Cryptanalysis and improvement of several quantum private comparison protocols
本站小编 Free考研考试/2022-01-02
Zhao-Xu Ji, Pei-Ru Fan, Huan-Guo Zhang, Hou-Zhen Wang,Key Laboratory of Aerospace Information Security and Trusted Computing, Ministry of Education, School of Cyber Science and Engineering, Wuhan University, Wuhan 430072, China
Abstract Recently, Wu et al (2019 Int. J. Theor. Phys.58 1854) found a serious information leakage problem in Ye and Ji's quantum private comparison protocol (2017 Int. J. Theor. Phys.56 1517), that is, a malicious participant can steal another's secret data without being detected through an active attack means. In this paper, we show that Wu et al's active attack is also effective for several other existing protocols, including the ones proposed by Ji et al and Zha et al (2016 Commun. Theor. Phys.65 711; 2018 Int. J. Theor. Phys.57 3874). In addition, we propose what a passive attack means, which is different from Wu et al's active attack in that the malicious participant can easily steal another's secret data only by using his own secret data after finishing the protocol, instead of stealing the data by forging identities when executing the protocol. Furthermore, we find that several other existing quantum private comparison protocols also have such an information leakage problem. In response to the problem, we propose a simple solution, which is more efficient than the ones proposed by Wu et al, because it does not consume additional classical and quantum resources. Keywords:quantum information security;quantum cryptography;quantum private comparison;information leakage problem;passive attack
PDF (240KB)MetadataMetricsRelated articlesExportEndNote|Ris|BibtexFavorite Cite this article Zhao-Xu Ji, Pei-Ru Fan, Huan-Guo Zhang, Hou-Zhen Wang. Cryptanalysis and improvement of several quantum private comparison protocols. Communications in Theoretical Physics, 2020, 72(8): 085101- doi:10.1088/1572-9494/ab8a0c
1. Introduction
Quantum cryptography is a wide concern because of its unconditional security [1–3]. A main difference between quantum cryptography and classical cryptography is that the security of the former is based on some principles of quantum mechanics, while the latter is based on some assumptions of computational complexity. quantum cryptography enables users to detect whether there is an eavesdropper in quantum channels during communications, which cannot be done by classical cryptography [2, 3]. With the rapid development of quantum computers and quantum algorithms, the security of classical cryptography has been severely challenged, which makes the role of quantum cryptography in modern cryptography more and more important [2, 3].
Since the birth of quantum cryptography, quantum key distribution (QKD) has been one of the main research directions in the quantum cryptography domain [2]. Indeed, the first quantum cryptography protocol is the QKD protocol proposed by Bennett et al in 1984, which is known as BB84 protocol. QKD aims to generate random shared keys between different users; combined with one-time pad encryption, it can provide unconditional security for users. Moreover, the decoy photon technology derived from QKD has become one of the effective means for eavesdropping checking [4–6].
Quantum private comparison (QPC), originated from the famous ‘millionaires' problem' [5–7], aims to judge whether the date of at least two users who do not trust each other are the same or not while maintaining data privacy using some quantum mechanics laws. The comparison of the equality of data is widely used in real life, including secret bidding and auctions, secret ballot elections, e-commerce, and data mining [2]. One of the common applications is the identification of a system for users, which aims to judge whether the users' secret information (e.g., password and fingerprint) is the same as that stored in the system. QPC can also solve the ‘Tiercé problem', which is also known as the ‘socialist millionaires' problem' [8].
After about ten years of development, QPC has attracted extensive attention in academia. Many protocols have been proposed based on different quantum states or different quantum technologies [12, 9–11, 13–35]. Unfortunately, information leakage often occurs; many existing QPC protocols have been proved to be insecure [42, 36–41]. Recently, Wu et al [42] pointed out that there is a serious information leakage problem in Ye et al's QPC protocol [43]; they showed that a malicious participant in the protocol can steal another's secret information through an active attack means. To solve this problem, they put forward two solutions: one is to use a QKD protocol to establish two new key sequences, and use hash functions to complete a mutual authentication process; the other is to use a QKD protocol to establish a new key sequence and adopt unitary-operation-based symmetric encryption technology. Although the two solutions ensure the security, they both greatly reduce the efficiency of the protocol. On the one hand, both of the solutions use QKD to prepare additional keys, which obviously increases resource consumption. On the other hand, the hash functions and unitary operations need additional quantum devices and technologies, which greatly reduces the feasibility of the protocol. After all, Ye et al's protocol does not use any other quantum technology except for the necessary ones such as preparing quantum states and quantum measurement.
