# Application of Blind Quantum Computation to Two-Party Quantum Computation

## Abstract

Blind quantum computation (BQC) allows a client who has only limited quantum power to achieve quantum computation with the help of a remote quantum server and still keep the client’s input, output, and algorithm private. Recently, Kashefi and Wallden extended BQC to achieve two-party quantum computation which allows two parties Alice and Bob to perform a joint unitary transform upon their inputs. However, in their protocol Alice has to prepare rotated single qubits and perform Pauli operations, and Bob needs to have a powerful quantum computer. In this work, we also utilize the idea of BQC to put forward an improved two-party quantum computation protocol in which the operations of both Alice and Bob are simplified since Alice only needs to apply Pauli operations and Bob is just required to prepare and encrypt his input qubits.

## Keywords

Blind quantum computation Two-party quantum computation## 1 Introduction

Quantum computation uses the principles of quantum mechanics to perform computation. It is widely believed that quantum computation can solve some computational tasks much faster than its classical counterparts [1]. For instance, Shor’s algorithms offer an efficient solution for factoring big integers and solving discrete logarithm problems in polynomial time [2]. Grover’s algorithm provides a quadratic speedup over its best-known classical algorithm for searching problems [3]. However, the experimental realization of quantum computation is still a big challenge now. Due to the limitation of current technologies, quantum computers are still in the primary stage and they just allow for several operations on a few qubits. It may be a long way to build large-scale quantum computers. In the future, the first generation quantum computers may be used in the cloud style [4] where only a small number of groups such as governments and huge industries can possess them. Although delegating computing to a remote system may be highly practical and economical, it may cause some security problems [5]. For example, if a client who holds only limited quantum resources wants to perform quantum computation, he may need to delegate his computation to powerful quantum servers in the network and still wants his own data private. Blind quantum computation (BQC) can help him to achieve both goals at the same time.

BQC was first proposed by Childs on the basis of circuit model [6]. In this protocol, the client needs quantum memory and the ability to implement the SWAP gate. Then Arrighi and Salvail proposed a BQC protocol which only requires Alice to prepare and measure entangled states [7]. But it only allows for calculating certain classical functions and thus is not universal. Based on the measurement model, Broadbent, Fitzsimons, and Kashefi (BFK) presented the first universal BQC protocol [8], where the client only requires preparing single-qubit states and does not require quantum memory or any quantum computation power. In Ref. [9], the measurement-based quantum computation (MBQC) model is shown to be the same as the circuit model. It can be viewed as a set of classical measurement angles on a highly entangled quantum state to perform quantum computation. Thereafter, various protocols have been proposed based on different models [10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24]. On the one hand, some researchers tried to make the BQC as practical as possible, such as using entanglement swapping to make client just need to access quantum channels [11], using some anti-noise technologies to perform BQC in a noisy environment [12, 13, 14], or designing some verification methods to make the client verify her quantum computation efficiently [15, 16]. On the other hand, some of them utilized the BQC to achieve special functions [25, 26, 27], such as extending the verifiable BQC protocol [15] to realize a two-party computation protocol [25].

*X*and

*Z*(

*𝜃*) operations and requires Bob to have a powerful quantum computer to perform quantum computation.

In this work, we design an improved protocol which eases both Alice and Bob’s burden. More specifically, Alice is not required to prepare rotated single qubits and Bob is just required to prepare and encrypt his input qubits by delegating their computation to an untrusted quantum server.

The rest of this paper is organized as follows. In Section 2, we briefly review the QYao protocol in Ref. [25]. Section 3 presents our protocol. Section 4 analyzes the security of the proposed protocol and makes a comparison with the QYao protocol. The last section gives a conclusion of this paper.

## 2 The Review of QYao Protocol

Before presenting the main part of our protocol, we first review the QYao protocol. The QYao protocol shows that the measurement-based quantum computation model can be used in two-party quantum computation tasks and provides the idea of our work.

