METHOD FOR SECURELY COMPUTING A LOGICAL AND BETWEEN TWO BITS USING QUANTUM COMMUNICATION

20230162076 · 2023-05-25

Inventors

Marc KAPLAN (MONTROUGE, FR)

Cpc classification

International classification

Abstract

Method for computing a logical AND between two chosen bits, xi, xj, held by first and second participants, including a first phase comprising a step in which said first and second participants determine a first correlation variable and a second correlation variable, each determine a random bit, p and q, and transmit, to said server, a value dependent on said random bit p, q, a step in which the server prepares a photon in a first state; a step in which said first participant applies a first transformation V Up to said photon; a step in which the second participant applies a second transformation V Uq to said photon, and a step in which the server performs a third transformation (U*)p+q, measures the state of the photon and determines a third correlation variable; and a second phase comprising a step in which said first and second participants exchange a value u1, u2 dependent on the sum of the random bit, p, q and the chosen bit, xi, xj; and a step in which said first participant computes and delivers a first value a=+xiΛu2, said second participant computes and delivers a second value b=+xjΛu1+u1Λu2 and said server delivers the third correlation value, so that the result of the computation of the logical “and” between said chosen bits may be obtained by summing said first and second values and said third correlation variable.

Claims

1. A method for calculating a logical AND between two chosen bits, x.sub.i, x.sub.j held by a first and a second participants, C.sub.i, C.sub.j respectively, connected to each other and to a server (C.sub.1), by at least one quantum communication channel (Lq) and one conventional communication channel (Lc), comprising a first phase using said quantum communication channel and comprising a first step (S1) wherein said first and second participants randomly determine, respectively, a first aα and second β correlation variable; they each determine a random bit, respectively p and q, and transmit to said server (C.sub.1), a value dependent on said respective random bit p, q; a second step (S2) wherein said server (C.sub.1) prepares a photon in a first state in an orthonormal basis, and transmits it to said first participant (Ci); a third step (S3) wherein said first participant (C.sub.i) applies a first transformation V.sup.αU.sup.p to said photon, and transmits it to said second participant (C.sub.j), the logic gate V transforming a state into an orthogonal state and the logic gate U being a square root of the logic gate V; a fourth step (S4) wherein said second participant (C.sub.j) applies a second transformation V.sup.βU.sup.q to said photon, and transmits it to said server; a fifth step (S5) wherein the server C.sub.1 performs a third transformation (U*).sup.p+q, measures the state of said photon and determines a third correlation variable γ based on said state, so as to form a correlation between said correlation variables; and, a second phase comprising a sixth step (S6) wherein said first and second participants exchange a value u1, u2 depending on the sum between the random bit, p, q, and the chosen bit, x.sub.i, x.sub.j, they hold, respectively; a seventh step (S7) wherein said first participant calculates and provides a first value a=α+x.sub.iΛu2, said second participant calculates and provides a second value b=β+x.sub.jΛu1+u1Λu2 and said server provides the third correlation variable γ, so that the result of the computation of the logical “and” between said chosen bits can be obtained by summing said first and second values and said third correlation variable.

2. The method according to claim 1, wherein said first phase is carried out before said chosen bits are known to said participants

3. The method according to claim 1, wherein in said first step (S1) said first and second participants transmit respective values t1=p+r and t2=q+r, where r is a bit secretly shared by said first and second participants;

4. The method according to claim 1, wherein said first state is the |+> state

5. The method according to claim 1, wherein said conventional communication channel (Lc) is a secure channel.

6. A device for calculating a logical AND between two chosen bits, x.sub.i x.sub.j held by a first and a second participants (C.sub.i, C.sub.j respectively), connected to each other and to a server (C.sub.1), by at least one quantum communication channel (Lq) and one conventional communication channel (Lc), comprising means for implementing the method according to claim 1.

7. The device according to claim 6, wherein said first and second participants belong to a chain of participants, wherein the two participants at the ends (C.sub.1, C.sub.N respectively) implement said server, an upstream participant being able to emit a photon, and a downstream participant (C.sub.N) being able to receive a photon and measure its state.