In this paper, we will show that the active attack means proposed by Wu et al is also effective for the protocols presented in [44, 46, 45]. That is, these protocols are insecure under the attack. However, we will propose a passive attack means to show that a malicious participant can easily steal another's secret data without using Wu et al's active attack means. Specifically, after the end of the protocol, the malicious participant can steal another's secret data only by using his own secret data. Moreover, we will point out that the passive attack is effective not only for the protocols presented in [43, 44, 46, 45], but also for the protocols presented in [47, 48]. Finally, we will propose a simple and effective solution to the information leakage problem. The rest of the paper is arranged as follows: in section 2, we review briefly the protocol proposed by Ji and Ye [44]. In section 3, we first take Ji and Ye's protocol as an example to show that Wu et al's active attack is also effective to the protocols presented in [44, 46, 45], and then we describe our passive attack means. Section 4 introduces our solution to the information leakage problem. Section 5 summarizes this paper.
2. Review on Ji and Ye's protocol
Let us review the QPC protocol proposed by Ji and Ye [44]. Their protocol uses the highly entangled six-qubit genuine state as information carriers, whose form is given by $ \begin{aligned}|\Upsilon\rangle=& \frac{1}{\sqrt{32}}[|000000\rangle+|111111\rangle+|000011\rangle\\&+|111100\rangle+|000101\rangle+|111010\rangle \\&+|000110\rangle+|111001\rangle+|001001\rangle \\&+|110110\rangle+|001111\rangle+|110000\rangle \\&+|010001\rangle+|101110\rangle+|010010\rangle \\&+|101101\rangle+|011000\rangle+|100111\rangle \\&+|011101\rangle+|100010\rangle-(|010100\rangle\\&+|101011\rangle+|010111\rangle+|101000\rangle \\&+|011011\rangle+|100100\rangle+|001010\rangle \\&+|110101\rangle+|001100\rangle+|110011\rangle \\&+|011110\rangle+|100001\rangle)]\end{aligned}$which is rewritten as $ \begin{eqnarray}\begin{array}{rcl}\left|{\rm{\Upsilon }}\right\rangle & = & \displaystyle \frac{1}{4}\left[\left(\left|0000\right\rangle -\left|0101\right\rangle -\left|1010\right\rangle +\left|1111\right\rangle \right)\otimes \left|{\phi }^{+}\right\rangle \right.\\ & & +\left(\left|0001\right\rangle +\left|0100\right\rangle +\left|1011\right\rangle +\left|1110\right\rangle \right)\otimes \left|{\psi }^{+}\right\rangle \\ & & +\left(\left|0110\right\rangle -\left|0011\right\rangle -\left|1001\right\rangle +\left|1100\right\rangle \right)\otimes \left|{\phi }^{-}\right\rangle \\ & & \left.+\left(\left|0010\right\rangle +\left|0111\right\rangle -\left|1000\right\rangle -\left|1101\right\rangle \right)\otimes \left|{\psi }^{-}\right\rangle \right],\end{array}\end{eqnarray}$where$ \begin{eqnarray}\left|{\phi }^{\pm }\right\rangle =\displaystyle \frac{1}{\sqrt{2}}\left(\left|00\right\rangle \pm \left|11\right\rangle \right),\quad \left|{\psi }^{\pm }\right\rangle =\displaystyle \frac{1}{\sqrt{2}}\left(\left|01\right\rangle \pm \left|10\right\rangle \right),\end{eqnarray}$are four Bell states.
