Privacy-preserving Quantum Sealed-bid Auction Based on Grover's Search Algorithm.

Sealed-bid auction is an important tool in modern economic especially concerned with networks. However, the bidders still lack the privacy protection in previously proposed sealed-bid auction schemes. In this paper, we focus on how to further protect the privacy of the bidders, especially the non-winning bidders. We first give a new privacy-preserving model of sealed-bid auction and then present a quantum sealed-bid auction scheme with stronger privacy protection. Our proposed scheme takes a general state in N-dimensional Hilbert space as the message carrier, in which each bidder privately marks his bid in an anonymous way, and further utilizes Grover's search algorithm to find the current highest bid. By O(lnn) iterations, it can get the highest bid finally. Compared with any classical scheme in theory, our proposed quantum scheme gets the lower communication complexity.

Introduction

Nowadays, quantum computations and quantum communications[1] have received extensive attention and gained lots of promising achievements, e.g., quantum cryptography[2], quantum teleportation[3] and quantum artificial intelligence[4,5].

Early 70s in the last century, Stephen Wiesner first presented the idea of quantum cryptography (e.g., quantum money). However, unfortunately, his innovative idea could not be immediately accepted at that time. Until 1984, C. H. Bennett and G. Brassard[6] revived the research of quantum cryptography by presenting famous quantum key distribution (QKD) protocol, later called BB84 protocol.

The security of quantum cryptography is guaranteed by the physical principles of quantum mechanics, so it can provide unconditional security in theory. Since Bennett and Brassard presented the first quantum key distribution (i.e., BB84 QKD) protocol, quantum cryptography has been widely studied and rapidly developed. Nowadays, many results have been reported, such as quantum secret sharing[7], quantum secure direct communication[8-10], quantum encryption[11], quantum signature[12-14], quantum authentication[15,16], and blind quantum computation[17,18].

In addition, there are also many well-known issues involving the protection of privacy in classical setting such as electronic voting, electronic auction, electronic payment, and so on. Furthermore, these issues have also been studied extensively in quantum setting, and accordingly there have appeared the corresponding quantum protocols, such as quantum voting[19], quantum auction[20], quantum e-payment[21], and so on.

In this paper, we focus on quantum auction, especially a specific type of quantum auction, i.e., quantum sealed-bid auction (QSA). In currently existing QSA schemes, there is only one winning bidder, who will win the auction finally, but the auctioneer needs to know all bids of all bidders, including the non-winning bidders. That is, even if the non-winning bidder cannot win the auction, he still needs to privately send his bid to the auctioneer. In certain settings, these QSA schemes do not meet the higher secure requirements, because the non-winning bidders lack the privacy protection, which has been the focus of everyone’s attention in modern society. In this paper, we mainly consider how to further protect the privacy of the non-winning bidders in QSA.

Related Works

Electronic auction plays an important role in modern economy especially concerned with networks. Generally, electronic auction can be mainly classified into three categories: English auction, Dutch auction and Sealed-bid auction. The traditional English auction is a public ascending price auction. In this auction, the auctioneer first gives a base price, and then some bidder bids a higher price than the base price. Furthermore, the next bidder outbids the last bidder, and the process continues until no one else bids a higher price. Finally, the item is sold to the highest bidder at the highest bid. On the contrary, the Dutch auction is a public descending price auction. The auctioneer in Dutch auction begins with a high asking price which is lowered until some bidder is willing to accept the auctioneer’s price. Difference from the former two auctions, the sealed-bid auction needs to protect the privacy of the bids and ensure the fairness among the bidders. That is, any eavesdropper cannot get any private information about the bids, and the auctioneer cannot help any bidder to win the auction unfairly. During traditional sealed-bid auction, the bidder does not know the bids of others. After all bids are transmitted privately to the auctioneer, the auctioneer selects out the highest bid and announces it and the corresponding winner.

