I Introduction
As quantum computers are difficult to build, a practical way for doing quantum computation is using the clientserver model. The quantum computer is placed at the server, and the clients may have limited quantum capabilities. The client and the server may want to hide some information about their program or data from each other. This is part of the reason why security in bipartite quantum computing is of interest. Bipartite quantum computation may also be related to or directly implement some classical or quantum cryptographic tasks. Two problems in bipartite quantum computing have attracted a lot of attention. One of them is blind quantum computing, and the other is quantum homomorphic encryption, the main topic of this paper.
In classical cryptography, homomorphic encryption (HE) is an encryption scheme that allows computation to be performed (effectively on the plaintext after decryption) while having access only to the ciphertext. A fully homomorphic encryption (FHE) scheme allows for any computation to be performed in such fashion. The known schemes Gentry09 ; brakerski2011efficient are based on computational assumptions. Quantum (fully) homomorphic encryption (QHE and QFHE respectively) allows (universal) quantum computation to be performed without accessing the unencrypted data. Schemes for quantum homomorphic encryption rfg12 ; Fisher13 ; Tan16 ; Ouyang18 ; bj15 ; Dulek16 ; Lai17 ; Mahadev17 ; TOR18 allow two stages of communication, with some initial shared entangled state. The requirements are that the final computation result is correct, and the data and the final computation result are known only to the dataprovider, who learns little about the circuit performed beyond what can be deduced from the result of the computation itself. There is no limit to the quantum capabilities of any party.
It is known that informationtheoreticallysecure (ITS) QHE for circuits of unrestricted size necessarily incurs exponential overhead NS17 ; Lai17 ; Newman18 . For the special case of unrestricted quantum input states and perfect data privacy, a stronger lower bound is stated in ypf14 . Some computationallysecure QHE schemes for polynomialsized quantum circuits have been constructed bj15 ; Dulek16 ; Mahadev17 .
In this paper, we firstly introduce a QHE scheme for a restricted type of circuits (Scheme 1). It keeps the real product input state perfectly secure, and the circuit privacy is optimal up to a constant factor. We then propose a QHE scheme for a larger class of polynomialdepth quantum circuits, which has partial data privacy and nearoptimal circuit privacy. The entanglement and classical communication costs in both schemes scale linearly with the product of input size and circuit depth.
Ii Review of past results
In the following we put our work in the context of literature results on quantum homomorphic encryption and related problems.
Blind quantum computing (BQC) is a task in which Alice knows both the data and program but can only do limited quantum operations, and the main part of the computation is to be carried out by Bob, who learns neither the data nor much about the program. The output is to be known to Alice but not Bob (this is different from QHE, in which the party with the program does not know the output). Broadbent, Fitzsimons and Kashefi presented a BQC scheme bfk09 using the measurementbased quantum computing model. An experimental demonstration is in Barz12 . There are other BQC schemes based on the circuit model ABE10 , or the ancilladriven model skm13 . The possibility of Alice being a classical client (allowing partial leakage of the client’s information) is discussed in Mantri17 .
In Yu et al ypf14 , it is shown that the condition of perfect data privacy implies an information localization phenomenon, and this puts restrictions on the possible forms of QHE schemes and their complexity. The Theorem 1 and Corollary 1 of ypf14 are for the case that input states are unrestricted. For restricted input states such as real product states, the Scheme 1 in the current work and the scheme in Lai17 provide examples for which the above statements do not apply.
Newman and Shi NS17 (see also Newman18 ), concurrently with Lai and Chung Lai17 , showed that ITSQFHE schemes require communication cost (including entanglement cost) that is at least exponential in the number of input qubits, where “ITS” allows a negligible amount of data leakage. This is based on the work of Nayak Nayak99 .
On computing twoparty classical functions with quantum circuits, Lo Lo97 studied the data privacy in the case that the output is on one party only, and both parties know the function. The security of twoparty quantum computation for fixed classical function with both parties knowing the outcome has been studied by Buhrman et al bcs12 .
