I Introduction
The security of twoparty computation is a main research topic in classical cryptography. The goal is usually to correctly compute some function of the inputs from the two parties, while keeping the inputs as private from the opposite party as possible. This has been studied using classical homomorphic encryption techniques Gentry09 ; brakerski2011efficient or through implementing Yao’s “Garbled Circuit” solution Yao86 . Another possibility is to introduce a trusted third party, who may sometimes interact with the two parties for multiple rounds. To lower the requirement on the trusted third party, a “trusted initializer” has been proposed Beaver98 . Such trusted initializer only prepares some initial correlations between the two parties, and does not interact with any party afterwards. A trusted initializer who prepares certain initial correlations, referred to as “onetime tables”, can help make the bipartite computation secure.
Secure twoparty quantum computation is the corresponding problem in quantum computing and quantum cryptography. The two parties wish to correctly compute an output according to some public or private program while keeping their (quantum) inputs as secure as possible. Special cases of this general problem include quantum homomorphic encryption (QHE) rfg12 ; MinL13 ; ypf14 ; Tan16 ; Ouyang18 ; bj15 ; Dulek16 ; NS17 ; Lai17 ; Mahadev17 ; ADSS17 ; Newman18 ; TOR18 , secure assisted quantum computation Ch05 ; Fisher13 and computing on shared quantum secrets Ouyang17 , and physically motivated secure computation (e.g. OTF19 ). In the study of QHE, it is found that secure computation of the modulo inner product of two bit strings provided by the two parties is a key task, and the onetime tables mentioned above turn out to be helpful for this task.
In this work, we propose twoparty quantum protocols with aborts as replacements for the trusted initializer in preparing the onetime tables, and show that the prepared onetime tables can help achieving some degree of informationtheoretic security in bipartite classical or quantum computation. Our main protocols are based on Protocol 1 which implements the following task approximately with partial privacy: it takes as input two locallygenerated random bits and from Alice and Bob, respectively, and outputs two bits and on the two parties, where is a random bit. The onetime table contains four bits: two input bits and two output bits. By putting the possible aborts in the preprocessing which does not involve useful data, we avoid the problem of early terminations with leaking of data in other possible protocols with aborts.
We propose Protocol 2 to select some onetime tables generated by Protocol 1. It allows Bob to abort during the protocol when he finds that Alice is cheating. When Protocol 2 is used in a generic interactive bipartite classical computation with the roles of Alice and Bob switched, the data leakage of Alice is asymptotically vanishing for noiseless physical systems, but for noisy physical systems, the leakage is linearly related to the noise level. The data privacy of Bob is partial: the leakage is about half of his input bits, but the privacy is better in the case that the function is a manytoone map for Bob’s input, including the case that the function effectively evaluates universal circuits.
We then propose Protocol 3 which includes checks from both sides to ensure that the average rate of cheating by any party is asymptotically vanishing. So for the bipartite computation task, the data leakage of any party is asymptotically vanishing for noiseless systems, while for noisy systems, the leakage of both parties are linearly related to the noise level.
We then propose Protocol 4 which combines several onetime tables generated by Protocol 2 or 3 into one. When Protocol 4 based on Protocol 2 is used in bipartite classical computation, the data leakage of Alice is asymptotically vanishing, and almost independent of the physical errors, as discussed in Sec. VI, while the data privacy of Bob is worse than that in Protocol 2 under comparable resource cost.
The Protocols 2, 3 and 4 are secure in the honestbutcurious model. An honestbutcurious party is one who follows the protocol while possibly making measurements which do not affect the final computation result. In our protocols, an honestbutcurious party does not learn anything about the other party’s data, while the privacy of his or her own data is guaranteed to reach the targeted level.
The following remarks are for the general malicious case. The security of Bob’s data is dependent on that he is conservative, meaning that he values the privacy of his data higher than the possibility to learn Alice’s data; Alice needs to be weakly cooperating for the protocols not to abort, meaning that she does not cheat much in some batch of the instances of Protocol 1. For Alice’s data security to be enhanced by her verifications in Protocol 3, she should be conservative in the sense described above. Although Protocol 4 is quite effective when there is no noise (including errors), it may not be better than Protocol 2 or 3 when there is some nonnegligible level of noise. In the noisy case, we propose just using Protocol 3.
We show some applications in general twoparty classical computation, and the cheatsensitive implementations of oblivious transfer and bit commitment under some assumptions. To enjoy some quantum speedup together with the security benefit brought about by our preprocessing, we propose a quantum homomorphic encryption scheme which uses the generated onetime tables as a resource, but with more rounds of communication than usual. Such scheme is then generalized to general twoparty quantum computation with a publicly known circuit and private inputs on both parties.
The rest of the paper is organized as follows. Sec. II contains some introduction of the background. In Sec. III we introduce the quantum protocols for generating the onetime tables. Sec. IV shows applications in general twoparty classical computation. Sec. V shows applications in general twoparty quantum computation. Sec. VI contains some discussions about the security in the noisy case, and physical implementations. Sec. VII contains the conclusion and some open problems.
Ii Preliminaries
On computing twoparty classical functions with quantum circuits, Lo Lo97 studied the data privacy for publicly known classical functions with the output on one party only. Buhrman et al bcs12 studied the security of twoparty quantum computation for publicly known classical functions in the case that both parties know the outcome, although with some limitations in the security notions. These and other results in the literature Colbeck07 suggest that secure bipartite classical computing cannot be generally done by quantum protocols where the two parties have full quantum capabilities. In the current work, the protocols allow aborts in the quantum preprocessing (Bob may abort when he detects that Alice has cheated), so the scenario considered here does not fit into the assumptions in the works mentioned above. We assume that one party values the privacy of his data higher than the possibility to learn the other party’s data. Under such assumption, we do not require the parties in the main bipartite computation stage to be entirely classical.
Next, we introduce the simplest case in the onetime tables Beaver98 . The bipartite AND gate with distributed output is a gate that takes as input two distant bits and , and outputs and on the two parties, respectively, where is a uniformly random bit. (XOR is denoted as ; AND is denoted as the symbol.) It is sufficient for secure twoparty classical computation, although there may be other constructions. Theoretically, the bipartite AND gate with distributed output on two distant input bits and can be computed while keeping both input bits completely private, with the help of a precomputed ideal onetime table of the nonlocalAND type. Later we present methods for approximately generating such onetime tables. The onetime table has two locallygenerated uniformly random bits and on the two parties, respectively, and also has and on the two parties, respectively, where is a uniformly random bit. The steps for the bipartite ANDgate computation with distributed output are as follows:
1. Alice announces . Bob announces .
2. Each party calculates an output bit according to the onetime table and the received message. Alice’s output is . Bob’s output is .