The first quantum sealed-bid auction protocol was proposed by Naseri in 2009[20]. The auction protocol introduced a multi-party quantum secure direct communication protocol to privately transmit the bids. However, Qin et al.[22] and Yang et al.[23] independently pointed out that there was a secure flaw in Naseri’ protocol, i.e., a malicious bidder could obtain all private bids without being found by performing double Controlled NOT attack or using fake entangled particles. Then they improved Naseri’s original protocol by inserting some decoy particles into the transmitted particles. In addition to the detecting strategy of the decoy particles, there still appeared other defense strategies[24,25] to prevent these attacks. Furthermore, Zhao et al.[26] found that these previously proposed protocols were unfair, i.e., a malicious bidder could collude the dishonest auctioneer to perform a collusion attack to win the auction unfairly. Accordingly, they presented a security protocol for QSA with post-confirmation[26]. Subsequently, in order to enhance the security of QSA or ensure the feasibility of QSA, many quantum protocols with post-confirmation were proposed[27-33]. In 2017, we presented an economic and feasible quantum sealed-bid auction protocol based on single photons in both the polarization and the spatial-mode degrees of freedom[34]. In our protocol, the post-confirmation mechanism uses single photons instead of entangled EPR pairs, and it does not require quantum memory. Therefore, our protocol is a practical and feasible quantum sealed-bid auction.

In all previously proposed quantum sealed-bid auction (QSA) protocols, it requires all bidders to send their real bids to the auctioneer. Even if the bidder can not win the auction, the auctioneer also knows his or her real bid. However, in practical settings, the bidders who will not be able to win the auction don’t want to reveal their real bids. That is, the non-winning bidders lack the privacy protection in current QSA schemes. In this paper, we present a strong privacy-preserving QSA model. In our model, anyone cannot get the real bid of other bidders, even for the auctioneer. So the privacy of the bidders can be better protected in our model. In addition, the bids of the bidders are anonymous, i.e., no one can discern who these bids belong to. Furthermore, we design a novel privacy-preserving QSA scheme based on Grover’s search algorithm. The proposed scheme not only guarantees the correctness and fairness of the auction, but also ensures the privacy and anonymity of the bidders, even for the auctioneer. Compared with the current existing quantum sealed-bid auction, our proposed scheme can provide stronger privacy protections, which are urgently requirements in modern network society.

Results and Discussion

Privacy-preserving quantum sealed-bid auction

System model

Here we first present our system model for privacy-preserving quantum sealed-bid auction (PQSA), in which there are two kinds of participants, i.e., an auctioneer (Alice) who wants to sell an item at the highest possible price and n bidders (Bob1, Bob2, …, Bob) who want to buy the item alone at the lowest possible price. In our PQAS model, suppose that there is a circle quantum channel among the auctioneer and all bidders (see the solid line in Fig. 1) and there is a classical channel between any two participants (see the dashed line in Fig. 1).

Figure 1

A system model of QAS.

Initially, Alice has a valuation price (x) of the item, and each bidder (Bob) has a private bid (x) for the item. Furthermore, we assume that the valuation price and all bids are not changed during the whole auction. Finally, Alice can select out the highest bid. If the highest bid is greater than or equal to her initial valuation price, then she will announce the winner and the highest bid. Otherwise, she will declare the failure to all bidders. In addition, our PQSA should meet the following secure and privacy requirements:

The auctioneer’s privacy: All bidders can not get any private information about the auctioneer’s initial valuation price (x) before announcing the winner or the failure of the auction.

The bidder’s privacy: No one can get the private bid of the bidder without risking the auctioneer’s detection.

Anonymity: The bidder’s bid is anonymous for all participants, including the auctioneer. That is, even if a dishonest participant or an outsider attacker gets a bid, he or she cannot identify whose bid it is.

Public verifiability: When the winner is announced, anyone can verify the authenticity of the winning bid. This attribute can defend the collusion attack between the malicious bidder and the dishonest auctioneer.

Fairness: The auctioneer cannot help a malicious bidder to win the auction illegally without being found by other bidders.

