Quantum preprocessing for information-theoretic security in two-party computation
QQuantum preprocessing for information-theoretic security in two-party computation
Li Yu ∗ Department of Physics, Hangzhou Normal University, Hangzhou, Zhejiang 311121, China
In classical two-party computation, a trusted initializer who prepares certain initial correlations,known as one-time tables, can help make the inputs of both parties information-theoretically secure.We propose some bipartite quantum protocols with possible aborts for approximately generatingsuch bipartite classical correlations with varying degrees of privacy, without introducing a thirdparty. Under some weak requirements for the parties, the security level is nontrivial for use inbipartite computation. We show that the security is sometimes dependent on the noise level, butwe propose a method for dealing with noise. The security is “forced security”, which implies thatthe probability that some useful one-time tables are generated can approach 1 in the noiseless caseunder quite weak assumptions about the parties, although the protocols allow aborts. We show howto use the generated one-time tables to achieve nontrivial information-theoretic security in generictwo-party classical or quantum computation tasks, including (interactive) quantum homomorphicencryption. Our methods provide check-based implementations of some no-signaling correlations,including the PR-box type, with the help of communication which carry no information about theinputs in the generated correlations.
I. INTRODUCTION
The security of two-party computation is a main re-search topic in classical cryptography. The goal is usu-ally to correctly compute some function of the inputsfrom the two parties, while keeping the inputs as privatefrom the opposite party as possible. This has been stud-ied using classical homomorphic encryption techniques[1, 2] or through implementing Yao’s “Garbled Circuit”solution [3]. Another possibility is to introduce a trustedthird party, who may sometimes interact with the twoparties for multiple rounds. To lower the requirement onthe trusted third party, a “trusted initializer” has beenproposed [4]. Such trusted initializer only prepares someinitial correlations between the two parties, and does notinteract with any party afterwards. A trusted initializerwho prepares certain initial correlations, referred to as“one-time tables”, can help make the bipartite computa-tion secure.Secure two-party quantum computation is the corre-sponding problem in quantum computing and quantumcryptography. The two parties wish to correctly com-pute an output according to some public or private pro-gram while keeping their (quantum) inputs as secure aspossible. Special cases of this general problem includequantum homomorphic encryption (QHE) [5–17], secureassisted quantum computation [18, 19], computing on ∗ Electronic address: [email protected] shared quantum secrets [20], and physically-motivatedsecure computation (e.g. [21]). In the study of QHE, itis found that secure computation of the modulo-2 innerproduct of two bit strings provided by the two partiesis a key task, and the one-time tables mentioned aboveturn out to be helpful for this task.In this work, we propose two-party quantum protocolswith aborts as replacements for the trusted initializer inpreparing the one-time tables, and show that the pre-pared one-time tables can help achieve nontrivial degreesof information-theoretic security in bipartite classical orquantum computation. Our main protocols are basedon Protocol 1 which implements the following task withpartial privacy: it takes as input two locally-generateduniformly random bits x and y from Alice and Bob, re-spectively, and outputs ( x AND y) XOR r on Alice’s sideand r on Bob’s side, where r is a uniformly random bit.The one-time table contains four bits: two input bitsand two output bits. By putting the possible aborts inthe preprocessing which does not involve useful data, wepartly avoid the problem of data leakage in those abortedruns in other possible protocols with aborts.Security in quantum key distribution [22] is dependenton verifications. Inspired by this, we propose some proto-cols that verify the correctness of Protocol 1. We proposeProtocol 3 to select some one-time tables generated byProtocol 1. It allows Bob to abort during the protocolwhen he finds that Alice is cheating. When Protocol 3 isused in a generic interactive bipartite classical computa-tion with the roles of Alice and Bob switched, the data a r X i v : . [ qu a n t - ph ] D ec leakage of Alice is asymptotically vanishing for noiselessphysical systems, but for noisy physical systems, the leak-age is linearly related to the noise level. The data privacyof Bob is partial: the leakage is about half of his inputbits, but the privacy is better in the case that the functionis a many-to-one map for Bob’s input, including the casethat the function effectively evaluates universal circuits.We then propose Protocol 4 which includes checks fromboth sides to ensure that the average rate of cheating byany party is asymptotically vanishing. For the bipar-tite computation task, the data leakage of any party isasymptotically vanishing for noiseless systems, while fornoisy systems, the leakage of both parties are linearlyrelated to the noise level.We then propose Protocol 5 which combines severalone-time tables generated by Protocol 3 or 4 into one.When Protocol 5 based on Protocol 3 is used in bipar-tite classical computation, the data leakage of Alice isexponentially small, so it is almost independent of thephysical noise, while some polynomial overhead is neededto make the data privacy of Bob comparable to that inProtocol 3. But such polynomial overhead is not toobad, since the function to be computed can be recom-piled in general, as discussed in Sec. VII. To deal withnoise, we propose Protocol 6 which has enhanced cor-rectness. It detects the errors (from noise and possiblemalicious activity) with some good chance, such that theerror rate in the output is polynomially small, while thesecurity level is similar to that of Protocol 4 at the costof a polynomial-factor increase in resources. It also has avariant of combining one-time tables in the similar wayas in Protocol 5. The resource overhead in Protocol 6 isexponentially large if the output error rate is required tobe exponentially small. However, we think that polyno-mially small error in the output is sometimes acceptable,since the circuit to be evaluated is usually of polynomiallength.All the protocols are secure if both parties are honest-but-curious. An honest-but-curious party is one who fol-lows the protocol while possibly making measurementswhich do not affect the final computation result. Inour protocols, an honest-but-curious party does not learnanything about the other party’s data, no matter whetherthe other party cheats or not.In our protocols, when one party is honest-but-curiousand the other party is malicious, the privacy of the dataof the honest-but-curious party is guaranteed to reach thetargeted level even if the other party cheats. In Proto- col 3, we assume that Bob is conservative , meaning thathe values the privacy of his data higher than the pos-sibility to learn Alice’s data. Operationally, this meanshe always performs the checking and aborts when thenumber of wrong instances exceeds the threshold thathe had chosen. Alice needs to be weakly cooperating forthe protocols not to abort, meaning that she does notcheat much in some batch of the instances of Protocol 1.For Alice’s data security to be enhanced by her verifi-cations in Protocol 4, she should be conservative in thesense described above. But partly due to the possibleaborts, it actually suffices to assume one of the partiesis conservative in Protocol 4, since then the other partymight as well be conservative to reach a better securitylevel for himself (herself). Although Protocol 5 is quiteeffective when there is no noise (including errors), it maynot be better than Protocol 3 or 4 when there is somenon-negligible level of noise. In the noisy case, we pro-pose using Protocol 4 or Protocol 6, where the latter isfor performing some error detection while not harmingsecurity too much.The security of the protocols is “forced security”,which means Alice is forced by Bob’s checks to not cheatin some batches of Protocol 1. It implies that the prob-ability that some one-time tables with targeted (partial)security are generated would approach 1 in the noise-less case under quite weak assumptions about the parties(that Alice weakly cooperates by not cheating in somebatches of Protocol 1, and Bob indeed does the checksdue to that he is conservative), although the protocolsallow aborts.We show some applications in general two-party clas-sical computation, and the check-based implementationsof 1-out-of-2 oblivious transfer and bit commitment un-der some assumptions mentioned above. To enjoy somequantum speedup together with the security benefitbrought about by our preprocessing, we propose an inter-active QHE scheme with costs polynomial in circuit size,as well as a constant-round QHE scheme with exponen-tial cost, which use the precomputed one-time tables asa resource, but both schemes have more rounds of com-munication than in the original definition of QHE. Suchscheme is then generalized to general two-party quantumcomputation with a publicly known circuit and privateinputs on both parties, and to the case of private circuitprovided by one party and private inputs on both par-ties. Our protocols provide check-based implementationsof some no-signaling correlations with the help of classi-cal communication which do not carry information aboutthe inputs in the generated correlations.The rest of the paper is organized as follows. Sec. IIcontains some introduction of the background. In Sec. IIIwe introduce the quantum protocols for generating theone-time tables. Sec. IV shows applications in generaltwo-party classical computation. Sec. V shows applica-tions in general two-party quantum computation. Sec. VIshows applications in check-based implementations ofsome no-signaling correlations with the help of classi-cal communication. Sec. VII contains some discussionsabout the security in the noisy case, and physical imple-mentations. Sec. VIII contains the conclusion and someopen problems. II. PRELIMINARIES
On computing two-party classical functions with quan-tum circuits, Lo [23] studied the data privacy for publiclyknown classical functions with the output on one partyonly. Buhrman et al [24] studied the security of two-party quantum computation for publicly known classicalfunctions in the case that both parties know the outcome,although with some limitations in the security notions.These and other results in the literature [25] suggest thatsecure bipartite classical computing cannot be generallydone by quantum protocols where the two parties havefull quantum capabilities. In the current work, the proto-cols allow aborts in the quantum preprocessing (Bob mayabort when he detects that Alice has cheated), so the sce-nario considered here does not fit into the assumptions inthe works mentioned above. We assume that one partyvalues the privacy of his data higher than the possibilityto learn the other party’s data. Under such assumption,we do not require the parties in the main bipartite com-putation stage to be entirely classical.Next, we introduce the simplest case in the one-timetables [4]. The bipartite AND gate with distributed out-put is a gate that takes as input two distant bits a and b , and outputs ( a · b ) ⊕ r and r on the two parties, re-spectively, where r is a uniformly random bit. (XOR isdenoted as ⊕ ; AND is denoted as the · symbol.) It issufficient for secure two-party classical computation, al-though there may be other constructions. Theoretically,the bipartite AND gate with distributed output on twodistant input bits a and b can be computed while keep-ing both input bits completely private, with the help ofa precomputed ideal one-time table of the nonlocal-AND type. Such one-time table has two locally-generated uni-formly random bits x and y on Alice’s and Bob’s side,respectively, and also has ( x · y ) ⊕ r and r on Alice’s andBob’s side, respectively, where r is a uniformly randombit. The steps for the bipartite AND-gate computationwith distributed output are as follows:1. Alice announces a (cid:48) = a ⊕ x . Bob announces b (cid:48) = b ⊕ y .2. Each party calculates an output bit according to theone-time table and the received message. Alice’s outputis ( x · b (cid:48) ) ⊕ ( x · y ) ⊕ r . Bob’s output is ( a (cid:48) · b ) ⊕ r .The XOR of the two output bits is ( x · b (cid:48) ) ⊕ ( x · y ) ⊕ r ⊕ ( a (cid:48) · b ) ⊕ r = a · b , while each output bit is a uniformlyrandom bit when viewed alone, because r is a uniformlyrandom bit. Since the messages a (cid:48) and b (cid:48) do not con-tain any information about a and b , the desired bipartiteAND gate is implemented while a and b are still perfectlyprivate.Some notations are as follows. By “forced security”,we mean that the security in a protocol is guaranteed byverifications where failure to pass them would cause theprotocol to abort. By saying that a protocol is “cheat-sensitive”, we mean that any cheating will probably causethe protocol to abort. Denote | ˜0 (cid:105) = | + (cid:105) := √ ( | (cid:105) + | (cid:105) ),and | ˜1 (cid:105) = |−(cid:105) := √ ( | (cid:105) − | (cid:105) ). The Hadamard gate H satisfies H | (cid:105) = | + (cid:105) and H | (cid:105) = |−(cid:105) . The random bits areunbiased and independent of other variables by default.An EPR pair is two qubits in the state √ ( | (cid:105) + | (cid:105) ). III. THE QUANTUM PROTOCOLS FORGENERATING ONE-TIME TABLES
