Quantum preprocessing for security enhancement in classical two-party computation

by   Li Yu, et al.

In classical two-party computation, a trusted initializer who prepares certain initial correlations can help make the bipartite computation secure. We propose two bipartite quantum protocols with possible aborts for approximately generating such bipartite classical correlations with varying degrees of privacy, without introducing a third party. The two parties are assumed to be weakly cooperating and one of them needs to be modestly honest so that the quantum precomputed correlations can be established successfully. Then the main two-party classical computation has nontrivial information-theoretic security for generic circuits.



There are no comments yet.


page 1

page 2

page 3

page 4


Quantum preprocessing for information-theoretic security in two-party computation

In classical two-party computation, a trusted initializer who prepares c...

Quantum Correlations Can Speed Up All Classical Computation

Quantum correlations can provide performance advantages in various tasks...

Client-Server Identification Protocols with Quantum PUF

Recently, major progress has been made towards the realisation of the qu...

InfoCommit: Information-Theoretic Polynomial Commitment and Verification

We introduce InfoCommit, a protocol for polynomial commitment and verifi...

Bipartite discrimination of independently prepared quantum states as a counterexample of a parallel repetition conjecture

For distinguishing quantum states sampled from a fixed ensemble, the gap...

Bipartite discrimination of independently prepared quantum states: revival of distinguishability with entanglement

For distinguishing quantum states sampled from a fixed ensemble, the gap...

Summonable Supermoney: virtual tokens for a relativistic economy

We propose definitions and implementations of "supermoney" - virtual tok...
This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

I Introduction

The security of two-party computation is a main research topic in classical cryptography. The goal is usually to correctly compute some function of the inputs from the two parties, while keeping the inputs as private from the opposite party as possible. This has been studied using classical homomorphic encryption techniques Gentry09 ; brakerski2011efficient or through implementing Yao’s “Garbled Circuit” solution Yao86 . Another possibility is to introduce a trusted third party, who may sometimes interact with the two parties for multiple rounds. To lower the requirement on the trusted third party, a “trusted initializer” has been proposed Beaver98 . Such trusted initializer only prepares some initial correlations between the two parties, and does not interact with any party afterwards. A trusted initializer who prepares certain initial correlations, referred to as “one-time tables”, can help make the bipartite computation secure.

In this work, we propose two-party quantum protocols with aborts as replacements for the trusted initializer, for achieving some degree of information-theoretic security in bipartite classical computation. Our main protocols are based on Protocol 1 which implements the following task approximately with partial privacy: it takes as input two locally-generated random bits and from Alice and Bob, respectively, and outputs two bits and on the two parties, where is a random bit. We propose Protocol 2 to select some one-time tables generated by Protocol 1. It allows Bob to abort during the protocol when he finds that Alice is cheating. When Protocol 2 is used in the generic interactive bipartite classical computing task, the data leakage of Alice is asymptotically vanishing for perfect physical systems, but for noisy physical systems, the leakage is linearly related to the noise level. The data privacy of Bob is partial: the leakage is about half of his input bits, but the privacy is better in the case that the function allows many different inputs of Bob to give rise to the same result, including the case that the function effectively evaluates universal circuits. We then propose Protocol 3 which is based on Protocol 2, such that the data privacy of Alice is asymptotically vanishing and almost independent of the physical errors, while the data privacy of Bob is still good but worse than that in Protocol 2 under comparable resource cost. The security of the overall protocol is dependent on that the two parties are weakly cooperating and that Bob indeed does the checking in the preprocessing so that the one-time tables can be generated.

The structures of Protocols 2 and 3 are similar: both protocols have some initial steps for generating some correlations, and some step for verification, and postselection of some generated correlations. The difference is only that Protocol 3 has an extra post-processing step, and the usages of the protocols in the later bipartite classical computation task are different. The verifications in these protocols take hint from similar procedures for quantum key distribution BB84

. Success is not guaranteed if Alice always cheats, but this does not cause much problem since Alice’s cheating is caught with high probability, and this is a preprocessing stage anyway so the useful data is not leaked. The failures in the quantum gates, measurements, and entanglement generation or qubit transmissions in the preprocessing stage can be tolerated by trial-and-error. These failures are required to be reported in the protocols, so they have no effect for Bob’s testing and later computations. In some experimental implementations the failures might not be reported and might appear as errors, and this would affect the security.

