1 Introduction

Secure multiparty computation (SMC) is a technology where multiple individuals, each having their own set of confidential data, can calculate a function f that is open to the public without unveiling any details about their data to the other participants. SMC has practical applications in real-life scenarios, such as vehicular networks [1, 2], genomics data mining [3], and secure voting [4]. Despite the wide range of applications, classical SMC implementations confront security and efficiency challenges. These implementations rely on public-key cryptography, which often leads to significant computational and communication overheads. Furthermore, classical SMC protocols that rely on prime number factorization or discrete logarithms are vulnerable to quantum computers attacks, as a consequence of Shor’s algorithm [5].

The concept of SMC was initially introduced by Yao [6], to address the millionaire’s problem within the realm of two-party secure computation. Later, classical SMC solutions with more than two parties [7,8,9,10,11,12] were introduced. After the achievement of Quantum Key Distribution [13, 14], significant strides have been taken to enhance the security and efficiency of the classical SMC protocols by utilizing quantum technology. A number of quantum-based SMC protocols have been proposed to carry out computations on various types of functions, such as Boolean functions [15, 16], polynomials [17], and arithmetic operations [18,19,20,21]. Despite the remarkable accomplishments of quantum protocols leveraging single qubits or entangled states across various computational scenarios, the use of Measurement-Based Quantum Computing (MBQC) [22,23,24] remains a relatively unexplored domain. The concept of MBQC was initially introduced by Raussendorf and Briegel [25]. In this quantum computing model, computations are accomplished through a sequence of measurements performed on a highly entangled quantum state, referred to as a cluster state or a resource state. This type of quantum computing is different from the traditional circuit model that involves the manipulation of qubits using quantum gates, similar to how classical computers employ logic gates for bit processing. The MBQC provides a number of advantages as it inherits certain characteristics that make it more fault-tolerant compared to the circuit model. For instance, if the quantum state prepared in the initial step is too imprecise, we can simply discard this state before the computation is carried out and re-prepare it to make sure the output of the computation is accurate [26]. There are two MBQC schemes [22]: One-Way Quantum Computer (1WQC), also referred to as the cluster state model [27], and Teleportation Quantum Computation (TQC) [28]. The 1WQC method utilizes one-qubit measurements on a highly entangled state while the teleportation-based model requires joint (entangled) measurements [23]. It has been demonstrated that the 1WQC offers promising security features, as it leverages Blind Quantum Computation techniques [29]. In [30], authors demonstrate that any quantum algorithm can be implemented using single-qubit measurements on a cluster state. Furthermore, authors discuss how this approach can be used to implement various quantum algorithms, including Shor’s and Grover’s algorithms. In [31], a series of quantum schemes that exploit quantum entanglements in Greenberger–Horne–Zeilinger (GHZ) states to compute symmetric Boolean functions are proposed. In [32], the security of one of the schemes (scheme C) outlined in [31], which claimed to achieve secure multiparty computation for dishonest majority with a threshold of \(n-1\), was disproved. In [33], an refined SMC protocol based on [31] was proposed that rectifies the security flaws and offers enhanced efficiency.

Building upon the foundations outlined in scheme A from Loukopoulos and Browne [31], we propose a quantum-based two-party protocol in which the correlation of the GHZ state is exploited to compute binary Boolean functions, with the help of a third party. Our method introduces an additional random Z-phase rotation to the GHZ qubits to increase the protocol’s security. The security and efficiency analyses show that this method achieves a higher security level while utilizing the same quantum resources and preserving the existing complexity. We implemented the proposed scheme on the IBM Qiskit platform and validated its feasibility through consistent and reliable results.

In the reminder of the paper, Sect. 2 overviews the computation of the logical NAND using the entanglement of the GHZ state. In Sect. 3, the computation of Boolean functions based on the AND operation is explained, providing the background for the contribution of the study. In Sect. 4, a quantum-based two-party protocol to compute binary Boolean functions is proposed. In Sect. 5, we implement our protocol on the IBM QisKit platform. In Sect. 6, we conduct analyses on the privacy, security, and efficiency aspects of the proposed approach. Lastly, Sect. 7 provides the conclusion for the paper.

