# Quantum anonymous veto: a set of new protocols – EPJ Quantum Technology

#### BySandeep Mishra, Kishore Thapliyal, Abhishek Parakh and Anirban Pathak

May 20, 2022

A QAV scheme is expected to satisfy a few criteria of security listed in Sect. 2. Further, we may note that a QAV protocol is ϵ-secure if it is ϵ-indistinguishable from a perfectly secure (hypothetical) ideal QAV scheme following those listed conditions [53, 54]. In the following, we will explicitly show the security of our proposed schemes with regards to requirements for AV along these lines (which is summarized in Table 2).

### Eligibility

In all the protocols, we are using the scheme of quantum digital signatures for authentication of the voters irrespective of whether CA performs the authentication or the voters authenticate each other among themselves. In this way, only the eligible voters will be allowed to vote and thus the eligibility condition is satisfied for all the proposed protocols.

### Privacy

An eavesdropper attempts to access the information a voter is transmitting to CA. Her endeavor would result in a message encoded (by voter (V_{j})) joint state shared among CA and Eve (before a measurement performed by Eve and/or CA) which can be described as

$$rho^{V_{j}E}= p_{0} rho_{0}^{V_{j}} otimes rho_{0}^{E} +(1-p_{0}) rho_{1}^{V_{j}}otimes rho_{1}^{E},$$

(5)

where (p_{0}) is the probability that (V_{j}) supports the proposal. Eve will further discriminate (rho_{j}^{E}) to identify the secret value of j. However, the legitimate parties, i.e., voters and CA, would desire to adopt quantum cryptography tools, such as decoy state technique, to obtain the joint state in ideal situation as

$$rho^{V_{j}E}_{mathrm{ideal}}= sum_{i} p_{j} rho_{i}^{V_{j}}otimes rho^{E},$$

(6)

which ensures that Eve has no information about the choice of the voter. Thus, ϵ-privacy of a QAV scheme can be defined in the information theoretic description of security [53, 54] as (minlimits_{j} frac{1}{2}Vert rho^{V_{j}E}- rho^{V_{j}E}_{mathrm{ideal}}Vertleq epsilon). Here, we provide privacy of the voters for the proposed QAV schemes against some of the well-known individual attacks by an adversary as well as the collusion attacks by the legitimate parties.

To begin with, we consider the intercept and resend attack by a non-participant Eve. In the intercept and resend attack, Eve intercepts the travel particles from one legitimate user to another. Subsequently, Eve prepares a random state (known to him) and sends it to the party who was intended to receive the intercepted particles. For example, in QAV-2, Eve may perform this attack by intercepting the l copies of Bell state to be shared between all the pairs of voters by CA. She will be able to get the information about the shared symmetric keys used by the voter to cast their votes by sending the symmetric separable single qubit strings to both the voters. This will eventually give her access to all the secret information that voters were sharing. To prevent this attack, we can employ decoy qubit based eavesdropping checking (cf. Sect. 2), e.g., using the BB84 states ((vert 0 rangle, vert 1rangle, vert + rangle, vert – rangle)). Suppose l Bell states are to be securely distributed between a pair of voters by CA who inserts 2l decoy states randomly before sending. The pair of voters measure the 2l decoy qubits to obtain the error rate and attribute all these errors to the eavesdropping attempts. Since Eve is ignorant about the position of the decoy states as well as the choice of randomly used basis for preparation of the decoy states so the voters will detect the presence of Eve by comparison of the measurement outcomes with that of the prepared state. This allows the voters to obtain the bounds on the information accessible to Eve on the remaining l-bits key they obtain eventually. The probability to detect the presence of Eve is given by (1-frac{1}{4^{l/2}}). Similarly, in QAV-1, the decoy state based eavesdropping checking technique is effective to circumvent the intercept and resend attack as it is an integral part of the QKA/QKD protocols used in the generation of symmetric keys between the voters. Along the same lines, all the proposed protocols are free from the intercept and resend attack by using the decoy qubit based eavesdropping checking while transmission of the qubits between two parties.

Another type of attack strategy is entangle and measure attack. In such type of attacks, Eve entangles her ancilla qubit with the travel qubit and measures her ancilla afterwards to get the information transmitted. Specifically, Eve prepares an ancilla qubit in a superposition state as (vert q rangle_{E}= alpha vert 0 rangle_{E} + beta vert 1 rangle_{E}) and then entangles it with the travel qubit using the CNOT gate with control on the ancilla and target on the travel qubit. It can be observed that the use of decoy qubits prepared in the BB84 states ((vert 0 rangle, vert 1rangle, vert + rangle, vert – rangle)) will result in the successful detection of Eve with success probability (vertbetavert^{2}) if Eve attacks the decoy states (vert 0 rangle) and (vert 1 rangle) while the state remains separable for the rest of the decoy states ((vert + rangle, vert – rangle)). Thus, the average probability of detecting Eve can be obtained as (frac{vertbetavert^{2}}{2}) assuming that all decoy states are prepared with an equal probability. Notice that if Eve prepares ancilla with (betarightarrow 0) then the detection probability of Eve will be vanishingly small as in that case Eve neither disturbs the decoy qubit nor gains any information.

