Quantum_Secret_Permutating_Protocol

This paper introduces a cryptographic primitive called Secret Permutating, which allows n participants to receive unique secret indices for secure multiparty computations. The authors propose novel quantum protocols leveraging quantum mechanics for unconditional security and reduced communication complexity through entanglement swapping and local Pauli operators. Simulations demonstrate the feasibility and security of the proposed protocols.

IEEE TRANSACTIONS ON COMPUTERS, VOL. 72, NO. 5, MAY 2023, p. 1223

Quantum Secret Permutating Protocol


Run-Hua Shi and Yi-Fei Li

Abstract—In modern cryptography, distributing a private and unique index number to each participant is an important cryptographic
task, which can be adopted to efficiently solve many complicated secure multiparty computations. In this paper, we define this
cryptographic primitive, called Secret Permutating, in which every one of n participants can get a random but unique secret $k_i \in \{1, 2, \ldots, n\}$.
Furthermore, we focus on the unconditional security of Secret Permutating based on laws of quantum mechanics.
Accordingly, by local Pauli operators and entanglement swapping of Bell states, we design novel quantum Secret Permutating
protocols. What’s more, to reduce the communicational complexity, we exploit the uniform, random and independent properties of
quantum measurements to evenly divide all participants into many secret groups with the small approximate sizes. Finally, the analysis
results and simulated experiments show that the proposed protocols have the unconditional security and the good feasibility.

Index Terms—Entanglement swapping, quantum cryptography, quantum secret permutating, quantum secret sharing, secure multiparty
computation

The authors are with the School of Control and Computer Engineering, North China Electric Power University, Beijing 102206, China. E-mail: [email protected], [email protected].
Manuscript received 17 April 2022; revised 11 July 2022; accepted 5 September 2022. Date of publication 15 September 2022; date of current version 7 April 2023.
This work was supported by the National Natural Science Foundation of China (No.61772001).
(Corresponding author: Run-Hua Shi.)
Recommended for acceptance by M. Kaâniche.
Digital Object Identifier no. 10.1109/TC.2022.3207121
0018-9340 © 2022 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See https://www.ieee.org/publications/rights/index.html for more information.
Authorized licensed use limited to: National Institute of Technology. Downloaded on April 25,2025 at 08:29:49 UTC from IEEE Xplore. Restrictions apply.

1. INTRODUCTION

With quantum supremacy being demonstrated [1], [2], classical cryptography is facing enormous threats and challenges. Fortunately, quantum cryptography [3] brings a new dawn for information security, which is one of the most important applications of quantum physics in information fields [4], [5], [6], [7]. As an important and useful complement of classical cryptography, theoretically, quantum cryptography can not only ensure data security [8], [9], [10] but also protect user privacy [11], [12], [13], [14], [15], [16], [17], [18]. Though current research of quantum cryptography is mainly focused on two-party key distributions, e.g., Measurement-Device-Independent Quantum Key Distribution (MDI-QKD) [19], [20] and Twin-field Quantum Key Distribution (TF-QKD) [21], [22], quantum cryptography covers a wide range of fields, such as quantum secret sharing [13], quantum conference key agreement [14], [15], quantum private set operations [12], [16], quantum sealed-bid auction [17], quantum anonymous voting [18] and so on. These cryptographic tasks involving multiple participants are collectively called secure multiparty computation, which is an important branch of modern cryptography.

In classical settings, there are lots of well-known cryptographic protocols to solve various problems of secure multiparty computations [23], [24], [25] by mainly using homomorphic encryptions or other public key cryptographic algorithms, whose security is based on unproven computational assumptions. Furthermore, an efficient way to ensure the unconditional security, i.e., the information-theoretical security, is to introduce quantum cryptography, whose security is based on laws of quantum mechanics. Accordingly, some multiparty quantum cryptographic protocols have emerged [11], [12], [13], [14], [15], [16], [17], [18], [26], [27], [29], [30].

What’s more, like QKD, the feasibility of multiparty quantum cryptographic protocols is always the focus of research. However, there are two intractable issues to implement many previously proposed multiparty quantum cryptographic protocols: one is that it is difficult to implement some complicated oracle operators and quantum measurements in high-dimensional Hilbert space and the other is that it is hard to find a fully trusted third party in the real world. As a consequence, the designing of feasible multiparty cryptographic protocols without any trusted third party has become a hot research topic in quantum cryptography.

Recently, we investigate the privacy protection in some multiparty cryptographic tasks, e.g., private set intersection/union cardinality, secure multiparty summation and anonymous voting. Through these preliminary studies, we find an interesting conclusion that it is very efficient to complete these tasks mentioned above if each participant can own a unique but private index number in advance, which is used to later encode or hide private information into the designated location. Furthermore, in order to satisfy this condition, we build a new cryptographic primitive, i.e., Secret Permutating. After Secret Permutating, every one of n participants (n > 2) can get a random but unique secret $k_i \in \{1, 2, \ldots, n\}$. Clearly, the secret set of $\{k_1, k_2, \ldots, k_n\}$ are a random permutation of the set of $\{1, 2, \ldots, n\}$, i.e., $k_i = \pi(i)$ for $i = 1, 2, \ldots, n$, where $\pi(\cdot)$ is a secret permutation function. Of course, if there is a trusted third party who can be responsible for generating and distributing all secrets, then Secret Permutating will become an easy task. However, in the real world there is no one who is absolutely trusted. So, we do not ask for any help of a third party in our Secret Permutating.

When designing Secret Permutating protocols, we mainly consider two factors: the unconditional security and the good feasibility. In order to ensure the unconditional
security, i.e., the information-theoretical security, we exploit quantum cryptographic approach to deal with Secret Permutating. Accordingly, we take multi-qubit entanglement states as quantum resources to exchange private information by local unitary operators and entanglement swapping. Furthermore, to achieve the good feasibility, we select Bell states as information carriers, which have better feasibility in various multi-qubit entanglement states.

Our contributions in this paper are summarized below.

1) We define a cryptographic primitive of secure multiparty computations, called Secret Permutating, in which every one of n participants can get a random but unique secret $k_i \in \{1, 2, \ldots, n\}$.
2) We design a novel quantum Secret Permutating (QSP) protocol, where each participant transmitting one photon can bring two bits of classical information by local Pauli operators and entanglement swapping of Bell states.
3) We further create a pre-grouping idea to reduce the complexity by entanglement swapping and present an improved QSP protocol by privately pre-grouping, which can achieve the linear rounds of quantum communications.
4) Finally, we verify the correctness and the feasibility of the proposed/improved QSP protocols by circuit simulations in IBM Qiskit.

2. PRELIMINARIES

We will utilize local Pauli operators and entanglement swapping of Bell states to exchange private information. So, we first introduce the related Theorem [26], [27]. In this paper, four Bell states are defined by

$$|\phi_{00}\rangle = \frac{1}{\sqrt{2}}(|00\rangle + |11\rangle) \tag{1}$$
$$|\phi_{01}\rangle = \frac{1}{\sqrt{2}}(|00\rangle - |11\rangle) \tag{2}$$
$$|\phi_{10}\rangle = \frac{1}{\sqrt{2}}(|01\rangle + |10\rangle) \tag{3}$$
$$|\phi_{11}\rangle = \frac{1}{\sqrt{2}}(|01\rangle - |10\rangle) \tag{4}$$

Please note that the subscript of Bell state $|\phi_{s[i]t[i]}\rangle$, i.e., $s[i]t[i] \in \{00, 01, 10, 11\}$, is called the feature of the Bell state $|\phi_{s[i]t[i]}\rangle$. In addition, four Pauli operators are described as follows:

$$U_{00} = I = |0\rangle\langle 0| + |1\rangle\langle 1| \tag{5}$$
$$U_{01} = \sigma_z = |0\rangle\langle 0| - |1\rangle\langle 1| \tag{6}$$
$$U_{10} = \sigma_x = |0\rangle\langle 1| + |1\rangle\langle 0| \tag{7}$$
$$U_{11} = i\sigma_y = |0\rangle\langle 1| - |1\rangle\langle 0| \tag{8}$$

Theorem 1 [26], [27]. For any n two-photon Bell states (i.e., $|\phi_{s[i]t[i]}\rangle$ for $i = 1, 2, \ldots, n$), if we apply an arbitrary number of Pauli operators (i.e., $U_{p[i]q[i]}$ for $i = 1, 2, \ldots, n$) to any photons of these Bell states and randomly measure any two photons in Bell basis, then the parity of the features of all measured Bell states (i.e., $|\phi_{s'[i]t'[i]}\rangle$ for $i = 1, 2, \ldots, n$) is entirely determined by those of all initial Bell states and all applied Pauli operators, i.e., satisfying the following XOR equation:

$$\bigoplus_{i=1}^{n} s'[i]t'[i] = \bigoplus_{i=1}^{n} s[i]t[i] \oplus \bigoplus_{i=1}^{n} p[i]q[i]. \tag{9}$$

Here, we give a simple example to further illustrate the theorem as follows:

Suppose that there are two Bell states initially in $|\phi_{00}\rangle_{12} = \frac{1}{\sqrt{2}}(|00\rangle + |11\rangle)_{12}$ and $|\phi_{10}\rangle_{34} = \frac{1}{\sqrt{2}}(|01\rangle + |10\rangle)_{34}$, i.e.,

$$\begin{aligned}
|\phi_{00}\rangle_{12} \otimes |\phi_{10}\rangle_{34} &= \frac{1}{\sqrt{2}}(|00\rangle + |11\rangle)_{12} \otimes \frac{1}{\sqrt{2}}(|01\rangle + |10\rangle)_{34} \\
&= \frac{1}{2}(|0001\rangle + |0010\rangle + |1101\rangle + |1110\rangle)_{1234} \\
&= \frac{1}{2}(|0001\rangle + |0100\rangle + |1011\rangle + |1110\rangle)_{1324}
\end{aligned} \tag{10}$$

Furthermore, if we apply Pauli operators $U_{01}$ (i.e., $\sigma_z$) and $U_{10}$ (i.e., $\sigma_x$) to the particles 1 and 4, respectively, then we will get

$$\begin{aligned}
(U_{01}[1] \otimes U_{10}[4])\,|\phi_{00}\rangle_{12} \otimes |\phi_{10}\rangle_{34} &= (U_{01}[1] \otimes U_{10}[4])\,\frac{1}{2}(|0001\rangle + |0100\rangle + |1011\rangle + |1110\rangle)_{1324} \\
&= \frac{1}{2}(|0000\rangle + |0101\rangle - |1010\rangle - |1111\rangle)_{1324} \\
&= \frac{1}{2}\Big[\tfrac{1}{\sqrt{2}}(|00\rangle + |11\rangle)_{13} \otimes \tfrac{1}{\sqrt{2}}(|00\rangle - |11\rangle)_{24} \\
&\qquad + \tfrac{1}{\sqrt{2}}(|00\rangle - |11\rangle)_{13} \otimes \tfrac{1}{\sqrt{2}}(|00\rangle + |11\rangle)_{24} \\
&\qquad + \tfrac{1}{\sqrt{2}}(|01\rangle + |10\rangle)_{13} \otimes \tfrac{1}{\sqrt{2}}(|01\rangle - |10\rangle)_{24} \\
&\qquad + \tfrac{1}{\sqrt{2}}(|01\rangle - |10\rangle)_{13} \otimes \tfrac{1}{\sqrt{2}}(|01\rangle + |10\rangle)_{24}\Big] \\
&= \frac{1}{2}\big[|\phi_{00}\rangle_{13} \otimes |\phi_{01}\rangle_{24} + |\phi_{01}\rangle_{13} \otimes |\phi_{00}\rangle_{24} \\
&\qquad + |\phi_{10}\rangle_{13} \otimes |\phi_{11}\rangle_{24} + |\phi_{11}\rangle_{13} \otimes |\phi_{10}\rangle_{24}\big]
\end{aligned} \tag{11}$$

According to Eq. (11), if we perform Bell-basis measurements on the particle pairs (1, 3) and (2, 4), respectively, then all possible XORs of the classical features of measured results are equal to 01, e.g., $10 \oplus 11 = 01$. In addition, the XOR of the corresponding features of two initial Bell states and two applied Pauli operators is equal to 01, i.e., $00 \oplus 10 \oplus 01 \oplus 10 = 01$. Clearly, the XORs before and after Bell-state measuring are equal, i.e., it verifies the correctness of the equation of (9).

3. QUANTUM SECRET PERMUTATING

Here we first give a formal definition of Secret Permutating.

Definition 1 (Secret Permutating). Suppose that there are n distributed participants $P_1, P_2, \ldots, P_n$, where n > 2. After executing this protocol, each participant $P_i$ gets a random secret $k_i \in \{1, 2, \ldots, n\}$ for $i = 1, 2, \ldots, n$, but it must satisfy the following requirements:

1) Privacy. No one learns any private information about $k_i$ except the participant $P_i$.
2) Uniqueness. The secrets $k_i$ and $k_j$ of any two different participants $P_i$ and $P_j$ are different, i.e., $k_i \neq k_j$ if $i \neq j$.

Please note that unlike Secret Sharing, there is no dealer to distribute the secrets to all participants in Secret Permutating.

Fig. 1. Schematic diagram of entanglement swapping with local Pauli operators. (a) Before Bell-state measuring; (b) After Bell-state measuring. Note. Bold line denotes the entanglement of two photons in Bell state and dotted box represents Bell-state measurement.

Furthermore, from the above definition, we can see that the secret set $\{k_1, k_2, \ldots, k_n\}$ is a random but private permutation of $\{1, 2, \ldots, n\}$. In Ref. [28], T. Nakai, et al. introduced a new operation called Private Permutation, which was utilized to design card-based cryptographic protocols for the millionaires’ problem. In their definition, Private Permutation is a private operation for each player with t cards, i.e., private shuffling, where the order of t cards will be privately changed if he performs a private permutation operation. Obviously, there is a distinct difference between the two. Like Secret Sharing, here we call the new primitive Secret Permutating, instead of Private Permutation. Similarly, there are many promising applications of Secret Permutating as building blocks for computing other more complicated cryptographic tasks, e.g., secure multiparty shuffling [24], secure multiparty summation [29], multiparty private set union [30] and anonymous voting [18].

Here, we illustrate an application example of Secret Permutating, i.e., anonymous voting based on Secret Permutating, as shown in Fig. 2. Assume that there are six voters, labeled $V_1, V_2, \ldots,$ and $V_6$, and each voter will vote “for the proposal” (i.e., $v_i = 1$) or “against the proposal” (i.e., $v_i = 0$), where the proposal is an important business/military decision. After this voting protocol, all voters can get the number of the voters of voting “for the proposal”. But it should guarantee the privacy and the anonymity of each voter. That is, no one knows who votes “for the proposal” or “against the proposal”, unless all voters vote “for the proposal” or all voters vote “against the proposal”. In the above example, the private inputs of $V_1, V_2, V_3, V_4, V_5,$ and $V_6$ are 1, 0, 1, 1, 0, and 0, respectively, i.e., $v_1 = 1$, $v_2 = 0$, $v_3 = 1$, $v_4 = 1$, $v_5 = 0$, and $v_6 = 0$, respectively. First, all voters execute a Secret Permutating protocol, so that each voter gets a unique secret $k_i$, e.g., $k_1 = 3$, $k_2 = 5$, $k_3 = 1$, $k_4 = 6$, $k_5 = 2$, and $k_6 = 4$ in Fig. 2. Second, each voter generates a private vector $\mathbf{v}_i$ by the secret $k_i$ and his private willingness $v_i$, where the $k_i$-th component of $\mathbf{v}_i$ is equal to $v_i$, and all other components are equal to 0. Then, all voters privately compute the modulo-2 summation of each column, e.g., $(0 + 0 + 1 + 0 + 0 + 0) \bmod 2 = 0 \oplus 0 \oplus 1 \oplus 0 \oplus 0 \oplus 0 = 1$ for the first column, which can be easily realized by using a quantum protocol for secure multiparty summation in 2-dimension Hilbert space [29]. Finally, all voters can count the number of the voters of voting “for the proposal” by the public computation results of each column, as listed in the last row of Fig. 2, i.e., 10,10,01. So, the final output is 3. That is, there are three voters of voting “for the proposal”, but no one knows who votes “for the proposal” due to Secret Permutating.

Fig. 2. Anonymous voting based on Secret Permutating.

To the best of our knowledge, there is still no quantum protocol for Secret Permutating. In this paper, we first attempt and employ a quantum approach to solve the secret permutating problem and design novel Quantum Secret Permutating (QSP) protocols. In the following QSP protocol, we only consider the honest-but-curious participants, like the semi-honesty model in the classical settings, where adversaries may try to learn as much information as possible from a given protocol execution but are not able to deviate from the protocol steps. That is, in the semi-honest model, each participant follows the protocol specification but tries to deduce some private information about the other participants. Furthermore, we assume that there are authenticated quantum channels between any two neighbor participants $P_i$ and $P_{i+1}$. In addition, for simplicity, we assume that there are an even number of participants in total, i.e., the number n is even.

We can refer to Fig. 3 to briefly see the main processes of proposed Quantum Secret Permutating (QSP) protocol, which are described in detail as follows:

Quantum Secret Permutating Protocol

Step 1. Each participant $P_i$ ($i = 1, 2, \ldots, n$) randomly generates a 0/1 vector $x_i$ with n components, where only one of the components is equal to 1, and all the other components are equal to 0, e.g., (0, 0, 0, 1, 0, 0, 0, 0), (0, 1, 0, 0, 0, 0, 0, 0), (0, 0, 0, 0, 0, 1, 0, 0) or (0, 0, 0, 0, 0, 0, 0, 1). Accordingly,

$$x_i[1] + x_i[2] + \ldots + x_i[n] = 1, \tag{12}$$

where $x_i[j] \in \{0, 1\}$ denotes the jth component of the vector $x_i$.

Step 2. All participants execute the following procedures to compute $x_1 \oplus x_2 \oplus \ldots \oplus x_n$: {
Set label = 0;
For j = 1 to n/2 do {
(1) Each participant $P_i$ ($i = 1, 2, \ldots, n$) privately prepares a Bell state $|\phi_{s[i]t[i]}\rangle_{a[2i-1],a[2i]}$, where the subscripts $s[i]t[i]$
($s[i]t[i] \in_R \{00, 01, 10, 11\}$) denote the feature of Bell state and the subscripts $a[2i-1]$ and $a[2i]$ represent two photons.
(2) Each participant $P_i$ ($i = 1, 2, \ldots, n$) sends the photon $a[2i]$ to the next participant $P_{i+1}$ through the authenticated quantum channel (Note. $P_{n+1} = P_1$), while he keeps the photon $a[2i-1]$ in hands, as shown in Fig. 1a.
(3) At this moment, each participant $P_i$ still owns two photons: $a[2(i-1)]$ received from the previous participant $P_{i-1}$ and $a[2i-1]$ prepared by himself. Furthermore, each participant $P_i$ ($i = 1, 2, \ldots, n$) randomly selects one of the two photons: $a[2(i-1)]$ and $a[2i-1]$, and applies the Pauli operator $U_{x_i[2j-1]x_i[2j]}$ to the selected photon, as shown in Fig. 1a, where the subscripts $x_i[2j-1]$ and $x_i[2j]$ denote the $(2j-1)$-th and $2j$-th components of the private vector $x_i$, respectively.
(4) Each participant $P_i$ ($i = 1, 2, \ldots, n$) measures the photon pair ($a[2(i-1)]$, $a[2i-1]$) in Bell basis. Suppose that the measured result is $|\phi_{s'[i]t'[i]}\rangle_{a[2(i-1)],a[2i-1]}$, as shown in Fig. 1b.
(5) Each participant $P_i$ ($i = 1, 2, \ldots, n$) calculates

$$y[i] = s[i]t[i] \oplus s'[i]t'[i] \tag{13}$$

and announces $y[i]$ on a bulletin board or in a public blockchain. Please note that the bit length of $y[i]$ is equal to 2 and $\oplus$ denotes bitwise XOR.
(6) By the public information, each participant $P_i$ ($i = 1, 2, \ldots, n$) calculates

$$Y[j] = y[1] \oplus y[2] \oplus \ldots \oplus y[n]. \tag{14}$$

(7) If $Y[j] = 11$, then set label = 1
else set label = 0 and exit.
}//end For
If label = 1 then goto Step 3
else goto Step 1.
}
Step 3. Each participant $P_i$ ($i = 1, 2, \ldots, n$) executes the following procedures:
For j = 1 to n do {
If $x_i[j] = 1$, then the participant $P_i$ sets $k_i = j$, where $x_i[j]$ denotes the jth component of the vector $x_i$ generated privately by the participant $P_i$ in Step 1.
}

Fig. 3. QSP protocol.

3.1. Correctness

In the above QSP protocol, each participant continuously and randomly generates the private vector $x_i$ until satisfying the successful condition:

$$x_1 \oplus x_2 \oplus \ldots \oplus x_n = \overbrace{11 \ldots 1}^{n} \tag{15}$$

where only one of the components of each $x_i$ is equal to 1, and all the other components are equal to 0. In total, there are n components of “1” among all private vectors: $x_1, x_2, \ldots, x_n$. Clearly, if $x_1 \oplus x_2 \oplus \ldots \oplus x_n = \overbrace{11 \ldots 1}^{n}$, it implies that the position indexes of n components of “1” are exactly different, i.e., $x_1[j] \oplus x_2[j] \oplus \ldots \oplus x_n[j] = 1$ for any j. So, it can ensure $k_{i_1} \neq k_{i_2}$ for any $i_1 \neq i_2$. Here, we give a simple example to illustrate the successful condition, as shown in Fig. 4. In this example, we assume that there are eight participants. According to the QSP protocol, all participants repeatedly generate their private and random vectors and compute the corresponding XOR bitwise, until it satisfies the successful condition, i.e., $x_1 \oplus x_2 \oplus x_3 \oplus x_4 \oplus x_5 \oplus x_6 \oplus x_7 \oplus x_8 = 11111111$.

Fig. 4. A successful example of computing the XOR.

As shown in Fig. 4, all private vectors meet the successful condition, i.e., $x_1 \oplus x_2 \oplus \ldots \oplus x_8 = 11111111$. Furthermore, according to their respective vectors, each participant finally gets a unique secret, where the secrets of all participants are 4, 6, 8, 5, 2, 7, 3, and 1, respectively.

Therefore, the correctness of proposed QSP protocol is mainly guaranteed by that of the computation of exclusive-OR (XOR) with Bell states and Bell measurements, which will be proved by the following Theorem 2.

Theorem 2. The proposed procedures of multiparty computing XOR (i.e., $\oplus$) with Bell states and Bell measurements are correct.

Proof. By the proposed procedures in Step 2, it needs to execute at most n/2 rounds of For loop, where each round (i.e., for each j) is to compute the XOR result of two bits among all n participants. Since the basic principle is
similar, we only analyze the correctness of the j-th round, as shown in Fig. 1. □

For the j-th round in For loop, each party $P_i$ ($i = 1, 2, \ldots, n$) calculates $Y[j] = y[1] \oplus y[2] \oplus \ldots \oplus y[n]$, where $y[i] = s[i]t[i] \oplus s'[i]t'[i]$. Furthermore, we can get

$$\begin{aligned}
Y[j] &= y[1] \oplus y[2] \oplus \ldots \oplus y[n] \\
&= s[1]t[1] \oplus s'[1]t'[1] \oplus s[2]t[2] \oplus s'[2]t'[2] \oplus \ldots \oplus s[n]t[n] \oplus s'[n]t'[n] \\
&= \Big(\bigoplus_{i=1}^{n} s[i]t[i]\Big) \oplus \Big(\bigoplus_{i=1}^{n} s'[i]t'[i]\Big)
\end{aligned} \tag{16}$$

By Theorem 1, i.e., Eq. (9), accordingly we can get,

$$Y[j] = \bigoplus_{i=1}^{n} x_i[2j-1]x_i[2j], \tag{17}$$

where $x_i[2j-1]x_i[2j]$ is the feature of the corresponding Pauli operator $U_{x_i[2j-1]x_i[2j]}$. For example, if j = 1, then $Y[1] = x_1[1]x_1[2] \oplus x_2[1]x_2[2] \oplus \ldots \oplus x_n[1]x_n[2] = (x_1[1] \oplus x_2[1] \oplus \ldots \oplus x_n[1])(x_1[2] \oplus x_2[2] \oplus \ldots \oplus x_n[2])$, i.e., bitwise getting the XOR result of two bits.

Therefore, our proposed procedures are correct.

3.2 Security

Theorem 3. The proposed QSP protocol can perfectly ensure the privacy of each participant, i.e., the secret of each participant is unconditionally secure.

Proof. By the proposed QSP protocol, the participants only exchange quantum and classical messages in Step 2. So there is no private information revealed in both Step 1 and Step 3. Here, we focus on Step 2. In each round of For loop in Step 2, each participant exchanges one photon and announces a 2-bit classical information. Furthermore, we will prove that any one cannot get any private information from one transmitted photon and the 2-bit public information. □

On the one hand, the initial state of $|\phi_{s[i]t[i]}\rangle_{a[2i-1],a[2i]}$ is unknown to anyone else except for the participant $P_i$, where the Bell state is defined by

$$|\phi_{s[i]t[i]}\rangle_{a[2i-1],a[2i]} = \frac{1}{\sqrt{2}}\Big(|0\,s[i]\rangle + (-1)^{t[i]}\,|\bar{0}\,\overline{s[i]}\rangle\Big)_{a[2i-1],a[2i]} \tag{18}$$

Accordingly, we can easily get the reduced density matrix of the photon $a[2i]$ sent to the participant $P_{i+1}$ through the authenticated quantum channel as follows:

$$\begin{aligned}
\rho_{a[2i]} &= {}_{a[2i-1]}\langle 0|\phi_{s[i]t[i]}\rangle_{a[2i-1],a[2i]}\langle\phi_{s[i]t[i]}|0\rangle_{a[2i-1]} + {}_{a[2i-1]}\langle 1|\phi_{s[i]t[i]}\rangle_{a[2i-1],a[2i]}\langle\phi_{s[i]t[i]}|1\rangle_{a[2i-1]} \\
&= \frac{|0\rangle_{a[2i]}\langle 0| + |1\rangle_{a[2i]}\langle 1|}{2} \\
&= \frac{I}{2}
\end{aligned} \tag{19}$$

Given from Eq. (19), we can see that the reduced density matrix is the totally mixed state (i.e., maximally mixed state), so the participant $P_{i+1}$ or any outsider cannot learn any private information about $s[i]$ and $t[i]$ of the participant $P_i$. Furthermore, after the participant $P_i$ performs the Pauli operator $U_{x_i[2j-1]x_i[2j]}$ on the photon $a[2i-2]$ or $a[2i-1]$ randomly, the corresponding Bell state $|\phi_{s[i-1]t[i-1]}\rangle_{a[2i-3],a[2i-2]}$ or $|\phi_{s[i]t[i]}\rangle_{a[2i-1],a[2i]}$ will be changed as another Bell state. However, the reduced density matrix of the photon $a[2i]$ kept by the participant $P_{i+1}$ or intercepted by the outsider remains unchanged, i.e., it is still the totally mixed state as the same of Eq. (19). So, the participant $P_{i+1}$ or the outsider cannot yet get any private information of the participant $P_i$, e.g., $s[i]t[i]$ and $x_i[2j-1]x_i[2j]$.

In short, the attacker cannot get each complete Bell state, and accordingly he cannot extract out the global information (i.e., private information) from the partial qubits of the entangled quantum systems.

On the other hand, the participant $P_i$ opens the classical information $y[i]$, where $y[i] = s[i]t[i] \oplus s'[i]t'[i]$. It is obvious that anyone else, including the next participant $P_{i+1}$, cannot get any private information about $x_i[2j-1]x_i[2j]$ only from $y[i]$, because $s[i]t[i]$ is selected randomly and privately by the participant $P_i$ and $s'[i]t'[i]$ is subject to the uniform distribution by the property of quantum measurements (i.e., random and independent), and accordingly they are completely unknown to anyone else except for the participant $P_i$. That is, individual $x_i[2j-1]x_i[2j]$ is completely independent of $s[i]t[i]$ and $s'[i]t'[i]$.

Therefore, any one including the participant $P_{i+1}$ cannot get any private information of the participant $P_i$, though all participants can successfully compute $Y[j] = \bigoplus_{i=1}^{n} x_i[2j-1]x_i[2j]$. That is, the proposed QSP protocol achieves the perfect privacy, i.e., the information-theoretical security.

4. IMPROVED QSP PROTOCOL

In the above section, we have analyzed the correctness and the security of proposed QSP protocol. However, the communicational rounds of the proposed QSP protocol are relatively large due to the completely disordered randomness of the private input of each participant, where the successful probability of executing this protocol in one round is

$$p_n = \frac{n!}{n^n} = o\!\left(\left(\frac{1}{e}\right)^{n}\right) \tag{20}$$

For example, if n = 2, then $p_2 = 0.5$; if n = 4, then $p_4 = 0.0938$; if n = 5, then $p_5 = 0.0384$; if n = 6, then $p_6 = 0.0154$; if n = 7, then $p_7 = 0.0061$; if n = 10, then $p_{10} = 0.0004$. That is, the proposed QSP protocol will consume lots of quantum resources.

In order to improve the successful probability (i.e., to enhance the feasibility), we further present an improved strategy, in which we try to privately divide all participants into multiple groups with the small sizes, independently generate the corresponding private vectors by their respective groups, and finally compute the XOR results to verify the correctness group by group. For simplicity, in the following improved QSP protocol, we assume that all participants can be divided into four groups.

Similarly, we can refer to Fig. 5 to briefly see the main processes of improved QSP protocol, which are described in detail below.

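The ring exchange of Step 2 in Section 3 and the parity rule of Theorem 1 can be checked with a small state-vector simulation. The Python below is an added example, not code from the paper or its authors (who report Qiskit circuit simulations); the function names, the 0-based qubit numbering, the noiseless channel and the seeded pseudo-random generator standing in for measurement randomness are assumptions made here.

```python
import math
import random

SQRT2 = math.sqrt(2.0)

def bell_pairs(feats):
    """Product of Bell pairs; pair i sits on qubits (2i, 2i+1) with feature (s, t):
    |phi_st> = (|0,s> + (-1)^t |1,1-s>)/sqrt(2). Qubit q is bit q of the basis index."""
    state = [1.0]
    for i, (s, t) in enumerate(feats):
        lo = s << (2 * i + 1)                              # basis offset of |0, s>
        hi = (1 << (2 * i)) | ((1 - s) << (2 * i + 1))     # basis offset of |1, 1-s>
        new = [0.0] * (4 * len(state))
        for k, amp in enumerate(state):
            new[k | lo] = amp / SQRT2
            new[k | hi] = (-amp if t else amp) / SQRT2
        state = new
    return state

def apply_pauli(state, q, p, z):
    """Apply U_pz to qubit q in place: U_00=I, U_01=sigma_z, U_10=sigma_x, U_11=i*sigma_y."""
    out = [0.0] * len(state)
    for k, amp in enumerate(state):
        k2 = k ^ (p << q)                                  # sigma_x part flips the bit
        out[k2] = -amp if (z and (k2 >> q) & 1) else amp   # sigma_z part signs |1>
    state[:] = out

def bell_measure(state, qa, qb, rng):
    """Bell-basis measurement of qubits (qa, qb): collapses state, returns feature (s, t)."""
    branches = []
    for s in (0, 1):
        for t in (0, 1):
            sign = -1.0 if t else 1.0
            proj, prob = [0.0] * len(state), 0.0
            for k in range(len(state)):
                if ((k >> qa) & 1) == 0 and ((k >> qb) & 1) == s:
                    k1 = k ^ (1 << qa) ^ (1 << qb)         # partner basis state |1, 1-s>
                    c = (state[k] + sign * state[k1]) / 2.0
                    proj[k], proj[k1] = c, sign * c
                    prob += 2.0 * c * c
            branches.append((prob, (s, t), proj))
    prob, feat, proj = rng.choices(branches, weights=[b[0] for b in branches])[0]
    norm = math.sqrt(prob)
    state[:] = [a / norm for a in proj]
    return feat

def xor_feats(feats):
    """Bitwise XOR of a list of 2-bit features given as (bit, bit) tuples."""
    s = t = 0
    for a, b in feats:
        s, t = s ^ a, t ^ b
    return (s, t)

def swap_and_measure(feats, paulis, pairs, rng):
    """Prepare Bell pairs, apply paulis [(qubit, p, z)], Bell-measure pairs [(qa, qb)]."""
    state = bell_pairs(feats)
    for q, p, z in paulis:
        apply_pauli(state, q, p, z)
    return [bell_measure(state, qa, qb, rng) for qa, qb in pairs]

def paper_example(rng):
    """Eq. (10)-(11): |phi_00>_12 |phi_10>_34, sigma_z on particle 1, sigma_x on
    particle 4, Bell measurements on (1,3) and (2,4); particles 1..4 are qubits 0..3."""
    return swap_and_measure([(0, 0), (1, 0)], [(0, 0, 1), (3, 1, 0)], [(0, 2), (1, 3)], rng)

def qsp_round(pauli_bits, rng):
    """Step 2 (1)-(6) for one j; pauli_bits[i] = (x_i[2j-1], x_i[2j]). Returns (y, Y[j])."""
    n = len(pauli_bits)
    init = [(rng.randrange(2), rng.randrange(2)) for _ in range(n)]     # private s[i]t[i]
    # P_i keeps qubit 2i and holds qubit 2i-1 (mod 2n) received from P_{i-1}
    held = [((2 * i - 1) % (2 * n), 2 * i) for i in range(n)]
    paulis = [(rng.choice(held[i]), *pauli_bits[i]) for i in range(n)]
    measured = swap_and_measure(init, paulis, held, rng)
    y = [(s ^ s2, t ^ t2) for (s, t), (s2, t2) in zip(init, measured)]  # public y[i]
    return y, xor_feats(y)

def secret_permutating(n, rng):
    """Repeat Steps 1-2 until every Y[j] == 11, then Step 3. Returns (k_1..k_n, attempts)."""
    attempts = 0
    while True:
        attempts += 1
        ones = [rng.randrange(n) for _ in range(n)]        # Step 1: where x_i has its 1
        x = [[int(c == pos) for c in range(n)] for pos in ones]
        if all(qsp_round([(xi[2 * j], xi[2 * j + 1]) for xi in x], rng)[1] == (1, 1)
               for j in range(n // 2)):
            return [pos + 1 for pos in ones], attempts     # Step 3: k_i = index of the 1

if __name__ == "__main__":
    rng = random.Random(2023)                              # constructed seed
    print("Eq. (11) outcome:", paper_example(rng))
    print("secrets, attempts for n=4:", secret_permutating(4, rng))
```

For n = 4 each attempt in `secret_permutating` succeeds with the probability $p_4 = 0.0938$ of Eq. (20), so about eleven attempts are expected before a permutation is accepted.
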
Fig. 5. Improved QSP protocol.

Improved QSP Protocol

(1) Pre-grouping

Step 1. Each participant $P_i$ ($i = 1, 2, \ldots, n$) prepares a two-photon Bell state randomly in one of four Bell states {$|\phi_{00}\rangle$, $|\phi_{01}\rangle$, $|\phi_{10}\rangle$, $|\phi_{11}\rangle$}, and sends one of the two photons to the next participant $P_{i+1}$, where $P_{n+1} = P_1$.

Step 2. Each participant $P_i$ ($i = 1, 2, \ldots, n$) performs a Bell-state measurement on his particle pair. Suppose that his measured result is $|\phi_{s[i]t[i]}\rangle$. Furthermore, if $s[i]t[i] = 00$, 01, 10 and 11, respectively, then he will be accordingly divided into the first group, the second group, the third group and the fourth group.

// The following procedure from Step 3 to Step 5 is to count the number of the participants in each group, while it can protect the privacy about which group each participant belongs to.

Step 3. Each participant $P_i$ ($i = 1, 2, \ldots, n$) randomly generates a 0/1 vector $w_i$ with 4 components, where the t-th component is equal to 1 if he belongs to the t-th group, and all other components are equal to 0. Furthermore, each participant $P_i$ ($i = 1, 2, \ldots, n$) encodes his private vector $w_i$ into an n-base integer $\bar{w}_i$, e.g., if $w_i = (0, 1, 0, 0)$ and n = 8, then $\bar{w}_i = 64$.

Step 4. All participants compute the summation of $\sum_{i=1}^{n} \bar{w}_i$ by using classical Shamir’s Secret Sharing protocols [31], which is information-theoretically secure.

(1) Each participant $P_i$ ($i = 1, 2, \ldots, n$) privately generates a polynomial of degree $(n - 1)$ over $GF(p)$ ($p > n^4$):

$$f_i(x) = \bar{w}_i + a_{i,1}x + a_{i,2}x^2 + \ldots + a_{i,n-1}x^{n-1}, \tag{21}$$

where $f_i(0) = \bar{w}_i$ and $a_{i,j} \in_R GF(p)$.

(2) Each participant $P_i$ ($i = 1, 2, \ldots, n$) computes the shares of all participants:

$$s_{i,j} = f_i(j) \quad \text{for } j = 1, 2, \ldots, n \tag{22}$$

(3) Each participant $P_i$ ($i = 1, 2, \ldots, n$) sends the share $s_{i,j}$ to the participant $P_j$ for $j = 1, 2, \ldots, i-1, i+1, \ldots, n$ through secure classical channels.

(4) Each participant $P_i$ ($i = 1, 2, \ldots, n$) computes and opens the summation of his owned shares:

$$s(i) = \sum_{j=1}^{n} s_{j,i} = \sum_{j=1}^{n} f_j(i) \tag{23}$$

(5) Each participant $P_i$ ($i = 1, 2, \ldots, n$) can recover the following secret by using the Lagrange interpolation method:

$$\sum_{i=1}^{n} f_i(0) = \sum_{i=1}^{n} \left( s(i) \prod_{1 \le j \le n,\; j \ne i} \frac{(0 - j)}{(i - j)} \right), \tag{24}$$

Clearly,

$$\sum_{i=1}^{n} \bar{w}_i = \sum_{i=1}^{n} f_i(0). \tag{25}$$

Step 5. Let $w = \sum_{i=1}^{n} \bar{w}_i$. As an n-base integer, w can be decoded into a vector ($w[1], w[2], w[3], w[4]$), where $w = w[1] \cdot n^3 + w[2] \cdot n^2 + w[3] \cdot n^1 + w[4] \cdot n^0$. In fact, we can easily deduce that

$$w[t] = w_1[t] + w_2[t] + \ldots + w_n[t], \tag{26}$$

for t = 1, 2, 3, 4. That is, $w[t]$ denotes the number of the participants in the t-th group. So, $n = w[1] + w[2] + w[3] + w[4]$. Please note all $w[t]$s are public. Obviously, each participant knows the sequence number of his group but no one knows which group he belongs to except himself.

(2) Main-computing

Step 1. Initially, set label[t] = 0 for t = 1, 2, 3, 4. Furthermore, each participant $P_i$ ($i = 1, 2, \ldots, n$) randomly generates a 0/1 vector $x_i$ with n components, where only one of the $w[t]$ components from the $\left(\sum_{l=1}^{t-1} w[l] + 1\right)$-th component to the $\sum_{l=1}^{t} w[l]$-th component is equal to 1, and all the other components are equal to 0. Here, suppose that he belongs to the t-th group with $w[t]$ participants.

Step 2. All participants execute the following procedures to compute $x_1 \oplus x_2 \oplus \ldots \oplus x_n$: {
For j = 1 to n/2 do {
(1) Each participant $P_i$ ($i = 1, 2, \ldots, n$) privately prepares a Bell state $|\phi_{s[i]t[i]}\rangle_{a[2i-1],a[2i]}$, where the subscripts $s[i]t[i]$ denote the feature of Bell state and the subscripts $a[2i-1]$ and $a[2i]$ represent two photons.
(2) Each participant $P_i$ ($i = 1, 2, \ldots, n$) sends the photon $a[2i]$ to the next participant $P_{i+1}$ through the authenticated quantum channel, while he keeps the photon $a[2i-1]$ in hands.
(3) Furthermore, each participant $P_i$ ($i = 1, 2, \ldots, n$) randomly selects one of the two photons: $a[2(i-1)]$ and $a[2i-1]$, and applies the Pauli operator $U_{x_i[2j-1]x_i[2j]}$ to the selected photon, where the subscripts $x_i[2j-1]$ and $x_i[2j]$ denote the $(2j-1)$-th and $2j$-th components of the private vector $x_i$, respectively.
SHI AND LI: QUANTUM SECRET PERMUTATING PROTOCOL 1229

(4) Each participant $P_i$ ($i = 1, 2, \ldots, n$) measures the photon pair ($a[2(i-1)]$, $a[2i-1]$) in Bell basis. Suppose that the measured result is $|\phi_{s'[i]t'[i]}\rangle_{a[2(i-1)],a[2i-1]}$.

(5) Each participant $P_i$ ($i = 1, 2, \ldots, n$) calculates and opens $y[i] = s[i]t[i] \oplus s'[i]t'[i]$ on a bulletin board or in a public blockchain.

(6) By the public information, each participant $P_i$ ($i = 1, 2, \ldots, n$) calculates $Y[j] = y[1] \oplus y[2] \oplus \ldots \oplus y[n]$.

}//end For

For $t = 1$ to 4 do {

If the $w[t]$-bit XOR results corresponding to the $t$-th group are equal to "111...1", which can be decided by all $Y[j]$s in this group, then $\mathit{label}[t] = 1$. That is, the private vectors in the $t$-th group satisfy the uniqueness requirement. For example, there are 3 participants in the first group and it satisfies the condition that "$Y[1] = 11$" and "$Y[2] = 11$ or $Y[2] = 10$", i.e., the XOR results of the first group are equal to 111, so $\mathit{label}[1] = 1$.

}//end For

If all $\mathit{label}[t] = 1$ for $t = 1, 2, 3, 4$ then goto Step 3.

else execute the following procedures {

Each participant $P_i$ ($i = 1, 2, \ldots, n$) decides whether to regenerate his private vector $x_i$ by the sequence number (i.e., $t$) of his group and the corresponding value of $\mathit{label}[t]$. That is, if $\mathit{label}[t] = 1$, he retains his private vector unchanged; otherwise he will regenerate a new and random vector $x_i$, where only one of $w[t]$ components from the $\left(\sum_{l=1}^{t-1} w[l] + 1\right)$-th component to the $\sum_{l=1}^{t} w[l]$-th component is equal to 1, and all the other components are equal to 0.

Goto Step 2.

}

Step 3. Each participant $P_i$ ($i = 1, 2, \ldots, n$) executes the following procedures:

For $j = 1$ to $n$ do {

If $x_i[j] = 1$, then the participant $P_i$ sets $k_i = j$, where $x_i[j]$ denotes the $j$-th component of the vector $x_i$ generated privately by the participant $P_i$.

}

Fig. 6. A successful example of computing the XOR in four groups.

4.1 Analysis

In the above improved QSP protocol, we utilize the uniformity and randomness of quantum measurements to privately divide all $n$ participants into four groups with the approximate sizes, i.e., $w[t] \approx n/4$ (please see the simulated experiments later). In practical applications, we can execute the procedures of Step 1 and Step 2 in Pre-grouping multiple times to subdivide all participants into more groups. For example, it can divide all participants into eight groups by first three bits of measured results of two Bell states, and it also can divide all participants into sixteen groups by all four bits of measured results of two Bell states.

Furthermore, since different groups are independent, the participant can randomly select the location of "1" in his private vector (i.e., as the index number) and verify its correctness group by group, where the range of the location of "1" is restricted in $\left[\sum_{l=1}^{t-1} w[l] + 1, \sum_{l=1}^{t} w[l]\right]$. That is, it only needs each participant in a group to select a random number restricted in the group as his private index number and verify the successful condition of the group.

Accordingly, in the main-computing phase, the successful probability will be improved due to partitioning many groups with the small sizes. For example, there are 8 participants, evenly divided into four groups in Pre-grouping, as shown in Fig. 6, where the participants $P_1$ and $P_5$, the participants $P_2$ and $P_8$, the participants $P_3$ and $P_6$, and the participants $P_4$ and $P_7$ are privately divided into the 1st group, the 2nd group, the 3rd group and the 4th group, respectively. Accordingly, the probability of successfully generating private vectors satisfying the uniqueness in each group is $\frac{1}{2}$ and different groups are independent. Therefore, after executing the procedures of Step 2 in Main-computing at most 8 times, it can always output the right results.

By Eq. (20), the successful probability of outputting a random permutation in one round is $\frac{n!}{n^n}$. In turn, the number of necessary rounds for $n$ participants to successfully get a final permutation is $\frac{n^n}{n!}$. Furthermore, we assume that there are $m$ groups in our improved QSP protocol, where each group has about $\frac{n}{m}$ participants. Since each group is independent, the total number of necessary rounds is at most $O\left(\frac{m^m}{m!} \cdot \frac{n}{m}\right)$ (i.e., it is equivalent to implement it from parallel computing of all groups to serial computing one group after another, please refer to Fig. 7). Obviously, when $m = 1$ or 2, it achieves asymptotically optimal rounds, i.e., $O(n)$. Of course, it is difficult to divide $n$ participants into $n$ different groups, where each group has exactly one participant. In fact, if $m = 2$, then $O\left(\frac{2^2}{2!} \cdot \frac{n}{2}\right) = O(n)$; if $m = 4$, then $O\left(\frac{4^4}{4!} \cdot \frac{n}{4}\right) = O\left(\frac{8}{3} n\right) = O(n)$.

Therefore, theoretically, the communicational complexity of improved QSP protocol can achieve the worst-case linear rounds, i.e., $O(n)$.

Fig. 7. Improved QSP protocol in the worst case.

In the Pre-grouping phase, it needs $O(1)$ rounds of exchanging photons to evenly divide all participants into many groups, which transmits $O(n)$ qubits in total, and one round of performing $n$ secret sharing protocols to compute
the summation, which sends $O(n^2)$ classical messages in total.

Fig. 9. Quantum circuits of Bell-state identifications.

In the Main-computing phase, it needs to execute at most $O(n)$ rounds of For loops in Step 2, where each round of For loop transmits $n \cdot \frac{n}{2}$ photons, i.e., $O(n^2)$ qubits.

Furthermore, for the privacy of each participant's grouping, it is unconditionally (i.e., information-theoretically) secure, which is proved as follows:

Theorem 4. The privacy of each participant in the Pre-grouping phase is information-theoretically secure.

Proof. The Pre-grouping phase includes five steps, where the procedures of Step 1 and Step 2 are to divide all the participants into four groups by their respective measurement results, while the procedures from Step 3 to Step 5 are to count the number of the participants in each group by using Shamir's Secret Sharing. It is well-known that Shamir's Secret Sharing is information-theoretically secure. So, we mainly analyze the security of Step 1 and Step 2. $\square$

Fig. 8. Two collusion attacks.

If all participants honestly execute the procedures of Step 1 and Step 2, then the result of Bell-state measurement of each participant is completely unknown (i.e., ensuring the perfect privacy) due to the true randomness of quantum measurements. Furthermore, we mainly analyze the possible collusion attacks of dishonest participants. By the circular communication model, the previous participant $P_{i-1}$ and the next participant $P_{i+1}$ have the most possible opportunity to perform the collusion attack to eavesdrop on the grouping information of the participant $P_i$.

The first collusion attack is illustrated as Fig. 8(I), that is, the previous participant $P_{i-1}$ sends a photon in a known state, e.g., $|0\rangle$, to the participant $P_i$, and the next participant $P_{i+1}$ directly measures the received photon sent from the participant $P_i$ in the computational basis. Later, the participant $P_i$ measures his two photons in Bell basis. Though two dishonest participants can exactly get the states of two of three photons, they still cannot know whether the remaining one kept by $P_i$ in hand is in $|0\rangle$ or $|1\rangle$ because the two photons prepared initially by $P_i$ are randomly in one of {$|\phi_{00}\rangle$, $|\phi_{01}\rangle$, $|\phi_{10}\rangle$, $|\phi_{11}\rangle$}. Accordingly, the measurement result of $P_i$ will be one of {$|\phi_{00}\rangle$, $|\phi_{01}\rangle$, $|\phi_{10}\rangle$, $|\phi_{11}\rangle$} randomly. That is, the final measurement result of $P_i$ is still random and unknown due to the unknown of the initial Bell state prepared by $P_i$.

Fig. 10. Quantum circuits of an instance of grouping.

The second collusion attack is illustrated as Fig. 8(II), that is, the previous participant $P_{i-1}$ sends one of two photons in Bell state to the participant $P_i$ and the other to the next participant $P_{i+1}$. Furthermore, the participant $P_i$ and
the next participant $P_{i+1}$ measure their respective photons in Bell basis. Though the XOR result of their measured results is fully determined by the XOR result of the initial states, the single measured result of the participant $P_i$ is still random and unknown due to the unknown of the initial Bell state prepared by $P_i$.

Therefore, the collusion attacks are infeasible to our pre-grouping because all initial Bell states are completely unknown. In a word, the true randomness of quantum measurements and the perfect unknown of the initial states can ensure that the privacy of each participant in the Pre-grouping phase is information-theoretically secure.

In addition, the perfect privacy of each participant's initial Bell state and measured result can still guarantee unconditional security of the Main-computing phase of the improved QSP protocol, as analyzed in Theorem 3.

TABLE 1
Definitions of Notations

| Notations | Definitions |
|---|---|
| $n$ | The number of the participants |
| $P_i$ | The $i$-th participant |
| $k_i$ | The secret of the $i$-th participant |
| $x_i$ | An $n$-component vector generated by $P_i$ |
| $m$ | The group size |
| Part. | Participants |
| In-BS | Initial Bell states |
| PO | Pauli operators |
| MR | Measured results |
| Id-BS | Identified Bell states |

Fig. 11. Statistical results of 1000 experiments.

TABLE 2
Experimental Results of an Instance

| Part. | P1 | P2 | P3 | P4 | P5 | P6 | P7 | P8 |
|---|---|---|---|---|---|---|---|---|
| In-BS | $\lvert\phi_{10}\rangle$ | $\lvert\phi_{11}\rangle$ | $\lvert\phi_{01}\rangle$ | $\lvert\phi_{11}\rangle$ | $\lvert\phi_{00}\rangle$ | $\lvert\phi_{11}\rangle$ | $\lvert\phi_{00}\rangle$ | $\lvert\phi_{01}\rangle$ |
| MR | 11 | 10 | 00 | 11 | 10 | 01 | 01 | 01 |
| Id-BS | $\lvert\phi_{11}\rangle$ | $\lvert\phi_{10}\rangle$ | $\lvert\phi_{00}\rangle$ | $\lvert\phi_{11}\rangle$ | $\lvert\phi_{10}\rangle$ | $\lvert\phi_{01}\rangle$ | $\lvert\phi_{01}\rangle$ | $\lvert\phi_{01}\rangle$ |

Note. Part., In-BS, MR and Id-BS denote Participants, Initial Bell states, Measured results and Identified Bell states, respectively (please refer to Table 1 for details).

TABLE 3
Experimental Results of an Instance of Verifying Eq. (9)

| Part. | P1 | P2 | P3 | P4 | P5 | P6 | P7 | P8 |
|---|---|---|---|---|---|---|---|---|
| In-BS | $\lvert\phi_{11}\rangle$ | $\lvert\phi_{01}\rangle$ | $\lvert\phi_{01}\rangle$ | $\lvert\phi_{01}\rangle$ | $\lvert\phi_{00}\rangle$ | $\lvert\phi_{10}\rangle$ | $\lvert\phi_{11}\rangle$ | $\lvert\phi_{11}\rangle$ |
| PO | $U_{10}$ | $U_{01}$ | $U_{10}$ | $U_{11}$ | $U_{00}$ | $U_{11}$ | $U_{00}$ | $U_{10}$ |
| MR | 00 | 11 | 11 | 01 | 11 | 01 | 11 | 11 |
| Id-BS | $\lvert\phi_{00}\rangle$ | $\lvert\phi_{11}\rangle$ | $\lvert\phi_{11}\rangle$ | $\lvert\phi_{01}\rangle$ | $\lvert\phi_{11}\rangle$ | $\lvert\phi_{01}\rangle$ | $\lvert\phi_{11}\rangle$ | $\lvert\phi_{11}\rangle$ |

Note. Part., In-BS, PO, MR and Id-BS denote Participants, Initial Bell states, Pauli operators, Measured results and Identified Bell states, respectively.

Fig. 12. Quantum circuits of an instance of verifying Eq. (9).

In short, our improved QSP protocol can ensure unconditional security, i.e., information-theoretical security. In Ref. [23], the authors presented a classical scheme to generate secret permutations by performing $O(n)$ re-encryptions per participant based on ElGamal's homomorphic encryptions, which is computational security, instead of unconditional
security. In addition, there are two specially designated participants in their scheme, i.e., the first participant and the last participant, who can collude with each other to deceive other participants, e.g., they are able to select their final secrets according to their respective willingness. However, there is no specially designated participant in our QSP and improved QSP protocols, and all participants are complete peer entities and synchronously execute the protocols.

Fig. 13. Quantum circuits of computing the XOR result of all public information for the 1st group.

Fig. 14. Quantum circuits of computing the XOR result of all public information for the 2nd group.

In this paper, we only consider the semi-honest participants. We have proven that any dishonest participant or a possible malicious attacker cannot get any private information of each participant in our protocols. However, a
malicious attacker can break the successful execution of the protocols. Furthermore, like verifiable secret sharing, we can use classical/quantum bit commitment, zero-knowledge proof, and other verifiable technologies to ensure that the participants honestly execute the protocol and rightly verify the final results. In addition, when transmitting the photons through quantum channels, we also can introduce checking technologies with decoy photons to actively detect any eavesdropper.

Fig. 15. Quantum circuits of computing the XOR result of all public information for the 3rd group.

Fig. 16. Quantum circuits of computing the XOR result of all public information for the 4th group.

4.2 Simulated Experiments

Nowadays, it is widely known that preparing Bell states and performing local Pauli operators are feasible with the present quantum information processing technologies. Besides quantum resources and quantum operators, it is crucial to implement the corresponding measurements, i.e., Bell-state measurements. There are also great implementation achievements in Bell-state measurements by the newest reports [32], [33], [34]. However, it may not directly implement Bell-state measurement in some quantum simulation development environments or platforms, e.g., Qiskit of IBM. So, in our simulated experiments of improved QSP protocol, we adopt the quantum circuits of identifying Bell states to verify the correctness of proposed protocols, as shown in Fig. 9. According to the quantum circuits of Fig. 9, clearly we can identify which Bell state the input qubits are in by two single-qubit measured results in the computational basis, which are corresponding to the output bits labeled as 0 and 1 in Fig. 9. That is, if the input Bell states are
$\frac{1}{\sqrt{2}}(|00\rangle + |11\rangle)$, $\frac{1}{\sqrt{2}}(|00\rangle - |11\rangle)$, $\frac{1}{\sqrt{2}}(|01\rangle + |10\rangle)$ and $\frac{1}{\sqrt{2}}(|01\rangle - |10\rangle)$, respectively, then the measured results will be 00, 01, 10 and 11, respectively. In turn, if the measured results are 10, then we can infer that the input state should be in $\frac{1}{\sqrt{2}}(|01\rangle + |10\rangle)$.

We first perform 1000 simulated experiments of grouping in Qiskit of IBM (Qiskit-0.35.0; Python-3.8.13; OS-Linux). In our grouping experiments, we assume that there are 8 participants who will be divided into four groups, where each participant randomly prepares a two-qubit Bell state and sends a qubit to the next participant. Here, we give the detailed quantum circuits of an instance of grouping, as shown in Fig. 10, where the first phase is to prepare Bell states and the second phase is to identify Bell states. The corresponding inputs and measured results are listed in Table 2. According to the measured results, there are 1, 3, 2, and 2 participants in the 1st, 2nd, 3rd, and 4th group, respectively. For example, two participants $P_2$ and $P_5$ belong to the 3rd group.

The statistical results of 1000 experiments are shown in Fig. 11, where the probabilities of the measured results of 00, 01, 10 and 11 are 0.258, 0.248, 0.246 and 0.247, respectively. Accordingly, there are 2.064, 1.984, 1.968 and 1.976 participants on average in the 1st, 2nd, 3rd, and 4th group, respectively. That is, it verifies that all participants can be uniformly divided into four groups with approximate sizes by using our Pre-grouping procedures.

Furthermore, we carry out simulated experiments of Main-computing, whose correctness is based on Eq. (9). Here, we first verify its correctness by a large number of experiments, where the quantum circuits of an instance are shown in Fig. 12, in which the first phase, the second phase and the third phase are corresponding to preparing Bell states, performing Pauli operators and identifying Bell states (i.e., measurements), respectively. Accordingly, the measured results are listed in Table 3.

Fortunately, all our experiments verify that Eq. (9) is correct, i.e., the XOR result of all measured results of any instance is equal to that of the features of all initial Bell states and all applied Pauli operators.

Finally, we do a group of successful experiments of Main-computing. Here, we utilize the same example as shown in Fig. 6, i.e., we adopt the same grouping situation and the same input of each participant. The detailed quantum circuits of computing the XOR results of the 1st, 2nd, 3rd, and 4th group are shown in Figs. 13, 14, 15, and 16, respectively.

When computing the XOR results of the $j$-th group, only the participants in the group perform the corresponding Pauli operators $U_{x_i[2j-1]x_i[2j]}$, while other participants perform the operator $U_{00}$, i.e., $I$, so that it only needs to verify whether it will satisfy the successful condition of the $j$-th group. For example, in Fig. 13, the first group includes two participants $P_1$ and $P_5$. According to Fig. 13, the participant $P_1$ prepares the initial Bell state $|\phi_{10}\rangle$ and performs the Pauli operator $U_{01}$ (i.e., $x_1[1]x_1[2] = 01$), and later his measured results are "01", so $y[1] = 11$. Similarly, the participant $P_5$ prepares the initial Bell state $|\phi_{00}\rangle$ and performs the Pauli operator $U_{10}$ (i.e., $x_5[1]x_5[2] = 10$), and accordingly his measured results are "00", so $y[5] = 00$. Furthermore, the public $y[i]$s of all participants for every group are listed in Table 4, which can easily verify that the XOR result of each group is equal to "11". That is, it satisfies the successful condition of each group. In addition, we can easily see that the XOR result of the features of Pauli operators of all participants is also equal to "11" in Fig. 13.

TABLE 4
The Verification of an Example of Main-Computing

| Group | P1 | P2 | P3 | P4 | P5 | P6 | P7 | P8 |
|---|---|---|---|---|---|---|---|---|
| 1 | 11 | 00 | 00 | 10 | 00 | 01 | 01 | 10 |
| 2 | 00 | 01 | 00 | 10 | 00 | 00 | 10 | 10 |
| 3 | 00 | 01 | 00 | 10 | 01 | 00 | 00 | 01 |
| 4 | 11 | 01 | 00 | 01 | 01 | 11 | 11 | 01 |

In a word, our simulated experiments verify the correctness and the feasibility of the improved QSP protocol.

5. CONCLUSION

In this paper, we defined a new cryptographic primitive, i.e., Secret Permutating. Furthermore, we attempted the designing idea of sacrificing a lot of relatively simple quantum resources for the unconditional security and the good feasibility of the designed protocol. Accordingly, we designed a novel Quantum Secret Permutating protocol with Bell states and Bell measurements. One of the greatest advantages of this protocol is that there is no third party to distribute the secrets.

What's more, to reduce the communicational rounds, we adopted the strategy of privately and evenly pre-grouping by using entanglement swapping, and further proposed the improved QSP protocol, which can achieve the worst-case linear rounds of quantum communications. Like Secret Sharing, there are also many promising applications of Secret Permutating as building blocks to compute other more complicated cryptographic tasks, e.g., secure multiparty summation, private set operation and anonymous voting.

In a word, we offer an innovative idea to solve some complicated cryptographic tasks based on quantum mechanics. Especially, we believe that uniform and private grouping based on quantum measurements will play an important role in distributed computations with the protection of privacy.

REFERENCES

[1] F. Arute et al., “Quantum supremacy using a programmable superconducting processor,” Nature, vol. 574, no. 7779, pp. 505–510, 2019.
[2] H. S. Zhong et al., “Quantum computational advantage using photons,” Science, vol. 370, no. 6523, pp. 1460–1463, 2020.
[3] C. H. Bennett and G. Brassard, “Quantum cryptography: Public-key distribution and coin tossing,” in Proc. IEEE Int. Conf. Comput. Syst. Signal Process., 1984, pp. 175–179.
[4] M. A. Nielsen and I. L. Chuang, Quantum Computation and Quantum Information, Cambridge, U.K.: Cambridge Univ. Press, 2000.
[5] H. Kwon and J. Bae, “A hybrid quantum-classical approach to mitigating measurement errors in quantum algorithms,” IEEE Trans. Comput., vol. 70, no. 9, pp. 1401–1411, Sep. 2021.
[6] E. Muñoz-Coreas and H. Thapliyal, “Quantum circuit design of a t-count optimized integer multiplier,” IEEE Trans. Comput., vol. 68, no. 5, pp. 729–739, May 2019.
[7] C. Wei, X. Cai, B. Liu, T. Wang, and F. Gao, “A generic construction of quantum-oblivious-key-transfer-based private query with ideal database security and zero failure,” IEEE Trans. Comput., vol. 67, no. 1, pp. 2–8, Jan. 2018.
[8] P. O. Boykin and V. Roychowdhury, “Optimal encryption of quantum bits,” Phys. Rev., vol. 67, no. 4, 2003, Art. no. 042317.
[9] G. L. Long and H. Zhang, “Drastic increase of channel capacity in quantum secure direct communication using masking,” Sci. Bull., vol. 66, no. 13, pp. 1267–1269, 2021.
[10] X. Liu et al., “Practical decoy-state quantum secure direct communication,” Sci. China: Phys. Mechanics Astron., vol. 64, no. 12, 2021, Art. no. 120311.
[11] R. H. Shi et al., “Quantum oblivious set-member decision protocol,” Phys. Rev., vol. 92, no. 2, 2015, Art. no. 022309.
[12] R. H. Shi et al., “Quantum private set intersection cardinality and its application to anonymous authentication,” Inform. Sci., vol. 370–371, pp. 147–158, 2016.
[13] J. Gu, X. Y. Cao, H. L. Yin, and Z. B. Chen, “Differential phase shift quantum secret sharing using a twin field,” Opt. Exp., vol. 29, no. 6, pp. 9165–9173, 2021.
[14] Z. Li et al., “Finite-key analysis for quantum conference key agreement with asymmetric channels,” Quantum Sci. Technol., vol. 6, no. 4, 2021, Art. no. 045019.
[15] X. Y. Cao, J. Gu, Y. S. Lu, H. L. Yin, and Z. B. Chen, “Coherent one-way quantum conference key agreement based on twin field,” New J. Phys., vol. 23, 2021, Art. no. 043002.
[16] R. H. Shi, “Quantum multiparty privacy set intersection cardinality,” IEEE Trans. Circuits Syst. II, Exp. Briefs, vol. 68, no. 4, pp. 1203–1207, Apr. 2021.
[17] R. H. Shi, “Quantum sealed-bid auction without a trusted third party,” IEEE Trans. Circuits Syst. I, Reg. Papers, vol. 68, no. 10, pp. 4221–4231, Oct. 2021.
[18] Q. L. Wang, C. H. Yu, F. Gao, H. Y. Qi, and Q. Y. Wen, “Self-tallying quantum anonymous voting,” Phys. Rev. A, vol. 94, 2016, Art. no. 022333.
[19] H.-K. Lo, M. Curty, and B. Qi, “Measurement-device-independent quantum key distribution,” Phys. Rev. Lett., vol. 108, 2012, Art. no. 130503.
[20] F. Xu, B. Qi, Z. Liao, and H.-K. Lo, “Long distance measurement-device-independent quantum key distribution with entangled photon sources,” Appl. Phys. Lett., vol. 103, 2013, Art. no. 061101.
[21] M. Lucamarini et al., “Overcoming the rate-distance limit of quantum key distribution without quantum repeaters,” Nature, vol. 557, pp. 400–403, 2018.
[22] X. B. Wang, Z. W. Yu, and X. L. Hu, “Twin-field quantum key distribution with large misalignment error,” Phys. Rev. A, vol. 98, 2018, Art. no. 062323.
[23] C. Studholme and I. F. Blake, “Multiparty computation to generate secret permutations,” IACR Cryptol. ePrint Arch., vol. 2007, 2007, Art. no. 353.
[24] D. Mardi, S. Tanwar, and J. Howlader, “Multiparty protocol that usually shuffles,” Secur. Privacy, vol. 4, no. 6, 2021, Art. no. e176.
[25] I. Damgård, Y. Ishai, and M. Krøigaard, “Perfectly secure multiparty computation and the computational overhead of cryptography,” in Proc. Annu. Int. Conf. Theory Appl. Cryptographic Techn., 2010, pp. 445–465.
[26] R. H. Shi, “Useful equations about bell states and their applications to quantum secret sharing,” IEEE Commun. Lett., vol. 24, no. 2, pp. 386–390, Feb. 2020.
[27] R. H. Shi and Y. F. Li, “A feasible quantum sealed-bid auction scheme without an auctioneer,” IEEE Trans. Quantum Eng., vol. 3, pp. 1–12, 2022.
[28] T. Nakai et al., “Efficient card-based cryptographic protocols for millionaires’ problem utilizing private permutations,” in Proc. Int. Conf. Cryptol. Netw. Secur., 2016, pp. 500–517.
[29] R. H. Shi, B. Liu, and M. Zhang, “Measurement-device-independent quantum secure multiparty summation,” Quantum Inf. Process., vol. 21, 2022, Art. no. 122.
[30] R. H. Shi, “Quantum private computation of cardinality of set intersection and union,” Eur. Phys. J. D, vol. 72, no. 12, 2018, Art. no. 221.
[31] A. Shamir, “How to share a secret,” Commun. ACM, vol. 22, no. 11, pp. 612–613, 1979.
[32] S. Welte et al., “A nondestructive Bell-state measurement on two distant atomic qubits,” Nature Photon., vol. 15, pp. 504–509, 2021.
[33] B. P. Williams, R. J. Sadlier, and T. S. Humble, “Superdense coding over optical fiber links with complete bell-state measurements,” Phys. Rev. Lett., vol. 118, 2017, Art. no. 050501.
[34] W. H. Zhang et al., “Experimental realization of robust self-testing of bell state measurements,” Phys. Rev. Lett., vol. 122, 2019, Art. no. 090402.

Run-Hua Shi received the PhD degree in information security from the University of Science and Technology of China, Hefei city, China, in 2011. He is currently a professor with North China Electric Power University. His current research interest includes classical/quantum cryptographic algorithms/protocols and their applications.

Yi-Fei Li received the bachelor degree in information security from North China Electric Power University, Beijing city, China, in 2019. He is currently working toward the master’s degree in computer science and technology with North China Electric Power University. His main works are quantum computing and quantum circuits.
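The label check and per-group regeneration of the Main-computing phase (Section 4), as an added classical sketch that is not the authors' Qiskit circuits: the entanglement-swapping layer is replaced by the XOR relation the text attributes to Eq. (9), with measured results modelled as uniform under that constraint (an assumption), and all function names are hypothetical. The grouping and the `TABLE_4` values are copied from the Fig. 6 example and Table 4.

```python
import random
from functools import reduce
from operator import xor

# Grouping of the Fig. 6 example in the text: 8 participants, four groups of two.
GROUP_OF = {1: 1, 5: 1, 2: 2, 8: 2, 3: 3, 6: 3, 4: 4, 7: 4}   # P_i -> group t
W = [2, 2, 2, 2]                                               # w[t], group sizes
# Table 4 of the text: public y[i] of P1..P8 for each group's XOR computation.
TABLE_4 = {1: "11 00 00 10 00 01 01 10", 2: "00 01 00 10 00 00 10 10",
           3: "00 01 00 10 01 00 00 01", 4: "11 01 00 01 01 11 11 01"}


def row_xor(row):
    """XOR of a row of 2-bit strings, returned as a 2-bit string."""
    return format(reduce(xor, (int(v, 2) for v in row.split())), "02b")


def group_range(w, t):
    """1-based inclusive range of components reserved for group t."""
    lo = sum(w[:t - 1]) + 1
    return lo, lo + w[t - 1] - 1


def draw_vector(n, w, t, rng):
    """One-hot private vector x_i whose single 1 lies in group t's range."""
    lo, hi = group_range(w, t)
    x = [0] * n
    x[rng.randint(lo, hi) - 1] = 1
    return x


def public_values(features, rng):
    """Public y[i] for one loop iteration j (classical stand-in, an assumption).

    features[i] is x_i[2j-1]x_i[2j] as an int 0..3. Initial Bell-state features
    are uniform; measured results are modelled as uniform subject only to
    Eq. (9): XOR(measured) = XOR(initial) XOR XOR(features).
    """
    initial = [rng.randrange(4) for _ in features]
    measured = [rng.randrange(4) for _ in features[1:]]
    target = reduce(xor, initial) ^ reduce(xor, features)
    measured.append(reduce(xor, measured, target))
    return [s ^ m for s, m in zip(initial, measured)]


def xor_bits(vectors, rng):
    """Concatenate Y[1], Y[2], ... into one n-bit list, as read off the board."""
    n = len(vectors[0])
    bits = []
    for j in range(0, n, 2):
        feats = [(x[j] << 1) | (x[j + 1] if j + 1 < n else 0) for x in vectors]
        big_y = reduce(xor, public_values(feats, rng))
        bits += [big_y >> 1, big_y & 1]
    return bits[:n]


def labels(w, bits):
    """label[t] = 1 iff all w[t] XOR bits in group t's range equal 1."""
    out = []
    for t in range(1, len(w) + 1):
        lo, hi = group_range(w, t)
        out.append(int(all(bits[lo - 1:hi])))
    return out


def run_main_computing(group_of, w, seed=0, max_rounds=10_000):
    """Repeat Step 2 until every label is 1; return ({i: k_i}, rounds used)."""
    rng = random.Random(seed)      # reproducible demo RNG, not secret randomness
    n = sum(w)
    x = {i: draw_vector(n, w, t, rng) for i, t in group_of.items()}
    for rounds in range(1, max_rounds + 1):
        lab = labels(w, xor_bits([x[i] for i in sorted(x)], rng))
        if all(lab):
            return {i: v.index(1) + 1 for i, v in x.items()}, rounds
        for i, t in group_of.items():
            if not lab[t - 1]:     # only members of failed groups regenerate
                x[i] = draw_vector(n, w, t, rng)
    raise RuntimeError("no permutation found within max_rounds")


if __name__ == "__main__":
    secrets, rounds = run_main_computing(GROUP_OF, W, seed=1)
    print("k_i:", dict(sorted(secrets.items())), "rounds:", rounds)
    print("Table 4 row XORs:", {t: row_xor(r) for t, r in TABLE_4.items()})
```

Because each one-hot vector stays inside its own group's range, all-ones XOR bits in a group mean every position there is taken exactly once, so `labels` alone certifies uniqueness without revealing who holds which index.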
