Private Set Intersection with Delegated Blind Quantum Computing

by   Michele Amoretti, et al.

Private set intersection is an important problem with implications in many areas, ranging from remote diagnostics to private contact discovery. In this work, we consider the case of two-party PSI in the honest-but-curious setting. We propose a protocol that solves the server-aided PSI problem using delegated blind quantum computing. More specifically, the proposed protocol allows Alice and Bob (who do not have any quantum computational resources or quantum memory) to interact with Steve (who has a quantum computer) in order for Alice and Bob to obtain set intersection such that privacy is preserved. In particular, Steve learns nothing about the clients' input, output, or desired computation. The proposed protocol is correct, secure and blind against a malicious server, and characterized by a quantum communication complexity that is linear in the input size.



There are no comments yet.


page 1

page 2

page 3

page 4


Multi-server Blind Quantum Computation Protocol With Limited Classical Communication Among Servers

A user who does not have a quantum computer but wants to perform quantum...

Quantum Private Distributed Learning Through Blind Quantum Computing

Private distributed learning studies the problem of how multiple distrib...

A Secure Two-Party Computation Protocol for Intersection Detection between Two Convex Hulls

Intersection detection between three-dimensional bodies has various appl...

Full-Blind Delegating Private Quantum Computation

The delegating private quantum computation (DQC) protocol with the unive...

Distance-Aware Private Set Intersection

Private set intersection (PSI) allows two mutually-untrusting parties to...

Quantum randomized encoding, verification of quantum computing, no-cloning, and blind quantum computing

Randomized encoding is a powerful cryptographic primitive with various a...

Rational proofs for quantum computing

It is an open problem whether a classical client (verifier) can delegate...
This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

1 Introduction

Private set intersection (PSI) is a problem within the field of secure computation. In two-party PSI, Alice and Bob each hold a set of items, i.e., and , respectively. The goal is to design a protocol by which Alice and Bob obtain the intersection , under the privacy restriction that anything about items that are not in the intersection must not be revealed. I.e., if then Alice learns nothing about it.

PSI is an important problem with implications in many areas. For example, in remote diagnostics [1]

, a vectorized patient’s (client) electronic health record gets a status (sick or not sick with a certain disease) from a medical diagnostic program. While the client learns about her sickness, the program remains secret and the program owner (server) does not learn anything about the client’s data. Another example is

private record linkage [2], where two data owners hold different types of information for the same customer. In order to make data mining possible, the two records must be linked together and shared without giving away any other private data stored. In private contact discovery, a user (client) wants to find out who of its private contacts also have a certain communication app (server) [3]. In

DNA testing and pattern matching

[4], the user gets its DNA sequenced and wants to find out about sequences linked to genetic diseases which are stored on a database (server).

In this work, we consider the case of two-party PSI in the honest-but-curious setting. I.e., Alice and Bob fairly cooperate to obtain , but they would love to know the other party’s full set. We assume that Alice and Bob agree to use the service of an untrusted third party. In this setting, also known as server-aided PSI, Alice and Bob interact with an additional party, called Steve, under the following privacy restriction: Steve should not learn information about the items of Alice and Bob (Figure 1). We also assume neither Alice nor Bob collude with Steve to break the other party’s privacy.

Figure 1: Server-aided PSI.

We use delegated blind quantum computing, in the multiparty version introduced by Kashefi and Pappa [5], to solve the server-aided PSI problem. More precisely, we give a protocol that allows Alice and Bob (who do not have any quantum computational resources or quantum memory) to interact with Steve (who has a quantum computer) in order for Alice and Bob to obtain such that privacy is preserved. In particular, Steve learns nothing about Alice’s and Bob’s input, output, or desired computation. Because of blind quantum computing, the privacy is perfect, includes the computation (which is hidden from Steve), does not rely on any computational assumptions, and holds no matter what actions a cheating Steve undertakes.

Alice and Bob only need to prepare single qubits and send them to Steve, who creates an entangled state from all received quantum states. After this initial preparation (where all the quantum communication takes place), Alice and Bob drive the computation, using two-way classical communication to send single-qubit measurement instructions to Steve, depending on previous measurement outcomes. The protocol is characterized by a quantum communication complexity that is

, i.e., linear in the input size.