The rest of the paper is organized as follows. Sec. II contains some introduction of the background. In Sec. III we introduce the quantum protocols. Sec. IV shows applications in general two-party classical computation, and the security assumptions. Sec. V contains some discussions. Sec. VI contains the conclusion and some open problems.

Ii Preliminaries

On computing two-party classical functions with quantum circuits, Lo Lo97 studied the data privacy for publicly known classical functions with the output on one party only. Buhrman et al bcs12 studied the security of two-party quantum computation for publicly known classical functions in the case that both parties know the outcome, although with some limitations in the security notions. These and other results in the literature Colbeck07 suggest that secure bipartite classical computing cannot be generally done by quantum protocols where the two parties have full quantum capabilities. In the current work, the protocols allow aborts in the quantum preprocessing (Bob may abort when he detects that Alice has cheated), so the scenario considered here does not fit into the assumptions in the works mentioned above. We have considered adopting a non-standard assumption that the parties in the main bipartite computation stage are restricted to be entirely classical; but such assumption does not appear to be essential.

Next, we introduce the simplest case in the one-time tables Beaver98 . The bipartite AND gate with distributed output is a gate that takes as input two distant bits and , and outputs and on the two parties, respectively, where is a uniformly random bit. (XOR is denoted as ; AND is denoted as the symbol.) It is sufficient for secure two-party classical computation, although there may be other constructions. Theoretically, the bipartite AND gate with distributed output on two distant input bits and can be computed while keeping both input bits completely private, with the help of a precomputed ideal one-time table of the nonlocal-AND type. Later we present approximate generation methods for such one-time tables. The one-time table has two locally-generated uniformly random bits and on the two parties, respectively, and also has and on the two parties, respectively, where is a uniformly random bit. The steps for the bipartite AND-gate computation are as follows:

1. Alice announces . Bob announces .

2. Alice takes the output from the one-time table, and computes the XOR with , and regard the result as her output of the bipartite AND-gate computation. Bob takes the output from the one-time table, and computes the XOR with , and regard the result as his output of the bipartite AND-gate computation.

The XOR of the two output bits is , while each output bit is a uniformly random bit when viewed alone, because is a uniformly random bit. Since the messages and do not contain any information about and , the desired bipartite AND gate is implemented while and are still perfectly private.

Iii The quantum protocols

The two main quantum protocols to be introduced later are based on Protocol 1, which is the distributed-output version of a subprocedure of a protocol from Yu18 . The Protocol 1 effectively computes an AND function on two remote classical bits from the two parties, with the output being a distributed bit, i.e. the XOR of two bits on the two parties. The security is not ideal: the plain use of such protocol would give rise to non-ideal security in (interactive) quantum homomorphic encryption Yu18 , and the security is such that some additional verification need to be added in the protocol for it to be nontrivial. Here we propose a quantum protocol as a preprocessing stage for a bipartite classical computation task. By allowing verification and postselection, the security level in the quantum protocol becomes higher than that achievable from the plain use of Protocol 1. The postselected correlations (one-time tables) can be used in a classical bipartite computation task with high levels of correctness and of the privacy of input data.

In Protocol 1, denote , and , and the random bits are unbiased and independent of other variables by default.

Input: A random bit from Alice and a random bit from Bob.
Output: and on the two sides, where is a random bit.
The input and output together form the one-time table.

  1. Alice generates a random bit . If , she encodes ’s value into ; if and , she prepares the state ; in the remaining case , she prepares the state .

  2. She teleports the pair of qubits to Bob without telling him the bit for correction on the first qubit nor the bit for correction on the second qubit. When , she records the bit for correction on the second qubit as , otherwise she records the bit for correction on the first qubit as . Then is a random bit.

  3. If , Bob does a gate on the two received qubits (with the first qubit as the control qubit), otherwise he does nothing.

  4. Bob teleports the resulting qubits to Alice, while withholding part of the information about the measurement outcomes: he calculates the XOR of the two measurement outcomes in the teleportation of each qubit, and calculate the XOR of the obtained two bits in each pair, and sends the resulting bit to Alice. Thus, Alice receives the two qubits with a possible mask for each qubit, together with possible simultaneous masks on both qubits. If a correction is needed for one received qubit, we regard Bob’s mask bit for that qubit as , and otherwise we regard it as . Bob’s output bit in the protocol is the XOR of the two mask bits.

