Blind oracular quantum computation

Here we review one-way quantum computing (1WQC) [17, 18], the measurement calculus [28], and deterministic computations made possible by the existence of flow [29]. A computation within 1WQC is executed by consecutively measuring qubits in a cluster state: a highly entangled quantum state, which can be efficiently parameterized by mathematical graphs [30]. A cluster state corresponds to the space-time layout of the quantum computer, and consecutive measurements define quantum operations. In this study, we use measurement calculus to describe processes within a 1WQC computation, and we use flow to specify measurement-dependency structure.

A graph is used to represent the resource (cluster state) of a 1WQC computation. The graph's vertices represent qubits whose states are initially in the xy-plane of Bloch sphere, and its edges represent CPHASE gates applied to the corresponding nodes. We will interchangeably use graph and graph state. In particular, open graph is used as a 1WQC resource, that is a triplet $(\mathcal{G},I,O)$, with a set of quantum input nodes I and quantum output nodes O that may intersect, where $\mathcal{G}=(V,E)$ is a simple graph ⁹ with a set of vertices V and edges E, I ⊂ V and O ⊂ V, where I ≠ ∅, and O ≠ ∅. For a subset K ⊂ V, $\mathcal{G}[K]$ denotes the induced subgraph whose vertex set is K and whose edge set is those from E whose endpoints are both in K—denoted as E(K). Given a node k, we define the following notations:

$$\begin{equation}\begin{aligned}{N}_{\mathcal{G}}(k)& \hspace{2pt}\text{as nodes adjacent to}k\;\text{---}\;\text{called}\enspace \mathrm{o}\mathrm{p}\mathrm{e}\mathrm{n}\enspace \mathrm{n}\mathrm{e}\mathrm{i}\mathrm{g}\mathrm{h}\mathrm{b}\mathrm{o}\mathrm{r}\mathrm{h}\mathrm{o}\mathrm{o}\mathrm{d},\\ {N}_{\mathcal{G}}[k]& \hspace{2pt}\text{as nodes adjacent to}\;\enspace k,\text{including}\;k\;\text{---}\;\text{called}\enspace \mathrm{c}\mathrm{l}\mathrm{o}\mathrm{s}\mathrm{e}\mathrm{d}\enspace \mathrm{n}\mathrm{e}\mathrm{i}\mathrm{g}\mathrm{h}\mathrm{b}\mathrm{o}\mathrm{r}\mathrm{h}\mathrm{o}\mathrm{o}\mathrm{d}.\end{aligned}\end{equation} \tag{ 1 }$$

Another formalism that we use here is measurement calculus on measurement patterns (or patterns) [28] in order to describe processes within the 1WQC scheme. A pattern comprises commands: (i) ${N}_{j}^{\theta }{:=}$ prepare qubit j in state $\left\vert {+}_{\theta }\right\rangle$,

$$\begin{equation}\left\vert {+}_{\theta }\right\rangle {:=}\frac{1}{\sqrt{2}}(\left\vert 0\right\rangle +{\text{e}}^{\text{i}\theta }\left\vert 1\right\rangle ),\end{equation} \tag{ 2 }$$

(ii) E_ij := apply CPHASE between qubits i, j. (iii) ${M}_{j}^{\theta }{:=}$ measure j in the basis $\left\vert {{\pm}}_{\theta }\right\rangle$. Finally (iv) ${X}_{i}^{s},{Z}_{i}^{s}$ are Pauli corrections on qubit i for signal s; that is, if s = 1, the corrections ${X}_{i}^{1}={X}_{i},{Z}_{i}^{1}={Z}_{i}$ are done, and if s = 0 no corrections are done since ${X}_{i}^{0}={Z}_{i}^{0}={\mathbb{1}}_{i}$. In addition, we denote ${N}_{Q}^{\theta }{:=}{\bigotimes}_{i\in Q}{N}_{i}^{{\theta }_{i}}$ as preparing a set of qubits Q accordingly.

Apart from those commands, we introduce the following extra notations. First, Z_i (θ) signifies rotation about z-axis on qubit i with angle θ; in particular

$$\begin{equation}Z(\theta ){:=}\left(\begin{matrix}\hfill 1\hfill & \hfill 0\hfill \\ \hfill 0\hfill & \hfill {\text{e}}^{\text{i}\theta }\hfill \end{matrix}\right).\end{equation} \tag{ 3 }$$

Second, given a graph $\mathcal{G}=(V,E)$ with an ordering > on the nodes, for any subgraph $\mathcal{G}[K]$ that K ⊂ V,

$$\begin{equation}{E}_{K}{:=}\prod\limits _{(i,j)\in E(K)}{E}_{ij},\qquad {E}_{iK}{:=}\prod\limits _{k\in K}{E}_{ik}\quad \text{where}\quad i\notin K,\quad {E}_{iK}^{{ >}}{:=}\prod\limits _{k\in K,k{ >}i}{E}_{ik},\end{equation} \tag{ 4 }$$

where E_ij is the entangling command (ii) in measurement calculus; E_ij are all mutually commuting.

