Quantum Inf Process (2014) 13:71–84DOI 10.1007/s11128-013-0708-4

Differential phase shift quantum private comparison

Xing-tong Liu · Bo Zhang · Jian Wang ·Chao-jing Tang · Jing-jing Zhao

Received: 10 May 2013 / Accepted: 26 November 2013 / Published online: 17 December 2013© Springer Science+Business Media New York 2013

Abstract A novel quantum private comparison protocol based on a differential phaseshift scheme is presented in this paper. In our protocol, two distrustful participantscan compare the equality of information with the help of a semi-honest third party.Taking advantages of differential phase shift scheme, this protocol employs weakcoherent pulses instead of single photons and can be implemented without expen-sive and impractical quantum devices, such as entangled photon source and quantummemory. Therefore, it is simpler and more flexible than previous protocols. More-over, in principle, nearly 100 % qubit efficiency can be achieved because all photoncounts obtained by TP contribute to the comparison. The correctness and security ofthe protocol are also discussed.

Keywords Quantum private comparison · Differential phase shift · Weak coherentpulse · Qubit efficiency

1 Introduction

Secure multiparty computation (SMC) has long been the object of intensive study inclassical cryptography. It originated in the millionaire problem introduced by Yao [1],in which two millionaires wish to determine who is richer without knowing theiractual property. As a special and important branch of SMC, private comparison wasproposed to solve an important variant of the millionaire problem, which is to comparethe equality of two parties’ secret information privately, without disclosing any actual

X. Liu (B) · B. Zhang · J. Wang · C. Tang · J. ZhaoSchool of Electronic Science and Engineering, National University of Defense Technology,Changsha 410073, Hunan, People’s Republic of Chinae-mail: liuxingtong@nudt.edu.cn; xingtongliu.nudt@gmail.com

123

72 X. Liu et al.

information [2]. It has wide application in private bidding and auctions, secret ballotelections, e-commerce and data mining.

However, the security of SMC is based on the computational complexity assump-tions. Nowadays, with the rapid development of quantum mechanics, the applicationsof quantum mechanics in many aspects of information technology have been paidmore and more attention; especially, the presentation of quantum algorithms [3] madepeople aware of that security of classical cryptography systems can be seriously men-aced by the construction of a quantum computer. Fortunately, up to now, quantumcryptography, which guarantees unconditionally security of the information by quan-tum mechanics, is regarded as one promising way to solve this security problem. Sincethe pioneer work of quantum cryptography was proposed by Bennett et al. [4], varioussecure protocols have been proposed, such as quantum key distribution [4–6], quantumsecret sharing [7–9], quantum secure direct communication [10–13], quantum privatequeries (QPQ) [14–16] and so on.

Under the circumstances, protocols for some special secure multiparty quantumcomputation problems have been presented, such as quantum voting [17,18], quan-tum auction [19–21], protocols for millionaire [22,23] and so on. In these quantumcomputation scenarios, quantum private comparison (QPC) can be used to privatelycompare the equality of player’s information without any complex computation. For itsimportance and wide applicability, recently, many protocols for QPC were proposed[24–40]. Summarizing all of the methods for QPC, some principles should be fol-lowed in constructing QPC protocols, as described in Ref. [31]. Firstly, if the protocolreferred to the Mayers-Lo-Chau no-go theorem [41], an honest or semi-honest thirdparty (TP) is an essential participant to help the two parties accomplish the comparisonprocedure securely. The concept of semi-honest means that the TP will always followthe procedure of the protocol and never be corrupted by outside attackers, but he willbe curious about the secrets and try to disclose them through intermediate computa-tions. Secondly, the result of comparison and positions of different bit values in privateinformation might be known by TP, but he will never know the actual bit values ofthe private information. Thirdly, other participants should not know the positions ofdifferent bit values.

Following the above principles, many protocols have been presented to solve theQPC problem, and these protocols can be roughly classified into two categories, pro-tocols based on entanglement [24,26–32,34–36,38–40] and protocols using singlephotons [25,33,37]. The earliest QPC protocol using EPR pairs is designed by Yangand Wen [24]. In that protocol, a semi-honest TP takes responsibility for prepare pho-tons and sends them to the two players, and both players encode their informationby performing local unitary operations. To enhance the security, decoy photons andoptical filters are also used to avoid QND and Trojan horse attacks. Chen et al. [26]proposed a QPC protocol via GHZ state. One of the nice features of their protocol isthat after distributing GHZ states for the two parties, they can accomplish the com-parison by classical information exchange. To increase the qubit efficiency, Tseng etal. [31] proposed a new QPC protocol by using EPR pairs, in which nearly 50 % qubitefficiency can be achieved. Recently, W-state, cluster state, X-type state, chi-type stateand d-dimensional Bell states are also used to construct QPC protocols. On the otherhand, protocols using single photons demonstrate that QPC can be completed without

123

Differential phase shift quantum private comparison 73

entanglement. The first QPC protocols involving only single photons is presented byYang et al. [25,33]. In their protocol, the TP prepares an ordered polarized singlephoton sequence into one of the four nonorthogonal states randomly and sends it totwo parties: Alice and Bob. The two parties perform unitary operations on the singlephoton sequence in turn to encode their secret information, and then, the TP measuresthe photons to obtain the information and completes the comparison. Decoy photonsequence and quantum memory are also employed for security. Other two protocolswere proposed by Liu et al. [37], employing single photons and collective detection.To reduce the cost of practical realization, in these protocols, both two parties neednot to afford expensive quantum devices, and all high cost devices such as qubit gen-erating machine, quantum memory and quantum measuring machine are paid by thesemi-honest TP.

