An efficient simulation for quantum secure multiparty computation

The quantum secure multiparty computation is one of the important properties of secure quantum communication. In this paper, we propose a quantum secure multiparty summation (QSMS) protocol based on (t, n) threshold approach, which can be used in many complex quantum operations. To make this protocol secure and realistic, we combine both the classical and quantum phenomena. The existing protocols have some security and efficiency issues because they use (n, n) threshold approach, where all the honest players need to perform the quantum multiparty summation protocol. We however use a (t, n) threshold approach, where only t honest players need to compute the quantum summation protocol. Compared to other protocols our proposed protocol is more cost-effective, realistic, and secure. We also simulate it using the IBM corporation’s online quantum computer, or quantum experience.

• These protocols are not cost-efficient because they have bit-by-bit operations.
• These protocols have some security issues because their modulo is too small. Shi et al. 48 implemented a QSMS protocol, which can compute the summation efficiently with large modulo p, but it has the threshold approach of (n, n), where p = 2 q and q is number of qubits. Shi and Zhang 49 discussed a QSMS protocol, which can compute the summation efficiently, but it is not secure because it has only two-party. Zhang et al. 50 implemented a QSMS protocol based on quantum secure multiparty computation, but its modulo is 2 only. Liu et al. 51 discussed a QSMS protocol based on the threshold approach of (n, n) with modulo 2, and its form of computation is bit-by-bit. In 2018, Yang and Ye 52 discussed a QSMS protocol with modulo d. Its form of computation is secret-by-secret, but it has the threshold approach of (n, n). In 2019, Jiao et al. 53 discussed a QSMS protocol, which has the threshold approach of (n, n), and its form of computation is bit-by-bit. In the same year, Zhang et al. 54 have discussed a QSMS protocol. Its modulo is d, but it has the threshold approach of (n, n). In 2020, Sutradhar and Om introduced a quantum secret sharing 55 protocol. This protocol is efficient and has (t, n) threshold approach, but it has more computational cost because it uses CNOT gate and SHA1. This protocol does not discuss about the realistic implementation, collective and coherent attacks. In the same year, Sutradhar and Om 56 discussed a multiparty quantum summation protocol. This protocol is efficient and has (k, n) threshold approach, but it has more computational cost because it uses SUM gate, where k denotes the players of the qualified subset. This protocol does discuss about the collective and coherent attacks. Recently, Sutradhar and Om 57 introduced another quantum protocol for secure multiparty summation. This protocol is efficient and has (t, n) threshold approach, but it has more computational cost because it uses the SUM gate. This protocol does not discuss about the realistic implementation. Moreover, the proposed protocol is more secure, realistic and cost-effective as compared to the these protocols [55][56][57] . In this paper, we propose a QSMS protocol with a form of secret-by-secret computation. The proposed protocol has the threshold approach of (t, n), where only t honest players need to execute the secure multiparty quantum summation efficiently and cost-effectively without disclosing their secrets.

Preliminaries
In this section, we discuss the Shamir's Secret Sharing (SSS), Pauli operator, and Quantum Fourier Transform (QFT).
Shamir's secret sharing. The SSS 38 contains P = {P 1 , P 2 , . . . , P n } , a dealer, and n players. It is formed in two phases as discussed below.
Secret sharing phase. In this phase, the dealer uses (t − 1)-degree polynomial f(x) to share the secret and distribute those shares among n players, each player P i contains only f (x i ) , i = 1, 2, . . . , n.
Secret reconstruction phase. In this phase, reconstruction is performed by the threshold number of players using the Lagrange Interpolation, as discussed below.

Our contribution
In this section, we propose a (t,n) threshold QSMS protocol. Let the dealers A and B have two secrets (for simplicity, we only take two secrets but the secrets can be any number n or more than n, where n denotes total no of players) X and Y, respectively, and n players want to jointly perform the summation (S = X + Y ) without revealing their secrets. In this protocol, each qualified subset P = {P 1 , P 2 , . . . , P t } contains a k th player as an initiator. We assume that k th player is P 1 , which acts as an initiator. The initiator P 1 only contains his share value, nothing else. The process of quantum secure multiparty summation is given as follows.
Step 1: A and B choose two distinct (t − 1)-degree polynomials f (x) = X + α 1 x + α 2 x 2 + · · · + α t−1 x t−1 and g(x) = Y + β 1 x + β 2 x 2 + · · · + β t−1 x t−1 , X and Y are secrets and the symbol ′ + ′ is defined as addition modulo d, d is a prime such that n ≤ d ≤ 2n . The A and B use the Shamir's secret sharing to compute the shares f (x i ) and g(x i ) , respectively, which are distributed among n players using an authenticated classical channel. The player P i only knows the shares f (x i ) and g(x i ) , i = 1, 2, . . . , n.
Step 2: . . , n, and possesses the share h(x i ) only.
Step 4: Initiator player P 1 prepares t−particle entangled states as follows.
Step 5: Each player P u performs the QFT 52 on his particle |c� u as follows: Each player P u , (u = 1, 2, . . . , t) , also applies the Pauli operator U m u ,0 on his particle as follows: After performing the QFT and Pauli operator, the resultant state | 2 � is obtained as follows.
Step 7: Finally, the players in qualified subset calculate the summation jointly by summing their results of measurement: S = t u=1 a u + m u mod d.