Note that Pauli corrections can be absorbed into measurement angles [28]:

$$\begin{equation}{M}_{j}^{\theta }{X}_{j}={M}_{j}^{(-\theta )}\qquad {M}_{j}^{\theta }{Z}_{j}={M}_{j}^{\theta +\pi },\end{equation} \tag{ 5 }$$

where −θ and θ + π are understood to be evaluated modulo 2π.

A set of angles $\theta ={\left\{{\theta }_{j}\right\}}_{j\in \mathbb{N}}$ specifies quantum operations; angle θ_j can denote the parameter of a projective measurement performed on node j with projectors

$$\begin{equation}\left\{\left(\left\vert {+}_{{\theta }_{j}}\right\rangle \left\langle {+}_{{\theta }_{j}}\right\vert ,\mathtt{\text{0}}\left.\right),\left(\right.\left\vert {+}_{{\theta }_{j}+\pi }\right\rangle \left\langle {+}_{{\theta }_{j}+\pi }\right\vert ,1\right)\right\},\end{equation} \tag{ 6 }$$

where θ_j ∈ [0, 2π). The two projectors in (equation (6)) will be reported as outcomes 0 and 1 respectively. We also refer to such a measurement as 'measure in basis $\left\vert {{\pm}}_{{\theta }_{j}}\right\rangle$'. An angle θ_j may be dependent on signals s_<j , that is, measurement outcomes obtained previous to measuring qubit j. It is inevitable that measurements introduce indeterminacies. Thus, adaptive measurements—measurements which are depending on some prior signals—are performed. The adaptive measurement in θ_j may be X_i - or Z_i -dependent on a signal i. If it is X_i -dependent, θ_j is replaced by ${(-1)}^{{s}_{i}}{\theta }_{j}$; if it is Z_i -dependent, θ_j is replaced by θ_j + s_i π; these replacements are indicated in equation (5). This dependency structure is captured within the notion of flow. It is worth mentioning that it is possible in 1WQC to perform measurements other than those in the xy-plane, such as those in the xz- or yz-plane [31]. However, we consider only xy-plane measurements here.

A flow f is a map from the measured qubit to the prepared qubit. f: O^c → I^c, where A^c denotes the complement of set A. More specifically for cluster states, f(j) indicates the X correction and ${N}_{\mathcal{G}}(f(j))$ indicate Z corrections for the measured node j. By its definition, we will see that a flow induces a partial order that covers V. The state of an open graph $(\mathcal{G},I,O)$ has flow if there exists a map f: O^c → I^c together with a partial order ≻ over nodes V such that for all j ∈ O^c [29, 31]:

$$\begin{equation}(\text{F0})\enspace (j,f(j))\in E,\quad (\text{F1})\enspace f(j)\succ j,\quad (\text{F2})\enspace \forall \enspace k\in {N}_{\mathcal{G}}(f(j)){\backslash}\left\{j\right\},k\succ j.\end{equation} \tag{ 7 }$$

Hence, a 1WQC computation can be described with a set

$$\begin{equation}\left\{(\mathcal{G},I,O),f,\phi ,{\rho }^{\mathrm{i}\mathrm{n}}\right\},\end{equation} \tag{ 8 }$$

where $(\mathcal{G},I,O)$ denotes an open graph with flow f, ϕ signifies a set of measurement angles, and ρⁱⁿ is a quantum state assigned to nodes I.

Reference [29] also characterizes an interesting family of patterns as follows.

Theorem 1. [29] Suppose the open graph state $(\mathcal{G},I,O)$ has flow (f, ≻), then the pattern:

is runnable and deterministic for all $\overrightarrow {\theta }$ and $\overrightarrow {s}$. It realizes the isometry ${\bigotimes}_{i\in {O}^{\mathrm{c}}}{\left\langle {+}_{{\theta }_{i}}\right\vert }_{i}{E}_{\mathcal{G}}{N}_{{I}^{\mathrm{c}}}^{0}$, where ${E}_{\mathcal{G}}{:=}{\prod }_{(i,j)\in \mathcal{G}}{E}_{ij}$.

A pattern is said to be runnable [29] if it satisfies the following conditions: (R0) no command depends on an outcome not yet measured, (R1) no command acts on a qubit already measured or not yet prepared (except preparation commands), and (R2) a qubit i is measured (prepared) if and only if i is not an output (input).

Theorem 1 provides a sufficient condition in which the existence of flow guarantees a deterministic computation. Notice that in equation (9) we introduce the notation , signifying an ordered product with respect to any given ordering ≻.

Abstract cryptography (AC) [14] is a mathematical framework that we use to model the security of our protocols. The AC framework ensures composability: a secure protocol in AC is guaranteed to be secure when composing a larger cryptographic system. AC is a constructive cryptography [32], i.e. we are constructing a resource from other weaker resources. To assess the security in such a construction, AC implements an 'ideal-world real-world' paradigm in which the distance of resources is used as the security metric. Simply put, we want to construct an ideal resource (resources with desired security in the ideal world) from a real resource (resources found in the real world), while minimizing the distance between the two worlds (or systems). Perfect security is achieved when both systems are completely indistinguishable.