However, aforementioned methods for QPC are not free from a number of draw-backs. On the one hand, almost all of the previous protocols rely on entangled quantumstates or quantum memory. So far, it is still quite inconvenient for preparing entangledstates, and it is even unrealistic to adopt quantum memory in practical quantum crypto-graphic protocols. This means, nowadays, previous protocols can be demonstrated inlaboratory only, but it still has a long way to go for practical applications. On the otherhand, the security of QPC protocols both in theoretical and practical conditions shouldbe further considered. Some of previous protocols have been proven to be vulnerableto some special attacks [23,42–44].

Focusing on practical implementations, in this paper, we present a novel andexperiment feasible quantum private comparison protocol. In Ref. [33], Yang etal. point out that QPC protocols can be constructed by adapting the currentquantum three-party secret sharing models properly. Following this idea, we pro-pose a new QPC scheme called differential phase shift quantum private com-parison (hereafter called DPS-QPC), which is constructed by adapting the dif-ferential phase shift quantum secret sharing (DPS-QSS) scheme [9]. Our QPCscheme has some intriguing features. Firstly, unlike the previous protocols, thepresent protocol does not require neither entanglement nor quantum memory. Itemploys weak coherent pulse train instead of individual photons, and the trans-mission distance is not limited by the PNS attack in practical fiber communi-cation. Secondly, in principle, nearly 100 % qubit efficiency can be achieved inDPS-QPC protocol, much higher than other protocols. At the aspect of qubit effi-ciency, the present scheme is an optimal one. Thirdly, the same as protocols inRef. [37], both the two players need not to equip expensive quantum devices, suchas qubit generating machine and quantum measuring machine, and only simpleoptical devices are required, such as phase modulator, beam splitter and monitordetector. This may help to reduce the cost of practical realization. Most impor-tantly, the proposed protocol can be seen as a slight deformation of DPS-QSS.Since lots of prior researches [45–58] have focused on the feasibility and theoret-ical security of differential phase shift quantum cryptography, the proposed DPS-QPC protocol can be implement easily, and former security analysis of the differ-ential phase shift quantum cryptography may help to analyze the security of ourprotocol.

123

74 X. Liu et al.

2 Differential phase shift quantum private comparison

In this section, a DPS-QPC protocol is described. TP is assumed to be a semi-honestTP. She will faithfully follow the procedure of this protocol and compare the equalityof two parties’ information, but she may try to derive their information from publicinformation and records of all intermediate results. Based on this QPC scenario, asimple diagram of the proposed DPS-QPC protocol is shown in Fig. 1, and the processof the protocol can be depicted as follows.

Quantum Phase:

Step 1. TP first sends a pulse train of weak coherent states, with a randomly selectedphase {0, π} for each pulse. The photon number in each pulse is less thanone photon on average. The coherence time of the pulse train is much longerthan the pulse interval �T . Then, she forms a binary string X , by record-ing each state with a binary variable xi , xi ∈ {0, 1}, according to the phaseshe modulated. In detail, she sets xi = 0 if the weak signal pulse is phase-modulated by 0 and xi = 1 if the weak signal pulse is phase-modulatedby π .

Step 2. When the signal comes to Alice, she first splits the signal by using a beamsplitter. Then, she checks the photon count rate by using monitor detec-

Fig. 1 Configuration of the proposed scheme. PM phase modulator, Det photon detector, MD monitordetector

123

Differential phase shift quantum private comparison 75

tor MD1. If the photon count rate is higher than normal, Alice aborts theprotocol. Otherwise, she generates a random bit sequence Y , yi ∈ {0, 1}and phase-modulates the i th received signal pulse by 0 if yi = 0 orby π if yi = 1. Finally, she sends the phase-modulated signal pulse toBob.

Step 3. When the signal comes to Bob, he performs the same operations as Alicedoes. He first checks the photon count rate by using monitor detector MD2.If the photon count rate is normal, he generates a random bit sequence Z ,zi ∈ {0, 1} and phase-modulates the i th pulse by 0 or π according to zi = 0or zi = 1, respectively. Then, he sends it to TP. Otherwise, Bob aborts theprotocol.