8. The device according to claim 6, wherein said first and second participants belong to a ring of participants, such that a given participant (C.sub.1) implements said server and is able to emit a photon, receive a photon, and measure its state.

9. The device according to claim 6, wherein said server comprises a laser adapted to generate photons and an initial modulator adapted to modulate a degree of freedom of a photon generated by said laser.

10. The device according to claim 6, wherein said first and second participants comprise modulators capable of modulating an electromagnetic field through which the photons pass in order to change a degree of freedom thereof.

Description

DESCRIPTION OF THE FIGURES

[0031] FIGS. 1a and 1b show two variations of an example architecture of a device for secure multi-party computation according to an embodiment of the invention.

[0032] FIG. 2 shows in table form several examples of degrees of freedom for quantum bit encoding.

[0033] FIG. 3 shows an embodiment of the method, or protocol, for secure multi-party computation of the logical “AND” in which the main steps are shown.

DESCRIPTION OF IMPLEMENTATIONS OF THE INVENTION

[0034] As discussed in the introduction, one of the purposes of the invention is to enable secure multi-party computation between a set of participants.

[0035] According to one embodiment, these participants can be organized in a chain as shown in FIG. 1b or in a ring as shown in FIG. 1a.

[0036] The N participants C.sub.1, C.sub.2, C.sub.3 . . . C.sub.N can communicate with their immediate neighbors only and through at least two communication channels: a quantum communication channel Lq and a classical, or conventional, communication channel LC.

[0037] This conventional communication channel Lc can be secured. The security can be achieved for example through the quantum communication channel which allows the exchange of encryption keys with unconditional security. It can be of different types, depending on the embodiments. Typically, it can be a digital communication channel compliant with the TCP/IP protocol stack. It can be a wired channel (Ethernet, etc.) or wireless (WiFi, cellular, etc).

[0038] According to another embodiment, the conventional communication channel Lc can be of the “broadcast” type. Thus, all participants receive data from all participants. However, the security by exchanging encryption keys can be peer-to-peer, so that the conventional “physical” communication channel Le supports a set of peer-to-peer “logical” communication channels, connecting each of the participants to its neighbors.

[0039] In practice, the participants can be of various types: they can be computers connected to a communication network, or virtual machines deployed on a server or on a server farm, etc.

[0040] The quantum communication channel Lq can be implemented in different ways as well.

[0041] According to one embodiment, the quantum communication channel Lq is provided to allow the transmission of light signals enabling the transport of quantum bits, generally called “qubits”. It is typically an optical fiber.

[0042] Quantum bits can be encoded with photons according to their degree of freedom. “Photon degree of freedom” refers to a physical property described by quantum mechanics and usable for quantum communications. Examples of photon degrees of freedom are phase, phase difference, frequency, polarization or temporal location. In this description, we use the formalism that represents a quantum state as a vector |α> in a d-dimensional Hilbert vector space. The concept of Hilbert vector space extends the methods of linear algebra by generalizing the notions of Euclidean space (like the Euclidean plane or the usual space of dimension 3) and Hermitian space to spaces of any dimension (finite or infinite). A vector |α> of a d-dimensional Hilbert vector space can be described via a basis of the d-dimensional Hilbert vector space.

[0043] FIG. 2 gives examples of photon degrees of freedom, in a 2-dimensional Hilbert vector space.

[0044] A first participant C.sub.1 is intended to emit the photons, which will be transmitted from one to the next along the chain.

[0045] According to a chain embodiment, as shown in FIG. 1b, this transmission is performed to the most downstream participant C.sub.N in the chain which may be provided to perform measurements of the photon states and thus read the states of the associated qubits. This participant C.sub.N is intended to communicate with participant C.sub.1 through a secure communication channel L.sub.s.

[0046] According to a ring embodiment, as shown in FIG. 1a, the transmission is performed up to the first participant C.sub.1. As we shall see, this first participant thus plays the roles of sender and receiver.

[0047] The first participant C.sub.1 can be called the “sender”. In practice, it can be implemented in different ways. For example, it may comprise a laser capable of generating photons and an initial modulator capable of modulating a degree of freedom of a generated photon.