AC uses a top-down approach: it starts from the highest-level possible of abstraction, then proceeds downwards, introducing in each level the minimum necessary specializations. The framework defines a system as an abstract object with interfaces. There are two types of systems: resources and converters. A resource is a system with a set of interfaces $\mathcal{I}=\left\{A,B,C,\dots \right\}$; each element $i\in \mathcal{I}$ is associated with a player, which models how party i can access the resource. A converter is a system with two interfaces: an inside interface that is connected to a resource and the outside interface that receives inputs and gives outputs.

A (cryptographic) protocol is a set of converters possessed by honest parties {π_i }. Converters π_i , π_j can be appended to a resource $\mathcal{R}$ via their inside interfaces, ¹⁰ forming a new resource ${\pi }_{i}{\pi }_{j}\mathcal{R}$ with the same set of interfaces. ¹¹ Resources and converters can be instantiated with any mathematical object that follows the AC composition defined in [14]; in our case, we can instantiate them with quantum combs [33]. The quantum comb generalizes quantum channels, mapping quantum circuits to quantum circuits rather than quantum states to quantum states. Thus, here the compositions may be defined as the operations of quantum combs as well.

A practical view of a protocol is seeing it as an effort to obtain the ideal-world functionalities from the real-world functionalities. Note that this framework does not capture the kind of failure, the severity of failure, nor the cheating strategy. Instead, we ask if the defined ideal resource captures all the security features that we need; otherwise, we define it differently.

Consider a three-party protocol π with players Alice($\mathcal{A}$), Oscar($\mathcal{O}$), and Bob($\mathcal{B}$), where Bob can be dishonest. There are two security requirements that we want to achieve with the protocol π: correctness (or completeness) and security (or soundness). Correctness is a property that can be present only when all parties are honest (no adversary present), defined in definition 1. Security is a property involving the presence of an adversary (or adversaries), defined in definition 2 for a cheating Bob.

Definition 1 [14]. Let $\pi =({\pi }_{\mathcal{A}},{\pi }_{\mathcal{O}},{\pi }_{\mathcal{B}})$ be a protocol with no adversary and $\mathcal{R},\mathcal{S}$ be resources. Protocol π is ɛ-correct if it constructs an ideal resource within ɛ, viz, $\mathcal{R}\pi ,\varepsilon {\to }\mathcal{S}$, such that

$$\begin{equation*}d({\pi }_{\mathcal{A}}{\pi }_{\mathcal{O}}\mathcal{R}{\pi }_{\mathcal{B}},\mathcal{S}){\leqslant}\varepsilon .\end{equation*}$$

Definition 2 [14]. Let $\pi =({\pi }_{\mathcal{A}},{\pi }_{\mathcal{O}})$ be a protocol with an adversary $\mathcal{B}$ and ${\mathcal{R},\mathcal{S}}^{\prime }$ be resources. Protocol π is ɛ-secure, that is, it constructs an ideal resource within ɛ, viz, $\mathcal{R}\pi ,\varepsilon {\to }{\mathcal{S}}^{\prime }$, if there exists a converter ${\sigma }_{\mathcal{B}}$ (called simulator), such that

$$\begin{equation*}d({\pi }_{\mathcal{A}}{\pi }_{\mathcal{O}}\mathcal{R},{\mathcal{S}}^{\prime }{\sigma }_{\mathcal{B}}){\leqslant}\varepsilon .\end{equation*}$$

Here, d signifies a pseudo-metric such that: $d(\mathcal{R},\mathcal{R})=0$, $d(\mathcal{R},\mathcal{S})=d(\mathcal{S},\mathcal{R})$, and $d(\mathcal{R},\mathcal{S}){\leqslant}d(\mathcal{R},\mathcal{T})+d(\mathcal{T},\mathcal{S})$. If both definitions above are fulfilled, we say protocol π is ɛ-secure in producing tasks defined in $\mathcal{S}$, using resources $\mathcal{R}$, and ɛ is the probability of failing. For ɛ = 0, we call the protocol π perfectly secure.

In definition 2, with Bob being dishonest, an arbitrary system (simulator ${\sigma }_{\mathcal{B}}$) is appended to ${\mathcal{S}}^{\prime }$ at the $\mathcal{B}$-interface in order to make both systems (${\mathcal{S}}^{\prime }$ and ${\pi }_{\mathcal{A}}{\pi }_{\mathcal{O}}\mathcal{R}$) comparable. The system ${\mathcal{S}}^{\prime }{\sigma }_{\mathcal{B}}$ is also called a relaxation of ${\mathcal{S}}^{\prime }$ [34], where the definition of simulator ${\sigma }_{\mathcal{B}}$ is independent of Bob's cheating strategies. A simulator assures that none of these relaxations can be more useful to Bob than the ideal resource. As all relaxations are defined in the ideal world, a real-world system is secure when it is indistinguishable from at least one relaxation of the ideal system.