Proposed scheme

In the following scheme, we mainly consider the honest-but-curious model, which is similar to the semi-honesty model in the classical setting. That is, the parties honestly execute the protocol, but they try to find out as much as possible about the other inputs despite following the protocol. Furthermore, suppose that the initial valuation price and all bids lie in Z = {0, 1, 2, …, N − 1}. For simplicity, we assume that all bids are distinct. In addition, we assume that there is a public hash H(·).

Step 1. Each bidder Bob (j = 1, 2, …, n) randomly selects an integer r ∈ Z and computes . Then the bidder Bob sends b to all other participants by the classical channel. That is, the bidder Bob commits x to all other participants, but no participant can get x only from b without r. In addition, the auctioneer Alice also needs to commit x to all bidders, i.e., she selects a random number r ∈ Z, computes and sends b to all bidders by the classical channel.

Step 2. Repeat the following procedures p + q times, including the normal procedure (to find the highest bid) p times and the test procedure (to detect the dishonesty or attacks) q times, where p = lnn, and q is a secure parameter, e.g., q = p. That is, Alice randomly selects to execute the following normal procedure with the probability of or the following test procedure with the probability of .

The normal procedure: (1.1) Alice first prepares a general state and a basis state |0〉, which are both logN qubits. Furthermore, Alice performs logN CNOT gate operators[35] on the product state , where each qubit of the first logN qubits is the control qubit and the corresponding qubit of the second logN qubits is the target qubit (see Fig. 2). Here we call the resultant state |ψ0〉, which is written asClearly, |ψ0〉 is an entangled state. Here, the subscript h and t denote two registers, where the register h will stay at home and the register t will be transmitted through the quantum channel. Then Alice sends the register t to the first bidder Bob1 through the quantum channel.

Figure 2

Quantum circuit for the preparation of the initial state.

(1.2) After receiving the register t, the bidder Bob1 prepares a basis state |0〉 in an auxiliary register, and applies an oracle operator to the register t and the auxiliary register, where the oracle operator is defined bywithLet (i.e., the state of the whole quantum system). Obviously, . That is, the oracle operator is utilized to mark the item x1.

(1.3) Furthermore, the bidder Bob1 sends the two registers (i.e., ) to the second bidder Bob2 through the quantum channel.

(1.4) After receiving , similarly, the bidder Bob2 applies an oracle operator to , where the oracle operator is defined by his bid x2 as follows:withLet . Furthermore, the bidder Bob2 sends two transmitted registers (i.e.,) to the next bidder Bob3 though the quantum channel. Afterward, the bidder Bob3 executes the similar process of the bidder Bob2, and so on. This process is repeated n times in total, so that every bidder has marked his bid by an oracle operator. Then, the final quantum state will be in

(1.5) Finally, the bidder Bob sends all remaining qubits of the marked state |ψ〉 back to the auctioneer Alice through the quantum channel.

(1.6) After receiving the whole state |ψ〉, Alice again applies on two registers h and t, i.e., the first 2logN qubits of |ψ〉, where each qubit of the first logN qubits is the control qubit and the corresponding qubit of the second logN qubits is the target qubit. Call the resultant state . That is,

(1.7) Furthermore, Alice measures the second register t, i.e., the second logN qubits of the whole quantum system, in the computational basis. If the measured result is |0〉, then she will continue to execute the next step; Otherwise she will believe that there is at least one dishonest bidder or outsider attacker and end this auction.

(1.8) Let . Alice prepares another auxiliary state |0〉, and then applies an oracle operator U to , where the oracle operator U is defined bywith

Let . Please note that the subscript h is omitted in |ϕ〉, because all qubits are held by Alice at this moment. Clearly,

(1.9) Alice applies the Grover’s search algorithm[36] to |ϕ〉 for finding a marked state |j〉|1〉|1〉, which implies j ∈ {x1, x2…, x} and j ≥ x (i.e., finding a bid x greater than or equal to x). Alice makes a measurement on the first register. Let the result of the measurement be y. If y > x and satisfy |y〉|1〉|1〉), then replace x with y.