[0048] According to one embodiment, a modulation is carried out on the time interval for which a photon is to be generated, the overall energy of which corresponds to a photon energy quantum.

[0049] According to another embodiment, the phase difference is used as a degree of freedom to encode the qubits. Also, the sender C.sub.1 generates the photons by modulating them according to two peaks, each in a half-interval of the interval corresponding to the photon to be generated. The total energy of this modulation being, by configuration, equal to the energy quantum of a photon, each photon thus generated is a superposition of a photon between these two half-intervals.

[0050] The laser can be provided with a wavelength of 1550 nm which corresponds to the minimum attenuation in optical fibers commonly used in telecommunications.

[0051] The N-2 participants besides the endpoint participants C.sub.1, C.sub.N are modulators. They are not designed to emit photons but only to modulate an electromagnetic field in which the photons pass in order to modify one of their degrees of freedom.

[0052] According to one embodiment (FIG. 1b), the most downstream participant C.sub.N in the chain can be called a receiver. According to another embodiment (FIG. 1a), the participant C.sub.1 is both a sender and a receiver.

[0053] The receiving participant, C.sub.1, C.sub.N, may comprise a single photon detector. Different mechanisms exist in the prior art. For example, there are detectors based on avalanche photodiodes (APDs).

[0054] It is possible to set up bidirectional communication channels, so that quantum bits (or qubits) can be transmitted in both directions of the chain. In such a case, the sender C.sub.1 can also be a receiver, that is it can have measuring means (single photon detector).

[0055] Depending on the type of degree of freedom, different types of modulators and detectors can be used by the participants C.sub.1, C.sub.2, C.sub.3 . . . C.sub.N.

[0056] When the degree of freedom of photons to encode quantum bits is the phase, the modulators can be phase modulators. For example, the LN53S-FC or LN65S-FC model marketed by Thorlabs can be used.

[0057] When the degree of freedom of photons to encode quantum bits is photon polarization, the modulators can be polarization modulators. For example, a model from the PSC-LN series of products marketed by iXblue Photonics can be used.

[0058] When the degree of freedom of the photons to encode the quantum bits is the temporal location of the photons, the modulators may each comprise a number d of delay lines and a number 2d of splitter plates, where d represents the dimension of the Hilbert vector space of representation of the quantum states. The superposition of temporal locations to be realized to create an incompatible base can be obtained by programming the splitter plates.

[0059] The same principle can be used for detection by the receiver C.sub.N. This can have only one single photon detector, downstream of a similar device allowing to separate the beams and to delay the beams differently so that after recombination of the beams, the instant of the detection of the photon makes it possible to determine the temporal location of that photon.

[0060] This architecture can be used for secure multi-party computation between participants.

[0061] It is known that any computation on binary data can be reduced to a combination of universal logical operators. These universal logical operators are “NAND” (for “Not And”) and “NOR” (for “Not Or”).

[0062] Carrying out a logical “NOT” operator does not pose any particular problem of security since it is a local operator. On the other hand, the logical operators AND OR can involve several participants and thus imply a security problem to make it possible to obtain the result of the operation without any of the participants knowing the value held by the other participants.

[0063] It is more common to use the “NOT AND” operator. Also, the invention addresses the particular sub-problem of computing a logical AND between multiple participants. More specifically, it deals with the computation of a logical AND between two participants, it being understood that switching to more than two participants amounts to combining several “AND” operators.

[0064] In the following we will denote x.sub.i Λ x.sub.j the logical “and” operation between the bits x.sub.i and x.sub.j.

[0065] The invention thus aims to calculate a logical AND between bits x.sub.i and x.sub.j held by two participants, C.sub.i and C.sub.j respectively, where 1<i<N and 1<j<N and, of course, i≠j, with the constraints that [0066] Participant C; should not be able to learn more information than the values of bit x.sub.i and x.sub.i Λ x.sub.j (indeed, it should not be able to know the value of bit x.sub.j), [0067] participant C.sub.j should not be able to learn more information than the values of bit x.sub.j and of x.sub.i Λ x.sub.j (indeed, it should not be able to know the value of bit x.sub.i), [0068] no other party to the computation should be able to know either x.sub.i or x.sub.j.