2 Secure NAND computation

This section recalls the idea initially proposed by Anders and Browne [34], to compute the universal NAND function using the entanglements of the GHZ state \(\left| {G\!H\!Z} \right\rangle = {{\left( {\left| {001} \right\rangle - \left| {110} \right\rangle } \right) } / {\sqrt{2} }}\). The computation is accomplished in a secure manner which means that three parties (say, Alice, Bob, and Charlie) with input bits ab, and c compute the \(N\!A\!N\!D(a,b)\), while ensuring that no information about the individual inputs is disclosed to the other parties. Let us consider a scenario where the three qubits of the GHZ state are divided among three parties with each party holding one qubit of the entangled state. The parties measure the qubits in either \(\sigma _x\) or \(\sigma _y\) according to the input bits \(a,\,b,\,c \in \{ 0,1\}\). The third input is defined as \(c = a \oplus b\). If the input bit is 0, they measure the qubit in \(\sigma _x\) basis, and if the bit is 1, the measurement is done in \(\sigma _y\). There are four independent choices of inputs that form the following stabilizer equations for the GHZ state, initially outlined in [35]:

$$\begin{aligned}{} & {} {\sigma _x} \otimes {\sigma _x} \otimes {\sigma _x}\left| G\!H\!Z \right\rangle = -\left| G\!H\!Z \right\rangle , \nonumber \\{} & {} {\sigma _x} \otimes {\sigma _y} \otimes {\sigma _y}\left| G\!H\!Z \right\rangle = -\left| G\!H\!Z \right\rangle , \nonumber \\{} & {} {\sigma _y} \otimes {\sigma _x} \otimes {\sigma _y}\left| G\!H\!Z \right\rangle = -\left| G\!H\!Z \right\rangle , \nonumber \\{} & {} {\sigma _y} \otimes {\sigma _y} \otimes {\sigma _x}\left| G\!H\!Z \right\rangle = + \left| G\!H\!Z \right\rangle . \end{aligned}$$
(1)

The four equations can be expressed in a more concise way as:

$$\begin{aligned} {\sigma _a} \otimes {\sigma _b} \otimes {\sigma _{(a \oplus b)}}\left| G\!H\!Z \right\rangle = {( - 1)^{N\!A\!N\!D(a,b)}}\left| G\!H\!Z \right\rangle . \end{aligned}$$
(2)

Equation (2) implies that the output of \(N\!A\!N\!D(a, b)\) is encoded into the eigenvalues of Eq. (1). If we assign the eigenvalues \(+1\) and \(-1\) with bit values 0 and 1, respectively, we obtain:

$$\begin{aligned} N\!A\!N\!D(a,b) = {M_a} \oplus {M_b} \oplus {M_{(a \oplus b)}}, \end{aligned}$$
(3)

where \(\oplus \) is addition modulo 2; \(M_a, M_b\), and \(M_{(a \oplus b)} \in \{ 0,1\}\) are the measurement outcome of parties. This result implies that if three parties share the GHZ state and perform measurements determined by their inputs, the parity of their measurement outcomes is equal to \(N\!A\!N\!D(a,b)\). In [36], the idea of Anders and Browne [34] was expanded so that instead of using different measurement bases (\(\sigma _x\) and \(\sigma _y\)), parties can perform a pre-rotation operation to the GHZ qubits, based on the values of a, b, and \(a \oplus b\). Afterwards, by performing the \(\sigma _x\) measurement on the three qubits of the GHZ state, \(N\!A\!N\!D(a,b)\) is computed. In other words, if we represent the \({\pi / 2}\) rotation along the Z-axis of the Bloch sphere by

$$\begin{aligned} U = {R_z}(\pi /2) = {e^{{{ - i\pi \,{\sigma _z}} / 4}}}, \end{aligned}$$
(4)

then, performing the \(U^\dag \) rotation on the GHZ state will encode the parties’ inputs in the resource state, leading to

$$\begin{aligned} \left| {\psi } \right\rangle ={U^{\dag a}} {U^{\dag b}}{U^{\dag (a \oplus b)}}\left| {GHZ} \right\rangle . \end{aligned}$$
(5)

The execution of the \(U ^\dag \) operation on each qubit relies on the inputs of the respective parties (either \(a, b, a \oplus b\)). Specifically, if the input of a party is 1, the \(U ^\dag \) operation is performed on the corresponding qubit. Conversely, if the input is 0, \(U ^\dag \) is skipped for the corresponding qubit, resulting in the qubit retaining its initial state. This flexibility allows each party to decide whether or not to rotate its qubit based on the corresponding input. Afterwards, by measuring the three qubits of the GHZ state in \(\sigma _x\) basis and performing XOR among the measurement results, \(N\!A\!N\!D(\textbf{a}, \textbf{b})\) is obtained as shown in Eq. (3).

