International Journal of Theoretical Physics

, Volume 57, Issue 6, pp 1864–1871 | Cite as

Application of Blind Quantum Computation to Two-Party Quantum Computation

  • Zhiyuan Sun
  • Qin Li
  • Fang Yu
  • Wai Hong Chan


Blind quantum computation (BQC) allows a client who has only limited quantum power to achieve quantum computation with the help of a remote quantum server and still keep the client’s input, output, and algorithm private. Recently, Kashefi and Wallden extended BQC to achieve two-party quantum computation which allows two parties Alice and Bob to perform a joint unitary transform upon their inputs. However, in their protocol Alice has to prepare rotated single qubits and perform Pauli operations, and Bob needs to have a powerful quantum computer. In this work, we also utilize the idea of BQC to put forward an improved two-party quantum computation protocol in which the operations of both Alice and Bob are simplified since Alice only needs to apply Pauli operations and Bob is just required to prepare and encrypt his input qubits.


Blind quantum computation Two-party quantum computation 

1 Introduction

Quantum computation uses the principles of quantum mechanics to perform computation. It is widely believed that quantum computation can solve some computational tasks much faster than its classical counterparts [1]. For instance, Shor’s algorithms offer an efficient solution for factoring big integers and solving discrete logarithm problems in polynomial time [2]. Grover’s algorithm provides a quadratic speedup over its best-known classical algorithm for searching problems [3]. However, the experimental realization of quantum computation is still a big challenge now. Due to the limitation of current technologies, quantum computers are still in the primary stage and they just allow for several operations on a few qubits. It may be a long way to build large-scale quantum computers. In the future, the first generation quantum computers may be used in the cloud style [4] where only a small number of groups such as governments and huge industries can possess them. Although delegating computing to a remote system may be highly practical and economical, it may cause some security problems [5]. For example, if a client who holds only limited quantum resources wants to perform quantum computation, he may need to delegate his computation to powerful quantum servers in the network and still wants his own data private. Blind quantum computation (BQC) can help him to achieve both goals at the same time.

BQC was first proposed by Childs on the basis of circuit model [6]. In this protocol, the client needs quantum memory and the ability to implement the SWAP gate. Then Arrighi and Salvail proposed a BQC protocol which only requires Alice to prepare and measure entangled states [7]. But it only allows for calculating certain classical functions and thus is not universal. Based on the measurement model, Broadbent, Fitzsimons, and Kashefi (BFK) presented the first universal BQC protocol [8], where the client only requires preparing single-qubit states and does not require quantum memory or any quantum computation power. In Ref. [9], the measurement-based quantum computation (MBQC) model is shown to be the same as the circuit model. It can be viewed as a set of classical measurement angles on a highly entangled quantum state to perform quantum computation. Thereafter, various protocols have been proposed based on different models [10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24]. On the one hand, some researchers tried to make the BQC as practical as possible, such as using entanglement swapping to make client just need to access quantum channels [11], using some anti-noise technologies to perform BQC in a noisy environment [12, 13, 14], or designing some verification methods to make the client verify her quantum computation efficiently [15, 16]. On the other hand, some of them utilized the BQC to achieve special functions [25, 26, 27], such as extending the verifiable BQC protocol [15] to realize a two-party computation protocol [25].

Two-party computation was first introduced by Yao [28] in the form of the millionaire problem where two persons want to compare which of them is richer without revealing their personal fortunes. The quantum version of two-party computation can be described as follows [29]: Alice holds her private input \(|\rho _{in_{A}}\rangle \), Bob holds \(|\rho _{in_{B}}\rangle \), and both of them want to perform a unitary transform U on their joint input \(|\rho _{in_{A}}\rangle \otimes |\rho _{in_{B}}\rangle \) without revealing any information about their input as described in Fig. 1. In Ref. [25], Kashefi and Wallden proposed such a protocol that can allow two users Alice and Bob can receive their own outputs which depend on their inputs. It was called QYao protocol which requires Alice to prepare rotated single qubits and perform the Pauli-X and Z(𝜃) operations and requires Bob to have a powerful quantum computer to perform quantum computation.
Fig. 1

The process of two-party quantum computation

In this work, we design an improved protocol which eases both Alice and Bob’s burden. More specifically, Alice is not required to prepare rotated single qubits and Bob is just required to prepare and encrypt his input qubits by delegating their computation to an untrusted quantum server.

