I Introduction
The security of twoparty computation is a main research topic in classical cryptography. The goal is usually to correctly compute some function of the inputs from the two parties, while keeping the inputs as private from the opposite party as possible. This has been studied using classical homomorphic encryption techniques Gentry09 ; brakerski2011efficient or through implementing Yao’s “Garbled Circuit” solution Yao86 . Another possibility is to introduce a trusted third party, who may sometimes interact with the two parties for multiple rounds. To lower the requirement on the trusted third party, a “trusted initializer” has been proposed Beaver98 . Such trusted initializer only prepares some initial correlations between the two parties, and does not interact with any party afterwards. A trusted initializer who prepares certain initial correlations, referred to as “onetime tables”, can help make the bipartite computation secure.
In this work, we propose twoparty quantum protocols with aborts as replacements for the trusted initializer, for achieving some degree of informationtheoretic security in bipartite classical computation. Our main protocols are based on Protocol 1 which implements the following task approximately with partial privacy: it takes as input two locallygenerated random bits and from Alice and Bob, respectively, and outputs two bits and on the two parties, where is a random bit. We propose Protocol 2 to select some onetime tables generated by Protocol 1. It allows Bob to abort during the protocol when he finds that Alice is cheating. When Protocol 2 is used in the generic interactive bipartite classical computing task, the data leakage of Alice is asymptotically vanishing for perfect physical systems, but for noisy physical systems, the leakage is linearly related to the noise level. The data privacy of Bob is partial: the leakage is about half of his input bits, but the privacy is better in the case that the function allows many different inputs of Bob to give rise to the same result, including the case that the function effectively evaluates universal circuits. We then propose Protocol 3 which is based on Protocol 2, such that the data privacy of Alice is asymptotically vanishing and almost independent of the physical errors, while the data privacy of Bob is still good but worse than that in Protocol 2 under comparable resource cost. The security of the overall protocol is dependent on that the two parties are weakly cooperating and that Bob indeed does the checking in the preprocessing so that the onetime tables can be generated.
The structures of Protocols 2 and 3 are similar: both protocols have some initial steps for generating some correlations, and some step for verification, and postselection of some generated correlations. The difference is only that Protocol 3 has an extra postprocessing step, and the usages of the protocols in the later bipartite classical computation task are different. The verifications in these protocols take hint from similar procedures for quantum key distribution BB84
. Success is not guaranteed if Alice always cheats, but this does not cause much problem since Alice’s cheating is caught with high probability, and this is a preprocessing stage anyway so the useful data is not leaked. The failures in the quantum gates, measurements, and entanglement generation or qubit transmissions in the preprocessing stage can be tolerated by trialanderror. These failures are required to be reported in the protocols, so they have no effect for Bob’s testing and later computations. In some experimental implementations the failures might not be reported and might appear as errors, and this would affect the security.
The rest of the paper is organized as follows. Sec. II contains some introduction of the background. In Sec. III we introduce the quantum protocols. Sec. IV shows applications in general twoparty classical computation, and the security assumptions. Sec. V contains some discussions. Sec. VI contains the conclusion and some open problems.
Ii Preliminaries
On computing twoparty classical functions with quantum circuits, Lo Lo97 studied the data privacy for publicly known classical functions with the output on one party only. Buhrman et al bcs12 studied the security of twoparty quantum computation for publicly known classical functions in the case that both parties know the outcome, although with some limitations in the security notions. These and other results in the literature Colbeck07 suggest that secure bipartite classical computing cannot be generally done by quantum protocols where the two parties have full quantum capabilities. In the current work, the protocols allow aborts in the quantum preprocessing (Bob may abort when he detects that Alice has cheated), so the scenario considered here does not fit into the assumptions in the works mentioned above. We have considered adopting a nonstandard assumption that the parties in the main bipartite computation stage are restricted to be entirely classical; but such assumption does not appear to be essential.