Step 4. TP measures the phase difference between every two adjacent pulses withan unbalanced Mach–Zehnder interferometer whose path-length differenceis equal to the time interval �T of the incoming pulses. Then, she recordsmeasurement results with binary variables ui and vi . In detail, if TP gets aphoton count when the phase difference is zero, she sets ui = 1 and vi = 0;if she gets a photon count when the phase difference is π , she sets ui = 1 andvi = 1. Otherwise, she sets ui = 0 and vi = 0.

Classical Phase:

Step 5. After TP gets sufficient photon counts, she publishes the bit sequence for allui .

Step 6. TP, Alice and Bob generate x ′i = xi

⊕xi−1, y′

i = yi⊕

yi−1 and z′i =

zi⊕

zi−1 for i > 1, respectively.Step 7. In order to prevent eavesdropping, TP, Alice and Bob publish some value

of vi , x ′i , y′

i and z′i corresponding to ui = 1 in random order to test if

vi = x ′i

⊕y′

i

⊕z′

i . Then, they calculate the qubit error rate (QBER). If theQBER they suffer is higher than normal, they abort the protocol.

Step 8. The three parties discard both the vi , x ′i , y′

i and z′i that correspond to

ui = 0 and the values they have published before. Then, they perform errorcorrection and privacy amplification on the remaining sift bits. Thus, TPobtains two key bit strings, which are denoted as VT and XT. Alice andBob individually obtain one key bit string, denoted by YA and ZB, respec-tively.

Step 9. Alice and Bob pick up a portion of their secrets, denoted as MA and MB,which have the same length as YA and ZB. Then, they apply exclusive or(XOR) operation on their secret bit sequence and key bit sequence bit by bit.Later, they individually obtain a new bit sequence, denoted as CA and CB(i.e., CA = MA

⊕YA, CB = MB

⊕ZB), respectively. They send CA and

CB to TP via a public channel.Step 10. TP computes the XOR res4ult RC of VT, XT, CA and CB(i.e., RC =

VT⊕

XT⊕

CA⊕

CB). Then, TP can deduce comparison result by check-ing if all classic bits in RC are “0”. In detail, if there is a bit “1” in RC, TPpublishes the result that Alice’s and Bob’s information is different. Otherwise,TP announces that their secret information is identical.

123

76 X. Liu et al.

3 Analysis

3.1 Correctness

In the proposed DPS-QPC protocol, the three parties encode their key information inthe phase difference of adjacent pulses. When TP measures the received signal pulse,the measurement result is determined by the total differential phase. In detail, if the bitvalues of x ′

i , y′i and z′

i is {0,0,0}, {0,1,1}, {1,0,1} or {1,1,0}, the corresponding dif-ferential phases imposed by them are {0,0,0}, {0,π ,π}, {π ,0,π} or {π ,π ,0}. It meansthat the total differential phase in the i th time slot is 0 and detector 1 counts a photon.On the other hand, if the bit values of x ′

i , y′i and z′

i are {0,0,1}, {0,1,0}, {1,0,0} and{1,1,1}, the corresponding differential phases imposed by them are {0,0,π}, {0,π ,0},{π ,0,0} and {π ,π ,π}. It means that the total differential phase in the i th time slot isπ and detector 2 counts a photon. Thus, whatever the bit values of x ′

i , y′i and z′

i are,the final bit value which the TP gets in the i th time slot is XOR of the three parties’original bits (i.e.,vi = x ′

i

⊕y′

i

⊕z′

i ).If TP has got sufficient photon counts, the three parties can perform error correction

to correct the errors between their strings. One method for error correction in this QPCscenario is performing a modified Cascade protocol as in Ref. [9]: First, as in step 7,the three parties randomly publish some value of vi , x ′

i , y′i and z′

i corresponding toui = 1 to estimate QBER. After they have calculated the QBER, they discard thesepublished bits. Then, as in step 8, they also discard all the bits corresponding to ui = 0.For the remaining bits, they perform the error correction protocol as following. Forcorrecting all the errors in raw bit strings, the error correction protocol should be runn passes iteratively. Hence, they first determine the number n of passes according tothe QBER and divide their own bit strings into blocks with equal number of bits, eachblock contains one bit error on average. Then, they calculate the parity of each of theirown blocks. Alice and Bob tell TP their own parities. TP checks whether his own parityof the block formed by corresponding vi is the XOR of the parity of the three blocksformed by corresponding x ′

i , y′i and z′

i , respectively. If a parity mismatch happens, theycan conclude that there is an odd number of errors in this block. Then, they perform abinary search until TP finds an error bit. After all blocks have been checked, they starta new pass. In each new pass, they must agree on a random permutation which theyapply to their strings and divide their permuted strings into blocks with double size.After it has been run n passes, the task of error correction is accomplished. Then, theyperform privacy amplification to remove the information leakage induced by both theerror correction process and the eavesdropper.