The rest of this paper is organized as follows. In Section 2, we briefly review the QYao protocol in Ref. [25]. Section 3 presents our protocol. Section 4 analyzes the security of the proposed protocol and makes a comparison with the QYao protocol. The last section gives a conclusion of this paper.

2 The Review of QYao Protocol

Before presenting the main part of our protocol, we first review the QYao protocol. The QYao protocol shows that the measurement-based quantum computation model can be used in two-party quantum computation tasks and provides the idea of our work.

Suppose that Alice has her input |Ψ A 〉, Bob has input |Φ B 〉, and both of them know the unitary operator U that they wish to compute. Alice has a description of their computation in MBQC using the base graph G. Suppose that the base graph G has three vertices and two edges as described in Fig. 2a. Then Alice maps it to the DT(G) as shown in Fig. 2b. For each vertices v i in G, there is a set of three new vertices \(P_{v_{i}}=\{p_{1}^{v_{i}},p_{2}^{v_{i}},p_{3}^{v_{i}} \}\) in DT(G). Corresponding to each edge e(v i ,v j ) that connects v i and v j in G, there is a set of nine edges \(E_{e}(P_{v_{i}},P_{v_{j}})\) that connect each of the vertices in \(P_{v_{i}}\) and \(P_{v_{j}}\) [15]. Then, Alice randomly chooses the added qubit from the set {|0〉,|1〉} for each E e to get the DT(G). By using the DT(G), Alice can hide her actual computation graph G (such as the blue one) in three sub-graphs which are described in Fig. 2c. For each qubit only Alice knows the initial rotation angles and its dependencies. The base-locations of the inputs and outputs of both parties are public [25].
Fig. 2

a The base graph G. Assume that the base graph of Alice is described in a and it includes the unitary operation U and Alice’s input qubits. b DT(G). The dotted triple-graph which is mapped from a. Here, for each qubit v i which belongs to base graph G, there is a set of three qubits \(P_{v_{i}}\) which are denoted as circles. For each edge which belongs to base graph G, there is a set of nine added qubits A e which are denoted as squares. c The colored blue sub-graph is the real computation graph and will be used to perform the computation, and the white/black sub-graph is used to set trap/dummy qubits

Then the QYao protocol can be briefly described as follows.
  1. Q1

    Bob encrypts his input using secret keys (mz,i,mx,i) and then sends to Alice the states \(X^{m_{x,i}}Z^{m_{z,i}}|{\Phi }_{B}\rangle \) for all iI B , where I B denotes the specific positions of Bob’s input.

  2. Q2

    Alice prepares all the states of the DT(G) except the computation qubits of Bob’s input.

  3. Q3

    After receiving Bob’s input qubits which are described in step 1, Alice chooses at random \(x_{i}^{\prime }\), \({\theta }_{i}^{\prime }\) for each Bob’s input qubit and encrypts them to obtain the states:\(X^{x_{i}^{\prime }}Z({\theta }_{i}^{\prime })X^{m_{x,i}}Z^{m_{z,i}}|{\Phi }_{B}\rangle \).

  4. Q4

    Alice mixes the computation qubit of the Bob’s input with a dummy qubit and a trap qubit and returns to Bob the three qubits of Bob’s input base-locations using the method shown in Fig. 3.

  5. Q5

    Bob produces the DT(G) state that was specified by Alice. Then, Bob returns to Alice the secret bits (mz,i,mx,i) for all i of his input.

  6. Q6

    Alice computes \(x_{i}:=x_{i}^{\prime }+m_{x,i}\) and \(\theta _{i}:=(-1)^{m_{x,i}}\theta _{i}^{\prime }+\pi {m_{z,i}}\) and uses these (x i ,𝜃 i ) for computing the suitable measurement angles \(\delta _{i} = \phi _{i}^{\prime }+\theta _{i}+\pi {r_{i}}\) like the way in the UBQC protocol in Ref. [8].