The main quantum protocols to be introduced laterare based on Protocol 1, which is the revised version of asubprocedure of a protocol from [26]. The Protocol 1 ef-fectively computes an AND function on two remote clas-sical bits from the two parties, with the output beinga distributed bit, i.e. the XOR of two bits on the twoparties. The security is not ideal: the plain use of suchprotocol would give rise to non-ideal security in (inter-active) quantum homomorphic encryption [26], and thesecurity is such that some additional verification need tobe added in the protocol for it to be nontrivial. Later wepropose protocols that check and sometimes combine theone-time tables generated from Protocol 1, to be used asa preprocessing stage for a bipartite classical or quantumcomputation task.The Protocol 1 involves direct sending of states, whilethe Protocol 11 in Appendix A is the correspondingentanglement-based variant. The Protocol 11 uses priorshared entanglement to remotely prepare some state onBob’s side via Alice’s local measurements, and it alsoinvolves a step of teleportation [27] from Bob to Alicewith partial information about the corrections withheldby the sending party. The teleportation approach allowsAlice and Bob to do operations simultaneously, see thediscussions in Secs. VI and VII. These two protocols cru-cially depend on the property of the
CNOT gate: it isequivalent to a
CNOT gate in the reverse direction in anunbiased basis (the X basis on both parties).In Protocol 1, Alice’s input bit has partial privacy evenfor a cheating Bob, while Bob’s input bit is secure for anhonest-but-curious Alice, but is not secure at all for acheating Alice. The privacy of Alice’s input bit x can bequantified using the accessible information or the tracedistance. The accessible information, i.e. the maximumclassical mutual information corresponding to Bob’s pos-sible knowledge about Alice’s input, is exactly bits,which happens to be equal to the Holevo bound in thecurrent case. For a cheating Bob to get the maximumamount of information, his best measurement strategy inthe current case is to use a fixed projective measurement:to measure the first qubit in the Z basis, and the secondqubit in the X basis. The trace distance of the two den-sity operators for Alice’s two possible input values is ,by direct calculation. Thus, the probability that Bobguesses Alice’s input bit correctly is (1 + ) · = . Notethat with this particular measurement just mentioned,he cannot make the distributed output of the one-timetable correct. In other words, Bob cannot learn the otherparty’s input without consequences.To learn about Bob’s input bit, a cheating Alice mayuse an entangled state ( | (cid:105) + | (cid:105) + | (cid:105) − | (cid:105) ). FromBob’s returned state, Alice may find out Bob’s input bitwith certainty. But in such case Alice has no effectiveinput to speak of, and she does not know Bob’s outputbit h , so even if she chooses an input bit for herself later,she cannot determine her output bit for making the dis-tributed output correct.The entanglement-based version for Protocol 1 is Pro-tocol 11 in Appendix A. Note that in Protocols 1 and11, Alice may cheat by declaring that she did not receivesome qubits in some instances. In such case she may becertain about one of the three bits: y , y ⊕ r or r , depend-ing on her measurement strategy, but she cannot learnboth y and one of r and y ⊕ r (near) perfectly. Since this is a somewhat non-conventional way of cheating (asthere is significant ratio of failed instances noticeable toBob), we discuss this case near the end of Appendix A.The Protocol 1 has two stages of communication. Thefollowing Protocol 2 has only one stage of communica-tion. It is derived from the entanglement-based Proto-col 11. Instead of using prior entanglement, Bob preparessome pure state on four qubits dependent on his privatekeys and a private input bit y . Bob sends such state anda classical bit related to his choice of the state to Alice.Since there are some different choices of such pure state,Alice receives a mixed state in her view. She does somesingle-qubit measurements in some bases of her choice toobtain some classical correlation (one-time table) sharedwith Bob.In Protocol 2, Bob’s input y is partly secure. For anhonest Bob, Alice can know Bob’s input y with probabil-ity , since the two density operators of Bob’s (viewingthe classical bit w as a state on an extra qubit) havetrace distance . On the other hand, Alice’s input inthe one-time table, x , is completely insecure in the worstcase for a cheating Bob, but it is completely secure foran honest Bob. A cheating Bob could prepare some statesuch that the x is determined, such as preparing | (cid:105)| + (cid:105) on the first two qubits, but then the output of the one-time table would be completely random (due to that Al-ice would measure one of the first two qubits with anunbiased basis compared to the basis for the state of thequbit), hence it is incorrect with large probability. Over-all, the security characteristics of Protocol 2 is analogousto that of Protocol 1 but with the roles of the two partiesswitched. But the fewer rounds of communication makesProtocol 2 potentially interesting in other applications.In later parts of the paper, we take Protocol 1 as theexample in analyzing some composed protocols.In the following we present protocols which check orcombine the one-time tables generated in Protocol 1. Thefirst one has partial security for Alice and near-perfectsecurity for Bob, while the second one involves checkingby both parties, and aims for near-perfect security forboth parties. The third one aims for near-perfect securityfor both parties with emphasis on the security of oneparty.In Protocol 3, Alice’s input bit has partial privacy,which is the same as in the analysis of Protocol 1 above.When the ratio Km is near one, the nonlocal correlationsin the remaining unchecked one-time tables can be re-garded as almost surely correct. This is because of Bob’s Protocol 1
A two-message quantum protocol for generating one-time tables with partial privacy
Input:
A random bit x from Alice and a random bit y from Bob. Output: ( x · y ) ⊕ r on Alice’s side, and r on Bob’s side, where r is a random bit.The input and output together form the one-time table.1. Alice generates two random bits s and t . If s = 0, she prepares the state | x (cid:105)| t (cid:105) ; if s = 1, she prepares the state | ˜ t (cid:105)| ˜ x (cid:105) ,where the tilde represents X -basis encoding. She sends the prepared two-qubit state to Bob.2. Bob receives the two qubits. If y = 0, Bob does a CNOT gate on the two qubits, with the first qubit being the controlqubit.3. He generates two random bits h and h . He does a σ y gate on any qubit where the corresponding bit h j ( j = 1 ,
2) is 1.He generates a random bit p . If p = 1, he does σ z gates on both qubits. He sends the two qubits to Alice. The bit h := h ⊕ h is his output.4. Alice receives the two qubits. If s = 0, Alice measures the two received qubits in the Z basis, otherwise she measuresthem in the X basis. She calculates the XOR of three bits: the two outcome bits, and the t . The obtained bit is heroutput. Protocol 2
A one-message quantum protocol for generating one-time tables with partial privacy
Input of the generated one-time table:
A random bit x generated in the protocol, and a random bit y from Bob. Output of the generated one-time table: ( x · y ) ⊕ r on Alice’s side, and r on Bob’s side, where r is a random bit.The input and output together form the one-time table.1. Bob initializes four qubits in a random computational basis state | i (cid:105)| i (cid:105)| i (cid:105)| i (cid:105) . He denotes w := i ⊕ i ⊕ i ⊕ i , and r := i ⊕ i . He performs the Hadamard gate on the first two qubits. He then performs the gates CNOT and CNOT ,where the subscripts are labels for the qubits, and the first label is for the controlling qubit. If y = 0, he does a CNOT gate. He sends the four qubits and the bit value w to Alice. Bob’s output bit is r .2. Alice receives the four qubits from Bob. She generates a random bit s . If s = 0, she measures the four qubits in the Z basis, and records the measurement outcome on the first qubit as x ; if s = 1, she measures the four qubits in the X basis, and records her measurement outcome on the second qubit as x . (Under X -basis measurement, the states | + (cid:105) and |−(cid:105) are recorded as 0 and 1, respectively.) The XOR of the measurement outcomes on the three remaining qubits isrecorded as g . Alice calculates her output bit: g ⊕ ( s · w ). checking. We require Alice to be weakly cooperating,that is, she does not cheat in some of the batches of in-stances, since otherwise no one-time table may pass thetest. Some degree of weak cooperation is required for twoparties to perform a computation anyway, and the aboveassumption of Alice has no effect on the data securityof any party when Bob satisfies the assumption below,thus we may ignore the assumption above and just statethe following assumption on Bob as the requirement ofour protocols. In the following we assume that Bob isconservative, which means that he values the privacy ofhis data higher than the possibility to learn Alice’s data.Later in Sec. IV we will see that it effectively implies thathe indeed does the checking. For an honest-but-curiousAlice, the resulting correlation is correct, and she doesnot learn anything about Bob’s input bit y (using thenotations in Protocol 1, same below). In the followingwe discuss the case that Alice cheats. If Alice cheats and gets at least partial informationabout Bob’s input bit y , the state sent from Alice to Bobmust be different from what is specified in the protocol;her best choice of state for cheating is mentioned pre-viously. To pass Bob’s test while learning about Bob’sinput y , she should know both y and r , or know both y and y ⊕ r . (The two conditions are equivalent in theexact case, but not necessarily equivalent in the partial-information case.) In the following, let I M y denote theclassical mutual information learnable by Alice aboutBob’s bit y (with uniform prior distribution) if she usesthe measurement M on the received two qubits (possi-bly a POVM measurement), in an instance of Protocol 1.The I M r and I M y ⊕ r are defined similarly, but note that theyare conditioned on the uniform distribution for y , similarto the case of I M y . Proposition 1.
In Protocol 1, the following inequalities
Protocol 3
A partly-secure protocol for checking the one-time tables
1. Alice and Bob perform many instances of Protocol 1 (sequentially or in parallel) to generate some one-time tables, andexchange messages to agree on which instances were successfully implemented experimentally. Suppose m one-time tableswere implemented. The one-time tables labeled by j has inputs a j and b j , and outputs e j and f j .2. Bob randomly selects K integers in { , · · · , m } , which are labels for which one-time table. He tells his choices to Alice.The integer K satisfies that m − K is an upper bound on the number of required one-time tables in the main bipartitecomputing task, and the ratio Km is related to the targeted security level of the overall computation.3. Alice sends the bits a j and e j to Bob for all chosen labels j .4. For any chosen label j , Bob checks whether a j and e j satisfy that a j · b j = e j ⊕ f j . If the total number of failures is largerthan some preset number of Bob’s (e.g. 0, or a small constant times K ), he aborts the protocol, or restarts the protocolto do testing on a new batch of instances of Protocol 1 if the two parties still want to perform some secure two-partycomputation. Otherwise, the remaining one-time tables are regarded as having passed the checking and will be used laterin the two-party computing task. They may repeat the steps above to prepare more one-time tables on demand. hold: I M y + I M r ≤ , (1) I M y + I M y ⊕ r ≤ , (2) I M y + max( I M r , I M y ⊕ r ) ≤ . (3)where the two M are the same in each equation. Allthe quantities on the left-hand-sides are also dependenton Bob’s received state σ A . It is effectively prepared byAlice, and is a mixed state on two qubits (in numericalcalculations, it is viewed as a pure state on two of Bob’squbits and two imaginary ancillary qubits), and the two σ A are the same in each equation. We abbreviate thesymbol σ A .Note that the relationship between σ A and x is as fol-lows: if Alice is honest, the σ A is determined by thechoice of x according to Protocol 1 up to some Paulioperators (arising from the teleportations in Step 2 ofProtocol 1). If Alice is dishonest, the σ A is not necessar-ily related to x (since the latter may be undefined), andit may be a mixed state in Bob’s view, but Alice mayhold the purification for it, where the purification systemneeds to include two ancillary qubits at most. In defining σ A , we use Bob’s received state instead of Alice’s inputstate before teleportation, since it is more general: Alicecould cheat by changing her operations to deviate fromthe original operations in the teleportation, but she al-ways effectively prepares a (mixed) state on Bob’s twoqubits no matter what she does. Proof.