After the key distillation process, they obtain four bit strings as VT = XT⊕

YA⊕ZB. Then, in the classical phase, the TP computes the XOR result RC of VT, XT,

CA and CB, notice that CA = MA⊕

YA, CB = MB⊕

ZB, we have

RC = VT

⊕XT

⊕CA

⊕CB

= VT

⊕XT

⊕ (MA

⊕YA

) ⊕ (MB

⊕ZB

)

= VT

⊕XT

⊕YA

⊕ZB

⊕MA

⊕MB

123

Differential phase shift quantum private comparison 77

= VT

⊕VT

⊕MA

⊕MB

= MA

⊕MB (1)

The final comparison result RC is equal to XOR of the two parties’ private information.If their private information is identical, all classical bits in RC are “0”. Otherwise,there is at least one bit “1” in RC. Through checking all the bits value in RC, QPC isaccomplished by TP.

3.2 Security analysis

Security of above DPS-QPC protocol is analyzed in this subsection. We firstly considerthe security of this protocol in the case that an external eavesdropper attempts to obtaininformation about their secrets. Secondly, we analyze the case that dishonest Alice orBob wants to learn the private information from the other one. Finally, the case thatthe semi-honest TP tries to get knowledge about their secrets is taken into account.

Case 1 External eavesdropper

For an external eavesdropper Eve, she may try to attack the protocol both in thequantum phase and the classical phase. On one hand, when Eve attacks in the quantumphase, two strategies may be performed to obtain the private information. One of themis an intercept and resend strategy. As depicted in Fig. 2, firstly, Eve intercepts thepulses from TP and stores them in his quantum memory. Then, she uses same apparatusas TP to send signal pulses to Alice and Bob, respectively. After they phase modulatethese pulses, Eve measures them to obtain private information. Finally, Eve phasemodulates pulses stored in her quantum memory according to the private informationshe obtained a moment ago and sends them to TP. When the average photon numberof each pulse which is sent to Alice and Bob by Eve is more than one, Eve can counta photon at every time slot and she may obtain all the private information withoutinducing errors. Fortunately, in our protocol, monitoring detectors are equipped byboth Alice and Bob. They can monitor the photon count rate of these detectors tocheck if the average photon number per pulse is less than one. Thus, Eve has nooption but to send pulse train with an average photon number per pulse less than one.Obviously, both Eve and TP cannot get photon count at every time slot. If both Eve andTP get a photon count at the i th time slot, Eve has obtained one bit private informationfrom Alice or Bob. However, if TP gets a photon count at the (i −1)th or (i +1)th timeslot, an additional 50 % error rate will be induced by Eve and no private informationis revealed. To sum up these two situation, an additional 25 % overall error rate willbe observed by TP. Therefore, Eve’s eavesdropping will be disclosed in the test bitchecking. In detail, if there is no eavesdropping behavior, the bit error rate e onlydepends on the communication system. It can be estimated by the expression [45]

e = ξ(n̄T + d) + d2

n̄T + d. (2)

where n̄ is the average photon number per pulse, T is the channel transmittance, d isthe detector dark count rate and ξ is the baseline error rate of the system due to imper-

123

78 X. Liu et al.

Fig. 2 Configuration of intercept-resend attack strategy. PM phase modulator, Det photon detector, MDmonitor detector, M.D. measurement devices, QM quantum memory

fections in state preparation, channel induced noise and imperfect detection apparatus.If the bit error rate is higher than e, they can judge that there is an eavesdropper inthe channel. However, for a powerful Eve, her capability can be out of reach for theforeseeable future, for example, she can replace a lossy fiber with her lossless fiber,or uses perfect detectors and so on. In any case, she will try her best to reduce thesystem errors and make the three participants believe that all of the bit errors inducedby her is caused by imperfect communication system. At the worst, all the systemerrors can be removed by Eve. Thus, if the bit error rate induced by her attack isless than e, Eve can avoid to be detected. In this case, the information she obtainedcan be estimated as follows. Defined μ as the average number of photons per pulse,according to Ref. [45,59], the probability that she obtains Alice’s or Bob’s differentialphase information at a certain time slot is 2μ, because Eve can adopt ideal apparatus,which make two corresponding pulses interfere with each other perfectly. Then, theprobability that Eve do not know Alice’s or Bob’s information at a certain time slot is1−2μ. Notice that only with probability (2μ)2, Eve can obtain both Alice’s and Bob’sinformation, and the probability that Eve do not know the total differential phase ata certain time slot is 1 − (2μ)2, and therefore, the bit error rate induced by Eve at acertain time slot is (1 − (2μ)2)/2. Given the system error rate e, the upper bound forthe allowable rate of Eve’s intercept–resend attack, α, is calculated as follows:

123

Differential phase shift quantum private comparison 79

α(

1 − (2μ)2)

/2 = e (3)

Then we have

α = 2e

1 − (2μ)2 (4)