  7. Q7

    On the output stage, Bob chooses pair of secret bits \((m_{x,i}^{\prime },m_{z,i}^{\prime })\) to encrypt each qubit in position i that corresponds to Bob’s output base-locations. Then he sends to Alice the state \(X^{m_{x,i}^{\prime }}Z^{m_{z,i}^{\prime }}Tr_{A}(U(|{\Psi }_{A}\rangle ,|{\Phi }_{B}\rangle ))\) and the Alice’s output is Tr B (U(|Ψ A 〉,|Φ B 〉)).

  8. Q8

    Alice keeps the qubits that correspond to traps and dummies in the final layer of Bob’s output, and returns to Bob the computation qubits of his output.

  9. Q9

    Bob sends to Alice the key \((m_{x,i}^{\prime },m_{z,i}^{\prime })\).

  10. Q10

    Alice checks the traps and returns to Bob the final layer paddings for Bob’s input locations.

  11. Q11

    Bob uses the final paddings to obtain the output.

Fig. 3

Bob sends his input (colored in green) to Alice, and Alice mixes it with a trap qubit and a dummy qubit by randomly choosing their locations. So, Bob cannot know which sub-graph is used to perform the quantum computation

At the end of this protocol, Alice and Bob obtain the output qubits respectively if this protocol is performed correctly. In this QYao protocol, Alice only requires limited quantum power but Bob needs the ability of performing quantum computation as a fully quantum server.

3 The Proposed Protocol

In this section, we propose a protocol which allows two users Alice and Bob with limited quantum power to perform two-party quantum computation with the help of an untrusted quantum server Charlie. In our protocol, Alice needs to prepare {|0〉,|1〉} states and perform Pauli-X and Z(𝜃) operations and Bob only needs to prepare and encrypt his input qubits. Supposed that Alice and Bob plan to implement the same quantum computation as that in the reviewed QYao protocol [25] and use similar parameters in it. Then inputs of Alice and Bob are |Ψ A 〉 and |Φ B 〉 respectively, and both of them want to perform the unitary operator U on them. The detailed steps of our protocol are described as follows.

Preparation Stage:
  1. D1

    Charlie prepares a single qubit |+〉 and sends it to Alice.

  2. D2

    Once receiving the particle, Alice randomly chooses (a) to perform Z(𝜃 i ) on it and sends to Charlie the state | + 𝜃 i 〉, where 𝜃 i is randomly selected from S ≡{kπ/4|k = 0,1,...,7} or (b) to prepares a dummy quantum state selected in {|0〉,|1〉} which will be sent to Charlie.

  3. D3

    They repeat (1)-(2) until the qubits is enough to construct the DT(G). Then Charlie produces the Alice’s initial DT(G) which are specified by Alice via the method described in Fig. 3.

  4. D4

    Bob encrypts his input |Φ B 〉 using secret keys (mz,j,mx,j) and then sends to Alice the state \(X^{m_{x,j}}Z^{m_{z,j}}|{\Phi }_{B}\rangle \). For simplicity, in the following we just give the case that the input is only one qubit since it can be generalized to multiple qubits trivially.

  5. D5

    Alice randomly chooses \((x_{j}^{\prime },\theta _{j}^{\prime })\) for each of the Bob’s input and encrypts it again to obtain the following state: \(X^{x_{j}^{\prime }}Z(\theta _{j}^{\prime })X^{m_{x,j}}Z^{m_{z,j}}|{\Phi }_{B}\rangle \).

  6. D6

    Bob prepares a trap qubit state \(|+\theta _{j}\rangle = |0\rangle + e^{i\theta _{j}}|1\rangle \), where 𝜃 j is selected randomly from the set S, and sends it to Alice.

  7. D7

    Alice prepares a dummy qubit and mixes it with Bob’s input qubit and trap qubit. Then, Alice sends the three qubits to Charlie to entangle it in Bob’s input base-locations which are shown in Fig. 3.

Computation Stage:
  1. D8

    In order to avoid the key releasing, Alice and Bob use classical secure oblivious transfer (OT) [30] as a function to compute the suitable measurement angles \(\delta _{j}(m_{x,j},m_{z,j}) = \phi _{j}^{\prime }+((-1)^{m_{x,j}+x^{j^{\prime }}}\theta _{j}^{\prime }+\pi {m_{z,j}})+\pi {r_{j}}\), where (mz,j,mx,j) and \((x_{j}^{\prime },\theta _{j}^{\prime })\) are Bob and Alice’s secret key values respectively and \(\phi _{j}^{\prime }\) is a modified angle according to the previous measurement results.