There is a line of work on partiallyITS QHE, which are sometimes limited to certain types of circuits. In the scheme of Rohde et al rfg12 , only a logarithmic amount of information about the data is hidden, and the type of circuit is limited to Boson sampling. Tan et al Tan16 ; TOR18 presented QHE schemes that allow some types of quantum circuits and hides only partial information (but more than that in rfg12 ) about the data. Ouyang et al Ouyang18 presented a scheme that hides almost all information about the data, but can only perform Clifford gates and a constant number of nonClifford gates. In the scheme in Ouyang18 , the party with initial data could cheat by replacing the mixed qubits by pure qubits in some particular input state to gain partial knowledge about the Clifford gates applied, without affecting the correctness of the evaluation. The degree of circuit privacy is related to the size of the code, thus it is in a tradeoff with data privacy.
The following results are based on the existence of computationallysecure classical homomorphic encryption schemes. Broadbent and Jeffery bj15 presented two computationallysecure QFHE schemes that are relatively efficient for polynomialsized quantum circuits with limited use of gates (and arbitrary use of Clifford gates). A compact QFHE scheme was proposed by Dulek, Schaffner and Speelman Dulek16 . Its complexity of decryption (but not the overall computation and communication costs) could be independent of the size of the circuit to be evaluated, by choosing the classical HE scheme in it appropriately. Mahadev Mahadev17 presented a quantum leveled fully homomorphic encryption scheme using classical homomorphic encryption schemes with certain properties. The client holding the program in the scheme is classical.
Some schemes for delegated quantum computation have been proposed Ch05 ; Fisher13 . In their original form, they usually have good data privacy but are not necessarily strong in circuit privacy. The Supplementary Note 1 of Fisher13 contains a method based on socalled “universal circuits” to achieve blind quantum computing (hiding the information about the circuit which is initially on the same party as the data) but this does not make it useful for the QHE problem, since the input data and the program are on opposite parties in QHE, unlike in BQC. It is pointed out in bfk09 (with details in Fitz17 ) that the protocol in Ch05 can be modified to become a blind quantum computing protocol having circuit privacy. This method is also not useful for QHE.
Some lower bounds on the length of classical encryption key in an ITS QHE scheme can be found in LaiChung18 .
Iii Preliminaries
First, we give a definition for quantum homomorphic encryption. Note the Encryption algorithm below absorbs both the key generation algorithm and the encryption algorithm in bj15 . The measurements are explicitly allowed.
Definition 1.
A quantum homomorphic encryption scheme (QHE) contains the following three algorithms, where is the security parameter, and refers to a quantum circuit which may contain measurements and quantum gates controlled by classical functions of measurement outcomes, is an initial entangled resource state shared by Alice and Bob, and is the input data state of Alice.

Encryption algorithm . The algorithm outputs some quantum state called the ciphertext. The reduced state of on Alice’s and Bob’s systems are denoted and , respectively.

Evaluation algorithm that does a computation on without decryption.

Decryption algorithm , where .
A scheme is correct if for any input state with associated ciphertext , and any circuit chosen from a set of permitted quantum circuits , (up to a possible global phase). A scheme with perfect data privacy is one such that Bob cannot learn anything about the input , except the size of the input, from . The requirement of circuit privacy refers to that Alice does not learn anything about the circuit performed beyond what can be deduced from the result of the computation itself. In actual protocols we seem only able to approach this goal. A quantum fully homomorphic encryption (QFHE) scheme is one that is homomorphic for all circuits, i.e. the set is the set of all unitary quantum circuits. For more details about the security notions in QHE, see bj15 .