The XOR of the two output bits is , while each output bit is a uniformly random bit when viewed alone, because is a uniformly random bit. Since the messages and do not contain any information about and , the desired bipartite AND gate is implemented while and are still perfectly private.
Iii The quantum protocols for generating onetime tables
The main quantum protocols to be introduced later are based on Protocol 1, which is the revised version of a subprocedure of a protocol from Yu18 . The Protocol 1 effectively computes an AND function on two remote classical bits from the two parties, with the output being a distributed bit, i.e. the XOR of two bits on the two parties. The security is not ideal: the plain use of such protocol would give rise to nonideal security in (interactive) quantum homomorphic encryption Yu18 , and the security is such that some additional verification need to be added in the protocol for it to be nontrivial. Later we propose protocols that check and sometimes combine the onetime tables generated from Protocol 1, to be used as a preprocessing stage for a bipartite classical or quantum computation task. The security level in those quantum protocols are higher than that achievable from the plain use of Protocol 1.
In Protocol 1, denote , and
, and the random bits are unbiased and independent of other variables by default. An EPR pair is two qubits in the state
. The protocol involves teleportations bbc93 with partial information about the outcomes withheld by the sending party, and this can alternatively be implemented by the direct sending of quantum states that have been subject to certain Pauli operators just before sending. The teleportation approach allows Alice and Bob to do operations simultaneously. See the discussions in Sec. VI.We explain the last parts of Protocol 1. Even if Alice did a correction on the first qubit corresponding to Bob’s sent bit (in fact she does not do it, but only adjusts the final outcome), she receives the two qubits with a possible mask for each qubit (which are related to Bob’s final outcome), together with possible simultaneous masks on both qubits (which does not affect any party’s final outcome). Bob’s outcome can alternatively be viewed as being obtained in the following way: if a correction is needed for one received qubit, Bob regards his mask bit for that qubit as , and otherwise he regards it as . Bob’s output bit in the protocol is the XOR of the two mask bits.
In Protocol 1, Alice’s input bit has partial privacy even for a cheating Bob, while Bob’s input bit is secure for an honestbutcurious Alice, but is not secure at all for a cheating Alice. The privacy of Alice’s input bit can be quantified using the accessible information or the trace distance. The accessible information, i.e. the maximum classical mutual information corresponding to Bob’s possible knowledge about Alice’s input, is exactly bits, which happens to be equal to the Holevo bound in the current case. For a cheating Bob to get the maximum amount of information, his best measurement strategy in the current case is to use a fixed projective measurement: to measure the first qubit in the basis, and the second qubit in the basis. The trace distance of the two density operators for Alice’s two possible input values is , by direct calculation (see also Yu18
). Thus, the probability that Bob guesses Alice’s input bit correctly is
. Note that with this particular measurement just mentioned, he cannot make the distributed output of the onetime table correct. In other words, Bob cannot learn the other party’s input without consequences. We will see below that the similar remark can be said for Alice as well, implying that the protocol is secure in the honestbutcurious model.To learn about Bob’s input bit, a cheating Alice may use an entangled state . From Bob’s returned state, and after correcting for the Pauli operator indicated by Bob’s returned classical message, Alice may find out Bob’s input bit with certainty.
In the following we present protocols which check or combine the onetime tables generated in Protocol 1. The first one has partial security for Alice and nearperfect security for Bob, while the second one involves checking by both parties, and aims for nearperfect security for both parties. The third one aims for nearperfect security for both parties with emphasis on the security of one party.
In Protocol 2, Alice’s input bit has partial privacy, which is the same as in the analysis of Protocol 1 above. When the ratio is near one, the nonlocal correlations in the remaining unchecked onetime tables can be regarded as almost surely correct. This is because of Bob’s checking. We require Alice to be weakly cooperating, that is, she does not cheat in some of the batches of instances, since otherwise no onetime table may pass the test. Some degree of weak cooperation is required for two parties to perform a computation anyway, and the above assumption of Alice has no effect on the data security of any party when Bob satisfies the assumption below, thus we may ignore the assumption above and just state the following assumption on Bob as the requirement of our protocols. In the following we assume that Bob is conservative, which means that he values the privacy of his data higher than the possibility to learn Alice’s data. Later in Sec. IV we will see that it effectively implies that he indeed does the checking. For an honestbutcurious Alice, the resulting correlation is correct, and she does not learn anything about Bob’s input bit (using the notations in Protocol 1, same below). In the following we discuss the case that Alice cheats.
If Alice cheats and gets at least partial information about Bob’s input bit , the state sent from Alice to Bob must be different from what is specified in the protocol; her best choice of state for cheating is mentioned previously. To pass Bob’s test while learning about Bob’s input , she should know both and , or know both and . (The two conditions are equivalent in the exact case, but not necessarily equivalent in the partialinformation case.) In the following, let denote the classical mutual information learnable by Alice about the bit if she uses the measurement . The and
are defined similarly, but note that they are conditioned on the uniform distribution for
.Proposition 1.
The follows inequalities hold:
(1)  
(2)  
(3) 
where the two are the same in each equation.
Proof.
The overall communication from Bob to Alice in Protocol 1 is only one classical bit (note the entangled states used in the teleportations are fixed and do not count towards the amount of communication), then, by the Holevo bound (also noting that there are effectively no other prior correlations between the two parties besides the fixed entangled state, so the locking of information DHL04
does not occur here), the amount of information that Alice learns about the joint distribution of
and is upper bounded by bit. The bits and are independent when Bob produces them, so the and are independent prior to Alice’s measurement. Thus the inequality (1) holds. The bits and jointly determine and , so the amount of information that Alice learns about the joint distribution of and is upper bounded by bit. And since the bits and are independent prior to Alice’s measurement, we have that the inequality (2) holds. The inequalities (1) and (2) together imply (3).The probability that Alice passes Bob’s test at a particular instance is related to the in Eq. (3). When the probability of passing approaches , such maximum approaches , then it must be that one of them approaches . Then, Prop. 1 implies that Alice can learn almost nothing about if she measured in the same basis, but in fact a cheating Alice knows which instances are remaining and will not be checked later (although it is conceivable that some checks may be done after the main computation, see Sec. VI below), so she can choose to do any measurement on the received states in these remaining instances. Such measurement may not be the same as in the other term in Eq. (3). This implies that Eq. (3) alone is not sufficient for proving the security of Protocol 2.