  2. D9

    Alice and Charlie perform the computation just like the UBQC protocol in Ref. [8] from the step 3. Alice tells the classical information δ i to Charlie. Charlie measures the i th qubit in the basis ±|δ i 〉 and sends the result to Alice. Through a set of measurements in the DT(G), Alice and Bob can achieve their computation goal U(|Ψ A 〉,|Φ B 〉).

Output Stage:
  1. D10

    Charlie sends the output qubits to Alice and Bob corresponding to their base-locations respectively.

  2. D11

    Alice checks her traps qubits and keeps her output Tr B (U(|Ψ A 〉,|Φ B 〉)).

  3. D12

    Alice tells Bob the information about which qubit is his output qubit, trap qubit or dummy qubit, and returns to Bob the final layer paddings for their locations.

  4. D13

    Bob uses the final paddings to check his trap qubit and obtain his output Tr A (U(|Ψ A 〉,|Φ B 〉)).


4 Security Analysis and Comparisons

In this section, we will analyze the security of the proposed protocol and show it will not reveal the information about users’ input and output. Similar to the QYao protocol, we suppose that Alice is a specious (quantum honest-but-curious) [29] user, and Bob and Charlie can be fully malicious. The specious adversary must appear to act honestly at any step during the execution of a protocol. It means that he may want to learn some information of the honest party without being detected.
  1. 1.

    In steps D1-D3, Alice prepares rotated single qubits | + 𝜃 i 〉 by perform the Z(𝜃 i ) operations on qubits |+〉, and only Alice knows their values. Moreover, Alice encrypts Bob’s input and mixes it with a trap qubit and a dummy qubit to hide the input qubits’ positions. Bob cannot know which qubits are used in real computation and which qubits are trap qubits and thus there is no information about Alice’s input that can be revealed. In addition, Bob encrypts his input qubit by using random key (mz,j,mx,j) in step D4, thus Alice also cannot get any information about Bob’s input.

  2. 2.

    If Charlie does not implement the protocol as being told, he still cannot obtain the private data of both participants. For simplicity, suppose he may try to learn the information of 𝜃 i , where 𝜃 i is the rotation angle of Alice’s input qubit | + 𝜃 i 〉. In step D3, Alice mixes her input qubit with a dummy qubit and a trap qubit and only Alice knows the positions of the three qubits. Thus Charlie’s attack may be detected when he measures a trap qubit and the probability that he escapes from the detection is \(p_{fail} \leq \frac {2}{3}\). If Alice has n qubits as her input, the Charlie’s attack can be detected by Alice with the probability \(p \geq \ 1 - (\frac {2}{3})^{n}\). Furthermore, Alice can verify the computational result through measuring trap qubits in the output phase. The analysis for Bob is similar to that for Alice.

  3. 3.

    If Bob has collusion with Charlie, they can get (mz,j,mx,j) and δ j . But it is impossible for them to get something about \(\phi _{j}^{\prime } = \delta _{j}-((-1)^{m_{x,j}+x_{j}^{\prime }}\theta _{j}^{\prime }+\pi {m_{z,j}})-\pi {r_{i}}\), since they have no information about Alice’s secret key values \((x_{j}^{\prime },\theta _{j}^{\prime })\). Without knowing \(\phi _{j}^{\prime }\) and the sub-graph used to perform the real computation, Bob and Charlie cannot get any information about Alice’s input and output and thus the proposed protocol can be against Bob and Charlie’s collusion attack.

  4. 4.

    If Alice colludes with Charlie, they can get some information about Bob’s input if they does not mind being caught by Bob. For example, in step D8, if Alice sets \(\phi _{j}^{\prime }=\theta _{j}^{\prime }=r_{j}= 0\), then δ j = πmz,j and she can get the value of mz,j. But if Alice tries to get Bob’s secret key values through the above method, it will be detected by Bob according to the change of δ j and the computation process will be aborted. Moreover, if Bob has n qubits as input, Alice and Charlie only have the probability of 1/2 n to get Bob’s input. Thus the proposed protocol can be against Alice and Charlie’s collusion attack to some extent.