1.1 Related Work

An almost complete survey of classical PSI protocols in the honest-but-curious setting can be found in the recent paper by Falk, Noble and Ostrovsky [6]. In that work, the authors propose a protocol requiring only communication between the parties, where is a security parameter. So far, this is the best classical solution to the PSI problem in the honest-but-curious setting.

Effective protocols for solving the server-aided PSI problem were proposed by Kamara et al. [7]. The central idea is to add redundancy to the data sent by Alice and Bob to Steve. Such data are shuffled so that the untrusted server, once executed the set intersection algorithm, cannot easily omit specific items, as the related redundancy is hard to locate. However, there is a case that is not addressed by these protocols: Steve can omit all values from the intersection and simply give back an empty list to Alice and Bob.

Recently, Le et al. [8] proposed a different approach for solving the above cheating potential by Steve without the need of redundancy. The proposed protocols force Steve to prove to Alice and Bob that . In the proof, Alice and Bob have to perform a task whose cost is . Moreover, the proposed protocols allow Alice and Bob to compute some arbitrary function over the intersection.

In the quantum setting, previous work considered the two-party and multi-party PSI scenario [12, 13, 9, 11, 10]. Instead, to the best of our knowledge, the server-aided one has not been considered so far.

1.2 Outline of the Protocol

A Bloom filter is a data structure that provides space-efficient storage of sets at the cost of a probability of false positives on membership queries

[14, 15]. As illustrated in Fig. 2, for each item we set to 1 the bits of the Bloom filter that correspond to the results of hash functions computed on the items. The optimal number of hash functions depends on the size of the Bloom filter and on the maximum number of items that have to be stored. More precisely, .

Figure 2: Mapping items into a Bloom filter, by means of hash functions.

In the proposed protocol, Alice and Bob agree on a Bloom filter of size , with sufficiently large to make the probability of false positives negligible. Then, Alice and Bob insert their items in their own Bloom filter instances, respectively and . Moreover, Alice stores , for all , in a dictionary . Similarly, Bob stores , for all , in a dictionary . The PSI problem reduces to privately computing the bitwise AND of the two Bloom filters.222It is worth noting that the -bit Bloom filters allow Alice and Bob to have input sets with a different number of items, provided that such a number is less than or equal to .

Therefore, using a multiparty delegated quantum computing protocol, Alice and Bob drive Steve into performing a blind quantum computation whose quantum result, which is returned from Steve to Alice and Bob, encodes the classical result AND. By decrypting the quantum result, Alice and Bob can easily find by means of their dictionaries.

If Steve follows the protocol, the output is correct. If Steve is dishonest and deviates from the protocol, anyway he does not learn anything about the inputs of the clients (security property) and the computation he is performing (blindness property).

Figure 3: Circuit description of the MBQC model. Here, is a quantum gate that prepares an open graph state.

2 Preliminaries

2.1 Measurement-Based Quantum Computing (MBQC)

In the MBQC model [16, 17], a computation is described by a set of measurement angles on an entangled state. A circuit description of the MBQC model is provided in Fig. 3. The computation is done in layers, following what is called a measurement pattern, which is defined by a finite set of qubits , a subset of input qubits , a subset of output qubits and a sequence of measurements acting on qubits (with ). The outcome of the measurement done at qubit is denoted as . Dependent corrections, used to control nondeterminism, are written as and .

The qubits in the set can be considered as nodes of the underlying undirected graph of the entangled state. The tuple defines an open graph state, which is prepared by a quantum gate that we denote as . In this gate, there are an dependencies and these affect the future measurements. Their placement is dictated by the flow of the graph , which is a map , and by a partial order over the nodes of the graph such that for all :

  • ,

  • ,

  • for all , we also have .

Each qubit is -dependent on qubit and -dependent on qubits for which belongs to the set of neighbors of in , which is denoted as . An open graph state with flow is illustrated in Fig. 4.

Figure 4: Conceptual representation of an open graph state with flow. The input qubits are depicted as boxed circles, the output qubits as pink circles. All the dark circles (non-output qubits) are measured during the execution of the pattern. The arrows represent the flow function. The 4 partition sets give the partial order on the vertices.
Figure 5: Graph representation of a brickwork state at the server. With reference to the notation used in Fig. 3, the total number of qubits is . The first qubits at the server are initialized with the encrypted quantum input . The following qubits are prepared to states , for . In both cases, protocols that involve all the clients and the server are executed. The last qubits at the server are prepared in the state. Then, controlled- gates are performed between qubits that correspond to vertices joined by an edge, in the graph (the formal construction is reported in [21]). This last step creates the brickwork state at the server. In the implementation, the server does not have all of the qubits of the entire brickwork state in memory at the same time. Indeed, construction and entanglement can be done “just in time,” as is standard with measurement-based quantum computing [22]. Finally, after the execution of the measurement pattern on the brickwork state, the quantum state of the last qubits will be the output to be returned to the clients.