Another significant attack is the man in the middle attack where Eve impersonates as a legitimate party. This attack can be prevented by the use of a secure authentication scheme [5557] before sending of the actual sequence of particles. Further, we are using the quantum digital signatures which would protect us from this attack.

Further, in a participant attack, a user or a group of users will either try to get some information about the voting pattern of the voters or try to influence the result of the voting without being detected. In QAV-1, QAV-3 and QAV-4, every voter (V_{i}) generates a l-bit symmetric key with the rest of the voters using a QKA/QKD protocol, which is followed by an application of some logical operations of those keys before publicly announcing the result. Thus, it is not possible for any voter to get the information about the voting pattern/preference of the other voters from the announced information. Similarly, it is applicable to the rest of the protocols, i.e., QAV-2, QAV-5, QAV-6 and QAV-7. However, in the collusion attack, (k< n) voters out of the total n voters collude to acquire the inaccessible information about the voting preferences of the rest of the (n-k) voters and then try to change the outcome. In all of proposed protocols, we can see that it is not possible to violate the secrecy of the vote as well as the outcome of the voting process. For instance, QAV-7 is prone to the collusion attack by an arbitrary voter and CA as they know the choices by all voters in the end if the operations applied by the voters are public knowledge. Specifically, CA has the information of the final result after measurement and (all) the voter(s) have encoding operations, and thus together they have all the pieces required to get all the voting preferences, i.e., to identify the parties vetoing the proposal. Here, this possibility is circumvented as the disjoint subgroups are assigned to every voter for voting in a random manner with neither CA nor the voters aware of the encoding operations used by the rest of the voters.

We have shown here that the privacy of the votes can be accomplished against some of the popular outsider’s and insider’s attacks, but a more rigorous security proof against collective and coherent attacks will be performed in our future works.

### Binding

In all the protocols proposed here, an outsider (or a participant other than the voter) cannot change the vote encoded by any voter, and the same is already established in the context of privacy against denial of service and disturbance attacks. Further, in the probabilistic and deterministic protocols (i.e., QAV-1–QAV-4 and QAV-7), even the voter cannot alter the vote as they only get one chance to encode it, but in the iterative protocols, a dishonest voter may change his vote in every iteration, e.g, in QAV-4–QAV-5. However, the voter’s change of the vote in the successive iterations neither allows him access to the partial tally of the votes nor compromises the privacy of the other voters. Thus, a voter cannot take advantage of changing the vote in every iteration to get a favourable final outcome of his choice.

### Correctness

The correctness of an ϵ-correct QAV scheme requires that the result bit is generated wrong with probability (operatorname{Pr}[mathcal{W}_{i}=0 forall ilongrightarrow mathcal{V}_{n}=1]leq epsilon ). The success probability of probabilistic protocols is given by (frac{1}{2^{l}}) where l represents the number of bits used by each voter. So, probabilistic QAV protocols are ϵ-correct with (epsilon geq 1-frac{1}{2^{l}}). In comparison to the probabilistic protocols, the iterative and deterministic QAV protocols can be implemented with a relatively small value ϵ.

### Verifiability

The AV scheme is ϵ-verifiable if every voter can confirm his vote with a probability of failing verifiability (operatorname{Pr}[mathcal{W}_{i}=j longrightarrow mathcal{V}_{n}=joplus 1]leq epsilon). Notice that a voter (say (V_{i})) can verify his veto ideally with unit probability, while any other voter may independently have supported the proposal which reduces the verifiability of the scheme as the voters supporting the proposal with input (mathcal{W}_{i}=0) would not be able to verify the outcome. Thus, as long as the scheme is (epsilon_{c})-correct it will lead to ϵ-verifiability ((epsilon>epsilon_{c} )). In our case, a party who vetoed the proposal can verify the outcome with unit probability in case of iterative (QAV-6) and deterministic (QAV-7) schemes. However, in case of probabilistic schemes, he will be able to verify the result as long as the correctness is ensured. Further, in case when the parties support the proposal, it does not appear possible to ensure verifiability without disclosing individual choices.