  5. If , Alice measures the two received qubits in the basis, otherwise she measures them in the basis. She calculates the XOR of both outcomes, and take the XOR with , and obtains a bit. She flips this bit if and Bob’s sent bit are both . The obtained bit is her output.

Protocol 1 A quantum protocol for generating the one-time table of the nonlocal-AND type with partial privacy

In Protocol 1, Alice’s input bit has partial privacy even for a cheating Bob, while Bob’s input bit is secure for an honest Alice, but is not secure at all for a cheating Alice. The privacy of Alice’s input bit can be quantified using the accessible information or the trace distance. The accessible information, i.e. the maximum classical mutual information corresponding to Bob’s possible knowledge about Alice’s input, is exactly bits, which happens to be equal to the Holevo bound in the current case. For a cheating Bob to get the maximum amount of information, his best measurement strategy in the current case is to use a fixed projective measurement: to measure the first qubit in the basis, and the second qubit in the basis. The trace distance of the two density operators for Alice’s two possible input values is , by direct calculation (see also Yu18 ). Thus, the probability that Bob guesses Alice’s input bit correctly is .

To learn about Bob’s input bit, a cheating Alice may use an entangled state . From Bob’s returned state, and after correcting for the Pauli operator indicated by Bob’s returned classical message, Alice may find out Bob’s input bit with certainty.

In the following we present two protocols which check or combine the one-time tables generated in Protocol 1. The first one has partial security for Alice and near-perfect security for Bob, while the second one aims for near-perfect security for both parties with higher resource cost.

  1. Alice and Bob perform Protocol 1 repeatedly (or run many instances in parallel) to generate some one-time tables, and exchange messages to agree on which instances were successfully implemented experimentally. Suppose one-time tables were implemented. The one-time tables labeled by has inputs and , and outputs and .

  2. Bob randomly selects integers in , which are labels for which one-time table. He tells his choices to Alice. The integer satisfies that is an upper bound on the required one-time tables in the main bipartite computing task, and the ratio is related to the targeted security level of the overall computation.

  3. Alice sends the bits and to Bob for all chosen labels .

  4. For any chosen label , Bob checks if and satisfy that . If the total number of failures is larger than some preset number of Bob’s (e.g. , or a small constant times ), he aborts the protocol, or restarts the protocol if needed. Otherwise, the remaining one-time tables are regarded as having passed the checking and will be used later in the two-party classical computing task. They may repeat the steps above to prepare more one-time tables on demand.

Protocol 2 A partly-secure quantum protocol for checking the one-time tables

In Protocol 2, Alice’s input bit has partial privacy, which is the same as in the analysis of Protocol 1 above. When the ratio is near one, the nonlocal correlations in the remaining unchecked one-time tables can be regarded as almost surely correct. This is because of Bob’s checking. We require Alice to be weakly cooperating, that is, she does not cheat in some of the batches of instances, since otherwise no one-time table may pass the test. In the following we assume that Bob is mildly honest, which means that he indeed does the checking; but we allow him to use a superposed input and later collapse it if the instance is chosen for checking; those instances not subject to checking may be then in a superposition state, but Alice could later do computational-basis measurements to collapse them, without affecting the correctness of the protocol. For an honest Alice, the resulting correlation is correct. We now discuss the case that Alice cheats. If Alice cheats and gets at least partial information about Bob’s input bit (using the notations in Protocol 1, same below), the state sent from Alice to Bob must be different from what is specified in the protocol; her best choice of state for cheating is mentioned previously. To pass Bob’s test, she should know both and , or know both and . (The two conditions are equivalent in the exact case, but not necessarily equivalent in the partial-information case.) In the following, let denote the classical mutual information learnable by Alice about the bit if she uses the measurement . The and

are defined similarly, but note that they are conditioned on the uniform distribution for


Proposition 1.

The follows inequalities hold:


where the two classical mutual information in each inequality are defined under the same measurement of Alice.