2.2 Delegated Blind Quantum Computing

Childs [19] proposed the first delegated blind quantum computing protocol, with one client and one server, which was quite demanding in terms of quantum resources. In particular, the client was required to control a quantum memory and perform SWAP gates. Later, Arrighi and Salvail [20] introduced a scheme with mechanisms for both verification and blindness for a limited range of functions.

The Universal Blind Quantum Computation (UBQC) scheme by Broadbent, Fitzsimons and E. Kashefi [21]

requires the client and the server to exchange only one quantum message, while the rest of the communication is classical. The quantum message sent by the client to the server consists of a tensor product of single-qubit states. Thus, the only quantum capability the client needs is the ability to prepare single-qubit states.

The UBQC protocol is described in terms of the MBQC framework. More precisely, UBQC can be considered as the distributed version of an MBQC computation. In this context, any quantum computation (represented by a unitary operator ) is given as a measurement pattern on a brickwork state, which is an entangled state of qubits.

In the preparation phase, the client prepares quantum states and sends them to the server, which entangles them for creating the brickwork state. Note that this process unavoidably reveals upper bounds on the length of the input and depth of the computation. However, due to universality of the brickwork state, it does not reveal any additional information on the client’s computation.

The client has in mind a unitary operator that is implemented with a measurement pattern on the brickwork state. This pattern could have been designed either directly in MBQC or from a circuit construction. Note that it is assumed that the client’s input to the computation is built into . In other words, the client wishes to compute . In the computation phase, the client transmits (classical) measurement instructions to the server. The classical outcomes of the measurements are communicated by the server to the client, whose choice of the angles in future rounds will depend on these values. The protocol is blind as the client’s quantum states and classical messages are astutely chosen so that, no matter what the server does, it cannot infer anything about the client’s measurement pattern. At the end, the server returns the final qubits to the client.

To further extend the idea of computing over encrypted data, a multiparty delegated quantum computation protocol in the MBQC framework was proposed by Kashefi and Pappa [5]

. Also this protocol consists of a preparation phase where all the quantum communication takes place, followed by a computation phase where the communication is purely classical. During the first stage, each client one-time pads its quantum input and sends it to the server. In this way, the private data of the clients remain secret during the protocol. At the end of this stage, the server entangles the received quantum states in order to produce the brickwork state (Fig.

5). In the second stage, the clients need to securely communicate between them and with the server, in order to jointly compute the measurement angles of the qubits in the different layers of computation. This procedure is purely classical, and based on a Verifiable Secret Sharing (VSS) scheme [23] and a computation oracle [24, 25, 26]. The resulting measurement pattern does not reveal the corresponding unitary operator to the server. At the end of the MBQC process, each client receives its quantum output, consisting of qubits that are naturally encrypted due to the randomness from previous measurements that propagated during the computation. The decryption of the quantum output is based on the classical secret shares of all clients.

3 Main Protocol

From now on, we denote Alice and Bob (the two clients) as and . We want that the private data of each client (i.e., its quantum input and output) remains secret during the protocol. Moreover, we want that the measured angles are not known to the server (i.e., Steve), but are secret-shared with the clients (using a VSS scheme). The quantum input provided by the two clients contributes to the preparation of the quantum state at the server. The measurement angles for qubits are denoted as .

3.1 Preparation Phase

The quantum state at the server is prepared as follows. For (such that qubits of the server are affected):

  1. The client that owns the th qubit applies to its qubit (i.e., performs a one-time padding) and sends the quantum state to the server. The values and are randomly picked, and secret-shared with the other client.

  2. The other client runs Protocol 1 with the server. If the client passes the test, the server at the end has the state , where identifies the client.

  3. The server runs Protocol 2 and announces the outcome .

At this point the server has the state




Then, for (such that qubits of the server are affected):

  1. Both clients run Protocol 1 with the server. If the test is passed by both clients, the server at the end has two states , where identifies the client.