Denote the Pauli operators by , , , . The set of Clifford gates is defined as the set of unitaries satisfying , where and
are tensor products of Pauli operators. The
qubit Clifford gates form a group called Clifford group. Since we ignore the global phase here, the size of the qubit Clifford group is of an expression given in CRSS98 . In particular, the onequbit Clifford group has elements. Let the rotations of angle about the three axes of the Bloch sphere be , , and . Let , , and . Any onequbit Clifford gate (ignoring global phase, same below) can be decomposed using products of (proportional to ) and (proportional to ) in different sequences. The qubit Clifford gates can be decomposed into products of onequbit Clifford gates and the (controlled) gate. The Clifford gates and the gate together form a universal set of gates for quantum computing. For more about universal sets of gates, see Shi03 . In this paper, the term “EPR pair” refers to two qubits in the state . Let denote , and denote .We shall adopt the rebit quantum computation formalism in Rudolph02 in our schemes. (See MMG09 for more about simulating the usual quantum circuit or Hamiltonian within the rebit formalism.) States of complex amplitudes can be represented by states of real amplitudes with only one extra qubit. Let there be an ancillary qubit with an orthonormal basis . The following nonunitary encoding is used in Rudolph02 :
(1) 
where are real numbers. When there are qubits in the initial input, only one ancillary qubit is needed. This ancillary qubit will be called the “phase qubit” in this paper. For Scheme 1 in this paper, we only need to deal with real input states, and in this case the initial encoding is trivial.
Next, we introduce how to apply gates on such representation. A unitary rotation in the basis of an original qubit is mapped to a controlled on the real (i.e. original) qubit and the phase qubit, with the real qubit as the control. A unitary rotation in the basis of an original qubit is still the same gate on the original qubit, and no action is needed on the phase qubit. An entangling twoqubit gate [which is controlled] is implemented by the same gate on the original qubits, and no action is needed on the phase qubit. These gates are all real (meaning that their matrix elements are real), and they can generate all possible unitary operations on any number of qubits, hence quantum computation in this particular representation can be done using only real gates. Let us denote three gates (on the logical qubit) , and as forming the gate set . These three gates can generate the Clifford group on any number of logical qubits, and each of them can be implemented using real gates in the rebit formalism.
In the following paragraphs, we show how an unknown logical onequbit Clifford gate can be implemented up to a phase by just performing the onequbit gates in and the uncertain gates in the set . We shall call the latter gate the uncertain gate. The uncertain gate on Alice’s side is generated using the gadget shown in Fig. 1 which initially contains an EPR pair shared by Alice and Bob. Alice performs a controlled gate with her part of the EPR pair as the control and the data qubit (assumed to be real) as the target. Then she performs a gate on her qubit in the EPR pair and measures it in the basis (with basis states being or ). Bob performs a gate and does a measurement in the basis, where . The choice of determines the gate applied on Alice’s qubit up to a correction and a phase. Such correction can be commuted through the Clifford gates performed later with some Pauli operators as corrections.
Inspired by an gate gadget construction in Broadbent18 , we give a construction using and for some integers to implement one of the four gates , where . We have
(2)  
(3) 
where are real constants, and . Noticing that , the uncertain gate can be implemented using the uncertain gate and the gate which is in . Since and generate the singlequbit Clifford group, the two types of uncertain gates generate the same group.
We also notice that a gate can be implemented using the same gadget. Alice’s action is still the same as before. Bob does some gate with or before doing a basis measurement. The choice of depends on Alice and Bob’s previous measurement results. All previous gadgets and fixed gates give rise to some Pauli operators known to Bob (which are to be corrected by Alice later), and these Pauli operators cause some Pauli operator on Bob’s qubit in the gadget, which is corrected by Bob’s choice of gate before measurement in the gadget. Generally, Bob may implement a gate for any real , by suitably choosing his gate before measurement in the gadget. We omit the details here, since this is a special case of the more general multiqubit diagonal gate in Scheme 1 below.
