Additive-to-Multiplicative Conversion

• Additive-to-multiplicative conversion protocols are techniques that transform linear secret shares into multiplicative ones using random multiplication triples and quantum methods.
• They utilize specially-prepared quantum graph states to establish secure correlations among parties while minimizing interactive communication.
• The approach elevates MPC security by ensuring information-theoretic privacy with reduced reliance on trusted dealers and efficient local operations.

Additive-to-multiplicative conversion protocols are foundational primitives for secure multi-party computation (MPC), enabling parties to convert simple linear (additive) secret shares into multiplicative shares that support private evaluation of Boolean conjunctions. The paradigm leverages specially-prepared random triples—multiplication triples—where the correlation $r = p q$ (mod 2) is shared among participants, ensuring that private multiplications can be performed without leaking input data. Recent developments show that such primitives can be generated nonclassically via entangled quantum resources, offering new efficiency and security properties.

1. Multiplication Triples and Their Role in Secret-Sharing MPC

In the preprocessing model of information-theoretic MPC, a central functionality is the distribution of a random multiplication triple $(p, q, r) \in \mathbb{Z}_2^3$ where $r = p q$. A "dealer" (or preprocessing functionality $\mathcal{F}_{\rm TD}$) samples $p, q \in \mathbb{Z}_2$ uniformly, computes $r = p q$, and distributes additive shares: $[p]_\A,\, [q]_\B,\, [r]_\A,\, [r]_\B,\, [r]_\R$ where $p = [p]_\A$, $q = [q]_\B$, and $r = [r]_\A \oplus [r]_\B \oplus [r]_\R$.

With these resources, two parties (Alice and Bob), holding private inputs $a, b \in \mathbb{Z}_2$, can securely compute an additive sharing of their product $ab$:

• Parties broadcast $c_a = a \oplus p$, $c_b = b \oplus q$.
• Locally, each sets (for $X \in \{\A, \B\}$):

$$[ab]_X = c_a\,c_b \oplus c_b\,[q]_X \oplus c_a\,[p]_X \oplus [r]_X,$$

so that $\sum_X [ab]_X = ab$. Uniformity and secrecy of $p, q$ ensure that the openings $(c_a, c_b)$ reveal nothing about $a, b$.

2. Generation of Multiplication Triples from Quantum Graph States

Classical triple generation with information-theoretic security typically requires a trusted dealer, secure channels, and interactive protocols. By contrast, a quantum approach constructs these triples using a specially designed tripartite 12-qubit graph state $\ket{G_\wedge}$, partitioned among three parties $(\A, \B, \R)$:

• $V_{\rm Arm\,A} = \{1,2,3\}$,
• $V_{\rm Arm\,B} = \{4,5,6\}$,
• $V_{\rm Tail} = \{7,8\}$,
• $V_{\rm Fork} = \{9,10,11,12\}$.

Edges are defined such that paths and complete bipartite subgraphs intertwine the parties' qubits, and cross-links inject correlations required for extracting the multiplication triple. The adjacency matrix $\Gamma$ determines the stabilizer generators: $$K_i = X_i \prod_{j: \Gamma(i,j) = 1} Z_j,\quad i=1,\ldots,12.$$ The resource state is prepared as: $$\ket{G_\wedge} = \Bigl(\prod_{(i,j) \in E} CZ_{i,j} \Bigr) \ket{+}^{\otimes 12}.$$

3. Measurement-Based Extraction of Additive and Multiplicative Shares

Each party holds a disjoint subset of the 12 qubits. The protocol for extracting shares $(p, q, pq)$ is a non-interactive sequence of local projective measurements and basis rotations:

• Step 1 (Arm A): $\A$ measures $Z_1 \mapsto m_1$, $\B$ measures $X_2 \mapsto m_2$, $\R$ measures $Z_3 \mapsto m_3$; define $p \gets m_1$. Stabilizer constraints yield $m_1 = m_2 \oplus m_3$.
• Step 2 (Arm B): $\B$ measures $Z_4 \mapsto m_4$, $\A$ measures $X_5 \mapsto m_5$, $\R$ measures $Z_6 \mapsto m_6$; define $q \gets m_4$.
• Step 3 (Tail): $\R$ measures $X_7 \mapsto m_7$, $\B$ measures $Z_8 \mapsto m_8$; set $s \gets m_7 = m_8$.
• Step 4 (Phase-encoding): $\B$ applies $Z_9^{m_2}$, $\A$ applies $Z_{11}^{m_5}$.
• Step 5 (Conditional Fork measurements):
  • $\B$ measures $W_9^s Z_9 (W_9^\dagger)^s \rightarrow m_9$, with $W = \sqrt{iX}$.
  • $\A$ measures $$W_{10}^p Z_{10} (W_{10}^\dagger)^p \rightarrow m_{10}$$, $$(W_{11} X_{11})^p Z_{11} (X_{11} W_{11}^\dagger)^p \rightarrow m_{11}$$.
  • $\R$ measures $$U_{12}^s X_{12}(U_{12}^\dagger)^s \rightarrow m_{12}$$, with $U = \sqrt{-iZ}$.
• Step 6 (Share assignment):
  • $[pq]_\A = m_{10} \oplus m_{11}$,
  • $[pq]_\B = m_9$,
  • $[pq]_\R = m_{12}$.

Correctness is assured by explicit stabilizer analysis, guaranteeing that $[pq]_\A \oplus [pq]_\B \oplus [pq]_\R = pq$.

4. Security Model and Perfect Privacy

Security holds under an honest-pair assumption: at least two of $\{\A, \B, \R\}$ are honest, while the third party may act maliciously. No classical messages are exchanged during the quantum phase. The protocol's security proof employs a simulation argument: for any attack by the corrupt party $\mathcal{X}^*$, its post-measurement quantum-classical state is independent of $p$, $q$, and $pq$, as these are one-time padded by random bits from the honest parties. Any partial measurement outcome remains uniform upon tracing out the pads, yielding statistical privacy.

A simulator $\text{Sim}$, with only the functionality output $(p, [pq]_X)$, can sample an indistinguishable view for the adversary by synthesizing the unique stabilizer state from fresh random bits, thus achieving perfect simulation.

5. Efficiency, Round Complexity, and Resource Assumptions

In the proposed protocol, all quantum operations—measurements and unitary rotations—are local and non-interactive, and the quantum resource $\ket{G_\wedge}$ can be prepared in advance. The online MPC phase, involving the conversion of shares or computation of function outputs, requires only a single round of broadcast per triple. Resource-wise, one ideal copy of $\ket{G_\wedge}$ is consumed per multiplication triple; correctness depends upon verified preparation, feasible with current graph-state verification protocols (e.g., McKague ’14, Unnikrishnan ’22).

Classical triple generation demands either a trusted dealer or secure channels and requires at least two rounds of private-channel interaction to achieve comparable information-theoretic security. The quantum approach eliminates these requirements via entanglement and local operation.

6. Higher-Level Constructions: 1-out-of-2 OT and $N$-Party Boolean MPC

The quantum triple-delivery protocol $\Pi_{\rm QTD}$ realizes the ideal preprocessing functionality $\mathcal{F}_{\rm TD}$. This enables construction of standard MPC primitives:

• 1-out-of-2 Oblivious Transfer (OT): Two triples are generated for messages $a_0, a_1$ and selection bit $b$. Parties broadcast masked versions of their inputs combined with triple shares. Computations using both triples allow only the receiver to recover $a_b$; neither sender nor referee learns the selection or transferred message.
• $N$-party Boolean MPC: Any Boolean function with algebraic-normal form $f = \bigoplus_i \prod_{k \in S_i} x_k$ can be evaluated using induction over multiplicative shares. To compute a conjunction $\prod_{k=1}^N x_k$, share conversion is iterated: the referee opens its share (uniform random bit), this is absorbed by a participant, and the $\mathcal{F}_{\rm TD}$-based pairwise share conversion protocol is applied recursively. Each monomial of degree $N$ consumes ${N \choose 2}$ triples and requires two rounds of broadcast per conjunction. All privacy guarantees reduce to the perfect security of each triple extraction.

This scheme ensures malicious security for any Boolean MPC task, requiring only an honest pair within each triple extraction session.

7. Comparative Summary

Method	Offline Communication	Assumptions	Security
Classical dealer/triples	Multi-round, interactive	Trusted dealer, private channels	Information-theoretic
Quantum graph-state protocol	None (local only)	Entanglement, honest pair	Information-theoretic, perfect

Quantum entanglement-driven additive-to-multiplicative conversion protocols provide round-optimal, information-theoretically secure MPC primitives under minimal trust assumptions, marking a distinct shift from classical dealer-based approaches. The central trade-off is the reliance on physically verified quantum state distribution, offset by a reduction in communication complexity and setup requirements.