The overall communication from Bob to Alice in Protocol 1 is only one classical bit (note the entangled states used in the teleportations are fixed and do not count towards the amount of communication), then, by the Holevo bound (also noting that there are effectively no other prior correlations between the two parties besides the fixed entangled state, so the locking of information DHL04

does not occur here), the amount of information that Alice learns about the joint distribution of

and is upper bounded by bit. The bits and are independent when Bob produces them, so the and are independent prior to Alice’s measurement. Thus the inequality (1) holds. The bits and jointly determine and , so the amount of information that Alice learns about the joint distribution of and is upper bounded by bit. And since the bits and are independent prior to Alice’s measurement, we have that the inequality (2) holds.    

The inequalities (1) and (2) together imply


The probability that Alice passes Bob’s test is related to the in Eq. (3). When the probability of passing approaches , such maximum approaches , then it must be that one of them approaches . Then, Prop. 1 implies that Alice can learn almost nothing about . A rephrasing in terms of the rate of cheating is given below.

For proving the security of Protocol 2, we only need Eq. (3) in the region . Alice may cheat in some instances of Protocol 1 so we may define a rate of cheating. Partial cheating in a instance is converted into a fractional number of cheating instances in calculating such rate. When the rate of Alice’s cheating is small, Bob would observe few wrong results. It is sort of subjective to determine the exact rate of cheating from the number of wrong results and the total number of tests in Protocol 2, since it depends on the a priori

knowledge about the probability distribution for Alice’s rate of cheating. Suppose that after some checking, Bob decides that Alice’s rate of cheating is

, which is a small positive constant near , then the following approximation holds for the uniform distribution of and : for some measurement chosen by Alice. Hence, holds for the same distributions of and , according to Eq. (3). This shows that the amount of information about learnable by a cheating Alice is small. Since such information is linearly related to the information learnable by Alice in the later classical computation stage (see Sec. II), this shows the security of Protocol 2 for use in the later classical computation.

Numerical calculations confirm the inequalities (1) through (3). The calculation assumes that Alice uses some general quantum pure state as input, allowing an ancillary system of dimensions, the maximum required by the Schmidt decomposition. Our calculations use projective measurements; note the same occurs twice in each inequality.

Since the calculations on mutual information often stuck on local maxima, we did a different numerical calculation, that is, a numerical calculation of the Holevo bounds. The latter type of calculations converge quickly due to not having to consider measurement bases, and they indicate upper bounds of the information quantities so they are more convincing for showing the security of our protocols. The numerical results imply the following inequalities for the sum of Holevo bounds. The is the Holevo quantity which is the upper bound for the information learnable by Alice about the bit . The other quantities are defined similarly, but note that they are conditioned on the uniform distribution for .


where is a constant somewhat larger than and is yet to be precisely determined. This implies that


When the ancilla is dimensions, numerics suggest that near the ends of the tradeoff curve indicated by Eqs. 4 and 5, one quantity approaches bit while the other quantity approaches , and this verifies the security of Protocol 2. The numerically observed value of is somewhat higher than bits. For Alice’s input state that achieves the numerically found maximal value of the left-hand-side, it satisfies that the two terms on the left-hand-side of Eq. (6) are about equal, and the corresponding sum of the form Eq. (3) under projective measurements is numerically found to be not greater than bit. Also, for initial states satisfying , the corresponding sum of the form Eq. (3) under projective measurements is numerically found to be not greater than bit. When there is no ancilla, numerics suggest that the left-hand-side of Eq. (6) is not greater than bit.

The following protocol builds on Protocol 2, and it improves the privacy of Alice’s input in the later main computation task, while that of Bob’s input is somewhat compromised.

  1. Alice and Bob perform Protocol 2 to obtain some one-time tables after Bob’s checking. Suppose the instance labeled by has inputs and , and outputs and .

  2. Bob determines which remaining one-time tables are to be combined into one new instance of one-time table, and tells Alice his decision. Each new instance corresponds to a set of old instances which satisfy that Bob’s input bits are equal (denoted as ). A new instance is constructed from the given set of old instances as follows: , , , .

Protocol 3 A quantum protocol for generating improved one-time tables with combinations

In Protocol 3, the privacy of Alice’s bit for the combined one-time table is quite good: The accessible information for Bob is exactly bits, where is the size of in protocol description. It is because the different one-time tables from the first step are independent. The Holevo bound happens to coincide with the accessible information in the current case.