_{ A }〉, Bob has input |Φ

_{ B }〉, and both of them know the unitary operator U that they wish to compute. Alice has a description of their computation in MBQC using the base graph G. Suppose that the base graph G has three vertices and two edges as described in Fig. 2a. Then Alice maps it to the DT(G) as shown in Fig. 2b. For each vertices

*v*

_{ i }in G, there is a set of three new vertices \(P_{v_{i}}=\{p_{1}^{v_{i}},p_{2}^{v_{i}},p_{3}^{v_{i}} \}\) in DT(G). Corresponding to each edge

*e*(

*v*

_{ i },

*v*

_{ j }) that connects

*v*

_{ i }and

*v*

_{ j }in G, there is a set of nine edges \(E_{e}(P_{v_{i}},P_{v_{j}})\) that connect each of the vertices in \(P_{v_{i}}\) and \(P_{v_{j}}\) [15]. Then, Alice randomly chooses the added qubit from the set {|0〉,|1〉} for each

*E*

_{ e }to get the DT(G). By using the DT(G), Alice can hide her actual computation graph G (such as the blue one) in three sub-graphs which are described in Fig. 2c. For each qubit only Alice knows the initial rotation angles and its dependencies. The base-locations of the inputs and outputs of both parties are public [25].

- Q1
Bob encrypts his input using secret keys (

*m*_{z,i},*m*_{x,i}) and then sends to Alice the states \(X^{m_{x,i}}Z^{m_{z,i}}|{\Phi }_{B}\rangle \) for all*i*∈*I*_{ B }, where*I*_{ B }denotes the specific positions of Bob’s input. - Q2
Alice prepares all the states of the DT(G) except the computation qubits of Bob’s input.

- Q3
After receiving Bob’s input qubits which are described in step 1, Alice chooses at random \(x_{i}^{\prime }\), \({\theta }_{i}^{\prime }\) for each Bob’s input qubit and encrypts them to obtain the states:\(X^{x_{i}^{\prime }}Z({\theta }_{i}^{\prime })X^{m_{x,i}}Z^{m_{z,i}}|{\Phi }_{B}\rangle \).

- Q4
Alice mixes the computation qubit of the Bob’s input with a dummy qubit and a trap qubit and returns to Bob the three qubits of Bob’s input base-locations using the method shown in Fig. 3.

- Q5
Bob produces the DT(G) state that was specified by Alice. Then, Bob returns to Alice the secret bits (

*m*_{z,i},*m*_{x,i}) for all*i*of his input. - Q6
Alice computes \(x_{i}:=x_{i}^{\prime }+m_{x,i}\) and \(\theta _{i}:=(-1)^{m_{x,i}}\theta _{i}^{\prime }+\pi {m_{z,i}}\) and uses these (

*x*_{ i },*𝜃*_{ i }) for computing the suitable measurement angles \(\delta _{i} = \phi _{i}^{\prime }+\theta _{i}+\pi {r_{i}}\) like the way in the UBQC protocol in Ref. [8]. - Q7
On the output stage, Bob chooses pair of secret bits \((m_{x,i}^{\prime },m_{z,i}^{\prime })\) to encrypt each qubit in position

*i*that corresponds to Bob’s output base-locations. Then he sends to Alice the state \(X^{m_{x,i}^{\prime }}Z^{m_{z,i}^{\prime }}Tr_{A}(U(|{\Psi }_{A}\rangle ,|{\Phi }_{B}\rangle ))\) and the Alice’s output is*T**r*_{ B }(*U*(|Ψ_{ A }〉,|Φ_{ B }〉)). - Q8
Alice keeps the qubits that correspond to traps and dummies in the final layer of Bob’s output, and returns to Bob the computation qubits of his output.

- Q9
Bob sends to Alice the key \((m_{x,i}^{\prime },m_{z,i}^{\prime })\).

- Q10
Alice checks the traps and returns to Bob the final layer paddings for Bob’s input locations.

- Q11
Bob uses the final paddings to obtain the output.

At the end of this protocol, Alice and Bob obtain the output qubits respectively if this protocol is performed correctly. In this QYao protocol, Alice only requires limited quantum power but Bob needs the ability of performing quantum computation as a fully quantum server.

## 3 The Proposed Protocol

In this section, we propose a protocol which allows two users Alice and Bob with limited quantum power to perform two-party quantum computation with the help of an untrusted quantum server Charlie. In our protocol, Alice needs to prepare {|0〉,|1〉} states and perform Pauli-*X* and *Z*(*𝜃*) operations and Bob only needs to prepare and encrypt his input qubits. Supposed that Alice and Bob plan to implement the same quantum computation as that in the reviewed QYao protocol [25] and use similar parameters in it. Then inputs of Alice and Bob are |Ψ_{ A }〉 and |Φ_{ B }〉 respectively, and both of them want to perform the unitary operator U on them. The detailed steps of our protocol are described as follows.

**Preparation Stage:**

- D1
Charlie prepares a single qubit |+〉 and sends it to Alice.