The prerequisites of the protocol are:1. Suppose that Alice and Bob have the secret data X and Y respectively, and that the binary representations of X and Y are $\left({x}_{1},{x}_{2},\ldots ,{x}_{N}\right)$ and $\left({y}_{1},{y}_{2},\ldots ,{y}_{N}\right)$ respectively, where ${x}_{j},{y}_{j}$ ∈$\{0,1\}\forall j\in \{1,2,\ldots ,N\}$, hence $X\,={\sum }_{j=1}^{N}{x}_{j}{2}^{j-1}$, $Y={\sum }_{j=1}^{N}{y}_{j}{2}^{j-1}$. 2. Alice(Bob) divides the binary representation of X(Y) into $\lceil N/2\rceil $ groups:$ \begin{eqnarray}{G}_{A}^{1},{G}_{A}^{2},\ldots ,{G}_{A}^{\lceil \tfrac{N}{2}\rceil }({G}_{B}^{1},{G}_{B}^{2},\ldots ,{G}_{B}^{\lceil \tfrac{N}{2}\rceil }).\end{eqnarray}$Each group ${G}_{A}^{i}({G}_{B}^{i})$ includes two bits, where $i=1,2,\ldots ,\lceil N/2\rceil $ throughout this protocol. If N mod 2=1, Alice (Bob) adds one 0 into the last group ${G}_{A}^{\lceil N/2\rceil }({G}_{B}^{\lceil N/2\rceil })$. 3. Alice and Bob generate the shared key sequences $\{{K}_{A}^{1},{K}_{A}^{2},\ldots ,{K}_{A}^{\lceil N/2\rceil }\}$ and $\{{K}_{B}^{1},{K}_{B}^{2},\ldots ,{K}_{B}^{\lceil N/2\rceil }\}$ through a QKD protocol, where ${K}_{A}^{i}$, ${K}_{B}^{i}\in \{00,01,10,11\}$. Similarly, Alice(Bob) and TP generate the shared key sequence $\{{K}_{{AC}}^{1},{K}_{{AC}}^{2},\ldots ,{K}_{{AC}}^{\lceil N/2\rceil }\}$ ($\{{K}_{{BC}}^{1},{K}_{{BC}}^{2},\ldots ,{K}_{{BC}}^{\lceil N/2\rceil }\}$), where ${K}_{{AC}}^{i},{K}_{{BC}}^{i}\in \{00,01,10,11\}$. 4. Alice, Bob and TP agree on the following coding rules: $\left|0\right\rangle \leftrightarrow 0,\left|1\right\rangle \leftrightarrow 1,\left|{\phi }^{+}\right\rangle \leftrightarrow 00,\left|{\phi }^{-}\right\rangle \leftrightarrow 11,\left|{\psi }^{+}\right\rangle \leftrightarrow 01$, and $\left|{\psi }^{-}\right\rangle \leftrightarrow 10$.
The steps of the protocol are as follows:1. TP prepares $\lceil N/2\rceil $ copies of the highly entangled six-qubit genuine state $\left|{\rm{\Upsilon }}\right\rangle $, and marks them by$ \begin{eqnarray}\begin{array}{l}\left|{\rm{\Upsilon }}({p}_{1}^{1},{p}_{1}^{2},{p}_{1}^{3},{p}_{1}^{4},{p}_{1}^{5},{p}_{1}^{6})\right\rangle ,\\ \left|{\rm{\Upsilon }}({p}_{2}^{1},{p}_{2}^{2},{p}_{2}^{3},{p}_{2}^{4},{p}_{2}^{5},{p}_{2}^{6})\right\rangle ,\ldots ,\\ \left|{\rm{\Upsilon }}({p}_{\lceil N/2\rceil }^{1},{p}_{\lceil N/2\rceil }^{2},{p}_{\lceil N/2\rceil }^{3},{p}_{\lceil N/2\rceil }^{4},{p}_{\lceil N/2\rceil }^{5},{p}_{\lceil N/2\rceil }^{6})\right\rangle ,\end{array}\end{eqnarray}$in turn to generate an ordered sequence, where the subscripts $1,2,\ldots ,\lceil N/2\rceil $ denote the order of the highly entangled six-qubit genuine states in the sequence, and the superscripts 1, 2, 3, 4, 5, 6 denote six particles in one state. Then TP takes the first two particles out from $\left|{\rm{\Upsilon }}({p}_{i}^{1},{p}_{i}^{2},{p}_{i}^{3},{p}_{i}^{4},{p}_{i}^{5},{p}_{i}^{6})\right\rangle $ to construct the new sequence$ \begin{eqnarray}{p}_{1}^{1},{p}_{1}^{2},{p}_{2}^{1},{p}_{2}^{2},\ldots ,{p}_{\lceil N/2\rceil }^{1},{p}_{\lceil N/2\rceil }^{2},\end{eqnarray}$and denotes it as SA. Similarly, he takes