Suppose σ A is Bob’s received two-qubit mixedstate. The overall communication from Bob to Alice inProtocol 1 is effectively only one classical bit, since if Bobrandomly performs a σ z gate on his first sent qubit, the sent two qubits would be in a maximally mixed state,containing no information for Alice. Also note that thereare effectively no other prior correlations between the twoparties besides the fixed entangled state, so the lockingof information [28] does not occur here. The amount ofinformation that Alice learns about the joint distributionof y and r is upper bounded by 1 bit. The bits y and r are independent when Bob produces them, so the y and r are independent prior to Alice’s measurement. Thus theinequality (1) holds, where we have assumed that the two σ A implicit in the information quantities are the same inthis equation (same below). The bits y and y ⊕ r jointlydetermine y and r , and vice versa, so the amount of infor-mation that Alice learns about the joint distribution of y and y ⊕ r is upper bounded by 1 bit. And since the bits y and y ⊕ r are independent prior to Alice’s measurement,we have that the inequality (2) holds. The inequalities(1) and (2) together imply (3). (cid:117)(cid:116) The probability that Alice passes Bob’s test at a partic-ular instance is related to the max( I M r , I M y ⊕ r ) in Eq. (3).When the probability of passing approaches 1, such max-imum approaches 1, then it must be that one of themapproaches 1. Then, Prop. 1 implies that Alice can learnalmost nothing about y if she measured in the same ba-sis, but in fact a cheating Alice knows which instances areremaining and will not be checked later (although it isconceivable that some checks may be done after the maincomputation, see Sec. VII below), so she can choose to doany measurement on the received states in these remain-ing instances. Such measurement may not be the sameas M in the other term in Eq. (3). This implies thatEq. (3) alone is not sufficient for proving the security ofProtocol 3. Theorem 1.
In Protocol 3, Bob’s input is asymptoticallysecure.Proof.
We first consider the case that Alice’s operationsare independent among different instances of Protocol 1,and at last comment that the non-independent case stillsatisfy the extreme case of the inequalities above, givingrise to the security of Protocol 3.Due to the freedom of measurement basis choice men-tioned above, the Holevo bounds, which are upperbounds of the information quantities, are more relevantfor proving the security of Protocol 3. Under the condi-tion that Alice’s operations are independent among theinstances, we need only consider the Holevo bounds fora single instance of Protocol 1. Let χ y be the Holevoquantity which is the upper bound for I M y . It is definedas χ y = S ( ρ ) − (cid:88) j =1 S ( ρ j ) , (4)where ρ j is the density operator that Alice receives fromBob for the case of y = j after Pauli corrections deter-mined by Bob’s sent bit, and ρ = ( ρ + ρ ). The S represents the von Neumann entropy. The definition of χ y shows that it is conditioned on the uniform prior dis-tribution for y . The quantities χ r and χ y ⊕ r are definedsimilarly and are also conditioned on the uniform priordistribution for y . We claim that the following inequalityholds for small positive (cid:15) and a nonnegative continuousfunction f ( (cid:15) ), χ y + max( χ r , χ y ⊕ r ) ≤ f ( (cid:15) ) , for max( χ r , χ y ⊕ r ) ≥ − (cid:15), where f is continuous and f (0) = 0 . (5)The reason is as follows. The Holevo quantities in Eq. (5)satisfy uniform continuity, because of the combination ofthe following two reasons: the ancilla in Alice’s initialstate σ A (introduced in Prop. 1) is effectively at most 4dimensions due to the Schmidt decomposition, and notethat such ancilla is also the ancilla for Alice’s final state;the Holevo quantity χ y in (4) is continuous as a functionof ρ and ρ and is therefore a continuous function ofAlice’s initial state σ A , and similarly, the Holevo quanti-ties χ r and χ y ⊕ r are also continuous functions of Alice’sinitial state σ A . Given that the Holevo quantities satisfyuniform continuity, we obtain Eq. (5) by noting the factthat max( χ r , χ y ⊕ r ) = 1 = ⇒ χ y = 0 , (6) where Eq. (6) holds because max( χ r , χ y ⊕ r ) = 1 impliesthat max( I M r , I M y ⊕ r ) = 1 for some M , and the latter im-plies χ y = 0 due to the following argument: suppose I M r = 1 (the case that I M y ⊕ r = 1 is similar), and considerthe four density operators on Alice’s side correspond-ing to four different combinations of y and r , then thetwo pairs corresponding to different r must be orthogo-nal across the pairs. Then if the states in one pair arepartially distinguishable, the left-hand-side of (3) wouldbe greater than 1 for some M , which violates Prop 1.The above arguments shows that max( I M r , I M y ⊕ r ) = 1 forsome M implies χ y = 0, hence Eq. (6) holds.Alice may cheat in some instances of Protocol 1 so wemay define a rate of cheating. Partial cheating in a in-stance is converted into a fractional number of cheatinginstances in calculating such rate. Alice’s cheating proba-bilities among different instances may be correlated, butthat does not affect the following argument since Bobrandomly chooses which instances to check. It is sortof subjective for Bob to determine the average rate ofcheating from the number of wrong results and the totalnumber of tests in Protocol 3, since it depends on the apriori knowledge about the probability distribution forAlice’s average rate of cheating, and also depends on thecorrelations between rates of cheating among different in-stances of Protocol 1. Suppose that after some checking,Bob estimates that Alice’s average rate of cheating is (cid:15) ,which is a small positive constant near 0, then the follow-ing estimate holds for the uniform distribution of y and r (the uniform distribution of y can be imposed by Bobsince he wants to make Alice’s cheating be detected, andthe r has uniform distribution according to Protocol 1):max( χ r , χ y ⊕ r ) ≥ − (cid:15) . Hence, χ y ≤ (cid:15) + f ( (cid:15) ) accordingto Eq. (5). This shows that the expected amount of in-formation about y learnable by a cheating Alice in theremaining instances of Protocol 1 is arbitrarily near zerofor sufficiently small (cid:15) , even if she measures in differentbases from those for the tested instances. The word “ex-pected” means that even if L(cid:15) <
1, where L is the totalnumber of one-time tables to be used for the main com-putation, Alice may sometimes learn about one or a fewbits of Bob’s input by chance, but on average, she learnsnot more than L(cid:15) bits. Since the information about y is linearly related to the information learnable by Alicein the later main computation stage (see the bipartiteAND-gate computation method in Sec. II), this showsthe security of Protocol 3 in the case that Alice’s opera-tions are independent among instances of Protocol 1. In the following we consider the general case that Al-ice’s operations are not necessarily independent amonginstances of Protocol 1. If Alice initially prepares somecorrelated quantum states among m instances, the gener-alization of Eq. (6) should hold, due to the similar reasonas that after Eq. (6). Then the generalization of Eq. (5)for the corresponding Holevo bounds should hold approx-imately near such extreme point, due to the uniform con-tinuity of the Holevo bounds (as functions of the jointstate on Bob’s side on multiple subsystems). Since Bob’svariables y and r are independent among the instances,the generalizations of Eq. (5) just mentioned have thesame scaling near the extreme point (as the number ofinstances of Protocol 1 grow) as in the case that Alice’soperations are independent. The last point can be seenfrom that Alice’s states in other instances of Protocol 1serve as auxiliary systems in considering Holevo quanti-ties of the form (4), so the one-copy tradeoff curve of theHolevo quantities still holds, i.e. Eq. (5) for one instancestill holds with the same quantitative levels (includingnear the extreme point). This shows that the argumentfor the security for the case of independent operations ofAlice can be extended to the general case. (cid:117)(cid:116) Some numerical results are in Appendix B.To improve Alice’s security in the protocol above, wepropose the following Protocol 4, in which Alice also doessome checking about Bob’s behavior.By noting that there is effectively only one bit of clas-sical communication from Alice to Bob in Protocol 1,the analysis for Protocol 3 about Bob’s data privacy canprovide hints for analyzing Alice’s data privacy in Pro-tocol 4. There are analogues of Prop. 1 and Theorem 1for Alice instead of Bob, see Prop. 2 and Theorem 2 be-low. To draw an analogy to the analysis of Protocol 3,note that the output bits of Protocol 1 can alternativelybe written as r (cid:48) on Alice’s side and ( x · y ) ⊕ r (cid:48) on Bob’sside, respectively, where r (cid:48) is a uniformly random bit. Westate the following results. The I M x is the classical mutualinformation learnable by Bob about Alice’s input x us-ing measurement M , in an instance of Protocol 1, wherethe M incorporates his possible CNOT gate, some Paulicorrections or equivalently some classical postprocessing,and Bell-state measurement with withheld masks. Andthe other quantities are defined similarly.
Proposition 2.
In Protocol 1, the follows inequalities hold: I M x + I M r (cid:48) ≤ , (7) I M x + I M x ⊕ r (cid:48) ≤ , (8) I M x + max( I M r (cid:48) , I M x ⊕ r (cid:48) ) ≤ . (9)where the two M are the same in each equation. Proof.
The overall communication from Alice to Bob inProtocol 1 is effectively only one classical bit, since Alicecould apply an arbitrary Pauli operator to the qubit notencoding x , while applying a σ z to the qubit encoding x if it is encoded in the Z basis, or a σ x to the qubitencoding x if it is encoded in the X basis. The protocolstill works under these changes, with Alice’s recording ofthe value of t changed. Then, if Alice further applies aPauli operator, the two qubits sent to Bob would be ina maximally mixed state, containing no information forBob. This shows that the overall communication fromAlice to Bob in Protocol 1 is effectively only one classi-cal bit. Thus the amount of information that Bob learnsabout the joint distribution of x and r (cid:48) is upper boundedby 1 bit. (As mentioned below, the value of r (cid:48) is depen-dent on t , so it is not decided by Bob.) The bits x and r (cid:48) are independent, because r (cid:48) is an independent uniformlyrandom bit, by the construction of Protocol 1: she takesthe XOR of some intermediate result and a uniformlyrandom bit t (generated by herself and independent from x ) in the last step of Protocol 1. Thus the inequality (7)holds. The bits x and x ⊕ r (cid:48) jointly determine x and r (cid:48) ,and vice versa, so the amount of information that Boblearns about the joint distribution of x and x ⊕ r (cid:48) is upperbounded by 1 bit. And since the bits x and x ⊕ r (cid:48) areindependent, we have that the inequality (8) holds. Theinequalities (7) and (8) together imply (9). (cid:117)(cid:116) Theorem 2.
In Protocol 4, Alice’s input is asymptoti-cally secure.Proof.