Correctness
Lemma 1 If QFT and Pauli operators are honestly performed by all players in a qualified subset P = {P 1 , P 2 , . . . , P t } , then they can jointly compute the multiparty quantum summation ( t u=1 m u mod d) correctly.
Proof If QFT and Pauli operators are honestly performed by every player in the qualified subset P = {P 1 , P 2 , . . . , P t } , the quantum state is obtained as follows. www.nature.com/scientificreports/ Each player P u , u = 1, 2, . . . , t , performs the measurement operation on his own particle in computational basis |a u + m u � . The QSMS can be computed after receiving the measurement results of each player P u , u = 1, 2, . . . , t . The QSMS of secret can be calculated as follows.
Thus, the multiparty quantum summation of secrets equals to t u=1 m u mod d .

Illustration of secure multiparty quantum summation
Here, we use a numerical example to discuss the working of the proposed protocol. Let A and B hold two secrets 2 and 3, respectively and they want to perform the summation S = (2 + 3) . A and B choose threshold (t) = 3 , total number of players (n) = 7 , and prime (d) = 11 . Suppose A and B select two different polynomials f (x) = 2 + x + x 2 mod 11 and g(x) = 3 + x + x 2 mod 11 , respectively. They calculate the shares f (x i ) and g(x i ), i = 1, 2, . . . , 7 using the Shamir's secret sharing, and allocate these shares to 7 players. Each player P i , i = 1, 2, . . . , 7 , performs h(x i ) = f (x i ) + g(x i ) mod 11 . The calculation of shares h(x i ) is shown in Table 1. Each player P u , u= 1, 2, 3, computes the shadow of the shares m u , as m 1 = 9. 10 c=0 |c� 1 |c� 2 |c� 3 and sends the particle |c� u to player P u , u = 2, 3 . Each player P u , u = 1, 2, 3, applies the QFT and Pauli operator U 5,0 , U 4,0 , U 7,0 on his particle, respectively, (as per Eq. 9).

Simulation results
We simulate the proposed protocol using the IBM real quantum processor 39,40 , which is available at T.J.Watson lab, USA. We explain the circuit diagram (refer Fig. 1) of our QSMS protocol. The Hadamard gate is taken as the QFT in this circuit diagram of QSMS. On his particle, the player P u applies the QFT and also performs the Pauli operator on his particle. Then, each player P u performs measurement operations on his own particle, and broadcasts the measurement result. Finally, by summing their measurement results, the players jointly calculate the QSMS. The privacy of this protocol is guaranteed until a certain number of players disclose their shares. We have simulated this circuit of QSMS with 3 players, 5 qubits, and 8192 number of average shots. Initially, the player P u , u = 1, 2, 3 performs the QFT on his particle |c� u and also executes the Pauli operator on particle |c� u . Then, each player P u , u = 1, 2, 3, executes the measurement operation in computational basis on his particle. The players P 1 , P 2 , and P 3 broadcast the measurement results a 1 + 5 , a 2 + 4 , and a 3 + 7 , respectively. Finally, they get the summation of 2 and 3 by adding the measurement results as follows: The simulation result of the proposed summation protocol for 3 players, 5 qubits, and 8192 number of average shots. The state 101 (i.e., binary representation of 5) is calculated efficiently. The result of this simulation using the IBM real quantum processor is shown in Fig. 2.

Discussion
Here, we address the security and performance analysis based on some properties of the proposed QSMS protocol.