The other attack is a beamsplitter strategy, in which Eve uses beamsplitters to splitoff a fraction of signal pulses and then measures them to obtain private information. Alossless channel is also used to keep the communication rate unchanged. This strategywill not induce additional error rate, but only very little information will be stolenby Eve when the average number of photons per pulse is small. The revealed part ofsecret information can be estimated as follows: Eve inserts one beamsplitter in thechannel that connects the output port of Bob with the input port of TP. Assumingthe channel transmittance is T , the probability that TP observes a detection event ata certain time slot is μT . In order to keep TP’s count rate unchanged, Eve replacesthe lossy fiber with her lossless one and transmit one beam with an average photonnumber of μT to TP through it. Thus, she can split off the other beam with an aver-age photon number of μ(1 − T ). She stores these pulses in her quantum memory.After TP publishes the time slots of his detection events, Eve can measure corre-sponding split pulses in her quantum memory. Since Eve can adopt ideal apparatuswhich make two corresponding pulses interfere with each other perfectly, the prob-ability she observes a detection event at a certain time slot is 2μ(1 − T ). Then, ifTP gets a measurement result of N bits, only 2μ(1 − T )N bits may be obtained byEve. When μ is small, only a small amount of information can be revealed. We mustnotice that, under this attack, the revealed information is all about TP’s measurementresults, and Eve only knows the XOR of the three parties’ phase modulation data. IfEve wants to get knowledge about Alice’s or Bob’s private information, she shouldinsert more beamsplitters in the channel and splits the pulse train into three or moreparts. Only Eve gets photon counts from all split parts of the pulse train at the sametime slot as TP, and she can obtain Alice’s and Bob’s bit. Obviously, in this case, theinformation bits learned by Eve are always less than 2μ(1 − T )N . The three par-ties can remove the revealed part of secret information in the private amplificationphase.

In the terms of security, for an external eavesdropper Eve, the quantum phase ofthis protocol can be considered as a slight deformation of the original DPS-QKDprotocol. The security of this protocol also originates from the DPS scheme. To date,the unconditional security of the DPS scheme against individual attacks is proven inRef. [45]. It is also true for our protocol, so we discuss about the security of this protocolonly under two typical individual attacks here. Against more complicated and generalattacks, which are known as coherent or joint attacks, the proof of the unconditionalsecurity of DPS scheme is still uncompleted. To our knowledge, DPS-QKD protocolis proven to be secured only in the noiseless case or under the condition that perfectsingle photon source is used [48,54], so it is far beyond the scope of this paper todiscuss about this issue, but these previous security analyses can be utilized when weconsider the security of the DPS-QPC protocol against an external eavesdropper.

123

80 X. Liu et al.

On the other hand, in the classical phase, Eve can only infer the bit sequences CAand CB. Because the private information in the two bit sequences is encrypted by XORoperation with Alice’s and Bob’s own key generated in the quantum phase, Eve has noprobability to steal private information from the two published sequences when sheobtained no information in the quantum phase.

Case 2 Dishonest Alice or Bob

As the same as QSS, in the QPC scenario, Alice and Bob do not trust in each other.This means the QPC protocol must be secured against Alice’s or Bob’s betrayal. Thesecurity analysis of DPS-QPC against dishonest Alice or Bob is similar to DPS-QSS.The difference between the two protocols is that in the DPS-QSS protocol, Alice andBob use different attack strategies and initial signal pulses are send by Alice. However,in our DPS-QPC protocol, the attack strategies they used are the same and initial signalpulses are prepared by TP. Notice that Alice and Bob play the same role in the protocol,without loss of generality, we suppose Bob to be the dishonest one. Because there isno private information revealed in the classical phase, if Bob wants to obtain Alice’sprivate information, he must try to steal Alice’s secret key in the quantum phase.In order to pass test bit check in step 7, Bob needs to get knowledge about Alice’smodulation phase. However, in our protocol, the signal pulses are send by TP. If Bobperforms the same attack strategy used in the DPS-QSS, from the measurement resultshe obtained, he cannot distinguish the TP’s and Alice’s modulation phase, so he hasno idea about Alice’s secret bit. Because strategies used in DPS-QSS cannot work, ainstead one he may choose to do so is depicted in Fig. 3. Firstly, Bob makes the initialsignal pulse train bypass Alice and sends a pulse train which prepared by himself

Fig. 3 Schematic of eavesdropping by dishonest Bob. PM phase modulator, Det photon detector, MDmonitor detector, M.D. measurement devices, QM quantum memory

123

Differential phase shift quantum private comparison 81

directly to Alice. Then, Bob measures the output pulse train after Alice encodes hisphase information on it. According to the measurement result, Bob modulates theinitial signal pulse train, and then, he sends it to TP. If Bob gets photon counts atall time slots, he will know all of Alice’s modulation phases and he can pass the testbit check easily. However, due to the presence of Alice’s monitoring detector, Bobshould send a signal light which power is less than one photon per pulse. Thus, hecan only know partial information about Alice’s modulation phases. This will lead toan additional bit errors in test bit check phase, and his attack will be noticed. As thesame as the external eavesdropper Eve, dishonest Bob may use perfect technology to.For example, he can also replace the lossy fiber with her lossless one and use perfectdetectors to disguise his eavesdropping as system errors.