Theorem 1.
In Protocol 2, Bob’s input is asymptotically secure.
Proof.
We first consider the case that Alice’s operations are independent among different instances of Protocol 1, and at last comment that the nonindependent case still satisfy the extreme case of the inequalities above, giving rise to the security of Protocol 2.
Due to the freedom of measurement basis choice mentioned above, the Holevo bounds, which are upper bounds of the information quantities, are more relevant for proving the security of Protocol 2. Under the condition that Alice’s operations are independent among the instances, we need only consider the Holevo bounds for a single instance of Protocol 1. Let be the Holevo quantity which is the upper bound for . It is defined as
(4) 
where is the density operator that Alice receives from Bob for the case of after Pauli corrections determined by Bob’s sent bit, and . The represents the von Neumann entropy. The quantities and are defined similarly, but note that they are conditioned on the uniform distribution for . We claim that the following inequality holds for small positive and nonnegative continuous function ,
(5) 
This has been confirmed by numerical calculations. The analytical reason is as follows. The Holevo quantities in Eq. (III) satisfy uniform continuity, because that the ancilla is effectively at most dimensions due to the Schmidt decomposition, and that the Holevo quantity (4) is continuous as a function of and and therefore is a continuous function of Alice’s initial state. Together with the fact that
(6) 
which is by the construction of the protocol, we recover Eq. (III).
Alice may cheat in some instances of Protocol 1 so we may define a rate of cheating. Partial cheating in a instance is converted into a fractional number of cheating instances in calculating such rate. Alice’s cheating probabilities among different instances may be correlated, but that does not affect the following argument since Bob randomly chooses which instances to check. It is sort of subjective for Bob to determine the average rate of cheating from the number of wrong results and the total number of tests in Protocol 2, since it depends on the a priori
knowledge about the probability distribution for Alice’s average rate of cheating, and also depends on the correlations between rates of cheating among different instances of Protocol
1. Suppose that after some checking, Bob estimates that Alice’s average rate of cheating is
, which is a small positive constant near , then the following approximation holds for the uniform distribution of and : . Hence, according to Eq. (III). This shows that the expected amount of information about learnable by a cheating Alice in the remaining instances of Protocol 1 is arbitrarily near zero for sufficiently small , even if she measures in different bases from those for the tested instances. The word “expected” means that even if , where is the total number of onetime tables to be used for the main computation, Alice may sometimes learn about one or a few bits of Bob’s input by chance, but on average, she learns not more than bits. Since the information about is linearly related to the information learnable by Alice in the later classical computation stage (see Sec. II), this shows the security of Protocol 2 for use in the later classical computation in the case that Alice’s operations are independent among instances of Protocol 1.In the following we consider the general case that Alice’s operations are not necessarily independent among instances of Protocol 1. If Alice initially prepares some correlated quantum states among instances, the generalization of Eq. (6) should hold, due to the construction of the protocol. Then the generalization of Eq. (III) for the corresponding Holevo bounds should hold approximately near such extreme point, due to the uniform continuity of the Holevo bounds. This shows that the argument for the security for the case of independent operations of Alice can be extended to the general case.
We mention some numerical results. Numerical calculations confirm the inequalities (1) through (3). Note the same occurs twice in each inequality. The calculations assume that Alice uses some general quantum pure state as input, allowing an ancillary system of dimensions, the maximum required by the Schmidt decomposition. The calculations use projective measurements, although POVM measurements may give rise to a larger sum on the lefthandside, and such weakness is remedied by the calculation of the Holevo bound below. Numerical calculations suggest the following inequalities.
(7)  
(8) 
where is a constant somewhat larger than and is yet to be precisely determined. This implies that
(9) 
Numerics suggest that near the ends of the tradeoff curve indicated by Eqs. 7 and 8, one quantity approaches bit while the other quantity approaches . For some input state of Alice’s that approaches the numerically found maximal value of the lefthandside, the two terms on the lefthandside of Eq. (9) are about equal, and the corresponding sum in the lefthandside of Eq. (3) under projective measurements is numerically found to be not greater than bit. The latter sum is observed to have the same property for initial states satisfying . When there is no ancilla, numerics suggest that the lefthandside of Eq. (9) is not greater than bit. As quantitative examples for Eq. (III), we have , and .
To improve Alice’s security in the protocol above, we propose the following Protocol 3, in which Alice also does some checking about Bob’s behavior.
By noting that there is only one bit of classical communication from Alice to Bob in Protocol 1, the analysis for Protocol 2 about Bob’s data privacy can basically be used for analyzing Alice’s data privacy in Protocol 3. There are analogues of Proposition 1 and Theorem 1 for Alice instead of Bob. The quantitative security level is somewhat different: Alice’s data privacy has a nonzero lower bound here; with the same resource cost, Bob’s data privacy is somewhat weaker than that in Protocol 2.
When one party’s data privacy is very important, and the other party’s data privacy is not too important, we propose the following Protocol 4. It improves the privacy of Alice’s input in the later main computation task, while that of Bob’s input is somewhat compromised.
In Protocol 4, the privacy of Alice’s bit for the combined onetime table is quite good: The accessible information for Bob is exactly bits, where is the size of in protocol description. It is because the different onetime tables from the first step are independent. The Holevo bound coincides with the accessible information in the current case.
For the privacy of Bob’s input bit in the combined onetime table, it is possible for a cheating Alice to do a joint measurement on received states from Bob, to learn the information about and simultaneously as much as possible (or and ). Bob can deal with this by testing more onetime tables. The resource usage (the amount of entanglement needed and the amount of communication) is estimated to be about times that of Protocol 2, to achieve the similar level of privacy for Bob, where is the total number of onetime tables required for the later main computation, and is the size of in Protocol 4. In such factor , one is for the size of , and the additional factor means that about onetime tables are used in the instance of Protocol 2 in the first step of Protocol 4. This factor appears because Alice may use techniques similar to Grover’s algorithm to increase the amount of information she may learn about , and the same input variable of Bob’s may appear in the original circuit for at most times. But in the case that the function to be evaluated is for evaluating a program provided by Bob on Alice’s data, it is possible that each variable of Bob’s appears only once, then the factor can be omitted, so that the overhead becomes only compared to the plain use of Protocol 2.