out the third and fourth particles to construct another new sequence$ \begin{eqnarray}{p}_{1}^{3},{p}_{1}^{4},{p}_{2}^{3},{p}_{2}^{4},\ldots ,{p}_{\lceil N/2\rceil }^{3},{p}_{\lceil N/2\rceil }^{4},\end{eqnarray}$and denotes it as SB. The remaining particles construct another new sequence$ \begin{eqnarray}{p}_{1}^{5},{p}_{1}^{6},{p}_{2}^{5},{p}_{2}^{6},\ldots ,{p}_{\lceil N/2\rceil }^{5},{p}_{\lceil N/2\rceil }^{6},\end{eqnarray}$denoted as SC. 2. TP prepares two sets of decoy photons in which each decoy photon is chosen randomly from the single-particle states $\left|0\right\rangle ,\left|1\right\rangle ,\left|+\right\rangle ,\left|-\right\rangle $, where $\left|\pm \right\rangle $ = $1/\sqrt{2}\left(\left|0\right\rangle \pm \left|1\right\rangle \right)$. Then he inserts randomly the two sets of decoy photons into SA and SB, respectively, and records the insertion positions. Finally, he denotes the two new generated sequences as ${S}_{A}^{* }$ and ${S}_{B}^{* }$, and sends them to Alice and Bob, respectively. 3. After receiving ${S}_{A}^{* }$ and ${S}_{B}^{* }$, TP and Alice(Bob) use the decoy photons in ${S}_{A}^{* }$ and ${S}_{B}^{* }$ to judge whether eavesdroppers exist in quantum channels. The error rate exceeding the predetermined threshold will lead to the termination and restart of the protocol, otherwise the protocol proceeds to the next step. 4. Alice(Bob) measures the two particles marked by ${p}_{i}^{1},{p}_{i}^{2}$ (${p}_{i}^{3},{p}_{i}^{4}$) in ${S}_{A}({S}_{B})$ with Z basis ($\{\left|0\right\rangle ,\left|1\right\rangle \}$), and denotes the binary numbers corresponding to the measurement results as ${M}_{A}^{i}({M}_{B}^{i})$. Then, Alice(Bob) calculates ${G}_{A}^{i}\,\oplus {M}_{A}^{i}\oplus {K}_{{AC}}^{i}\oplus {K}_{A}^{i}$ (${G}_{B}^{i}\oplus {M}_{B}^{i}\oplus {K}_{{BC}}^{i}\oplus {K}_{B}^{i}$), and marks the calculation results by ${R}_{A}^{i}({R}_{B}^{i})$. Finally, Alice(Bob) announces ${R}_{A}^{i}({R}_{B}^{i})$ to TP. 5. After receiving ${R}_{A}^{i}({R}_{B}^{i})$, TP performs Bell measurements on the particles marked by ${p}_{i}^{5},{p}_{i}^{6}$ in SC, and marks the binary numbers corresponding to the measurement results by MCi. Then, he calculates ${R}_{A}^{i}\oplus {R}_{B}^{i}\oplus {K}_{{AC}}^{i}\,\oplus {K}_{{BC}}^{i}\oplus {M}_{C}^{i}$, and marks the calculation results by Ri. Finally, he announces Ri to Alice and Bob. 6. After receiving Ri, Alice and Bob calculate ${R}_{i}\oplus {K}_{A}^{i}\,\oplus {K}_{B}^{i}$, respectively, and mark the calculation results by ${R}_{i}^{{\prime} }$. If ${R}_{i}^{{\prime} }=00$ (i.e. each classical bits in ${R}_{i}^{{\prime} }$ is 0), they conclude that their data X and Y are the same. Otherwise, they conclude that X and Y are different and stop the comparison.
3. Information leakage problem
In this section, we will show that the protocol is insecure under Wu et al's active attack means: a malicious participant can steal the secret information of another by forging identities. We will then propose a passive attack means by which the malicious participant can also steal the secret information of another.