3 Computing boolean functions

In this section, we explain how binary Boolean functions can be computed using the secure NAND computation technique outlined in Sect. 2. We start by considering that any Boolean function \(f(\textbf{a},\textbf{b}):{\{ 0,1\} ^n} \times {\{ 0,1\} ^n} \rightarrow \{ 0,1\} \), which operates on two n-bit strings \(\textbf{a}\) and \(\textbf{b}\) as inputs and returns a single binary output, can be computed by taking the inner product of two polynomial vectors \({P_i}(\textbf{a})\) and \({K_i}(\textbf{b})\) as follows [37]:

$$\begin{aligned} f(\textbf{a},\textbf{b}) = \mathop \bigoplus \limits _{i = 1}^m {\hspace{0.55542pt}} {\hspace{0.55542pt}} {P_i}(\textbf{a}) \, \cdot \, {K_i}(\textbf{b}), \end{aligned}$$
(6)

where \(\textbf{a} = ({a_1},...,{a_n})\) and \(\textbf{b}= ({b_1},...,{b_n})\) correspond to Alice’s and Bob’s input data, respectively. Equation (6) implies that to compute the Boolean function \(f(\textbf{a},\textbf{b})\), m series of AND operations are required. Therefore, by resorting to the secure NAND computation technique outlined in Sect. 2 and subsequently converting it to an AND operation through a NOT operator, we can compute \(f(\textbf{a},\textbf{b})\). The maximum number of terms required for Eq. (6), denoted as m, is limited to \(2^n\), where n represents the input length.

According to Eq. (6), to compute \(f(\textbf{a},\textbf{b})\), three terms should be taken into account: \({P_i}(\textbf{a})\), \({K_i}(\textbf{b})\), and \({P_i}(\textbf{a}).{K_i}(\textbf{b})\). The first two polynomials \({P_i}(\textbf{a})\) and \({K_i}(\textbf{b})\) can be calculated locally by Alice and Bob, respectively. To compute the third term \({P_i}(\textbf{a}).{K_i}(\textbf{b})\), we use the scheme presented in Sect. 2. All that is needed is to find the result of \( N\!A\!N\!D\big ({P_i}(\textbf{a}),{K_i}(\textbf{b})\big )\) for each value of i. Afterwards, we obtain \({P_i}(\textbf{a})\cdot {K_i}(\textbf{b}) = \lnot N\!A\!N\!D({P_i}(\textbf{a}),{K_i}(\textbf{b}))\) by performing a NOT.

Note that the particular form of polynomials in Eq. (6) depend on the Boolean function being evaluated. For example, let us obtain the polynomials that are required to compute \(OR(\textbf{a}, \textbf{b})\). The 2-bit OR function can be represented as [37]:

$$\begin{aligned} OR(\textbf{a},\textbf{b}) = \textbf{a} + \textbf{b} + \textbf{a}\,\cdot \,\textbf{b} \,, \end{aligned}$$
(7)

leading to:

$$\begin{aligned} OR(\textbf{a},\textbf{b})&= ({a_1}\,OR\,\,{b_1}) \, \cdot \,({a_2}\,OR\,\,{b_2}) \nonumber \\&= ({a_1} + {b_1} + {a_1}.\,{b_1})\,\cdot \,({a_2} + {b_2} + {a_2}.\,{b_2}) \nonumber \\&= {a_1}{a_2} + {a_1}{b_2} + {a_1}{a_2}{b_2} + {b_1}{a_2} + {b_1}{b_2} + {b_1}{a_2}{b_2} + {a_1}{b_1}{a_2} + {a_1}{b_1}{b_2} \nonumber \\&\quad + {a_1}{b_1}{a_2}{b_2} \nonumber \\&= \underbrace{{a_1}{a_2}}_{{P_1}} \cdot \underbrace{1}_{{K_1}} + \underbrace{( {a_1} + {a_1}{a_2})}_{{P_2}} \cdot \underbrace{{b_2}}_{{K_2}} + \underbrace{(1+ {a_1}+{a_2} + {a_1}{a_2})}_{{P_3}} \cdot \underbrace{{b_1}{b_2}}_{{K_3}} \nonumber \\&\quad + \underbrace{({a_2} + {a_1}{a_2})}_{{P_4}} \cdot \underbrace{{b_1}}_{{K_4}} \nonumber \\&= \sum \limits _{i = 1}^4 {{P_i}} ({a_1},{a_2})\cdot {K_i}({b_1},{b_2}). \end{aligned}$$
(8)