For the privacy of Bob’s input bit in the combined one-time table, it is possible for a cheating Alice to do a joint measurement on received states from Bob, to learn the information about and simultaneously as much as possible (or and

). Bob can deal with this by testing more one-time tables. The resource usage (the amount of entanglement needed and the amount of communication) is estimated to be about

times that of Protocol 2, to achieve the similar level of privacy for Bob, where is the total number of one-time tables required for the later main computation, and is the size of in Protocol 3. The factor appears here because Alice may use techniques similar to Grover’s algorithm to increase the amount of information she may learn about .

Iv Applications for two-party classical computation

The following Protocol 4 is for evaluating a linear polynomial with distributed output using the quantum preprocessing protocols introduced above. The linear polynomial is of the form , where is a constant bit known to Bob, and and are bits on Alice and Bob’s side, respectively. The output is the XOR of two bits on different sides.

  1. Alice and Bob perform Protocol 2 or Protocol 3 to obtain some one-time tables.

  2. For evaluating the linear polynomial , Alice and Bob perform the evaluation of the nonlocal AND gate for and using the procedure in Sec. II, with the output being distributed. They locally calculate the XOR of all bits from the outputs, and Bob additionally takes the XOR with . Each party obtains a bit as the output.

Protocol 4 A protocol for evaluating classical linear polynomials with distributed output using one-time tables

If Protocol 2 is used in Protocol 4, the data privacy of one party is partial. The leakage is about half of his or her input bits. See also the comments after Protocol 5 below.

By choosing the linear polynomial of the type , where , and if Bob asks Alice to send him the output she obtained from running the Protocol 4, Bob may accomplish the same function as 1-out-of-2 oblivious transfer, with the additional property that Bob may ask Alice to send if he cheats by setting . The last point makes it different from the definition of 1-out-of-2 oblivious transfer Kilian88 ; Crepeau88 .

For a generic boolean circuit, the main computation after the preprocessing does not include any aborts, and only requires the number of communication rounds to be about equal to the circuit depth. The protocol is shown as Protocol 5.

  1. Alice and Bob decompose the two-party circuit to be evaluated into some local circuits with AND, XOR gates, and some linear polynomials with bipartite input, while adding possible ancillary bits with fixed initial values.

  2. For each AND gate not in the initial stage, the inputs are distributed, i.e. each bit is the XOR of two remote bits. Alice and Bob decompose such gate into the XOR of the outputs of two local AND gates and two nonlocal AND gates, the latter being a special case of the linear polynomial.

  3. They perform the gates in the resulting circuit in pre-arranged order. The linear polynomials are evaluated using Protocol 4 with distributed output. The outputs of the linear polynomials affect the coefficients in the later linear polynomials.

Protocol 5 A protocol for evaluating classical boolean circuits using one-time tables

If Protocol 2 is used in Protocol 5 with the roles of Alice and Bob switched, the data privacy of Bob is partial. The leakage is about half of his input bits in each polynomial. But the privacy is better in the case that the function allows many different inputs of Bob to give rise to the same result. In the case that the function effectively evaluates a universal circuit with data given by Alice and the logical circuit given by Bob, his input has partial privacy which is acceptable due to possible recompilations of Bob’s logical circuit. If Protocol 3 is used instead of Protocol 2, it is suggested that Alice be the first party, to save the required number of one-time tables. Then Alice’s data in the main computation is asymptotically secure because of the property of Protocol 3.

We usually assume that Bob honestly does the testing in the Protocols 2 and 3. There could be superpositions in the input and the output of these quantum protocols, but in the later classical computation task, the parties may do computational-basis measurements to force the superposed states to collapse.

Now we discuss the case out of the assumption, that is, Bob cheats in the quantum protocols. He may cheat by not aborting after finding that Alice is cheating. This way of cheating is not powerful by itself, but becomes complicated to analyze if he also uses the second way to cheat at the same time, and we leave it for future study. The second way for him to cheat is to use general quantum input (allowing superpositions and entanglement) for the instances of Protocol 1. In such case, Alice may do computational-basis measurements in the main bipartite computation stage to force the collapse of superpositions. But he case that Bob combines the two cheating methods above is more complicated to analyze, especially since Alice may also cheat. The third way for Bob to cheat is by using superposed states in the main computation but not the preprocessing. This has no effect since Alice may make a computational-basis measurement on the state received from Bob in the main computation.