3.1. Information leakage under Wu et al's active attack
Let us now show how a malicious participant steal another's secret information by using Wu et al's active attack. Without losing generality, we assume that Bob is malicious. He can steal Alice's secret data through the following steps:1. In the second step of Ji and Ye's protocol, when TP sends the particle sequence ${S}_{A}^{* }$ to Alice, Bob intercepts all the particles in the sequence, and then he pretends to be Alice and tells TP that he has received all the particles. 2. Bob continues to pretends to be Alice and completes eavesdropping checking with TP. Then he performs single-particle measurements on the particles marked by ${p}_{i}^{1},{p}_{i}^{2}$ in SA, and denotes the binary numbers corresponding to the measurement results as MABi. Finally, TP denotes the particle sequence after measurements as SA1. 3. Similar to the second step of Ji and Ye's protocol, Bob prepares a set of decoy photons, and then inserts them randomly into SA1. The new generated sequence is denoted as ${S}_{A}^{1* }$. Finally, Bob pretends to be TP and sends ${S}_{A}^{1* }$ to Alice. 4. After confirming that Alice has received ${S}_{A}^{1* }$, Bob continues to pretends to be TP and completes eavesdropping checking with Alice. If there is no eavesdropping, according to the protocol procedures, Alice measures each particle in SA1 with Z basis, and denotes the binary numbers corresponding to the measurement results as MAi (obviously, MAi is the same as MABi, i.e. ${M}_{A}^{i}={M}_{{AB}}^{i}$). Then she calculates ${G}_{A}^{i}\oplus {M}_{A}^{i}\oplus {K}_{{AC}}^{i}\,\oplus {K}_{A}^{i}$, and marks the calculation results by RAi. Finally, Alice announces RAi to TP. Similarly, Bob announces RBi to TP after completing measurements and calculations in accordance with the protocol procedures. 5. According to the protocol procedures, TP completes measurements, calculations, and publishes Ri to Alice and Bob. After receiving Ri, Bob can calculate$ \begin{eqnarray}\,\begin{array}{l}{R}_{i}\oplus {K}_{{BC}}^{i}\oplus {M}_{C}^{i}\oplus {R}_{B}^{i}\oplus {K}_{A}^{i}\oplus {M}_{{AB}}^{i}\\ \,=\,({R}_{A}^{i}\oplus {R}_{B}^{i}\oplus {K}_{{AC}}^{i}\oplus {K}_{{BC}}^{i}\oplus {M}_{C}^{i})\oplus {K}_{{BC}}^{i}\\ \,\oplus \ {M}_{C}^{i}\oplus {R}_{B}^{i}\oplus {K}_{A}^{i}\oplus {M}_{{AB}}^{i}\\ \,=\,{R}_{A}^{i}\oplus {K}_{{AC}}^{i}\oplus {K}_{A}^{i}\oplus {M}_{{AB}}^{i}\\ \,=\,({G}_{A}^{i}\oplus {M}_{A}^{i}\oplus {K}_{{AC}}^{i}\oplus {K}_{A}^{i})\oplus {K}_{{AC}}^{i}\oplus {K}_{A}^{i}\oplus {M}_{{AB}}^{i}={G}_{A}^{i}.\end{array}\,\end{eqnarray}$Note here that ${M}_{A}^{i}={M}_{{AB}}^{i}$, and Bob can deduce MCi from equation (1) based on MABi and MBi. From the above equation, Bob can obtain GAi through the calculation, thus he can deduce Alice's secret data X.
We have shown that Wu et al's active attack is also effective for Ji and Ye's protocol, that is, their protocol will leak information under Wu's active attack. In addition, we find that the protocols presented in [44, 46, 45] also have such an information leakage problem, because the process of these protocols is similar to that of Ji and Ye's protocol.
In what follows, we will present a passive attack means, by which we will show that a malicious participant can easily steal the secret data of another based on his own secret data after the end of the protocol, instead of using Wu et al's active attack means.