Security analysis.
In this section, we analyze the security of QSMS protocol based on the intercept-resend, entangle-measure, intercept, collective, coherent, and collusion attacks.
Intercept-resend attack Suppose an attacker Mallory intercepts the particle |c� u . It measures the quantum particle |c� u in the computational basis to get the useful data about the share's shadow ( m u ). Mallory produces the clone quantum particle |c� u and resends this clone particle to player P u , u = 2, 3, . . . t . If Mallory applies this method to attack, then it can get c accurately with probability 1 d . But, from this attack, Mallory cannot get any useful data about the share's shadow m u , because the intercepted particle |c� u does not contain any useful data about the share's shadow m u .
Entangle-Measure attack After the intercept attack, Mallory performs the complex entangle-measure attack on the entangled quantum particle |c� u . In this attack, Mallory performs the measurement operation on the intercepted entangled quantum particle |c� u in the computational basis to get the useful data about the share's shadow m u . If Mallory applies the entangle-measure attack, then it can get c accurately with probability 1 d . But, from this attack, Mallory cannot get useful data about the share's shadow m u , because the intercepted entangled quantum particle |c� u does not contain any useful data about the share's shadow m u . a 1 + 5 + a 2 + 4 + a 3 + 7 = 16 mod 11 = 5. www.nature.com/scientificreports/ Intercept attack Suppose Mallory intercepts the particle |c� u and measures the quantum particle |c� u in the computational basis to reveal the useful data about the share's shadow m u . If Mallory measures the quantum particle |c� u in the computational basis, then it can get c correctly with probability 1 d . But, from the measurement result c, it cannot get any useful data about the share's shadow m u , because the intercepted particle |c� u does not carry any useful data about the share's shadow m u .
Collective attack In a collective attack, Mallory prepares an autonomous ancillary particle to communicate with each qudit to get the shadow of share and they perform the joint measurement operation on every ancillary qudit. Suppose Mallory communicates with every qudit of all players by preparing an autonomous ancillary particle |e� . After successful interaction, Mallory gets the particle |o� x . Then, Mallory wants to know the shadow of share by performing a computational basis {|1�, |2�, . . . , |d − 1�} joint measurement operation. Mallory cannot get any useful data about the share's shadow from this joint measurement operation because |o� x does not contain any useful data about the share's shadow.
Coherent attack In this attack, Mallory prepares an autonomous ancillary particle |c� to communicate with the qudits of each player. After interacting, Mallory gets each player's particle |o� x and performs a joint measurement operation on all players particle c in computational basis {|1�, |2�, . . . , |d − 1�} . Mallory only gets o from the joint measurement result of particle |o� x with probability 1 d . But, the joint measurement result o does not contain any useful data about the share's shadow. From this attack, Mallory only gets the interacting particle |o� x , but it cannot learn any useful data about the share's shadow.
Collusion attack In this protocol, each player P u performs the measurement on his own particle |a u + m u � and broadcasts his result of the measurement a u + m u , u = 1, 2, . . . , t . From this broadcast, other players cannot get any useful data about the share's shadow m u . If some rational players P l−1 and P l+1 jointly want to get the data about the share's shadow but they cannot get any useful data about the share's shadow m u because the initiator P 1 transmits only particles |c� u to all other players and unfortunately |c� u does not contain any useful data about the share's shadow m u . Performance analysis. We analyze and compare the performance of the proposed (t, n) threshold summation protocol with the existing summation protocols [44][45][46][47][48][49][50][51][52][53][54] . The protocols [44][45][46][47] are multiparty, but they have the threshold approach of (n, n) and their type of computation is bit-by-bit. The protocol 48 is multiparty and its type of computation is secret-by-secret, but it is based on the threshold approach of (n, n). The protocols 49,50 perform bit-by-bit computation, but they are based on the threshold approach of (n, n). The protocol 51 is multiparty, but its type of computation is bit-by-bit and it has the threshold approach of (n, n) with modulo is 2. The protocol 52 is multiparty and its type of computation is secret-by-secret, but it is based on the threshold approach of (n, n). The protocol 53 is based on quantum multiparty computation, but its type of computation is bit-by-bit and it has the threshold approach of (n, n). The protocol 54 is multiparty and its type of computation is secret-by-secret, but it has the threshold approach of (n, n), where all honest players need to perform the multiparty quantum summation. This protocol cannot be performed correctly if any player is dishonest. However, our proposed protocol has the threshold approach of (t, n), in which only honest players of t can securely compute the multiparty quantum summation with modulo d. In addition, the proposed protocol has secret-by-secret computation type. This protocol can be performed correctly if any t players are honest. So, Compared to other protocols, our proposed protocol is more cost-effective, efficient, realistic, and secure, as shown in Table 2

Conclusion
In this paper, we have discussed a secret sharing based (t, n) threshold QSMS protocol. This protocol can be executed efficiently if any t number of players are honest. It is secure and efficient because its type of computation is secret-by-secret and its communication type is linear. It can also compute the QSMS if the total number of secrets is more than the total number of players because the linear secret sharing is used to compute the share of secrets. This QSMS protocol is more realistic as compared to the existing multiparty quantum summation protocols because we have simulated this protocol efficiently using IBM quantum computer that provides efficient result after increasing the number of shots.