- D2
Once receiving the particle, Alice randomly chooses (a) to perform

*Z*(*𝜃*_{ i }) on it and sends to Charlie the state | +*𝜃*_{ i }〉, where*𝜃*_{ i }is randomly selected from*S*≡{*k**π*/4|*k*= 0,1,...,7} or (b) to prepares a dummy quantum state selected in {|0〉,|1〉} which will be sent to Charlie. - D3
They repeat (1)-(2) until the qubits is enough to construct the DT(G). Then Charlie produces the Alice’s initial DT(G) which are specified by Alice via the method described in Fig. 3.

- D4
Bob encrypts his input |Φ

_{ B }〉 using secret keys (*m*_{z,j},*m*_{x,j}) and then sends to Alice the state \(X^{m_{x,j}}Z^{m_{z,j}}|{\Phi }_{B}\rangle \). For simplicity, in the following we just give the case that the input is only one qubit since it can be generalized to multiple qubits trivially. - D5
Alice randomly chooses \((x_{j}^{\prime },\theta _{j}^{\prime })\) for each of the Bob’s input and encrypts it again to obtain the following state: \(X^{x_{j}^{\prime }}Z(\theta _{j}^{\prime })X^{m_{x,j}}Z^{m_{z,j}}|{\Phi }_{B}\rangle \).

- D6
Bob prepares a trap qubit state \(|+\theta _{j}\rangle = |0\rangle + e^{i\theta _{j}}|1\rangle \), where

*𝜃*_{ j }is selected randomly from the set*S*, and sends it to Alice. - D7
Alice prepares a dummy qubit and mixes it with Bob’s input qubit and trap qubit. Then, Alice sends the three qubits to Charlie to entangle it in Bob’s input base-locations which are shown in Fig. 3.

**Computation Stage:**

- D8
In order to avoid the key releasing, Alice and Bob use classical secure oblivious transfer (OT) [30] as a function to compute the suitable measurement angles \(\delta _{j}(m_{x,j},m_{z,j}) = \phi _{j}^{\prime }+((-1)^{m_{x,j}+x^{j^{\prime }}}\theta _{j}^{\prime }+\pi {m_{z,j}})+\pi {r_{j}}\), where (

*m*_{z,j},*m*_{x,j}) and \((x_{j}^{\prime },\theta _{j}^{\prime })\) are Bob and Alice’s secret key values respectively and \(\phi _{j}^{\prime }\) is a modified angle according to the previous measurement results. - D9
Alice and Charlie perform the computation just like the UBQC protocol in Ref. [8] from the step 3. Alice tells the classical information

*δ*_{ i }to Charlie. Charlie measures the*i*th qubit in the basis ±|*δ*_{ i }〉 and sends the result to Alice. Through a set of measurements in the DT(G), Alice and Bob can achieve their computation goal*U*(|Ψ_{ A }〉,|Φ_{ B }〉).

**Output Stage:**

- D10
Charlie sends the output qubits to Alice and Bob corresponding to their base-locations respectively.

- D11
Alice checks her traps qubits and keeps her output

*T**r*_{ B }(*U*(|Ψ_{ A }〉,|Φ_{ B }〉)). - D12
Alice tells Bob the information about which qubit is his output qubit, trap qubit or dummy qubit, and returns to Bob the final layer paddings for their locations.

- D13
Bob uses the final paddings to check his trap qubit and obtain his output

*T**r*_{ A }(*U*(|Ψ_{ A }〉,|Φ_{ B }〉)).

## 4 Security Analysis and Comparisons

- 1.
In steps D1-D3, Alice prepares rotated single qubits | +

*𝜃*_{ i }〉 by perform the*Z*(*𝜃*_{ i }) operations on qubits |+〉, and only Alice knows their values. Moreover, Alice encrypts Bob’s input and mixes it with a trap qubit and a dummy qubit to hide the input qubits’ positions. Bob cannot know which qubits are used in real computation and which qubits are trap qubits and thus there is no information about Alice’s input that can be revealed. In addition, Bob encrypts his input qubit by using random key (*m*_{z,j},*m*_{x,j}) in step D4, thus Alice also cannot get any information about Bob’s input. - 2.
If Charlie does not implement the protocol as being told, he still cannot obtain the private data of both participants. For simplicity, suppose he may try to learn the information of