3.2. Information leakage under the proposed passive attack
At the end of the protocol, both Alice and Bob obtain ${G}_{A}^{i}\oplus {G}_{B}^{i}$ (i.e. ${R}_{i}^{{\prime} }$), that is,$ \begin{eqnarray}\begin{array}{rcl}{R}_{i}^{{\prime} } & = & {R}_{i}\oplus {K}_{A}^{i}\oplus {K}_{B}^{i}\\ & = & ({R}_{A}^{i}\oplus {R}_{B}^{i}\oplus {K}_{{AC}}^{i}\oplus {K}_{{BC}}^{i}\oplus {M}_{C}^{i})\oplus ({K}_{A}^{i}\oplus {K}_{B}^{i})\\ & = & \left[({G}_{A}^{i}\oplus {M}_{A}^{i}\oplus {K}_{{AC}}^{i}\oplus {K}_{A}^{i})\oplus ({G}_{B}^{i}\oplus {M}_{B}^{i}\oplus {K}_{{BC}}^{i}\oplus {K}_{B}^{i})\right.\\ & & \left.\oplus {K}_{{AC}}^{i}\oplus {K}_{{BC}}^{i}\oplus {M}_{C}^{i}\right]\oplus ({K}_{A}^{i}\oplus {K}_{B}^{i})\\ & = & ({G}_{A}^{i}\oplus {G}_{B}^{i})\oplus ({M}_{A}^{i}\oplus {M}_{B}^{i}\oplus {M}_{C}^{i})={G}_{A}^{i}\oplus {G}_{B}^{i}.\end{array}\end{eqnarray}$In this case, Alice and Bob can easily steal each other's data. Specifically, Alice(Bob) can calculate ${R}_{i}^{{\prime} }\oplus {G}_{A}^{i}({R}_{i}^{{\prime} }\oplus {G}_{B}^{i})$, thus she(he) can get ${G}_{B}^{i}({G}_{A}^{i})$, that is, ${R}_{i}^{{\prime} }\oplus {G}_{A}^{i}\,=({G}_{A}^{i}\oplus {G}_{B}^{i})\oplus {G}_{A}^{i}={G}_{B}^{i}$ [${R}_{i}^{{\prime} }\oplus {G}_{B}^{i}=({G}_{A}^{i}\oplus {G}_{B}^{i})\oplus {G}_{B}^{i}={G}_{A}^{i}$]. In fact, for a cryptography protocol, the process, prerequisites, and coding rules of the protocol are all public, except that the keys generated in the protocol is confidential. Therefore, Alice and Bob, as participants in the protocol, obviously know that the final comparison result is ${G}_{A}^{i}\oplus {G}_{B}^{i}$.
We find that the protocols in [43, 47, 48, 45, 46] also have such an information leakage problem. In these protocols, both Alice and Bob obtain ${G}_{A}^{i}\oplus {G}_{B}^{i}$ at the end of the protocol, thus they can easily know each other's data.
4. New solution to the information leakage problem
We have proposed a passive attack means, and described the information leakage problem of several QPC protocols under this attack. Indeed, the information leakage problem is the same as that under Wu et al's active attack, i.e. two participants can steal each other's secret data. To solve this problem, Wu et al put forward two solutions, which has been mentioned in the introduction. In what follows, we will propose a new solution, and then briefly compare our solution with those of Wu et al.
4.1. The proposed solution
Let us now describe our solution. For simplicity and clarity, we change directly the steps 5 and 6 of Ji and Ye's protocol as follows (the first four steps of the protocol remain unchanged):1. After receiving ${R}_{A}^{i}({R}_{B}^{i})$, TP performs Bell measurements on the particles marked by ${p}_{i}^{5},{p}_{i}^{6}$, and marks the binary numbers corresponding to the measurement results by MCi. Subsequently, TP calculates ${R}_{A}^{i}\,\oplus {R}_{B}^{i}\oplus {K}_{{AC}}^{i}\,\oplus {K}_{{BC}}^{i}\oplus {M}_{C}^{i}$, and marks the calculation results by ${a}_{i}^{1}{a}_{i}^{2}$ (note that each calculation result is a binary number which contains two bits, i.e. ${a}_{i}^{1}{a}_{i}^{2}\in \{00,01,10,11\}$). Then, TP calculates$ \begin{eqnarray}\sum _{i=1}^{\lceil N/2\rceil }\sum _{j=1}^{2}{a}_{i}^{j}.\end{eqnarray}$Marking the calculation result by S, TP announces S to Alice and Bob. 2. After receiving S, Alice and Bob calculate ${K}_{A}^{i}\oplus {K}_{B}^{i}$, respectively, and mark the calculation results by ${b}_{i}^{1}{b}_{i}^{2}$. Then, they calculate$ \begin{eqnarray}\sum _{i=1}^{\lceil N/2\rceil }\sum _{j=1}^{2}{b}_{i}^{j},\end{eqnarray}$and marks the calculation result by ${S}^{{\prime} }$. Finally, they calculate $S-{S}^{{\prime} }$. If $S-{S}^{{\prime} }=0$, they can conclude that their data X and Y are the same. Otherwise, they conclude that X and Y are different.