In Kashefi et al.’s protocol in Ref. [25], Alice needs the ability to prepare rotated single qubits and implement quantum encryption and Bob needs the ability to perform quantum computation as a fully quantum server. But in our protocol Alice is not required to prepare rotated single qubits and Bob is unnecessary to own a powerful quantum computer. The cost is that an untrusted quantum server is introduced. In addition, both of the QYao protocol and our proposed protocol need Alice to be a specious (quantum honest-but-curious) user and require the users Alice and Bob to have the ability to perform Pauli operations. The specific comparisons are shown in Table 1.
Table 1

Comparisons between the QYao protocol and the proposed protocol


QYao protocol [25]

The proposed protocol

Alice’s quantum power

generate | + 𝜃〉,

generate {|0〉,|1〉},


apply Pauli-X and Z(𝜃)

apply Pauli-X and Z(𝜃)

Bob’s quantum power

own fully quantum capability

prepare input qubit,


apply Pauli-X and Z(𝜃)

An untrusted Server



5 Conclusions

In conclusion, we have applied BQC to propose an improved protocol of two-party quantum computation which simplifies both two parties’ quantum operations compared with those in the original two-party quantum computation protocol in Ref. [25]. Furthermore, we also have shown that the proposed protocol can be against untrusted Charlie, malicious Bob, and specious Alice. Finally, our protocol may be modified to execute in a noisy environment by using some anti-noise methods when transmitting qubits from Alice or Bob to Charlie in the preparation stage, such as using quantum state amplification [31, 32], entanglement purification [33, 34], and entanglement concentration [35, 36] between two servers. However, the problem about how to deal with a malicious Alice has not been addressed and it will be future work.



We would like to thank Zhulin Li, Chengdong Liu, and Yu Peng for useful discussion and suggestion. This work was supported by the Joint Funds of the National Natural Science Foundation of China and China General Technology Research Institute (Grant No. U1736113), and the Hunan Provincial Natural Science Foundation of China (Grant No. 2018JJ2403).