In Eqs. (7) and (8), the symbols ‘+’ and ‘\(\cdot \)’ represent the XOR and the logical AND, respectively. Equation (8) indicates that a 2-bit \(OR(\textbf{a}, \textbf{b})\) function can be computed using the following vector of polynomials:

$$\begin{aligned} P (\textbf{a}) = \left[ \begin{array}{l} {a_1}{a_2}\\ {a_1}+{a_1}{a_2}\\ 1+{a_1}+{a_2}+{a_1}{a_2}\\ {a_2}+{a_1}{a_2} \end{array} \right] ,\quad K(\textbf{b}) = \left[ \begin{array}{l} 1\\ {b_2}\\ {b_1}{b_2}\\ {b_1} \end{array} \right] . \end{aligned}$$
(9)

4 The Z-phase rotation two-party protocol for binary boolean function computation

Built upon the methodology outlined in [31], we propose a quantum-based two-party protocol to compute binary Boolean functions, with the help of a third party. Using the proposed protocol, two parties, referred to as Alice and Bob, can compute a binary Boolean function without disclosing any information about their private inputs. In [38], it was proven that attaining unconditionally secure two-party computations is not feasible. Consequently, the participation of a third party, referred to as Charlie, becomes necessary [38]. To address this security requirement, our protocol, originally designed for two-party scenarios, is extended to include the collaborative participation of Charlie.

In [31], a nearly private computation protocol (Scheme A) was proposed in which three parties share a GHZ state to perform SMC. Their scheme is described as “nearly private” because there are certain circumstances in which the third party, Charlie, can acquire information about the inputs of other participants. The primary source of information leakage in this scheme is that Charlie can simultaneously learn about the parity of Alice and Bob’s inputs as well as the outcome of the protocol. The security of this protocol can be improved by preventing Charlie from gaining knowledge of the parity of Alice and Bob’s private inputs, or the final output of the protocol, or both. We utilize a technique where we introduce an additional random Z-phase rotation on the GHZ qubits to obscure the outcome from Charlie. Using this technique, we reach a higher level of security, while using the same quantum resources and maintaining the existing complexity.

The proposed protocol advances through the following steps. First, Alice and Bob agree on the specific Boolean function and compute the required polynomial vectors P and K locally, using their inputs. Afterwards, the protocol is executed over m rounds. The number of rounds corresponds to size of polynomial vectors P and K. In each round i (\(1 \le i \le m\)), the secure computation of the AND operation between \(P_i\) and \(K_i\) is carried out as follows. First, three qubits that form a GHZ state are distributed among the three parties. An intriguing characteristic of the GHZ state is that the computation can take place even when the qubits are located in different places, allowing for a secure computation among the distributed parties. Next, each party performs \(U^ \dag \) (i.e. a \(-\pi /2\) rotation around the Z axis of the Bloch sphere) on its qubit, considering \(P_i, K_i,\) and \((P_i \oplus K_i)\):

$$\begin{aligned} \left| \psi _i \right\rangle =&\,{U^{\dag P_i}}\otimes {U^{\dag K_i}}\otimes {U^{\dag {({P_i} \oplus {K_i})}}}\left| G\!H\!Z_i \right\rangle . \end{aligned}$$
(10)