  2. The server runs Protocol 3 getting the outcome , and ends up with the state , where


At this point, for , the server prepares states (such that qubits of the server are affected). Finally, the server entangles all the qubits to a brickwork state by applying gates.

Protocol 1 (To enforce honest behavior for client ) Client sends quantum states to the server, and secret-shares the values with the other client, using a VSS scheme. The server requests the shared values from the clients, for all but one qubit, and measures in the bases reconstructed by means of the shared values. If the bases agree with the measurements, then the remaining state is correctly formed in relation to the remaining shared angle, with high probability.
Protocol 2 (State preparation for ) The server stores the quantum states received by the two clients, namely and , to distinct registers. Then, a CNOT is applied, and finally the second qubit is measured, producing the outcome and the quantum state , where .
Protocol 3 (State preparation for ) The server stores the quantum states received by the two clients, namely and , to distinct registers. Then, a CNOT is applied, and finally the first qubit is measured, producing the outcome and the quantum state .

3.2 Computation Phase

In this phase, the clients drive the measurement process at the server. We remark that, in the following description, denotes the sum of the values , where is each node of the graph (representing the entangled state) that has an -dependency with node . Similarly, denotes the sum of the values , where is each node that has a -dependency with node .

For (the non-output qubits of the server):

  1. Both clients choose random , which they secret-share with each other. Then, with the help of a computation oracle, they compute the measurement angle of qubit :


    where undefined values are equal to zero, or otherwise:

    • is the “plain” measurement angle for the th qubit in the brickwork state,

    • ,

    • ,

    • , for ,

    • .

  2. The server receives and measures qubit in the basis, getting as result, which is then announced by the server to the clients.

Then, for (the last qubits at the server), the server sends the quantum state to the corresponding client, which applies to retrieve the actual quantum output.

A straightforward way to implement the bitwise AND function between the inputs of the clients is to implement parallel Toffoli gates in the brickwork state.333For each Toffoli gate, there are two input qubit states and one ancilla state that must be provided by one of the clients. However, the encrypted quantum output of each Toffoli gate cannot be produced in two copies (one for each client), because of the no-cloning theorem. To solve this issue, half of the quantum output is sent to , the other half to . Therefore, further secure classical interaction between the clients is needed, so that they both end up with AND.

4 Analysis of the Protocol

4.1 Communication Complexity

To implement parallel Toffoli gates in the brickwork state, using the strategy proposed by Chien et al. [22] we end up with layers, each layer having qubits. The total number of transmitted qubits is then . For each transmitted quantum state, there is an overhead due to Protocols 1, 2 and 3, that can be expressed as a constant factor. We may conclude that, in general, the quantum communication complexity of the protocol is .

4.2 Correctness, Security and Blindness

The correctness of the proposed protocol comes from the correctness of the individual circuits implementing Protocols 2 and 3. A detailed proof can be derived from the proof of Theorem 1 in [5], asserting the correctness of the general MBQC-based multiparty delegated quantum computation protocol.

The security property of the protocol derives from the fact that the clients never share their sets with each other. The proposed protocol is also secure against a malicious server. This is true in general for the MBQC-based multiparty delegated quantum computation protocol [5]. The proof is based on the fact that the protocol emulates an ideal multiparty delegated quantum computation resource that does not give the server any access to the clients’ input.

At the same time, the protocol has the blindness property, meaning that the server does not know what computation it is doing, provided that the measurement angles remain hidden from the server.

5 Leveraging the Quantum Internet

In the proposed protocol, Alice and Bob send qubits to Steve in the preparation phase, while Steve sends qubits to Alice and Bob at the end of the computation phase. In order to move qubits between any two parties over long distances, quantum state teleportation is preferred to quantum communication, whose fidelity decreases exponentially with the channel length, due to loss [27]. Quantum teleportation requires end-to-end entanglement generation, i.e., probably the most important general-purpose service in the future Quantum Internet [28, 29, 30, 31, 32, 33]. In Figure 6, an example of quantum network stack architecture, inspired by the TCP/IP one, is presented [34, 35].

Figure 6: Quantum network stack architecture [34]. A link layer and a physical layer protocol have been experimentally demonstrated by Pompili et al. [35].

6 Conclusion and Future Work

In this work we have proposed a protocol that solves the server-aided PSI problem using delegated blind quantum computing. The protocol is correct, secure and blind against a malicious server. Moreover, it is characterized by a quantum communication complexity that is linear in the input size.