Similar to the proof of Theorem 1, we may definethe Holevo quantities χ x , χ r (cid:48) and χ x ⊕ r (cid:48) , which are con-ditioned on the uniform prior distribution for x . For thesimilar reasons as in the proof of Theorem 1, the follow-ing inequality holds for small positive (cid:15) and a nonnegativecontinuous function g ( (cid:15) ), χ x + max( χ r (cid:48) , χ x ⊕ r (cid:48) ) ≤ g ( (cid:15) ) , for max( χ r (cid:48) , χ x ⊕ r (cid:48) ) ≥ − (cid:15), where g is continuous and g (0) = 0 . (10) Protocol 4
A protocol for checking the one-time tables by both parties
1. Alice and Bob perform many instances of Protocol 1 to generate some one-time tables, and exchange messages to agreeon which instances were successfully implemented experimentally. Suppose m one-time tables were implemented. Theone-time tables labeled by j has inputs a j and b j , and outputs e j and f j .2. (The steps 2 to 4 can be done concurrently with the steps 5 to 7.) Bob randomly selects K B integers in { , · · · , m } ,which are labels for which one-time table. He tells his choices to Alice.3. Alice sends the bits a j and e j to Bob for all chosen labels j .4. For any chosen label j , Bob checks whether a j and e j satisfy that a j · b j = e j ⊕ f j . If the total number of failures islarger than some preset number of Bob’s (e.g. 0, or a small constant times m ), he aborts the protocol, or asks Alice torestart the protocol to do testing on a new batch of instances of Protocol 1 if the two parties still want to perform somesecure two-party computation.5. Alice randomly chooses K A integers in { , · · · , m } , and tells Bob her choices. The chosen set of integers may overlapwith the set chosen by Bob.6. Bob sends the bits b j and f j to Alice for the chosen labels j .7. For any chosen label j , Alice checks whether a j · b j = e j ⊕ f j holds. If the total number of failures is larger than somepreset number of Alice’s, she aborts the protocol, or asks Bob to restart the protocol if needed.8. The remaining one-time tables are regarded as having passed the checking and will be used later in the two-partycomputing task. They may repeat the steps above to prepare more one-time tables on demand. Note that to show the inequality (10) is correct, we needthe following implication:max( χ r (cid:48) , χ x ⊕ r (cid:48) ) = 1 = ⇒ χ x = 0 . (11)The implication in Eq. (11) holds becausemax( χ r (cid:48) , χ x ⊕ r (cid:48) ) = 1 implies that max( I M r (cid:48) , I M x ⊕ r (cid:48) ) = 1 forsome measurement M of Bob’s, and the latter implies χ x = 0 due to the following argument. Suppose I M r (cid:48) = 1(the case that I M x ⊕ r (cid:48) = 1 is similar), and consider thefour density operators on Bob’s side corresponding tofour different combinations of x and r (cid:48) , then the twopairs corresponding to different r (cid:48) must be orthogonalacross the pairs. Then if the states in a pair are partiallydistinguishable, the left-hand-side of (9) would begreater than 1 for some M , which violates Prop 2. Thisshows that max( I M r (cid:48) , I M x ⊕ r (cid:48) ) = 1 for some M implies χ x = 0, hence Eq. (11) holds.In the case that Bob’s operations are independentamong instances of Protocol 1, the security of Alice’sinput in Protocol 3 then follows, for the similar reasonsas in the proof of Theorem 1.In the following we consider the general case that Bob’soperations are not independent among instances of Pro-tocol 1. In such case, the generalization of Eq. (11)should hold, due to the similar reason as that afterEq. (11). Then the generalization of Eq. (10) for thecorresponding Holevo bounds should hold approximatelynear such extreme point, due to the uniform continuity of the Holevo bounds (as functions of Bob’s operationsand his messages sent to Alice), and the argument inthe proof of Theorem 1 which asserts that the systems inother instances serve as auxiliary systems so the one-copytradeoff curve of the Holevo quantities still holds. Thisshows that the argument for the security for the case ofindependent operations of Bob can be extended to thegeneral case. (cid:117)(cid:116) It should be noted that when χ x is near 0, there isstill some exponentially small probability that Bob maylearn quite a significant portion of the information about x in the remaining unchecked instances. The quantita-tive security level is different from that obtainable bydirectly adapting Theorem 1 with the roles of two par-ties switched, at least on the following two points. First,Alice’s data privacy has a nonzero lower bound here, seethe analysis below Protocol 1. Second, with the sameresource cost, Bob’s data privacy is somewhat weakerthan that in Protocol 3, since some of the one-time tablesare used for Alice’s checking now. Bob effectively checksabout half of the instances as in Protocol 3, and Alicechecks the other half. But the security should not bemuch worse since Bob randomly chooses which instancesto check.In Protocol 4, if any one party is conservative, his (her)data privacy is guaranteed. But partly due to the possi-ble aborts, it actually suffices to assume either one of the0parties is conservative in Protocol 4, since then the otherparty might as well be conservative to reach a better se-curity level for himself (herself).When one party’s data privacy is very important, andthe other party’s data privacy is not too important, wepropose the following Protocol 5. It improves the privacyof Alice’s input in the later main computation task, whilethat of Bob’s input is somewhat compromised.In Protocol 5, the privacy of Alice’s bit x for the com-bined one-time table is quite good: The accessible infor-mation for Bob is exactly k bits, where k is the sizeof S in protocol description. It is because the differentone-time tables from the first step are independent. TheHolevo bound coincides with the accessible informationin the current case.For the privacy of Bob’s input bit y in the combinedone-time table, it is possible for a cheating Alice to doa joint measurement on k received states from Bob, tolearn the information about y and r simultaneously asmuch as possible (or y and y ⊕ r ). Bob can deal withthis by testing more one-time tables. The resource usage(the amount of entanglement needed and the amount ofcommunication) is estimated to be about O ( tk ) timesthat of Protocol 3, to achieve the similar level of privacyfor Bob, where t is the total number of one-time tablesrequired for the later main computation, and k is the sizeof S in Protocol 5. In such factor tk , one k is for the sizeof S , and the additional tk factor means that about O ( tk )one-time tables are used in the instance of Protocol 3 inthe first step of Protocol 5. This factor appears becauseAlice may use techniques similar to Grover’s algorithm toincrease the amount of information she may learn about y , and the same input variable of Bob’s may appear in theoriginal circuit for at most t times. But in the case thatthe function to be evaluated is for evaluating a programprovided by Bob on Alice’s data, it is possible that eachvariable of Bob’s appears only once, then the t factorcan be omitted, so that the overhead becomes only O ( k )compared to the plain use of Protocol 3.The Protocol 5 differs from the previous protocols inthat it has an extra step of combining the one-time ta-bles, and its usage in the later bipartite computation taskmay be different by a switch of the roles of Alice and Bob.The success of the quantum protocols is not guaranteedin the presence of cheating, but this does not cause muchproblem since cheating is caught with high probability,and these protocols are in the preprocessing stage forthe overall computation, so the useful data is not leaked. The failures in the quantum gates, measurements, andentanglement generation or qubit transmissions in thepreprocessing stage can be tolerated by trial-and-error.The failures in Protocol 1 are required to be reported inthe protocols, so they have no effect for the testing andlater computations. In some experimental implementa-tions the failures might not be reported and might appearas errors, and this would affect the security.To deal with noise and errors, we propose the follow-ing Protocol 6, which has some polynomial resource over-head, and there is a polynomial reduction in error ratein the output.A remark on the method to analyze the security ofProtocol 6 is as follows. The classical mutual informa-tion rather than the Holevo bound is essential in analyz-ing the security of Protocol 6, which is because the finalquantum state of Alice for each instance of the one-timetable is measured for performing checkings, while in someother protocols such as Protocol 3, the states for the ac-tually used one-time tables are not measured during thechecking.A strategy for Alice to cheat in Protocol 6 is that shecould guess the b and f , and confirms her guesses viawhether the instance is rejected or not after she sent somebits to Bob for him to check. This way of cheating re-quires her to also know both b j and f j , however, she canonly guess but not deterministically learn both those bits.Hence, Alice’s cheating is likely to be caught by Bob whenthe number of checks q is not too small. Bob may cheatby partially learning about some a j through his measure-ments on quantum states, and then deduce a from thesent bit a ⊕ a j . To deal with this strategy of Bob’s, Alicecould check for more instances of one-time tables in theinitial stage, or combine some target instances, similar tothe method in Protocol 5. The later cheating method ofBob requires q to be O (polylog( (cid:15) )), where (cid:15) is the targeterror level in output (assuming the original error level isa constant). On the other hand, q being so small indeedsuffices to achieve the target error level. And the resourceoverhead in such case is O (poly( (cid:15) )), for Bob’s securityto stay comparable to that in Protocol 4 or Protocol 5.From the above, we see that the resource overhead maybe exponentially large if the output error rate is requiredto be exponentially small, while security stays compara-ble to that in Protocol 4. A possible explanation is thatProtocol 6 does not involve active error correction. Forthis problem, we suspect that polynomially small error inthe output is sometimes acceptable, since the circuit to1 Protocol 5
A protocol for generating improved one-time tables with combinations
1. Alice and Bob perform Protocol 3 or Protocol 4 to obtain some one-time tables after checking. Suppose the instancelabeled by j has inputs a j and b j , and outputs e j and f j .2. Bob determines which remaining one-time tables are to be combined into one new instance of one-time table, and tellsAlice his decision. Each new instance corresponds to a set S of old instances which satisfy that Bob’s input bits are equal(denoted as b ). A new instance has inputs a (cid:48) and b (cid:48) , and outputs e (cid:48) and f (cid:48) , where a (cid:48) := (cid:80) j ∈ S a j mod 2, b (cid:48) := b , e (cid:48) := (cid:80) j ∈ S e j mod 2, f (cid:48) := (cid:80) j ∈ S f j mod 2. Protocol 6
A protocol for generating checked one-time tables with reduced error rate
1. Alice and Bob perform many instances of Protocol 1 to generate some one-time tables, and exchange messages to agreeon which instances were successfully implemented experimentally.2. Alice and Bob uses the method in Protocol 4 to check the instances. They use more instances and a higher ratio ofchecking by Bob, for better privacy of Bob.3. Bob chooses a target instance of a one-time table with inputs a and b and outputs e and f . He also randomly choosesother q instances (called “auxiliary” one-time tables) for helping detecting errors in the following step.4. Suppose the auxiliary one-time table labeled by j has inputs a j and b j , and outputs e j and f j , for j = 1 , . . . , q . Bob asksAlice to send a ⊕ a j and e ⊕ e j to him. For those j with b j = b , Bob checks whether ( a ⊕ a j ) · b = e ⊕ e j ⊕ f ⊕ f j .If there is an error, Bob rejects such target instance of one-time table.5. The one-time tables which passed the checking will be used later in the two-party computing task. Alice and Bob repeatthe steps starting from Step 3 to prepare more one-time tables. be evaluated is usually of polynomial length; and someembedded checks in the two-party computation could beadopted so that the computation rewinds to a previouspoint when some error is detected. IV. APPLICATIONS IN TWO-PARTYCLASSICAL COMPUTATION
The following Protocol 7 is for evaluating a linear poly-nomial with distributed output using the quantum pre-processing protocols introduced above. The linear poly-nomial is of the form z = ( c + (cid:80) nj =1 a j b j ) mod 2, where c is a constant bit known to Bob, and a j and b j are bitson Alice and Bob’s side, respectively. The output is theXOR of two bits on different sides.If Protocol 3 is used in Protocol 7, the data privacy ofone party is partial. The leakage is about half of his orher input bits. See also the comments after Protocol 8below. Generally, we suggest using Protocol 4 or Proto-col 6 in Protocol 7, since they at least aim for near-perfectsecurity.For a generic boolean circuit, we propose Protocol 8.The main computation after the preprocessing does notinclude any aborts, and only requires the number of com-munication rounds to be about equal to the circuit depth. The circuit is assumed to be known to both parties, ex-cept for some initial local gates, which may be knownonly to the local party.If Protocol 3 is used in Protocol 8 with the roles of Al-ice and Bob switched in the preprocessing only, the dataprivacy of Bob is partial. The leakage is about half of hisinput bits in each polynomial. But the privacy is betterin the case that the function allows many different inputsof Bob to give rise to the same result. In the case thatthe function effectively evaluates a universal circuit withdata given by Alice and the logical circuit given by Bob,his input has partial privacy which is acceptable due topossible recompilations of Bob’s logical circuit. If Proto-col 5 is used instead of Protocol 3, it is suggested thatAlice always be the first party, to save the required num-ber of one-time tables when Alice’s data privacy is moreimportant than Bob’s data privacy. Then Alice’s data inthe main computation is asymptotically secure becauseof the property of Protocol 5. The remarks above are forthe noiseless case. For the case with noise, see Sec. VII,where it is suggested to use Protocol 4 or Protocol 6.The Protocol 8 has a good property that cheatingwould usually give rise to wrong results. If some party(partially) cheated in generating some of the one-timetables, so that some but not all of the one-time tablesused in Protocol 8 are not secure, then the insecure one-2 Protocol 7
A protocol for evaluating classical linear polynomials with distributed output using one-time tables