It now remains for us to practically specify 'distinguishing two resources'; here, we use the notion of advantage. ¹² Two resources $\mathcal{R}$ and $\mathcal{S}$ are indistinguishable if the rest of the world cannot tell whether it is interacting with $\mathcal{R}$ or $\mathcal{S}$; a distinguisher captures the rest of the world. One can think of a distinguisher as a referee who has some access to and can freely interact with an unknown system ($\mathcal{R}$ or $\mathcal{S}$). A distinguisher can read outputs, give inputs, take the role of an adversary, generate an arbitrary joint system, measure a joint system, and measure a purification. ¹³ The distinguisher is then asked whether it is interacting with $\mathcal{R}$ (B = 0) or $\mathcal{S}$ (B = 1). In this setting, the distance metric is called distinguishing advantage. Given D as a random variable that signifies the distinguisher's guess, the distinguishing advantage is defined as

$$\begin{equation}\left\vert \mathrm{Pr}[D=0\vert B=0]-\mathrm{Pr}[D=0\vert B=1]\right\vert ,\end{equation} \tag{ 10 }$$

which is the difference between guessing correctly and erroneously. Perfect security is accomplished when the distinguishing advantage is zero.

This paper aims to provide a mechanism for a client to privately delegate her oracular computation with the cooperation of a separate oracle client. For this we propose our scheme, which we call BOQC. There are several BOQC protocols provided here, which vary based on the used resources, e.g. solid-state qubits, photonic qubits, classical or quantum inputs, and based on whether the outputs are classical or quantum.

Consider the following illustration to give a picture of a situation in which a BOQC will be used. Alice wants to run a private oracular quantum algorithm, ¹⁴ but she has neither a powerful quantum computer nor the resources needed to construct her oracle function. On the other hand, Oscar has the information necessary to generate an oracle quantum circuit. Also, Bob has a quantum computer, offered to clients as a service. While building a reliable quantum computer is very hard, in our idealized setting Alice and Oscar will be motivated to use Bob's quantum computer. However, they do not wish to risk revealing information about their computation while running it on Bob's quantum computer. Hence, they run the computation using the BOQC scheme. Consider figure 1 that pictures this situation.

We assume that Alice and Oscar (the clients) possess the same level of quantum power, and are always honest. The client-cooperation scheme is implemented with minimal shared information, where Alice and Oscar are not communicating during the protocol run; this is possible by the nature of an oracle in an algorithm, which is a computation independent of the algorithm itself. Since the algorithm is run within the 1WQC scheme, Alice and Oscar represent their algorithms as graphs and measurement angles. In particular, their preparations are captured in definition 3, the pre-protocol steps, which are performed before the protocol runs.

Definition 3. [5] Pre-protocol steps. Given that Oscar agreed to provide oracle information for a quantum computation that Alice wishes to run, the following steps are done via an authentic channel before starting a BOQC protocol:

(B1) Alice and Oscar determine the size of bit string b; the string must be long enough to indicate all possible measurement angles ϕ_i , ψ_i ∈ Ω. The allowed set of angles is ${\Omega}={\left\{\pi k/{2}^{b-1}\right\}}_{0{\leqslant}k{< }{2}^{b}}$.

(B2) Alice and Oscar join their graphs in the following way. Given that Alice's oracular quantum algorithm needs k oracle queries, she marks each query as a black box on her graph $\mathcal{A}$. Given that Oscar's graph $\mathcal{O}$ is a graph with k components, he sends Alice $\left\{\mathcal{O},{f}_{\mathcal{O}}\right\}$. Alice joins their graphs with a connection C by replacing each black box in $\mathcal{A}$ with a component of $\mathcal{O}$ according to C; she obtains $\mathcal{G}=\mathcal{A}{\cup }_{C}\mathcal{O}$, and computes the total flow (f, ≻) for the entire graph $\mathcal{G}$. The connection C is valid when the resulting graph $\mathcal{G}$ has flow. ¹⁵

(B3) Alice determines a total ordering > that is consistent with the partial ordering ≻. This step is optional for the BOQC protocols (protocols 1 and 3), but it is necessary for optimized protocols such as BOQCo protocols (protocols 2 and 4).

(B4) Alice publicly informs Bob of $\left\{(\mathcal{G},~{I},~{O}),{V}_{\mathcal{A}},{V}_{\mathcal{O}},\succ ,{ >},b\right\}$, where $~{I}\subseteq I$ is a set of nodes assigned with quantum input ρⁱⁿ, $~{O}\subseteq O$ is a set unmeasured nodes that will be sent to Alice, ${V}_{\mathcal{A}}\equiv V(\mathcal{A})$, and ${V}_{\mathcal{O}}\equiv V(\mathcal{O})$. If $~{I}\ne \varnothing$ and $~{O}\ne \varnothing$, then $~{I}\cap {V}_{\mathcal{O}}=\varnothing$ and $~{O}\cap {V}_{\mathcal{O}}=\varnothing$, respectively; simply put, Oscar does not give quantum input and does not receive quantum output. The total order > is given if step (B3) is executed.