There are some no-go theorems for quantum bit commitment LoChau97 ; Mayers97 . Because of the fact that our quantum preprocessing protocols allow aborts, and there are some requirements on the players in those protocols, it is still possible that bit commitment can be implemented with the help of the one-time tables generated by the quantum preprocessing protocols. In the following we propose a bit commitment protocol using the above idea, inspired by a computationally-secure construction based on quantum one-way permutations DMS2000 . Here, instead of using the quantum one-way permutations, we use a special bipartite classical computation with distributed output, with the help of quantum preprocessing. Our scheme is cheat-sensitive and subject to some other assumptions similar to those for the generic Protocol 5.

  1. Alice and Bob perform Protocol 3 to obtain some one-time tables with the degree of security dependent on resource usage. They decide on a large integer related to the intended security of the current bit commitment protocol.

  2. Suppose Alice wants to commit a bit . She asks Bob to together calculate nonlocal AND gates, using the method in Sec. II, with her input bits being always , but Bob’s inputs vary for each instance and are determined by Bob. They obtain some distributed bits as the outcomes. This completes the commit phase.

  3. (Reveal phase) Alice sends Bob her output in the instances of the nonlocal AND gates in the previous step. Bob takes the XOR for the corresponding pairs of bits to recover the result of the nonlocal AND gates. From these results, Bob finds out , or decide that Alice has cheated by sending him some random bit string so he cannot recover .

Protocol 6 A protocol for cheat-sensitive quantum bit commitment under some assumptions

In the last step of Protocol 6, if Alice sends Bob some random bit string, the results obtained by Bob are generally not consistent with any input value of . For large , it is hard for Alice to guess the appropriate bit string to send to Bob to make him believe the input was .

V Discussions

The qubit-based quantum protocols in this work can be generalized to work for qudits in principle. This is inspired by the classical case in Beaver98 . This requires some changes in the classical usage of the generated correlations.

The methods in this work are extendable to multipartite classical computation in principle. The pairs of parties (possibly including some server) may prepare one-time tables using the quantum protocols in this work.

The one-time tables generated by the quantum protocols in this work could in principle be used in a quantum bipartite computation task, in particular quantum homomorphic encryption rfg12 ; Fisher13 ; ypf14 ; Tan16 ; Ouyang18 ; bj15 ; Dulek16 ; NS17 ; Lai17 ; Mahadev17 ; ADSS17 ; Newman18 ; TOR18 . As for the quantum homomorphic encryption problem, an interactive protocol is obtainable by using the current method to evaluate classical linear polynomials, and use this as a subprocedure in the framework in Yu18 ; further, if the teleportation method in Dulek16 is adopted instead of the corresponding simplified version in Yu18 , the number of rounds needed in the main computation may be reduced to a constant. But there are two points on which the security of the quantum computation may be somewhat weaker than in the classical case. First, it is less natural in the quantum protocol to impose classicality of the output of the one-time table. Imposing classicality of course helps security, but we doubt it is really necessary given our assumptions about the players in the preprocessing stage. In practice, we may assume that the output of the one-time tables have decohered prior to the use in the main computation. Second, in the current framework for quantum bipartite computation such as in Yu18 , the Pauli masks for the original input qubits are used as the variables in all the linear polynomials involved, this means the data privacy is worse than in the case of classical bipartite computation, in which the intermediate variables replace the roles of the initial variables in many of the linear polynomials. But the use of the quantum preprocessing in this work would give rise to better data privacy in quantum homomorphic encryption than some of the schemes in Yu18 , because those schemes require correlated encoding of the different variables, while the techniques here do not require correlated encoding of the different variables.

The following are some considerations about implementations and physical errors. The Protocol 1 makes use of teleportation bbc93 , with certain classical messages withheld by the sending party. Such step in the protocol is equivalent to the direct sending of quantum states that have been subject to certain Pauli operators just before sending. Using teleportations allows entanglement to be prepared by a fixed entanglement generating device, allowing for failures in preparation. This may also help getting rid of the issue of multiple photons in direct communication, which harms the privacy in Protocol 1. As for detector inefficiencies and dark counts, the fact that the Protocol 1 can be redone after failure can help mitigate the effects of these issues.