In this case, the probability that Bob knows Alice’s modulation phase is 2μTab,where μ is the average photon number per pulse sent from Bob and Tab is the trans-mittance from Alice to Bob’s output. Then, the bit error rate induced by Bob’s attackis (1−2μTab)

2 . Because a bit error is disclosed only when Bob publish his bit first in the

test bit checking phase, the overall bit error rate is (1−2μTab)2

12 . Therefore, if the system

error rate is e, the upper bound for the allowable rate of Bob’s attack α is given by

α

(1 − 2μTab

2

)1

2= e. (5)

Then we have

α = 4e

1 − 2μTab. (6)

Thus, the upper bound for Alice’s key allowable for Bob is 2μα, which is much smallerthan DPS-QSS.

Case 3 TP’s attack

As in the previous QPC protocols, we suppose TP to be semi-honest. The only wayfor a semi-honest TP to get knowledge about secrets of the participants is to learninformation from intermediate information recorded by herself in the procedure of theprotocol. However, from all the intermediate information, she can only obtain XORvalues of Alice’s and Bob’s information, so she cannot deduce the value of their secret.

4 Discussion and conclusions

In this paper, we present a novel quantum private comparison protocol based on thedifferential phase shift scheme, which uses weak coherent pulse train instead of indi-vidual photons. Compared with previous QPC protocols, our protocol employs onlyoff-the-shelf optical devices and photon detectors, and it can be implemented easily.Moreover, 100 % qubit efficiency can be achieved in our protocol in principle, muchhigher than other protocols (at most near 50 %). We hope that our work can offer somenew insights into the problem of quantum private comparison and can be extended tosolve the multiparty comparison and millionaires’ problem in the future.

123

82 X. Liu et al.

Acknowledgments This work was sponsored by the National Natural Science Foundation of China(Project No. 61101073) and the Graduate Innovation Funds for the National University of Defense Tech-nology.

References

1. Yao, A.C.: Protocols for secure computations. In: Proceedings of the 23rd Annual Symposium onFoundations of Computer Science, pp. 160–164 (1982)

2. Boudot, F., Schoenmakers, B., Traore, J.: A fair and efficient solution to the socialist millionaires’problem. Discrete Appl. Math. 111(1), 23–36 (2001)

3. Shor, P.: Polynomial-time algorithms for prime factorization and discrete logarithms on a quantumcomputer. SIAM Rev. 41(2), 303–332 (1999). doi:10.1137/S0036144598347011

4. Bennett, C., Brassard, G., et al.: Quantum cryptography: public keydistribution and coin tossing. In:Proceedings of IEEE International Conference on Computers, Systems and Signal Processing, vol.175. Bangalore, India (1984)

5. Inoue, K., Waks, E., Yamamoto, Y.: Differential phase shift quantum key distribution. Phys. Rev. Lett.89(3), 37902 (2002)

6. Noh, T.: Counterfactual quantum cryptography. Phys. Rev. Lett. 103(23), 230501 (2009)7. Hillery, M., Bužek, V., Berthiaume, A.: Quantum secret sharing. Phys. Rev. A 59(3), 1829 (1999)8. Karlsson, A., Koashi, M., Imoto, N.: Quantum entanglement for secret sharing and secret splitting.

Phys. Rev. A 59, 162–168 (1999). doi:10.1103/PhysRevA.59.1629. Inoue, K., Ohashi, T., Kukita, T., Watanebe, K., Hayashi, S., Honjo, T., Takesue, H.: Differential-phase-

shift quantum secret sharing. Opt. Express 16(20), 15469–15476 (2008)10. Long, G.L., Liu, X.S.: Theoretically efficient high-capacity quantum-key-distribution scheme. Phys.

Rev. A 65, 032302 (2002). doi:10.1103/PhysRevA.65.03230211. Boström, K., Felbinger, T.: Deterministic secure direct communication using entanglement. Phys. Rev.

Lett. 89(18), 187902 (2002)12. Deng, F.G., Long, G.L.: Secure direct communication with a quantum one-time pad. Phys. Rev. A 69,

052319 (2004). doi:10.1103/PhysRevA.69.05231913. Wang, J., Zhang, Q., Tang, Cj: Quantum secure direct communication based on order rearrangement

of single photons. Phys. Lett. A 358(4), 256–258 (2006). doi:10.1016/j.physleta.2006.05.03514. Giovannetti, V., Lloyd, S., Maccone, L.: Quantum private queries. Phys. Rev. Lett. 100(23), 230502

(2008)15. De Martini, F., Giovannetti, V., Lloyd, S., Maccone, L., Nagali, E., Sansoni, L., Sciarrino, F.: Experi-

mental quantum private queries with linear optics. Phys. Rev. A 80(1), 010302 (2009)16. Gao, F., Liu, B., Wen, Q.Y., Chen, H.: Flexible quantum private queries based on quantum key distri-

bution (2011). arXiv:1111.1511 (arXiv, preprint)17. Hillery, M., Ziman, M., Bužek, V., Bieliková, M.: Towards quantum-based privacy and voting. Phys.

Lett. A 349(1), 75–81 (2006)18. Vaccaro, J.A., Spring, J., Chefles, A.: Quantum protocols for anonymous voting and surveying. Phys.

