Quantum preprocessing for information-theoretic security in two-party computation
Li Yu

TL;DR
This paper introduces quantum protocols for generating bipartite correlations that enable information-theoretic security in two-party computation, even with noise and aborts, advancing secure quantum and classical computing methods.
Contribution
It proposes bipartite quantum protocols for approximately generating secure correlations without a third party, with methods to handle noise and achieve high success probability.
Findings
Protocols can generate useful one-time tables with high probability in noiseless conditions.
Security depends on noise levels but can be maintained with proposed noise mitigation methods.
Generated correlations can implement no-signaling correlations like PR-boxes with communication.
Taxonomy
Topics: Quantum Information and Cryptography · Quantum Mechanics and Applications · Quantum Computing Algorithms and Architecture
Quantum preprocessing for information-theoretic security in two-party computation
Li Yu
Department of Physics, Hangzhou Normal University, Hangzhou, Zhejiang 311121, China
Abstract
In classical two-party computation, a trusted initializer who prepares certain initial correlations, known as one-time tables, can help make the inputs of both parties information-theoretically secure. We propose some bipartite quantum protocols with possible aborts for approximately generating such bipartite classical correlations with varying degrees of privacy, without introducing a third party. Under some weak requirements for the parties, the security level is nontrivial for use in bipartite computation. We show that the security is sometimes dependent on the noise level, but we propose a method for dealing with noise. The security is “forced security”, which implies that the probability that some useful one-time tables are generated can approach in the noiseless case under quite weak assumptions about the parties, although the protocols allow aborts. We show how to use the generated one-time tables to achieve nontrivial information-theoretic security in generic two-party classical or quantum computation tasks, including (interactive) quantum homomorphic encryption. Our methods provide check-based implementations of some no-signaling correlations, including the PR-box type, with the help of communication which carries no information about the inputs in the generated correlations.
I Introduction
The security of two-party computation is a main research topic in classical cryptography. The goal is usually to correctly compute some function of the inputs from the two parties, while keeping the inputs as private from the opposite party as possible. This has been studied using classical homomorphic encryption techniques Gentry09 ; brakerski2011efficient or by implementing Yao’s “Garbled Circuit” solution Yao86 . Another possibility is to introduce a trusted third party, who may sometimes interact with the two parties for multiple rounds. To lower the requirement on the trusted third party, a “trusted initializer” has been proposed Beaver98 . Such a trusted initializer only prepares some initial correlations between the two parties, and does not interact with any party afterwards. A trusted initializer who prepares certain initial correlations, referred to as “one-time tables”, can help make the bipartite computation secure.
Secure two-party quantum computation is the corresponding problem in quantum computing and quantum cryptography. The two parties wish to correctly compute an output according to some public or private program while keeping their (quantum) inputs as secure as possible. Special cases of this general problem include quantum homomorphic encryption (QHE) rfg12 ; MinL13 ; ypf14 ; Tan16 ; Ouyang18 ; bj15 ; Dulek16 ; NS17 ; Lai17 ; Mahadev17 ; ADSS17 ; Newman18 ; TOR18 , secure assisted quantum computation Ch05 ; Fisher13 , computing on shared quantum secrets Ouyang17 , and physically-motivated secure computation (e.g. OTF19 ). In the study of QHE, it is found that secure computation of the modulo- inner product of two bit strings provided by the two parties is a key task, and the one-time tables mentioned above turn out to be helpful for this task.
In this work, we propose two-party quantum protocols with aborts as replacements for the trusted initializer in preparing the one-time tables, and show that the prepared one-time tables can help achieve nontrivial degrees of information-theoretic security in bipartite classical or quantum computation. Our main protocols are based on Protocol 1 which implements the following task with partial privacy: it takes as input two locally-generated uniformly random bits and from Alice and Bob, respectively, and outputs on Alice’s side and on Bob’s side, where is a uniformly random bit. The one-time table contains four bits: two input bits and two output bits. By putting the possible aborts in the preprocessing which does not involve useful data, we partly avoid the problem of data leakage in those aborted runs in other possible protocols with aborts.
Security in quantum key distribution BB84 is dependent on verifications. Inspired by this, we propose some protocols that verify the correctness of Protocol 1. We propose Protocol 3 to select some one-time tables generated by Protocol 1. It allows Bob to abort during the protocol when he finds that Alice is cheating. When Protocol 3 is used in a generic interactive bipartite classical computation with the roles of Alice and Bob switched, the data leakage of Alice is asymptotically vanishing for noiseless physical systems, but for noisy physical systems, the leakage is linearly related to the noise level. The data privacy of Bob is partial: the leakage is about half of his input bits, but the privacy is better in the case that the function is a many-to-one map for Bob’s input, including the case that the function effectively evaluates universal circuits.
We then propose Protocol 4 which includes checks from both sides to ensure that the average rate of cheating by any party is asymptotically vanishing. For the bipartite computation task, the data leakage of any party is asymptotically vanishing for noiseless systems, while for noisy systems, the leakage of each party is linearly related to the noise level.
We then propose Protocol 5 which combines several one-time tables generated by Protocol 3 or 4 into one. When Protocol 5 based on Protocol 3 is used in bipartite classical computation, the data leakage of Alice is exponentially small, so it is almost independent of the physical noise, while some polynomial overhead is needed to make the data privacy of Bob comparable to that in Protocol 3. But such polynomial overhead is not too bad, since the function to be computed can be recompiled in general, as discussed in Sec. VII. To deal with noise, we propose Protocol 6 which has enhanced correctness. It detects the errors (from noise and possible malicious activity) with some good chance, such that the error rate in the output is polynomially small, while the security level is similar to that of Protocol 4 at the cost of a polynomial-factor increase in resources. It also has a variant that combines one-time tables in a similar way to Protocol 5. The resource overhead in Protocol 6 is exponentially large if the output error rate is required to be exponentially small. However, we think that polynomially small error in the output is sometimes acceptable, since the circuit to be evaluated is usually of polynomial length.
All the protocols are secure if both parties are honest-but-curious. An honest-but-curious party is one who follows the protocol while possibly making measurements which do not affect the final computation result. In our protocols, an honest-but-curious party does not learn anything about the other party’s data, no matter whether the other party cheats or not.
In our protocols, when one party is honest-but-curious and the other party is malicious, the privacy of the data of the honest-but-curious party is guaranteed to reach the targeted level even if the other party cheats. In Protocol 3, we assume that Bob is conservative, meaning that he values the privacy of his data higher than the possibility to learn Alice’s data. Operationally, this means he always performs the checking and aborts when the number of wrong instances exceeds the threshold that he had chosen. Alice needs to be weakly cooperating for the protocols not to abort, meaning that she does not cheat much in some batch of the instances of Protocol 1. For Alice’s data security to be enhanced by her verifications in Protocol 4, she should be conservative in the sense described above. But partly due to the possible aborts, it actually suffices to assume one of the parties is conservative in Protocol 4, since then the other party might as well be conservative to reach a better security level for himself (herself). Although Protocol 5 is quite effective when there is no noise (including errors), it may not be better than Protocol 3 or 4 when there is some non-negligible level of noise. In the noisy case, we propose using Protocol 4 or Protocol 6, where the latter is for performing some error detection while not harming security too much.
The security of the protocols is “forced security”, which means Alice is forced by Bob’s checks to not cheat in some batches of Protocol 1. It implies that the probability that some one-time tables with targeted (partial) security are generated would approach in the noiseless case under quite weak assumptions about the parties (that Alice weakly cooperates by not cheating in some batches of Protocol 1, and that Bob indeed does the checks because he is conservative), although the protocols allow aborts.
We show some applications in general two-party classical computation, and the check-based implementations of 1-out-of-2 oblivious transfer and bit commitment under some assumptions mentioned above. To enjoy some quantum speedup together with the security benefit brought about by our preprocessing, we propose an interactive QHE scheme with costs polynomial in circuit size, as well as a constant-round QHE scheme with exponential cost, which use the precomputed one-time tables as a resource, but both schemes have more rounds of communication than in the original definition of QHE. Such a scheme is then generalized to general two-party quantum computation with a publicly known circuit and private inputs on both parties, and to the case of a private circuit provided by one party and private inputs on both parties. Our protocols provide check-based implementations of some no-signaling correlations with the help of classical communication which does not carry information about the inputs in the generated correlations.
The rest of the paper is organized as follows. Sec. II contains some introduction of the background. In Sec. III we introduce the quantum protocols for generating the one-time tables. Sec. IV shows applications in general two-party classical computation. Sec. V shows applications in general two-party quantum computation. Sec. VI shows applications in check-based implementations of some no-signaling correlations with the help of classical communication. Sec. VII contains some discussions about the security in the noisy case, and physical implementations. Sec. VIII contains the conclusion and some open problems.
II Preliminaries
On computing two-party classical functions with quantum circuits, Lo Lo97 studied the data privacy for publicly known classical functions with the output on one party only. Buhrman et al bcs12 studied the security of two-party quantum computation for publicly known classical functions in the case that both parties know the outcome, although with some limitations in the security notions. These and other results in the literature Colbeck07 suggest that secure bipartite classical computing cannot be generally done by quantum protocols where the two parties have full quantum capabilities. In the current work, the protocols allow aborts in the quantum preprocessing (Bob may abort when he detects that Alice has cheated), and local randomness is used, so the scenario considered here does not fit into the assumptions in the works mentioned above. We assume that one party values the privacy of his data higher than the possibility to learn the other party’s data. Under such assumption, we do not require the parties in the main bipartite computation stage to be entirely classical.
Next, we introduce the simplest case of the one-time tables Beaver98 . Actually the type of table discussed below is known as precomputed oblivious transfer, although our usage of such a table is not in the form of transferring a bit. Rather, it is more like implementing a gate. The bipartite AND gate with distributed output is a gate that takes as input two distant bits and , and outputs and on the two parties, respectively, where is a uniformly random bit. (XOR is denoted as ; AND is denoted as the symbol.) It is sufficient for secure two-party classical computation, although there may be other constructions. Theoretically, the bipartite AND gate with distributed output on two distant input bits and can be computed while keeping both input bits completely private, with the help of a precomputed ideal one-time table of the nonlocal-AND type. Such a one-time table has two locally-generated uniformly random bits and on Alice’s and Bob’s side, respectively, and also has and on Alice’s and Bob’s side, respectively, where is a uniformly random bit. The steps for the bipartite AND-gate computation with distributed output are as follows:
- Alice announces . Bob announces .
- Each party calculates an output bit according to the one-time table and the received message. Alice’s output is . Bob’s output is .
The XOR of the two output bits is , while each output bit is a uniformly random bit when viewed alone, because is a uniformly random bit. Since the messages and do not contain any information about and , the desired bipartite AND gate is implemented while and are still perfectly private.
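The nonlocal-AND one-time table and the two-step AND computation above, implemented as an added example in Python (this is not code from the paper). The message and output formulas are one concrete choice satisfying the stated requirements: the table gives Alice (a, c) and Bob (b, a·b ⊕ c), each party announces its input masked by its own table bit, and the two outputs XOR to x·y. The exhaustive check verifies correctness, that the transcript is uniform for every input pair, and that each output bit alone is uniform; a further function shows why the table is "one-time". Names such as trusted_initializer and distributed_and are this example's own.

```python
import secrets
from itertools import product

BITS = (0, 1)


def trusted_initializer():
    """One nonlocal-AND one-time table (a hypothetical trusted initializer).

    Returns (alice_share, bob_share) = ((a, c), (b, d)) with a, b, c uniform
    and d = (a AND b) XOR c, so the two held bits c and d XOR to a AND b."""
    a, b, c = (secrets.randbits(1) for _ in range(3))
    d = (a & b) ^ c
    return (a, c), (b, d)


def distributed_and(x, y, alice_share, bob_share):
    """Compute x AND y as the XOR of two locally held output bits.

    Returns (u, v, out_a, out_b): u and v are the announced messages,
    out_a is Alice's output bit and out_b is Bob's."""
    a, c = alice_share
    b, d = bob_share
    u = x ^ a            # Alice announces x masked by her uniform table bit a
    v = y ^ b            # Bob announces y masked by his uniform table bit b
    out_a = c ^ (x & v)  # = c XOR x*y XOR x*b
    out_b = d ^ (u & b)  # = a*b XOR c XOR x*b XOR a*b = c XOR x*b
    # out_a XOR out_b = x*y: the c and x*b terms cancel.
    return u, v, out_a, out_b


def exhaustive_check():
    """Verify the three claims of Sec. II over every table and every input:
    (i) out_a XOR out_b = x AND y;
    (ii) for fixed (x, y), (a, b) -> (u, v) is a bijection, so the transcript
         is uniform and carries no information about x or y;
    (iii) each output bit alone takes both values as c varies, i.e. it is a
         uniformly random bit when viewed alone."""
    for x, y in product(BITS, repeat=2):
        transcripts = set()
        for a, b in product(BITS, repeat=2):
            outs_a, outs_b = set(), set()
            for c in BITS:
                shares = ((a, c), (b, (a & b) ^ c))
                u, v, out_a, out_b = distributed_and(x, y, *shares)
                if out_a ^ out_b != (x & y):
                    return False
                transcripts.add((u, v))
                outs_a.add(out_a)
                outs_b.add(out_b)
            if outs_a != {0, 1} or outs_b != {0, 1}:
                return False
        if len(transcripts) != 4:
            return False
    return True


def reuse_leak(x1, x2, alice_share):
    """What Bob learns if Alice wrongly reuses one table for two inputs:
    the mask a cancels, so u1 XOR u2 = x1 XOR x2. Returns that XOR."""
    a, _ = alice_share
    return (x1 ^ a) ^ (x2 ^ a)


if __name__ == "__main__":
    alice_share, bob_share = trusted_initializer()
    x, y = 1, 1
    u, v, out_a, out_b = distributed_and(x, y, alice_share, bob_share)
    print("messages", (u, v), "outputs", (out_a, out_b), "AND", out_a ^ out_b)
    print("all checks pass:", exhaustive_check())
    print("reuse leaks x1 XOR x2:", reuse_leak(1, 0, alice_share))
```

The exhaustive check is exact rather than statistical: for each of the four input pairs it enumerates all eight table values, so a failure of either correctness or privacy would be caught deterministically. The reuse function is the practical caveat behind the name "one-time table": a second use of the same (a, c) with a different input exposes the XOR of the two inputs through the announced messages.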
Some notations are as follows. By “forced security”, we mean that the security in a protocol is guaranteed by verifications where failure to pass them would cause the protocol to abort. By saying that a protocol is “cheat-sensitive”, we mean that any cheating will probably cause the protocol to abort. Our protocols starting from Protocol 3 are in fact cheat-sensitive, but to avoid confusion with protocols in the literature (e.g. HK04 ) which have different levels of security and effectiveness from ours, we do not use the term in the titles of the protocols.
Denote , and . The Hadamard gate satisfies and . The random bits are unbiased and independent of other variables by default. An EPR pair is two qubits in the state .
III The quantum protocols for generating one-time tables
The main quantum protocols to be introduced later are based on Protocol 1, which is a revised version of a subprocedure of a protocol from Yu18 . Protocol 1 effectively computes an AND function on two remote classical bits from the two parties, with the output being a distributed bit, i.e. the XOR of two bits on the two parties. The security is not ideal: the plain use of such a protocol would give rise to non-ideal security in (interactive) quantum homomorphic encryption Yu18 , and some additional verification needs to be added to the protocol for its security to be nontrivial. Later we propose protocols that check and sometimes combine the one-time tables generated from Protocol 1, to be used as a preprocessing stage for a bipartite classical or quantum computation task.
Protocol 1 involves direct sending of states, while Protocol 11 in Appendix A is the corresponding entanglement-based variant. Protocol 11 uses prior shared entanglement to remotely prepare some state on Bob’s side via Alice’s local measurements, and it also involves a step of teleportation bbc93 from Bob to Alice with partial information about the corrections withheld by the sending party. The teleportation approach allows Alice and Bob to do operations simultaneously, see the discussions in Secs. VI and VII. These two protocols crucially depend on the property of the gate: it is equivalent to a gate in the reverse direction in an unbiased basis (the basis on both qubits).
In Protocol 1, Alice’s input bit has partial privacy even for a cheating Bob, while Bob’s input bit is secure for an honest-but-curious Alice, but is not secure at all for a cheating Alice. The privacy of Alice’s input bit can be quantified using the accessible information or the trace distance. The accessible information, i.e. the maximum classical mutual information corresponding to Bob’s possible knowledge about Alice’s input, is exactly bits, which happens to be equal to the Holevo bound in the current case. For a cheating Bob to get the maximum amount of information, his best measurement strategy in the current case is to use a fixed projective measurement: to measure the first qubit in the basis, and the second qubit in the basis. The trace distance of the two density operators for Alice’s two possible input values is , by direct calculation. Thus, the probability that Bob guesses Alice’s input bit correctly is . Note that with this particular measurement just mentioned, he cannot make the distributed output of the one-time table correct. In other words, Bob cannot learn the other party’s input without consequences.
To learn about Bob’s input bit, a cheating Alice may use an entangled state . From Bob’s returned state, Alice may find out Bob’s input bit with certainty. But in such case Alice has no effective input to speak of, and she does not know Bob’s output bit , so even if she chooses an input bit for herself later, she cannot determine her output bit for making the distributed output correct.
The entanglement-based version for Protocol 1 is Protocol 11 in Appendix A. Note that in Protocols 1 and 11, Alice may cheat by declaring that she did not receive some qubits in some instances. In such case she may be certain about one of the three bits: , or , depending on her measurement strategy, but she cannot learn both and one of and (near) perfectly. Since this is a somewhat non-conventional way of cheating (as there is significant ratio of failed instances noticeable to Bob), we discuss this case near the end of Appendix A.
Protocol 1 has two stages of communication. The following Protocol 2 has only one stage of communication. It is derived from the entanglement-based Protocol 11. Instead of using prior entanglement, Bob prepares some pure state on four qubits dependent on his private keys and a private input bit . Bob sends such a state to Alice. Since there are several different choices of such a pure state, Alice receives a mixed state in her view. She does some single-qubit measurements in some bases of her choice to obtain some classical correlation (one-time table) shared with Bob.
In Protocol 2, Bob’s input is partly secure. For an honest Bob, Alice can know Bob’s input with probability , since the two density operators of Bob’s have trace distance . On the other hand, Alice’s input in the one-time table, , is completely insecure in the worst case for a cheating Bob, but it is completely secure for an honest Bob. A cheating Bob could prepare some state such that is determined, such as preparing on the first two qubits, but then the output of the one-time table would be completely random (because Alice would measure one of the first two qubits in a basis unbiased with respect to the basis of the state of that qubit), hence it is incorrect with large probability. Overall, the security characteristics of Protocol 2 are analogous to those of Protocol 1 but with the roles of the two parties switched. But the fewer rounds of communication make Protocol 2 potentially interesting in other applications. In later parts of the paper, we take Protocol 1 as the example in analyzing some composed protocols.
In the following we present protocols which check or combine the one-time tables generated in Protocol 1. The first one has partial security for Alice and near-perfect security for Bob, while the second one involves checking by both parties, and aims for near-perfect security for both parties. The third one aims for near-perfect security for both parties with emphasis on the security of one party.
In Protocol 3, Alice’s input bit has partial privacy, which is the same as in the analysis of Protocol 1 above. When the ratio is near one, the nonlocal correlations in the remaining unchecked one-time tables can be regarded as almost surely correct. This is because of Bob’s checking. We require Alice to be weakly cooperating, that is, she does not cheat in some of the batches of instances, since otherwise no one-time table may pass the test. Some degree of weak cooperation is required for two parties to perform a computation anyway, and the above assumption of Alice has no effect on the data security of any party when Bob satisfies the assumption below, thus we may ignore the assumption above and just state the following assumption on Bob as the requirement of our protocols. In the following we assume that Bob is conservative, which means that he values the privacy of his data higher than the possibility to learn Alice’s data. Later in Sec. IV we will see that it effectively implies that he indeed does the checking. For an honest-but-curious Alice, the resulting correlation is correct, and she does not learn anything about Bob’s input bit (using the notations in Protocol 1, same below). In the following we discuss the case that Alice cheats.
If Alice cheats and gets at least partial information about Bob’s input bit , the state sent from Alice to Bob must be different from what is specified in the protocol; her best choice of state for cheating is mentioned previously. To pass Bob’s test while learning about Bob’s input , she should know both and , or know both and . (The two conditions are equivalent in the exact case, but not necessarily equivalent in the partial-information case.) In the following, let denote the classical mutual information learnable by Alice about Bob’s bit (with uniform prior distribution) if she uses the measurement on the received two qubits (possibly a POVM measurement), in an instance of Protocol 1. The and are defined similarly, but note that they are conditioned on the uniform distribution for , similar to the case of .
Proposition 1.
In Protocol 1, the following inequalities hold:
[TABLE]
where the two are the same in each equation. All the quantities on the left-hand sides also depend on Bob’s received state . It is effectively prepared by Alice, and is a mixed state on two qubits (in numerical calculations, it is viewed as a pure state on two of Bob’s qubits and two imaginary ancillary qubits). We abbreviate the symbol .
Note that the relationship between and is as follows: if Alice is honest, the is determined by the choice of according to Protocol 1 up to some Pauli operators (arising from the teleportations in Step 2 of Protocol 1). If Alice is dishonest, the is not necessarily related to (since the latter may be undefined), and it may be a mixed state in Bob’s view, but Alice may hold the purification for it, where the purification system needs to include two ancillary qubits at most. In defining , we use Bob’s received state instead of Alice’s input state before teleportation, since it is more general: Alice could cheat by changing her operations to deviate from the original operations in the teleportation, but she always effectively prepares a (mixed) state on Bob’s two qubits no matter what she does.
Proof.
Suppose is Bob’s received two-qubit mixed state. The overall communication from Bob to Alice in Protocol 1 is effectively only one classical bit, since if Bob randomly performs a gate on his first sent qubit, the sent two qubits would be in a maximally mixed state, containing no information for Alice. Also note that there are effectively no other prior correlations between the two parties besides the fixed entangled state, so the locking of information DHL04 does not occur here. The amount of information that Alice learns about the joint distribution of and is upper bounded by bit. The bits and are independent when Bob produces them, so the and are independent prior to Alice’s measurement. Thus the inequality (1) holds, where we have assumed that the two implicit in the information quantities are the same in this equation (same below). The bits and jointly determine and , and vice versa, so the amount of information that Alice learns about the joint distribution of and is upper bounded by bit. And since the bits and are independent prior to Alice’s measurement, we have that the inequality (2) holds. The inequalities (1) and (2) together imply (3). □
The probability that Alice passes Bob’s test at a particular instance is related to the in Eq. (3). When the probability of passing approaches , such maximum approaches , then it must be that one of them approaches . Then, Prop. 1 implies that Alice can learn almost nothing about if she measured in the same basis, but in fact a cheating Alice knows which instances are remaining and will not be checked later (although it is conceivable that some checks may be done after the main computation, see Sec. VII below), so she can choose to do any measurement on the received states in these remaining instances. Such measurement may not be the same as in the other term in Eq. (3). This implies that Eq. (3) alone is not sufficient for proving the security of Protocol 3.
Theorem 1.
In Protocol 3, Bob’s input is asymptotically secure.
Proof.
We first consider the case that Alice’s operations are independent among different instances of Protocol 1, and at the end comment that the non-independent case still satisfies the extreme case of the inequalities above, giving rise to the security of Protocol 3.
Due to the freedom of measurement basis choice mentioned above, the Holevo bounds, which are upper bounds of the information quantities, are more relevant for proving the security of Protocol 3. Under the condition that Alice’s operations are independent among the instances, we need only consider the Holevo bounds for a single instance of Protocol 1. Let be the Holevo quantity which is the upper bound for . It is defined as
[TABLE]
where is the density operator that Alice receives from Bob for the case of after Pauli corrections determined by Bob’s sent bit, and . The represents the von Neumann entropy. The definition of shows that it is conditioned on the uniform prior distribution for . The quantities and are defined similarly and are also conditioned on the uniform prior distribution for . We claim that the following inequality holds for small positive and a nonnegative continuous function ,
[TABLE]
The reason is as follows. The Holevo quantities in Eq. (III) satisfy uniform continuity, because of the combination of the following two reasons: the ancilla in Alice’s initial state (introduced in Prop. 1) is effectively at most dimensions due to the Schmidt decomposition, and note that such ancilla is also the ancilla for Alice’s final state; the Holevo quantity in (4) is continuous as a function of and and is therefore a continuous function of Alice’s initial state , and similarly, the Holevo quantities and are also continuous functions of Alice’s initial state . Given that the Holevo quantities satisfy uniform continuity, we obtain Eq. (III) by noting the fact that
[TABLE]
where Eq. (6) holds because implies that for some , and the latter implies due to the following argument: suppose (the case that is similar), and consider the four density operators on Alice’s side corresponding to the four different combinations of and ; then the two pairs corresponding to different must be orthogonal across the pairs. Then if the states in one pair are partially distinguishable, the left-hand side of (3) would be greater than for some , which violates Prop. 1. The above arguments show that for some implies , hence Eq. (6) holds.
Alice may cheat in some instances of Protocol 1, so we may define a rate of cheating. Partial cheating in an instance is converted into a fractional number of cheating instances in calculating such a rate. Alice’s cheating probabilities among different instances may be correlated, but that does not affect the following argument, since Bob randomly chooses which instances to check. It is somewhat subjective for Bob to determine the average rate of cheating from the number of wrong results and the total number of tests in Protocol 3, since it depends on the a priori knowledge about the probability distribution for Alice’s average rate of cheating, and also depends on the correlations between rates of cheating among different instances of Protocol 1. Suppose that after some checking, Bob estimates that Alice’s average rate of cheating is , which is a small positive constant near , then the following estimate holds for the uniform distribution of and (the uniform distribution of can be imposed by Bob since he wants Alice’s cheating to be detected, and has the uniform distribution according to Protocol 1): . Hence, according to Eq. (III). This shows that the expected amount of information about learnable by a cheating Alice in the remaining instances of Protocol 1 is arbitrarily near zero for sufficiently small , even if she measures in different bases from those for the tested instances. The word “expected” means that even if , where is the total number of one-time tables to be used for the main computation, Alice may sometimes learn one or a few bits of Bob’s input by chance, but on average she learns not more than bits. Since the information about is linearly related to the information learnable by Alice in the later main computation stage (see the bipartite AND-gate computation method in Sec. II), this shows the security of Protocol 3 in the case that Alice’s operations are independent among instances of Protocol 1.
In the following we consider the general case that Alice’s operations are not necessarily independent among instances of Protocol 1. If Alice initially prepares some correlated quantum states among instances, the generalization of Eq. (6) should hold, due to the similar reason as that after Eq. (6). Then the generalization of Eq. (III) for the corresponding Holevo bounds should hold approximately near such extreme point, due to the uniform continuity of the Holevo bounds (as functions of the joint state on Bob’s side on multiple subsystems). Since Bob’s variables and are independent among the instances, the generalizations of Eq. (III) just mentioned have the same scaling near the extreme point (as the number of instances of Protocol 1 grows) as in the case that Alice’s operations are independent. The last point can be seen from that Alice’s states in other instances of Protocol 1 serve as auxiliary systems in considering Holevo quantities of the form (4), so the one-copy tradeoff curve of the Holevo quantities still holds, i.e. Eq. (III) for one instance still holds with the same quantitative levels (including near the extreme point). This shows that the argument for the security for the case of independent operations of Alice can be extended to the general case.
Finally we consider the “restarts” of the protocol mentioned at the end of Protocol 3. Since Bob’s inputs in different runs are independent, Alice has no way of using joint initial states or joint measurements to take advantage of the possibility of restarts. Hence the probabilities that a cheating party passes the other party’s test in different runs add up at most additively over the runs; this holds for a cheating Bob with respect to Alice’s test, and likewise for a cheating Alice. And since in practice there can only be a polynomial number of restarts, due to resource constraints, either party can set appropriate thresholds in his or her checking so that the overall probability of a cheater passing the tests is upper bounded by any small positive constant. □
Some numerical results are in Appendix B.
To improve Alice’s security in the protocol above, we propose the following Protocol 4, in which Alice also does some checking about Bob’s behavior.
By noting that there is effectively only one bit of classical communication from Alice to Bob in Protocol 1, the analysis of Bob’s data privacy in Protocol 3 provides hints for analyzing Alice’s data privacy in Protocol 4. There are analogues of Prop. 1 and Theorem 1 for Alice instead of Bob; see Prop. 2 and Theorem 2 below. To draw an analogy with the analysis of Protocol 3, note that the output bits of Protocol 1 can alternatively be written as on Alice’s side and on Bob’s side, respectively, where is a uniformly random bit. We state the following results. The is the classical mutual information learnable by Bob about Alice’s input using measurement , in an instance of Protocol 1, where the incorporates his possible gate, some Pauli corrections (or equivalently some classical postprocessing), and a Bell-state measurement with withheld masks. The other quantities are defined similarly.
Proposition 2.
In Protocol 1, the following inequalities hold:
[TABLE]
where the two are the same in each equation.
Proof.
The overall communication from Alice to Bob in Protocol 1 is effectively only one classical bit, since Alice could apply an arbitrary Pauli operator to the qubit not encoding , while applying a to the qubit encoding if it is encoded in the basis, or a to the qubit encoding if it is encoded in the basis. The protocol still works under these changes, with Alice’s recorded value of changed accordingly. Then, if Alice further applies a Pauli operator, the two qubits sent to Bob would be in a maximally mixed state, containing no information for Bob. This shows that the overall communication from Alice to Bob in Protocol 1 is effectively only one classical bit. Thus the amount of information that Bob learns about the joint distribution of and is upper bounded by bit. (As mentioned below, the value of depends on , so it is not decided by Bob.) The bits and are independent, because is an independent uniformly random bit by the construction of Protocol 1: Alice takes the XOR of some intermediate result and a uniformly random bit (generated by herself and independent of ) in the last step of Protocol 1. Thus inequality (7) holds. The bits and jointly determine and , and vice versa, so the amount of information that Bob learns about the joint distribution of and is upper bounded by bit. And since the bits and are independent, inequality (8) holds. Inequalities (7) and (8) together imply (9). □
Theorem 2.
In Protocol 4, Alice’s input is asymptotically secure.
Proof.
Similarly to the proof of Theorem 1, we may define the Holevo quantities , and , which are conditioned on the uniform prior distribution for . For reasons similar to those in the proof of Theorem 1, the following inequality holds for small positive and a nonnegative continuous function ,
[TABLE]
Note that to show the inequality (III) is correct, we need the following implication:
[TABLE]
The implication in Eq. (11) holds because implies that for some measurement of Bob’s, and the latter implies by the following argument. Suppose (the case is similar), and consider the four density operators on Bob’s side corresponding to the four combinations of and ; then the two pairs corresponding to different values of must be orthogonal across the pairs. If the states within a pair were partially distinguishable, the left-hand side of (9) would be greater than for some , which would violate Prop. 2. This shows that for some implies , hence Eq. (11) holds.
In the case that Bob’s operations are independent among the instances of Protocol 1, the security of Alice’s input in Protocol 4 then follows, for reasons similar to those in the proof of Theorem 1.
In the following we consider the general case that Bob’s operations are not independent among the instances of Protocol 1. In this case, the generalization of Eq. (11) should hold, for the same reason as the one given after Eq. (11). Then the generalization of Eq. (III) for the corresponding Holevo bounds should hold approximately near such an extreme point, due to the uniform continuity of the Holevo bounds (as functions of Bob’s operations and the messages he sends to Alice), together with the argument in the proof of Theorem 1 that the systems in other instances serve as auxiliary systems, so that the one-copy tradeoff curve of the Holevo quantities still holds. This shows that the security argument for the case of independent operations of Bob extends to the general case.
For the “restarts” of the protocol, the argument is the same as that in the proof of Theorem 1, so we do not repeat it here. □
It should be noted that when is near [math], there is still some exponentially small probability that Bob learns quite a significant portion of the information about in the remaining unchecked instances. The quantitative security level differs from that obtainable by directly adapting Theorem 1 with the roles of the two parties switched, in at least the following two respects. First, Alice’s data privacy has a nonzero lower bound here; see the analysis below Protocol 1. Second, with the same resource cost, Bob’s data privacy is somewhat weaker than in Protocol 3, since some of the one-time tables are now used for Alice’s checking: Bob effectively checks about half as many instances as in Protocol 3, and Alice checks the other half. But the security should not be much worse, since Bob randomly chooses which instances to check.
In Protocol 4, if either party is conservative, that party’s data privacy is guaranteed. Moreover, partly because of the possible aborts, it suffices to assume that just one of the parties is conservative in Protocol 4, since the other party might as well then be conservative too, in order to reach a better security level for himself or herself.
When one party’s data privacy is very important, and the other party’s data privacy is not too important, we propose the following Protocol 5. It improves the privacy of Alice’s input in the later main computation task, while that of Bob’s input is somewhat compromised.
In Protocol 5, the privacy of Alice’s bit for the combined one-time table is quite good: the accessible information for Bob is exactly bits, where is the size of in the protocol description. This is because the different one-time tables from the first step are independent. The Holevo bound coincides with the accessible information in this case.
For the privacy of Bob’s input bit in the combined one-time table, it is possible for a cheating Alice to perform a joint measurement on the states received from Bob, in order to learn as much as possible about and simultaneously (or about and ). Bob can deal with this by testing more one-time tables. The resource usage (the amount of entanglement needed and the amount of communication) is estimated to be about times that of Protocol 3, to achieve a similar level of privacy for Bob, where is the total number of one-time tables required for the later main computation, and is the size of in Protocol 5. In the factor , one is for the size of , and the additional factor means that about one-time tables are used in the instance of Protocol 3 in the first step of Protocol 5. This factor appears because Alice may use techniques similar to Grover’s algorithm to increase the amount of information she may learn about , and the same input variable of Bob’s may appear in the original circuit at most times. But in the case that the function to be evaluated is a program provided by Bob evaluated on Alice’s data, it is possible that each variable of Bob’s appears only once; then the factor can be omitted, so that the overhead becomes only compared to the plain use of Protocol 3.
Protocol 5 differs from the previous protocols in that it has an extra step of combining the one-time tables, and its use in the later bipartite computation task may differ by a switch of the roles of Alice and Bob. The success of the quantum protocols is not guaranteed in the presence of cheating, but this is not a serious problem, since cheating is caught with high probability, and these protocols are in the preprocessing stage of the overall computation, so the useful data is not leaked. Failures in the quantum gates, measurements, and entanglement generation or qubit transmissions in the preprocessing stage can be tolerated by trial and error. Failures in Protocol 1 are required to be reported in the protocols, so they have no effect on the testing and the later computations. In some experimental implementations the failures might not be reported and might instead appear as errors, and this would affect the security.
To deal with noise and errors, we propose the following Protocol 6, which has some polynomial resource overhead, and there is a polynomial reduction in error rate in the output.
A remark on the method for analyzing the security of Protocol 6 is as follows. The classical mutual information, rather than the Holevo bound, is the essential quantity in analyzing the security of Protocol 6, because the final quantum state of Alice for each instance of the one-time table is measured in order to perform the checks, whereas in some other protocols such as Protocol 3, the states for the one-time tables actually used are not measured during the checking.
One strategy for Alice to cheat in Protocol 6 is to guess the and , and confirm her guesses from whether or not the instance is rejected after she has sent some bits to Bob for him to check. This way of cheating requires her to also know both and ; however, she can only guess but not deterministically learn both of those bits, because of the checking in Step 2. (As a side remark, Alice cannot take advantage of the fact that some are equal to redesign her attacks in Steps 1 or 2, since the choice of which of them are equal is unknown to Alice.) Hence such a strategy is impractical for Alice. Bob may cheat by partially learning about some through his measurements on the quantum states, and then deducing from the sent bit . To deal with this strategy of Bob’s, Alice could check more instances of one-time tables in the initial stage, or combine some target instances, similarly to the method in Protocol 5.
It is estimated that the above-mentioned cheating method of Bob requires , where is the target error level in the output (assuming the original error level is a constant). This is because if were larger, Bob would have a good chance to cheat while making the outcomes approximately correct. The overall resource costs depend not only on the value of , but also on the number of one-time tables remaining after Step 2, and the latter is higher than in Protocol 4 because of the presence of errors and the need to detect them. The cost overhead compared to Protocol 4 (in terms of the number of initial one-time tables) is estimated to be , for Bob’s privacy to stay comparable to that in Protocol 4. The cost overhead compared to Protocol 5 should be similar.
From the above, we see that the resource overhead may be exponentially large if the output error rate is required to be exponentially small, while the security stays comparable to that in Protocol 4. A possible explanation is that Protocol 6 does not involve active error correction. We suspect that a polynomially small error in the output is sometimes acceptable, since the circuit to be evaluated is usually of polynomial length; and some embedded checks in the two-party computation could be adopted so that the computation rewinds to a previous point when an error is detected.
IV Applications in two-party classical computation
The following Protocol 7 is for evaluating a linear polynomial with distributed output using the quantum preprocessing protocols introduced above. The linear polynomial is of the form , where is a constant bit known to Bob, and and are bits on Alice and Bob’s side, respectively. The output is the XOR of two bits on different sides.
If Protocol 3 is used in Protocol 7, the data privacy of one party is partial. The leakage is about half of his or her input bits. See also the comments after Protocol 8 below. Generally, we suggest using Protocol 4 or Protocol 6 in Protocol 7, since they at least aim for near-perfect security.
For a generic boolean circuit, we propose Protocol 8. The main computation after the preprocessing does not include any aborts, and only requires the number of communication rounds to be about equal to the circuit depth. The circuit is assumed to be known to both parties, except for some initial local gates, which may be known only to the local party.
If Protocol 3 is used in Protocol 8 with the roles of Alice and Bob switched in the preprocessing only, the data privacy of Bob is partial: the leakage is about half of his input bits in each polynomial. But the privacy is better in the case that the function allows many different inputs of Bob to give rise to the same result. In the case that the function effectively evaluates a universal circuit with data given by Alice and the logical circuit given by Bob, his input has partial privacy, which is acceptable due to possible recompilations of Bob’s logical circuit. If Protocol 5 is used instead of Protocol 3, it is suggested that Alice always be the first party, to reduce the required number of one-time tables when Alice’s data privacy is more important than Bob’s. Then Alice’s data in the main computation is asymptotically secure because of the property of Protocol 5. The remarks above are for the noiseless case. For the case with noise, see Sec. VII, where it is suggested to use Protocol 4 or Protocol 6.
Protocol 8 has the desirable property that cheating usually gives rise to wrong results. If some party (partially) cheated in generating some of the one-time tables, so that some but not all of the one-time tables used in Protocol 8 are insecure, then the insecure one-time tables are wrong with some significant probability according to Eq. (3): the calculation results for a particular nonlocal AND gate would often be incorrect after the distributed output bits are recombined. This implies that the final computation result has a large probability of being wrong. But if that party cheated in all the generated one-time tables and passed the other party’s test, the computation result could be calculated by the cheating party alone with the help of the messages sent by the other party in the main computation stage. The latter case is unlikely, since the other party can set a low threshold in the testing.
Some protocol similar to Protocol 8 could be used for evaluating a public circuit on shared classical secrets between Alice and Bob, when each effective input bit is the XOR of two remote bits. The steps are quite similar except for some initial local gates, so we abbreviate the protocol here.
In the following we discuss the security assumptions. We define Bob to be “conservative”, if he values the privacy of his input data higher than the possibility to learn Alice’s data.
First, let us assume that Bob honestly does the testing in Protocols 3 and 5. There could be superpositions in the input and the output of these quantum protocols, but in the later classical computation task, the parties may perform computational-basis measurements to force the received superposed states to collapse. Note that one party may insist on using the superposed output from some instance of the one-time table, but when the other party performs some later gate using such an output as an input, the latter party may perform computational-basis measurements to force the collapse of the superposition.
Next, we discuss the case outside this assumption, that is, the case that Bob cheats in the quantum protocols. He may cheat by not aborting after finding that Alice is cheating. This way of cheating is not powerful by itself, but see the following discussion of his combined ways of cheating. The second way for him to cheat is to use general quantum input (allowing superpositions and entanglement) for the one-time tables, which also allows general quantum output for the one-time tables. In such a case, Alice may perform computational-basis measurements in the main bipartite computation stage to force the collapse of superpositions. The case that he uses general quantum output for the one-time tables is discussed in the previous paragraph. For the case that Bob combines the two cheating methods above, if Alice is honest, Bob cannot get more information about Alice’s data than in the case that he does not cheat in this way. If Alice also cheats, then it is possible that Bob’s knowledge about Alice’s data is better on average (e.g. when they discard some one-time tables, so that Bob obtains more information about Alice’s input in the remaining one-time tables). But that comes at the expense of a higher possible leakage of Bob’s data, so a conservative Bob should not perform such combined cheating. The third way for Bob to cheat is to use superposed states in the main computation but not in the preprocessing. This has no effect, since Alice may make a computational-basis measurement on the state received from Bob in the main computation. Note that Alice’s data leakage is limited by the design of the quantum protocols, except in the case of a non-conservative Bob discussed above. In conclusion, if we assume Bob to be conservative, the quantum protocols are asymptotically secure; if we assume Alice to be honest-but-curious, Protocol 5 is asymptotically secure for Alice (as mentioned in Sec. III), and in that case it does not make much sense for Bob to cheat, since he cannot gain from cheating.
In the following we consider implementing some cryptographic primitives such as 1-out-of-2 oblivious transfer (Crepeau88; Kilian88) and bit commitment. Protocol 9 is a 1-out-of-2 oblivious transfer protocol, with its definition shown in the initial part of the protocol. It is constructed from the one-time table (which effectively implements the PR-box with the help of some communication, cf. Sec. V) by using the method in WW05. In Rabin oblivious transfer, Alice sends a bit to Bob, it is received with probability , and Alice does not know whether the message was received by Bob. 1-out-of-2 oblivious transfer can be constructed from Rabin oblivious transfer (Crepeau88), but we are not aware of a construction in the reverse direction, although the oblivious key protocol of WW05, which is quite similar to Rabin oblivious transfer, can be constructed from 1-out-of-2 oblivious transfer according to WW05.
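The one-time-table evaluation used by Protocols 7 and 8, and the PR-box-to-OT step behind Protocol 9, in working form. This is an added example, not code from the paper. It assumes that the concrete table for one nonlocal AND gate is the usual trusted-initializer correlation (Alice holds (a, c_a), Bob holds (b, c_b), with a, b, c_a uniform and c_a ⊕ c_b = a·b), produced here by a local random generator that stands in for the quantum preprocessing; that the linear polynomial of Protocol 7 is k ⊕ ⊕_i x_i·y_i with Bob holding the constant k and the coefficients y_i and Alice holding the variables x_i; and that the oblivious transfer follows the Wolf–Wullschleger reduction from a PR-box (sender inputs m0 ⊕ m1, receiver inputs the choice bit, sender reveals her box output XORed with m0). The last function models the cheating discussed after Protocol 8: an Alice who uses a share uncorrelated with Bob’s, so that the recombined AND output is wrong in exactly half of all cases by exhaustive enumeration.

```python
import itertools
import secrets

# Added example (not the paper's own code).  The one-time table for a nonlocal
# AND gate is ASSUMED to be the standard trusted-initializer correlation:
# Alice gets (a, c_a), Bob gets (b, c_b), with a, b, c_a uniform and
# c_a ^ c_b == a & b.  A local random generator stands in for the quantum
# preprocessing that would produce the correlation without a third party.

def make_one_time_table(rand=lambda: secrets.randbits(1)):
    """Return (alice_share, bob_share) for one nonlocal AND gate."""
    a, b, c_a = rand(), rand(), rand()
    c_b = c_a ^ (a & b)          # the table's defining correlation
    return (a, c_a), (b, c_b)

def nonlocal_and(x, y, table):
    """Alice holds x, Bob holds y.  One masked bit is sent each way and the
    output is distributed: z_a ^ z_b == x & y.  The messages u and v are
    one-time-padded by a and b, so neither party learns the other's input."""
    (a, c_a), (b, c_b) = table
    u = x ^ a                    # Alice -> Bob
    v = y ^ b                    # Bob -> Alice
    z_a = c_a ^ (a & v) ^ (u & v)
    z_b = c_b ^ (u & b)
    return z_a, z_b

def eval_linear_poly(xs, ys, k, tables):
    """Protocol-7 style evaluation of k ^ XOR_i (xs[i] & ys[i]) with
    distributed output.  k and the ys are Bob's constant and coefficients,
    the xs are Alice's variables; each variable consumes one fresh table."""
    if not len(xs) == len(ys) == len(tables):
        raise ValueError("one one-time table per variable is required")
    f_a, f_b = 0, k
    for x, y, t in zip(xs, ys, tables):
        z_a, z_b = nonlocal_and(x, y, t)
        f_a ^= z_a
        f_b ^= z_b
    return f_a, f_b

def ot_1_of_2(m0, m1, choice, table):
    """1-out-of-2 OT on top of one distributed AND (the PR-box correlation
    r_a ^ r_b == s & t, realised with communication), following the
    Wolf-Wullschleger reduction (assumed construction): the sender inputs
    m0 ^ m1, the receiver inputs the choice bit, the sender reveals r_a ^ m0.
    Returns the receiver's output, which equals m_choice."""
    r_a, r_b = nonlocal_and(m0 ^ m1, choice, table)
    s = r_a ^ m0                 # Alice -> Bob
    return s ^ r_b

def substitution_attack_error_rate():
    """Cheating model from the discussion of Protocol 8: Alice uses a share
    (a2, c2) that is not correlated with Bob's.  Enumerate every honest table,
    fabricated share and input pair and count wrong AND outputs."""
    wrong = total = 0
    for a, b, c_a, a2, c2, x, y in itertools.product((0, 1), repeat=7):
        bob_share = (b, c_a ^ (a & b))           # Bob's honest share
        z_a, z_b = nonlocal_and(x, y, ((a2, c2), bob_share))
        wrong += int((z_a ^ z_b) != (x & y))
        total += 1
    return wrong / total

def all_correct():
    """Exhaustive correctness check of the AND, the OT and the polynomial."""
    for a, b, c_a, x, y in itertools.product((0, 1), repeat=5):
        t = ((a, c_a), (b, c_a ^ (a & b)))
        z_a, z_b = nonlocal_and(x, y, t)
        if z_a ^ z_b != (x & y):
            return False
        for m0, m1 in itertools.product((0, 1), repeat=2):
            if ot_1_of_2(m0, m1, y, t) != (m1 if y else m0):
                return False
    xs, ys, k = [1, 0, 1, 1], [1, 1, 0, 1], 1   # constructed sample inputs
    tables = [make_one_time_table() for _ in xs]
    f_a, f_b = eval_linear_poly(xs, ys, k, tables)
    return f_a ^ f_b == k ^ (1 & 1) ^ (0 & 1) ^ (1 & 0) ^ (1 & 1)

if __name__ == "__main__":
    print("all correct:", all_correct())
    print("AND error rate under share substitution:", substitution_attack_error_rate())
```

Each table is consumed by exactly one AND; reusing a table would leak the masks, which is why the polynomial evaluator takes one fresh table per variable, matching the cost count given for Scheme 1.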
There are some no-go theorems for quantum bit commitment (LoChau97; Mayers97). Since our quantum preprocessing protocols allow aborts, and there are some requirements on the players in those protocols, it is still possible that bit commitment can be implemented with the help of the one-time tables generated by the quantum preprocessing protocols. In Protocol 10 we propose a bit commitment protocol inspired by a computationally secure construction based on quantum one-way permutations (DMS2000). Here, instead of using quantum one-way permutations, we use a special bipartite classical computation with distributed output, with the help of quantum preprocessing. Our scheme is cheat-sensitive and subject to some other assumptions similar to those for the generic Protocol 8. It requires that one of the parties be conservative.
In the last step of Protocol 10, if Alice sends Bob some random bit string, the results obtained by Bob are generally not consistent with any input value of . For large , it is hard for Alice to guess the appropriate bit string that could make Bob believe the input was . The reason is as follows. There are possible bit strings of length representing the results of the nonlocal AND gates (called “outcome strings” below). In the generic case that Bob did not use all-zero values for the input bits of the nonlocal AND gates, one of the outcome strings corresponds to the input value , a different outcome string corresponds to the input value , and all other outcome strings are meaningless for Bob. And since Alice knows neither Bob’s inputs (which we assume to be randomly distributed among the nonzero -bit strings) nor his part of the outcome string, she has probability  of correctly guessing her part of the outcome string corresponding to the input value . In the remaining case that Bob had used input bits that are all zero, Alice’s input does not affect the outcome string, which is the all-zero string, so Bob cannot distinguish between the case and the case , and therefore he should not have chosen such an all-zero string as his input. The above analysis means that Bob has an allowed strategy such that a cheating Alice has probability of success in trying to change the committed bit after making the commitment.
Coin flipping. It is mentioned in Appendix H of NO09 that universally composable oblivious transfer of strings implies coin flipping. And such type of coin flipping is referred to as strong coin flipping in the literature Mochon05 . The paper BC91 also gives a protocol for transforming bit commitment into coin flipping. Thus, we obtain that there is a quantum check-based protocol for strong coin flipping.
V Applications in two-party quantum computation
The methods in this work can be applied to two-party secure quantum computing tasks. When such tasks have classical input and output, they also serve as classical tasks of the type discussed in Sec. IV, but with quantum implementations. In this way, classical computational tasks are completed with a quantum speedup and a quantum security advantage. But this requires at least one party to have quantum capabilities beyond those required by Protocol 1. A typical problem in two-party quantum computation is quantum homomorphic encryption (QHE). QHE is an encryption method that allows quantum computation to be performed on one party’s private data with the program provided by another party, without revealing much information about the data or the program to the other party. In this work we present an interactive QHE scheme (“interactive” means there may be multiple rounds of communication), and a constant-round QHE scheme. The main part of the constant-round scheme has three stages of communication, instead of the two in the usual definition of QHE (bj15). The initial preparation of the one-time tables with checking, and the preparation of entanglement, also involve a constant number of stages of communication.
In the QHE schemes below, there are some polynomials with at least variables, where is the number of qubits in Alice’s input. The variables correspond to Pauli masks in Alice’s teleportation of the input data to Bob. The way Bob changes the coefficients of the polynomials is called coefficient-update rules below. The coefficient-update rules for the first variables (and other variables mentioned below) under the action of Clifford gates can be easily obtained from the following relations:
[TABLE]
where denotes addition modulo 2, and in the gate , qubit 1 is the control. The coefficient-update rules for the variables under the gate can be obtained from the relations
[TABLE]
The coefficient-update rules are analogous to the key-update rules in bj15 ; Dulek16 , but here the coefficients, rather than the Pauli keys (the variables), are updated.
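As an added example (not code from the paper), the following Python keeps the Pauli mask X^a Z^b of each qubit symbolically, with a and b as GF(2) linear forms in Alice’s mask variables, which is exactly the bookkeeping the coefficient-update rules describe: each gate rewrites the forms, and a T gate returns the X-mask form as the linear polynomial whose value fixes the S correction (the quantity the two parties later evaluate with distributed output, as in step 3 of Scheme 1). The relations for H, S, CNOT and T are the standard ones stated in the comments, since the page’s own table of relations is not reproduced here; the block also verifies them numerically on explicit matrices. The phase conventions, and the choice to record the mask after the S^a correction has been applied (as in bj15), are assumptions of the example.

```python
import cmath
import itertools
import math

# Added example (not the paper's own code).  Each mask exponent is a GF(2)
# linear form in the variables x_i, z_i (Alice's teleportation correction
# bits), stored as a frozenset of variable names; XOR is symmetric difference.
# Relations used (standard, up to global phase):
#   H  X^a Z^b = X^b Z^a H
#   S  X^a Z^b = X^a Z^(a+b) S
#   CNOT (X^a Z^b (x) X^c Z^d) = (X^a Z^(b+d) (x) X^(a+c) Z^d) CNOT   (qubit 1 = control)
#   T  X^a Z^b = X^a Z^(a+b) S^a T         (a T gate leaves an S^a correction)
# Convention (assumed, as in bj15): after the S^a correction is applied the
# mask is X^a Z^(a+b); the polynomial a must be evaluated before correcting.

class MaskTracker:
    def __init__(self, n):
        self.x = [frozenset({f"x{i}"}) for i in range(n)]   # X-mask forms
        self.z = [frozenset({f"z{i}"}) for i in range(n)]   # Z-mask forms
        self.corrections = []   # (qubit, polynomial) of S^poly corrections after T gates

    def h(self, q):
        self.x[q], self.z[q] = self.z[q], self.x[q]

    def s(self, q):
        self.z[q] = self.x[q] ^ self.z[q]

    def cnot(self, c, t):
        self.x[t] = self.x[c] ^ self.x[t]
        self.z[c] = self.z[c] ^ self.z[t]

    def t(self, q):
        poly = self.x[q]                    # exponent of the required S correction
        self.corrections.append((q, poly))
        self.z[q] = self.x[q] ^ self.z[q]   # mask after the correction is applied
        return poly

# ---- numeric check of the relations on explicit matrices (pure Python) ----
def matmul(A, B):
    return [[sum(A[i][k] * B[k][j] for k in range(len(B))) for j in range(len(B[0]))]
            for i in range(len(A))]

def kron(A, B):
    n, m = len(A), len(B)
    return [[A[i // m][j // m] * B[i % m][j % m] for j in range(n * m)] for i in range(n * m)]

def same_up_to_phase(A, B, eps=1e-9):
    fa = [v for row in A for v in row]
    fb = [v for row in B for v in row]
    k = next(i for i, v in enumerate(fa) if abs(v) > eps)
    lam = fb[k] / fa[k]
    return abs(abs(lam) - 1) < eps and all(abs(b - lam * a) < eps for a, b in zip(fa, fb))

I2 = [[1, 0], [0, 1]]
X = [[0, 1], [1, 0]]
Z = [[1, 0], [0, -1]]
H = [[2 ** -0.5, 2 ** -0.5], [2 ** -0.5, -(2 ** -0.5)]]
S = [[1, 0], [0, 1j]]
T = [[1, 0], [0, cmath.exp(1j * math.pi / 4)]]
CNOT = [[1, 0, 0, 0], [0, 1, 0, 0], [0, 0, 0, 1], [0, 0, 1, 0]]  # qubit 1 controls

def pauli(a, b):
    return matmul(X if a else I2, Z if b else I2)

def verify_rules():
    ok = True
    for a, b in itertools.product((0, 1), repeat=2):
        P = pauli(a, b)
        ok = ok and same_up_to_phase(matmul(H, P), matmul(pauli(b, a), H))
        ok = ok and same_up_to_phase(matmul(S, P), matmul(pauli(a, a ^ b), S))
        Sa = S if a else I2
        ok = ok and same_up_to_phase(matmul(T, P), matmul(matmul(pauli(a, a ^ b), Sa), T))
        for c, d in itertools.product((0, 1), repeat=2):
            lhs = matmul(CNOT, kron(P, pauli(c, d)))
            rhs = matmul(kron(pauli(a, b ^ d), pauli(a ^ c, d)), CNOT)
            ok = ok and same_up_to_phase(lhs, rhs)
    return ok

def demo():
    """Track two qubits through H(0), CNOT(0,1), T(1): returns the polynomial
    deciding the S correction on qubit 1 and the final X- and Z-mask forms."""
    tr = MaskTracker(2)
    tr.h(0)
    tr.cnot(0, 1)
    poly = tr.t(1)
    return poly, tr.x, tr.z

if __name__ == "__main__":
    print("relations verified:", verify_rules())
    print(demo())
```

Bob, who knows the circuit but not the variables, only needs the variable sets (the coefficients) that this tracker maintains; the values of the variables stay with Alice, which is the separation the coefficient-update rules rely on.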
An interactive QHE scheme with almost optimal information-theoretic data privacy and circuit privacy is obtainable by using the method in Protocol 7 to evaluate classical linear polynomials, and using the latter as a subprocedure in the Scheme 4 in Yu18 . We describe the steps as follows.
Scheme 1 (An interactive QHE scheme using precomputed one-time tables)
1. Alice and Bob produce a large number of one-time tables.
2. Alice teleports her input data qubits to Bob without telling him any Pauli corrections. The bits indicating the Pauli corrections are part of the variables in the polynomials to be evaluated.
3. For each stage of the circuit consisting of some Clifford gates and a gate, the two parties do the following. Bob calculates the coefficients (including the constant term) in the linear polynomial to be used for deciding the correction after the gate. Alice and Bob each do their own part of the operations in Protocol 7 to evaluate the current linear polynomial, which has variables. This includes the following: each party takes the XOR of the variables (or coefficients) with the input of some unique one-time table and sends the resulting bits to the other party, and then each party calculates a bit as a part of the distributed outcome of the linear polynomial. According to the local outcome bit, each party does his or her part of the operations in a garden-hose gadget (shown in Appendix C). The result of a Bell-state measurement corresponding to a correction is recorded as two bits and . The measurement outcomes on Alice’s side are part of the variables of the later polynomials.
4. After the last gate, Bob performs the last Clifford gates in the desired circuit, and calculates his coefficients in the last polynomials, which compute the final Pauli masks. He does his part in evaluating those polynomials, while Alice also does her part. This includes each party sending the XOR of the variables (or coefficients) with the local input bits of one-time tables. Each party obtains a bit, and the XOR of these two bits is the intended outcome of the polynomial. Bob teleports his output state to Alice while modifying the correction bits in the teleportation by taking the XOR of those correction bits with his part of the outcomes of the last polynomials.
5. Alice corrects the state received from the teleportation with the corresponding Pauli operators, which are determined from Bob’s message as well as her part of the output of the last polynomials. The resulting state is the final quantum output.
The following is an estimate of the resource cost of Scheme 1. Suppose is an upper bound on the number of gates in the circuit to be evaluated. The number of variables in a linear polynomial is at most . The factor comes from the fact that each Bell-state measurement has two outcome bits, and Alice has two Bell-state measurements in each gadget. As there are linear polynomials to be evaluated, and each variable requires a one-time table in the evaluation of a polynomial, the total number of consumed one-time tables is . This is much smaller than for the constant-round Scheme 2 below, whose cost is exponential in the -gate depth of the circuit. We still introduce Scheme 2, since there are interpolations between Scheme 1 and Scheme 2, giving rise to a tradeoff between the number of rounds and the resource cost: the number of rounds may be fewer than in the interactive scheme, while the number of required one-time tables may be higher. This is achieved by running Scheme 2 for a segment of the circuit, after which the two parties interact and proceed to the next segment.
Scheme 2 below is a three-message QHE scheme, with its main structure modified from a scheme with non-ideal security in Yu18. A main technique of the scheme is a simplified version of a garden-hose gadget from Dulek16 (reproduced in Appendix C). The main part of the scheme has three stages of classical communication: from Bob to Alice, from Alice to Bob, and a final teleportation from Bob to Alice. The scheme requires some linear polynomials of the form in Protocol 7, but also some nonlinear polynomials, which can also be treated as linear polynomials (with the variables being products of some original variables) in order to apply Protocol 7. The construction of the scheme depends on the following property: Bob’s coefficients of the (nonlinear) polynomials (the constant term not included) do not depend on Alice’s original Pauli mask bits or her measurement outcomes in the garden-hose gadgets. This independence is possible because we include Alice’s previous measurement outcomes and her original Pauli mask bits, as well as her input bits for the garden-hose gadgets, as variables. The XOR of Alice’s and Bob’s inputs for a garden-hose gadget corresponds to a polynomial of previous variables, thus Bob’s input to any garden-hose gadget can be expressed as a (nonlinear) polynomial of previous variables XORed with Alice’s input to this garden-hose gadget, the latter being a new variable. Given his input to the garden-hose gadget, Bob’s choice of the pairs of qubits to measure is fixed, independent of Alice’s input to the gadget. Then Bob’s coefficients in the polynomials can be regarded as independent of Alice’s variables. Given the above choice of variables, the constant terms in the polynomials are determined by Bob’s local measurement outcomes in his part of the garden-hose gadgets.
Scheme 2 (A three-message high-cost QHE scheme using precomputed one-time tables)
1. Alice and Bob each calculate the (nonlinear) polynomials locally according to the circuit to be computed. (The positions of the gates in the circuit are known to both parties.) They produce a sufficient number of one-time tables.
2. Bob calculates the XOR of each coefficient in the (nonlinear) polynomials with his input in a unique precomputed one-time table, and sends the resulting bits, together with the labels of the corresponding one-time tables, to Alice.
3. Alice teleports her input data qubits to Bob without telling him any Pauli corrections. The bits indicating the Pauli corrections are part of the variables in the polynomials to be evaluated. With the received message, Alice computes her part of the output of the (nonlinear) polynomials using the one-time tables, based on the method in Protocol 7. Alice records her part of the output of a (nonlinear) polynomial as a new variable, and according to its value, she applies some appropriate gate followed by Bell-state measurements in the garden-hose gadgets (shown in Appendix C). The result of a Bell-state measurement corresponding to a correction is recorded as two bits and . The measurement outcomes are part of the variables of the later polynomials. She calculates the XOR of each term in the next polynomial with her input bit in a unique one-time table, and sends the resulting bits to Bob. She proceeds in this way until she reaches the end of the circuit, including sending the messages about the last polynomials for the Pauli corrections.
4. Bob receives Alice’s message and calculates his output for the first polynomial (which is linear) using Protocol 7. Bob’s part of the output of the first polynomial decides which measurements he should perform in the first garden-hose gadget. He performs the Clifford gates and the gate before the first garden-hose gadget, and performs the appropriate measurements in the first garden-hose gadget. The outcomes of those measurements help determine the constant terms in the later (nonlinear) polynomials. He continues with the next batch of gates and measurements: he evaluates some (nonlinear) polynomial, and according to his part of the output value of that polynomial, he performs the appropriate measurements in the corresponding garden-hose gadget. After the last gate, Bob does his part in evaluating the last polynomials, which compute the final Pauli masks. The outcomes of those polynomials are distributed as the XOR of bits held by the two parties. Bob teleports his output state to Alice while modifying the correction bits in the teleportation by taking their XOR with his part of the outcomes of the last polynomials.
5. Alice corrects the state received from the teleportation using the corresponding Pauli gates, which are determined from Bob’s message as well as her part of the output of the last polynomials. The resulting state is the final quantum output.
We analyze the resource cost of Scheme 2. The number of variables in the polynomial in the first stage is , but the polynomial at the second stage (to be evaluated before the second garden-hose gadget) would be nonlinear and has terms apart from the constant term. The term corresponds to Bob's input bit in the first garden-hose gadget, which is not known to Bob before Alice sends her messages, so this input bit is regarded as a polynomial function of the initial Pauli masks and Alice's input bit in the first garden-hose gadget (regarded as a variable). The term stands for the and corrections from Alice's measurement outcomes in the garden-hose gadget, where each correction is the XOR of two outcome bits (one from each Bell-state measurement). The final term is for two of Alice's Pauli corrections in that gadget. They could be the and corrections for the later pair, or the and corrections for the first pair. This is enough because the other two corrections were absorbed in the counting above.
Suppose the -th polynomial has terms apart from the constant term. Then when , so when , the number of terms is . There are polynomials (one for each gate, for evaluating the correction before the gate) which follow the induction rule above. But the last polynomials do not follow the rule, and they do not increase the number of variables compared to the previous polynomials, because they are for the Pauli corrections after a Clifford circuit. Thus the total number of consumed one-time tables is .
The security of Schemes 1 and 2 is optimal if the one-time tables have ideal security, where "optimal" means that Alice may learn information about Bob's input only from the final output, and Bob learns nothing at all about Alice's input. In fact, however, the one-time tables have only partial security, due to the finite number of checks and the noise (including errors), so the security of the schemes above is partial. See also the discussion below.
There are two points on which the security of two-party quantum computation may be somewhat weaker than in classical two-party computation based on similar procedures for generating one-time tables. First, it is less natural in the quantum protocol to impose classicality of the output of the one-time table. Imposing classicality of course helps security, but it is not necessary given our assumptions about the players in the preprocessing stage. In practice, we may assume that the output of the one-time tables has decohered before its use in the main computation. Second, in the schemes given above, the Pauli masks for the original input qubits are used as the variables in all the polynomials involved, which means that data privacy is worse than in classical bipartite computation, where intermediate variables take over the roles of the initial variables in many of the linear polynomials. But the quantum preprocessing in this work gives better data privacy than some of the schemes in later parts of Yu18 , because those schemes require correlated encoding of the different variables, while the variables in the current work are encoded independently by the one-time tables.
We now consider two-party computations in which the circuit is known to Bob only, and each party has some private (quantum) input data. A simple extension of the interactive QHE scheme works; the extension just adds some input qubits on Bob's side. These qubits are not subject to any Pauli masks.
In the following we consider two-party quantum computations with a publicly known circuit and private quantum inputs on both sides. One method is to use the simple extension of the interactive QHE scheme from the last paragraph. A simplified method makes use of the fact that the circuit is publicly known. We briefly describe it below.
Since the circuit is publicly known, the one-time tables for the linear polynomial for the first correction after the first gate are not needed, since Alice can calculate by herself the contributions to this correction from her original Pauli masks. She could just tell Bob before the protocol starts to choose a fixed input on his side in the first garden-hose gadget; then she can decide her input for this gadget on her own. But Bob's measurement outcomes in the garden-hose gadgets are not known to Alice, and they should affect the subsequent corrections. Hence, in later garden-hose gadgets, Bob's input cannot be fixed, and the rest of the scheme is similar to the interactive scheme, but with some extra (quantum) input data on Bob's side. In the case that Alice's input is classical, the initial teleportation can be replaced with classical communication with withheld bit-flip masks. If the output is on Bob's side, Bob need not send any message after Alice's message, and Alice sends him some bits for Pauli corrections at the end. In the case that the output is on Alice's side and is classical, the final teleportation from Bob to Alice can be replaced with classical communication without any masks.
VI Application in check-based implementation of no-signaling correlations with the help of inert communication
Protocol 11 for generating the one-time tables, together with Protocol 4 for checking them, effectively implements PR-box (Popescu-Rohrlich box Popescu1994 ) type correlations. The implementation takes communication time, and involves some inert communication, i.e. the sending of classical messages which contain no useful information about the inputs (in the "useful" one-time tables, as opposed to those one-time tables subject to checks and not actually used). So this is not a direct implementation of the PR box, which must be instantaneous. Rather, it is a check-based implementation of PR-box type correlations with a time cost and an inert-communication cost. The fact that it is check-based implies that it is not a deterministic protocol, but forced almost-deterministic, meaning that the checking party can set the threshold very low so that the other party must be nearly completely honest to avoid an abort, and if the parties are indeed nearly completely honest, the protocol is almost deterministic. However, in Protocol 11, after the initial entanglement has been established, the two directions of teleportation and the partial sending of the measurement outcomes can be done simultaneously. This gives it some flavor of an "instantaneous" implementation.
In the following, we show how to implement the following general type of no-signaling correlations in PPK09 in the check-based way.
[TABLE]
with . According to an argument in MAG06 (also mentioned in PPK09 ), the form (14) is representative of a large class of no-signaling correlations (those with input and output dimensions on both sides). The way to implement the no-signaling correlations above is similar to the implementation of the PR-box correlations above, but with an additional step in those instances of Protocol 11 not subject to checking but used for the final correlations: Bob randomly flips his output bit with probability . Such a probabilistic step is not involved in the instances of Protocol 11 subject to checking, so Protocol 4 still applies, although with the output correlations changed. A drawback of this implementation is that Bob knows the original value of his output bit, so he may recover a PR-box type no-signaling correlation. An imperfect way of dealing with this is to change the last step so that Alice and Bob both flip their respective output bits with some probability, so that . Such a modified protocol still has a similar drawback: one party can recover a no-signaling correlation with parameter larger than intended.
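The following is an added worked example, not code from the paper, covering both the PR-box construction at the start of this section and the flipped-output family just described. It assumes that the generated one-time table is a Beaver-style AND table (x', y', r uniformly random, s = r XOR x'y'); the paper's own table definition is not reproduced above, so this is an assumption. It also assumes that the form (14) is the isotropic one, P(a, b | x, y) = (1+E)/4 when a XOR b = xy and (1-E)/4 otherwise, with E the parameter, which is likewise my assumption since the equation is not shown. Given those assumptions, the code shows the one bit of inert communication in each direction, checks no-signaling and that the transcript is uniform, and goes slightly beyond the text by deriving the parameter E = (1-2p_A)(1-2p_B) for the two-sided flip and the larger E = 1-2p_A that Bob recovers by undoing his own flip.

```python
# Added example (not from the paper): one-time table -> PR-box-type correlation
# with inert messages, plus the local output flips used for the noisy family.
from fractions import Fraction
from itertools import product

BITS = (0, 1)


def all_tables():
    """Enumerate the 8 equally likely one-time tables (x', y', r, s).

    Assumption: a Beaver-style AND table, x', y', r uniform and s = r ^ (x' & y').
    The paper's own table definition is not reproduced here.
    """
    for xp, yp, r in product(BITS, repeat=3):
        yield (xp, yp, r, r ^ (xp & yp))


def pr_box_round(x, y, table):
    """Use one table on chosen inputs x (Alice) and y (Bob).

    d = x ^ x' and e = y ^ y' are the inert messages: one-time-pad encryptions
    of the inputs, so the transcript is uniform whatever x and y are.
    Returns (a, b, d, e) with a ^ b == x & y.
    """
    xp, yp, r, s = table
    d = x ^ xp            # Alice -> Bob
    e = y ^ yp            # Bob -> Alice
    a = r ^ (xp & e) ^ (d & e)
    b = s ^ (d & yp)
    return a, b, d, e


def output_distribution(x, y, p_alice=Fraction(0), p_bob=Fraction(0)):
    """Exact joint distribution of (a, b) on inputs (x, y) when Alice flips her
    output with probability p_alice and Bob flips his with probability p_bob."""
    dist = {(a, b): Fraction(0) for a in BITS for b in BITS}
    for table in all_tables():
        a, b, _, _ = pr_box_round(x, y, table)
        for fa, fb in product(BITS, repeat=2):
            w = Fraction(1, 8)
            w *= p_alice if fa else 1 - p_alice
            w *= p_bob if fb else 1 - p_bob
            dist[(a ^ fa, b ^ fb)] += w
    return dist


def correlation_parameter(p_alice=Fraction(0), p_bob=Fraction(0)):
    """E such that P(a ^ b == x*y | x, y) == (1 + E) / 2 for every input pair
    (isotropic form assumed for Eq. (14)); raises if E depended on the inputs."""
    values = set()
    for x, y in product(BITS, repeat=2):
        dist = output_distribution(x, y, p_alice, p_bob)
        p_ok = sum(w for (a, b), w in dist.items() if a ^ b == (x & y))
        values.add(2 * p_ok - 1)
    if len(values) != 1:
        raise ValueError("correlation parameter depends on the inputs")
    return values.pop()


def is_no_signaling(p_alice=Fraction(0), p_bob=Fraction(0)):
    """Alice's marginal on a must not depend on y, and Bob's on b must not depend on x."""
    for x in BITS:
        alice_margs = set()
        for y in BITS:
            dist = output_distribution(x, y, p_alice, p_bob)
            alice_margs.add(tuple(dist[(a, 0)] + dist[(a, 1)] for a in BITS))
        if len(alice_margs) != 1:
            return False
    for y in BITS:
        bob_margs = set()
        for x in BITS:
            dist = output_distribution(x, y, p_alice, p_bob)
            bob_margs.add(tuple(dist[(0, b)] + dist[(1, b)] for b in BITS))
        if len(bob_margs) != 1:
            return False
    return True


def messages_are_inert():
    """(d, e) is uniform on {0,1}^2 for every input pair: the transcript leaks nothing."""
    for x, y in product(BITS, repeat=2):
        counts = {}
        for table in all_tables():
            _, _, d, e = pr_box_round(x, y, table)
            counts[(d, e)] = counts.get((d, e), 0) + 1
        if sorted(counts.values()) != [2, 2, 2, 2]:
            return False
    return True


if __name__ == "__main__":
    pa, pb = Fraction(1, 10), Fraction(1, 5)
    print("noiseless E:", correlation_parameter())
    print("Bob flips only, E:", correlation_parameter(Fraction(0), pb))
    print("both flip, E:", correlation_parameter(pa, pb),
          "= (1-2pa)(1-2pb) =", (1 - 2 * pa) * (1 - 2 * pb))
    # The drawback from the text: Bob knows his pre-flip bit, so he can undo his
    # own flip and hold the stronger correlation with parameter 1 - 2 * pa.
    print("Bob undoes his flip, E:", correlation_parameter(pa, Fraction(0)))
    print("no-signaling:", is_no_signaling(pa, pb), "inert messages:", messages_are_inert())
```

The flips commute with the XOR relation, so the noisy box stays no-signaling for any flip probabilities, but only the parameter seen by a party who does not know the flips is the intended one; this is exactly why the two-sided variant in the text still lets each party recover a correlation with a larger parameter than intended.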
VII Discussions
1. Extensions of protocols
The qubit-based quantum protocols in this work can in principle be generalized to qudits, inspired by the classical case in Beaver98 . This requires some changes in the classical usage of the generated correlations.
The methods in this work are in principle extendable to multipartite classical computation: some pairs of parties (possibly including a server) may prepare one-time tables using the quantum protocols in this work.
A method of enhancing the security by additional checks after the computation is as follows. If one party, say Alice, does not require long-term security of her input in the main computation, Bob may ask her to do additional checking of the one-time tables used in the main computation, at a time when her input data is no longer sensitive, to make sure that she has not cheated substantially. Of course, in some practical applications the final computation result itself provides some check against Alice's cheating, since Alice usually has to cheat all the way to the end for a generic computation to come out correct (provided that the final result is on her side, not distributed as the XOR of remote bits), and always cheating successfully is unlikely because of the inequalities in Sec. III.
Due to experimental limitations and the overhead of the checks, the number of one-time tables generated by our quantum protocols may be insufficient for a large two-party computation. In that case, it is possible to use some classical processing to obtain a large number of oblivious transfers (with lowered security) for use in the computation: first turn the quantum-generated one-time tables into the dynamical resource of oblivious transfer using Protocol 9, and then use a method for oblivious transfer extension, such as that in Asharov2017 , to generate more oblivious transfers. Note that Asharov2017 considered 1-out-of-2 oblivious transfers of strings rather than bits, but the methods should apply to the latter case as well. Since the original oblivious transfers have information-theoretic security while the extensions are computationally secure, we may say that the obtained oblivious transfers have "mixed" security.
2. Physical implementations of Protocol 1
Protocol 11 is an entanglement-based version of Protocol 1. The shared entanglement in Protocol 11 could be prepared by a fixed entanglement-generating device, allowing for failures in preparation (although we allow failures in the whole of Protocol 11, so failures in any particular step are not of much concern). This may also help get rid of the issue of multiple photons in direct communication, which would harm Bob's data privacy (although some schemes with direct sending of photons may also allow the detection of multiple photons). Using entanglement generation could also increase the allowed distance between Alice and Bob, if the entanglement is generated by a device in the middle, compared to direct sending. Protocol 2 is also an alternative to Protocol 1, as it uses direct sending in one direction only, with four qubits sent at a time, compared to two qubits in Protocol 1. As for detector inefficiencies and dark counts, the fact that Protocol 1 can be redone after a failure helps mitigate the effects of these issues. The appeal of Protocol 1 is mainly that only two qubits are used (although the optical implementation of the gate with checking for multiple photons might involve some ancillary qubits).
3. Effects of noise and errors
If direct sending of photons is used in Protocol 1, we suggest using known methods such as decoherence-free subspaces or quantum codes to reduce or prevent errors in transmission. We leave the details for future work. In the following, we analyze the theoretical impact of noise (including errors) on our protocols.
We consider the case that the main computation is classical, since the quantum case is similar in that it also involves evaluating classical linear polynomials. When Protocol 3 with noise is used for a bipartite classical computation task, and if Alice's data privacy is more important than Bob's, we suggest that Alice, who is the first party in the main computation, be the second party in the preprocessing. Then Alice's data leakage is about the product of the circuit size (the number of one-time tables) and a small constant indicating the noise level. This is because in Protocol 3, physical errors and the first party's cheating look about the same to the second party in the verifications (the "first party" in this sentence is the Bob of the main computation). For circuits with a high level of parallelism, Alice's data leakage per input bit is about the product of the circuit depth and the error constant described above. So the allowed circuit depth is a constant, inversely proportional to the error constant. Similar remarks apply to Protocol 4, for both sides.
If Protocol 5 based on Protocol 3 is used for a bipartite classical computation task, we suggest that Alice be the first party both in the preprocessing and in the main computation. The noise level has almost no effect on Alice's data privacy, which becomes exponentially good as the number of one-time tables used in Protocol 5 increases. The noise mainly affects the correctness of the computation and Bob's data privacy. If the noise level is not very low, Bob's data privacy in Protocol 5 would not be very good, since he has some identical inputs, and Alice could try to learn a little about each of them to recover his true input. Bob could check more one-time tables to deal with this problem. Thus some polynomial overhead is needed to give Bob privacy similar to that in Protocol 3. An alternative would be simply to use Protocol 4. Protocol 6 is better than Protocol 4 in correctness, but it has some overhead in resource cost. A more complicated method is to use Protocol 5 with "recompilation", that is, using some new publicly known function instead of the original function, with Bob's input changed accordingly while Alice's input is unchanged, so that the result is the same as the original function on Bob's original input. If the new function is chosen so that it encodes universal classical circuits, and the possible new inputs of Bob are long enough, we can achieve a good level of security for Bob's input. Such recompilation can be done by classical preprocessing.
There have been studies of the effects of noise in classical cryptographic tasks, and noise is not always bad for security CK88 . Note that adding some assumptions about quantum capabilities can improve the security of bit commitment Salvail98 . Adding similar assumptions on top of our quantum preprocessing protocols may improve the security of the applications.
VIII Conclusion
We have proposed some quantum protocols for approximately generating a certain type of classical correlations (a special case of the one-time tables of Beaver98 ) with varying degrees of privacy, to be used in bipartite secure computation tasks. We discussed the effects of noise, and proposed a protocol for dealing with it. We have shown how to use the generated one-time tables in evaluating linear polynomials and generic boolean circuits, in cheat-sensitive 1-out-of-2 oblivious transfer and cheat-sensitive bit commitment, and in (interactive) quantum homomorphic encryption and general two-party secure quantum computation. In the discussions we have noted that our method gives a check-based implementation of PR-box type correlations, but with some communication time cost, and with the sending of classical messages which contain no useful information about the inputs, so it is not a direct implementation of the PR box. Some other no-signaling correlations can also be generated in the check-based way with the help of similar classical communication. Open problems include: applications in check-based quantum implementation of other cryptographic primitives, which may be weaker than the plain versions of the primitives; whether there is a constant-round (check-based) information-theoretically secure QHE scheme with costs polynomial in the circuit size; a refined analysis of the protocols, taking into account the physical errors in quantum states and operations; fault tolerance; application to special classes of circuits or functions; and the design of experimental schemes.
Acknowledgments
LY thanks Yingkai Ouyang for helpful comments. This research is funded in part by the NKRDP of China (No. 2016YFA0301802), the National Natural Science Foundation of China (No. 11974096), the Scientific Research Fund of Zhejiang Provincial Education Department (No. Y201737289), and the startup grant of Hangzhou Normal University.
Appendix A An entanglement-based version of Protocol 1
In this appendix we introduce Protocol 11, a variant of Protocol 1 based on initial entanglement. It contains only communication from Bob to Alice after the entanglement is established. It does not explicitly contain classical communication from Alice to Bob. But this is because the input is generated by the measurement in the protocol. If were generated by Alice before the protocol, one bit of classical communication from Alice to Bob would be needed. For testing that the entangled states are indeed EPR pairs, we suggest using a method similar to the CHSH-inequality test in [45], which is for testing the singlet state, but note that we need to leave some EPR pairs untested for later use in our protocol. There are other ways of testing, in which each party measures in one of several bases and the two parties then compare notes. These methods generally contain aborts. In Protocol 11, Bob generates the entanglement, since there is no explicit communication from Alice to Bob in the protocol (although Alice's input implicitly becomes partially known to Bob), so he is less motivated to cheat in the entanglement generation.
Note that in studying the security of Protocol 11, if Alice's (cheating) strategy is such that she does not do any operation (including measurement) on her later two qubits before Bob does anything, then Alice's possible ancillary qubits involved in her initial operations (if she indeed adds such ancillae), together with the possible remaining part of her first two qubits after her initial measurements, can be viewed as the purification system for Bob's first two qubits. Thus the security analysis of Protocol 1 (allowing initial hidden ancillae of Alice's entangled with the sent state) can basically be applied to Protocol 11 in this case.
A more complex cheating strategy for Alice is to do some measurement (including a joint measurement on her four qubits) and select only certain outcomes, declaring the instances with other outcomes "failed" to Bob. She could gain an advantage in imposing Bob's measurement outcomes, and thus learn Bob's output bit while still learning partial information about , as indicated by numerical calculations. Other strategies could potentially help Alice learn perfectly but only learn or partially, but numerical evidence suggests that for any measurement strategy of Alice, the on the right-hand side of Eq. (17) cannot be greater than . A remedy for this case is that Bob could compare the measurement statistics on his side for the failed instances (or the instances that did not fail) declared by Alice with his expected statistics of measurement outcomes, to find out whether Alice cheated in this way. If Bob finds no deviation from the expected statistics, his reduced density operator of the initial entangled state should be the maximally mixed state on four qubits, and Alice's possible operations can only be local unitaries on her side, which do not help her learn extra information compared to the original protocol.
Note that in Protocol 1, Alice could potentially have the following cheating strategy: she could use some entangled state at the initial sending of qubits, and after Bob's operations, do some (joint) measurement on the ancillae and the returned state from Bob, and declare failure for some measurement outcomes. The security of Protocol 1 is more resilient to such an attack, since Bob's state is directly sent back. Some simple calculations suggest that the extreme cases in Eq. (17) still hold in this case, but the intermediate cases may have somewhat worse security than in the case that Alice did not cheat in this way. As a countermeasure, Bob could check that the average state on the two qubits received in the instances that did not fail is the maximally mixed state. Note that such considerations have no effect on the security of Protocol 1 when Alice is honest or honest-but-curious. Also note that Protocol 2 is quite resistant to such an attack since there is only one-way communication from Bob to Alice, but again, the intermediate cases need to be studied. We note, however, that the intermediate cases of the Holevo-quantity tradeoffs may become irrelevant if Protocol 6 is used for checking one-time tables, since the classical mutual information rather than the Holevo bound is essential in analyzing the security of Protocol 6: the final quantum state of Alice for each instance of the one-time table is measured for performing the checks, while in some other protocols such as Protocol 3, the states for the actually used one-time tables are not measured during the checking.
Appendix B Numerical results for the quantum protocols
Numerical calculations confirm the inequalities (1) through (3). Note the same occurs twice in each inequality. The calculations assume that Bob received a two-qubit mixed state from Alice. This is modeled with a pure state on four qubits, according to the Schmidt decomposition. The calculations assume projective measurements by Alice after she receives the message from Bob, although POVM measurements may give rise to a larger sum on the left-hand side; this weakness is remedied by the calculation of the Holevo bound below. Numerical calculations suggest the following inequalities.
[TABLE]
where is a constant somewhat larger than and is yet to be precisely determined. This implies that
[TABLE]
Numerics suggest that near the ends of the tradeoff curve indicated by Eqs. (15) and (16), one quantity approaches bit while the other quantity approaches [math]. For some of Bob's received states that approach the numerically found maximal value of the left-hand side, the two terms on the left-hand side of Eq. (17) are about equal, and the corresponding sum on the left-hand side of Eq. (3) under projective measurements is numerically found to be not greater than bit. The latter sum is observed to have the same property for initial states satisfying . When there is no ancilla, numerics suggest that the left-hand side of Eq. (17) is not greater than bit. As quantitative examples for Eq. (III), we have , and . An illustration of Eq. (17) by numerical calculations is in Fig. 1.
Appendix C The garden-hose gadget that corrects an unwanted gate
Fig. 2 shows a simplified version of a gadget in [11] for correcting an unwanted gate due to a gate in the circuit with certain prior Pauli corrections.
In the figure, the input qubit starts at the position "in", and ends up in a qubit which is initially maximally entangled with Bob's qubit labeled "E" [in the state ]. The unwanted on this qubit is corrected, but some other Pauli corrections are now needed because of the Bell-state measurements. These Pauli corrections are accounted for in the later evaluation of polynomials. Note that in each use of this gadget, some of the Bell-state measurements are not actually performed. Alice's two Bell-state measurements are on the same pairs of qubits irrespective of .
References
[1] Craig Gentry. Fully homomorphic encryption using ideal lattices. In Proceedings of the Forty-first Annual ACM Symposium on Theory of Computing, STOC '09, pages 169–178, New York, NY, USA, 2009. ACM.
[2] Z. Brakerski and V. Vaikuntanathan. Efficient fully homomorphic encryption from (standard) LWE. In 2011 IEEE 52nd Annual Symposium on Foundations of Computer Science, pages 97–106, Oct 2011.
[3] A. C. Yao. How to generate and exchange secrets. In 27th Annual Symposium on Foundations of Computer Science, pages 162–167, Oct 1986.
[4] Donald Beaver. One-time tables for two-party computation. In Wen-Lian Hsu and Ming-Yang Kao, editors, Computing and Combinatorics, pages 361–370, Berlin, Heidelberg, 1998. Springer Berlin Heidelberg.
[5] Peter P. Rohde, Joseph F. Fitzsimons, and Alexei Gilchrist. Quantum walks with encrypted data. Phys. Rev. Lett., 109:150501, 2012.
[6] Min Liang. Symmetric quantum fully homomorphic encryption with perfect security. Quantum Inf. Process., 12:3675–3687, 2013.
[7] Li Yu, Carlos A. Pérez-Delgado, and Joseph F. Fitzsimons. Limitations on information-theoretically-secure quantum homomorphic encryption. Phys. Rev. A, 90:050303(R), Nov 2014.
[8] S.-H. Tan, J. A. Kettlewell, Y. Ouyang, L. Chen, and J. F. Fitzsimons. A quantum approach to homomorphic encryption. Sci. Rep., 6:33467, 2016.