Next, we introduce the simplest case in the onetime tables Beaver98 . The bipartite AND gate with distributed output is a gate that takes as input two distant bits and , and outputs and on the two parties, respectively, where is a uniformly random bit. (XOR is denoted as ; AND is denoted as the symbol.) It is sufficient for secure twoparty classical computation, although there may be other constructions. Theoretically, the bipartite AND gate with distributed output on two distant input bits and can be computed while keeping both input bits completely private, with the help of a precomputed ideal onetime table of the nonlocalAND type. Later we present approximate generation methods for such onetime tables. The onetime table has two locallygenerated uniformly random bits and on the two parties, respectively, and also has and on the two parties, respectively, where is a uniformly random bit. The steps for the bipartite ANDgate computation are as follows:
1. Alice announces . Bob announces .
2. Alice takes the output from the onetime table, and computes the XOR with , and regard the result as her output of the bipartite ANDgate computation. Bob takes the output from the onetime table, and computes the XOR with , and regard the result as his output of the bipartite ANDgate computation.
The XOR of the two output bits is , while each output bit is a uniformly random bit when viewed alone, because is a uniformly random bit. Since the messages and do not contain any information about and , the desired bipartite AND gate is implemented while and are still perfectly private.
Iii The quantum protocols
The two main quantum protocols to be introduced later are based on Protocol 1, which is the distributedoutput version of a subprocedure of a protocol from Yu18 . The Protocol 1 effectively computes an AND function on two remote classical bits from the two parties, with the output being a distributed bit, i.e. the XOR of two bits on the two parties. The security is not ideal: the plain use of such protocol would give rise to nonideal security in (interactive) quantum homomorphic encryption Yu18 , and the security is such that some additional verification need to be added in the protocol for it to be nontrivial. Here we propose a quantum protocol as a preprocessing stage for a bipartite classical computation task. By allowing verification and postselection, the security level in the quantum protocol becomes higher than that achievable from the plain use of Protocol 1. The postselected correlations (onetime tables) can be used in a classical bipartite computation task with high levels of correctness and of the privacy of input data.
In Protocol 1, denote , and , and the random bits are unbiased and independent of other variables by default.
In Protocol 1, Alice’s input bit has partial privacy even for a cheating Bob, while Bob’s input bit is secure for an honest Alice, but is not secure at all for a cheating Alice. The privacy of Alice’s input bit can be quantified using the accessible information or the trace distance. The accessible information, i.e. the maximum classical mutual information corresponding to Bob’s possible knowledge about Alice’s input, is exactly bits, which happens to be equal to the Holevo bound in the current case. For a cheating Bob to get the maximum amount of information, his best measurement strategy in the current case is to use a fixed projective measurement: to measure the first qubit in the basis, and the second qubit in the basis. The trace distance of the two density operators for Alice’s two possible input values is , by direct calculation (see also Yu18 ). Thus, the probability that Bob guesses Alice’s input bit correctly is .
To learn about Bob’s input bit, a cheating Alice may use an entangled state . From Bob’s returned state, and after correcting for the Pauli operator indicated by Bob’s returned classical message, Alice may find out Bob’s input bit with certainty.
In the following we present two protocols which check or combine the onetime tables generated in Protocol 1. The first one has partial security for Alice and nearperfect security for Bob, while the second one aims for nearperfect security for both parties with higher resource cost.