The test procedure: (2.1) Alice first prepares a quantum state , where i ∉ {x1, x2…, x} (Note. i may be selected by Alice’s experience and the valuation price, e.g., i could be a large enough number in ), and another quantum basis state |0〉. Similarly, Alice further performs logN CNOT gate operators on the product state |ψ〉|0〉 to generate an entangled state . Here the subscript h and t denote two registers, where the register h will stay at home and the register t will be transmitted through the quantum channel. Then Alice sends the register t to the first bidder Bob1 through the quantum channel.

(2.2) All bidders cannot distinguish the quantum states from the normal procedure and the test procedure, so they continue to execute the same oracle operators as the normal procedure (i.e., (1.2–1.5)) to mark their respective bids in the transmitted quantum state |ψ〉. However, i ∉ {x1, x2…, x}, so . Finally, the bidder Bob sends all remaining qubits of the state |ψ〉 back to the auctioneer Alice through the quantum channel.

(2.3) After receiving the state |ψ〉, Alice again applies on two registers h and t, i.e., the first 2logN qubits of |ψ〉, where each qubit of the first logN qubits is the control qubit and the corresponding qubit of the second logN qubits is the target qubit. Then Alice should get .

(2.4) Furthermore, Alice measures the first register by a von Neumann measurement {P+, P−}, where P+ and P− are defined by[37],

Obviously, P+ + P− = I and P+P− = 0. If the measurement result is in , then she will further measure the latter two registers in computational basis. If three measurement results are in , |0〉 and |0〉, respectively, then she will continue to execute the next step. Otherwise Alice will believe that there is at least one dishonest bidder or outsider attacker and end this auction.

Step 3. After executing the procedures of Step 2 (p + q) times, including the normal procedure p times and the test procedure q times, if the return result y is greater than or equal to her initial valuation price, Alice will announce y, i.e., the current highest bid (y ∈ {x1, x2, …, x}). Otherwise Alice will open her commitment x (i.e., the initial valuation price) by opening the random number r simultaneously, declare the failure of the auction and terminate this auction. That is, there is not a bid greater than or equal to her initial valuation price, so this auction is fail. Of course, all participants may verify its truth by comparing H(r ⊕ H(r ⊕ x)) with the corresponding value b committed in Step 1.

Step 4. If there is a bid x greater than the current highest bid y, the bidder Bob will broadcast a complaint about the incorrectness of the current highest bid. Furthermore, if there is a complaint, Alice will ask for the bid of the complainer, and then she will update the current highest bid with it. But if there are two or more complaints, Alice will think there are dishonest bidders or outsider attackers and accordingly terminate this auction.

Step 5. Furthermore, if each bidder does not further receive any complaint, then he will believe that the current highest bid is highest. Suppose y = x, i.e., the bidder Bob should be the winner of the auction. Finally, in order to win the auction successfully, the bidder Bob must publish his random number r and his bid x, i.e., open his commitment. All participants will compute H(r ⊕ H(r ⊕ x)) and verify its authenticity by comparing it with the corresponding value b committed in Step 1. In addition, Alice also needs to open her commitment x and accepts the verification of all bidders. If there is no error, the auctioneer Alice and all bidders will believe the auction is fair.

Analysis

Correctness

Our PQSA scheme is based on Grover’s search algorithm, which can find a solution with a high probability[1,36]. Assume the failure probability of Grover’s search algorithm is , where δ ≥ e (Note. e is the Euler’s constant, which is the base of natural logarithms (approximately 2.7183)). Let E(N, t) be the expectation value of the number of iterations (i.e., the number of repeating Grover’s search algorithm in Step 2) for finding the highest bid of N items in which t items are marked[38]. Then we write a recurrence equation for E(N, t) as:So we get

Subtracting Eqs (16) from (15) and rearranging, we get

Writing the same equation for (t − 1), …, 2 and adding all of them, we get,Obviously, E(N, 1) = 1. That is, there is only one marked item in the general state of N items, so it only needs to execute Grover’s search algorithm once to get the highest bid with the high probability of . Furthermore, it will give,From Eq. (19) we can get,In our PQSA scheme, there are at most n marked item, i.e., all bids are greater than the initial valuation price. So an upper bound is achieved for t = n, when we get,Therefore, we can repeat Grover’s search algorithm to obtain the highest bid with a probability of after lnn repetitions of this algorithm. That is, the failure probability ε of Step 2 to obtain the highest bid is . When δ ≥ e, we can getThe failure probability of is very small, so we only tolerate a complaint in Step 4. Therefore, if all participants honestly execute the procedures, our PQSA scheme is correct.