The Protocol 4 differs from the previous protocols in that it has an extra step of combining the onetime tables, and its usage in the later bipartite computation task may be different by a switch of the roles of Alice and Bob. The verifications in these protocols take hint from similar procedures for quantum key distribution BB84 . The success of these quantum protocols is not guaranteed if Alice cheats very often (or Bob cheats very often in Protocol 3), but this does not cause much problem since cheating is caught with high probability, and this is a preprocessing stage anyway so the useful data is not leaked. The failures in the quantum gates, measurements, and entanglement generation or qubit transmissions in the preprocessing stage can be tolerated by trialanderror. These failures are required to be reported in the protocols, so they have no effect for Bob’s testing and later computations. In some experimental implementations the failures might not be reported and might appear as errors, and this would affect the security.
Iv Applications in twoparty classical computation
The following Protocol 5 is for evaluating a linear polynomial with distributed output using the quantum preprocessing protocols introduced above. The linear polynomial is of the form , where is a constant bit known to Bob, and and are bits on Alice and Bob’s side, respectively. The output is the XOR of two bits on different sides.
If Protocol 2 is used in Protocol 5, the data privacy of one party is partial. The leakage is about half of his or her input bits. See also the comments after Protocol 6 below. Generally, we suggest using Protocol 3 in Protocol 5, since it at least aims for nearperfect security, although the actual security level is linearly related with noise.
For a generic boolean circuit, we propose Protocol 6. The main computation after the preprocessing does not include any aborts, and only requires the number of communication rounds to be about equal to the circuit depth. The circuit is assumed to be known to both parties, except for some initial local gates, which may be known only to the local party.
If Protocol 2 is used in Protocol 6 with the roles of Alice and Bob switched in the preprocessing only, the data privacy of Bob is partial. The leakage is about half of his input bits in each polynomial. But the privacy is better in the case that the function allows many different inputs of Bob to give rise to the same result. In the case that the function effectively evaluates a universal circuit with data given by Alice and the logical circuit given by Bob, his input has partial privacy which is acceptable due to possible recompilations of Bob’s logical circuit. If Protocol 4 is used instead of Protocol 2, it is suggested that Alice always be the first party, to save the required number of onetime tables when Alice’s data privacy is more important than Bob’s data privacy. Then Alice’s data in the main computation is asymptotically secure because of the property of Protocol 4. The remarks above are for the noiseless case. For the case with noise, see Sec. VI, where it is suggested that simply using Protocol 3 may be a good solution.
The Protocol 6 has a good property that cheating would usually give rise to wrong results. If some party (partially) cheated in generating some of the onetime tables, so that some but not all of the onetime tables used in Protocol 6 are not secure, then the insecure onetime tables are wrong with some significant probability according to Eq. (3): the calculation results for a particular nonlocal AND gate would often be incorrect after the distributed output bits are recombined. This implies that the final computation result has large probability to be wrong. But if that party cheated in all the generated onetime tables and passed the other party’s test, the computation result could be calculated by the cheating party alone with the help of the messages sent from the other party in the main computation stage. The latter case is not likely to happen, since the other party could set a low threshold in the testing.
Some protocol similar to Protocol 6 could be used for evaluating a public circuit on shared classical secrets between Alice and Bob, when each effective input bit is the XOR of two remote bits. The steps are quite similar except for some initial local gates, so we abbreviate the protocol here.
In the following we discuss the security assumptions. We define Bob to be “conservative”, if he values the privacy of his input data higher than the possibility to learn Alice’s data.
First, let us assume that Bob honestly does the testing in the Protocols 2 and 4. There could be superpositions in the input and the output of these quantum protocols, but in the later classical computation task, the parties may do computationalbasis measurements to force the received superposed states to collapse. Note that one party may insist on using the superposed output from some instance of the onetime table, but when the other party does some later gate using such output as an input, the latter party may do computationalbasis measurements to force the collapse of the superposition.
Next, we discuss the case out of the assumption, that is, Bob cheats in the quantum protocols. He may cheat by not aborting after finding that Alice is cheating. This way of cheating is not powerful by itself, but see the following for discussion about his combined ways of cheating. The second way for him to cheat is to use general quantum input (allowing superpositions and entanglement) for the onetime tables, which also allows general quantum output for the onetime tables. In such case, Alice may do computationalbasis measurements in the main bipartite computation stage to force the collapse of superpositions. The case that he uses general quantum output for the onetime tables is discussed in the previous paragraph. For the case that Bob combines the two cheating methods above, if Alice is honest, Bob cannot get more information about Alice’s data compared to the case of him not cheating in this way. If Alice also cheats, then it is possible that Bob’s knowledge about Alice’s data on average is better (e.g. when they discard some onetime tables, so that Bob obtains more information about Alice’s input in the remaining onetime tables). But that comes at the expense of the higher possible leakage of Bob’s data. So a conservative Bob should not do such combined cheating. The third way for Bob to cheat is by using superposed states in the main computation but not the preprocessing. This has no effect since Alice may make a computationalbasis measurement on the state received from Bob in the main computation. Note that Alice’s data leakage is limited by design of the quantum protocols, except in the case of nonconservative Bob discussed above. In conclusion, if we assume Bob to be conservative, the quantum protocols are asymptotically secure; if we assume Alice to be honestbutcurious, the Protocol 4 is asymptotically secure for Alice (as mentioned in Sec. III), and in such case it does not make much sense for Bob to cheat since he cannot gain from cheating.
In the following we consider implementing some cryptographic primitives such as oblivious transfer and bit commitment. The usual oblivious transfer (as opposed to 1outof2 oblivious transfer) Kilian88 ; Crepeau88 , can be implemented in a cheatsensitive way as follows. Again, it requires that one of the parties be conservative, in order for the onetime tables to be successfully and securely generated.