*𝜃*_{ i }, where*𝜃*_{ i }is the rotation angle of Alice’s input qubit | +*𝜃*_{ i }〉. In step D3, Alice mixes her input qubit with a dummy qubit and a trap qubit and only Alice knows the positions of the three qubits. Thus Charlie’s attack may be detected when he measures a trap qubit and the probability that he escapes from the detection is \(p_{fail} \leq \frac {2}{3}\). If Alice has*n*qubits as her input, the Charlie’s attack can be detected by Alice with the probability \(p \geq \ 1 - (\frac {2}{3})^{n}\). Furthermore, Alice can verify the computational result through measuring trap qubits in the output phase. The analysis for Bob is similar to that for Alice. - 3.
If Bob has collusion with Charlie, they can get (

*m*_{z,j},*m*_{x,j}) and*δ*_{ j }. But it is impossible for them to get something about \(\phi _{j}^{\prime } = \delta _{j}-((-1)^{m_{x,j}+x_{j}^{\prime }}\theta _{j}^{\prime }+\pi {m_{z,j}})-\pi {r_{i}}\), since they have no information about Alice’s secret key values \((x_{j}^{\prime },\theta _{j}^{\prime })\). Without knowing \(\phi _{j}^{\prime }\) and the sub-graph used to perform the real computation, Bob and Charlie cannot get any information about Alice’s input and output and thus the proposed protocol can be against Bob and Charlie’s collusion attack. - 4.
If Alice colludes with Charlie, they can get some information about Bob’s input if they does not mind being caught by Bob. For example, in step D8, if Alice sets \(\phi _{j}^{\prime }=\theta _{j}^{\prime }=r_{j}= 0\), then

*δ*_{ j }=*π**m*_{z,j}and she can get the value of*m*_{z,j}. But if Alice tries to get Bob’s secret key values through the above method, it will be detected by Bob according to the change of*δ*_{ j }and the computation process will be aborted. Moreover, if Bob has*n*qubits as input, Alice and Charlie only have the probability of 1/2^{ n }to get Bob’s input. Thus the proposed protocol can be against Alice and Charlie’s collusion attack to some extent.

Comparisons between the QYao protocol and the proposed protocol

QYao protocol [25] | The proposed protocol | |
---|---|---|

Alice’s quantum power | generate | + | generate {|0〉,|1〉}, |

apply Pauli- | apply Pauli- | |

Bob’s quantum power | own fully quantum capability | prepare input qubit, |

apply Pauli- | ||

An untrusted Server | unnecessary | necessary |

## 5 Conclusions

In conclusion, we have applied BQC to propose an improved protocol of two-party quantum computation which simplifies both two parties’ quantum operations compared with those in the original two-party quantum computation protocol in Ref. [25]. Furthermore, we also have shown that the proposed protocol can be against untrusted Charlie, malicious Bob, and specious Alice. Finally, our protocol may be modified to execute in a noisy environment by using some anti-noise methods when transmitting qubits from Alice or Bob to Charlie in the preparation stage, such as using quantum state amplification [31, 32], entanglement purification [33, 34], and entanglement concentration [35, 36] between two servers. However, the problem about how to deal with a malicious Alice has not been addressed and it will be future work.

## Notes

### Acknowledgements

We would like to thank Zhulin Li, Chengdong Liu, and Yu Peng for useful discussion and suggestion. This work was supported by the Joint Funds of the National Natural Science Foundation of China and China General Technology Research Institute (Grant No. U1736113), and the Hunan Provincial Natural Science Foundation of China (Grant No. 2018JJ2403).