Notice that we introduce $~{I}$ and $~{O}$ in addition to I and O. While variables I and O are required to define a 1WQC computation (equation (8)) such that one can describe the resulting computation per theorem 1, variables $~{I}$ and $~{O}$ signify nodes whose quantum information is associated with Alice. Set $~{I}$ comprises nodes assigned with Alice's quantum input and $~{O}$ is a set of nodes whose state is received by Alice as the final output. For a classical input c = c_n ...c₂ c₁, where c_i ∈ {0, 1}, we can consider it as quantum input with state ${\prod }_{i=1}^{n}\left\vert {c}_{i}\right\rangle \left\langle {c}_{i}\right\vert$ in the formalism used in theorem 1. Also, a classical output can be considered as quantum output—in the formalism used in theorem 1—with a density of states whose matrix is diagonal.

Example 1. Alice wants to run a two-qubit Grover algorithm and Oscar has the four-element database. The algorithm comprises one oracle call and is implementable with circuit

where $\mathcal{A}$, ${\mathcal{O}}_{f}(\pi )$ and $\mathcal{D}(\pi )$ indicate preparation, oracle, and diffusion operators respectively. The following steps show the steps in definition 3 to run a two-qubit Grover algorithm; the algorithm (the graph state) is taken from [5].

First Alice and Oscar agree upon the bit string size, e.g. b = 4. As Alice does not need any quantum input and output, so she sets $~{I}=~{O}=\varnothing$. Alice's graph state $\mathcal{A}$ contains a black box indicating the oracle. Then, Oscar tells Alice his graph and flow $\left\{\mathcal{O},{f}_{\mathcal{O}}\right\}$, where $\mathcal{O}$ is a graph with one component. The following shows graphs of Alice and Oscar whose flows are indicated with arrows.

Here, $\mathcal{A}=(\left\{1,2,3,4\right\},\left\{(2,3),(1,4),(3,4)\right\})$ and $\mathcal{O}=(\left\{5,6,7,8\right\},\left\{(5,6),(6,7),(5,8)\right\})$. Alice obtains the total graph $\mathcal{G}=\mathcal{A}{\cup }_{C}\mathcal{O}$ with C = {(7, 2), (8, 1)} and the total flow (f, ≻) as shown here:

with I = {5, 6}, $~{I}=\varnothing$, O = {3, 4}, $~{O}=\varnothing$, ${V}_{\mathcal{A}}=\left\{1,2,3,4\right\}$, ${V}_{\mathcal{O}}=\left\{5,6,7,8\right\}$, partial ordering {5, 6} ≻ {7, 8} ≻ {1, 2} ≻ {3} ≻ {4}, and a total ordering, e.g. 5 < 6 < 7 < 8 < 1 < 2 < 3 < 4. Finally, Alice publicly tells Bob $\left\{(\mathcal{G},\varnothing ,\varnothing ),{V}_{\mathcal{A}},{V}_{\mathcal{O}},{ >},\succ ,4\right\}$.

In this example, neither Alice nor Oscar provide classical or quantum input, and $I\subset {V}_{\mathcal{O}}$; this is consistent with definition 3 since $~{I}=\varnothing$. Instead, here the input is implicit, i.e. two zeros $\left\vert 00\right\rangle \left\langle 00\right\vert$ ( and ).

The BOQC protocol involves three players: Alice, Bob, and Oscar, indicated with $\mathcal{A}$, $\mathcal{B}$, and $\mathcal{O}$, respectively. In the language of AC, we denote the protocol as ${\pi }_{\text{boqc}}=({\pi }_{\mathcal{A}},{\pi }_{\mathcal{B}},{\pi }_{\mathcal{O}})$—with an honest Bob—which uses a real-world resource $\mathcal{R}$. The resource $\mathcal{R}$ comprises three channels: a secure key channel between Alice and Oscar, a two-way insecure classical channel between each client and Bob, and one-way quantum channels between each client and Bob. If Alice expects quantum outputs, a two-way quantum channel between Alice and Bob is needed.

The BOQC protocol is provided in protocol 1, in a clear-cut style with explicit adaptive measurements. For generality, protocol 1 admits the case in which Alice requires quantum input and quantum output; integrating classical inputs and outputs to the protocol is straightforward, and it is also discussed. Note that symbol ⊕ is defined as modulo 2 addition.

Protocol 1. BOQC (${\pi }_{\text{boqc}}=\left\{{\pi }_{\mathcal{A}},{\pi }_{\mathcal{B}},{\pi }_{\mathcal{O}}\right\}$).