Since all the information is encoded in the phase of the quantum state, performing an additional Pauli-Z rotation on the one of the qubits will obscure the outcome of the computation. Therefore, if Alice and Bob intend to obscure the output from Charlie, one of them (say Alice) has to perform a Pauli-Z rotation on its qubit considering a random bit. To share a random bit, a Bell state \(\left| \varphi _i \right\rangle = {{\left( {\left| {00} \right\rangle + \left| {11} \right\rangle } \right) } / {\sqrt{2} }}\) is distributed between the two parties. Afterwards, each of them measures a qubit of the Bell state and stores the result in \(r_i\). Next, Alice performs the Z-rotation on the first qubit leading to

$$\begin{aligned} \left| \psi '_i\right\rangle =&\, {\sigma _z}^r \, {U^{\dag {P_i}}}\otimes {U^{\dag {K_i}}}\otimes {U^{\dag {({P_i} \oplus {K_i})}}}\left| G\!H\!Z_i \right\rangle . \end{aligned}$$
(11)

If \(r_i=0\), the \(\sigma _z\) operator is not applied to the qubit, whereas if \(r=1\), \(\sigma _z\) is applied to the qubit. The additional Z rotation enhances security by concealing the protocol outcome from Charlie. However, Alice and Bob can easily decode the actual output by executing a bit-flip. In the next step, parties measure their qubit in Pauli-X basis and store the results in classical bits \({m_{P_i}}\), \({m_{K_i}}\), and \({m_{{\scriptscriptstyle (P_i \oplus K_i)}}}\). Subsequently, the parties apply a NOT operator to their results and proceed to the next round. Once the protocol is executed for m rounds, the three parties compute \({M_1} = \mathop \oplus \limits _{i = 1}^m \,\, \lnot {m_{\scriptscriptstyle {P_i}}}\), \({M_2} = \mathop \oplus \limits _{i = 1}^m \,\,\lnot {m_{\scriptscriptstyle {K_i}}}\) and \(M_3 = \mathop \oplus \limits _{i = 1}^m \,\,\lnot {m_{\scriptscriptstyle {(P_i \oplus K_i)}}}\). Alice and Bob send their result to Charlie, who sums up all the classical bits as

$$\begin{aligned} f'(\textbf{a},\textbf{b})= {M_1} \oplus {M_2} \oplus {M_3}, \end{aligned}$$
(12)

and sends the results to Alice and Bob. Following this, Alice and Bob derive the actual output by executing XOR between the random bit \(r=\mathop \oplus \nolimits _{i = 1}^m \,\,{r_i}\) and the classical bit received from Charlie, as follows:

$$\begin{aligned} {f(\textbf{a},\textbf{b})} = r \oplus f'(\textbf{a},\textbf{b}). \end{aligned}$$
(13)

As outlined in the protocol description, the demand for quantum resources increases with n, which means that as the length of the parties’ input bits extends, a greater amount of quantum resources becomes necessary. Protocol 1 provides an overview of these procedures. In the next section, the computation of a 2-bit OR function is explained through an implementation in the IBM QisKit to illustrate the protocol.

figure a

5 QisKit implementation

Universal fault-tolerant quantum computers are not available. Therefore, simulation platforms such as IBM QisKit [39] and Paddle Quantum [40] are employed for the design and implementation of quantum algorithms. Qiskit is a software framework developed by IBM that enables users to simulate and execute quantum programs on both simulation platforms and real quantum computers. In [41], authors utilized Qiskit to implement several quantum gates, such as the Hadamard gate, the Controlled-Not (CNOT) gate, and the \(\pi /2\)-phase gate, based on MBQC approach. In this section, we design a circuit for the proposed protocol and explain its implementation in the Qiskit IBM platform for a particular scenario involving a 2-bit \(OR(\textbf{a},\textbf{b})\) function.Footnote 1

Fig. 1
figure 1

Quantum circuit for the proposed protocol in each round i. The \(q_0, q_1\), and \(q_2\) are three initial qubits with state \(\left| 0 \right\rangle \). The label A represents the preparation of the GHZ state. Label B indicates the rotation of qubits with respect to the bits r, \(P_i\), \(K_i\), and \(P_i \oplus K_i\). Note that the rotation gates in label B are exclusively applied when the bit values are equal to 1; otherwise, they are omitted from the circuit. Label C represents qubit measurements in the Hadamard basis. Labels ‘H’, ‘+’, Z, ‘X’, and ‘\(R_z\)’ identify the Hadamard, controlled-X, Pauli-Z, Pauli-X, and Z-rotation gates, respectively