In above analysis, we assume that Grover’s search algorithm has some probability of failure, i.e., the probability of finding the marked item is not exactly 1. Furthermore, Long[39] presented a modified version of Grover’s search algorithm that searches a marked state with full successful rate. So, if we use Long’s algorithm in our proposed protocol, it can get the better result theoretically.

Security

First, we analysis the proposed scheme can resist all kinds of outsider attacks. For an outsider attacker, he can intercept the transmitted messages, including classical messages and quantum messages. If the outsider attacker wants to get x from without r, it is equivalent to break Hash function. At present, there is still not efficient method to break secure Hash function (e.g., SHA-1, SHA-2) by quantum computers or quantum algorithms. So, in the following we main analysis the possible attack to the transmitted quantum messages.

Firstly, the outsider attacker may perform an intercept-and-resend attack, i.e., he can intercept the transmitted quantum messages, and resend a fake quantum messages back to Alice. For example, the attacker intercepts the partial qubits of the state in the normal model. Clearly, the state |ψ〉 held by Alice and the attacker is an entangled state, where the reduced density matrixes of the subsystem held by them are and , respectively. Though the reduced density matrix held by the attacker hides all private bids, the attacker cannot extract all by the principle of quantum mechanics. That is, even if the attacker measures his intercepted subsystem, he cannot get all private bids (i.e., all marked items). In fact, he can get at most one bid (i.e., one marked item) with a low probability because n ≪ N, and the bid does not reveal any identity of the bidder. However, if the attacker intercepts the partial qubits of the state in the test model, then the reduced density matrix of the subsystem held by himself is , which is independent of all bids. That is, the intercepted subsystem cannot contain any private information about any private bid.

However, the attacker cannot distinguish the transmitted quantum states from the normal model and the test model. So, if the attacker measures his intercepted subsystem to get a bid, then he will be found later by Alice with great risk. For example, if the attacker measures the state of the test model in the computation basis, the state |ψ〉 will be collapsed into |0〉|0〉|0〉 or |i〉|i〉|0〉 with the probability of , respectively. Later, Alice performs the test procedure in (2.4) of Step 2, so she can easily find this attack.

Of course, if the attacker sends a fake quantum system back to Alice, instead of the true subsystem intercepted by him, it will be easily found by Alice in (1.7) or (2.4) of Step 2. Therefore, our scheme can resist the intercept-and-resend attack.

Secondly, we analyze a more complicated attack, that is, the outsider attacker performs an entangle-and-measure attack that he first prepares an ancillary quantum system and further entangles his ancillary quantum system and the intercepted subsystem by a local unitary operator, and afterward he can measure the ancillary quantum system to get the partial information about the private bids. The attacker’s dishonest action can be described by a local unitary operator , which is simply defined by,where |V(j)〉 is a vector orthogonal to |j〉|ξ(j)〉, i.e.,In order to completely pass the honest test (see (1.7) or (2.4) of Step 2), it can easily deduce that η = 1. That is, the whole quantum system sent back to Alice in the normal model should be in the following state after performing the operator :After successfully passing the honest test, the state of the whole quantum system is in,After performing U in (1.8) of Step 2, the state of the quantum system becomes,

At this moment, if the attacker measures his ancillary quantum system, then he will get ξ(i, 0) with a higher probability or ξ(j, 1) with a lower probability, because n ≪ N actually, where the latter includes a bid. However, if Alice further executes Grover’s search algorithm to find a marked state , then the attacker will get ξ(j, 1) with a high probability. Now, he can get a bid, but he cannot distinguish his identity.