[0069] We will call these two bits x.sub.i and x.sub.j, “chosen bits”.

[0070] Especially, the method according to the invention involves a third party, called server in the following. This server may know the final result x.sub.i Λ x.sub.j but must not know the value of x.sub.i nor the value of x.sub.j. This server also has the function of creating and emitting a photon in a given state, and can therefore be implemented, at least partially, by the sender C.sub.1.

[0071] According to a first embodiment based on a ring architecture (FIG. 1a), participant C.sub.1 is also a receiver, so that the server has all the information directly at its disposal as sender and receiver.

[0072] According to a second embodiment based on a chain architecture (FIG. 1b), the server can have the information received by the receiver C.sub.N via a secure communication channel L.sub.s. In a way, the server is then implemented by the pair C/C.sub.N formed by the two participants located at the ends of the chain of participants.

[0073] Even more implementations are possible. In the following, for simplicity, we will assign the reference C.sub.1 to the server.

[0074] In a very general way, this computation is based on correlation, known as “magic”, between three binary variables α, β γ each determined, respectively, by the two participants C.sub.i, C.sub.j and the server C.sub.1 and corresponding to a logical “and” between two bits b.sub.1, b.sub.2 held by the participants so that α+β+γ=b.sub.1 Λ b.sub.2. Furthermore, the marginal distributions of the three variables α, β γ must satisfy the uniformity criterion: when viewed individually, each bit can equiprobably take the value 0 or 1. In the following, we will call these three variables “correlation variables”.

[0075] A first phase consists of establishing a magic correlation corresponding to the logical “and” between two random bits and using the quantum communication channel L.sub.q and quantum computation. At the end of this first phase, we therefore determine the three variables α, β, γ forming the magic correlation.

[0076] A second phase is to use this magic correlation (α, β γ) to compute the logical “and” between the two chosen bits x.sub.i, x.sub.j, that is, the final result sought, using a conventional secure communication channel, Lc.

[0077] In the first phase, participants C.sub.i and C.sub.j will apply quantum gates, U and V, to input qubits in order to generate output qubits.

[0078] The quantum gate V transforms the state (or qubit) of a photon into an orthogonal state, in any orthonormal basis. The quantum gate U corresponds to a square root of the transformation performed by the quantum gate V.

[0079] On the Bloch sphere, these operations are therefore equivalent to saying that the whole quantum part is defined to within one rotation.

[0080] The qubit is generated by the server C.sub.1, in a first state, in an orthonormal basis.

[0081] According to an embodiment, this first state is denoted |+>. This notation is, however, arbitrary, since it is sufficient, according to the invention, to have any two orthogonal states, but it allows for clearer description.

[0082] In the following, we will denote as |0> and |1> two orthogonal states (that is perfectly distinguishable) among the quantum degrees of freedom of the emitted photon in this orthonormal basis.

[0083] We denote as |+> and |−> two states formed by the superposition of these two orthogonal qubits. We can write:

[00001] $.Math. + >= \frac{1}{\sqrt{2}} (.Math. 0 > + .Math. 1 >)$

[0084] We can also write

[00002] $.Math. -> = \frac{1}{\sqrt{2}} (.Math. 0 > - .Math. 1 >)$

[0085] The gate V is a Pauli-Z gate which is equivalent to a rotation around the Z-axis of the Bloch sphere by π radians. It can be represented by the Pauli-Z matrix:

[00003] $z = [\begin{matrix} 1 & 0 \\ 0 & - 1 \end{matrix}]$

[0086] In other words, such a gate V transforms the state |+> into the state |−>, and, reciprocally the state |−> into the state |+>

[0087] As said before, the gate U is a square root of the gate V. According to one embodiment, it may be a rotation about the Z axis of the Bloch sphere by π/2 radians. In other words, by applying the U gate twice, we obtain the equivalent of a V gate.

[0088] In an embodiment of encoding phase difference information, the qubit |+> may correspond to a photon in uniform superposition over these two half-intervals. In this case, the rotations U and V correspond to a phase shift of the 2nd half-interval of x and π/2, respectively.