Full size image

Figure 1 depicts the quantum circuit implementing the proposed protocol. Circuit preparation includes three steps: A, B, and C. In the first step, A, a GHZ state is prepared starting from three qubits \(q_0\), \(q_1\), and \(q_2\) with the initial state \(\left| 0 \right\rangle \). In step B, the qubits are rotated according to the parties’ private inputs and a random bit r. The rotational operations \(R_z(\pi )\) and \(R_z(- \pi /2)\) correspond to the V and \(U ^\dag \) operations, respectively. Next, in step C, qubits are measured in the Hadamard basis. The default measurement in QisKit is performed in the Z-basis. However, by incorporating an H gate prior to the measurement operator, we can measure the qubit in the X-basis. The measurement result of each qubit is stored in a classical register of the QisKit environment. To store the measurement outcomes, three classical registers, \(C_0, C_1\), and \(C_2\), are used to store the measurement results of \(q_0\), \(q_1\), and \(q_2\), respectively.

In our simulated experiments, we assume with no loss of generality that the three parties, Alice, Bob, and Charlie, with 2-bit inputs \( \textbf{a}=(1,0)\), \(\textbf{b}=(1,0)\), and \( \textbf{a} \oplus \textbf{b}=(0, 0)\) intend to compute , which yields to output 1. Alice and Bob share random bits \(\mathbf {\textbf{r}} = (0, 1, 1, 0)\) leading to \(r=\mathop \oplus \limits _{i = 1}^4 \,\,{r_i} =0\). Considering Eq. (8), Alice and Bob compute the polynomials \(\textbf{P}=(1, 0, 1, 0)\) and \(\textbf{K}=( 0, 1, 1, 0)\), which correspond to the OR function. Figure 2 illustrates the measurement outcomes in four rounds of execution. For a three-qubit GHZ state, the possible measurement outcomes are 000, 001, 010, 011, 100, 101, 110, 111. Note that by performing measurement, the qubits collapse from a superposition state into a classical state with the highest probability (either 0 or 1). The eight potential outcomes occur with nearly equal probabilities, a logical outcome of the randomness of quantum measurement. To compute 2-bit OR, four rounds of computation are carried out, and within each round 1000 shots are executed. As shown in Fig. 2, the measurement outcomes with the highest probabilities for rounds 1 to 4 are 001, 011, 110, and 000, respectively, leading to following outcomes for each party:

$$\begin{aligned} Outcomes\left\{ \begin{array}{ll} M_1 = \lnot 0 \oplus \lnot 0 \oplus \lnot 1 \oplus \lnot 0 =1&{}\,\,\,\,\,\hbox {Alice}\,\,\,\\ M_2 = \lnot 0 \oplus \lnot 1 \oplus \lnot 1 \oplus \lnot 0 = 0&{}\,\,\,\,\,\hbox {Bob}\\ M_3 = \lnot 1 \oplus \lnot 1 \oplus \lnot 0 \oplus \lnot 0 = 0&{}\,\,\,\,\,\hbox {Charlie} \end{array} \right. \end{aligned}$$
(14)

Alice and Bob send their summation bits to Charlie, who then performs an XOR operation on the obtained bits, resulting in \(f'(\textbf{a}, \textbf{b}) = 1 \oplus 0 \oplus 0 = 1\). This outcome is then transmitted to Alice and Bob, who calculate the final result by performing an XOR operation between the received classical bit and the shared random bit, yielding \(f(\textbf{a}, \textbf{b})= 1 \oplus 0 =1\). The obtained result confirm the correctness of the protocol. The simulation results were performed on the ’qasm_simulator’ within Google Colab, Ubuntu 20.04.6 LTS, Python 3.10.12, and QisKit-0.43.2. Implementations are carried out on the ASUS Zenbook 14 UX425E laptop with 4 cores and an 11th Gen Intel(R) Core(TM) i7-1165G7 @ 2.80 GHz processor, and 16 GB of RAM.

Fig. 2
figure 2

Measurement results of the quantum circuit demonstrated in Fig. 1, considering a particular scenario involving a 2-bit \(OR(\textbf{a},\textbf{b})\) function. The simulation are performed on ’qasm_simulator’ simulator. The circuit is run over 4 rounds with 1000 shots

Full size image

6 Result and discussion

In this section, we provide security, privacy, and efficiency analyses of the proposed protocol. Additionally, we provide a comparative analysis between quantum SMC protocols and the protocol proposed in this work.

6.1 Privacy analysis

To evaluate the privacy of the proposed protocol, we examine the data leakage in each step as follows:

  1. 1.

    Computation of \(P(\textbf{a})\) and \(K(\textbf{b})\): as the computation is conducted locally, there is no disclosure of any information regarding the inputs.

  2. 2.

    Qubit measurement by parties: no information is leaked.

  3. 3.

    Transmission of (\(P_i \oplus r_i\)) and (\(K_i \oplus r_i\)) to Charlie: resorting to the random bit r ensures that Charlie remains unaware of any details regarding the inputs. Despite using a random bit, Charlie gains knowledge about the parity of the inputs, at this stage.

  4. 4.

    Qubit rotation by parties: no information is leaked.

Once the value of the function is announced, participating parties remain uninformed regarding each other’s inputs.

6.2 Security analysis

The security of our protocol is derived directly from the principles of secure NAND computation outlined in [34] which rely on fundamental principles of quantum mechanics, such as the no-cloning theorem and the inability to measure certain quantum properties without disturbing the system. These features make it extremely difficult for an adversary to extract information from quantum systems without leaving detectable traces. As a result, entangled states and their quantum correlations offer unique opportunities for achieving secure communication. Consider the security against the attack from a party (for example Alice). If Alice wants to learn about Bob’s input, she needs to intercept the bit value \(K_i(\textbf{b}) \oplus r_i\) that is transmitted between Bob and Charlie at the step 4 of Protocol 1. However, since the transmission occurs over a secure classical channel, Alice fails to acquire any information about the bit value. Furthermore, if Charlie aims to retrieve the function output, his attempt will be unsuccessful due to his lack of knowledge concerning the random classical bits \(r_i\).

The protocol lacks security against a coalition attack because Charlie possesses knowledge of the parity of input bits at each stage. This implies that if Charlie forms a coalition with either Alice or Bob, they can acquire information about the input of the other party. Consequently, the protocol can only be considered secure with a threshold of \(th=1\). The protocol is passively secure, which means that while the adversary can attempt to gather information from others, they are not permitted to deviate from the specified protocol execution.

6.3 Efficiency analysis

Efficiency analysis involves three factors: quantum resources, communication complexity, and round complexity of the protocol. To compute Boolean functions as described in Eq. (6), two types of quantum resources are required: Bell and GHZ states. The application of Bell states can be substituted with a standard Quantum Key Distribution protocol to enable the sharing of random bits between Alice and Bob. The necessity for these quantum resources aligns with the requirements of the SMC protocol introduced in [31], which similarly emphasizes Boolean function evaluation. However, our scheme surpasses security level compared to the protocol outlined in [31] due to the use of an additional Z-phase rotation technique, concealing the output from Charlie. The communication cost, that is the number of bits transmitted among parties, is 2n bits, for each rounds of protocol execution. The round complexity of our protocol which refers to the number of rounds required for the execution of the protocol is 4.

Table 1 shows the functions to be computed, the required quantum resources, and the communication and the round complexity for various SMC protocols. While some SMC protocols listed in Table 1 utilize fewer quantum resources (single qubit), this research focuses on a different and more general type of functions. Furthermore, the use of single qubit resulted in increased communication costs when compared to the GHZ state. Although the use of quantum resources, such as GHZ state, can increase with the input size n, the communication cost remains minimal.

Table 1 Comparison of different quantum SMC protocols
Full size table

7 Conclusions

We have addressed the challenges faced by classical Secure Multiparty Computation in terms of security and efficiency. By leveraging the entanglements of the GHZ state, we proposed a quantum-based two-party protocol to compute binary Boolean functions, with the help of a third party. Although this work primarily focuses on the scenarios involving three parties, the prospect of extending the protocol to accommodate an arbitrary number of n participants holds considerable promise, contributing to the development of SMC protocols in quantum computing. We conducted privacy, security, and efficiency analyses for the proposed protocol. Our results demonstrate the robust security offered by our quantum-based approach, while also highlighting its communication efficiency. Furthermore, we have implemented our protocol on the IBM QisKit platform and obtained experimental results confirming the feasibility and practicality of our approach.