In Protocol 2, Alice’s input bit has partial privacy, which is the same as in the analysis of Protocol 1 above. When the ratio is near one, the nonlocal correlations in the remaining unchecked onetime tables can be regarded as almost surely correct. This is because of Bob’s checking. We require Alice to be weakly cooperating, that is, she does not cheat in some of the batches of instances, since otherwise no onetime table may pass the test. In the following we assume that Bob is mildly honest, which means that he indeed does the checking; but we allow him to use a superposed input and later collapse it if the instance is chosen for checking; those instances not subject to checking may be then in a superposition state, but Alice could later do computationalbasis measurements to collapse them, without affecting the correctness of the protocol. For an honest Alice, the resulting correlation is correct. We now discuss the case that Alice cheats. If Alice cheats and gets at least partial information about Bob’s input bit (using the notations in Protocol 1, same below), the state sent from Alice to Bob must be different from what is specified in the protocol; her best choice of state for cheating is mentioned previously. To pass Bob’s test, she should know both and , or know both and . (The two conditions are equivalent in the exact case, but not necessarily equivalent in the partialinformation case.) In the following, let denote the classical mutual information learnable by Alice about the bit if she uses the measurement . The and
are defined similarly, but note that they are conditioned on the uniform distribution for
.Proposition 1.
The follows inequalities hold:
(1)  
(2) 
where the two classical mutual information in each inequality are defined under the same measurement of Alice.
Proof.
The overall communication from Bob to Alice in Protocol 1 is only one classical bit (note the entangled states used in the teleportations are fixed and do not count towards the amount of communication), then, by the Holevo bound (also noting that there are effectively no other prior correlations between the two parties besides the fixed entangled state, so the locking of information DHL04
does not occur here), the amount of information that Alice learns about the joint distribution of
and is upper bounded by bit. The bits and are independent when Bob produces them, so the and are independent prior to Alice’s measurement. Thus the inequality (1) holds. The bits and jointly determine and , so the amount of information that Alice learns about the joint distribution of and is upper bounded by bit. And since the bits and are independent prior to Alice’s measurement, we have that the inequality (2) holds.The probability that Alice passes Bob’s test is related to the in Eq. (3). When the probability of passing approaches , such maximum approaches , then it must be that one of them approaches . Then, Prop. 1 implies that Alice can learn almost nothing about . A rephrasing in terms of the rate of cheating is given below.
For proving the security of Protocol 2, we only need Eq. (3) in the region . Alice may cheat in some instances of Protocol 1 so we may define a rate of cheating. Partial cheating in a instance is converted into a fractional number of cheating instances in calculating such rate. When the rate of Alice’s cheating is small, Bob would observe few wrong results. It is sort of subjective to determine the exact rate of cheating from the number of wrong results and the total number of tests in Protocol 2, since it depends on the a priori
knowledge about the probability distribution for Alice’s rate of cheating. Suppose that after some checking, Bob decides that Alice’s rate of cheating is
, which is a small positive constant near , then the following approximation holds for the uniform distribution of and : for some measurement chosen by Alice. Hence, holds for the same distributions of and , according to Eq. (3). This shows that the amount of information about learnable by a cheating Alice is small. Since such information is linearly related to the information learnable by Alice in the later classical computation stage (see Sec. II), this shows the security of Protocol 2 for use in the later classical computation.Numerical calculations confirm the inequalities (1) through (3). The calculation assumes that Alice uses some general quantum pure state as input, allowing an ancillary system of dimensions, the maximum required by the Schmidt decomposition. Our calculations use projective measurements; note the same occurs twice in each inequality.
Since the calculations on mutual information often stuck on local maxima, we did a different numerical calculation, that is, a numerical calculation of the Holevo bounds. The latter type of calculations converge quickly due to not having to consider measurement bases, and they indicate upper bounds of the information quantities so they are more convincing for showing the security of our protocols. The numerical results imply the following inequalities for the sum of Holevo bounds. The is the Holevo quantity which is the upper bound for the information learnable by Alice about the bit . The other quantities are defined similarly, but note that they are conditioned on the uniform distribution for .
(4)  
(5) 
where is a constant somewhat larger than and is yet to be precisely determined. This implies that
(6) 
When the ancilla is dimensions, numerics suggest that near the ends of the tradeoff curve indicated by Eqs. 4 and 5, one quantity approaches bit while the other quantity approaches , and this verifies the security of Protocol 2. The numerically observed value of is somewhat higher than bits. For Alice’s input state that achieves the numerically found maximal value of the lefthandside, it satisfies that the two terms on the lefthandside of Eq. (6) are about equal, and the corresponding sum of the form Eq. (3) under projective measurements is numerically found to be not greater than bit. Also, for initial states satisfying , the corresponding sum of the form Eq. (3) under projective measurements is numerically found to be not greater than bit. When there is no ancilla, numerics suggest that the lefthandside of Eq. (6) is not greater than bit.