Iv Main results
(1) About Scheme 1. The Scheme 1 is for a restricted type of circuits with restricted types of input states. The scheme uses the rebit quantum computation techniques in Rudolph02 . In the following, we denote the number of input data qubits as .
The input state for Scheme 1 can be a product real state, but it can also be slightly more general: a product state of onequbit real states on qubits with a logical qubit state encoded in the rebit form (1), where the physical qubit for that exceptional logical qubit is the first data qubit. The output of Scheme 1 is of the form of (1). If the required output of Scheme 1
is classical, we only need to measure the qubits except the phase qubit to get the outcome. There might be other applications in which there are both real and imaginary parts in the output state, and the wanted part is real. Then we may still have some probability of success: do a measurement of the phase qubit in the
basis, and if the outcome corresponds to , we then measure the remaining qubits to get the result. If an output state with complex amplitudes is required, we may measure the phase qubit in the basis, and if the result is the first one, we know the output state is correct.The Scheme 1 allows continuous families of multiqubit gates to be performed using relatively few gadgets. Bob is required to be able to perform more general operations than singlequbit measurements. The ability to perform twoqubit gates and singlequbit measurements is enough, but for better efficiency, he should do gates on more than two qubits.
Each layer of the circuit in the scheme implements some diagonal unitary. Note that diagonal unitaries on multiple qubits are not necessarily real, and the scheme is limited to implementing those real diagonal unitaries. This is to guarantee the satisfaction of the requirement in rebit computation that the physical states are real. A class of examples of a threequbit real diagonal gate is , where is real.
The implementation of a diagonal unitary uses the groupbased protocol of remote implementation of unitary operators in LW13 . Such protocol is derived from the protocol for implementation of doublegroup unitaries on two parties ygc10 . The doublegroup unitary protocol is a bipartite version of a groupbased local quantum computing scheme KR03 , with additional analysis in the case of projective representations. In the current work, we only deal with the simple case of ordinary representation of a group, and the group is Abelian: it is the fold direct product of the group (the group with two elements), denoted as . In Scheme 1, is the number of qubits involved in the logical diagonal unitary. The paper LW13 contains the detailed steps for the remote unitary protocol for the case of ordinary representation of a group. In Scheme 1, all qubits are on Alice’s side. The unitary operators used in the current case are , where , and the subscript means the gate acts on qubit . The target unitary (on data qubits) is diagonal in the axis, so it can be expanded using such a set of unitary operators:
(4) 
where is a group element in , and can be represented using a binary string of length , consisting of the bits : . The unitary is of the form . The coefficients
appear in the unitary matrix
in the remote unitary scheme. From the equation (45) in ygc10 , the matrix is defined using (ignoring phases since we are dealing with ordinary representations here)(5) 
where and are group elements, and their product is the group multiplication. When each element is represented using a binary string of length
as mentioned above, the group multiplication is just the addition modulo 2 on each position of the vector. The corrections are
. In the current case, it amounts to or [equivalent to up to a global phase] on each qubit. It is shown in KR03 that when is unitary and that the is an ordinary representation, it is guaranteed that there exists at least one matrix that is unitary. Further, if the is a linearly independent set (which is true for the current case), then is unique. These statements are extended in ygc10 to the case of projective representations.Some note about a particular step in the scheme: Bob’s or gates on his qubit in each gadget are the product of two gates: one of them is or , which is a correction according to Alice’s measurement outcome, and the other is a fixed gate to correct for the phase in the controlled gate in the gadget. Bob’s such gates can also be absorbed into his unitary .
The entanglement and classical communication costs in Scheme 1 scale linearly with the product of the input size and the circuit depth. For data privacy in Scheme 1, we have the following theorem, with the proof in Appendix A.
Theorem 1.
When Scheme 1 is used for almostcommuting circuits with input state of the type specified in the scheme, the input data is perfectly secure.
A statement about the circuit privacy in Scheme 1 is in Theorem 2 below. The circuit privacy is already optimal up to a constant factor, since Alice can always learn bits of information about the circuit by looking at her output.