In Protocol 7, if , the resulting product is zero and does not carry any information about ; otherwise, the result is , so it transfers Alice’s input bit to Bob. The protocol is cheatsensitive in the sense that if Alice cheated in Protocol 4, it would have been detected and the protocol would have aborted. The protocol has approximate security, since the precomputed onetime tables are approximately secure.
We then consider 1outof2 oblivious transfer. By choosing the linear polynomial of the type , where , and if Bob asks Alice to send him the output she obtained from running the Protocol 5, Bob may accomplish the same function as 1outof2 oblivious transfer, with the additional property that Bob may ask Alice to send if he cheats by setting . The last point makes it different from the definition of 1outof2 oblivious transfer Kilian88 ; Crepeau88 .
There are some nogo theorems for quantum bit commitment LoChau97 ; Mayers97 . Since our quantum preprocessing protocols allow aborts, and there are some requirements on the players in those protocols, it is still possible that bit commitment can be implemented with the help of the onetime tables generated by the quantum preprocessing protocols. In the Protocol 8 we propose a bit commitment protocol using the above idea, inspired by a computationallysecure construction based on quantum oneway permutations DMS2000 . Here, instead of using the quantum oneway permutations, we use a special bipartite classical computation with distributed output, with the help of quantum preprocessing. Our scheme is cheatsensitive and subject to some other assumptions similar to those for the generic Protocol 6. The protocol 8 requires that one of the parties be conservative, in order for the onetime tables to be successfully and securely generated.
In the last step of Protocol 8, if Alice sends Bob some random bit string, the results obtained by Bob are generally not consistent with any input value of . For large , it is hard for Alice to guess the appropriate bit string to send to Bob to make him believe the input was .
V Applications in twoparty quantum computation
The methods in this work can be applied in twoparty secure quantum computing tasks. When such tasks have classical input and output, they also serve as classical tasks of the type discussed in Sec. IV, but with quantum implementations. In this way, classical computational tasks are completed with quantum speedup and quantum security advantage. But this requires at least one party to have quantum capabilities beyond those required by Protocol 1. A typical problem in twoparty quantum computation is quantum homomorphic encryption (QHE). We will consider both interactive protocols and constantround protocols for QHE. Note that the initial preparation of the onetime tables with checking and preparation of entanglement involve a constant number of legs of communication. The communication in preparation of the onetime tables should be counted in the total number of rounds, while that for entanglement generation is usually not counted in, since it can be absorbed into the first communication in the main part of the protocol (although there may be security problems which should be tolerable in a strong protocol).
In the protocols below, there are some linear polynomials with at least variables, where is the size of input. The variables correspond to Pauli masks in Alice’s teleportation of the input data to Bob. The way Bob changes the coefficients of the linear polynomials is by some keyupdate rules. The keyupdate rules for the first variables (and other variables mentioned below) under the action of Clifford gates can be easily obtained from the following relations:
(10) 
where the is addition modulo 2, and in the gate , the qubit 1 is the control. The effective keyupdate rules for the variables under the gate can be obtained from the relations
(11) 
More details about the keyupdate rules are in bj15 ; Dulek16 .
An interactive QHE scheme with almost optimal informationtheoretic data privacy and circuit privacy is obtainable by using the method in Protocol 5 to evaluate classical linear polynomials, and using the latter as a subprocedure in the Scheme 4 in Yu18 .
To reduce the rounds of communication to a constant, we propose a scheme which is modified from the Scheme 3 in version 12 of Yu18 , while adding the use of precomputed onetime tables. A main technique of the scheme is to use the gardenhose gadget from Dulek16 (and attached as Appendix A), instead of the corresponding simplified gadget in the newer versions of Yu18 . Some steps “at some scheduled time” by Alice in the mentioned scheme are combined here, since under our way of evaluating linear polynomials, there is no need for multiple rounds of interactive communication in the main part of the scheme. The main part of the scheme has three stages of classical communication: from Bob to Alice, and from Alice to Bob, and a final teleportation from Bob to Alice. The steps are briefly described as follows. The linear polynomials are of the form in Protocol 5.
Scheme 1 (A threemessage QHE scheme using precomputed onetime tables)

Bob’s coefficients of the linear polynomials, except the constant term, do not depend on Alice’s original Pauli mask bits or her measurement outcomes in the gardenhose gadgets. The constant terms in the linear polynomials depend on his local measurements in his part of the gardenhose gadgets. So he calculates the XOR of some coefficients with random inputs of the precomputed onetime tables, and sends the resulting bits to Alice.

Alice performs the initial teleportation of her input data qubits without telling Bob any Pauli corrections. The Pauli masks are part of the variables in the linear polynomials to be evaluated. With the received message, Alice computes her part of the output of the linear polynomials, in order to decide what measurements to do in the gardenhose gadgets (shown in Appendix A), and she does the Bellstate measurements with possible gates before the measurements. The measurement outcomes, and some dummy outcomes of the value zero for those measurements not actually done are also part of the variables of the linear polynomials. She sends Bob the XOR of the variables and the inputs of some onetime tables.

Bob receives Alice’s message and calculates his output for the first linear polynomial, and decide which measurements to do in the first gardenhose gadget. He performs the Clifford gates and the gates before the first gardenhose gadget in his circuit, and the measurements in the first gardenhose gadget. The outcomes of those measurements help determine the constant term in the next linear polynomial, so they help determine his measurement choices in the next gardenhose gadget, together with the help from Alice’s message. He continues to do the next batch of gates and measurements, so on. At last, he obtains some quantum output with Pauli masks known to Alice. He teleports his output state to Alice.

Alice corrects the received state from teleportation with the corresponding Pauli masks, to obtain the final quantum output.
In the scheme above, the number of variables in a linear polynomial is at most , where is an upper bound on the number of gates in the circuit to be evaluated. This is because each Bellstate measurement has two outcome bits, and there are six of these measurements, although Alice does three of them at a time. As there are linear polynomials to be evaluated, the total number of consumed onetime tables is .