The following protocol builds on Protocol 2, and it improves the privacy of Alice’s input in the later main computation task, while that of Bob’s input is somewhat compromised.
In Protocol 3, the privacy of Alice’s bit for the combined onetime table is quite good: The accessible information for Bob is exactly bits, where is the size of in protocol description. It is because the different onetime tables from the first step are independent. The Holevo bound happens to coincide with the accessible information in the current case.
For the privacy of Bob’s input bit in the combined onetime table, it is possible for a cheating Alice to do a joint measurement on received states from Bob, to learn the information about and simultaneously as much as possible (or and
). Bob can deal with this by testing more onetime tables. The resource usage (the amount of entanglement needed and the amount of communication) is estimated to be about
times that of Protocol 2, to achieve the similar level of privacy for Bob, where is the total number of onetime tables required for the later main computation, and is the size of in Protocol 3. The factor appears here because Alice may use techniques similar to Grover’s algorithm to increase the amount of information she may learn about .Iv Applications for twoparty classical computation
The following Protocol 4 is for evaluating a linear polynomial with distributed output using the quantum preprocessing protocols introduced above. The linear polynomial is of the form , where is a constant bit known to Bob, and and are bits on Alice and Bob’s side, respectively. The output is the XOR of two bits on different sides.
If Protocol 2 is used in Protocol 4, the data privacy of one party is partial. The leakage is about half of his or her input bits. See also the comments after Protocol 5 below.
By choosing the linear polynomial of the type , where , and if Bob asks Alice to send him the output she obtained from running the Protocol 4, Bob may accomplish the same function as 1outof2 oblivious transfer, with the additional property that Bob may ask Alice to send if he cheats by setting . The last point makes it different from the definition of 1outof2 oblivious transfer Kilian88 ; Crepeau88 .
For a generic boolean circuit, the main computation after the preprocessing does not include any aborts, and only requires the number of communication rounds to be about equal to the circuit depth. The protocol is shown as Protocol 5.
If Protocol 2 is used in Protocol 5 with the roles of Alice and Bob switched, the data privacy of Bob is partial. The leakage is about half of his input bits in each polynomial. But the privacy is better in the case that the function allows many different inputs of Bob to give rise to the same result. In the case that the function effectively evaluates a universal circuit with data given by Alice and the logical circuit given by Bob, his input has partial privacy which is acceptable due to possible recompilations of Bob’s logical circuit. If Protocol 3 is used instead of Protocol 2, it is suggested that Alice be the first party, to save the required number of onetime tables. Then Alice’s data in the main computation is asymptotically secure because of the property of Protocol 3.
We usually assume that Bob honestly does the testing in the Protocols 2 and 3. There could be superpositions in the input and the output of these quantum protocols, but in the later classical computation task, the parties may do computationalbasis measurements to force the superposed states to collapse.
Now we discuss the case out of the assumption, that is, Bob cheats in the quantum protocols. He may cheat by not aborting after finding that Alice is cheating. This way of cheating is not powerful by itself, but becomes complicated to analyze if he also uses the second way to cheat at the same time, and we leave it for future study. The second way for him to cheat is to use general quantum input (allowing superpositions and entanglement) for the instances of Protocol 1. In such case, Alice may do computationalbasis measurements in the main bipartite computation stage to force the collapse of superpositions. But he case that Bob combines the two cheating methods above is more complicated to analyze, especially since Alice may also cheat. The third way for Bob to cheat is by using superposed states in the main computation but not the preprocessing. This has no effect since Alice may make a computationalbasis measurement on the state received from Bob in the main computation.