Alice's input: $\left\{(\mathcal{G},I,O),f,\phi ,{\rho }_{\mathcal{A}}^{\mathrm{i}\mathrm{n}}\right\}$	⊳ $~{I}=I$ and $~{O}=O$
Oscar's input: {ψ}
Alice's output for an honest Bob: ${\rho }_{\mathcal{A}}^{\text{out}}=\mathcal{E}({\rho }_{\mathcal{A}}^{\mathrm{i}\mathrm{n}})$
Assumptions and conventions:
(I) Alice ($\mathcal{A}$) and Oscar ($\mathcal{O}$) have performed pre-protocol steps in definition 3;	Bob knows $\left\{(\mathcal{G},~{I},~{O}),{V}_{\mathcal{A}},{V}_{\mathcal{O}},\succ ,{ >},b\right\}$. Here, we set
$~{I}=I$ and $~{O}=O$.
Recall $~{O}\cap {V}_{\mathcal{O}}=\varnothing$ (quantum outputs are held by Alice) and ${\Omega}={\left\{\frac{\pi k}{{2}^{b-1}}\right\}}_{0{\leqslant}k{< }{2}^{b}}$.
(II) sinvf(i) = 0, ∀ i ∈ I and ti = 0, ∀ i ∈ Ic.
(III) invf(i) ≡ f−1(i), $z(i){:=}{\bigoplus}_{k\prec i,i\in {N}_{\mathcal{G}}(f(k))}{s}_{k}$, and $t(i){:=}{\bigoplus}_{k\in I,i\in {N}_{\mathcal{G}}(k)}{t}_{k}$.
Pre-preparation
1: Alice and Oscar receive keys r, t via a secure key channel, where ri ∈ {0, 1}, i ∈ Oc and tj ∈ {0, 1}, j ∈ I.
State preparation
2: for i ∈ V\O following partial ordering ≻ do 16	⊳ It may follow ordering >
3:    if $i\in {V}_{\mathcal{A}}$ then
4:           Alice chooses αi ∈ Ω at random.
5:           if i ∈ I then
6:                 Alice applies ${Z}_{i}({\alpha }_{i}){X}_{i}^{{t}_{i}}$ to ${\mathrm{t}\mathrm{r}}_{I{\backslash}i}[{\rho }_{\mathcal{A}}^{\mathrm{i}\mathrm{n}}]$ and sends it to Bob. 17
7:                Alice updates angles:
$\begin{cases}{\phi }_{i}={(-1)}^{{t}_{i}}{\phi }_{i}\\ {\phi }_{j}={\phi }_{j}+{t}_{i}\pi ,\enspace \forall \enspace j\in {N}_{\mathcal{G}}(i)\cap {V}_{\mathcal{A}}.\end{cases}$
8:                Oscar updates angles ${\psi }_{j}={\psi }_{j}+{t}_{i}\pi ,\enspace \forall \enspace j\in {N}_{\mathcal{G}}(i)\cap {V}_{\mathcal{O}}$.
9:           else
10:                Alice prepares ${\left\vert {+}_{{\alpha }_{i}}\right\rangle }_{i}$ and sends it to Bob.
11:           end if
12:      else if $i\in {V}_{\mathcal{O}}$ then
13:           Oscar prepares ${\left\vert {+}_{{\beta }_{i}}\right\rangle }_{i}$ and sends it to Bob, where βi ∈ Ω is chosen at random.
14:      end if
15: end for
16: For all i ∈ O, Bob prepares ${\left\vert +\right\rangle }_{i}$.
Graph state formation
17: Bob applies entangling operator ${E}_{\mathcal{G}}$ defined in equation (4).
Classical interaction and measurement
18: for i ∈ V\O which follows partial ordering ≻ do
19:      if $i\in {V}_{\mathcal{A}}$ then
20:            Alice computes ${\phi }_{i}^{\prime }={(-1)}^{{s}_{invf(i)}}{\phi }_{i}+z(i)\pi$.
21:            Alice computes ${\delta }_{i}{:=}{\phi }_{i}^{\prime }+\pi {r}_{i}+{\alpha }_{i}$, and sends Bob δi .
22:      else if $i\in {V}_{\mathcal{O}}$ then
23:            Oscar computes ${\psi }_{i}^{\prime }={(-1)}^{{s}_{invf(i)}}{\psi }_{i}+z(i)\pi$.
24:            Oscar computes ${\delta }_{i}{:=}{\psi }_{i}^{\prime }+\pi {r}_{i}+{\beta }_{i}$, and sends Bob δi .
25:      end if
26:      Bob measures qubit i in $\left\vert {{\pm}}_{{\delta }_{i}}\right\rangle$ basis, then sends Alice and Oscar the outcome ${~{s}}_{i}$.
27:      Alice and Oscar set ${s}_{i}={~{s}}_{i}\oplus {r}_{i}$.
28: end for
Output transmission and correction
29: Bob sends Alice output qubits ${\rho }_{\mathcal{B}}^{\text{out}}$ (all qubits i ∈ O).
30: Alice corrects the final output $P({\rho }_{\mathcal{B}}^{\text{out}})=\hspace{-2pt}:\hspace{2pt}{\rho }_{\mathcal{A}}^{\text{out}}$, where $P\equiv {\otimes }_{i\in O}{X}_{i}^{{s}_{invf(i)}+{t}_{i}}{Z}_{i}^{z(i)+t(i)}$.

¹⁶It means the loop goes through all nodes in V\O following a total ordering > that is consistent with ≻; the total ordering > is implicit there. ¹⁷Operator tr_j is a partial trace, where subsystem j is traced-out; thus ${\mathrm{t}\mathrm{r}}_{I{\backslash}i}[{\rho }_{\mathcal{A}}^{\mathrm{i}\mathrm{n}}]$ indicates that subsystem i remains, where i ∈ I.