There are two points on which the security of the quantum computation may be somewhat weaker than in the classical case. First, it is less natural in the quantum protocol to impose classicality of the output of the onetime table. Imposing classicality of course helps security, but it is not necessary given our assumptions about the players in the preprocessing stage. In practice, we may assume that the output of the onetime tables have decohered prior to the use in the main computation. Second, in the current framework for quantum bipartite computation such as in Yu18 , the Pauli masks for the original input qubits are used as the variables in all the linear polynomials involved, this means the data privacy is worse than in the case of classical bipartite computation, in which the intermediate variables replace the roles of the initial variables in many of the linear polynomials. But the use of the quantum preprocessing in this work would give rise to better data privacy than some of the schemes in later parts of Yu18 , because those schemes require correlated encoding of the different variables, while the variables in the current work are encoded independently by the onetime tables.
In the following we extend from QHE to general twoparty quantum computation with publicly known circuit and private quantum inputs. The description of the steps are almost the same as for the QHE scheme above, except that Bob has also some (quantum) input data. If the final output is on Bob’s side, the last teleportation to Alice can be omitted, and Alice needs to send Bob some Pauli masks. We omit the description here. The number of legs of communication in the scheme can be reduced to a constant, by the similar method as that in the QHE scheme above. In the case of classical input, the initial teleportation can be replaced with classical communication with withheld bitflip masks. In the case of classical output, if it needs to be sent to Alice’s side, the final teleportation can just be replaced with classical communication without any masks.
Vi Discussions
The Protocol 1 together with other protocols for checking them effectively implement the PRbox (PopescuRohrlich box Popescu1994 ) type of correlations. The implementation needs time in communication, and involves sending of some classical messages which do not contain useful information about the inputs. So it is not a direct implementation of the PR box, which must be instantaneous. Rather, it is a checkbased implementation of the PRbox type of correlations. However, in Protocol 1, after the initial entanglement has been established, the two directions of teleportation and partial sending of the measurement outcomes can be done simultaneously. This does have some partial flavor of “instantaneous” implementation. The PRbox is nosignaling, so a natural question is whether there is a nosignaling theory that could exist as a physical theory while allowing implementation of the PR boxes. Some new principles have been suggested in the literature that may exclude a large potential set of nosignaling theories PPK09 . Whether our protocols provide any insight on such principles is currently unclear.
The qubitbased quantum protocols in this work can be generalized to work for qudits in principle. This is inspired by the classical case in Beaver98 . This requires some changes in the classical usage of the generated correlations.
The methods in this work are extendable to multipartite classical computation in principle. Some pairs of parties (possibly including some server) may prepare onetime tables using the quantum protocols in this work.
A method of enhancing the security by some additional checks after the computation is as follows. If one party, say Alice, does not require the longterm security of her input in the main computation, Bob may ask her to do additional checking of the onetime tables used in the main computation, at a time such that her input data is no longer sensitive, to make sure that she has not cheated by a lot. Of course, in some practical applications, the final computation result provides some check against Alice’s cheating, since Alice usually has to cheat all the way to the end for a generic computation to be correct (provided that the final result is on her side, not distributed as the XOR of remote bits), and always cheating successfully is unlikely to happen because of the inequalities in Sec. III.
The following are some considerations about physical implementations. The Protocol 1 makes use of teleportation bbc93 , with certain classical messages withheld by the sending party. Such step in the protocol is equivalent to the direct sending of quantum states that have been subject to certain Pauli operators just before sending. Using teleportations allows entanglement to be prepared by a fixed entanglement generating device, allowing for failures in preparation. This may also help getting rid of the issue of multiple photons in direct communication, which harms the privacy in Protocol 1. As for detector inefficiencies and dark counts, the fact that the Protocol 1 can be redone after failure can help mitigate the effects of these issues. Another interesting thing is that the two directions of teleportations in Protocol 1 can be done simultaneously, with the help of some classical processing, due to the special form of the states to be sent. If direct sending is used instead, Bob has to wait for Alice’s qubits before he can do operations on them.
We now consider how physical noise (errors are counted as noise here) affect the protocols. We consider the case that the main computation is classical, since the quantum case is similar in that it also involves evaluating classical linear polynomials. When Protocol 2 with noise is used for a bipartite classical computation task, and if Alice’s data privacy is more important than Bob’s, we suggest that Alice who is the first party in the main computation be the second party in the preprocessing. Then the data leakage of Alice is about the product of the circuit size (the number of the onetime tables) and a small constant indicating the noise level. This is because in Protocol 2, the physical errors and the first party’s cheating look about the same for the second party in the verifications (the “first party” in this sentence is the Bob in the main computation). For circuits with a high level of parallelism, the data leakage of Alice per input bit is about the product of circuit depth and the error constant described above. So the allowed circuit depth is a constant, which is inverse proportional to the error constant. Similar remarks can be said for Protocol 3 for both sides.
If Protocol 4 based on Protocol 2 is used for a bipartite classical computation task, we suggest that Alice be the first party both in the preprocessing and the main computation. The noise level is not directly related to the data privacy of Alice, as it mainly affects the correctness of the computation, and Bob’s data privacy. If Bob only requires only partial privacy (such as in the case that many input values of Bob correspond to the same output value of the function), then Bob’s data privacy may be acceptable even with noise. The correctness may be improved by repeating some instances of Protocol 1 using the same inputs, but that would require using more instances of Protocol 1, and would affect both parties’ data privacy in a potential manner. The word “potential” means that to learn the other party’s data requires one party to do some measurement in the preprocessing stage which would affect the correctness. Suppose that the size of in Protocol 4 is , which means Alice has independent input bits, and each is repeated for times, then , which is necessary to guarantee that Alice’s data is not completely leaked. By adopting majority voting as the decoding method, we may set to be much smaller than and still be able to achieve the correctness. The method of “majority voting” involves Alice sending Bob the XOR of some of her output bits with her first output bit, since directly sending all of them reveals the output to be generated. Bob’s data privacy is indeed affected by that is generally necessary for the correctness of the computation to be at an acceptable level. Hence, when there is nonnegligible noise, the advantage of Protocol 4 over Protocol 2 is weaker than that in the noiseless case, but is still not negligible if Bob’s data privacy is regarded as less important than Alice’s data privacy and the correctness of the computation.
In the noisy case, to avoid the complications in using Protocol 4 as mentioned above, simply using Protocol 3 may be a good solution. An alternative would be using Protocol 2 with “recompilation”, that is, using some new publiclyknown function instead of the original function, with Bob’s input changed accordingly, while Alice’s input is unchanged, so that the result is the same as the original function with the original input of Bob. If the new function is chosen so that it encodes universal classical circuits, and the possible new inputs of Bob are long enough, we can achieve a good level of security for Bob’s input. Such recompilation can be done by classical preprocessing.