There are some nogo theorems for quantum bit commitment LoChau97 ; Mayers97 . Because of the fact that our quantum preprocessing protocols allow aborts, and there are some requirements on the players in those protocols, it is still possible that bit commitment can be implemented with the help of the onetime tables generated by the quantum preprocessing protocols. In the following we propose a bit commitment protocol using the above idea, inspired by a computationallysecure construction based on quantum oneway permutations DMS2000 . Here, instead of using the quantum oneway permutations, we use a special bipartite classical computation with distributed output, with the help of quantum preprocessing. Our scheme is cheatsensitive and subject to some other assumptions similar to those for the generic Protocol 5.
In the last step of Protocol 6, if Alice sends Bob some random bit string, the results obtained by Bob are generally not consistent with any input value of . For large , it is hard for Alice to guess the appropriate bit string to send to Bob to make him believe the input was .
V Discussions
The qubitbased quantum protocols in this work can be generalized to work for qudits in principle. This is inspired by the classical case in Beaver98 . This requires some changes in the classical usage of the generated correlations.
The methods in this work are extendable to multipartite classical computation in principle. The pairs of parties (possibly including some server) may prepare onetime tables using the quantum protocols in this work.
The onetime tables generated by the quantum protocols in this work could in principle be used in a quantum bipartite computation task, in particular quantum homomorphic encryption rfg12 ; Fisher13 ; ypf14 ; Tan16 ; Ouyang18 ; bj15 ; Dulek16 ; NS17 ; Lai17 ; Mahadev17 ; ADSS17 ; Newman18 ; TOR18 . As for the quantum homomorphic encryption problem, an interactive protocol is obtainable by using the current method to evaluate classical linear polynomials, and use this as a subprocedure in the framework in Yu18 ; further, if the teleportation method in Dulek16 is adopted instead of the corresponding simplified version in Yu18 , the number of rounds needed in the main computation may be reduced to a constant. But there are two points on which the security of the quantum computation may be somewhat weaker than in the classical case. First, it is less natural in the quantum protocol to impose classicality of the output of the onetime table. Imposing classicality of course helps security, but we doubt it is really necessary given our assumptions about the players in the preprocessing stage. In practice, we may assume that the output of the onetime tables have decohered prior to the use in the main computation. Second, in the current framework for quantum bipartite computation such as in Yu18 , the Pauli masks for the original input qubits are used as the variables in all the linear polynomials involved, this means the data privacy is worse than in the case of classical bipartite computation, in which the intermediate variables replace the roles of the initial variables in many of the linear polynomials. But the use of the quantum preprocessing in this work would give rise to better data privacy in quantum homomorphic encryption than some of the schemes in Yu18 , because those schemes require correlated encoding of the different variables, while the techniques here do not require correlated encoding of the different variables.
The following are some considerations about implementations and physical errors. The Protocol 1 makes use of teleportation bbc93 , with certain classical messages withheld by the sending party. Such step in the protocol is equivalent to the direct sending of quantum states that have been subject to certain Pauli operators just before sending. Using teleportations allows entanglement to be prepared by a fixed entanglement generating device, allowing for failures in preparation. This may also help getting rid of the issue of multiple photons in direct communication, which harms the privacy in Protocol 1. As for detector inefficiencies and dark counts, the fact that the Protocol 1 can be redone after failure can help mitigate the effects of these issues.
When Protocol 2 with noise is used for the bipartite classical computation task, the data leakage is about the product of the circuit size (the number of the onetime tables) and a small constant determined by the errors in the physical setup. This is because the physical errors and Alice’s cheating look about the same for Bob in the verifications in Protocol 2. For circuits with a high level of parallelism, the data leakage per input bit is about the product of circuit depth and the error constant described above. So the allowed circuit depth is a constant, which is inverse proportional to the error constant. If Protocol 3 is used instead, the physical errors are somewhat less related to data privacy. There have been studies of the effects of noise in classical cryptographic tasks, and noise is not always bad for security CK88 . Note that adding some assumptions about quantum capabilities may improve the security in bit commitment Salvail98 . Adding similar assumptions on top of our quantum preprocessing protocols may improve the security in the applications.