[0089] In all the cases described above and in general, the implementations are carried out by applying an appropriate modulation.

[0090] Also of interest is the paper by Marco Clementi, Anna Pappa, Andreas Eckstein, Ian Walmsley, Elham Kashefi, et al, “Classical multiparty computation using quantum resources” in Physical Review A, American Physical Society, 2017, 96 (6), pp. 062317. (10.1103/PhysRevA.96.062317). (hal-02164423). In this paper, the states |+> and |−> are implemented using vertical and horizontal polarizations. The rotations U and V are implemented with half-wave plates.

[0091] FIG. 3 shows an embodiment of the method, or protocol, for secure multi-party computation of the logical “AND” in which the main steps are shown. FIG. 3 is a purely illustrative flowchart and the sequence of steps can be understood without recourse to this flowchart, just as other sequences, or other divisions into steps, are possible and accessible to the skilled person.

[0092] In this example, it is assumed that two participants C.sub.i and C.sub.j have, at a given time, two bits, respectively x.sub.i and x.sub.j whose logical “and” is to be calculated.

[0093] In a step S1, each participant C.sub.i, C.sub.j determines, for example randomly, a value for its respective correlation variable α, β intended to form a magic correlation. Each participant also determines the value of two other bits, p and q respectively, also at random. These 4 random bits α, β, p, q can be determined in this preliminary step S1 or later, before these bits are needed in the computations required by the subsequent steps of the protocol.

[0094] In a step S2, the server C.sub.1 prepares and sends a photon in a superposition state of orthogonal states in a given orthonormal basis.

[0095] According to one embodiment, the server C.sub.1 prepares and transmits a |+> state which is a uniform superposition of two |0> and |1> states, to the first participant C.sub.i. According to another embodiment, the server C.sub.1 prepares and sends a |−> state. As said above, the initial state itself does not matter, it is only important that the transformation V transforms this state into an orthogonal state.

[0096] Note that the two participants are interchangeable, since the logical “and” is a commutative operation. Therefore, the terms “first” and “second” participants are only used to distinguish them, for the clarity of the description, without establishing any order or hierarchy between them.

[0097] In a step S3, the first participant C.sub.i receives this state of the photon and applies to it a first quantum transformation formed by the succession of quantum gates performing a rotation of angle n around the Z-axis and the other a rotation of angle π/2 around the Z-axis, this transformation depending on the two random bits determined by this first participant, that is a et p.

[0098] More precisely, this first transformation can be written V.sup.aU.sup.p.

[0099] This notation T.sup.c means that if the exponent e is equal to 1, we apply the transformation T and if it is equal to 0, we do not apply it.

[0100] The first participant C.sub.1 can then send the qubit resulting from this transformation in the quantum communication channel L.sub.q to the second participant C.sub.j.

[0101] In a step S4, the second participant C.sub.j performs a similar transformation but based on the two random bits at its disposal: β and q. This second transformation can be written V.sup.βU.sup.q. The qubit resulting from this transformation can then be sent in the quantum communication channel L.sub.q to the server C.sub.1.

[0102] In a step S5, the server C.sub.1 performs a third transformation which can be written as (U*).sup.p+q, where U* is the inverse transformation of U.

[0103] According to the invention, the value p+q is transmitted to the server C.sub.1, without communicating the individual values of p and q.

[0104] According to a preferred mode of implementation of the invention, the protocol is secured by secretly sharing a bit r between the two participants C.sub.i and C.sub.j in order to encode the communication of bits p and q to the server C.sub.1. Also, during step S1 (which can be extended to this step S4), [0105] the participant C.sub.i sends to the server C.sub.1 the bit t1=p+r over a secure channel; [0106] the participant C.sub.j sends to the server C.sub.1 the bit t2=q+r over a secure channel.

[0107] Other secure methods can be used to transmit the value of t1+t2 to the server C.sub.1, as will be seen later.