We note that there is a simplification of the scheme, using a method from Lai17 : for the last data qubits, Alice could choose to apply possible masks on them and send them to Bob before the protocol starts. In this way, the ancillary qubits for those data qubits can be saved. At the end of the protocol, Bob sends these qubits back, and Alice can recover this part of the output by undoing the masks. An alternative way of simplification is by combining some gate gadgets so that each of the last data qubits uses one gate gadget only.
(2) About Scheme 2. Based on Scheme 1, we propose the following Scheme 2 which works for a large class of polynomialdepth circuits. Its data privacy is only partial. Its circuit privacy is similar to that in Scheme 1.
The entanglement and classical communication costs in the two schemes scale linearly with the product of the input size and the circuit depth. For Scheme 2, it is not known whether arbitrary types of polynomialdepth unitary circuits are allowed, since the scheme only allows real diagonal unitaries performed by Bob and some local unitaries performed by Alice. But it at least implements a large class of unitaries. The data privacy in Scheme 2 is partial. From the proof of Theorem 1, it can be found that the two input states of all and all cannot be distinguished by Bob. For circuit privacy in the two schemes above, we have the following theorem. (The input size is .)
Theorem 2.
Proof.
In (DHL04, , Theorem 1), consider the case that the initial maximum classical mutual information , which means two systems and satisfy that . After bits of classical communication in one direction, the maximum classical mutual information is at most bits. Consider adding a hypothetical program register in Scheme 1 or 2 on Bob’s side, and call it . After Alice has sent measurement outcomes to Bob in the scheme, the combined system of Alice’s system (denoted ) and is in a direct product (mixed) state. Then, after some local operations on Bob’s side between and Bob’s other systems, the systems and is still in a direct product (mixed) state. Then bits of classical message is sent by Bob to Alice. Applying (DHL04, , Theorem 1) to this case, we get that the final maximum classical mutual information is at most bits. This means Alice learns at most bits of information about the program register . Thus the assertions hold.
In Scheme 2, since Bob only sends classical bits, Alice can learn at most bits of information about the circuit. We think this amount is optimal for a sufficiently large class of circuits such as the one in Scheme 2), since Alice could always use superdense coding to learn about bits from the output of the computation.
V Conclusions
In this paper, we have constructed a quantum homomorphic encryption scheme for a restricted type of circuits with perfect data privacy for real product input states. We then constructed a QHE scheme for a larger class of polynomialdepth quantum circuits, which has partial data privacy. Both schemes have good circuit privacy. The entanglement and classical communication costs scale linearly with the product of input size and circuit depth.
The reason why rebits are used is to avoid data leakage: if qubits with complex amplitudes are used, after some measurements are done on the Alice side in the protocol, and the outcomes are sent to Bob, it is often the case that some information about the data would have been sent to Bob. It would be good to understand better the “phase qubit” and its possible applications.
Some further issues to investigate include: a better characterization of the type of circuits allowed in Scheme 2; how to optimize the scheme for particular sets of allowed circuits; how to make the scheme faulttolerant; the verifiability of each party’s actions; composable security; whether there are corresponding schemes in the measurementbased computing model. In view of the results on classicalclient blind quantum computing by Mantri et al Mantri17 , and computationallysecure QHE scheme with classical client Mahadev17 , we may ask whether in a QHE scheme with good data privacy for polynomialsized circuits, the party with the initial program can be fully classical (possibly with some compromise on circuit privacy and data privacy).
Acknowledgments
This research is funded in part by the Ministry of Science and Technology of China under Grant No. 2016YFA0301802, and the Department of Education of Zhejiang province under Grant No. 17LXSTL0008201737289, and the startup grant of Hangzhou Normal University.
References

[1]
Craig Gentry.
Fully homomorphic encryption using ideal lattices.