The correctness of our solution is easy to verify. In Step 5, TP calculates ${R}_{A}^{i}\oplus {R}_{B}^{i}\oplus {K}_{{AC}}^{i}\oplus {K}_{{BC}}^{i}\oplus {M}_{C}^{i}$, hence we get$ \begin{eqnarray}\begin{array}{l}{R}_{A}^{i}\oplus {R}_{B}^{i}\oplus {K}_{{AC}}^{i}\oplus {K}_{{BC}}^{i}\oplus {M}_{C}^{i}\\ =({G}_{A}^{i}\oplus {M}_{A}^{i}\oplus {K}_{{AC}}^{i}\oplus {K}_{A}^{i})\\ \oplus ({G}_{B}^{i}\oplus {M}_{B}^{i}\oplus {K}_{{BC}}^{i}\oplus {K}_{B}^{i})\\ \oplus {K}_{{AC}}^{i}\oplus {K}_{{BC}}^{i}\oplus {M}_{C}^{i}\\ ={G}_{A}^{i}\oplus {G}_{B}^{i}\oplus {K}_{A}^{i}\oplus {K}_{B}^{i}.\end{array}\end{eqnarray}$Obviously, $S={\sum }_{i=1}^{\lceil N/2\rceil }{\sum }_{j=1}^{2}{b}_{i}^{j}$ (i.e. $S={S}^{{\prime} })$ if and only if ${G}_{A}^{i}={G}_{B}^{i}$. Otherwise, $S\ne {S}^{{\prime} }$. Note here that KAi and KBi are random keys generated by QKD, thus KAi and KBi are not all the same (the probability that they are all the same can be ignored because it is very small).
Similar improvements can be made to the protocols presented in [43, 47, 48, 45, 46]. For simplicity, we would not like to review these protocols and describe their amendments.
4.2. Comparison
Let us make a brief comparison between our solution and the ones proposed by Wu et al. In our solution, we just change slightly the algorithm without using any additional quantum technology and resources. In contrast, both the solutions proposed by Wu et al need to consume additional quantum technology and resources (see the introduction). We show these differences in table 1.
Table 1. Table 1.Comparison with Wu et al's solutions.
We have shown that several QPC protocols have the same information leakage problem under Wu et al's active attack. We have proposed a passive attack means, and shown that several QPC protocols are insecure under this attack: a malicious participant can easily steal another's secret data after the end of the protocol. We have proposed a simple and effective solution to this problem, which is more efficient than the ones proposed by Wu et al. We believe that our solution is constructive to the design of a QPC protocol.
Acknowledgments
This work is supported by the State Key Program of National Natural Science Foundation of China under grant 61332019, the Major State Basic Research Development Program of China (973 Program) under grant 2014CB340601, the National Science Foundation of China under grant 61202386 and grant 61402339, and the National Cryptography Development Fund of China under grant MMJJ201701304.
JiZ XFanP RZhangH G2019 Entanglement swapping of Bell states and a special class of Greenberger-Horne-Zeilinger states (arXiv:1911.09875) [Cited within: 1]
YangY GWenQ Y2009 An efficient two-party quantum private comparison protocol with decoy photons and two-photon entanglement J. Phys. A: Math. Theor. 42 055305 DOI:10.1088/1751-8113/42/5/055305 [Cited within: 1]
ChenX B2010 An efficient protocol for the private comparison of equal information based on the triplet entangled state and single-particle measurement Opt. Commun. 283 15611565 DOI:10.1016/j.optcom.2009.11.085 [Cited within: 1]
JiZ XZhangH GFanP R2019 Two-party quantum private comparison protocol with maximally entangled seven-qubit state Mod. Phys. Lett. A 34 1950229 DOI:10.1142/S0217732319502298
JiZ XFanP RZhangH G2019 Several two-party protocols for quantum private comparison using entanglement and dense coding Opt. Commun. 459 124911 DOI:10.1016/j.optcom.2019.124911 [Cited within: 1]
JiZ XZhangH GWangH Z2019 Quantum private comparison protocols with a number of multi-particle entangled states IEEE Access 7 4461344621 DOI:10.1109/ACCESS.2019.2906687 [Cited within: 1]
LiuWWangY B2012 Quantum private comparison based on GHZ entangled states Int. J. Theor. Phys. 51 35963604 DOI:10.1007/s10773-012-1246-z
LinS2013 Quantum private comparison of equality with χ-type entangled states Int. J. Theor. Phys. 52 41854194 DOI:10.1007/s10773-013-1731-z
LiJ2014 An efficient protocol for the private comparison of equal information based on four-particle entangled W state and Bell entangled states swapping Int. J. Theor. Phys. 53 21672176 DOI:10.1007/s10773-013-1983-7