However, our scheme still has another model, i.e., the test model. If the attacker performs the entangle-and-measure attack in the test model, the whole quantum system sent back to Alice should be in the following state after performing the operator :

After Alice executes the procedure of (2.3) in Step 2, the quantum system will become . At this moment, if Alice continues to execute the test procedure of (2.4), i.e., she performs a von Neumann measurement {P+, P−} on the first register, then she will get the following results,

That is, she will get or with the probability of , respectively. Obviously, Alice will detect the attack with the probability of .

Finally, we consider that the attacker tries to add some false marked items in the returned state |ψ〉 by the oracle operators to manipulate the auction. On the one hand, if the false marked items are smaller than the highest bid, it will not affect the correctness of the auction; On the other hand, if a certain false marked item is greater than the highest bid, it will be easily found because no bidder claims the false bid. Even if a collusion bidder claims the false bid, obviously he will not successfully pass the public verification.

In a word, no matter which attack the outsider attacker performs, he cannot get any private information without risking Alice’s detection, and cannot manipulate the auction yet. That is, our scheme can resist the outsider attacks.

In addition, by the system model defined in the section of 3.1, PQSA should meets five secure and privacy requirements. In the following section, we will prove that our proposed PQSA scheme can meet all these secure and privacy requirements.

(1) The auctioneer’s privacy: From the scheme proposed above, we can easily see that the transmitted quantum messages do not include any information about Alice’s initial valuation price x. In addition, among all quantum oracle operators utilized by our proposed scheme, it is only the oracle operator U concerning x. However, U only is performed in Alice’s registers, and these quantum states transferred by the operator U will be measured timely by Alice. So, if a dishonest bidder (or an outsider attacker) wants to steal Alice’s private information, he can only perform the entangle-and-measure attack. However, we have analyzed the infeasibility of this attack above, because he cannot yet discern the normal model and the test model. If he performs the entangle-and-measure attack in the test model, his dishonesty will be found by Alice with the probability of .

(2) The bidder’s privacy: As we have analyzed above, any outsider attacker cannot get any private bid without risking the auctioneer’s detection. In fact, for a bidder, he cannot get more information from the transmitted quantum messages than the outsider. If a dishonest bidder performs an attack, no matter concerned with measurement or entanglement, similarly, he will risk to be found later by the auctioneer. In short, no one can get the private bid of the bidder without risking the auctioneer’s detection.

(3) Anonymity: By the proposed scheme, each bidder marks his bid in the transmitted quantum state |ψ〉. However, each bidder marks his bid in an anonymous way, i.e., the marked item in |ψ〉 does not leave any identity.

For a dishonest bidder, e.g., Bob2, if he wants to get the specific bid of Bob1 when receiving |ψ1〉, he can perform Grover’s search algorithm to find |x1〉|1〉 because Bob2 knows that there is only one marked item (i.e., x1) in |ψ1〉. However, if Alice selects the test model in Step 2, she can easily find this dishonesty because the final measurement result will be |0〉 or |i〉, instead of . That is, the dishonest bidder Bob2 cannot get the bid of the first bidder Bob1 without risking Alice’s detection. In addition, after performing Grover’s search algorithm, if Bob2 directly sends a fake state to the next bidder, not |x1〉|1〉, obviously it will be easily found by Alice in (1.7) or (2.4) of Step 2.

As for the other bidder Bob, even if he performs the similar attack to get |x1〉|1〉 by Grover’s search algorithm, he still cannot get the specific identity of x because of j ∈ {1, 2, …, i − 1}. Even if multiple bidders collude to perform this attack, it will be found later by Alice with the probability of . In addition, this attack also brings a risk of the failure of the auction, because our proposed scheme only permits at most one complaint when announcing the highest bid.

At present, we only assume that there is a circle quantum channel among the auctioneer and all bidders in our PQAS model. For the current technical conditions, obviously this model is more feasible. In fact, if there is a quantum channel between any two parties, the quantum messages can be transmitted in a random order, i.e., from Bob to random Bob, not Bob, such that it can provide the perfect anonymity of the bids.