### Robustness

Decoherence is the major challenge in the implementation of quantum communication. In the absence of an adversary, an interaction of the qubits with the ambient environment is expected to reduce the correctness by leading to a wrong outcome. Any realistic physical implementation of the proposed protocols will always be noisy due to the presence of the surrounding environment. Further, the protocol will be practically useful only if it gives the correct result even in the presence of a limited amount of noise. Here, we will be comparing the feasibility of the proposed protocols under the presence of noise by considering that the noise affects the qubits only when they travel from one party to the other. Further, we assume that the qubits that do not travel are hardly affected by the noise. In quantum information theory, the effect of noise on the quantum state (rho_{i}) evolving to (rho_{f}) is described as an operator-sum representation in terms of Kraus operators as [40, 58]

begin{aligned} rho_{f}= sum_{i} E_{i}rho_{i} E_{i}^{dagger}, end{aligned}

(7)

where (E_{i})s are the Kraus operators with (sum_{i}E_{i}^{dagger} E_{i} = I).

To discuss the robustness of the proposed schemes, we study the effect of two of the most important noise channels, namely amplitude damping and phase damping, on the proposed protocols. The Kraus operators for amplitude damping are

$$E^{mathrm{AD}}_{0} = begin{pmatrix} 1 & 0 \ 0 & sqrt{1-eta_{a}} end{pmatrix} quad text{and} quad E^{mathrm{AD}}_{1} = begin{pmatrix} 0 & sqrt{eta_{a}} \ 0 & 0 end{pmatrix}$$

(8)

and those for phase damping are

$$E^{mathrm{PD}}_{0} = begin{pmatrix} 1 & 0 \ 0 & sqrt{1-eta_{p}} end{pmatrix} quad text{and} quad E^{mathrm{PD}}_{1} = begin{pmatrix} 1 & 0 \ 0 & sqrt{eta_{p}} end{pmatrix}.$$

(9)

These operators can be substituted in Eq. (7) to give us the final state with (eta_{j}) as the damping parameter.

Suppose an n qubit initial pure state (rho_{i}= vert Phi ranglelangle Phi vert) is used for the implementation of a protocol, with (m ( n-m )) home (travel) qubits denoted by (h ( t )), then the final state before measurement can be written as

$$rho_{f}^{k}= sum_{i_{j}} bigl{ I^{otimes m}_{h} otimes bigl( E^{k}_{i_{1}} otimes dots E^{k}_{i_{j}} dots otimes E^{k}_{i_{n-m}} bigr)_{t} bigr} rho_{i} bigl{ I^{otimes n}_{h} otimes bigl( E^{k}_{i_{1}}otimes dots E^{k}_{i_{j}} dots otimes E^{k}_{i_{n-m}} bigr)_{t} bigr} ^{dagger},$$

(10)

where (E^{k}_{i_{j}}) are the Kraus opertors of amplitude or phase damping with (kin {mathrm{AD,PD}}). The effect of the noise can be quantified by a distance based measure, known as the square of fidelity (henceforth referred to as fidelity), given by

$$F^{k}= bigllangle Phi^{f} biglvert rho_{f}^{k} bigrvert Phi^{f} bigrrangle ,$$

(11)

where (vert Phi^{f} rangle) represents the final state that the initial pure state (vert Phi rangle) should have been after performing all the encoding operations by every party in a decoherence free environment. In our case, we consider that all the encoding operations are equi-probable and hence calculate the average fidelity for each of the proposed QAV protocols. Before we proceed further, notice that the average fidelity quantifies the robustness of the scheme as the low fidelity corresponds to the wrong outcome.