In
Proceedings of the Fortyfirst Annual ACM Symposium on Theory of Computing
, STOC ’09, pages 169–178, New York, NY, USA, 2009. ACM.  [2] Z. Brakerski and V. Vaikuntanathan. Efficient fully homomorphic encryption from (standard) LWE. In 2011 IEEE 52nd Annual Symposium on Foundations of Computer Science, pages 97–106, Oct 2011.
 [3] Peter P. Rohde, Joseph F. Fitzsimons, and Alexei Gilchrist. Quantum walks with encrypted data. Phys. Rev. Lett., 109:150501, 2012.
 [4] K. Fisher, A. Broadbent, L.K. Shalm, Z. Yan, J. Lavoie, R. Prevedel, T. Jennewein, and K.J. Resch. Quantum computing on encrypted data. Nat. Commun., 5:3074, 2014.
 [5] S.H. Tan, J. A. Kettlewell, Y. Ouyang, L. Chen, and J. F. Fitzsimons. A quantum approach to homomorphic encryption. Sci. Rep., 6:33467, 2016.
 [6] Y. Ouyang, S.H. Tan, and J. Fitzsimons. Quantum homomorphic encryption from quantum codes. Phys. Rev. A, 98:042334, 2018.
 [7] Anne Broadbent and Stacey Jeffery. Quantum homomorphic encryption for circuits of low Tgate complexity. In Proceedings of Advances in Cryptology — CRYPTO 2015, pages 609–629, 2015.
 [8] Yfke Dulek, Christian Schaffner, and Florian Speelman. Quantum homomorphic encryption for polynomialsized circuits. CRYPTO 2016: Advances in Cryptology  CRYPTO 2016, pages 3–32, 2016.
 [9] C.Y. Lai and K.M. Chung. On StatisticallySecure Quantum Homomorphic Encryption. Quantum Information and Computation, 18:785–794, 2018.
 [10] U. Mahadev. Classical Homomorphic Encryption for Quantum Circuits. http://arxiv.org/abs/1708.02130, August 2017.
 [11] SiHui Tan, Yingkai Ouyang, and Peter P. Rohde. Practical somewhatsecure quantum somewhathomomorphic encryption with coherent states. Phys. Rev. A, 97:042308, Apr 2018.
 [12] M. Newman and Y. Shi. Limitations on Transversal Computation through Quantum Homomorphic Encryption. Quantum Information and Computation, 18:927–948, 2018.
 [13] M. Newman. Further Limitations on InformationTheoretically Secure Quantum Homomorphic Encryption. http://arxiv.org/abs/1809.08719, September 2018.
 [14] Li Yu, Carlos A. PérezDelgado, and Joseph F. Fitzsimons. Limitations on informationtheoreticallysecure quantum homomorphic encryption. Phys. Rev. A, 90:050303(R), Nov 2014.
 [15] Anne Broadbent, Joseph Fitzsimons, and Elham Kashefi. Universal blind quantum computation. Proceedings of the 50th Annual IEEE Symposium on Foundations of Computer Science (FOCS 2009), pages 517–526, 2009.
 [16] Stefanie Barz, Elham Kashefi, Anne Broadbent, Joseph F. Fitzsimons, Anton Zeilinger, and Philip Walther. Demonstration of blind quantum computing. Science, 335(6066):303–308, 2012.
 [17] Dorit Aharonov, Michael BenOr, and Elad Eban. Interactive proofs for quantum computations. In Proceeding of the First Symposium on Innovations in Computer Science, pages 453–469, 2010.
 [18] Takahiro Sueki, Takeshi Koshiba, and Tomoyuki Morimae. Ancilladriven universal blind quantum computation. Phys. Rev. A, 87:060301(R), Jun 2013.
 [19] Atul Mantri, Tommaso F. Demarie, Nicolas C. Menicucci, and Joseph F. Fitzsimons. Flow ambiguity: A path towards classically driven blind quantum computation. Phys. Rev. X, 7:031004, Jul 2017.