For the auctioneer Alice, she can receive the returned state |ψ〉, in which all bids have be marked in an anonymous way. Furthermore, she can get a marked item |y〉|1〉|1〉 by Grover’s search algorithm, but she cannot know y belongs to who because of y ∈ {1, 2, …, n}.

Therefore, our proposed scheme can ensure that the bidder’s bid is anonymous for all participants, including the auctioneer.

(4) Public verifiability: On the one hand, when the highest bid x is announced publicly, it needs to accept the comparisons of all other bidders to decide whether it is greater than their respective bids. On the other hand, to further win the auction successfully, the highest bidder Bob requires to open his commitment x to accept the verifications of the authenticity of the bid x. As you know, there is not a perfect secure quantum bit commitment based on the No-Go Theorem[40-42]. So we utilizes a practical and efficient classical bit string commitment, in which it can not get x only from without r, unless cracking the secure hash function, e.g., SHA-1, SHA-2. By the opening information r, anyone can verify the authenticity of the winning bid x. Even if the auctioneer wants to help a malicious bidder Bob to win this auction, but they cannot revise the hash value , which was published in advance, so the fake bid (implying ) cannot pass the verification finally. That is, this attribute can defend the collusion attack between the malicious bidder and the dishonest auctioneer. In fact, bit string commitments ensures that the initial valuation price and all bids can not changed during the whole auction, otherwise the cheating will be found easily.

(5) Fairness: Since all bidders and the auctioneer need to commit their bids and the valuation price at the beginning of the auction, and the successfully winning bid needs to be verified publicly by all participants finally, no one can manipulate the auction, even for the auctioneer. That is, the auctioneer cannot help a malicious bidder to win the auction illegally without being found by other bidders. Therefore, our proposed scheme can guarantee the fairness of the auction.

We have analyzed the security of proposed scheme in ideal settings. However, in practical settings, there may be some faults (e.g., noise and error) in the quantum channels and quantum measurements. In order to ensure its security in practical settings, one can use the fault tolerant technologies, such as decoherence-free states and error-correcting code. In addition, we can use classical authenticated channels and quantum authenticated channels to ensure the correctness of distributing messages.

Performance

The proposed scheme is mainly based on Grover’s search algorithm. By the previous analysis, the number of iterations (i.e., the number of repeating Grover’s search algorithm in Step 2) for finding the highest bid is less than or equal to lnn, which is its upper bound, so both the computational complexity and the communicational complexity are O(lnn), i.e., to execute O(lnn) Grover’s search algorithms and to distribute O(lnn) quantum messages. To complete the task, any classical scheme needs to distribute O(n) messages in theory, where each message gets a bid in an anonymous way, and then finds the highest bid by comparing O(n) times. Obviously, our proposed quantum scheme gets the lower communicational complexity than any classical scheme.

In addition, to make our scheme work, the key step is to construct the efficient circuits implementing the oracle operators. In our scheme, we define two kinds of oracle operators to mark items in a general state. Similarly, using the techniques of reversible computation[1], we can construct a classical reversible circuit which takes (x, y) - representing an input register initially set to x and a one bit output register initially set to y - to (x, y ⊕ f(x)), by modifying the usual (irreversible) classical circuit for doing the classical function f(x).

At present, Grover’s search algorithm and its variants have been implemented by the newest reports[43-45], especially in IBM quantum cloud[46]. So, with the rapid development of quantum computing and quantum information processing, we believe that our proposed PQSA scheme is feasible in the near future.

Conclusions

In this paper, we define a new privacy-preserving quantum sealed-bid auction model, and further present a novel privacy-preserving quantum sealed-bid auction scheme based on Grover’s search algorithm. The proposed scheme not only guarantees the correctness and fairness of the auction, but also ensures the privacy and anonymity of the bidders, even for the auctioneer. Compared with the current existing quantum sealed-bid auction, our proposed scheme can provide stronger privacy protections, which are urgently requirements in modern network society. So the proposed scheme has wider popularization and application prospects.

In addition, we actually give an efficient quantum approach to privately find the optimal solution under the constraint conditions among multiple distributed participants, which can also be generalized into other secure applications, e.g., an election satisfying more than half of votes.