[0108] The sign “+” indicates binary addition. Since we are only interested in a single bit, this operation is equivalent to an “exclusive or”

[0109] The server C.sub.1 can then calculate the third transformation (U*).sup.t1+t2

[0110] After this transformation, the state of the qubit is: (U*).sup.t1+t2.Math.V.sup.β U.sup.q V.sup.α U.sup.p|+>

[0111] This expression can be simplified, depending on the different values that the random bits p and q can take (due to the commutativity of the ports U, V and U*) into: [0112] V.sup.β V.sup.α|+> if p=0 and q=0 [0113] V.sup.β V.sup.α|+> if p=0 and q=1 [0114] V.sup.β V.sup.α|+> if p=1 and q=0 [0115] V.sup.β V.sup.α|−> if p=1 and q=1

[0116] Here we can recall that the gate V amounts to swapping the |+> and |−> states, so that the number of swaps depends on the value of the correlation values α and β.

[0117] We can therefore write the following truth table:

TABLE-US-00001 α β V.sup.β V.sup.α |+> α + β 0 0 |+> 0 0 1 |−> 1 1 0 |−> 1 1 1 |+> 0

[0118] The server C.sub.1 then measures the received qubit in the {|+>, |−>} base, and determines the value of its correlation variable γ as follows: [0119] if the measure is |+>, then γ=0 [0120] if the measure is |−>, then γ=1

[0121] From then on, we can notice that γ=α+β+(pΛq).

[0122] In other words, α+β+γ=pΛq

[0123] This expression is that of a magic correlation between the three correlation variables α, β, γ, the binary sum of which is used to calculate the logical “and” of the two bits p and q.

[0124] Once this correlation is established, it allows us to calculate, in a second phase, the logical “and” for other bits, and in particular the chosen bits x.sub.i, x.sub.j.

[0125] It is noteworthy that this first phase is independent of the chosen bits x.sub.i, x.sub.j.

[0126] According to one embodiment, the first steps S1, S2, S3, S4, S5 constituting a first phase, can be carried out upstream of the moment when the participants C.sub.i and C.sub.j have the respective bits x.sub.i, x.sub.j whose logical “and” is to be calculated. In other words, this first phase can be precomputed, so as to reduce the computations to be performed between the moment when the bits x.sub.i and x.sub.j are known and the result is made available, x.sub.i Λ x.sub.j.

[0127] This type of implementation allows significant gains in performance and security.

[0128] In a step S6, the participants C.sub.i, C.sub.j exchange a value depending on the sum between the random bit, respectively p, q, and the chosen bit, respectively x.sub.i, x.sub.j.

[0129] For example, [0130] the first participant C; calculates u1=p+x.sub.i and sends it to the second participant C.sub.j. [0131] the second participant C.sub.j calculates u2=q+x.sub.j and sends it to the first participant C.sub.i.

[0132] In a step S7, both participants C.sub.i, C.sub.j and the server C.sub.1 each separately provide a value, a, b, c, respectively, such that a+b+c=x.sub.i Λ x.sub.j.

[0133] More precisely, [0134] the first participant computes and provides a=α+x.sub.i Λ u2 [0135] the second participant computes and provides b=0+x.sub.j Λ u1+u1 Λ u2 [0136] the server provides c=γ

[0137] The values of u1 and u2 are random and are shared among the participants beforehand. This sharing can be done through the conventional secure communication channel Lc.

[0138] It may then be verified that a+b+c=x.sub.i Λ x.sub.j, which is the desired result.

[0139] Indeed,

[00004] $\begin{matrix} a + b + c = α + x_{i} Λ u 2 + β + xj Λ u 1 + u 1 Λ u 2 + γ \\ = α + x_{i} Λ (q + x_{j}) + β + x_{j} Λ (p^{+} x_{i}) + \\ (p^{+} x_{i}) Λ (q^{+} x_{j}) + γ \\ = α + β + γ + x_{i} Λ q + x_{i} Λ x_{j} + x_{j} Λ p + \\ x_{j} Λ x_{i} + p Λ q + p Λ x_{j} + x_{j} Λ q + x_{i} Λ x_{j} \\ = p Λ q + x_{i} Λ q + x_{i} {Λx}_{j} + x_{j} Λ p + x_{j} Λ x_{i} + \\ p Λ q + p Λ x_{j} + x_{j} Λ q + x_{i} Λ x_{j} \end{matrix}$