Vi Conclusions
We have proposed two quantum protocols for approximately generating a certain type of classical correlations (a special case of the onetime table Beaver98 ) with varying degrees of privacy, to be used in bipartite secure classical computation tasks. We show the application to evaluating linear polynomials and generic boolean circuits. Open problems include: applications in cheatsensitive quantum implementation of other cryptographic primitives, which may be weaker than the plain version of the primitives; a refined analysis of the protocols, taking into account the physical errors in quantum states and operations; faulttolerance; application to special classes of classical circuits; design of experimental schemes, where the failures must be known when they happen.
Acknowledgments
This research is funded in part by the Ministry of Science and Technology of China under Grant No. 2016YFA0301802, and the Department of Education of Zhejiang province under Grant No. Y201737289, and the startup grant of Hangzhou Normal University.
References

[1]
Craig Gentry.
Fully homomorphic encryption using ideal lattices.
In
Proceedings of the Fortyfirst Annual ACM Symposium on Theory of Computing
, STOC ’09, pages 169–178, New York, NY, USA, 2009. ACM.  [2] Z. Brakerski and V. Vaikuntanathan. Efficient fully homomorphic encryption from (standard) LWE. In 2011 IEEE 52nd Annual Symposium on Foundations of Computer Science, pages 97–106, Oct 2011.
 [3] A. C. Yao. How to generate and exchange secrets. In 27th Annual Symposium on Foundations of Computer Science, pages 162–167, Oct 1986.
 [4] Donald Beaver. Onetime tables for twoparty computation. In WenLian Hsu and MingYang Kao, editors, Computing and Combinatorics, pages 361–370, Berlin, Heidelberg, 1998. Springer Berlin Heidelberg.
 [5] C. H. Bennett and G. Brassard. Quantum cryptography: Public key distribution and coin tossing. In Proceedings of IEEE International Conference on Computers, Systems and Signal Processing, volume 175, page 8. New York, 1984.
 [6] HoiKwong Lo. Insecurity of quantum secure computations. Phys. Rev. A, 56:1154–1162, Aug 1997.
 [7] Harry Buhrman, Matthias Christandl, and Christian Schaffner. Complete insecurity of quantum protocols for classical twoparty computation. Phys. Rev. Lett., 109:160501, Oct 2012.
 [8] Roger Colbeck. Impossibility of secure twoparty classical computation. Phys. Rev. A, 76:062308, Dec 2007.
 [9] Li Yu. A quantum homomorphic encryption scheme for polynomialsized circuits. http://arxiv.org/abs/1810.01166, October 2018.
 [10] D. P. DiVincenzo, M. Horodecki, D. W. Leung, J. A. Smolin, and B. M. Terhal. Locking classical correlations in quantum states. Phys. Rev. Lett., 92:067902, Feb 2004.
 [11] Joe Kilian. Founding crytpography on oblivious transfer. In Proceedings of the Twentieth Annual ACM Symposium on Theory of Computing, STOC ’88, pages 20–31, New York, NY, USA, 1988. ACM.
 [12] Claude Crépeau. Equivalence between two flavours of oblivious transfers. In Carl Pomerance, editor, Advances in Cryptology — CRYPTO ’87, pages 350–354, Berlin, Heidelberg, 1988. Springer Berlin Heidelberg.
 [13] HoiKwong Lo and H. F. Chau. Is quantum bit commitment really possible? Phys. Rev. Lett., 78:3410–3413, Apr 1997.
 [14] Dominic Mayers. Unconditionally secure quantum bit commitment is impossible. Phys. Rev. Lett., 78:3414–3417, Apr 1997.