Input: n bits a j from Alice, and n bits b j from Bob, and a bit c known to Bob. Output: a bit z A on Alice’s side and a bit z B on Bob’s side, such that z := z A ⊕ z B = ( c + (cid:80) nj =1 a j b j ) mod 2.1. Alice and Bob perform Protocol 3 or 4 or 5 or 6 to obtain n one-time tables.2. For evaluating the linear polynomial z = ( c + (cid:80) nj =1 a j b j ) mod 2, Alice and Bob perform the evaluation of the nonlocalAND gate for a j and b j using the procedure in Sec. II, with the output being distributed. They locally calculate theXOR of all bits from the outputs, and Bob additionally takes the XOR with c . Each party obtains a bit as the output. Protocol 8
A protocol for evaluating publicly-known boolean circuits with private bipartite input using one-timetables
1. Alice and Bob decompose the two-party circuit to be evaluated into some local circuits with AND, XOR gates, and somelinear polynomials with bipartite input, while adding possible ancillary bits with fixed initial value 1 (for implementingthe NOT gates with the help of XOR). Any nonlocal AND gate in the original circuit is a special case of the linearpolynomial.2. For each AND gate not in the initial stage, the inputs may be distributed, i.e. one or both input bits are the XOR of tworemote bits. In the case that both input bits are distributed, Alice and Bob decompose such gate into the XOR of theoutputs of two local AND gates and two nonlocal AND gates, the latter being a special case of the linear polynomial. Inthe case that only one input bit is distributed, they decompose such gate into the XOR of the outputs of a local ANDgate and a nonlocal AND gate. For any XOR gate where both input bits are distributed, it is decomposed into twolocal XOR gates, with the output of the overall gate being distributed. For any XOR gate where only one input bit isdistributed, it is effectively one local XOR gate, with the output of the overall gate being distributed.3. They perform the gates in the resulting circuit in pre-arranged order. The linear polynomials are evaluated usingProtocol 7 with distributed output.4. At the end of the circuit, one party sends some bits to the other party so that the distributed bits for the output arerecombined to form the correct output; if there are output on two parties, both parties need to send messages. time tables are wrong with some significant probabilityaccording to Eq. (3): the calculation results for a par-ticular nonlocal AND gate would often be incorrect afterthe distributed output bits are recombined. This impliesthat the final computation result has large probability tobe wrong. But if that party cheated in all the generatedone-time tables and passed the other party’s test, thecomputation result could be calculated by the cheatingparty alone with the help of the messages sent from theother party in the main computation stage. The lattercase is not likely to happen, since the other party couldset a low threshold in the testing.Some protocol similar to Protocol 8 could be used forevaluating a public circuit on shared classical secrets be-tween Alice and Bob, when each effective input bit isthe XOR of two remote bits. The steps are quite similarexcept for some initial local gates, so we abbreviate theprotocol here.In the following we discuss the security assumptions.We define Bob to be “conservative”, if he values the pri-vacy of his input data higher than the possibility to learn Alice’s data.First, let us assume that Bob honestly does the testingin the Protocols 3 and 5. There could be superpositionsin the input and the output of these quantum protocols,but in the later classical computation task, the partiesmay do computational-basis measurements to force thereceived superposed states to collapse. Note that oneparty may insist on using the superposed output fromsome instance of the one-time table, but when the otherparty does some later gate using such output as an in-put, the latter party may do computational-basis mea-surements to force the collapse of the superposition.Next, we discuss the case out of the assumption, thatis, Bob cheats in the quantum protocols. He may cheatby not aborting after finding that Alice is cheating. Thisway of cheating is not powerful by itself, but see the fol-lowing for discussion about his combined ways of cheat-ing. The second way for him to cheat is to use generalquantum input (allowing superpositions and entangle-ment) for the one-time tables, which also allows generalquantum output for the one-time tables. In such case,3Alice may do computational-basis measurements in themain bipartite computation stage to force the collapse ofsuperpositions. The case that he uses general quantumoutput for the one-time tables is discussed in the previ-ous paragraph. For the case that Bob combines the twocheating methods above, if Alice is honest, Bob cannotget more information about Alice’s data compared to thecase of him not cheating in this way. If Alice also cheats,then it is possible that Bob’s knowledge about Alice’sdata on average is better (e.g. when they discard someone-time tables, so that Bob obtains more informationabout Alice’s input in the remaining one-time tables).But that comes at the expense of the higher possible leak-age of Bob’s data. So a conservative Bob should not dosuch combined cheating. The third way for Bob to cheatis by using superposed states in the main computationbut not the preprocessing. This has no effect since Al-ice may make a computational-basis measurement on thestate received from Bob in the main computation. Notethat Alice’s data leakage is limited by design of the quan-tum protocols, except in the case of non-conservative Bobdiscussed above. In conclusion, if we assume Bob to beconservative, the quantum protocols are asymptoticallysecure; if we assume Alice to be honest-but-curious, theProtocol 5 is asymptotically secure for Alice (as men-tioned in Sec. III), and in such case it does not makemuch sense for Bob to cheat since he cannot gain fromcheating.In the following we consider implementing some cryp-tographic primitives such as 1-out-of-2 oblivious transfer[29, 30] and bit commitment. The Protocol 9 is a protocolof 1-out-of-2 oblivious transfer, with its definition shownin the initial part of the protocol. It is constructed basedon the one-time table (which effectively implements thePR-box with the help of some communication, c.f. Sec. V)by using the method in [31]. In the Rabin oblivious trans-fer, Alice sends a bit to Bob and it is received with proba-bility , and Alice does not know whether the message isreceived by Bob. The 1-out-of-2 oblivious transfer can beconstructed from the Rabin oblivious transfer [29], butwe are not aware of a construction for the transformationin the reverse direction, although the oblivious key pro-tocol [31], which is quite similar to the Rabin oblivioustransfer, can be constructed from the 1-out-of-2 oblivioustransfer according to [31].There are some no-go theorems for quantum bit com-mitment [32, 33]. Since our quantum preprocessing pro-tocols allow aborts, and there are some requirements on Protocol 9
A check-based quantum protocol forapproximately-secure cheat-sensitive 1-out-of-2oblivious transfer
Input:
Two bits m and m on Alice’s side, and a bit b onBob’s side. Output: a bit m c on Bob’s side. It is required that Bobdoes not know m − c , and Alice does not know b .1. Alice and Bob run an instance of Protocol 7 with thepolynomial of the form z = a · b (i.e. with only onevariable and no constant term), where a = m ⊕ m ,and b is Bob’s input bit. Suppose the output bit onAlice’s side is g , then the output on Bob’s side mustbe h = z ⊕ g .2. Alice sends m ⊕ g to Bob. Bob’s output bit is m ⊕ g ⊕ h . the players in those protocols, it is still possible that bitcommitment can be implemented with the help of theone-time tables generated by the quantum preprocessingprotocols. In the Protocol 10 we propose a bit commit-ment protocol inspired by a computationally-secure con-struction based on quantum one-way permutations [34].Here, instead of using the quantum one-way permuta-tions, we use a special bipartite classical computationwith distributed output, with the help of quantum pre-processing. Our scheme is cheat-sensitive and subject tosome other assumptions similar to those for the genericProtocol 8. It requires that one of the parties be conser-vative.In the last step of Protocol 10, if Alice sends Bob somerandom bit string, the results obtained by Bob are gen-erally not consistent with any input value of b . For large m , it is hard for Alice to guess the appropriate bit stringthat could make Bob believe the input was 1 − b . Thereason is as follows. There are 2 m possible bit strings oflength m representing the results of the nonlocal ANDgates (called “outcome strings” below). In the genericcase that Bob did not use all zero values for the m in-put bits for the nonlocal AND gates, one of the outcomestrings corresponds to the input value b , while a differ-ent outcome string corresponds to the input value 1 − b ,and all other 2 m − m − m -bit strings) nor his part of the outcome string,she has probability of m − of correctly guessing her partof the outcome string corresponding to the input value1 − b . In the remaining case that Bob had used m in-4 Protocol 10
A check-based quantum protocol forapproximately-secure cheat-sensitive bit commitment
1. Alice and Bob perform Protocol 5 to obtain some one-time tables with the degree of security dependent on re-source usage. They decide on a large integer m relatedto the intended security of the current bit commitmentprotocol.2. Suppose Alice wants to commit a bit b . She asks Bobto together calculate m nonlocal AND gates using themethod in Sec. II, with her input bits being always b ,but Bob’s inputs are random bits chosen by himself.They obtain some distributed bits as the outcomes.This completes the commit phase.3. (Reveal phase) Alice sends Bob her output in the in-stances of the nonlocal AND gates in the previous step.Bob takes the XOR for the corresponding pairs of bitsto recover the results of the nonlocal AND gates. Fromthese results, Bob finds out b , or decides that Alice hascheated by sending him some random bit string so hecannot recover b . puts bits that are all zero, Alice’s input b does not affectthe outcome string which is the all-zero string, so Bobcannot distinguish between the case b = 0 and the case b = 1, and therefore he should not have chosen such all-zero string as his input. The above analysis means thatBob has an allowed strategy such that a cheating Alicehas probability m − of success in trying to change thecommitted bit after the making the commit. V. APPLICATIONS IN TWO-PARTYQUANTUM COMPUTATION
The methods in this work can be applied in two-partysecure quantum computing tasks. When such tasks haveclassical input and output, they also serve as classicaltasks of the type discussed in Sec. IV, but with quantumimplementations. In this way, classical computationaltasks are completed with quantum speedup and quantumsecurity advantage. But this requires at least one party tohave quantum capabilities beyond those required by Pro-tocol 1. A typical problem in two-party quantum compu-tation is quantum homomorphic encryption (QHE). QHEis an encryption method that allows quantum computa-tion to be performed on one party’s private data withthe program provided by another party, without reveal-ing much information about the data nor the program tothe opposite party. In this work we present an interactive QHE scheme (“interactive” means there may be multiplerounds of communication), and a constant-round QHEscheme. The main part of the constant-round schemehas three stages of communication, instead of two in theusual definition of QHE [10]. The initial preparation ofthe one-time tables with checking and preparation of en-tanglement also involve a constant number of stages ofcommunication.In the QHE schemes below, there are some polynomialswith at least 2 n variables, where n is the number of qubitsin Alice’s input. The 2 n variables correspond to Paulimasks in Alice’s teleportation of the input data to Bob.The way Bob changes the coefficients of the polynomialsis called coefficient-update rules below. The coefficient-update rules for the first 2 n variables (and other variablesmentioned below) under the action of Clifford gates canbe easily obtained from the following relations: PX = i XZP , PZ = ZP , HX = ZH , HZ = XH , CNOT ( X a Z b ⊗ X c Z d ) = ( X a Z b ⊕ d ⊗ X a ⊕ c Z d ) CNOT , (12)where the ⊕ is addition modulo 2, and in the gate CNOT , the qubit 1 is the control. The coefficient-update rules for the variables under the T gate can beobtained from the relations TZ = ZT , TX = e − πi/ PXZT . (13)The coefficient-update rules are analogous to the key-update rules in [10, 11], but here the coefficients, ratherthan the Pauli keys (the variables), are updated.An interactive QHE scheme with almost optimalinformation-theoretic data privacy and circuit privacy isobtainable by using the method in Protocol 7 to evaluateclassical linear polynomials, and using the latter as asubprocedure in the Scheme 4 in [26]. We describe thesteps as follows. Scheme 1 (An interactive QHE scheme using precom-puted one-time tables)1. Alice and Bob produce a large number of one-timetables.2. Alice teleports her n input data qubits to Bob with-out telling him any Pauli corrections. The 2 n bitsindicating the Pauli corrections are part of the vari-ables in the polynomials to be evaluated.53. For each stage of the circuit consisting of some Clif-ford gates and a T gate, the two parties do the fol-lowing: Bob calculates the coefficients (includingthe constant term) in the linear polynomial to beused for deciding the P † correction after the T gate.Alice and Bob each does their own part of opera-tions in Protocol 7 to evaluate the current linearpolynomial, which has 2 n variables. This includeseach party takes the XOR of the variables (or coef-ficients) with the input of some unique one-time ta-ble, and sends the resulting bits to the other party,and then each party calculates a bit as a part of thedistributed outcome of the linear polynomial. Ac-cording to the local outcome bit, each party doeshis or her part of the operations in a garden-hosegadget (shown in Appendix C). The result for aBell-state measurement corresponding to a X j Z k correction is recorded as two bits j and k . Themeasurement outcomes on Alice’s side are part ofthe variables of the later polynomials.4. After the last T gate, Bob performs the last Clif-ford gates in the desired circuit, and calculates hiscoefficients in the last polynomials for calculatingthe final Pauli masks. He does his part in evalu-ating those polynomials, while Alice also does herpart. This includes each party sending the XOR ofvariables (or coefficients) with the local input bitin one-time tables. Each party obtains