## References

- 1.Nielsen, M.A., Chuang, I.L: Quantum Computation and Quantum Information. Cambridge University Press (2010)Google Scholar
- 2.Shor, P.W.: In: Proceedings of the 35th Annual IEEE Symposium on the Foundations of Computer Science, pp. 124–134 (1994)Google Scholar
- 3.Grover, L.K.: Phys. Rev. Lett.
**79**, 325 (1997)ADSCrossRefGoogle Scholar - 4.Morimae, T., Fujii, K.: Phys. Rev. A
**87**, 050301(R) (2013)ADSCrossRefGoogle Scholar - 5.Fitzsimons, J.F.: npj Quant. Inf.
**3**, 23 (2017)ADSCrossRefGoogle Scholar - 6.Childs, A.M.: Quant. Inf. Comput.
**5**, 456 (2005)Google Scholar - 7.Arrighi, P., Salvail, L.: Int. J. Quant. Inf.
**04**, 883 (2006)CrossRefGoogle Scholar - 8.Broadbent, A., Fitzsimons, J., Kashefi, E.: In: Proceedings of the 50th Annual IEEE Symposium on Foundations of Computer Science, pp. 517–526 (2009)Google Scholar
- 9.Raussendorf, R., Briegel, H.J.: Phys. Rev. Lett.
**86**, 5188 (2001)ADSCrossRefGoogle Scholar - 10.Morimae, T., Fujii, K.: Phys. Rev. Lett.
**111**, 020502 (2013)ADSCrossRefGoogle Scholar - 11.Li, Q., Chan, W.H., Wu, C., Wen, Z.: Phys. Rev. A
**89**, 040302(R) (2014)ADSCrossRefGoogle Scholar - 12.Sheng, Y.B., Zhou, L.: Sci. Rep.
**5**, 7815 (2015)CrossRefGoogle Scholar - 13.Takeuchi, Y., Fujii, K., Ikuta, R., Yamamoto, T., Imoto, N.: Phys. Rev. A
**93**, 052307 (2016)ADSCrossRefGoogle Scholar - 14.Sheng, Y.B., Zhou, L.: Available at arXiv:1609.08902 (2016)
- 15.Kashefi, E., Wallden, P.: Available at arXiv:1510.07408 (2015)
- 16.Fitzsimons, J.F., Kashefi, E.: Phys. Rev. A
**96**, 012303 (2017)ADSCrossRefGoogle Scholar - 17.Dunjko, V., Kashefi, E., Leverrier, A.: Phys. Rev. Lett.
**108**, 200502 (2012)ADSCrossRefGoogle Scholar - 18.Morimae, T., Fujii, K.: Nat. Commun.
**3**, 251 (2012)CrossRefGoogle Scholar - 19.Li, Q., Li, Z., Chan, W.H., Zhang, S., Liu, C.: Phys. Lett. A
**382**, 938 (2018)ADSMathSciNetCrossRefGoogle Scholar - 20.Brennen, G.K., Miyake, A.: Phys. Rev. Lett.
**101**, 010502 (2008)ADSCrossRefGoogle Scholar - 21.Morimae, T.: Phys. Rev. Lett.
**109**, 230502 (2012)ADSCrossRefGoogle Scholar - 22.Sueki, T., Koshiba, T., Morimae, T.: Phys. Rev. A
**87**, 060301 (2013)ADSCrossRefGoogle Scholar - 23.Mantri, A., Pérez-Delgado, C.A., Fitzsimons, J.F.: Phys. Rev. Lett.
**111**, 230502 (2013)ADSCrossRefGoogle Scholar - 24.Kong, X., Li, Q., Wu, C., Yu, F., He, J., Sun, Z.: Int. J. Theor. Phys.
**55**, 3001 (2016)CrossRefGoogle Scholar - 25.Kashefi, E., Wallden, P.: Cryptography
**1**, 6 (2017)CrossRefGoogle Scholar - 26.Kashefi, E., Pappa, A.: Available at arXiv:1606.09200 (2016)
- 27.Sheng, Y.B., Zhou, L.: Sci. Bull.
**62**, 1025 (2017)CrossRefGoogle Scholar - 28.Yao, A.C.: In: Proceedings of the 23rd Annual IEEE Symposium on Foundations of Computer Science, pp. 160–164 (1982)Google Scholar
- 29.Dupuis, F., Nielsen, J.B., Salvail, L.: In: Advances in Cryptology-Crypto 2010, pp. 685–706 (2010)Google Scholar
- 30.Naor, M., Pinkas, B.: In: Proceedings of the 31st Annual ACM Symposium on Theory of Computing, pp. 245–254 (1999)Google Scholar
- 31.Osorio, C.I., Bruno, N., Sangouard, N., Zbinden, H., Gisin, N., Thew, R.T.: Phys. Rev. A
**86**, 023815 (2012)ADSCrossRefGoogle Scholar - 32.Zhou, L., Sheng, Y.B.: Laser Phys. Lett.
**12**, 045203 (2015)ADSCrossRefGoogle Scholar - 33.Zwerger, M., Briegel, H.J., Dur, W.: Phys. Rev. A
**90**, 012314 (2014)ADSCrossRefGoogle Scholar - 34.Zhou, L., Sheng, Y.B.: Sci. Rep.
**6**, 28813 (2016)ADSCrossRefGoogle Scholar - 35.Du, F.F., Deng, F.G.: Science china physics. Mech. Astron.
**58**, 040303 (2015)Google Scholar - 36.Sheng, Y.B., Pan, J., Guo, R., Zhou, L., Wang, L.: Science china physics. Mech. Astron.
**58**, 060301 (2015)CrossRefGoogle Scholar