  1. 1.
    Nielsen, M.A., Chuang, I.L: Quantum Computation and Quantum Information. Cambridge University Press (2010)Google Scholar
  2. 2.
    Shor, P.W.: In: Proceedings of the 35th Annual IEEE Symposium on the Foundations of Computer Science, pp. 124–134 (1994)Google Scholar
  3. 3.
    Grover, L.K.: Phys. Rev. Lett. 79, 325 (1997)ADSCrossRefGoogle Scholar
  4. 4.
    Morimae, T., Fujii, K.: Phys. Rev. A 87, 050301(R) (2013)ADSCrossRefGoogle Scholar
  5. 5.
    Fitzsimons, J.F.: npj Quant. Inf. 3, 23 (2017)ADSCrossRefGoogle Scholar
  6. 6.
    Childs, A.M.: Quant. Inf. Comput. 5, 456 (2005)Google Scholar
  7. 7.
    Arrighi, P., Salvail, L.: Int. J. Quant. Inf. 04, 883 (2006)CrossRefGoogle Scholar
  8. 8.
    Broadbent, A., Fitzsimons, J., Kashefi, E.: In: Proceedings of the 50th Annual IEEE Symposium on Foundations of Computer Science, pp. 517–526 (2009)Google Scholar
  9. 9.
    Raussendorf, R., Briegel, H.J.: Phys. Rev. Lett. 86, 5188 (2001)ADSCrossRefGoogle Scholar
  10. 10.
    Morimae, T., Fujii, K.: Phys. Rev. Lett. 111, 020502 (2013)ADSCrossRefGoogle Scholar
  11. 11.
    Li, Q., Chan, W.H., Wu, C., Wen, Z.: Phys. Rev. A 89, 040302(R) (2014)ADSCrossRefGoogle Scholar
  12. 12.
    Sheng, Y.B., Zhou, L.: Sci. Rep. 5, 7815 (2015)CrossRefGoogle Scholar
  13. 13.
    Takeuchi, Y., Fujii, K., Ikuta, R., Yamamoto, T., Imoto, N.: Phys. Rev. A 93, 052307 (2016)ADSCrossRefGoogle Scholar
  14. 14.
    Sheng, Y.B., Zhou, L.: Available at arXiv:1609.08902 (2016)
  15. 15.
    Kashefi, E., Wallden, P.: Available at arXiv:1510.07408 (2015)
  16. 16.
    Fitzsimons, J.F., Kashefi, E.: Phys. Rev. A 96, 012303 (2017)ADSCrossRefGoogle Scholar
  17. 17.
    Dunjko, V., Kashefi, E., Leverrier, A.: Phys. Rev. Lett. 108, 200502 (2012)ADSCrossRefGoogle Scholar
  18. 18.
    Morimae, T., Fujii, K.: Nat. Commun. 3, 251 (2012)CrossRefGoogle Scholar
  19. 19.
    Li, Q., Li, Z., Chan, W.H., Zhang, S., Liu, C.: Phys. Lett. A 382, 938 (2018)ADSMathSciNetCrossRefGoogle Scholar
  20. 20.
    Brennen, G.K., Miyake, A.: Phys. Rev. Lett. 101, 010502 (2008)ADSCrossRefGoogle Scholar
  21. 21.
    Morimae, T.: Phys. Rev. Lett. 109, 230502 (2012)ADSCrossRefGoogle Scholar
  22. 22.
    Sueki, T., Koshiba, T., Morimae, T.: Phys. Rev. A 87, 060301 (2013)ADSCrossRefGoogle Scholar
  23. 23.
    Mantri, A., Pérez-Delgado, C.A., Fitzsimons, J.F.: Phys. Rev. Lett. 111, 230502 (2013)ADSCrossRefGoogle Scholar
  24. 24.
    Kong, X., Li, Q., Wu, C., Yu, F., He, J., Sun, Z.: Int. J. Theor. Phys. 55, 3001 (2016)CrossRefGoogle Scholar
  25. 25.
    Kashefi, E., Wallden, P.: Cryptography 1, 6 (2017)CrossRefGoogle Scholar
  26. 26.
    Kashefi, E., Pappa, A.: Available at arXiv:1606.09200 (2016)
  27. 27.
    Sheng, Y.B., Zhou, L.: Sci. Bull. 62, 1025 (2017)CrossRefGoogle Scholar
  28. 28.
    Yao, A.C.: In: Proceedings of the 23rd Annual IEEE Symposium on Foundations of Computer Science, pp. 160–164 (1982)Google Scholar
  29. 29.
    Dupuis, F., Nielsen, J.B., Salvail, L.: In: Advances in Cryptology-Crypto 2010, pp. 685–706 (2010)Google Scholar
  30. 30.
    Naor, M., Pinkas, B.: In: Proceedings of the 31st Annual ACM Symposium on Theory of Computing, pp. 245–254 (1999)Google Scholar
  31. 31.
    Osorio, C.I., Bruno, N., Sangouard, N., Zbinden, H., Gisin, N., Thew, R.T.: Phys. Rev. A 86, 023815 (2012)ADSCrossRefGoogle Scholar
  32. 32.
    Zhou, L., Sheng, Y.B.: Laser Phys. Lett. 12, 045203 (2015)ADSCrossRefGoogle Scholar
  33. 33.
    Zwerger, M., Briegel, H.J., Dur, W.: Phys. Rev. A 90, 012314 (2014)ADSCrossRefGoogle Scholar
  34. 34.
    Zhou, L., Sheng, Y.B.: Sci. Rep. 6, 28813 (2016)ADSCrossRefGoogle Scholar
  35. 35.
    Du, F.F., Deng, F.G.: Science china physics. Mech. Astron. 58, 040303 (2015)Google Scholar
  36. 36.
    Sheng, Y.B., Pan, J., Guo, R., Zhou, L., Wang, L.: Science china physics. Mech. Astron. 58, 060301 (2015)CrossRefGoogle Scholar

Copyright information

© Springer Science+Business Media, LLC, part of Springer Nature 2018

Authors and Affiliations

  1. 1.College of Information EngineeringXiangtan UniversityXiangtanChina
  2. 2.Department of Computer ScienceJinan UniversityGuangzhouChina
  3. 3.Department of Mathematics and Information TechnologyThe Education University of Hong KongTai PoHong Kong

Personalised recommendations