There have been studies of the effects of noise in classical cryptographic tasks, and noise is not always bad for security CK88 . Note that adding some assumptions about quantum capabilities may improve the security in bit commitment Salvail98 . Adding similar assumptions on top of our quantum preprocessing protocols may improve the security in the applications.
Since the protocol requires the use of entanglement (or quantum communication instead), the allowed distance between the two parties is expected to be not greater than that for quantum key distribution (QKD). In the case that the two parties are located at longer distance than entanglement generation would allow, we suggest the following two methods: the first method is that one party (Bob) tells his input to the onetime tables to a quantum agent near Alice via some computationallysecure method, and the agent cooperates with Alice in running the quantum protocols to generate onetime tables, and the output of the onetime tables belonging to Bob are sent to Bob via a computationallysecure method. The second method is that some trusted intermediate nodes be added, so that Bob could tell his input to the onetime tables to a node nearest to Alice, via the channel established by relayed QKD of the trusted nodes. The onetime tables are generated by such node and Alice. The output of the onetime tables belong to Bob’s side are sent back to Bob via the channel established by relayed QKD of the trusted nodes. In the main twoparty classical computation between Alice and Bob, most of the communication (except for the last combining of results) can be via public classical channels, but to make it secure against the trusted nodes mentioned above, the communication can also be via relayed QKD by some other trusted nodes, or by some computationallysecure method via public classical channels. The last combining of results should be via one of the two methods just mentioned to keep this part of information secure from the prior set of trusted nodes. For twoparty quantum computation with quantum inputs, the situation is more difficult, since an initial teleportation is needed, but if the input of one party is fully classical, we may let that party send the bits to the other party with masks, without using quantum teleportation, and if the final output on that classicalinput party is also classical, the final result with unknown Pauli masks can be sent back via a classical channel. So we have that the main twoparty quantum computation with classical input and output on one party can be implemented classically, overcoming the difficulty caused by the distance between the two parties, provided that the onetime tables are available with the help of trusted nodes, or by a trusted agent with the help of computationallysecure communication.
To make the protocols secure against eavesdroppers, we suggest using QKD for sending of the classical messages in the protocols. But there is also the use of entanglement in Protocol 1, and the generation of entanglement may be subject to interception by the eavesdropper. The quality of entanglement generation in Protocol 1 may be tested using the standard techniques such as the two parties measuring locally in different bases and compare notes, but that depends on the degree of honesty of the two parties. Note that Alice’s honesty can be verified in Protocols 2 and 4, and Bob’s cheating can be verified in Protocol 3. Bob’s honesty may alternatively be guaranteed by the assumption of conservative Bob. Even if there is a reduction of the quality of entanglement, the data leakage of Alice is still upperbounded by the protocols, although the correctness of the twoparty computation would be affected.
Vii Conclusion
We have proposed some quantum protocols for approximately generating a certain type of classical correlations (a special case of the onetime tables Beaver98 ) with varying degrees of privacy, to be used in bipartite secure computation tasks. We have shown how to use the generated onetime tables in evaluating linear polynomials and generic boolean circuits, and in cheatsensitive oblivious transfer and cheatsensitive bit commitment, as well as in quantum homomorphic encryption and general twoparty secure quantum computation. In the discussions we have mentioned that our method gives a checkbased implementation of the PRbox type of correlations, but with some communication time cost, and involves sending of classical messages which do not contain useful information about the inputs, so it is not a direct implementation of the PR box, but rather the PRbox type of correlations. Open problems include: applications in cheatsensitive quantum implementation of other cryptographic primitives, which may be weaker than the plain version of the primitives; a refined analysis of the protocols, taking into account the physical errors in quantum states and operations; faulttolerance; application to special classes of circuits or functions; design of experimental schemes.
Acknowledgments
LY thanks Yingkai Ouyang for helpful comments. This research is funded in part by the Ministry of Science and Technology of China under Grant No. 2016YFA0301802, and the Department of Education of Zhejiang province under Grant No. Y201737289, and the startup grant of Hangzhou Normal University.
References

[1]
Craig Gentry.
Fully homomorphic encryption using ideal lattices.
In
Proceedings of the Fortyfirst Annual ACM Symposium on Theory of Computing
, STOC ’09, pages 169–178, New York, NY, USA, 2009. ACM.  [2] Z. Brakerski and V. Vaikuntanathan. Efficient fully homomorphic encryption from (standard) LWE. In 2011 IEEE 52nd Annual Symposium on Foundations of Computer Science, pages 97–106, Oct 2011.
 [3] A. C. Yao. How to generate and exchange secrets. In 27th Annual Symposium on Foundations of Computer Science, pages 162–167, Oct 1986.
 [4] Donald Beaver. Onetime tables for twoparty computation. In WenLian Hsu and MingYang Kao, editors, Computing and Combinatorics, pages 361–370, Berlin, Heidelberg, 1998. Springer Berlin Heidelberg.
 [5] Peter P. Rohde, Joseph F. Fitzsimons, and Alexei Gilchrist. Quantum walks with encrypted data. Phys. Rev. Lett., 109:150501, 2012.
 [6] Min Liang. Symmetric quantum fully homomorphic encryption with perfect security. Quantum Inf. Process., 12:3675–3687, 2013.
 [7] Li Yu, Carlos A. PérezDelgado, and Joseph F. Fitzsimons. Limitations on informationtheoreticallysecure quantum homomorphic encryption. Phys. Rev. A, 90:050303(R), Nov 2014.
 [8] S.H. Tan, J. A. Kettlewell, Y. Ouyang, L. Chen, and J. F. Fitzsimons. A quantum approach to homomorphic encryption. Sci. Rep., 6:33467, 2016.
 [9] Y. Ouyang, S.H. Tan, and J. Fitzsimons. Quantum homomorphic encryption from quantum codes. Phys. Rev. A, 98:042334, 2018.
 [10] Anne Broadbent and Stacey Jeffery. Quantum homomorphic encryption for circuits of low Tgate complexity. In Proceedings of Advances in Cryptology — CRYPTO 2015, pages 609–629, 2015.