 [20] A. Nayak. Optimal lower bounds for quantum automata and random access codes. In 40th Annual Symposium on Foundations of Computer Science, pages 369–376, Oct 1999.
 [21] HoiKwong Lo. Insecurity of quantum secure computations. Phys. Rev. A, 56:1154–1162, Aug 1997.
 [22] Harry Buhrman, Matthias Christandl, and Christian Schaffner. Complete insecurity of quantum protocols for classical twoparty computation. Phys. Rev. Lett., 109:160501, Oct 2012.
 [23] Andrew Childs. Secure assisted quantum computation. Quantum Information and Computation, 5(6):456, 2005.
 [24] J. F. Fitzsimons. Private quantum computation: an introduction to blind quantum computing and related protocols. npj Quantum Information, 3:23, June 2017.
 [25] C.Y. Lai and K.M. Chung. Generalized Quantum Shannon Impossibility for Quantum Encryption. http://arxiv.org/abs/1801.03656, January 2018.
 [26] A. R. Calderbank, E. M. Rains, P. M. Shor, and N. J. A. Sloane. Quantum error correction via codes over GF(4). IEEE Transactions on Information Theory, 44(4):1369–1387, July 1998.
 [27] Yaoyun Shi. Both Toffoli and controlledNOT need little help to do universal quantum computing. Quantum Information and Computation, 3(1):84–92, January 2003.
 [28] T. Rudolph and L. Grover. A 2 rebit gate universal for quantum computing. http://arxiv.org/abs/quantph/0210187, October 2002.
 [29] Matthew McKague, Michele Mosca, and Nicolas Gisin. Simulating quantum systems using real Hilbert spaces. Phys. Rev. Lett., 102:020505, Jan 2009.
 [30] Anne Broadbent. How to verify a quantum computation. Theory of Computing, 14(11):1–37, 2018.
 [31] S.H. Luo and A.M. Wang. Remote implementation of partially unknown operations and its entanglement costs. http://arxiv.org/abs/1301.5866, January 2013.
 [32] Li Yu, Robert B. Griffiths, and Scott M. Cohen. Efficient implementation of bipartite nonlocal unitary gates using prior entanglement and classical communication. Phys. Rev. A, 81(6):062315, 2010.
 [33] Andreas Klappenecker and Martin Roetteler. Quantum software reusability. International Journal of Foundations of Computer Science, 14(05):777–796, 2003.
 [34] D. P. DiVincenzo, M. Horodecki, D. W. Leung, J. A. Smolin, and B. M. Terhal. Locking classical correlations in quantum states. Phys. Rev. Lett., 92:067902, Feb 2004.
Appendix A Proof of data privacy in Scheme 1
The following is a proof for Theorem 1.
Proof.
Alice’s measurement outcomes in the gate gadgets are uniformly random and independent. In the following we argue that Alice’s fixed gates, gate gadgets together with sending of her measurement outcomes to Bob do not reveal information about the data. As a preparation, since Alice’s measurement outcomes can be compensated by gates on Bob’s qubits, we may remove Alice’s qubit in the EPR pair in the gate gadgets and directly link Bob’s qubit in the gadget with Alice’s data qubit with a controlled gate.