 [15] Paul Dumais, Dominic Mayers, and Louis Salvail. Perfectly concealing quantum bit commitment from any quantum oneway permutation. In Bart Preneel, editor, Advances in Cryptology — EUROCRYPT 2000, pages 300–315, Berlin, Heidelberg, 2000. Springer Berlin Heidelberg.
 [16] Peter P. Rohde, Joseph F. Fitzsimons, and Alexei Gilchrist. Quantum walks with encrypted data. Phys. Rev. Lett., 109:150501, 2012.
 [17] K. Fisher, A. Broadbent, L.K. Shalm, Z. Yan, J. Lavoie, R. Prevedel, T. Jennewein, and K.J. Resch. Quantum computing on encrypted data. Nat. Commun., 5:3074, 2014.
 [18] Li Yu, Carlos A. PérezDelgado, and Joseph F. Fitzsimons. Limitations on informationtheoreticallysecure quantum homomorphic encryption. Phys. Rev. A, 90:050303(R), Nov 2014.
 [19] S.H. Tan, J. A. Kettlewell, Y. Ouyang, L. Chen, and J. F. Fitzsimons. A quantum approach to homomorphic encryption. Sci. Rep., 6:33467, 2016.
 [20] Y. Ouyang, S.H. Tan, and J. Fitzsimons. Quantum homomorphic encryption from quantum codes. Phys. Rev. A, 98:042334, 2018.
 [21] Anne Broadbent and Stacey Jeffery. Quantum homomorphic encryption for circuits of low Tgate complexity. In Proceedings of Advances in Cryptology — CRYPTO 2015, pages 609–629, 2015.
 [22] Yfke Dulek, Christian Schaffner, and Florian Speelman. Quantum homomorphic encryption for polynomialsized circuits. CRYPTO 2016: Advances in Cryptology  CRYPTO 2016, pages 3–32, 2016.
 [23] M. Newman and Y. Shi. Limitations on Transversal Computation through Quantum Homomorphic Encryption. Quantum Information and Computation, 18:927–948, 2018.
 [24] C.Y. Lai and K.M. Chung. On StatisticallySecure Quantum Homomorphic Encryption. Quantum Information and Computation, 18:785–794, 2018.
 [25] U. Mahadev. Classical homomorphic encryption for quantum circuits. In 2018 IEEE 59th Annual Symposium on Foundations of Computer Science (FOCS), pages 332–338, Oct 2018.
 [26] Gorjan Alagic, Yfke Dulek, Christian Schaffner, and Florian Speelman. Quantum fully homomorphic encryption with verification. In Tsuyoshi Takagi and Thomas Peyrin, editors, Advances in Cryptology – ASIACRYPT 2017, pages 438–467, Cham, 2017. Springer International Publishing.
 [27] M. Newman. Further Limitations on InformationTheoretically Secure Quantum Homomorphic Encryption. http://arxiv.org/abs/1809.08719, September 2018.
 [28] SiHui Tan, Yingkai Ouyang, and Peter P. Rohde. Practical somewhatsecure quantum somewhathomomorphic encryption with coherent states. Phys. Rev. A, 97:042308, Apr 2018.
 [29] C. H. Bennett, G. Brassard, C. Crépeau, R. Jozsa, A. Peres, and W. K. Wootters. Teleporting an unknown quantum state via dual classical and einsteinpodolskyrosen channels. Phys. Rev. Lett., 70:1895–1899, Mar 1993.
 [30] C. Crepeau and J. Kilian. Achieving oblivious transfer using weakened security assumptions. In [Proceedings 1988] 29th Annual Symposium on Foundations of Computer Science, pages 42–52, Oct 1988.
 [31] Louis Salvail. Quantum bit commitment from a physical assumption. In Hugo Krawczyk, editor, Advances in Cryptology — CRYPTO ’98, pages 338–353, Berlin, Heidelberg, 1998. Springer Berlin Heidelberg.