The QAV-1 protocol is dependent upon the choice of QKA/QKD protocol used for the initial key generation. Without loss of generality, we consider BB84 protocol in this case for the analysis. It involves the sending of BB84 states from one voter to the other voters for creating a l-bit keys between every pair of voters. The average fidelity for generation of l-bit keys for every pair of voters under amplitude damping noise is computed to be (frac{1}{4^{l}} (sqrt{1-eta_{a} }-eta_{a} +3 )^{l} ) while under phase damping noise it is found to be (frac{1}{4^{l}} (sqrt{1-eta_{p} }+3 )^{l} ). Thus, the fidelity depends on the noise parameter values as well as the number of key bits required for working of the protocol as can be seen from Fig. 2(a). Specifically, the protocol is robust for the small values of noise parameters ((eta_{p}) or (eta_{a})), and a higher value of noise reduces the fidelity significantly and thus rendering the protocol practically ineffective. Since QAV-1 is a probabilistic AV protocol and for (l=10) we get a conclusive outcome with probability 99.9%, which can be further improved by increasing the number of key bits l. However, with an increase in the key size the robustness decreases and thus a trade-off between correctness and robustness of the probabilistic QAV schemes is observed. Further, we can observe that the amplitude damping noise has a greater impact on the average fidelity in comparison to that for the phase damping noise due to the presence of fast decaying term (-eta_{a}) in the former case. Similarly, in QAV-2 protocol based on the Bell states shared among two voters, the average fidelity for generation of l-bit keys among every pair of voters under amplitude damping noise is ((1+ frac{1}{2} (eta_{a} -2) eta_{a} )^{l}) while under phase damping noise is ((1 – frac{eta_{p}}{2})^{l} ). Interestingly, as QAV-5 protocol is similar to QAV-2 (with differences in the encoding and measurement stages), the average fidelity is the same as that for QAV-2. Along the same lines, the average fidelity for QAV-3 (orthogonal state based protocol) under amplitude damping noise is found to be ((1 – frac{eta_{a}}{2})^{l}) while under phase damping noise it is computed as ((1 – frac{eta_{p}}{2})^{l/2} ) for only even values of l. Further, average fidelity for QAV-4 (semi-quantum protocol) is obtained to be the same as QAV-2 as the communication complexity is same in both the schemes. Among these schemes, QAV-2 (and QAV-4 and QAV-5, too) is the least robust against noise (cf. Fig. 2(b)).

We further obtain the average fidelity of the transmitted states in QAV-6 and QAV-7 implemented by the four voters with the help of CA as

begin{aligned}& begin{gathered} begin{aligned} F^{mathrm{AD}}_{text{QAV-6}} ={}& {-}frac{eta_{a} ^{5}}{4}+ frac{5 eta_{a} ^{4}}{4}-frac{5 eta_{a} ^{3}}{2}+frac{1}{2} sqrt{1- eta_{a} } eta_{a} ^{2}+ frac{5 eta_{a} ^{2}}{2}\ &{}-sqrt{1-eta_{a} } eta_{a} – frac{5 eta_{a} }{4}+frac{sqrt{1-eta_{a} }}{2}+frac{1}{2} , end{aligned} \ F^{mathrm{PD}}_{text{QAV-6}} = frac{1}{2} sqrt{1- eta_{p} } eta_{p} ^{2}-sqrt{1- eta_{p} } eta_{p} +frac{sqrt{1-eta_{p} }}{2}+ frac{1}{2} , \ begin{aligned} F^{mathrm{AD}}_{text{QAV-7}} = {}&frac{eta_{a} ^{10}}{4}- frac{19 eta_{a} ^{9}}{8}+10 eta_{a} ^{8}- frac{197 eta_{a} ^{7}}{8}+frac{315 eta_{a} ^{6}}{8}\ &{}-frac{349 eta_{a} ^{5}}{8}+ frac{289 eta_{a} ^{4}}{8}-frac{195 eta_{a} ^{3}}{8}+frac{107 eta_{a} ^{2}}{8}-5 eta_{a} +1, end{aligned} \ F^{mathrm{PD}}_{text{QAV-7}} = -frac{eta_{p} ^{5}}{2}+ frac{5 eta_{p} ^{4}}{2}-5 eta_{p} ^{3}+5 eta_{p} ^{2}-frac{5 eta_{p} }{2}+1, end{gathered} end{aligned}

(12)

respectively. In QAV-6, one of the qubits of the Bell states is transmitted five times through the noisy environment. Therefore, the effect of amplitude damping is more severe than that of phase damping. In QAV-7 protocol, a deterministic scheme among the four voters with two travel qubits has twice more travel qubits than that in QAV-6. The expressions for average fidelity are along the expected lines with amplitude damping having more adverse effect. Figure 2(c) shows a comparison of average fidelity for QAV-6 and QAV-7 for the case of four voters. We can see that the robustness of the protocol is dependent upon the noise parameters. In the case of practical implementation, all the protocols may be observed robust up to moderate decoherence rates and the robustness decrease as the noise parameters increase.

### Efficiency of the protocols

The performance of a quantum communication scheme can be quantified in terms of qubit efficiency, given by [59]

$$eta = frac{c}{q+b},$$

(13)

where c is the number of classical bits transmitted, q is the minimum number of qubits required, while b is the additional classical bits of information required for secure transmission. It is to be noted here that we do not consider the classical bits exchanged during eavesdropping checking while computing η. Further, the number of qubits required can be written as (q=Q+delta t), where Q represents the total Q qubits used in the protocol, while t represents the number of travel qubits in the corresponding protocol. The factor of (delta neq 0) is decided to achieve the desired level of security of t travel qubits by using δt decoy qubits. In QAV protocols, (c=1) as we require only one bit of information (mathcal{V}_{n}) after the completion of the protocol. Let us now compare the efficiency of the existing QAV protocols along with that of our proposed QAV protocols.