Every usage of a resource in $\mathcal{R}$—interactions with communication channels—is depicted in figure 2, where a circled number corresponds to the indicated part in protocol 1. Figure 2 shows that Alice and Oscar alternately take over the computation (transmitting qubits and giving commands with measurement angles) without communicating with each other, apart from sharing a key in the beginning.

Zoom In Zoom Out Reset image size

In protocol 1 Bob receives input from Alice as $\left\{(\mathcal{G},I,O),f,\phi ,{\rho }_{\mathcal{A}}^{\mathrm{i}\mathrm{n}}\right\}$ and input from Oscar as {ψ}, where $\mathcal{G}$ is the total graph with flow f, I is a set of input nodes that will be assigned with input state ${\rho }_{\mathcal{A}}^{\mathrm{i}\mathrm{n}}$, O is a set of output nodes, ϕ is a set of measurement angles of Alice's nodes, and ψ is a set of measurement angles of Oscar's nodes. Prior to the protocol, we assume pre-protocol steps in definition 3 have been successfully done.

Protocol 1 comprises five steps: pre-preparation, state preparation, graph state formation, classical interaction and measurements, and output transmission and correction. The interactions of players via a channel at each step are depicted in figure 2. The protocol is initiated by establishing a symmetric key between Alice and Oscar via a secure key channel—step . This step allows them to privately delegate their joint computation: in particular, it allows them to know the actual measurement outcomes so that their adaptive measurements can be computed independently. Steps comprises the delegated computation process: the clients send Bob the encrypted qubits, Bob entangles the received qubits, the clients communicate to Bob the measurement angles, and Bob sends the output qubits if necessary, i.e. quantum outputs.

The following lemma (lemma 1) shows that, for any computation, the obtained pattern in protocol 1 without randomness is identical to the obtained pattern in the 1WQC scheme. The proof of lemma 1 is available in appendix A.

Lemma 1. [5] Suppose the open graph state $(\mathcal{G},I,O)$ has flow (f, ≻), then the following patterns ${\mathfrak{P}}_{1},{\mathfrak{P}}_{2}$ are identical ∀ ϕ_i :

where $z(i){:=}{\bigoplus}_{k\prec i,i\in {N}_{\mathcal{G}}(f(k))}{s}_{k}$, invf(i) ≡ f⁻¹(i), and invf(i) = 0 for all i ∈ I.

Patterns ${\mathfrak{P}}_{1}$ and ${\mathfrak{P}}_{2}$ give different points of view in writing the corrections: pattern ${\mathfrak{P}}_{1}$ shows the obtained correction from measuring i, while pattern ${\mathfrak{P}}_{2}$ shows the corrections that can be done before measuring i. ¹⁸ Those points of view were first introduced in [36]. See table 1 for an illustration.

Table 1. Correction terms in lemma 1 with graph $(\mathcal{G},I,O)$ from example 1. In pattern ${\mathfrak{P}}_{1}$, upon measuring i, X-correction goes to node f(i) and Z-corrections go to nodes ${N}_{\mathcal{G}}(f(i)){\backslash}\left\{i\right\}$. In pattern ${\mathfrak{P}}_{2}$, before measuring i, X-correction is performed based on measurement invf(i) and Z-correction based on measurements z(i).

Using lemma 1, we obtain theorem 1, which states that an algorithm run within the BOQC implements the same map as when the algorithm is run directly within the 1WQC, without requiring Alice and Oscar to share any of their secrets. The proof of theorem 2 is available in appendix A.

Theorem 2. [5] The BOQC protocol π_boqc defined in protocol 1 delegates a computation with the isometry defined in theorem 1 for the same computation, without requiring Alice and Oscar to communicate their computations to each other.

Like UBQC, BOQC is a protocol that involves a clear separation of quantum power between client and server, where a client is only capable of producing and transmitting quantum states of the form $\left\vert {+}_{\theta }\right\rangle$, while the server is presumed to posses unlimited quantum power. While this formulation is exactly true for classical input and output ($~{I}=~{O}=\varnothing$), a client needs higher quantum power for quantum input and output, i.e. $~{I}\ne \varnothing$ or $~{O}\ne \varnothing$. Table 2 summarizes the minimal quantum power requirement of running BOQC protocols with various input–output types.

Table 2. [5] Minimal quantum power requirements of Alice and Bob to run a BOQC protocol. Oscar's requirement remains (C1) for all cases. Initial 'c' indicates 'entirely classical' and initial 'q' indicates 'entirely quantum'. Resources $\mathcal{K,C,Q}$, and $\mathcal{Q}2$ are respectively signifying a secure key channel between Alice and Oscar, an insecure classical channel between each client and server, a one-way quantum channel (each client to server), and a two-way quantum channel between Alice and Bob. Other notations follow the notations in protocol 1.