Rev. A 75(1), 012333 (2007)19. Piotrowski, E.W., Sładkowski, J.: Quantum auctions: facts and myths. Phys. A Stat. Mech. Appl.

387(15), 3949–3953 (2008)20. Hogg, T., Harsha, P., Chen, K.Y.: Quantum auctions. Int. J. Quantum Inf. 5(05), 751–780 (2007)21. Patel, N.: Quantum games: states of play. Nature 445(7124), 144–146 (2007)22. Jia, H.Y., Wen, Q.Y., Song, T.T., Gao, F.: Quantum protocol for millionaire problem. Opt. Commun.

284(1), 545–549 (2011)23. Zhang, W.W., Zhang, K.J.: Cryptanalysis and improvement of the quantum private comparison pro-

tocol with semi-honest third party. Quantum Inf. Process. 12(5), 1981–1990 (2013). doi:10.1007/s11128-012-0507-3

24. Yang, Y.G., Wen, Q.Y.: An efficient two-party quantum private comparison protocol with decoy photonsand two-photon entanglement. J. Phys. A Math. Theor. 42(5), 055,305 (2009). http://stacks.iop.org/1751-8121/42/i=5/a=055305

25. Yang, Y.G., Cao, W.F., Wen, Q.Y.: Secure quantum private comparison. Phys. Scr. 80(6), 065002(2009). http://stacks.iop.org/1402-4896/80/i=6/a=065002

123

Differential phase shift quantum private comparison 83

26. Chen, X.B., Xu, G., Niu, X.X., Wen, Q.Y., Yang, Y.X.: An efficient protocol for the private comparisonof equal information based on the triplet entangled state and single-particle measurement. Opt. Com-mun. 283(7), 1561–1565 (2010) doi:10.1016/j.optcom.2009.11.085, http://www.sciencedirect.com/science/article/pii/S0030401809012668

27. Liu, W., Wang, Y.B., Jiang, Z.T.: An efficient protocol for the quantum private comparison of equalitywith w state. Opt. Commun. 284(12), 3160–3163 (2011). doi:10.1016/j.optcom.2011.02.017

28. Liu, W., Wang, Y.B.: Quantum private comparison based on ghz entangled states. Int. J. Theor. Phys.51(11), 3596–3604 (2012). doi:10.1007/s10773-012-1246-z

29. Wen, L., Yong-Bin, W., Wei, C.: Quantum private comparison protocol based on bell entangled states.Commun. Theor. Phys. 57(4), 583–588 (2012). doi:10.1088/0253-6102/57/4/11

30. Jia, H.Y., Wen, Q.Y., Li, Y.B., Gao, F.: Quantum private comparison using genuine four-particle entan-gled states. Int. J. Theor. Phys. 51(4), 1187–1194 (2012). doi:10.1007/s10773-011-0994-5

31. Tseng, H.Y., Lin, J., Hwang, T.: New quantum private comparison protocol using epr pairs. QuantumInf. Process. 11(2), 373–384 (2012). doi:10.1007/s11128-011-0251-0

32. Liu, W., Wang, Y.B., Jiang, Z.T., Cao, Y.Z.: A protocol for the quantum private comparison of equalitywith chi-type state. Int. J. Theor. Phys. 51(1), 69–77 (2012). doi:10.1007/s10773-011-0878-8

33. Yang, Y.G., Xia, J., Jia, X., Shi, L., Zhang, H.: New quantum private comparison protocol withoutentanglement. Int. J. Quantum Inf. 10(6) (2012). doi:10.1142/S0219749912500657

34. Xu, G.A., Chen, X.B., Wei, Z.H., Li, M.J., Yang, Y.X.: An efficient protocol for the quantum privatecomparison of equality with a four-qubit cluster state. Int. J. Quantum Inf. 10(4) (2012). doi:10.1142/S0219749912500451

35. Liu, W., Wang, Y.B., Jiang, Z.T., Cao, Y.Z., Cui, W.: New quantum private comparison protocol usingx-type state. Int. J. Theor. Phys. 51(6), 1953–1960 (2012). doi:10.1007/s10773-011-1073-7

36. Li, J., Jin, H., Jing, B.: Improved eavesdropping detection strategy based on four-particle cluster statein quantum direct communication protocol. Chin. Sci. Bull. 57(34), 4434–4441 (2012)

37. Liu, B., Gao, F., Jia, H., Huang, W., Zhang, W., Wen, Q.: Efficient quantum private comparisonemploying single photons and collective detection. Quantum Inf. Process. 12(2), 887–897 (2013).doi:10.1007/s11128-012-0439-y

38. Chang, Y.J., Tsai, C.W., Hwang, T.: Multi-user private comparison protocol using GHZ class states.Quantum Inf. Process. 12(2), 1077–1088 (2013). doi:10.1007/s11128-012-0454-z

39. Sun, Z., Long, D.: Quantum private comparison protocol based on cluster states. Int. J. Theor. Phys.52(1), 212–218 (2013). doi:10.1007/s10773-012-1321-5