When Protocol 2 with noise is used for the bipartite classical computation task, the data leakage is about the product of the circuit size (the number of the one-time tables) and a small constant determined by the errors in the physical setup. This is because the physical errors and Alice’s cheating look about the same for Bob in the verifications in Protocol 2. For circuits with a high level of parallelism, the data leakage per input bit is about the product of circuit depth and the error constant described above. So the allowed circuit depth is a constant, which is inverse proportional to the error constant. If Protocol 3 is used instead, the physical errors are somewhat less related to data privacy. There have been studies of the effects of noise in classical cryptographic tasks, and noise is not always bad for security CK88 . Note that adding some assumptions about quantum capabilities may improve the security in bit commitment Salvail98 . Adding similar assumptions on top of our quantum preprocessing protocols may improve the security in the applications.

Vi Conclusions

We have proposed two quantum protocols for approximately generating a certain type of classical correlations (a special case of the one-time table Beaver98 ) with varying degrees of privacy, to be used in bipartite secure classical computation tasks. We show the application to evaluating linear polynomials and generic boolean circuits. Open problems include: applications in cheat-sensitive quantum implementation of other cryptographic primitives, which may be weaker than the plain version of the primitives; a refined analysis of the protocols, taking into account the physical errors in quantum states and operations; fault-tolerance; application to special classes of classical circuits; design of experimental schemes, where the failures must be known when they happen.


This research is funded in part by the Ministry of Science and Technology of China under Grant No. 2016YFA0301802, and the Department of Education of Zhejiang province under Grant No. Y201737289, and the startup grant of Hangzhou Normal University.