After the above preparation, the fixed gates and the gate gadgets on Alice’s side contain only Clifford gates. This means that if we apply some initial operator on Alice’s input qubits, they will “commute” through the circuit with Pauli corrections on all the qubits, including Bob’s qubits. Since Bob’s qubits only interact with Alice’s qubits via the controlled gates, it can be found that any nontrivial Pauli correction on Bob’s qubits can only be up to a phase. For each input data qubit, there is a subset of Bob’s qubits that is subject to corrections resulting from the initial on that input data qubit. An initial on the phase qubit does not change Bob’s reduced density operator. Since Bob’s qubits are connected to Alice’s part of the circuit via the controlled gates, the basis information of each Bob’s qubit is reflected in Alice’s part of the circuit as a choice of or . Let us consider the reduced density operator of Bob’s. We argue that the offdiagonal terms are such that they are insensitive to the gates induced by Alice’s initial masks (the diagonal terms are trivially so, since only applies phases on the computationalbasis states). Consider an offdiagonal term of the form , where is the shorthand notation for , where are bits, and is the total number of Bob’s qubits. Note that the gates induced by a fixed initial mask pattern [ on some input data qubits] may only bring a sign to this offdiagonal term when
(6) 
where when the qubit is subject to the correction resulting from this mask pattern, and otherwise; the is similarly defined.
The two bit strings and correspond to two patterns of ’s in Alice’s part of the circuit. In order to calculate the coefficient for the offdiagonal term , we need to calculate the partial trace on Alice’s side. Consider using the circuit diagram of Alice’s side with the target qubits in controlled gates replaced with when the corresponding , and another circuit diagram similarly obtained using the bits instead of the . The partial trace is usually calculated by using a concatenated circuit with the output ends of the two original circuits connected on each qubit line. Since it is symmetric, we may instead consider a “difference” circuit where the appears at the qubit originally linked to Bob’s th qubit when
(7) 
Suppose some initial mask pattern changes an offdiagonal term of the form in Bob’s reduced density operator, then it must be that this term does not vanish. We now prove that the term satisfying Eq. (6) must vanish, then we will get that no initial mask pattern may change an offdiagonal term. Note that when we commute or gates through a data qubit line in the circuit, they either preserve themselves (with possible corrections on neighboring qubits) or swap with each other. Thus, only an even number of operators on a qubit line may cancel out after commuting them on this line. If there is a qubit line on which the operators resulting from nonzero and cancel out [it must be that their resulting operators on the phasequbit line also cancel out], then we may remove these operators, and change these and (and associated and , if any) to zero, without affecting Eqs. (6) and (7) (which is due to the definition of and and the types of gates in the circuit), and look at a reduced case with fewer nonzero and . After these reductions, we have that on at least one qubit line, the operators do not cancel out. [If no such line exists, Eq. 6 is violated.] We may cancel out the operators on the same line in pairs, without affecting the two equations, so that only one or two operators remain on each line. On each data qubit other than the first data qubit, either there is no correction operator, in which case this line can be removed without affecting the two equations, or there is only one operator, which when applied on the real input state on that data qubit would give rise to zero trace on Alice’s side. Now we consider the operators on the first data qubit. If there is only one operator on this qubit line, it must be that either or appears at the beginning of the line after commuting the operator on this line to the beginning. In the case that appears at the beginning, it must be that no operator appears on the phase qubit line, then since the initial input on the first data qubit is a real state for each of the phase qubit’s initial state or , we obtain zero trace on Alice’s side. In the remaining case that appears at the beginning, it must be that a is on the phase qubit. Since the phase qubit is initially in a real state for each of the first data qubit’s initial state or , a gate on it would give rise to zero partial trace on Alice’s side. In the case that there are two operators on the first qubit line, it must be that a is on the phase qubit, and this similarly implies zero trace on Alice’s side. Thus the term satisfying Eq. (6) must vanish. Thus it must be that no initial mask pattern may change any offdiagonal term in Bob’s reduced density operator.
In the above, we have shown that for any pure input state of the required type, and its padded states [with possible
gates applied on some qubits, possibly including the phase qubit], the reduced density operators of Bob’s system after correcting for Alice’s measurement outcomes are the same. Thus for such input states, Bob’s reduced density operator is equal to that for the input being the average state of all padded states, which is a fixed maximallymixed state. Thus, these reduced density operators of Bob’s are fixed regardless of what the pure input state is. The case of probabilistic mixture of such states follows by linearity. Thus Bob does not receive any information about the input data.