SunZLongD2013 Quantum private comparison protocol based on cluster states Int. J. Theor. Phys. 52 212218 DOI:10.1007/s10773-012-1321-5
XuG A2012 An efficient protocol for the quantum private comparison of equality with a four-qubit cluster state Int. J. Quantum Inf. 10 1250045 DOI:10.1142/S0219749912500451
TsengH YLinJHwangT2012 New quantum private comparison protocol using EPR pairs Quantum Inf. Process. 11 373384 DOI:10.1007/s11128-011-0251-0
HeG P2018 Device-independent quantum private comparison protocol without a third party Phys. Scr. 93 095001 DOI:10.1088/1402-4896/aad0fa
LiY B2013 Fault-tolerate quantum private comparison based on GHZ states and ECC Int. J. Theor. Phys. 52 28182825 DOI:10.1007/s10773-013-1573-8
LiC2019 Efficient quantum private comparison protocol based on the entanglement swapping between four-qubit cluster state and extended Bell state Quantum Inf. Process. 18 158 DOI:10.1007/s11128-019-2266-x
HuangW2013 Robust and efficient quantum private comparison of equality with collective detection over collective-noise channels Sci. China Phys. Mech. 56 16701678 DOI:10.1007/s11433-013-5224-0
LiLShiR H2019 A novel and efficient quantum private comparison scheme J. Korean Phys. Soc. 75 1521 DOI:10.3938/jkps.75.15
GuoF Z2013 Quantum private comparison protocol based on entanglement swapping of d-level Bell states Quantum Inf. Process. 12 27932802 DOI:10.1007/s11128-013-0536-6
PanH M2017 Quantum private comparison based on χ-type entangled states Int. J. Theor. Phys. 56 33403347 DOI:10.1007/s10773-017-3499-z
XuLZhaoZ W2019 High-capacity quantum private comparison protocol with two-photon hyperentangled Bell states in multiple-degree of freedom Eur. Phys. J. D 73 58 DOI:10.1140/epjd/e2019-90374-y
JiaH Y2012 Quantum private comparison using genuine four-particle entangled states Int. J. Theor. Phys. 51 11871194 DOI:10.1007/s10773-011-0994-5
JiZ XYeT Y2017 Multi-party quantum private comparison based on the entanglement swapping of d-level cat states and d-level Bell states Quantum Inf. Process. 16 177 DOI:10.1007/s11128-017-1628-5
SongXWenA2019 Multiparty quantum private comparison of size relation based on single-particle states IEEE Access 7 142507142514 DOI:10.1109/ACCESS.2019.2944785
AbulkasimH2019 Improved dynamic multi-party quantum private comparison for next-generation mobile network IEEE Access 7 1791717926 DOI:10.1109/ACCESS.2019.2894101
HuangS L2015 Multi-party quantum private comparison with an almost-dishonest third party Quantum Inf. Process. 14 42254235 DOI:10.1007/s11128-015-1104-z
WangQ L2014 Multi-party quatum private compariso protocol with n-level etagled states Quantum Inf. Process. 13 23752389 DOI:10.1007/s11128-014-0774-2
YeT YJiZ X2017 Multi-user quantum private comparison with scattered preparation and one-way convergent transmission of quantum states Sci. China Phys. Mech. 60 090312 DOI:10.1007/s11433-017-9056-6 [Cited within: 1]
JiS2015 Twice-Hadamard-CNOT attack on Li et al's fault-tolerant quantum private comparison and the improved scheme Front. Phys. 10 192197 DOI:10.1007/s11467-015-0460-6 [Cited within: 1]
PanH M2018 Intercept-Resend-Measure attack towards quantum private comparison protocol using genuine four-particle entangled states and its improvement Int. J. Theor. Phys. 57 20342040 DOI:10.1007/s10773-018-3729-z
LiuW J2014 Cryptanalysis and improvement of quantum private comparison protocol based on Bell entangled states Commun. Theor. Phys. 62 210 DOI:10.1088/0253-6102/62/2/07
WangC2013 Cryptanalysis and improvements for the quantum private comparison protocol using EPR pairs Int. J. Quantum Inf. 11 1350039 DOI:10.1142/S0219749913500391
LiuX T2013 Cryptanalysis of the secure quantum private comparison protocol Phys. Scr. 87 065004 DOI:10.1088/0031-8949/87/06/065004
JiZ XYeT Y2016 Quantum private comparison of equal information based on highly entangled six-qubit genuine state Commun. Theor. Phys. 65 711 DOI:10.1088/0253-6102/65/6/711 [Cited within: 6]
,Key Laboratory of Aerospace Information Security and Trusted Computing, Ministry of Education, School of Cyber Science and Engineering, 