a bit, andthe XOR of these two bits is the intended outcomeof the polynomial. Bob teleports his output stateto Alice while modifying the correction bits in theteleportation by taking the XOR of those correc-tion bits with his part of the outcomes for the lastpolynomials.5. Alice corrects the received state from teleportationwith the corresponding Pauli operators, which aredetermined from Bob’s message as well as her partof the output of the last polynomials. The resultingstate is the final quantum output.The following is an estimate of the resource cost ofScheme 1. Suppose R is an upper bound on the numberof T gates in the circuit to be evaluated. The numberof variables in a linear polynomial is at most 2 n + 4 R .The factor 4 is from that each Bell-state measurementhas two outcome bits, and Alice has two Bell-state mea-surements in each gadget. As there are R + 2 n linearpolynomials to be evaluated, and each variable requires a one-time table in the evaluation of a polynomial, thetotal number of consumed one-time tables is O ( n + R ).This is much smaller than the constant-round Scheme 2below, which has cost exponential in the T -gate depthof the circuit. We still introduce Scheme 2 since thereare interpolations between the Scheme 1 and the Scheme2, giving rise to some tradeoff between the number ofrounds and the resource cost: the number of rounds maybe fewer than in the interactive scheme, while the num-ber of required one-time tables may be higher. This isachieved by running the Scheme 2 for a segment of thecircuit, and the two parties interact, and proceed to thenext segment.The Scheme 2 below is a three-message QHE scheme,with the main structure modified from some schemewith non-ideal security in [26]. A main technique of thescheme is to use a simplified version of a garden-hosegadget from [11] (and attached in Appendix C). Themain part of the scheme has three stages of classicalcommunication: from Bob to Alice, and from Alice toBob, and a final teleportation from Bob to Alice. Theschemes requires using some linear polynomials of theform in Protocol 7, but also some nonlinear polynomials,which can also be treated as linear polynomials (with thevariables being the product of some original variables)in order to apply Protocol 7. The construction ofthe scheme depends on the following property: Bob’scoefficients of the (nonlinear) polynomials (the constantterm is not included here) do not depend on Alice’soriginal Pauli mask bits or her measurement outcomesin the garden-hose gadgets. The latter independence ispossible because we include Alice’s previous measure-ment outcomes and her original Pauli mask bits, as wellas her input bit for the garden-hose gadgets as variables.The XOR of Alice’s and Bob’s inputs for a garden-hosegadget correspond to a polynomial of previous variables,thus Bob’s input to any garden-hose gadget can be ex-pressed as a (nonlinear) polynomial of previous variablesXORed with Alice’s input to this garden-hose gadget,the latter being a new variable. Then the coefficientsof Bob can be effectively regarded as independent ofAlice’s variables. Given the above choice of variables,the constant terms in the polynomials are determinedby Bob’s local measurement outcomes in his part of thegarden-hose gadgets. Scheme 2 (A three-message high-cost QHE schemeusing precomputed one-time tables)6 1. Alice and Bob produce a large number of one-timetables.2. Bob calculates the XOR of each coefficient in the(nonlinear) polynomials with his input in a uniqueprecomputed one-time table, and sends the result-ing bits, and the labels for the corresponding one-time tables to Alice.3. Alice teleports her n input data qubits to Bob with-out telling him any Pauli corrections. The 2 n bitsindicating the Pauli corrections are part of the vari-ables in the polynomials to be evaluated. Withthe received message, Alice computes her part ofthe output of the (nonlinear) polynomials using theone-time tables, based on the method in Protocol 7.Alice records her part of the output of a (nonlin-ear) polynomial as a new variable, and accordingto its value, she does some appropriate P † gate fol-lowed by Bell-state measurements in the garden-hose gadgets (shown in Appendix C). The resultfor a Bell-state measurement corresponding to a X j Z k correction is recorded as two bits j and k .The measurement outcomes are part of the vari-ables of the later polynomials. She calculates theXOR of each term in the next polynomial and herinput bit in a unique one-time table, and sends theresulting bits to Bob. She proceeds to do this untilshe reaches the end of the circuit, including send-ing messages about the last 2 n polynomials for thePauli corrections.4. Bob receives Alice’s message and calculates his out-put for the first polynomial (which is linear) usingProtocol 7. The Bob part of the output of the firstpolynomial decides which measurements he shoulddo in the first garden-hose gadget. He performsthe Clifford gates and the T gate before the firstgarden-hose gadget, and performs the appropriatemeasurements in the first garden-hose gadget. Theoutcomes of those measurements help determinethe constant term in the later (nonlinear) polyno-mials. He continues to do the next batch of gatesand measurements. He evaluates some (nonlinear)polynomial, and according to his part of the outputvalue of such polynomial, he performs the appropri-ate measurements in the corresponding garden-hosegadget. After the last T gate, Bob does his part inevaluating the last polynomials for calculating thefinal Pauli masks. The outcomes of those polyno- mials are distributed as the XOR of bits on thetwo parties. Bob teleports his output state to Al-ice while modifying the correction bits in the tele-portation by taking the XOR with his part of theoutcomes of the last polynomials.5. Alice corrects the received state from teleportationusing the corresponding Pauli gates, which are de-termined from Bob’s message as well as her part ofthe output of the last polynomials. The resultingstate is the final quantum output.We analyze the resource cost of Scheme 2. The numberof variables in the first polynomial is 2 n , but the secondpolynomial would be nonlinear and has 2 n + (2 n + 1) × k -th polynomial has f ( k ) terms apart fromthe constant term. Then f ( k ) = f ( k −
1) + [ f ( k −
1) +1] × k >
1, so when k = R , the number of termsis O ( n · R ). There are R polynomials (correspondingto the T gates) which follow the induction rule above.But the last 2 n polynomials do not follow the rule, andthey do not increase any number of variables comparedto previous polynomials, because they are for the Paulicorrections after a Clifford circuit. Thus the total numberof consumed one-time tables is O ( n · R ).The security of the Schemes 1 and 2 are optimal ifthe one-time tables have ideal security, where “optimal”means that Alice may learn information about Bob’s in-put from the final output only, and Bob learns nothing atall about Alice’s input. But in fact, the one-time tableshave partial security, due to the finite number of checksand the noise (including errors), so the security of thescheme above is partial. See also the discussion below.There are two points on which the security of two-partyquantum computation may be somewhat weaker than inclassical two-party computation based on the similar pro-cedures for generating one-time tables. First, it is lessnatural in the quantum protocol to impose classicality ofthe output of the one-time table. Imposing classicality ofcourse helps security, but it is not necessary given our as-sumptions about the players in the preprocessing stage.In practice, we may assume that the output of the one-time tables have decohered prior to the use in the maincomputation. Second, in the Schemes 1 or 2 given above,the Pauli masks for the original input qubits are used asthe variables in all the polynomials involved, this meansthe data privacy is worse than in the case of classical bi-partite computation, in which the intermediate variables7replace the roles of the initial variables in many of thelinear polynomials. But the use of the quantum prepro-cessing in this work would give rise to better data privacythan some of the schemes in later parts of [26], becausethose schemes require correlated encoding of the differ-ent variables, while the variables in the current work areencoded independently by the one-time tables.We now consider two-party computations in which thecircuit is known to Bob only, and each party has someprivate (quantum) input data. A simple extension of theinteractive QHE scheme works, where the extension isjust by adding some input qubits on Bob’s side. Thesequbits are not subject to any Pauli masks.In the following we consider two-party quantum com-putations with publicly known circuit and private quan-tum inputs on both parties. One method is to use thesimple extension of the interactive QHE scheme as in thelast paragraph. A simplified method is to make use ofthe fact that the circuit is publicly known. We brieflydescribe it below.Since the circuit is publicly known, those one-time ta-bles for the linear polynomial for the first P † correctionafter the first T gate are not needed, since Alice can cal-culate by herself the contributions to this P † correctiondue to her original Pauli masks. She could just tell Bobbefore the protocol starts to choose a fixed input on hisside in the first garden-hose gadget, then she could decideher input for this gadget on her own. But Bob’s measure-ment outcomes in the garden-hose gadgets are not knownto Alice, and they should affect the subsequent P † correc-tions. Hence, in later garden-hose gadgets, Bob’s inputcannot be fixed, and the rest of the scheme is similar tothe interactive scheme, but with some extra (quantum)input data on Bob’s side. In the case that Alice’s inputis classical, the initial teleportation can be replaced withclassical communication with withheld bit-flip masks. Ifthe output is on Bob’s side, Bob need not send any mes-sage after Alice’s message, and Alice sends him some bitsfor Pauli corrections at the end. In the case that the out-put is on Alice’s side and is classical, the final telepor-tation from Bob to Alice can be replaced with classicalcommunication without any masks. VI. APPLICATION IN CHECK-BASEDIMPLEMENTATION OF NO-SIGNALINGCORRELATIONS WITH THE HELP OF INERTCOMMUNICATION
The Protocol 11 for generating the one-time tables to-gether with Protocol 4 for checking them effectively im-plement the PR-box (Popescu-Rohrlich box [35]) typeof correlations. The implementation needs time in com-munication, and involves some inert communication , i.e.sending of some classical messages which do not containuseful information about the inputs (in the “useful” one-time tables, but not in those one-time tables subject tochecks and not actually used). So this is not a directimplementation of the PR box, which must be instanta-neous. Rather, it is a check-based implementation of thePR-box type of correlations with time cost and inert com-munication cost. The fact that it is check-based impliesthat it is not a deterministic protocol, but forced almost-deterministic , meaning that the checking party could setthe threshold to very low so that the other party mustbe nearly completely honest to avoid aborting, and ifthe parties are indeed nearly completely honest, the pro-tocol is almost deterministic. However, in Protocol 11,after the initial entanglement has been established, thetwo directions of teleportation and partial sending of themeasurement outcomes can be done simultaneously. Thisdoes have some partial flavor of “instantaneous” imple-mentation.In the following, we show how to implement the fol-lowing general type of no-signaling correlations in [36] inthe check-based way. P ( A ⊕ B = ab | a, b ) = 12 (1 + E ) , (14)with 0 ≤ E ≤
1. According to an argument in [37] (alsomentioned in [36]), the form (14) is representative of alarge class of no-signaing correlations (those with inputand output dimensions 2 on both sides). The way toimplement the no-signaling correlations above is similarto the implementation of the PR-box correlations above,but with an additional step in those instances of Proto-col 11 not subject to checking but used for the final cor-relations: Bob randomly flips his output bit with prob-ability (1 − E ). Such probabilistic step is not involvedin the instances of Protocol 11 subject to checking, soProtocol 4 still applies, although with the output cor-relations changed. A drawback of such implementationis that Bob knows the original value of his output bit,8so he may recover a PR-box type of no-signaling cor-relation. A non-perfect way of dealing with this is tochange the last step to that Alice and Bob both flip therespective output bit with some probability p = −√ E sothat (1 − p ) + p = E . Such modified protocol stillhas the similar drawback that one party could recover ano-signaling correlation with parameter larger than in-tended. VII. DISCUSSIONS
1. Extensions of protocols
The qubit-based quantum protocols in this work canbe generalized to work for qudits in principle. This isinspired by the classical case in [4]. This requires somechanges in the classical usage of the generated correla-tions.The methods in this work are extendable to multipar-tite classical computation in principle. Some pairs ofparties (possibly including some server) may prepare one-time tables using the quantum protocols in this work.A method of enhancing the security by additionalchecks after the computation is as follows. If one party,say Alice, does not require the long-term security of herinput in the main computation, Bob may ask her to doadditional checking of the one-time tables used in themain computation, at a time such that her input data isno longer sensitive, to make sure that she has not cheatedby a lot. Of course, in some practical applications, thefinal computation result provides some check against Al-ice’s cheating, since Alice usually has to cheat all the wayto the end for a generic computation to be correct (pro-vided that the final result is on her side, not distributedas the XOR of remote bits), and always cheating success-fully is unlikely to happen because of the inequalities inSec. III.Due to experimental limitations and the overhead fromthe checkings, the number of one-time tables generatedby our quantum protocols may be insufficient if a largetwo-party computation is to be performed. In that case,it is possible to use some classical processing of thequantum-generated one-time tables, to generate moreone-time tables with computational security. Note thatextensions of 1-out-of-2 oblivious transfers is studied in[38], and our one-time tables correspond to the 1-out-of-2 oblivious transfer, as shown in Protocol 9. This showsthat the classical extensions for the quantum-generatedone-time tables are in principle possible.