Regarding future work, we plan to study alternative approaches to the implementation of the bitwise AND function at the server. Moreover, we are interested in exploring different strategies with respect to the Bloom filter’s one we have adopted in this work, to efficiently map the clients’ input to the server. An interesting future direction is investigating the possibility to implement a variant of the proposed protocol where clients are fully classical. In a recent work, Aaronson, Cojocaru, Gheorghiu and Kashefi [18] suggested that there is no scheme for blind quantum computing that is information-theoretically secure and that requires only classical communication between client and server. On the other hand, there are interesting proposals for fully-classical client protocols that achieve more restricted levels of security [36, 37, 38].


The author would like to thank Anna Pappa for helpful discussions on the MBQC-based multiparty delegated quantum computation protocol.


  • [1] J. Brickell, D. E. Porter, V. Shmatikov, E. Witchel, Privacy-Preserving Remote Diagnostics, Proc. of the 14th ACM conference on Computer and Communications Security (2007)
  • [2] X. He, A. Machanavajjhala, C. Flynn, D. Srivastava, Composing Differential Privacy and Secure Computation: A case study on scaling private record linkage, Proc. of the 24th ACM conference on Computer and Communications Security (2017)
  • [3] D. Demmler, P. Rindal, M. Rosulek, N. Trieu, PIR-PSI: Scaling Private Contact Discovery, Proc. on Privacy Enhancing Technologies, vol. 2018, no. 4 (2018)
  • [4] A. Yanai, Private Set Intersection, (2020)
  • [5] E. Kashefi, A. Pappa, Multiparty Delegated Quantum Computing, Cryptography, vol. 1, no. 12 (2017)
  • [6] B. Hemenway Falk, D. Noble, R. Ostrovsky, Private Set Intersection with Linear Communication from General Assumptions, Proc. of the 18th ACM Workshop on Privacy in the Electronic Society (2019)
  • [7] S. Kamara, P. Mohassel, M. Raykova, S. Sadeghian, Scaling Private Set Intersection to Billion-Element Sets, Proc. of the International Conference on Financial Cryptography and Data Security (2014)
  • [8] P. H. Le, S. Ranellucci, S. Dov Gordon, Two-party Private Set Intersection with an Untrusted Third Party, Proc. of the 2019 ACM SIGSAC Conference on Computer and Communications (2019)
  • [9] X. Cheng, R. Guo, Y. Chen, Cryptanalysis and improvement of a quantum private set intersection protocol, Quantum Information Processing, vol. 16, no. 37 (2017)
  • [10] B. Liu, M. Zhang, R. Shi, Quantum Secure Multi-party Private Set Intersection Cardinality, International Journal of Theoretical Physics vol. 59, pp. 1992–2007 (2020)
  • [11] A. Maitra, Quantum secure two-party computation for set intersection with rational players, Quantum Information Processing, vol. 17, no. 197 (2018)
  • [12] T. Salman and Y. Baram, Quantum Set Intersection and its Application to Associative Memory

    , Journal of Machine Learning Research 13 (2012)