To begin with, let us look at the efficiency of WQAV protocol. In this protocol, CA has to establish a l qubit key with all the n voters using BB84 protocol, which requires the exchange of a minimum (4nl) qubits. Thereafter, CA would share ((1+delta_{0})l) ordered copies of n-qubit GHZ state with the voters, which will require an additional (nl(1+delta_{0})delta_{1}) decoy qubits. Here, (delta_{0}) and (delta_{1}) are the security parameters for checking the GHZ correlations and eavesdropping checking, respectively. Thus, (q=nl(5+delta_{0}+delta_{1}+delta_{0}delta_{1})). The voters further require an exchange of a total of (b=nl) classical bits to CA, and hence the efficiency is given by ({nl(6+delta_{0}+delta_{1}+delta_{0}delta_{1})}^{-1}). Though a detailed security of the RKQAV protocol was not reported we can calculate its qubit efficiency in the similar manner to that of WQAV protocol. This also requires the transfer of ((1+delta_{0})nl) GHZ particles (qubits) from CA to the n voters. After preforming some operations on their GHZ particles, the voters will then return back a total nl particles to CA. To ensure the detection of Eve during transfer of qubits, we require additional (nl(2+delta_{0})delta_{1}) decoy qubits. Thus, qubit efficiency is ({nl(1+delta_{0}+2delta_{1}+delta_{0}delta_{1})}^{-1}) as (b=0).

Similarly, we can compute the qubit efficiency of the proposed probabilistic QAV protocols. QAV-1 protocol is based on the generation of l bit key among all pairs of n voters using any of the QKD or QKA protocol. For instance, considering l bit key shared among arbitrary two voters using the BB84 QKD protocol, which involves (q={}^{n} C_{2}, 4l). Further, after generation of the symmetric keys every voter has to publicly announce the l bits of classical information, which makes (b=nl) and the efficiency is calculated as ({(2n-1))nl }^{-1}). Similarly, QAV-2 requires the sharing of the l Bell states, among all pairs of voters. The total number of qubits used are (q={^{n}C_{2}}, 2l(delta_{1}+1)), and nl classical bits are required. Hence, the qubit efficiency of QAV-2 can be calculated as ({((n-1)(delta_{1}+1)+1) nl}^{-1}). QAV-3 uses an orthogonal state based QKA to generate l bit key between any pair of voters. The total number of qubits required (q={^{n}C_{2}}, l(delta_{1}+1)) with (b=4nl) classical bits are required. This results in qubit efficiency as ({(frac{(n-1)(delta_{1}+1)}{2}+4)nl}^{-1}). In QAV-4, semi-QKD is employed by the parties which requires (q={^{n}C_{2}}, 8l) with (b=nl) to generate l bit keys. This leads to the efficiency of protocol as ({nl(4n-3)}^{-1}) by including classical communication post QKD step.

Along the same lines, the qubit efficiency of the proposed iterative QAV protocols can also be obtained. The efficiency of protocol QAV-5 is similar to that of QAV-2. Let’s now look at efficiency analysis of QAV-6. In this protocol a Bell state is generated and then one qubit is kept by the CA while the other qubit will be travelling among the n voters for casting the vote and will return back to CA. In this case, (q=((n+1)(1+delta_{1}) +2)l) and (c=0) which leads to efficiency calculated as ({((n+1)(1+delta_{1}) +2)l }^{-1}). Here, l refers to the number of iterations required to get a conclusive outcome and its maximum value is given by (1+log_{2}n). In QAV-7, we are using the dense coding scheme to arrive at the voting outcome. Here, CA generates a m-qubit entangled state and then l qubits of that state are transferred to all the voters one by one and finally returned back to CA which leads to (q=m+(n+1)l). Finally the revealing of outcome results in use of (b=1) classical bit of information which leads to efficiency as ({m + (n+1)(1+delta_{1})l +1}^{-1}). The comparison of the efficiencies is presented in Table 3. Without loss of generality, we further calculated the efficiency in a special case of 4 voters. We can see that some of our proposed protocols fare better than the RKQAV and WQAV protocols. Interestingly, we can clearly observe that for 4-party voting example of all the mentioned protocols, QAV-6 and QAV-7 have the best efficiency. In fact, this is true for voting with higher number of voters too.

## Rights and permissions

Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article’s Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article’s Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.