2. Physical implementations of Protocol 1
The Protocol 11 is an entanglement-based version ofProtocol 1. The shared entanglement in Protocol 11could be prepared by a fixed entanglement-generatingdevice, allowing for failures in preparation (although weallow failures in the whole Protocol 11, so failures in anyparticular step is not of much concern). This may alsohelp getting rid of the issue of multiple photons in directcommunication, which would harm Bob’s data privacy(although some schemes with the direct sending of pho-tons may also allow the detection of multiple photons).Using generation of entanglement could also increase theallowed distance between Alice and Bob, if the entangle-ment is generated by a device at the middle, comparedto using direct sending. The Protocol 2 is also an al-ternative to Protocol 1, as it uses direct sending in onedirection only, with four qubits sent at a time, comparedto two qubits in Protocol 1. As for detector inefficienciesand dark counts, the fact that the Protocol 1 can be re-done after failure can help mitigate the effects of these is-sues. The appeal of Protocol 1 is mainly in that only twoqubits are used (although the optical implementation ofthe
CNOT gate with checking for multiple photons mightinvolve some ancillary qubits).
3. Effects of noise and errors
If direct sending of photons is used in Protocol 1, wesuggest using the known methods such as decoherence-free subspaces or quantum codes, to reduce or preventthe errors in the transmission. We leave the details forfuture work. In the following, we analyze the theoreticalimpact of noise (including errors) on our protocols.We consider the case that the main computation isclassical, since the quantum case is similar in that it alsoinvolves evaluating classical linear polynomials. WhenProtocol 3 with noise is used for a bipartite classical com-putation task, and if Alice’s data privacy is more impor-tant than Bob’s, we suggest that Alice who is the firstparty in the main computation be the second party in thepreprocessing. Then the data leakage of Alice is aboutthe product of the circuit size (the number of the one-time tables) and a small constant indicating the noiselevel. This is because in Protocol 3, the physical errorsand the first party’s cheating look about the same for thesecond party in the verifications (the “first party” in thissentence is the Bob in the main computation). For cir-cuits with a high level of parallelism, the data leakage ofAlice per input bit is about the product of circuit depthand the error constant described above. So the allowed9circuit depth is a constant, which is inverse proportionalto the error constant. Similar remarks can be said forProtocol 4 for both sides.If Protocol 5 based on Protocol 3 is used for a bipar-tite classical computation task, we suggest that Alice bethe first party both in the preprocessing and the maincomputation. The noise level is almost not related to thedata privacy of Alice, which is exponentially good as thenumber of one-time tables used in Protocol 5 increases.The noise mainly affects the correctness of the compu-tation, and Bob’s data privacy. If the noise level is nottoo low, Bob’s data privacy in Protocol 5 would not betoo good, since he has some identical inputs, and Alicecould try to learn partially about each of them to recoverhis true input. Bob could check more one-time tables todeal with this problem. Thus some polynomial overheadis needed to achieve the similar privacy of Bob’s as in Pro-tocol 3. An alternative would be simply using Protocol 4.The Protocol 6 is better than Protocol 4 in the correct-ness, but it has some overhead in resource costs. A morecomplicated method is using Protocol 5 with “recompi-lation”, that is, using some new publicly-known functioninstead of the original function, with Bob’s input changedaccordingly, while Alice’s input is unchanged, so that theresult is the same as the original function with the origi-nal input of Bob. If the new function is chosen so that itencodes universal classical circuits, and the possible newinputs of Bob are long enough, we can achieve a goodlevel of security for Bob’s input. Such recompilation canbe done by classical preprocessing.There have been studies of the effects of noise in clas-sical cryptographic tasks, and noise is not always bad forsecurity [39]. Note that adding some assumptions aboutquantum capabilities may improve the security in bitcommitment [40]. Adding similar assumptions on top ofour quantum preprocessing protocols may improve thesecurity in the applications.
VIII. CONCLUSION
We have proposed some quantum protocols for ap-proximately generating a certain type of classical cor- relations (a special case of the one-time tables [4]) withvarying degrees of privacy, to be used in bipartite securecomputation tasks. We discussed the effects of noise,and proposed a protocol for dealing with it. We haveshown how to use the generated one-time tables in eval-uating linear polynomials and generic boolean circuits,and in cheat-sensitive 1-out-of-2 oblivious transfer andcheat-sensitive bit commitment, as well as in (interactive)quantum homomorphic encryption and general two-partysecure quantum computation. In the discussions we havementioned that our method gives a check-based imple-mentation of the PR-box type of correlations, but withsome communication time cost, and involves sending ofclassical messages which do not contain useful informa-tion about the inputs, so it is not a direct implementationof the PR box. Some other no-signaling correlations canalso be generated in the checked-based way with the helpof similar classical communications. Open problems in-clude: applications in check-based cheat-sensitive quan-tum implementation of other cryptographic primitives,which may be weaker than the plain version of the prim-itives; whether there is a constant-round QHE schemewith costs polynomial in circuit size; a refined analysis ofthe protocols, taking into account the physical errors inquantum states and operations; fault-tolerance; applica-tion to special classes of circuits or functions; design ofexperimental schemes.
Acknowledgments
LY thanks Yingkai Ouyang for helpful comments. Thisresearch is funded in part by the NKRDP of China (No.2016YFA0301802), the National Natural Science Foun-dation of China (No. 11974096), the Scientific ResearchFund of Zhejiang Provincial Education Department (No.Y201737289), and the startup grant of Hangzhou NormalUniversity. [1] Craig Gentry. Fully homomorphic encryption using ideallattices. In
Proceedings of the Forty-first Annual ACM Symposium on Theory of Computing , STOC ’09, pages169–178, New York, NY, USA, 2009. ACM. [2] Z. Brakerski and V. Vaikuntanathan. Efficient fully ho-momorphic encryption from (standard) LWE. In , pages 97–106, Oct 2011.[3] A. C. Yao. How to generate and exchange secrets. In ,pages 162–167, Oct 1986.[4] Donald Beaver. One-time tables for two-party compu-tation. In Wen-Lian Hsu and Ming-Yang Kao, editors, Computing and Combinatorics , pages 361–370, Berlin,Heidelberg, 1998. Springer Berlin Heidelberg.[5] Peter P. Rohde, Joseph F. Fitzsimons, and AlexeiGilchrist. Quantum walks with encrypted data.
Phys.Rev. Lett. , 109:150501, 2012.[6] Min Liang. Symmetric quantum fully homomorphic en-cryption with perfect security.
Quantum Inf. Process. ,12:3675–3687, 2013.[7] Li Yu, Carlos A. P´erez-Delgado, and Joseph F. Fitzsi-mons. Limitations on information-theoretically-securequantum homomorphic encryption.
Phys. Rev. A ,90:050303(R), Nov 2014.[8] S.-H. Tan, J. A. Kettlewell, Y. Ouyang, L. Chen, andJ. F. Fitzsimons. A quantum approach to homomorphicencryption.
Sci. Rep. , 6:33467, 2016.[9] Y. Ouyang, S.-H. Tan, and J. Fitzsimons. Quantum ho-momorphic encryption from quantum codes.
Phys. Rev.A , 98:042334, 2018.[10] Anne Broadbent and Stacey Jeffery. Quantum homo-morphic encryption for circuits of low T-gate complexity.
In Proceedings of Advances in Cryptology — CRYPTO2015 , pages 609–629, 2015.[11] Yfke Dulek, Christian Schaffner, and Florian Speelman.Quantum homomorphic encryption for polynomial-sizedcircuits.
CRYPTO 2016: Advances in Cryptology -CRYPTO 2016 , pages 3–32, 2016.[12] M. Newman and Y. Shi. Limitations on TransversalComputation through Quantum Homomorphic Encryp-tion.
Quantum Information and Computation , 18:927–948, 2018.[13] C.-Y. Lai and K.-M. Chung. On Statistically-SecureQuantum Homomorphic Encryption.
Quantum Informa-tion and Computation , 18:785–794, 2018.[14] U. Mahadev. Classical homomorphic encryption forquantum circuits. In ,pages 332–338, Oct 2018.[15] Gorjan Alagic, Yfke Dulek, Christian Schaffner, and Flo-rian Speelman. Quantum fully homomorphic encryptionwith verification. In Tsuyoshi Takagi and Thomas Peyrin,editors,
Advances in Cryptology – ASIACRYPT 2017 ,pages 438–467, Cham, 2017. Springer International Pub-lishing.[16] M. Newman. Further Limitations on Information-Theoretically Secure Quantum Homomorphic Encryp-tion. http://arxiv.org/abs/1809.08719 , September2018.[17] Si-Hui Tan, Yingkai Ouyang, and Peter P. Rohde. Prac-tical somewhat-secure quantum somewhat-homomorphicencryption with coherent states.
Phys. Rev. A , 97:042308,Apr 2018.[18] Andrew Childs. Secure assisted quantum computation.
Quantum Information and Computation , 5(6):456, 2005.[19] K. Fisher, A. Broadbent, L.K. Shalm, Z. Yan, J. Lavoie,R. Prevedel, T. Jennewein, and K.J. Resch. Quantum computing on encrypted data.
Nat. Commun. , 5:3074,2014.[20] Yingkai Ouyang, Si-Hui Tan, Liming Zhao, and Joseph F.Fitzsimons. Computing on quantum shared secrets.
Phys. Rev. A , 96:052333, Nov 2017.[21] Yingkai Ouyang, Si-Hui Tan, Joseph Fitzsimons, and Pe-ter P. Rohde. Homomorphic encryption of linear opticsquantum computation on almost arbitrary states of lightwith asymptotically perfect security. http://arxiv.org/abs/1902.10972 , Feb 2019.[22] C. H. Bennett and G. Brassard. Quantum cryptography:Public key distribution and coin tossing. In
Proceedingsof IEEE International Conference on Computers, Sys-tems and Signal Processing , volume 175, page 8. NewYork, 1984.[23] Hoi-Kwong Lo. Insecurity of quantum secure computa-tions.
Phys. Rev. A , 56:1154–1162, Aug 1997.[24] Harry Buhrman, Matthias Christandl, and ChristianSchaffner. Complete insecurity of quantum protocolsfor classical two-party computation.
Phys. Rev. Lett. ,109:160501, Oct 2012.[25] Roger Colbeck. Impossibility of secure two-party classicalcomputation.
Phys. Rev. A , 76:062308, Dec 2007.[26] Li Yu. A quantum homomorphic encryption scheme forpolynomial-sized circuits. http://arxiv.org/abs/1810.01166 , October 2018.[27] C. H. Bennett, G. Brassard, C. Cr´epeau, R. Jozsa,A. Peres, and W. K. Wootters. Teleporting an unknownquantum state via dual classical and Einstein-Podolsky-Rosen channels.