 [11] Yfke Dulek, Christian Schaffner, and Florian Speelman. Quantum homomorphic encryption for polynomialsized circuits. CRYPTO 2016: Advances in Cryptology  CRYPTO 2016, pages 3–32, 2016.
 [12] M. Newman and Y. Shi. Limitations on Transversal Computation through Quantum Homomorphic Encryption. Quantum Information and Computation, 18:927–948, 2018.
 [13] C.Y. Lai and K.M. Chung. On StatisticallySecure Quantum Homomorphic Encryption. Quantum Information and Computation, 18:785–794, 2018.
 [14] U. Mahadev. Classical homomorphic encryption for quantum circuits. In 2018 IEEE 59th Annual Symposium on Foundations of Computer Science (FOCS), pages 332–338, Oct 2018.
 [15] Gorjan Alagic, Yfke Dulek, Christian Schaffner, and Florian Speelman. Quantum fully homomorphic encryption with verification. In Tsuyoshi Takagi and Thomas Peyrin, editors, Advances in Cryptology – ASIACRYPT 2017, pages 438–467, Cham, 2017. Springer International Publishing.
 [16] M. Newman. Further Limitations on InformationTheoretically Secure Quantum Homomorphic Encryption. http://arxiv.org/abs/1809.08719, September 2018.
 [17] SiHui Tan, Yingkai Ouyang, and Peter P. Rohde. Practical somewhatsecure quantum somewhathomomorphic encryption with coherent states. Phys. Rev. A, 97:042308, Apr 2018.
 [18] Andrew Childs. Secure assisted quantum computation. Quantum Information and Computation, 5(6):456, 2005.
 [19] K. Fisher, A. Broadbent, L.K. Shalm, Z. Yan, J. Lavoie, R. Prevedel, T. Jennewein, and K.J. Resch. Quantum computing on encrypted data. Nat. Commun., 5:3074, 2014.
 [20] Yingkai Ouyang, SiHui Tan, Liming Zhao, and Joseph F. Fitzsimons. Computing on quantum shared secrets. Phys. Rev. A, 96:052333, Nov 2017.
 [21] Yingkai Ouyang, SiHui Tan, Joseph Fitzsimons, and Peter P. Rohde. Homomorphic encryption of linear optics quantum computation on almost arbitrary states of light with asymptotically perfect security. http://arxiv.org/abs/1902.10972, Feb 2019.
 [22] HoiKwong Lo. Insecurity of quantum secure computations. Phys. Rev. A, 56:1154–1162, Aug 1997.
 [23] Harry Buhrman, Matthias Christandl, and Christian Schaffner. Complete insecurity of quantum protocols for classical twoparty computation. Phys. Rev. Lett., 109:160501, Oct 2012.
 [24] Roger Colbeck. Impossibility of secure twoparty classical computation. Phys. Rev. A, 76:062308, Dec 2007.
 [25] Li Yu. A quantum homomorphic encryption scheme for polynomialsized circuits. http://arxiv.org/abs/1810.01166, October 2018.
 [26] C. H. Bennett, G. Brassard, C. Crépeau, R. Jozsa, A. Peres, and W. K. Wootters. Teleporting an unknown quantum state via dual classical and EinsteinPodolskyRosen channels. Phys. Rev. Lett., 70:1895–1899, Mar 1993.
 [27] D. P. DiVincenzo, M. Horodecki, D. W. Leung, J. A. Smolin, and B. M. Terhal. Locking classical correlations in quantum states. Phys. Rev. Lett., 92:067902, Feb 2004.
 [28] C. H. Bennett and G. Brassard. Quantum cryptography: Public key distribution and coin tossing. In Proceedings of IEEE International Conference on Computers, Systems and Signal Processing, volume 175, page 8. New York, 1984.
 [29] Joe Kilian. Founding crytpography on oblivious transfer. In Proceedings of the Twentieth Annual ACM Symposium on Theory of Computing, STOC ’88, pages 20–31, New York, NY, USA, 1988. ACM.
 [30] Claude Crépeau. Equivalence between two flavours of oblivious transfers. In Carl Pomerance, editor, Advances in Cryptology — CRYPTO ’87, pages 350–354, Berlin, Heidelberg, 1988. Springer Berlin Heidelberg.
 [31] HoiKwong Lo and H. F. Chau. Is quantum bit commitment really possible? Phys. Rev. Lett., 78:3410–3413, Apr 1997.
 [32] Dominic Mayers. Unconditionally secure quantum bit commitment is impossible. Phys. Rev. Lett., 78:3414–3417, Apr 1997.
 [33] Paul Dumais, Dominic Mayers, and Louis Salvail. Perfectly concealing quantum bit commitment from any quantum oneway permutation. In Bart Preneel, editor, Advances in Cryptology — EUROCRYPT 2000, pages 300–315, Berlin, Heidelberg, 2000. Springer Berlin Heidelberg.
 [34] Sandu Popescu and Daniel Rohrlich. Quantum nonlocality as an axiom. Foundations of Physics, 24(3):379–385, Mar 1994.
 [35] Marcin Pawlowski, Tomasz Paterek, Dagomir Kaszlikowski, Valerio Scarani, Andreas Winter, and Marek Żukowski. Information causality as a physical principle. Nature, 461:1101–1104, 2009.
 [36] C. Crépeau and J. Kilian. Achieving oblivious transfer using weakened security assumptions. In [Proceedings 1988] 29th Annual Symposium on Foundations of Computer Science, pages 42–52, Oct 1988.
 [37] Louis Salvail. Quantum bit commitment from a physical assumption. In Hugo Krawczyk, editor, Advances in Cryptology — CRYPTO ’98, pages 338–353, Berlin, Heidelberg, 1998. Springer Berlin Heidelberg.
Appendix A The gardenhose gadget that corrects an unwanted gate
The Fig. 1 shows a construction from [11] for correcting an unwanted gate due to a gate in the circuit with certain prior Pauli corrections. The input qubit starts from the position “in”, and ends up in a qubit on Bob’s side which is initially maximally entangled [in the state ] with the qubit in the position “out”. The unwanted on this qubit is corrected, but some other Pauli corrections are now needed because of the Bellstate measurements. In each use of this gadget, some of the Bellstate measurements are not actually performed, dependent on the value of and . The outcomes for those Bellstate measurements not actually performed are recorded as zero.