I	O	Client (Alice)	Server (Bob)	Resource
c	c	(C1) creates $\left\vert {+}_{\theta }\right\rangle$, then transmits it to Bob	(S1) receives $\left\vert {+}_{\theta }\right\rangle$, performs	$\mathcal{K,C,Q}$
			CPHASE gates, and measures qubits in the xy-plane bases
c	q	(C1) and (C2) receives ${\rho }_{\mathcal{B}}^{\text{out}}$ from Bob,	(S1) and (S2) create $\left\vert +\right\rangle \forall \enspace i\in O$	$\mathcal{K,C,Q,Q}2$
		then performs Pauli correction on it	and sends Alice the final outputs ${\rho }_{\mathcal{B}}^{\text{out}}$
q	c	(C1) and (C3) creates quantum input ${\rho }_{\mathcal{A}}^{\mathrm{i}\mathrm{n}}$,	(S1) and (S3) receives input states (arbitrary)	$\mathcal{K,C,Q}$
		performs a quantum one-time pad (e.g., line 6	from Alice
		in protocol 1) then transmits it to Bob
q	q	(C1)–(C3)	(S1)–(S3)	$\mathcal{K,C,Q,Q}2$

Protocol 1 admits the general case, i.e. $~{I}=I$ and $~{O}=O$. As shown in table 2, it has the highest requirement among all the cases. A few adjustments from protocol 1 are needed if $~{I}\subset I$ or $~{O}\subset O$.

Given an entirely classical input case $~{I}=\varnothing$, e.g. Alice's input is a binary string c = c₁ c₂...c_n , where c_i ∈ {0, 1}, lines 6–8 in protocol 1 turns into a single line:

$$\begin{equation*}``\mathrm{A}\mathrm{l}\mathrm{i}\mathrm{c}\mathrm{e}\enspace \mathrm{p}\mathrm{r}\mathrm{e}\mathrm{p}\mathrm{a}\mathrm{r}\mathrm{e}\mathrm{s}\hspace{2pt}\left\vert {+}_{{\alpha }_{i}},+,\pi ,{\mathrm{c}}_{i}\right\rangle '';\end{equation*}$$

recall that $Z\left\vert +\right\rangle =\left\vert {+}_{\pi }\right\rangle$. Since the quantum one-time pad is unnecessary, the random string t is omitted (or setting t_i = 0, ∀ i). Thus, requirements (C3) and (S3) vanish.

Now, when $~{O}=\varnothing$ (entirely classical output), measurements will be performed on all qubits i ∈ V and Bob does not need to prepare state $\left\vert +\right\rangle$ himself nor to send Alice the final outcome ${\rho }_{\mathcal{B}}^{\text{out}}$. The first removes requirement (C2), which replaces the loop in line 18 with

$$\begin{equation*}``\mathbf{f}\mathbf{o}\mathbf{r}\enspace i\in V\enspace \mathrm{w}\mathrm{h}\mathrm{i}\mathrm{c}\mathrm{h}\enspace \mathrm{f}\mathrm{o}\mathrm{l}\mathrm{l}\mathrm{o}\mathrm{w}\mathrm{s}\enspace \mathrm{p}\mathrm{a}\mathrm{r}\mathrm{t}\mathrm{i}\mathrm{a}\mathrm{l}\enspace \mathrm{o}\mathrm{r}\mathrm{d}\mathrm{e}\mathrm{r}\mathrm{i}\mathrm{n}\mathrm{g}\succ .''\end{equation*}$$

The latter eliminates requirement (S2), which removes line 16 and removes step entirely.

Therefore, the lowest quantum power demand occurs for the entirely classical input and output case, i.e. $~{I}=~{O}=\varnothing$, requiring only (C1) and (S1). We provide an explicit BOQC protocol for entirely classical input and output in protocol 3, appendix B.

The lazy 1WQC is a 1WQC-computation scheme that allows one to prepare parts of the graph state as needed such that the number of physical qubits is minimal. The lazy 1WQC scheme is shown in algorithm 1 with input

$$\begin{equation}\left\{({\mathcal{G}}^{{ >}},I,O),f,\phi ,{\rho }^{\mathrm{i}\mathrm{n}}\right\},\end{equation} \tag{ 13 }$$

where $({\mathcal{G}}^{{ >}},I,O)$ is an open graph with total ordering > that follows the flow f, ϕ is the set of measurement angles, and ρⁱⁿ is the state assigned to I. Note that to describe a lazy 1WQC, one needs an additional parameter, total ordering > , compared with the description of a 1WQC computation in equation (8). That is, the user must settle on a total ordering > beforehand. ²¹ Any two valid total orderings will result in the same computation and have same requirement on the number of physical qubits, but they might require different coherence time for the qubits, as we have illustrated on our work on the Grover algorithm [26].

Algorithm 1. Lazy 1WQC computation.

Input: $\left\{({\mathcal{G}}^{{ >}},I,O),f,\phi ,{\rho }^{\mathrm{i}\mathrm{n}}\right\}$
Output: $\mathcal{E}({\rho }^{\mathrm{i}\mathrm{n}})$	⊳ See theorem 3
Conventions:
(I) Partial order ≻ is induced by flow f.
(II) $z(i){:=}{\bigoplus}_{k{< }i,i\in {N}_{\mathcal{G}}(f(k))}{s}_{k}$, invf(i) ