Quantum Secure Multi-party Private Set Intersection Cardinality

Data sharing, a critical element of social networks, has the benefit of uncovering important information but also the disadvantage of information leakage. Without a reliable third-party arbitration agency, mutually distrustful parties cannot share information privately. In this paper we propose a protocol called Quantum Secure Multi-party Private Set Intersection Cardinality (QSMS-IC), which is capable of resisting quantum attacks. QSMS-IC extends the two-party private set intersection cardinality protocol proposed in Information Sciences (2016, 147-158) and uses quantum transformation, quantum measurement and quantum parallelism to solve the multi-party private set intersection cardinality problem. Compared with two-party PSI-CA protocols, our protocol supports data sharing among multiple parties without a reliable third-party arbitration agency. It can be used in numerous applications and is better suited to practical cases, for instance large-scale social networks and privacy-preserving data mining.


Introduction
Secure multi-party computation (SMC) [1][2][3] enables three or more clients to evaluate a function without disclosing any of their private information. Since it was proposed by Yao [25], SMC has attracted wide attention from scholars and has been used in numerous scenarios such as information sharing [19,20] and privacy preservation [4,5].
Private set intersection (PSI) [9,21], a typical application of information sharing, enables two parties holding private sets to compute the intersection without revealing any other information about their private inputs. However, in scenarios with higher privacy requirements, such as medical systems and social networks, private set intersection reveals too much: private personal information may be exposed in part or in whole. For this case, Private Set Intersection Cardinality (PSI-CA) [6,7] was introduced; it prevents the specific contents from being revealed and outputs only the cardinality. In network settings, PSI-CA has great practical value in safeguarding users' privacy [22]. For example, in social networks users can privately compute their common hobbies and interests with a PSI-CA protocol and so decide whether or not to become friends [15]; here the elements of the private sets stand for the hobbies and interests. Users can also privately compute the distance between two physically separate parties, i.e. the Hamming distance proposed in [23]. Further applications include anonymous authentication [8], location privacy [26], and privacy-preserving data mining [24].
Because of these extensive and important applications, several secure private set intersection cardinality protocols have been proposed [11][12][13]. Most of the existing protocols are based on classical cryptography. However, the increasing capability of quantum computers and quantum algorithms poses a serious challenge to the security of these classical PSI-CA protocols, which rely on unproven hardness assumptions [14]. Without strict constraints, two-party computation cannot achieve unconditional security; for example, the large-integer factoring problem can be solved efficiently by fast quantum algorithms [14]. Thus, with the advent of the quantum computer, these classical PSI-CA protocols become vulnerable to attack by quantum computers. Therefore quantum cryptography, which combines quantum computing with cryptography, has drawn the attention of scholars; examples include the quantum sealed-bid auction protocol [27], the quantum anonymous voting protocol [28], quantum signatures [29] and identity-based quantum signatures [30].
Quantum PSI-CA protocols [7,8,10] with unconditional security have also been proposed. Compared with classical cryptography, the most important advantage of quantum cryptography is that an eavesdropper can be detected easily using the properties of quantum mechanics. To the best of our knowledge, the proposed quantum PSI-CA protocols all concern two-party computation [8][9][10]. To support data sharing among multiple parties, we build on the ideas of quantum PSI-CA [8] and quantum counting [16,17] and present an unconditionally secure quantum multi-party set intersection cardinality (QSMS-IC) protocol, which extends the two-party setting to multiple parties. Unlike existing protocols, our QSMS-IC protocol has two clear advantages: compared with classical protocols it offers higher security, and compared with existing quantum protocols it is a true multi-party protocol with wider and more practical applications.
In this paper we present a practical and feasible quantum secure multi-party set intersection cardinality protocol that privately computes the intersection cardinality. The paper is organized as follows: Section 2 gives the basics of quantum computing and the definition of QSMS-IC; Section 3 presents the quantum secure multi-party set intersection cardinality protocol; Section 4 gives the correctness and security analysis; Section 5 concludes the paper.

Quantum Computing
Quantum computing [17], a theory rooted in physics, can also be applied in computer science. In this section we give the basics of quantum computing that we will use.

Quantum Bits
A quantum bit (qubit) is the analogue of the classical bit: the classical values 0 and 1 correspond to the quantum states $|0\rangle$ and $|1\rangle$, which are two orthogonal unit vectors in a 2-dimensional Hilbert space. These two states form a complete orthonormal basis, also called the computational basis. A qubit can also be in a linear combination of these states, a superposition:

$$|\psi\rangle = \alpha|0\rangle + \beta|1\rangle \tag{1}$$

Here $\alpha, \beta$ are complex numbers with $|\alpha|^2 + |\beta|^2 = 1$. Multiple qubits are expressed similarly: an $n$-qubit register can be in any superposition of the $2^n$ basis states, $|\psi\rangle = \alpha_0|00\ldots00\rangle + \alpha_1|00\ldots01\rangle + \cdots$

Quantum Measurement
A measurement is described by a Hermitian operator $M = \sum_m m P_m$, where $P_m$ is the projector onto the eigenspace of $M$ with eigenvalue $m$. After the measurement the state becomes $P_m|\psi\rangle / \sqrt{p(m)}$ with probability $p(m) = \langle\psi|P_m|\psi\rangle$.

Quantum Transformation
In quantum mechanics a unitary transformation describes the evolution of a closed system, $|\psi\rangle = U|\phi\rangle$, where $|\phi\rangle$ is the input state, $U|\phi\rangle$ is the output state, $|\psi\rangle$ is the final state obtained with the unitary transformation $U$, $U^\dagger U = I$, $I$ is the identity operator and $U^\dagger$ is the conjugate transpose of $U$. The NOT gate is the simplest one-qubit quantum logic gate; it maps $|0\rangle$ to $|1\rangle$ and $|1\rangle$ to $|0\rangle$. The Hadamard gate is another one-qubit quantum logic gate. The CNOT gate is a multi-qubit quantum logic gate: $|00\rangle \to |00\rangle$, $|01\rangle \to |01\rangle$, $|10\rangle \to |11\rangle$ and $|11\rangle \to |10\rangle$; the first qubit of the CNOT gate is called the control qubit and the second the target qubit. That is, if the control qubit is 0 the target qubit remains unchanged, and if the control qubit is 1 the target qubit is flipped.
Besides, we also need the quantum Fourier transform, which is the standard discrete Fourier transform. For $x \in \{0, 1, \ldots, M-1\}$, the quantum Fourier transform and the inverse quantum Fourier transform are defined as follows [9]:

Quantum Parallelism
Quantum parallelism allows a quantum computer to perform multiple computations simultaneously. In a classical computer, parallel computing means that several processors carry out different computations at the same time; in a quantum computer, multiple computations are realized by the superposition of multiple states on a single quantum processor. This means a quantum computer has more computational power than a classical one. For example, on a 2-qubit quantum circuit we can apply a quantum transformation $U_f$ defined by $U_f: |x\rangle|y\rangle \to |x\rangle|y \oplus f(x)\rangle$, where $f: \{0,1\} \to \{0,1\}$ is a function and $\oplus$ is addition modulo 2. When $y = 0$ the second qubit is exactly the value $f(x)$, i.e. $U_f: |x\rangle|0\rangle \to |x\rangle|f(x)\rangle$. Furthermore, when $|x\rangle = (|0\rangle + |1\rangle)/\sqrt{2}$, $U_f$ computes $f(0)$ and $f(1)$ simultaneously. This generalizes to a function $f: \{0,1\}^n \to \{0,1\}$, where the qubit lengths of $|x\rangle$ and $|y\rangle$ are $n$ and 1, respectively. Similarly, consider $|x\rangle = H^{\otimes n}|0\rangle^{\otimes n}$ and $|y\rangle = |0\rangle$. Then we see that the quantum transformation $U_f$ computes $f(i)$ for all values of $i$ simultaneously, by (13).
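As an added worked example (not code from the paper), the following pure-Python state-vector simulator implements the pieces defined in this section: the computational basis, the NOT, Hadamard and CNOT gates, the oracle $U_f: |x\rangle|y\rangle \to |x\rangle|y \oplus f(x)\rangle$, and projective measurement with $p(m) = \langle\psi|P_m|\psi\rangle$ and post-measurement state $P_m|\psi\rangle/\sqrt{p(m)}$. The Hadamard matrix is the standard one (the page's definition of it did not survive), and the function $f$ and register sizes are constructed for the demonstration. `parallel_evaluate` prepares $H^{\otimes n}|0\rangle^{\otimes n}|0\rangle$, applies $U_f$ once, and reads every $f(i)$ off the resulting superposition.

```python
import math

# Added example, not the paper's code. An n-qubit register is a list of 2**n
# complex amplitudes; index i encodes the qubit values in binary with qubit 0
# as the most significant bit.

SQRT2 = math.sqrt(2)
HADAMARD = [[1 / SQRT2, 1 / SQRT2], [1 / SQRT2, -1 / SQRT2]]   # standard H gate (assumed)
NOT = [[0, 1], [1, 0]]                                        # NOT gate: |0> <-> |1>


def basis_state(n, value=0):
    """Computational-basis state |value> of an n-qubit register."""
    vec = [0j] * (2 ** n)
    vec[value] = 1 + 0j
    return vec


def is_unitary(gate, tol=1e-12):
    """Check U^dagger U = I for a 2x2 gate, the condition stated for a quantum transformation."""
    for i in range(2):
        for j in range(2):
            s = sum(complex(gate[k][i]).conjugate() * gate[k][j] for k in range(2))
            if abs(s - (1 if i == j else 0)) > tol:
                return False
    return True


def apply_1q(gate, vec, target, n):
    """Apply a 2x2 gate to qubit `target` of an n-qubit state (identity on the other qubits)."""
    out = [0j] * len(vec)
    shift = n - 1 - target
    for i, amp in enumerate(vec):
        if amp == 0:
            continue
        bit = (i >> shift) & 1
        for new_bit in (0, 1):
            j = (i & ~(1 << shift)) | (new_bit << shift)
            out[j] += gate[new_bit][bit] * amp
    return out


def cnot(vec, control, target, n):
    """CNOT: flip `target` wherever `control` is 1; a permutation of amplitudes."""
    out = list(vec)
    c_shift, t_shift = n - 1 - control, n - 1 - target
    for i, amp in enumerate(vec):
        if (i >> c_shift) & 1:
            out[i ^ (1 << t_shift)] = amp
    return out


def apply_uf(vec, f, n):
    """U_f on an (n+1)-qubit state: |x>|y> -> |x>|y xor f(x)>, x = top n qubits, y = last qubit."""
    out = [0j] * len(vec)
    for i, amp in enumerate(vec):
        x, y = i >> 1, i & 1
        out[(x << 1) | (y ^ f(x))] += amp
    return out


def measure_prob(vec, qubit, outcome, n):
    """p(m) = <psi|P_m|psi> for the projector P_m onto `qubit` reading `outcome`."""
    shift = n - 1 - qubit
    return sum(abs(amp) ** 2 for i, amp in enumerate(vec) if ((i >> shift) & 1) == outcome)


def post_measurement(vec, qubit, outcome, n):
    """State P_m|psi>/sqrt(p(m)) after observing `outcome` on `qubit`."""
    p = measure_prob(vec, qubit, outcome, n)
    shift = n - 1 - qubit
    return [amp / math.sqrt(p) if ((i >> shift) & 1) == outcome else 0j
            for i, amp in enumerate(vec)]


def parallel_evaluate(f, n):
    """Prepare H^{(x)n}|0...0>|0>, apply U_f once, and read f(x) for every x from the result."""
    vec = basis_state(n + 1)
    for q in range(n):                      # H^{(x)n} on the x register only
        vec = apply_1q(HADAMARD, vec, q, n + 1)
    vec = apply_uf(vec, f, n)
    # After one U_f, each |x> sits next to exactly one y value, namely f(x).
    table = {}
    for x in range(2 ** n):
        table[x] = [y for y in (0, 1) if abs(vec[(x << 1) | y]) > 1e-12][0]
    return table, vec


def bell_state():
    """(|00> + |11>)/sqrt(2): H on qubit 0 followed by CNOT with control 0 and target 1."""
    vec = apply_1q(HADAMARD, basis_state(2), 0, 2)
    return cnot(vec, 0, 1, 2)


if __name__ == "__main__":
    # Constructed example function on 2 qubits: f(x) = 1 exactly for x in {1, 2}.
    f = lambda x: 1 if x in (1, 2) else 0
    table, state = parallel_evaluate(f, 2)
    print("f evaluated for all inputs at once:", table)
    print("p(last qubit = 1) =", measure_prob(state, 2, 1, 3))   # fraction of inputs with f(x) = 1
```

Reading the last qubit of the state produced by `parallel_evaluate` yields 1 with probability equal to the fraction of inputs on which $f$ is 1; that fraction is exactly the quantity $t/N$ that the counting step of the protocol later estimates.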

Quantum Secure Multi-Party Set Intersection Cardinality
Here we give the definition of quantum secure multi-party set intersection cardinality (QSMS-IC).
Definition 1. In QSMS-IC there are $n-1$ clients $U_i$, $i = 2, \ldots, n$, whose inputs are the private sets $A_i$ ($i = 2, 3, \ldots, n$), and a server $U_1$ with the set $A_1 = \{1, \ldots, 1\}$. After running the QSMS-IC protocol, the clients $U_i$ learn nothing except the cardinality of the intersection $|A_1 \cap A_2 \cap \cdots \cap A_n|$. In addition, QSMS-IC should meet the following privacy requirements:
Client $U_i$ privacy: the clients $U_i$ learn no information about the sets of the other clients except the set sizes $|A_i|$.
Fairness: all clients $U_i$ are peer entities, and no one can obtain private information by deceiving the others. Finally, all clients obtain the cardinality result with equal chance.

System Model
Based on quantum parallelism, quantum PSI-CA [7,8] and Grover's search algorithm [18], we propose a new QSMS-IC protocol. First we assume that the system model has $n$ entities, one server and $n-1$ clients, and the private set logN,). Moreover, assume that $\sum_{i=1}^{n} n_{c_i} < N/2$, where $N$ and the $n_{c_i}$ are public. Figure 1 shows the system model of the QSMS-IC protocol.
As shown in Fig. 1, there are $n-1$ clients and one server. In the protocol we suppose that all clients and the server are semi-honest: they are curious about the privacy of others but honestly carry out the operations of the scheme.

Operation Steps
The protocol consists of nine steps, as follows (also shown in Fig. 2).
Step 1. The server $U_1$ initializes the state $|\varphi_0\rangle = |0\rangle^{\otimes n}$, then applies $H^{\otimes n}$ to $|\varphi_0\rangle$ and obtains the state $|\varphi_1\rangle$.
Step 2. The server $U_1$ then introduces an ancillary state $|r\rangle$, where $r$ is a random number in the set $\{0, 1\}$, and applies a transformation $U_{f_s}$ to $|\varphi_1\rangle \otimes |r\rangle$; $U_{f_s}$ is defined as follows, where $\oplus$ is addition modulo 2. Then we apply the same transformation $U_{f_s}$ to $|\varphi_2\rangle \otimes |1\rangle$. The server $U_1$ then sends $|\varphi_2\rangle, |\varphi_2'\rangle$ to the client $U_2$ through the quantum channel.
Step 3. When the client $U_2$ receives the states $|\varphi_2\rangle, |\varphi_2'\rangle$, it applies another transformation $U_{f_c}$ to $|\varphi_2\rangle$; $U_{f_c}$ is defined as follows, where $\times$ is logical multiplication. It then applies $U_{f_c}$ to $|\varphi_2'\rangle$ in the same way. The client $U_2$ then sends $|\varphi_3\rangle, |\varphi_3'\rangle$ to the client $U_3$ through quantum channel 2.
Step 4. After the client $U_3$ receives $|\varphi_3\rangle, |\varphi_3'\rangle$, it applies the same transformation $U_{f_c}$ to $|\varphi_3\rangle$; we write the result as $U_{f_c}(|\varphi_3\rangle)$. The client $U_3$ then applies $U_{f_c}$ to $|\varphi_3'\rangle$, with result $U_{f_c}(|\varphi_3'\rangle)$, and sends $U_{f_c}(|\varphi_3\rangle), U_{f_c}(|\varphi_3'\rangle)$ to the client $U_4$ through quantum channel 3. After the client $U_4$ receives $U_{f_c}(|\varphi_3\rangle), U_{f_c}(|\varphi_3'\rangle)$, it applies $U_{f_c}$ to each of them and sends the results to the next client, and so on until the last client $U_n$. The last client $U_n$ applies $U_{f_c}$ to each state and uses $|\varphi\rangle, |\varphi'\rangle$ as the final results, which are sent to the server $U_1$.
Step 5. When the server $U_1$ receives the state $|\varphi\rangle$, it applies the transformation $U_{f_s}$ to $|\varphi\rangle \otimes |r\rangle$ and then applies $U_{f_c}$ to the state $U_{f_s}(|\varphi\rangle)$. When the server $U_1$ receives the state $|\varphi'\rangle$, it applies two $U_{f_s}$ transformations to $|\varphi'\rangle$.
Step 6. The server $U_1$ then applies the $U_f$ transformation to $|\varphi_4\rangle$ and $|\varphi_4'\rangle$, obtaining $|\varphi_6\rangle$ of the form $|y\rangle \otimes |\varphi_5\rangle$.
Step 7. The server $U_1$ then applies a quantum operator $C_F$ to $|\varphi_6\rangle$, giving the state $|\varphi_7\rangle$, where $C_F$ acts as

$$|\varphi_7\rangle = C_F|\varphi_6\rangle = \sum_y |y\rangle \otimes G^y|\varphi_5\rangle \tag{26}$$

$G$ is defined by $G = U_{\varphi_6} U_{f_r}$ and is an amplitude amplification operator; $I$ is the identity operator.
Step 8. The server $U_1$ applies $QFT^{-1}$ to the first $\log M$ qubits of $|\varphi_7\rangle$, then measures the first $\log M$ qubits to obtain $|x\rangle$, and outputs $N\sin^2(\frac{x}{M}\pi)$ as the estimate of $t$, where $t$ is the number of items whose last qubit in $|\varphi_6\rangle$ is $|1\rangle$, i.e. the terms of the form $|x\rangle|1\rangle$ in $|\varphi_6\rangle$. If $t < N/2$, the server $U_1$ outputs the corresponding value; otherwise it outputs $(n_c + n_s + t) - N/2$, that is, $|A_1 \cap A_2 \cap \cdots \cap A_n| = (n_c + n_s + t) - N/2$.
Step 9. The server sends the result $t$ to all the clients.
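The counting subroutine of Steps 6 to 8 (controlled powers of the amplitude-amplification operator $G$ as in (26), inverse QFT on the $\log M$-qubit index register, measurement of $x$, and the estimate $N\sin^2(x\pi/M)$) can be simulated exactly for small $N$ and $M$. The following is an added example, not the paper's code. It also supplies the QFT and inverse QFT matrices whose definition in the Quantum Transformation section did not survive extraction (the standard $\exp(\pm 2\pi i xy/M)/\sqrt{M}$ form). The oracle marks a constructed set of inputs, standing in for the $x$ whose last qubit of $|\varphi_6\rangle$ is $|1\rangle$. $G$ is taken to be the standard Grover iterate (sign-flip oracle followed by inversion about the mean), which is an assumption since the page's two factors of $G$ are garbled; the error bound used to score the output is the standard amplitude-estimation bound $2\pi\sqrt{t(N-t)}/M + \pi^2 N/M^2$, assumed here because the page's Theorem 1 is cut off after $2\pi$.

```python
import cmath
import math

# Added example (not the paper's code): exact simulation of the quantum counting
# step on tiny registers. N = size of the search register, M = number of points
# of the phase-estimation (QFT) register.


def qft_matrix(M, inverse=False):
    """QFT (or inverse QFT) on an M-dimensional register, standard definition:
    F[x][y] = exp(+-2*pi*i*x*y/M) / sqrt(M)."""
    sign = -1 if inverse else 1
    return [[cmath.exp(sign * 2j * math.pi * x * y / M) / math.sqrt(M)
             for y in range(M)] for x in range(M)]


def matmul(a, b):
    return [[sum(a[i][k] * b[k][j] for k in range(len(b))) for j in range(len(b[0]))]
            for i in range(len(a))]


def is_identity(mat, tol=1e-9):
    return all(abs(mat[i][j] - (1 if i == j else 0)) < tol
               for i in range(len(mat)) for j in range(len(mat)))


def grover_iterate(vec, marked):
    """One Grover iteration G = D * O (assumed form of the paper's G):
    O flips the sign of marked amplitudes, D = 2|s><s| - I inverts about the mean."""
    flipped = [-amp if x in marked else amp for x, amp in enumerate(vec)]
    mean = sum(flipped) / len(flipped)
    return [2 * mean - amp for amp in flipped]


def counting_distribution(N, marked, M):
    """Probability of measuring each x in 0..M-1 after
    (1/sqrt M) sum_y |y>|s>  ->  C_F = sum_y |y><y| (x) G^y  ->  QFT^-1 on the |y> register."""
    uniform = [1 / math.sqrt(N)] * N        # |s> = H^{(x)n}|0...0>, the search register
    blocks = []                              # blocks[y] = search-register amplitudes next to |y>
    cur = uniform
    for y in range(M):
        blocks.append([amp / math.sqrt(M) for amp in cur])   # G^y|s> / sqrt(M)
        cur = grover_iterate(cur, marked)
    inv = qft_matrix(M, inverse=True)
    probs = []
    for x in range(M):
        out = [sum(inv[x][y] * blocks[y][k] for y in range(M)) for k in range(N)]
        probs.append(sum(abs(amp) ** 2 for amp in out))      # trace out the search register
    return probs


def estimate_from_x(x, N, M):
    """Step 8 output: N * sin^2(x*pi/M) as the estimate of t."""
    return N * math.sin(math.pi * x / M) ** 2


def estimation_error_bound(N, t, M):
    """Standard amplitude-estimation error bound (assumed; the page's Theorem 1 is truncated)."""
    return 2 * math.pi * math.sqrt(t * (N - t)) / M + math.pi ** 2 * N / M ** 2


def quantum_count(N, marked, M):
    """Return (most likely x, its estimate of t, probability that the estimate lies within the bound)."""
    probs = counting_distribution(N, marked, M)
    t = len(marked)
    bound = estimation_error_bound(N, t, M)
    best_x = max(range(M), key=lambda x: probs[x])
    p_within = sum(p for x, p in enumerate(probs)
                   if abs(estimate_from_x(x, N, M) - t) <= bound)
    return best_x, estimate_from_x(best_x, N, M), p_within


if __name__ == "__main__":
    # Constructed instance: N = 8 search states, 2 of them marked, M = 16-point QFT register.
    x, t_hat, p_ok = quantum_count(8, {2, 5}, 16)
    print(f"measured x={x}, estimate t~={t_hat:.3f} (true t=2), P(within bound)={p_ok:.3f}")
```

Because $G$ has eigenvalues $e^{\pm 2i\theta}$ with $\sin^2\theta = t/N$, the index register peaks at $x \approx \theta M/\pi$ and at its mirror $M - x$; both give the same $N\sin^2(x\pi/M)$, which is why the simulation reports the probability mass within the bound rather than a single peak. When $\theta M/\pi$ is an integer (for instance $t = N/2$ with $M = 8$) the estimate is exact.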
If we want to check whether someone is intercepting the channel, the bait (decoy) particle technique can be used. That is, when a qubit sequence is transmitted, the sender randomly inserts some bait particles, each prepared at random in either the Z-basis $\{|0\rangle, |1\rangle\}$ or the X-basis $\{(|0\rangle + |1\rangle)/\sqrt{2}, (|0\rangle - |1\rangle)/\sqrt{2}\}$. When the receiver has received the sequence, the sender publishes the positions of the bait particles and their measurement bases. The receiver then measures the bait particles according to the published bases and tells the sender the measurement results. The sender compares the receiver's results with the initially prepared bait particles and analyzes them. If the error rate is too high relative to the channel noise, the protocol is aborted and the transmission restarted; otherwise it proceeds to the next step.
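The bait-particle check described above, as an added example that is not part of the paper: a seeded, constructed simulation in which the sender prepares random Z- or X-basis decoys, the channel either delivers them intact or subjects them to an intercept-resend measurement, and the receiver measures in the announced bases so that the sender can compare the error rate against a threshold. Decoys are modelled classically as (basis, bit) pairs, which is exact for these two conjugate bases. `expected_intercept_resend_error` enumerates the probability tree and returns the per-decoy error rate that interception of this kind introduces, which is the quantity the threshold is chosen to detect.

```python
import random

# Added example (not the paper's code). A decoy qubit is modelled as (basis, bit):
# Z-basis {|0>, |1>} or X-basis {|+>, |->}. Measuring in the preparation basis
# returns the bit; measuring in the conjugate basis returns a uniformly random bit
# and leaves the qubit in the measured state.

BASES = ("Z", "X")


def outcome_probs(particle, basis):
    """Probability of each measurement outcome for a decoy measured in `basis`."""
    p_basis, p_bit = particle
    if p_basis == basis:
        return {p_bit: 1.0}
    return {0: 0.5, 1: 0.5}


def measure(particle, basis, rng):
    """Sample a projective measurement; return (outcome, post-measurement particle)."""
    probs = outcome_probs(particle, basis)
    outcome = rng.choices(list(probs), weights=list(probs.values()))[0]
    return outcome, (basis, outcome)


def prepare_decoys(k, rng):
    """Sender prepares k bait particles with random basis and random bit (constructed)."""
    return [(rng.choice(BASES), rng.randrange(2)) for _ in range(k)]


def intercept_resend(particles, rng):
    """Channel model for an interceptor who measures each decoy in a random basis
    and forwards the post-measurement state."""
    return [measure(p, rng.choice(BASES), rng)[1] for p in particles]


def decoy_error_rate(sent, received, rng):
    """Sender announces positions and bases; receiver measures and reports; sender compares."""
    errors = 0
    for (basis, bit), particle in zip(sent, received):
        outcome, _ = measure(particle, basis, rng)
        errors += outcome != bit
    return errors / len(sent)


def run_check(k, eavesdropper, seed, threshold=0.1):
    """Return (observed decoy error rate, whether the protocol continues)."""
    rng = random.Random(seed)
    sent = prepare_decoys(k, rng)
    received = intercept_resend(sent, rng) if eavesdropper else list(sent)
    rate = decoy_error_rate(sent, received, rng)
    return rate, rate <= threshold


def expected_intercept_resend_error():
    """Exact per-decoy error probability under intercept-resend, enumerating the uniform
    choices of sender basis, sender bit and interceptor basis (weight 1/8 each)."""
    total = 0.0
    for s_basis in BASES:
        for bit in (0, 1):
            for e_basis in BASES:
                for e_bit, p_e in outcome_probs((s_basis, bit), e_basis).items():
                    for out, p_r in outcome_probs((e_basis, e_bit), s_basis).items():
                        total += p_e * p_r * (out != bit) / 8
    return total


if __name__ == "__main__":
    print("expected error under intercept-resend:", expected_intercept_resend_error())
    print("clean channel:", run_check(400, eavesdropper=False, seed=7))
    print("intercepted channel:", run_check(400, eavesdropper=True, seed=7))
```

On a noiseless channel the decoy error rate is exactly zero, so any threshold above the expected channel noise and well below 25% separates the two cases; the number of decoys `k` controls how sharply the observed rate concentrates around its expectation.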
Theorem 1 [16]. For any $M \in \mathbb{Z}$, $|\tilde{t} - t| \le 2\pi\ldots$ Then we know the relation between $t$ and $|A_1 \cap A_2 \cap \cdots \cap A_n|$. In Step 8 we obtain the estimate of $t$ with high probability $p \ge 8/\pi^2$ and error $\varepsilon$, which is very small, $\varepsilon \le 2\pi\ldots$; so the QSMS-IC protocol obtains the estimate of $|A_1 \cap A_2 \cap \cdots \cap A_n|$ with high probability $p \ge 8/\pi^2$ and small error $\varepsilon$. We now analyze the security.
Theorem 2 (Client privacy). In the QSMS-IC protocol, the client $U_i$ cannot obtain information about the elements of $A_1$ except the set size, and the server $U_1$ cannot obtain information about the elements of $A_i$ except the set size.
Proof. In the QSMS-IC protocol, the server $U_1$ sends a quantum state $|\varphi_2\rangle$ to the client $U_2$ without revealing the elements of its set. Although the state $|\varphi_2\rangle$ carries the information of $f_{A_1}(x)$, the client $U_2$ cannot extract $f_{A_1}(x)$ from $|\varphi_2\rangle$. Suppose that the quantum state $|\varphi_2\rangle$ consists of two subsystems: the $n$-qubit system $C$ and the 1-qubit ancillary system $S$. Suppose the clients are semi-honest, i.e. curious about the other clients' information but faithfully transmitting their own. If the client makes a projective measurement on $|\varphi_2\rangle$, it obtains $|x\rangle|r \oplus f_{A_1}(x)\rangle$ with probability $1/N$. Thus $S$ can be characterized by the quantum ensemble $\xi \equiv \{p_x, \rho_S(x)\}$ with $p_x = 1/N$. Since $|\varphi_2\rangle = \frac{1}{\sqrt{N}}\sum_{x=0}^{N-1} |x\rangle|r \oplus f_{A_1}(x)\rangle$, $S$ can also be described by the following density operator: $\rho_S(x) = \mathrm{Tr}_C\,|\varphi_2\rangle\langle\varphi_2| = \langle 0|\varphi_2\rangle\langle\varphi_2|0\rangle + \langle 1|\varphi_2\rangle\langle\varphi_2|1\rangle + \cdots$
Thus $\rho_S$ is the average state of $S$. Based on the Holevo bound [14], we obtain the bound, which attains its maximum at $t = N/2$. This is the upper bound on what the clients can obtain from $S$ through measurement. But the client $U_2$ does not know the random $r$ selected by the server $U_1$, so $H(r) = 1$ ($H(\cdot)$ is the Shannon entropy and $S(\cdot)$ the von Neumann entropy). That is, $f_{A_1}(x)$ is encrypted with the random $r$ as a one-time pad. So from $|\varphi_2\rangle$, $U_2$ cannot obtain the information of $f_{A_1}(x)$.
In addition, if a client does not honestly execute the protocol, it can send a fake state $|X\rangle$ to the server instead of the state $|\varphi_1\rangle$. Accordingly, the state returned from the server will be $|x\rangle|r \oplus f_{A_1}(x)\rangle$ rather than $|\varphi_2\rangle$. Because of the random number $r$, the client obviously still obtains no information about $f_{A_1}(x)$. So the client $U_i$ cannot obtain the information of $f_{A_1}(x)$, due to the random $r$. Therefore, in the QSMS-IC protocol, the client $U_i$ cannot obtain the set elements of $A_1$ except the set size $n_{c_i}$; similarly, the server $U_1$ cannot obtain the information of the elements of $A_i$ except the set size.
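To make the Holevo-bound step of the proof concrete, the following added example (not the paper's code) builds the ensemble $\{p_x, \rho_S(x)\}$ of the one-qubit ancilla $S$ for a constructed $f_{A_1}$ with $t$ ones among $N$ inputs and computes the Holevo quantity $\chi = S(\sum_x p_x \rho_S(x)) - \sum_x p_x S(\rho_S(x))$. With $r$ known, $\chi$ equals the binary entropy $H_2(t/N)$, which is maximal (1 bit) at $t = N/2$, as the proof states; with $r$ uniformly random and unknown to the client, every $\rho_S(x)$ averages to $I/2$ and $\chi = 0$, which is the one-time-pad argument. The indicator function used for $f_{A_1}$ and the values of $N$ and $t$ are constructed for the demonstration.

```python
import math

# Added example (not the paper's code). Density matrices are 2x2 nested lists of complex numbers.


def ket_bra(bit):
    """|bit><bit| for a computational-basis bit."""
    rho = [[0j, 0j], [0j, 0j]]
    rho[bit][bit] = 1 + 0j
    return rho


def von_neumann_entropy(rho):
    """S(rho) = -sum lambda log2 lambda for a 2x2 Hermitian rho (closed-form eigenvalues)."""
    tr = (rho[0][0] + rho[1][1]).real
    det = (rho[0][0] * rho[1][1] - rho[0][1] * rho[1][0]).real
    disc = math.sqrt(max(tr * tr / 4 - det, 0.0))
    eigs = [tr / 2 + disc, tr / 2 - disc]
    return -sum(l * math.log2(l) for l in eigs if l > 1e-12)


def holevo_quantity(ensemble):
    """chi = S(sum_x p_x rho_x) - sum_x p_x S(rho_x) for a list of (p_x, rho_x)."""
    avg = [[sum(p * rho[i][j] for p, rho in ensemble) for j in range(2)] for i in range(2)]
    return von_neumann_entropy(avg) - sum(p * von_neumann_entropy(rho) for p, rho in ensemble)


def ancilla_ensemble(f, N, r):
    """Ensemble seen on S: outcome |x>|r xor f(x)> with p_x = 1/N, the bit r being known."""
    return [(1 / N, ket_bra(r ^ f(x))) for x in range(N)]


def ancilla_ensemble_unknown_r(f, N):
    """Same ensemble when r is uniformly random and unknown: rho_S(x) is averaged over r."""
    ensemble = []
    for x in range(N):
        rho0, rho1 = ket_bra(f(x)), ket_bra(1 ^ f(x))
        mixed = [[(rho0[i][j] + rho1[i][j]) / 2 for j in range(2)] for i in range(2)]
        ensemble.append((1 / N, mixed))
    return ensemble


def indicator(t):
    """Constructed f_{A_1}: 1 for the first t inputs, 0 otherwise (t marked elements)."""
    return lambda x: 1 if x < t else 0


def chi_known_r(N, t, r=0):
    return holevo_quantity(ancilla_ensemble(indicator(t), N, r))


def chi_unknown_r(N, t):
    return holevo_quantity(ancilla_ensemble_unknown_r(indicator(t), N))


def argmax_chi(N):
    """The t in 0..N that maximizes the client's bound when r is known."""
    return max(range(N + 1), key=lambda t: chi_known_r(N, t))


if __name__ == "__main__":
    for t in (0, 2, 4, 8):
        print(f"N=8, t={t}: chi(known r)={chi_known_r(8, t):.4f}, "
              f"chi(unknown r)={chi_unknown_r(8, t):.4f}")
```

The known-$r$ value is independent of which $r$ the server chose (swapping $r$ only relabels the two outcomes), which is why the bound is a function of $t/N$ alone; the unknown-$r$ value is zero for every $t$, so a single measured ancilla bit carries no information about $f_{A_1}(x)$ without $r$.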

Conclusion
In this paper we proposed a protocol called Quantum Secure Multi-party Set Intersection Cardinality to privately compute the cardinality of a set intersection. Unlike classical PSI-CA protocols, the proposed QSMS-IC protocol achieves unconditional security, since its security is guaranteed by the basic principles of quantum mechanics; compared with the quantum PSI-CA protocol for two-party set intersection, the proposed protocol achieves multi-party set intersection. In addition, our scheme handles dynamic updating very simply, because adding or deleting a client only requires computing some set operations. Moreover, the protocol is well suited to large-scale social networks, where, for instance, users can privately compute their common hobbies.
Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.