Yang et al. [32] proposed a secret sharing scheme based on the Quantum Fourier Transform QFT. It takes advantage of a property of the d-level cat state [33], i.e., the ability to keep the sum unchanged after applying the Modular Summation Gate SUM. Based on this scheme, several SMQS protocols have been proposed [34], [35], [36], [37], [38], [39]. However, these protocols are limited to SMQS. In 2016, Shi et al. [40] provided another way. They transformed the calculation from the bit domain to the phase domain, then used the Rotation Gate ROT to perform the addition. This idea is inspired by Draper's Transform Adder [41]. Here, SMQM is implemented by using the Modular Multiplication Gate MUL. In addition, they used the Bitwise XOR Gate XOR (or CNOT gate) to construct the d-level cat state, and applied it again on return to untie the entanglement and check the honesty of the other party. Considering that the states appearing in the protocol have exceeded the category of cat states, we define them as a more generalized state called the Fourier Entangled (FE) State.
Although SMQS and SMQM protocols using FE states are efficient, they cannot be directly applied to scalar product computations due to the interference between addition and multiplication in such calculations. However, we discover the following insight: Shi et al.'s method [40] allows both addition and multiplication to be performed simultaneously without interference, as addition is performed in the phase domain and multiplication is performed in the bit domain. In this paper, we propose a novel secure quantum scalar product protocol based on this property, to achieve higher computational efficiency. To transform this idea into a sufficiently secure S2QSP protocol, we first use SUM to impose several random numbers in the bit domain to prevent the measurement attack. Moreover, we apply a bi-particle version of SUM (BSUM) to entangle all particles, so as to verify the honesty of the sender. We refer to this operation as Entanglement Bondage, and design a corresponding honesty test to check the sender's honesty. In this way, the two parties will get an almost fair position, and can resist forgery attacks without the assistance of a third party. It is worth noting that since QFT is one of the few quantum algorithms that can achieve exponential acceleration, our S2QSP scheme can calculate scalar products with the highest known efficiency, namely polynomial complexity.
Our contributions in this paper are summarized below.
1) Based on the conceptions of Leakage Degree and Negligibility, the definition of unconditional security under the malicious model is given in detail.
2) An honesty verification method called Entanglement Bondage is proposed, which is used in conjunction with the modular summation gate to resist various malicious attacks.
3) Based on the property of the Fourier Entangled state and the methods in 2), we propose an S2QSP protocol with polynomial complexity and prove its unconditional security.
4) Based on the proposed S2QSP protocol, we present a privacy-preserving matrix multiplication protocol, as an extended application of it.
5) Finally, we verify the feasibility of the proposed S2QSP protocol in the IBM Qiskit simulator.
The rest of this paper is arranged as follows. In Section II, we define the notations we used, give the quantum operations to be used, and introduce the Fourier entangled state. In Section III, we define unconditional security in the malicious model, propose the entanglement bondage, then present our protocol. We analyze our protocol in Section IV, and give an application of it in Section V. We conclude in Section VI.

A. Definitions of Notations
Table I shows the definitions of notations used.
Output's bit number and modulus Joint entropy, mutual information and conditional Privacy of Alice, Bob respectively I A , I B Leakage degree of Alice, Bob's privacy respectively

B. Quantum Operations
Taking two d-qubits as an example, the quantum gates used in this paper are as follows (where addition and multiplication are all performed mod D).
1) Quantum Fourier Transform QFT and its inverse:
2) Rotation Gate ROT(b) where b ∈ [D]:
3) Modular Summation Gate SUM(b) where b ∈ [D]:
Note that b is odd, so it is coprime with $D = 2^d$ and then has a unique multiplicative inverse $b^{-1}$ mod D.
Given two quantum systems P, Q with $l_1, l_2$ qubits respectively, and one $D = 2^d$-dim FE state is as: where We call the systems P and Q local systems. We generally consider attacks on Q, not P. The function h(x, c) is called Phase domain, correspondingly, the functions f(j, x, c), g(j, x, c) are Bit domain. The information these functions contain are called Phase-information and Bit-information respectively.
Assume an FE state 1 o , and it has the following properties:
Property 1 (Addition-Multiplication Independence). If using $ROT(b_1)$ on $Q_1$, it will be attached a phase factor $\omega^{j a_1 b_1}$. If using $ROT(b_2)$ on $Q_2$, there is a new factor $\omega^{j a_2 b_2}$. Therefore, the total phase is $\omega^{j(a_1 b_1 + a_2 b_2)}$.
Property 2 (Addend's Disappearance). Apply SUM(c) on $Q_1$, then apply ROT(b) on $|j a_1 + c\rangle_{Q_1}$. Since the global phase factor $\omega^{bc}$ does not affect any measurement results [42], it can be omitted, i.e., the addend c does not affect the phase.
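The following added example (not the authors' Qiskit circuit) simulates Properties 1 and 2 on a plain state vector and also checks the claim, proved later as Lemma 1, that the local system Q alone carries no phase-information. It assumes the FE state has the form $\frac{1}{\sqrt{D}}\sum_j |j\rangle_h |j a_1\rangle_{Q_1} |j a_2\rangle_{Q_2}$ and uses the gate actions ROT(b): |a⟩ → ω^{ab}|a⟩ and SUM(c): |a⟩ → |a + c⟩; the helper `untie` is hypothetical and stands in for the un-entangling step done by the party who knows $a_1, a_2, c$.

```python
import cmath
from math import sqrt

d = 4                       # the page's experiment uses m = 2, so d = m + 2 = 4
D = 2 ** d
OMEGA = cmath.exp(2j * cmath.pi / D)

# A state is a dict {(h, q1, q2): amplitude} over three d-qubit registers.

def fe_state(a1, a2):
    """Assumed FE state: D^(-1/2) * sum_j |j>_h |j*a1>_Q1 |j*a2>_Q2 (mod D)."""
    return {(j, j * a1 % D, j * a2 % D): 1 / sqrt(D) for j in range(D)}

def rot(state, reg, b):
    """ROT(b) on register reg: |a> -> omega^(a*b) |a>."""
    return {k: v * OMEGA ** (k[reg] * b % D) for k, v in state.items()}

def sum_gate(state, reg, c):
    """SUM(c) on register reg: |a> -> |a + c mod D>."""
    out = {}
    for k, v in state.items():
        moved = list(k)
        moved[reg] = (k[reg] + c) % D
        out[tuple(moved)] = v
    return out

def untie(state, a1, a2, c):
    """Hypothetical un-entangling step: controlled on h = j, subtract
    j*a1 + c from Q1 and j*a2 from Q2, returning both registers to |0>."""
    return {(j, (q1 - c - j * a1) % D, (q2 - j * a2) % D): v
            for (j, q1, q2), v in state.items()}

def inverse_qft_h(state):
    """QFT-dagger on h: |j> -> D^(-1/2) * sum_k omega^(-j*k) |k>."""
    out = {}
    for (j, q1, q2), v in state.items():
        for k in range(D):
            key = (k, q1, q2)
            out[key] = out.get(key, 0) + v * OMEGA ** (-j * k % D) / sqrt(D)
    return out

def h_distribution(state):
    """Probability of each measurement outcome on register h."""
    probs = [0.0] * D
    for (h, _, _), v in state.items():
        probs[h] += abs(v) ** 2
    return probs

def reduced_q(state):
    """Partial trace over h: density operator of the local system (Q1, Q2)."""
    rho = {}
    for (h, q1, q2), v in state.items():
        for (h2, r1, r2), w in state.items():
            if h == h2:
                key = ((q1, q2), (r1, r2))
                rho[key] = rho.get(key, 0) + v * w.conjugate()
    return {k: complex(round(z.real, 9), round(z.imag, 9)) for k, z in rho.items()}

def phase_readout(a1, a2, b1, b2, c, untie_q=True):
    """SUM(c) and ROT(b1) on Q1, ROT(b2) on Q2, then read the phase from h.
    Returns (most likely h outcome, its probability, reduced state of Q)."""
    s = sum_gate(fe_state(a1, a2), 1, c)    # bit domain: |j*a1 + c>
    s = rot(rot(s, 1, b1), 2, b2)           # phase domain: omega^(j(a1b1+a2b2)) * omega^(b1*c)
    q_view = reduced_q(s)                   # what a holder of Q alone can access
    if untie_q:
        s = untie(s, a1, a2, c)
    probs = h_distribution(inverse_qft_h(s))
    best = max(range(D), key=probs.__getitem__)
    return best, probs[best], q_view

if __name__ == "__main__":
    print(phase_readout(3, 5, 7, 2, 11)[:2])                  # untied: a1*b1 + a2*b2 mod D
    print(phase_readout(3, 5, 7, 2, 11, untie_q=False)[1])    # still entangled: uniform
```

With the Q registers still entangled the readout on h is uniform, which is why the phase can only be recovered by the party able to undo the bit-domain operations.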

III. PROPOSED PROTOCOL
In this section, we first define the unconditional security under the malicious model, then briefly introduce the Entanglement Bondage we will use in the protocol. We provide the specific protocol process at the end.
A. Unconditional Security under the Malicious Model
Definition 2 (Malicious adversary model). In this model, attacks other than a) forging input, b) not participating in the protocol, and c) terminating the protocol halfway should all be defended against or detected.
In addition, the following assumptions are also made to simplify the analysis:
1) Malicious adversaries do not input, but only steal, since the information they input will interfere with their attack.
2) Malicious adversaries aim to obtain information, not just destroy. We mainly ensure the privacy of valid information.
3) If either party is malicious, the other is not, since a protocol executed between malicious participants is meaningless.
Considering the particularity of quantum protocols, we use information theory language to define unconditional security under this model. Assume that in a two-party protocol Π, there is an honest party HP and a malicious party MP respectively. Denote the privacy of HP by a random variable X, with a Shannon entropy $H(X) = m_X$. Denote the expected result MP should get as F. Then
Definition 3 (Leakage Degree). Under an attack AT, the view obtained by MP is a random variable Z. Mutual information I = H(Z : X) measures the information increment to X when Z is known. We stipulate that if attack AT is detected by HP, H(Z : X) = 0, since the attack has failed. If MP cannot get F after its attack, then the leakage degree of X is defined as H(Z : X); otherwise, it equals the conditional mutual information [43] H(Z : X|F), which measures how much information MP will obtain other than F.
Definition 4 (Negligibility). A function $\mu(m_X) : \mathbb{N} \to [0, 1]$ is said to be negligible, if there is no positive polynomial $poly(m_X)$ about $m_X$ so that $\mu(m_X) = \Omega(1/poly(m_X))$.
Definition 5 (Unconditional Security under the Malicious Model). Protocol Π is said to have unconditional security under the malicious model, if in one run of Π, the leakage degree of any party's privacy is negligible under all known malicious attacks.

B. Entanglement Bondage
Assume that in a quantum protocol, MP should send several particles $t_1, t_2, g$ to HP, which are FE-entangled as where o . This process is called Entanglement Bondage. If MP is dishonest, then this step will entangle the three particles. Under the entanglement, MP cannot steal information without being detected.
After the above steps, HP can perform an honesty test as follows. HP sends $k_1, k_2, k_3$ to MP, and MP will return an answer $r = (k_1 + k_2 a_1 + k_3 a_2)^{-1}$, since the sum of any three odd numbers is also odd. HP applies MUL(r) on g, then braj( . HP can verify the correctness of the state prepared by MP by measuring g. If g is in state |0⟩, then MP passes; otherwise, MP's cheating is detected. This process is actually a zero-knowledge proof, through which HP can verify whether MP really prepared the correct quantum state as promised, without measuring the state itself. The effectiveness of this mechanism can be seen in Section IV-B.

C. Specific Protocol Process
Definition 6 (Secure Two-party Scalar Product (S2SP)). Alice and Bob each have an n-dim vector A secure protocol should meet the following requirements:
• Alice's Privacy: Bob learns no information about x.
• Bob's Privacy: Alice learns no information about y, v other than u = x • y + v mod N.

1) Preparation Stage
Step 1 Alice and Bob set d = m + 2 and $D = 2^d$.
Step 2 Alice assigns

2) Operation Stage
For each $i = 1, 2, \cdots, n$, do the following steps (all arithmetic operations are performed mod D here):
Step 1 (Alice's Inputting) Alice prepares o randomly, then does the following: Now the particles $h, t_1, t_2, g$ are in an FE state. Alice then sends $t_1, t_2, g$ to Bob.
Step 2 (Entanglement Bondage) o randomly, then does the following: where
Step 3 (Bob's Inputting) Bob does the following: where $M_i = s_i + p_i q_i$. We can omit the global phase ω and measures g. Alice passes only if he gets $|0\rangle_g$. If the test is passed, then Bob returns $t_1, t_2$ to Alice.
Step 5 (Bob's Honesty Test A) Alice now verifies Bob's honesty as follows: and measures h to obtain the result $M_i = s_i + p_i q_i$. The quantum circuit of all the steps is shown in figure 1.

3) Output Stage
Alice calculates as
where

B. Security
Since all the interactions occur in Operation stage, an attacker may try the following possible attacks.

1) Measurement Attack
Measurement attack is to directly perform a local general measurement on the attacker's own particles. "General quantum measurement" is equivalent to a combination of introducing auxiliary systems, performing unitary operations and projective measurements [42].

2) Entangle-measure Attack
After receiving a particle t, the attacker can prepare an auxiliary particle e and perform a unitary operation where η is the probability that |j⟩ t is not changed.Then he sends t back, and monitors its movement by measuring e.

3) Forgery Attack
Forgery attack is to send a particle in a forged rather than correct state to steal information, as a type of malicious attack.

4) Intercept-Resend Attack
Similar to forgery attack, intercept-resend attack means to obtain information from a particle after receiving it, and then return a forged particle back.

5) False Verification Information Attack
This attack may occur in Step 4 of Operation stage, which means to send fake verification information, such as $k_1, k_2, k_3$ and $r_3, r_4$.

6) External Attack
External attack means that any eavesdropper Eve wants to steal Alice or Bob's privacy.

7) Semi-honest attack
If the attacker is semi-honest, it may try to deduce information other than the expected result it should get, from all the values it can obtain during the protocol.
We have the following theorem.
Theorem 1. Protocol 1 holds unconditional security under the malicious model, i.e., it can resist the above attacks.
Proof:
1) Measurement Attack
First, we give the following Lemma 1. It is proved in Appendix A-A, relying on the use of partial trace trP (•).
Lemma 1 (Security of Phase-information).Under the entanglement of an FE state as Definition 1, any attacker who only owns local system Q cannot extract the phase-information.
• Alice's Privacy: Denote XA = xi. To steal the largest information, Bob can wait for r3, r4, then measure t1, t2, g. For the leakage degree of Alice's privacy IA = H(ZB : XA), we have the following Lemma 2. Its proof relies on the Holevo bound [44], see Appendix A-B for details.
Lemma 2 (Security of Bit-information). Under the measurement attack, IA = 0, i.e., Bob cannot obtain any valid information about XA. Besides, this effect cannot be achieved without particle g.
• Bob's Privacy: Denote XB = (yi, vi). Until Step 5, Bob owns a local system (t1, t2, g) of the FE state. By Lemma 1, Alice cannot obtain any information about qi, si, because they are all on the phase, i.e., the leakage degree of Bob's privacy IA = H(ZA : XB) = 0.

2) Entangle-measure Attack
• Alice's Privacy: Denote XA = xi. After Bob resends, it is possible to obtain information by measuring only in Step 6, since only now Alice carries on operations. Because Alice performs an honesty test on the sent particles t1, t2 in Step 5, if they are no longer in their original states, the attack will be detected. Therefore, ηj should be set to 1, i.e., Uε : Assume that Bob owns all particles t1, t2, g, e to steal the largest information, and performs Uε. Note that the Holevo bound of Bob's particle now equals that in the measurement attack, i.e., H(ZB : XA) = 0 (see the proof of Lemma 2), because Uε is a local quantum operation and does not increase the Holevo bound (Chapter 12 Problem 12.1 of Ref. [42]). If he returns any particle, he cannot steal more, since discarding quantum systems is also a kind of quantum operation and does not increase the Holevo bound. Any of Alice's operations in Step 6 are equivalent to local quantum measurement, which doesn't affect Bob's measurement results by the principle of implicit measurement (Chapter 4.4 of Ref. [42]). Therefore, it also does not increase the Holevo bound of Bob's particles. In this way, we can immediately deduce that IA = 0, consistent with the measurement attack.
• Bob's Privacy: Alice cannot perform entangle-measure attacks, since she may only send particles once.

3) Forgery Attack
• Alice's Privacy: Since Alice won't return the particles sent by Bob, Bob cannot perform forgery attacks.
• Bob's Privacy: Denote XB = (yi, vi). Since Bob's information only exists on the phase domain, the only known way to obtain it is to use QFT†. By Lemma 1, it is impossible to obtain phase-information under entanglement, then particles t1, t2 must be non-entangled. Accordingly, we have the following Lemma 3. We prove it by using the Holevo bound [44] in Appendix A-C.

Lemma 3 (Security under Forgery Attack). Due to the entanglement bondage in Step 2 and the test in Step 4, the leakage degree of Bob's privacy under the forgery attack is IB < 8 . This bound will soon approach 0 as d increases.

4) Intercept-Resend Attack
• Alice's Privacy: If Bob sends any forged particle back in Step 4, then as in the measurement attack, the leakage degree of Alice's privacy IA = 0.
• Bob's Privacy: Similar to forgery attacks, it is impossible for Alice to perform this attack.

5) False Verification Information Attack
• Alice's Privacy: If Bob did not send the correct k1, k2, k3, we have IA = 0, just like the measurement attack.

6) External Attack
According to the analysis above, if Eve intercepts the particles sent by Alice to Bob, obviously she will get nothing. Similarly, if she intercepts the particles returned by Bob to Alice, she cannot get Bob's privacy.

7) Semi-honest Attack
• Alice's Privacy: If Bob is semi-honest, then all he can learn are r3, r4. He won't obtain any information, as in the measurement attack.
• Bob's Privacy: Denote XB = (y, v). If Alice is semi-honest, all she can learn are Mi ≡ piqi + si ≡ 4xiyi + 4vi (mod D). She may try to learn any information other than $u = \sum_{i=1}^{n} x_i y_i + v \bmod N$. We have the following Lemma 4, and prove it in Appendix A-D, by directly calculating the Shannon entropy.
Lemma 4 (Security under Semi-honest Attack). Even if Alice knows all Mi, the leakage degree of Bob's privacy IB = 0.
In total, Protocol 1 has unconditional security under the malicious model.□

C. Performance
We take the basic 1-, 2- and 3-qubit quantum gates as the measurement unit of computational complexity, such as Hadamard Gate We use m, n to represent the bit number and dimension of input vectors respectively. See Table II for the comparison between our protocol and the previous. In Ref. [28], O 4 m n log 2 n entanglements should have been prepared and sent. In Ref. [29], for real vectors x, y, ⟨x|y⟩ was evaluated with accuracy ϵ. Its computational and communication complexity are $O(n\epsilon^{-2})$ and $O(2\epsilon^{-2} + n^2)$ respectively. Let $|x|, |y| = \Theta(2^m)$, then $\epsilon = \Theta(2^{-2m})$ is needed for the error of x•y to be less than 1. Grover's algorithm was used in Ref. [30], with complexity $O(\sqrt{2^m})$. It can be seen that our protocol is polynomial in terms of computational and communication complexity, while the previous protocols have at least one complexity close to exponential. In addition, our protocol does not require a third party. The above proves its advantages.

D. Experiment
We verify the correctness and the feasibility of our protocol by circuit simulation experiments in the IBM Qiskit simulator (Qiskit-0.41.0; Python-3.7; OS-Windows). Without loss of generality, let's set m = 2 (i.e., d = 4). The circuits of all quantum gates we used are described in figure 2. Because the complexity of classical simulation is sensitive to the number of qubits, we use Draper's adder [41], as shown in figure 2c and 2e. It requires no auxiliary qubits, but has higher complexity $O(d^2)$.
Besides, we design a special circuit for modular multiplication on [D] as shown in figure 2d to further reduce qubits. See Appendix B-B for details of this design. Finally, we omit the measurement of particles $t_1, t_2, g$ and only focus on the output results on particle h. The total circuit of Protocol 1 is shown in figure 3. We execute the experiment two times. Table III shows the first input and output, with the selection of the intermediate parameters Similarly, table IV describes the second experiment. Each quantum program for i = 1, 2, 3, 4 is executed 1000 times, and figure 4 shows the results. It can be seen that our protocol can be run successfully with 100% probability, so it is correct and feasible.

V. APPLICATION
In this section, we present an application of Protocol 1, i.e., a Privacy-preserving Two-party Matrix Multiplication (P2MM) protocol. This problem has been extensively studied in classical SMC. The complex matrix computation is mainly realized by generating product triples, among which cryptographic techniques such as oblivious transfer [45], [46], homomorphic encryption [47], [48], [49] and so on are widely used. We point out that since we have implemented a highly efficient two-party scalar product protocol, we no longer need to perform these computationally expensive processes. To our knowledge, this is the first quantum solution to solve this problem.

A. Proposed P2MM Protocol
Firstly, we provide a precise definition of the problem.
Definition 7 (Privacy-preserving Two-party Matrix Multiplication (P2MM)). Alice and Bob have two k × n matrix and $B = (b_{ij})_{k \times n}$, respectively, where [N] is a random matrix known only by Bob. Neither Alice nor Bob can get more information. Here we omit "mod N".
The main scheme for calculating the matrix product of two participants is as follows: By using the formula of matrix multiplication, the calculation of k × n matrices is transformed into kn vector scalar product processes, which are solved using our proposed S2QSP protocol.

Protocol 2. Privacy-preserving Two-party Quantum Matrix Multiplication Protocol (P2QMMP).
For each 1 ≤ i ≤ k, 1 ≤ j ≤ n, Alice and Bob do the following steps:
Step 1 Alice separately extracts the i-th n-dimensional row vector of matrix A, i.e., as her input vector.
Step 2 Similarly, Bob separately extracts the j-th n-dimensional column vector of matrix B, i.e., Then he takes out the element $v_{ij}$ in the i-th row and j-th column of matrix V. The vector $y_j$ and integer $v_{ij}$ are his inputs.
Step 3 Now the two vectors $x_i$, $y_j$, and the random integer $v_{ij}$ are valid inputs of Protocol 1. Alice and Bob execute Protocol 1, where parameters N, m and n are all set to the same as here.
Step 4 After all the steps of Protocol 1 are completed, Alice can obtain a corresponding result After executing m × n times the above steps, Alice now has m × n integers $Output_{ij}$, for 1 ≤ i ≤ k, 1 ≤ j ≤ n. She now assembles the result matrix by these integers as

B. Protocol Analysis
1) Correctness
2) Security
Theorem 2. Protocol 2 has unconditional security under the malicious model.

VI. CONCLUSION
In this paper, we propose a secure and efficient two-party quantum scalar product protocol, where several special properties of Fourier entangled states are used for calculation and security. Our protocol does not require any third parties, and has unconditional security under the malicious adversary model. It has polynomial level computational and communication complexity, which is more efficient than the state-of-the-art protocols. Furthermore, based on the proposed S2QSP protocol, we present a privacy-preserving matrix multiplication protocol as its extended application. However, because our protocol involves high-dimensional entangled states, it will be relatively fragile under noise. The transmission error may be reduced by high-dimensional error correction code. Besides, there is a future research direction on how to extend the protocol to the multi-party scenario, which can achieve a wider application.

DECLARATIONS
• Conflict of interest The authors declare that they have no conflict of interest.
• Ethical statement Articles do not rely on clinical trials.
• Data availability Data sharing is not applicable to this article as no datasets were generated or analysed during the current study.

APPENDIX A
PROOF OF LEMMAS
A. Proof of Lemma 1
Let's assume that there is an attacker who does not know the values of X, C. He may perform any type of measurement on local system Q to obtain a measure result Z. First, we calculate the global density operator as Remember $\langle f(j', x, c)|f(j, x, c)\rangle = \delta_{j'j}$. Then In this formula functions h(x, c), f(j, x, c) disappear. Thus the attacker cannot obtain any phase-information. □

B. Proof of Lemma 2
We first deduce a general upper bound of information disclosure. Follow Definition 1 and Lemma 1, then we have
Proposition 1 (Upper Bound of Information Disclosure). Under the attack described in Section A-A, where Remember that g : Then we can get its Von Neumann entropy where b∈ Similarly, its entropy is where b∈ By the Holevo bound [44]. □
Now we can prove Lemma 2.

Proof of Lemma 2:
For convenience, we take the classical information $r_3 = r_1^{-1}$, $r_4 = c_1 - r_2 r_3$ as quantum information $|r_3\rangle_{e_1} |r_4\rangle_{e_2}$. Denote c = (c1, c2, c3, c4). Now Bob owns system Q = (t1, t2, g, e1, e2), and we have a function Take c1, c2, c3, c4 as unknowns. We have its augmented matrix as It can be Gaussian eliminated to In order for the equation system to have a solution, there must be 40) is satisfied, then the general solution of (36) is We have we can uniquely identify a solution of c as above. Therefore, if b ∈ Im(gB), then Therefore, we prove that IA = H(ZB : XA) = 0, i.e., no information about xi can be stolen. On the other hand, if particle g is not involved, i.e., c3 = c4 = 0, then Bob has k1 + pik2 = r is:
Proof: where k is an integer. If d3 = d, then w3 = 1, and If d2 = d3 − d1, we need i.e., 1 No matter how much $w_1^{-1} w_3$ equals, we can assume that where l is an integer. Then, we can deduce that Note that there are half odd integers in In total, we prove this proposition. □
Now we can prove Lemma 3.

Proof of Lemma 3:
There are three possible cases: a) Using t1 to steal si and t2 to steal qi simultaneously.
Assume that Alice prepares 1 For convenience, we set h, g in |0⟩, since they are used to protect herself, not Bob. In Step 2 of Operation stage, the state will be Now t1, t2, g are entangled. In Step 4 of Operation stage, no matter what values of r3, r4 she sends, the total state will be Now Bob will measure g. For each j ∈ [D], we have Thus, he will find Alice's attack easily, with probability $1 - \frac{1}{D}$.
b) Using t1 to steal si only.
Similarly, Alice prepares and in Step 4 of Operation stage, it will be When Bob measures g, he will get Bob can find the cheating with probability $1 - \frac{|S_J|}{D}$, and ignore it with If he ignores, the state of t1 will be t1 will return to Alice in Step 5 of Operation stage. Now the density operator is Otherwise, i.e., if j ∈ SJ then j + D/2 mod D ∈ SJ. Now we can calculate the eigenvalue of ρ. By (57), we have i.e., ρ has If Alice measures t1 to obtain any result ZA, then Since the probability she passes Bob's honesty test is $\frac{|S_J|}{D}$, then the leakage degree of Bob's privacy, i.e., the average information Alice obtains is Now by (65), we have
c) Using t2 to steal qi only.
This case is almost identical to b). We can calculate the total density operator $\rho = \sum_{y_i \in [N]} \frac{1}{N} \rho_y$, and find that the upper bound in this case equals the one in b) if 1 − k2r3 ̸≡ 0 (mod D), because if j − j′ ≡ odd (mod D), then j, j′ cannot satisfy j(1 − k2r3) ≡ r4 (mod D) at the same time. In this case, we have D , we can deduce a new upper bound d, since at most d bits of classical information can be extracted from the d-qubit state [42]. Considering the probability $\frac{1}{2^{d-1}}$, the average upper bound is In total, the leakage degree of Bob's privacy is IB = O d 2 2 d , where the asymptotic coefficient is $\frac{1}{2}$. □
Since u is a function of XB (and M, since Alice can calculate u only with M), we have H(XB : u) = H(u), H(u|XB) = 0 and H(M, u) = H(M) (Theorem 11.3 of Ref. [42]). By the chaining rule for conditional entropies (Theorem 11.4 of Ref. [42]), Generally, it requires an auxiliary qubit as a carrier.
4) To realize MUL, introduce an auxiliary register $|0\rangle_t$, then where k is integer. Note that a c1si+c2qi .
Step 4 (Alice's Honesty Test) Bob now verifies Alice's honesty as follows:
a) (Question) Bob tells Alice the values of $k_1, k_2, k_3$.
b) (Answer) Alice calculates $r_3 = r_1^{-1}$ and $r_4 = c_1 - r_2 r_3$, then tells Bob the values of $r_3, r_4$.
c) (Verification) Bob does the following:
CNOT: $|a\rangle |b\rangle \to |a\rangle |b \oplus a\rangle$, Z-axis Rotation Gate P(i): $|a\rangle \to e^{\imath 2\pi \frac{2^i}{D} a} |a\rangle$ ($i \in [d]$), its controlled version CP(i): $|a\rangle |b\rangle \to e^{\imath 2\pi \frac{2^i}{D} ab} |a\rangle |b\rangle$, and Toffoli Gate T: $|a\rangle |b\rangle |c\rangle \to |a\rangle |b\rangle |c \oplus a \cdot b\rangle$, etc. In general, the complexities of the gates in Section II-B are all below $O(d^2)$ (see Appendix B-A for details). Since d = O(m), the total complexity of Protocol 1 is $O(nm^2)$. Since only 4 d-qubit particles are sent for each $i = 1, 2, \cdots, n$, the communication complexity is O(nm).

Fig. 3. The total circuit of our protocol.

TABLE III
[41]e $SUM_{h_i}$ means SUM is controlled by qubit $h_i$. We denote the above gate as $BMUL(b)_{(h,t)}$. To realize MUL, use $SWAP_{(h,t)} = XOR_{(h,t)} XOR_{(t,h)} XOR_{(h,t)}$: $|a\rangle_h |b\rangle_t \to |b\rangle_h |a\rangle_t$. Then |a⟩ .
Implementation of Quantum Gates
To save valuable qubit resources, we use Draper's Transform Adder [41] to implement SUM and BSUM. It needs no auxiliary qubits, but increases the complexity. In this method, we have $SUM(b) = QFT^\dagger\, ROT(b)\, QFT$ and $BSUM_{(h,t)} = QFT_t^\dagger\, BROT_{(h,t)}\, QFT_t$, with complexity $O(d^2)$. The gate BROT is defined as $BROT_{(h,t)}: |a\rangle_h |b\rangle_t \to \omega^{ab} |a\rangle_h |b\rangle_t$, by replacing P(i + k) bi hi with CP(i + k) (hi,ti) in ROT h [50]⟩ t BMUL(b) (h,t) → |a⟩ h |ab⟩ t BMUL(−b −1 ) (t,h) as Shor described [50]. Its complexity is $O(d^2)$.
5) Obviously, an XOR gate can be decomposed into d CNOT gates, as shown in figure 2f. Thus its complexity is O(d).
B