[0140] Identical terms cancel each other out since they are binary additions on a single bit (without a carry), thus equivalent to an exclusive “or”. Therefore, this expression can be simplified, effectively, into a+b+c=x.sub.i Λ x.sub.j

[0141] One can thus obtain, by this simple binary sum of independent terms, the value of the logical “and” between the bits x.sub.i and x.sub.j chosen respectively by the first participant C.sub.i, and the second participant C.sub.j without their value being known by another entity than the one that chose it. Thus, the desired property of secure multi-party computation is ensured.

[0142] Moreover, in the case where the first phase (quantum) is carried out in advance, the phase of effective computation of this “logical and” (second phase) is very effective since it only involves a double exchange between the two participants (step S6), bit additions and the provision of the values a, b, c which can simply be summed to obtain the result.

[0143] According to one embodiment of the invention, the security of the method can be enhanced in various ways.

[0144] The conventional communication channel Lc can be secured by conventional or quantum means.

[0145] As previously described, a bit r can be shared secretly between the participants and the server. This bit can be shared using a quantum key distribution, for example.

[0146] Quantum key security mechanisms are known per se, and there are various commercial devices to perform this step. Among others, mention may be made of the devices “Cerberis3 QKD System” marketed by ID Quantique, “QKD System” marketed by Toshiba, or “Quantum Key Distribution (QKD)” from Quintessence Labs.

[0147] Another example is the patent application FR1909839 entitled “Method for secure transmission of quantum state sequences between multiple online participants over a quantum communication channel”.

[0148] Also, a different bit, r1, r2, r3 can be shared between each pair of the set constituted by the participants and the server. Thus, the first participant C; and the server C.sub.1 exchange a first bit r1; the second participant C.sub.j and the server C.sub.1 exchange a second bit r2, and the first and second participants exchange a third bit r3.

[0149] During the initialization phase S1, it is then possible to have: [0150] The first participant C.sub.i send to the server C.sub.1 the value t1′=p+r1+r3 [0151] The second participant C.sub.j send to the server C.sub.1 the value t2′=q+r2+r3 [0152] The server C.sub.1 can then form the values t1=t1′+r1 and t2=t2′+r2

[0153] The computation of a binary logical “and” can be applied to solve any computational problem distributed between the two participants C.sub.i, C.sub.j.

[0154] In the case of an application to an auction mechanism, it is assumed that each of the participants C.sub.i, C.sub.j holds two numbers, respectively x.sub.i, x.sub.j, of n bits each and representing a bid value: x.sub.jj ∈{0,1}.sup.n

[0155] For two binary inputs a, b, we define the function f(a,b)=1+aΛ(1+b). This function takes the value 1 if b≥a, and 0 otherwise.

[0156] This function can be calculated, for one bit, according to the method previously described. Indeed, noting that 1+b is a logical NOT, this function is calculated as f(a,b)=NOT(a and (NOT b))

[0157] It is then possible to determine the winner between two bids in the auction by performing a bit-by-bit comparison of the two values x.sub.i, x.sub.j starting from the most significant bit, and using this comparison function f for each bit.

[0158] If f returns 0 for one bit, then x.sub.i>x.sub.j and C.sub.i carries the bid over C.sub.j; otherwise x.sub.j≥x.sub.i and the bid is either carried by C.sub.j or both participants have made the same bid.

[0159] By doing this computation in both directions, that is also by swapping x.sub.i and x.sub.j for the second computation, it can be determined in all situations which of the participants won the auction.

METHOD FOR SECURELY COMPUTING A LOGICAL AND BETWEEN TWO BITS USING QUANTUM COMMUNICATION

Inventors

Cpc classification

Classification Explorer

G06N10/20

PHYSICS

Classification Explorer

H04L2209/46

ELECTRICITY

Classification Explorer

H04L9/0852

ELECTRICITY

International classification

Classification Explorer

G06N10/20

PHYSICS

Abstract

Claims

Description