  • [13] R. Shi, Y. Mu, H. Zhong, J. Cui, S. Zhang, An efficient quantum scheme for Private Set Intersection, Quantum Information Processing, vol. 15, no. 1 (2016)
  • [14] A. Broder, M. Mitzenmacher, Network applications of Bloom filters: A survey, Internet Math., vol. 1, no. 4, pp. 485–509 (2004)
  • [15] M. Amoretti, O. Alphand, G. Ferrari, F. Rousseau and A. Duda, DINAS: A Lightweight and Efficient Distributed Naming Service for All-IP Wireless Sensor Networks, IEEE Internet of Things Journal, vol. 4, no. 3, pp. 670-684 (2017)
  • [16] R. Raussendorf, H. Briegel, A one-way quantum computer, Phys. Rev. Lett., vol. 86, pp. 5188–5191 (2001)
  • [17] R. Raussendorf, D. Browne, H. Briegel, Measurement-based quantum computation with cluster states, Phys. Rev. A, vol. 68, pp. 022312 (2003)
  • [18] S. Aaronson, A. Cojocaru, A. Gheorghiu, E. Kashefi, Complexity-theoretic limitations on blind delegated quantum computation, Proc. of the 46th International Colloquium on Automata, Languages, and Programming (2019)
  • [19] A. Childs, Secure Assisted Quantum Computation, Quantum Information & Computation, vol. 5, no. 6, pp. 456–466 (2005)
  • [20] P. Arrighi, L. Salvail, Blind Quantum Computation, International Journal of Quantum Information, vol. 4, no. 5, pp. 883–898 (2006)
  • [21] A. Broadbent, J. Fitzsimons, E. Kashefi, Universal Blind Quantum Computation, Proc. of the 50th Annual Symposium on Foundations of Computer Science (2009)
  • [22] C.-H. Chien, E. van Meter, S.-Y. Kuo, Fault-Tolerant Operations for Universal Blind Quantum Computation ACM Journal on Emerging Technologies in Computing Systems, vol. 12, no. 1, 2015.
  • [23] B. Chor, S. Goldwasser, S. Micali, B. Awerbuch, Verifiable secret sharing and achieving simultaneity in the presence of faults, 26th Annual Symposium on Foundations of Computer Science, pp. 383-395 (1985)
  • [24] R. Canetti, Universally composable security: a new paradigm for cryptographic protocols, Proc. of the 42nd IEEE Symposium on Foundations of Computer Science (2001)
  • [25] Y. Ishai, M. Prabhakaran, A. Sahai, Founding Cryptography on Oblivious Transfer – Efficiently Proc. of CRYPTO (2008)
  • [26] D. Unruh, Universally Composable Quantum Multi-party Computation, Proc. of EUROCRYPT (2010)
  • [27] P. P. Rohde, The Quantum Internet, Cambridge University Press (2021)
  • [28] S. Wehner, D. Elkouss, R. Hanson, Quantum Internet: a Vision for the road ahead, Science, 362, 6412 (2018)
  • [29] A. S. Cacciapuoti, M. Caleffi, F. Tafuri, F. S. Cataliotti, S. Gherardini and G. Bianchi, Quantum Internet: Networking Challenges in Distributed Quantum Computing, IEEE Network, vol. 34, no. 1, pp. 137-143 (2020)
  • [30] H. V. Nguyen, Z. Babar, D. Alanis, P. Botsinis, D. Chandra, M. A. Mohd Izhar, S. X. Ng and L. Hanzo, Towards the Quantum Internet: Generalised Quantum Network Coding for Large-Scale Quantum Communication Networks, IEEE Access, vol. 5, pp. 17288-17308 (2017)
  • [31] M. Amoretti and S. Carretta, Entanglement verification in quantum networks with tampered nodes, IEEE Journal on Selected Areas in Communications, vol. 38, no. 3, pp. 598-604 (2020)
  • [32] R. Van Meter and S. J. Devitt, The Path to Scalable Distributed Quantum Computing, Computer, vol. 49, no. 9, pp. 31-42 (2016)
  • [33] D. Ferrari, A. S. Cacciapuoti, M. Amoretti and M. Caleffi, Compiler Design for Distributed Quantum Computing, IEEE Transactions on Quantum Engineering, vol. 2, pp. 1-20, art no. 4100720 (2021)
  • [34] A. Dahlberg, M. Skrypczyk, T. Coopmans, L. Wubben, F. Rozpedek, M. Pompili, A. Stolk, P. Pawelczak, R. Knegjens, J. de Oliveira Filho, R. Hanson, S. Wehner, A link layer protocol for quantum networks, Proc. of ACM SIGCOMM, pp.159-173 (2019)
  • [35] M. Pompili, C. Delle Donne, I. te Raa, B. van der Vecht, M. Skrypczyk, G. Ferreira, L. de Kluijver, A. J. Stolk, S. L. N. Hermans, P. Pawelczak, W. Kozlowski, R. Hanson, S. Wehner, Experimental demonstration of entanglement delivery using a quantum network stack, arXiv:2111.11332 (2021)
  • [36] A. Mantri, T. F. Demarie, N. C. Menicucci, J. F. Fitzsimons, Flow Ambiguity: A Path Towards Classically Driven Blind Quantum Computation, Physical Review X, vol. 7, no. 3, pp. 031004 (2017)
  • [37] U. Mahadev, Classical Verification of Quantum Computations, Proc. of IEEE FOCS, pp.259-267 (2018)
  • [38] A. Cojocaru, L. Colisson, E. Kashefi and P. Wallden, On the Possibility of Classical Client Blind Quantum Computing, Cryptography, vol. 5, no. 1, art no. 3 (2021)