40. Lin, S., Sun, Y., Liu, X.F., Yao, Z.Q.: Quantum private comparison protocol with d-dimensional bellstates. Quantum Inf. Process. 12(1), 559–568 (2013). doi:10.1007/s11128-012-0395-6

41. Lo, H.K.: Insecurity of quantum secure computations. Phys. Rev. A 56(2), 1154 (1997)42. Li, Y.B., Wen, Q.Y., Gao, F., Jia, H.Y., Sun, Y.: Information leak in Liu et al.’s quantum private

comparison and a new protocol. Eur. Phys. J. D 66(4) (2012). doi:10.1140/epjd/e2012-30065-943. Yang, Y.G., Xia, J., Jia, X., Zhang, H.: Comment on quantum private comparison protocols with a semi-

honest third party. Quantum Inf. Process. 12(2), 877–885 (2013). doi:10.1007/s11128-012-0433-444. Liu, X.T., Zhao, J.J., Wang, J., Tang, C.J.: Cryptanalysis of the secure quantum private comparison

protocol. Phys. Scr. 87(6), 065004 (2013). http://stacks.iop.org/1402-4896/87/i=6/a=06500445. Waks, E., Takesue, H., Yamamoto, Y.: Security of differential-phase-shift quantum key distribution

against individual attacks. Phys. Rev. A 73(1), 012344 (2006)46. Curty, M., Tamaki, K., Moroder, T.: Effect of detector dead times on the security evaluation of

differential-phase-shift quantum key distribution against sequential attacks. Phys. Rev. A 77(5, Part a)(2008). doi:10.1103/PhysRevA.77.052321

47. Chen-Xu, F., Rong-Zhen, J., Wen-Han, Z.: Performance of differential-phase-shift keying protocolapplying 1310 nm up-conversion single-photon detector. Chin. Phys. Lett. 25(9), 3135–3137 (2008)

48. Zhao, Y.B., Fung, C.H.F., Han, Z.F., Guo, G.C.: Security proof of differential phase shift quantum keydistribution in the noiseless case. Phys. Rev. A 78, 042330 (2008). doi:10.1103/PhysRevA.78.042330

49. Gomez-Sousa, H., Curty, M.: Upper bounds on the performance of differential-phase-shift quantumkey distribution. Quantum Inf. Comput. 9(1–2), 62–80 (2009)

50. Rong-Zhen, J., Chen-Xu, F., Hai-Qiang, M.: Analysis of the differential-phase-shift-keying protocolin the quantum-key-distribution system. Chin. Phys. B 18(3), 915–917 (2009)

51. Ma, L., Nam, S., Xu, H., Baek, B., Chang, T., Slattery, O., Mink, A., Tang, X.: 1310 nm differential-phase-shift qkd system using superconducting single-photon detectors. New J. Phys. 11 (2009). doi:10.1088/1367-2630/11/4/045020

123

84 X. Liu et al.

52. Zhang, H., Wang, J., Liu, X., Wei, Z., Liu, S.: A fiber-based differential phase shift quantum keydistribution scheme with higher key creation efficiency. Opt. Commun. 282(14), 3037–3039 (2009).doi:10.1016/j.optcom.2009.03.066

53. Jindong, W., Xiaojuan, Q., Huani, Z., Zhengjun, W., Changjun, L., Songhao, L.: A free-space-baseddifferential phase shift quantum key distribution scheme with higher key creation efficiency. Opt.Commun. 282(16), 3379–3381 (2009). doi:10.1016/j.optcom.2009.05.020

54. Wen, K., Tamaki, K., Yamamoto, Y.: Unconditional security of single-photon differential phase shiftquantum key distribution. Phys. Rev. Lett. 103(17) (2009). doi:10.1103/PhysRevLett.103.170503

55. Kawahara, H., Inoue, K.: Differential-phase-shift quantum key distribution with segmented pulse trains.Phys. Rev. A 83(6) (2011). doi:10.1103/PhysRevA.83.062318

56. Kawahara, H., Oka, T., Inoue, K.: Differential-phase-shift quantum key distribution with phase mod-ulation to combat sequential attacks. Phys. Rev. A 84(5) (2011). doi:10.1103/PhysRevA.84.052311

57. Namekata, N., Takesue, H., Honjo, T., Tokura, Y., Inoue, S.: High-rate quantum key distribution over100 km using ultra-low-noise, 2-ghz sinusoidally gated ingaas/inp avalanche photodiodes. Opt. Express19(11), 10632–10639 (2011)

58. Xiao-Lin, Y., Jin-Dong, W., Zheng-Jun, W., Bang-Hong, G., Song-Hao, L.: A new multi-wavelengthtwo-way quantum key distribution system with a single optical source. Acta Phys. Sin. 61(18) (2012).doi:10.7498/aps.61.184215

59. Lütkenhaus, N.: Security against individual attacks for realistic quantum key distribution. Phys. Rev.A 61(5), 052304 (2000)

123