Impossibility of perfectly-secure one-round delegated quantum computing for classical client
YITP-19-19
Tomoyuki Morimae 1, 2, 3, ∗ and Takeshi Koshiba †

Yukawa Institute for Theoretical Physics, Kyoto University, Kitashirakawa Oiwakecho, Sakyo-ku, Kyoto 606-8502, Japan
JST, PRESTO, 4-1-8 Honcho, Kawaguchi, Saitama 332-0012, Japan
Department of Computer Science, Gunma University, 1-5-1 Tenjin-cho Kiryu-shi Gunma-ken, 376-0052, Japan
Faculty of Education and Integrated Arts and Sciences, Waseda University, Nishi-waseda 1-6-1, Shinjuku-ku, Tokyo 169-8050, Japan

(Dated: March 26, 2019)
Abstract

Blind quantum computing protocols enable a client, who can generate or measure single-qubit states, to delegate quantum computing to a remote quantum server while protecting the client’s privacy (i.e., input, output, and program). With current technologies, generation or measurement of single-qubit states is not too much of a burden for the client. In other words, secure delegated quantum computing is possible for “almost classical” clients. However, is it possible for a “completely classical” client? Here we consider one-round perfectly-secure delegated quantum computing, and show that the protocol cannot satisfy both the correctness (i.e., the correct result is obtained when the server is honest) and the perfect blindness (i.e., the client’s privacy is completely protected) simultaneously unless BQP is in NP. Since BQP is not believed to be in NP, the result suggests the impossibility of one-round perfectly-secure delegated quantum computing.

∗ Electronic address: [email protected]
† Electronic address: [email protected]

I. INTRODUCTION

Imagine that Alice, who does not have any sophisticated quantum technology, wants to factorize a large integer. She has a rich friend, Bob, who owns a full-fledged scalable quantum computer. Alice wants Bob to do the factoring for her. However, the problem is that Alice does not trust Bob, and therefore she does not want to reveal her input, output, and the program (in this case Shor’s factoring algorithm) to Bob. Can she delegate her quantum computation to Bob while protecting her privacy?

Broadbent, Fitzsimons, and Kashefi [1] theoretically showed that such secure delegated quantum computing is indeed possible if some minimum quantum technology is assumed for the client. In the protocol of Ref. [1] (Fig. 1), Alice, a client, has a device that emits randomly rotated single-qubit states. She sends these states to Bob, the server, who has the full quantum technology.
Alice and Bob are also connected with a two-way classical channel. Bob performs quantum computing by using the qubits sent from Alice and classical messages exchanged with Alice via the classical channel. After finishing his quantum computation, Bob sends the output of his computation, which is a classical message, to Alice. This message encrypts the result of Alice’s quantum computing, which is not accessible to Bob. Alice decrypts the message, and obtains the desired result of her quantum computing. (Ref. [1] also proposed a quantum input and quantum output protocol.) It was shown in Ref. [1] that whatever Bob does, he cannot learn anything about the input, the program, and the output of Alice’s computation (except for some unavoidable leakage, such as upper bounds of the sizes of the input, output, and program, etc.). Proof-of-principle experiments were also done with photonic qubits [2–4]. The composable security of the protocol was also shown in Ref. [5].

FIG. 1: The blind quantum computing protocol proposed in Ref. [1]. Alice possesses a device that emits randomly-rotated single-qubit states. Bob has a universal quantum computer. Alice and Bob share a two-way classical channel.

In the protocol, the client has to possess a device that generates single-qubit states. Generation of single-qubit states is ubiquitous in today’s laboratories, and therefore not too much of a burden for the client. In other words, an “almost classical” client can enjoy secure delegated quantum computing.

However, isn’t it possible to realize secure delegated quantum computing for a “completely classical” client (Fig. 2)? Motivated by this question (and by other important questions such as the verifiability [6]), many variant protocols for blind quantum computing have been proposed [6–17, 28]. For example, it was shown that, instead of single-qubit states, the client has only to generate weak coherent pulse states if we add more burden to the server [7]. Coherent states are considered “more classical” than single-photon states, and therefore this enables secure delegated quantum computing for a “more classical” client. It was also shown that secure delegated quantum computing is possible for a client who can only measure states [8, 9] (Fig. 3). A measurement of a bulk state with a threshold detector is sometimes much easier than single-photon generation, and therefore the protocol also enables a “more classical” client. However, these protocols still require the client to have some minimum quantum technologies, namely the generation of weak coherent pulses or measurements of quantum states. In fact, all protocols proposed so far require the client to have some minimum quantum abilities, such as generations or measurements of quantum states. (If we have two quantum servers, a completely classical client can delegate quantum computing [1], but in this case, we have to assume that the two servers cannot communicate with each other.)

FIG. 2: The secure delegated quantum computing for a classical client. Alice has only a classical computer, whereas Bob has a universal quantum computer. Alice and Bob share a two-way classical channel.

FIG. 3: The blind quantum computing protocol proposed in Refs. [8, 9]. Alice possesses a device that measures qubits. Bob has the ability of generating and storing entangled many-qubit states.

In short, the possibility of perfectly-secure delegated quantum computing for a completely-classical client is open. (Note that the perfect security means that an encrypted text gives no information about the plain text [18]. It is a typical security notion in information-theoretic security.)

In this paper, we consider one-round perfectly-secure delegated quantum computing for a completely-classical client. We show that unless BQP ⊆ NP it is impossible to satisfy both the correctness and the blindness simultaneously (Theorem 1 below). The definitions of the correctness and blindness are given in Definition 1 and Definition 2 below, respectively. The containment of BQP in NP is not believed to happen [25, 26], and therefore the result suggests the impossibility of one-round perfectly-secure delegated quantum computing for a completely-classical client.
II. SETUP
We first explain one-round perfectly-secure delegated quantum computing for a completely-classical client. Alice is completely classical, i.e., she has only a probabilistic polynomial-time Turing machine. Alice wants to solve a BQP problem. In other words, she wants to decide whether $x \in L$ or $x \notin L$ for an instance $x$ of a language $L$ in BQP. However, Alice cannot do it by herself (unless BQP = BPP), and therefore she delegates the computation to Bob as follows.

1. Alice generates a private key $k \in K$, where $K$ is the set of valid keys. The key generation operation can be done in classical polynomial time. We assume that checking the validity of a key can be done in classical polynomial time. (Or, we assume that all bit strings are valid keys.) She then encrypts $L$ and $x$ as $E_k(L, x)$, where $E$ is the encryption operation, which is deterministic and runs in classical polynomial time. She sends $E_k(L, x)$ to Bob.
2. Bob sends Alice 0 with probability $p_{\mathrm{Bob}}(0 \mid E_k(L, x))$ and 1 with probability $p_{\mathrm{Bob}}(1 \mid E_k(L, x)) = 1 - p_{\mathrm{Bob}}(0 \mid E_k(L, x))$.
3. Alice calculates the decrypting bit d k ( L, x ) ∈ { , } , which can be calculated deterministically and in classical polynomial time. (It can be computed before she receives a bit from Bob.) She accepts if and only if $d_k(L, x) \oplus (\text{the bit sent from Bob}) = 1$.

When $d_k(L, x) = 0$, Bob has to send 1 to make Alice accept. On the other hand, if $d_k(L, x) = 1$, Bob has to send 0 to make Alice accept. In other words, Bob’s bit has to be equal to d k ( L, x ) ⊕ L , x , and k , Alice’s acceptance probability $p_{\mathrm{Alice}}(\mathrm{acc} \mid L, x, k)$ is

p Alice ( acc | L, x, k ) = p Bob ( d k ( L, x ) ⊕ | E k ( L, x )) .

We define the correctness and blindness as follows.

Definition 1 [Correctness] We say that a protocol is correct if the following is satisfied. For any language $L \in$ BQP, instance $x$, and private key $k \in K$, if $x \in L$ then $p_{\mathrm{Alice}}(\mathrm{acc} \mid L, x, k) \ge c$, while if $x \notin L$ then $p_{\mathrm{Alice}}(\mathrm{acc} \mid L, x, k) \le s$, where c > , 0 ≤ s < c ≤ 1, and c − s ≥ /poly ( | x | ).

Definition 2 [Blindness] Informally, blindness means that Bob cannot learn anything about Alice’s $(L, x)$ from $E_k(L, x)$. More formally, we say that an encryption is blind if the following is satisfied. For any L , L ∈ BQP, valid key k , x ∈ L , and x ∈ L , there exists a valid key k such that

E k ( L , x ) = E k ( L , x ) .

Note that the above delegation protocol is not the most general one. First, the encryption operation by Alice is deterministic and symmetric. It is open whether we can consider more generalized encryptions. Second, Bob sends only a single bit of message to Alice. (Regarding this point, see the Discussion section.) Finally, Alice’s decryption operation is not the most general one.
III. RESULT
Now we show our main result:
Theorem 1. If the above protocol satisfies both the correctness and blindness simultaneously, then BQP ⊆ NP.
Proof.— Let $L$ be a language in BQP. We show that the following NP protocol can verify $L$.

1. Merlin sends polynomial-length classical bit strings w and w to Arthur. If Merlin is honest, w is any private key from K , and w is a key from K that satisfies

E w ( L , 0) = E w ( L, x ) , (1)

where L ≡ { x ∈ { , } ∗ | the first bit of x is 0 } . Obviously, 0 ∈ L and L ∈ BQP. Note that such w always exists for any w , since otherwise Bob can learn that Alice’s computation is not ( L, x ) when he receives E w ( L , w and w are valid keys. (We have assumed that the check can be done in classical polynomial time, or all bit strings are valid keys.) If at least one of them is invalid, Arthur rejects and aborts.

3. Arthur calculates E w ( L, x ) and E w ( L , E w ( L, x ) = E w ( L , .

4. Arthur calculates d w ( L, x ) and d w ( L , d w ( L, x ) = d w ( L , .

We show that this NP protocol can verify $L$. Note that due to the correctness,

p Bob ( d k ( L , ⊕ | E k ( L , ≥ c (2)

for any key $k \in K$.

First let us consider the case of $x \in L$. In this case, due to the correctness,

p Bob ( d k ( L, x ) ⊕ | E k ( L, x )) ≥ c (3)

for any key $k \in K$. Furthermore, Arthur never rejects at steps 2 and 3. Finally, we can show d w ( L, x ) = d w ( L , 0) and therefore Arthur accepts. In fact, if d w ( L, x ) = d w ( L , d w ( L , 0) = d w ( L, x ) ⊕ , (4) then

c ≤ p Bob ( d w ( L , ⊕ | E w ( L , p Bob ( d w ( L , ⊕ | E w ( L, x )) (from Eq. (1))
= p Bob ( d w ( L, x ) | E w ( L, x )) (from Eq. (4))
= 1 − p Bob ( d w ( L, x ) ⊕ | E w ( L, x ))
≤ − c (from Eq. (3)) ,

which contradicts c > . Therefore, Arthur accepts when $x \in L$.

Next let us consider the case of $x \notin L$. In this case, due to the correctness,

p Bob ( d k ( L, x ) ⊕ | E k ( L, x )) ≤ s (5)

for any key $k \in K$. If Arthur arrives at step 4, w and w are valid keys, and

E w ( L, x ) = E w ( L , 0) (6)

is satisfied. Let us assume that

d w ( L, x ) = d w ( L , . (7)

Then,

c ≤ p Bob ( d w ( L , ⊕ | E w ( L , p Bob ( d w ( L , ⊕ | E w ( L, x )) (from Eq. (6))
= p Bob ( d w ( L, x ) ⊕ | E w ( L, x )) (from Eq. (7))
≤ s (from Eq. (5)) ,

which contradicts $s < c$. Therefore, d w ( L, x ) = d w ( L , L is in NP.

IV. DISCUSSION
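Arthur's check from the proof of Theorem 1, run on a toy scheme, as an added example that is not code from the paper. The one-time-pad encryption, the two toy languages, Bob's strategy and all names (`key_ref` for the reference instance's key, `key_inst` for the key of the instance being decided) are assumptions, chosen so that correctness holds with c = 1, s = 0 and blindness holds exactly; Arthur then decides membership from the two keys alone.

```python
from itertools import product

X_BITS = 3                      # toy instance length (assumption)
LANGS = [                       # toy languages Alice can decide herself (assumption)
    lambda x: x[0] == 0,        # reference language: first bit of x is 0
    lambda x: sum(x) % 2 == 1,  # odd-parity strings
]
REF = (0, (0,) * X_BITS)        # reference yes-instance: all-zero string in LANGS[0]
KEYS = list(product((0, 1), repeat=1 + X_BITS))  # every bit string is a valid key

def plain(lang, x):
    """Encode (language index, instance) as one bit tuple."""
    return (lang,) + tuple(x)

def encrypt(key, lang, x):
    """Deterministic one-time pad: blind, since every ciphertext is
    reachable from every (lang, x) under some key."""
    return tuple(p ^ k for p, k in zip(plain(lang, x), key))

def bob(cipher):
    """A fixed deterministic server strategy; it sees only the ciphertext."""
    return sum(cipher) % 2

def decrypt_bit(key, lang, x):
    """Chosen so that Alice accepts exactly when x is in the language."""
    return bob(encrypt(key, lang, x)) ^ int(LANGS[lang](x))

def alice_accepts(key, lang, x):
    """Alice's rule: decrypting bit XOR Bob's bit equals 1."""
    return decrypt_bit(key, lang, x) ^ bob(encrypt(key, lang, x)) == 1

def honest_merlin(lang, x, key_ref):
    """Blindness guarantees a second key that yields the same ciphertext."""
    key_inst = tuple(k ^ a ^ b for k, a, b in
                     zip(key_ref, plain(*REF), plain(lang, x)))
    return key_ref, key_inst

def arthur(lang, x, key_ref, key_inst):
    """Purely classical check; Bob is never contacted."""
    if key_ref not in KEYS or key_inst not in KEYS:
        return False                                  # invalid key
    if encrypt(key_inst, lang, x) != encrypt(key_ref, *REF):
        return False                                  # ciphertexts differ
    return decrypt_bit(key_inst, lang, x) == decrypt_bit(key_ref, *REF)

def some_witness_accepted(lang, x):
    """NP acceptance: does any pair of keys convince Arthur?"""
    return any(arthur(lang, x, k1, k2) for k1 in KEYS for k2 in KEYS)
```
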
In this paper, we have shown that unless BQP ⊆ NP one-round perfectly-secure delegated quantum computing cannot satisfy both the correctness and the perfect blindness simultaneously.

If we relax the requirement of the perfect security to a computational one, for example, there would be several ways of secure delegated quantum computing for a classical client [19–22]. For example, the fully-homomorphic encryption scheme [19] might be able to achieve secure delegated quantum computing for a classical client. Recently, a secure delegated quantum computing protocol for a completely classical client has been proposed by using the Learning With Errors problem [20].

In our proof, we do not assume c − s ≥ /poly . Therefore, a similar proof shows that if PP can be solved in the protocol, then the polynomial hierarchy collapses.

Finally, we point out that a related result was obtained in Ref. [23], where an impossibility result of an information-theoretically-secure quantum homomorphic encryption was derived by showing that the size of the message sent from Alice to Bob must be exponentially large to hide polynomial-size quantum circuits. We also mention that after uploading the first version of this paper on arXiv, more general results on the impossibilities of secure delegated quantum computing with a completely classical client have been obtained [24]. In particular, Ref. [24] considers the more general case where polynomial-length messages are exchanged in polynomial rounds between the server and the client, while the present paper considers the limited case where only a single bit is sent from the server to the client. On the other hand, the complexity conjecture, BQP NP, that our result is based on has an oracle separation [25, 26], while that of Ref. [24], BQP NP / poly ∩ coNP / poly, does not [24]. It is not clear how to generalize our result to the more general case where the server sends a polynomial-length bit string without introducing advice.

We also mention that Refs. [24, 27] consider delegations of sampling of output probability distributions of sub-universal quantum computing models, while here we consider delegations of decision problems in BQP, which does not seem to be directly applied to the sampling.

Acknowledgments
TM is supported by MEXT Q-LEAP, JST PRESTO No. JPMJPR176A and JSPS Grant-in-Aid for Young Scientists (B) No. JP17K12637. TK is supported by JSPS Grant-in-Aid for Scientific Research (A) JP16H01705 and for Scientific Research (B) JP17H01695.

[1] A. Broadbent, J. F. Fitzsimons, and E. Kashefi, Universal blind quantum computation. Proc. of the 50th Annual IEEE Sympo. on Found. of Comput. Sci. 517 (2009).
[2] S. Barz, E. Kashefi, A. Broadbent, J. F. Fitzsimons, A. Zeilinger, and P. Walther, Demonstration of blind quantum computing. Science , 303 (2012).
[3] S. Barz, J. F. Fitzsimons, E. Kashefi, and P. Walther, Experimental verification of quantum computation. Nature Phys. , 727 (2013).
[4] C. Greganti, M. Roehsner, S. Barz, T. Morimae, and P. Walther, Demonstration of measurement-only blind quantum computing. New J. Phys. , 013020 (2016).
[5] V. Dunjko, J. F. Fitzsimons, C. Portmann, and R. Renner, Composable security of delegated quantum computation. ASIACRYPT 2014, LNCS Volume 8874, pp. 406-425 (2014).
[6] J. F. Fitzsimons and E. Kashefi, Unconditionally verifiable blind computation. Phys. Rev. A , 012303 (2017).
[7] V. Dunjko, E. Kashefi, and A. Leverrier, Blind quantum computing with weak coherent pulses. Phys. Rev. Lett. , 200502 (2012).
[8] T. Morimae and K. Fujii, Blind quantum computation for Alice who does only measurements. Phys. Rev. A , 050301(R) (2013).
[9] M. Hayashi and T. Morimae, Verifiable measurement-only blind quantum computing with stabilizer testing. Phys. Rev. Lett. , 220502 (2015).
[10] T. Morimae, V. Dunjko, and E. Kashefi, Ground state blind quantum computation on AKLT state. Quant. Inf. Comput. , 0200 (2015).
[11] T. Morimae and K. Fujii, Blind topological measurement-based quantum computation. Nature Communications , 1036 (2012).
[12] T. Morimae, Continuous-variable blind quantum computation. Phys. Rev. Lett. , 230502 (2012).
[13] V. Giovannetti, L. Maccone, T. Morimae, and T. G. Rudolph, Efficient universal blind computation. Phys. Rev. Lett. , 230501 (2013).
[14] A. Mantri, C. Pérez-Delgado, J. F. Fitzsimons, Optimal blind quantum computation. Phys. Rev. Lett. , 230502 (2013).
[15] T. Sueki, T. Koshiba, and T. Morimae, Ancilla-driven universal blind quantum computation. Phys. Rev. A , 060301(R) (2013).
[16] Y. Takeuchi, K. Fujii, T. Morimae, and N. Imoto, arXiv:1607.01568
[17] T. Morimae and K. Fujii, Secure entanglement distillation for double-server blind quantum computation. Phys. Rev. Lett. , 020502 (2013).
[18] D. R. Stinson, Cryptography: Theory and Practice, (Chapman & Hall / CRC, 2006).
[19] C. Gentry, Fully homomorphic encryption using ideal lattices, Symposium on the Theory of Computing (STOC) pp. 169 (2009).
[20] U. Mahadev, Classical homomorphic encryption for quantum circuits. IEEE 59th Annual Symposium on Foundations of Computer Science (FOCS) (2018).
[21] A. Cojocaru, L. Colisson, E. Kashefi, and P. Wallden, On the possibility of classical client blind quantum computing. arXiv:1802.08759
[22] Z. Brakerski, Quantum FHE (Almost) As Secure As Classical. Advances in Cryptology, CRYPTO 2018. Lecture Notes in Computer Science, vol 10993, pp. 67-95 (2018).
[23] L. Yu, C. A. Pérez-Delgado, and J. F. Fitzsimons, Limitations on information-theoretically-secure quantum homomorphic encryption. Phys. Rev. A , 050303(R) (2014).
[24] S. Aaronson, A. Cojocaru, A. Gheorghiu, and E. Kashefi, On the implausibility of classical client blind quantum computing. arXiv:1704.08482
[25] J. Watrous, Succinct quantum proofs for properties of finite groups. Proceedings of IEEE FOCS’2000, pp. 537-546 (2000).
[26] R. Raz and A. Tal, Oracle separation of BQP and PH. ECCC TR18-107 (2018).
[27] T. Morimae, H. Nishimura, Y. Takeuchi, and S. Tani, Impossibility of blind quantum sampling for classical client. arXiv:1812.03703
[28] V. Dunjko and E. Kashefi, Blind quantum computing with two almost identical states. arXiv:1604.01586