  • [1] Craig Gentry. Fully homomorphic encryption using ideal lattices. In

    Proceedings of the Forty-first Annual ACM Symposium on Theory of Computing

    , STOC ’09, pages 169–178, New York, NY, USA, 2009. ACM.
  • [2] Z. Brakerski and V. Vaikuntanathan. Efficient fully homomorphic encryption from (standard) LWE. In 2011 IEEE 52nd Annual Symposium on Foundations of Computer Science, pages 97–106, Oct 2011.
  • [3] A. C. Yao. How to generate and exchange secrets. In 27th Annual Symposium on Foundations of Computer Science, pages 162–167, Oct 1986.
  • [4] Donald Beaver. One-time tables for two-party computation. In Wen-Lian Hsu and Ming-Yang Kao, editors, Computing and Combinatorics, pages 361–370, Berlin, Heidelberg, 1998. Springer Berlin Heidelberg.
  • [5] C. H. Bennett and G. Brassard. Quantum cryptography: Public key distribution and coin tossing. In Proceedings of IEEE International Conference on Computers, Systems and Signal Processing, volume 175, page 8. New York, 1984.
  • [6] Hoi-Kwong Lo. Insecurity of quantum secure computations. Phys. Rev. A, 56:1154–1162, Aug 1997.
  • [7] Harry Buhrman, Matthias Christandl, and Christian Schaffner. Complete insecurity of quantum protocols for classical two-party computation. Phys. Rev. Lett., 109:160501, Oct 2012.
  • [8] Roger Colbeck. Impossibility of secure two-party classical computation. Phys. Rev. A, 76:062308, Dec 2007.
  • [9] Li Yu. A quantum homomorphic encryption scheme for polynomial-sized circuits. http://arxiv.org/abs/1810.01166, October 2018.
  • [10] D. P. DiVincenzo, M. Horodecki, D. W. Leung, J. A. Smolin, and B. M. Terhal. Locking classical correlations in quantum states. Phys. Rev. Lett., 92:067902, Feb 2004.
  • [11] Joe Kilian. Founding crytpography on oblivious transfer. In Proceedings of the Twentieth Annual ACM Symposium on Theory of Computing, STOC ’88, pages 20–31, New York, NY, USA, 1988. ACM.
  • [12] Claude Crépeau. Equivalence between two flavours of oblivious transfers. In Carl Pomerance, editor, Advances in Cryptology — CRYPTO ’87, pages 350–354, Berlin, Heidelberg, 1988. Springer Berlin Heidelberg.
  • [13] Hoi-Kwong Lo and H. F. Chau. Is quantum bit commitment really possible? Phys. Rev. Lett., 78:3410–3413, Apr 1997.
  • [14] Dominic Mayers. Unconditionally secure quantum bit commitment is impossible. Phys. Rev. Lett., 78:3414–3417, Apr 1997.
  • [15] Paul Dumais, Dominic Mayers, and Louis Salvail. Perfectly concealing quantum bit commitment from any quantum one-way permutation. In Bart Preneel, editor, Advances in Cryptology — EUROCRYPT 2000, pages 300–315, Berlin, Heidelberg, 2000. Springer Berlin Heidelberg.
  • [16] Peter P. Rohde, Joseph F. Fitzsimons, and Alexei Gilchrist. Quantum walks with encrypted data. Phys. Rev. Lett., 109:150501, 2012.
  • [17] K. Fisher, A. Broadbent, L.K. Shalm, Z. Yan, J. Lavoie, R. Prevedel, T. Jennewein, and K.J. Resch. Quantum computing on encrypted data. Nat. Commun., 5:3074, 2014.
  • [18] Li Yu, Carlos A. Pérez-Delgado, and Joseph F. Fitzsimons. Limitations on information-theoretically-secure quantum homomorphic encryption. Phys. Rev. A, 90:050303(R), Nov 2014.
  • [19] S.-H. Tan, J. A. Kettlewell, Y. Ouyang, L. Chen, and J. F. Fitzsimons. A quantum approach to homomorphic encryption. Sci. Rep., 6:33467, 2016.
  • [20] Y. Ouyang, S.-H. Tan, and J. Fitzsimons. Quantum homomorphic encryption from quantum codes. Phys. Rev. A, 98:042334, 2018.
  • [21] Anne Broadbent and Stacey Jeffery. Quantum homomorphic encryption for circuits of low T-gate complexity. In Proceedings of Advances in Cryptology — CRYPTO 2015, pages 609–629, 2015.
  • [22] Yfke Dulek, Christian Schaffner, and Florian Speelman. Quantum homomorphic encryption for polynomial-sized circuits. CRYPTO 2016: Advances in Cryptology - CRYPTO 2016, pages 3–32, 2016.
  • [23] M. Newman and Y. Shi. Limitations on Transversal Computation through Quantum Homomorphic Encryption. Quantum Information and Computation, 18:927–948, 2018.
  • [24] C.-Y. Lai and K.-M. Chung. On Statistically-Secure Quantum Homomorphic Encryption. Quantum Information and Computation, 18:785–794, 2018.
  • [25] U. Mahadev. Classical homomorphic encryption for quantum circuits. In 2018 IEEE 59th Annual Symposium on Foundations of Computer Science (FOCS), pages 332–338, Oct 2018.
  • [26] Gorjan Alagic, Yfke Dulek, Christian Schaffner, and Florian Speelman. Quantum fully homomorphic encryption with verification. In Tsuyoshi Takagi and Thomas Peyrin, editors, Advances in Cryptology – ASIACRYPT 2017, pages 438–467, Cham, 2017. Springer International Publishing.
  • [27] M. Newman. Further Limitations on Information-Theoretically Secure Quantum Homomorphic Encryption. http://arxiv.org/abs/1809.08719, September 2018.
  • [28] Si-Hui Tan, Yingkai Ouyang, and Peter P. Rohde. Practical somewhat-secure quantum somewhat-homomorphic encryption with coherent states. Phys. Rev. A, 97:042308, Apr 2018.
  • [29] C. H. Bennett, G. Brassard, C. Crépeau, R. Jozsa, A. Peres, and W. K. Wootters. Teleporting an unknown quantum state via dual classical and einstein-podolsky-rosen channels. Phys. Rev. Lett., 70:1895–1899, Mar 1993.
  • [30] C. Crepeau and J. Kilian. Achieving oblivious transfer using weakened security assumptions. In [Proceedings 1988] 29th Annual Symposium on Foundations of Computer Science, pages 42–52, Oct 1988.
  • [31] Louis Salvail. Quantum bit commitment from a physical assumption. In Hugo Krawczyk, editor, Advances in Cryptology — CRYPTO ’98, pages 338–353, Berlin, Heidelberg, 1998. Springer Berlin Heidelberg.