Phys. Rev. Lett. , 70:1895–1899, Mar1993.[28] D. P. DiVincenzo, M. Horodecki, D. W. Leung, J. A.Smolin, and B. M. Terhal. Locking classical correlationsin quantum states.
Phys. Rev. Lett. , 92:067902, Feb 2004.[29] Claude Cr´epeau. Equivalence between two flavours ofoblivious transfers. In Carl Pomerance, editor,
Advancesin Cryptology — CRYPTO ’87 , pages 350–354, Berlin,Heidelberg, 1988. Springer Berlin Heidelberg.[30] Joe Kilian. Founding cryptography on oblivious transfer.In
Proceedings of the Twentieth Annual ACM Symposiumon Theory of Computing , STOC ’88, pages 20–31, NewYork, NY, USA, 1988. ACM.[31] S. Wolf and J. Wullschleger. Oblivious transfer and quan-tum non-locality. In
Proceedings. International Sympo-sium on Information Theory, 2005. ISIT 2005. , pages1745–1748, Sep. 2005.[32] Hoi-Kwong Lo and H. F. Chau. Is quantum bit commit-ment really possible?
Phys. Rev. Lett. , 78:3410–3413,Apr 1997.[33] Dominic Mayers. Unconditionally secure quantum bitcommitment is impossible.
Phys. Rev. Lett. , 78:3414–3417, Apr 1997.[34] Paul Dumais, Dominic Mayers, and Louis Salvail. Per-fectly concealing quantum bit commitment from anyquantum one-way permutation. In Bart Preneel, editor,
Advances in Cryptology — EUROCRYPT 2000 , pages300–315, Berlin, Heidelberg, 2000. Springer Berlin Hei-delberg.[35] Sandu Popescu and Daniel Rohrlich. Quantum nonlocal-ity as an axiom.
Foundations of Physics , 24(3):379–385,Mar 1994.[36] Marcin Pawlowski, Tomasz Paterek, Dagomir Kasz-likowski, Valerio Scarani, Andreas Winter, and Marek˙Zukowski. Information causality as a physical principle. Nature , 461:1101–1104, 2009.[37] Ll. Masanes, A. Acin, and N. Gisin. General propertiesof nonsignaling theories.
Phys. Rev. A , 73:012112, Jan2006.[38] Gilad Asharov, Yehuda Lindell, Thomas Schneider, andMichael Zohner. More efficient oblivious transfer exten-sions.
Journal of Cryptology , 30(3):805–858, Jul 2017.[39] C. Cr´epeau and J. Kilian. Achieving oblivious trans-fer using weakened security assumptions. In [Proceedings1988] 29th Annual Symposium on Foundations of Com-puter Science , pages 42–52, Oct 1988.[40] Louis Salvail. Quantum bit commitment from a phys-ical assumption. In Hugo Krawczyk, editor,
Advancesin Cryptology — CRYPTO ’98 , pages 338–353, Berlin,Heidelberg, 1998. Springer Berlin Heidelberg.[41] Artur K. Ekert. Quantum cryptography based on Bell’stheorem.
Phys. Rev. Lett. , 67:661–663, Aug 1991.
Appendix A: An entanglement-based version ofProtocol 1
In this appendix we introduce Protocol 11 which is avariant of Protocol 1 based on initial entanglement. Itcontains only communication from Bob to Alice after theentanglement is established. It does not explicitly con-tain classical communication from Alice to Bob. But thisis because the input x is generated by the measurementin the protocol. If x were generated by Alice before theprotocol, one bit of classical communication from Alice toBob would be needed. For the procedure of testing thatthe entangled states are indeed EPR pairs, we suggest us-ing a method similar to that using the CHSH inequalityin [41], which is for testing the singlet state, but note thatwe need to leave some EPR pairs untested for later use inour protocol. There are other ways of testing, in whicheach party measures in one of some different bases, andthen the two parties compare notes. These methods gen-erally contain aborts. In Protocol 11, Bob generates theentanglement, since no explicit communication is fromAlice to Bob in the protocol (although Alice’s input x implicitly becomes partially known to Bob), so he is lessmotivated to cheat in entanglement generation.Note that in studying the security of Protocol 11, ifAlice’s (cheating) strategy is such that she does not doany operation (including measurement) on her later twoqubits before Bob does anything, Alice’s possible ancil-lary qubits that are involved in her initial operations (ifshe indeed adds such ancillae) and the possible remainingpart of her first two qubits after her initial measurementscould be viewed as the purification system for Bob’s firsttwo qubits, thus the security analysis of Protocol 1 (al-lowing initial hidden ancillae of Alice’s entangled with the sent state) can basically be applied to the analysis ofProtocol 11 in such case.A more complex cheating strategy of Alice is that shedoes some measurement (including joint measurement onher four qubits) and select only certain outcomes whiledeclaring the instances with other outcomes as “failed”to Bob. She could have an advantage in imposing Bob’smeasurement outcomes, and thus she could learn Bob’soutput bit r while still learn partial information about y ,as indicated by numerical calculations. Other strategiescould potentially help Alice learn y perfectly but onlylearn r or y ⊕ r partially, but numerical evidence suggestthat for any measurement strategy of Alice, the c on theright hand side of Eq. (B3) cannot be greater than 1 .
5. Aremedy for such case is that Bob could observe the mea-surement statistics on his side for the failed instances (orthe instances that did not fail) declared by Alice and hisexpected statistics of measurement outcomes, to find outif Alice cheated in this way. If Bob finds no deviationfrom the expected statistics, his reduced density opera-tor of the initial entangled state should be the maximallymixed state on four qubits, and Alice’s possible opera-tions can only be local unitaries on her side only, whichdoes not help her learn extra information compared tothe original protocol.Note that in Protocol 1, Alice could potentially have acheating strategy as follows: she could use some entan-gled state at the initial sending of qubits, and after Bob’soperations, do some (joint) measurement on the ancillaeand the returned state from Bob, and declare failure forsome measurement outcomes. The security of Protocol 1is more resilient to such attack, since Bob’s state is di-rectly sent back. Some simple calculations suggest thatthe extreme cases in Eq. (B3) still hold in such case, butthe intermediate cases may have somewhat worse secu-rity than in the case that Alice did not cheat in this way.As a counter-measure, Bob could check that the averagestate on two qubits received in the instances that did notfail is the maximally mixed state. Note that such consid-erations has no effect on the security of Protocol 1 whenAlice is honest or honest-but-curious. Also note that theProtocol 2 is quite resistent to such attack since thereis only one-way communication from Bob to Alice, butagain, the intermediate cases need to be studied. But wenote that the intermediate cases of the Holevo quantitytradeoffs may become not relevant if Protocol 6 is usedfor checking one-time tables, since the classical mutualinformation rather than the Holevo bound is essential in2analyzing the security of Protocol 6, which is because thefinal quantum state of Alice for each instance of the one-time table is measured for performing checkings, whilein some other protocols such as Protocol 3, the statesfor the actually used one-time tables are not measuredduring the checking.
Appendix B: Numerical results for the quantumprotocols
Numerical calculations confirm the inequalities (1)through (3). Note the same M occurs twice in each in-equality. The calculations assume that Bob’s received atwo-qubit mixed state from Alice. This is modeled witha pure state on four qubits, according to the Schmidtdecomposition. The calculations assume projective mea-surements by Alice after she receives the message fromBob, although POVM measurements may give rise to alarger sum on the left-hand-side, and such weakness isremedied by the calculation of the Holevo bound below.Numerical calculations suggest the following inequalities. χ y + χ r ≤ c, (B1) χ y + χ y ⊕ r ≤ c, (B2)where c is a constant somewhat larger than 1 .
388 and isyet to be precisely determined. This implies that χ y + max( χ r , χ y ⊕ r ) ≤ c. (B3)Numerics suggest that near the ends of the tradeoffcurve indicated by Eqs. B1 and B2, one quantity ap-proaches 1 bit while the other quantity approaches 0.For some of Bob’s received state that approaches the nu-merically found maximal value of the left-hand-side, thetwo terms on the left-hand-side of Eq. (B3) are aboutequal, and the corresponding sum in the left-hand-sideof Eq. (3) under projective measurements is numericallyfound to be not greater than 1 bit. The latter sum isobserved to have the same property for initial states sat-isfying max( χ r , χ y ⊕ r ) ≈
1. When there is no ancilla, nu-merics suggest that the left-hand-side of Eq. (B3) is notgreater than 1 bit. As quantitative examples for Eq. (5),we have f (0 . ≈ .
3, and f (0 . ≈ .
06. An illustrationof Eq. (B3) by numerical calculations is in Fig. 1.
Appendix C: The garden-hose gadget that correctsan unwanted P gate The Fig. 2 shows a simplified version of a gadget in[11] for correcting an unwanted P gate due to a T gate FIG. 1: An illustration of Eq. (B3) by numerical calculations.The two axes are the Holevo bounds for 500000 random mixedstates received by Bob from Alice on two qubits, which ismodeled by a pure state on four qubits including two ancillaryqubits. Horizontal axis (H1): max( χ r , χ y ⊕ r ); vertical axis(H2): χ y . in the circuit with certain prior Pauli corrections. Theinput qubit starts from the position “in”, and ends upin a qubit which is initially maximally entangled withBob’s qubit labeled “E” [in the state √ ( | (cid:105) + | (cid:105) )].The unwanted P on this qubit is corrected, but someother Pauli corrections are now needed because of theBell-state measurements. These Pauli corrections are tobe accounted for in the later evaluation of polynomials.Note that in each use of this gadget, some of the Bell-state measurements are not actually performed. Alice’stwo Bell-state measurements are on the same pairs ofqubits irrespective of q .3 Protocol 11
An entanglement-based quantum protocol for generating one-time tables
Input of the generated one-time table:
A random bit x generated in the protocol by Alice, and a random bit y that Bobgenerates before the protocol. Output of the generated one-time table: ( x · y ) ⊕ r and r on the two sides, where r is a random bit.The input and output together form the one-time table.1. After some procedure of generating EPR states and testing them, the two parties share four tested EPR pairs. Bobgenerates and distributes the entanglement. The testing procedure, which may contain aborts on failure of passing thetests, is discussed in the text.2. (The steps 3 and 4 performed by Bob can be done concurrently with the Step 2 performed by Alice.) Alice generates arandom bit s . If s = 0, she measures the four qubits in her part of the EPR pairs in the Z basis, and records themeasurement outcome on the first qubit as x ; if s = 1, she measures these four qubits in the X basis, and records hermeasurement outcome on the second qubit as x . The states | + (cid:105) and |−(cid:105) are regarded as 0 and 1, respectively, in therecording. The XOR of the measurement outcomes on the three remaining qubits is recorded as g .3. If y = 0, Bob does a CNOT gate on his first two qubits, with the first qubit being the control qubit.4. Bob teleports his first two qubits to Alice, using the later two EPR pairs, while withholding part of the informationabout the measurement outcomes: he calculates the XOR of the four correction bits, and sends the resulting bit w toAlice. Bob calculates the XOR of the two bits for X corrections (although they actually correspond to σ y correctionsdue to the sending of a bit above) on the two qubits, and records the result as his output for the protocol.5. Alice calculates her output bit: g ⊕ ( s · w ).E p q P † P † Bob AliceFIG. 2: A simplified version of a gadget in [11] for applyinga P † to a qubit initially at the position “in” if and only if p + q = 1 (mod 2), using the “garden hose” method. Thedots connected by wavy lines are EPR pairs. The curvedlines are for Bell-state measurements. For example, if p = 0and q = 1, the qubit is teleported through the first and thethird EPR pairs, with a P † applied to it by Alice in between.The transformed state of the input qubit always ends up ina qubit on Bob’s side which is initially maximally entangledwith the qubit labeled “E” [in the state √ ( | (cid:105) + | (cid:105)(cid:105)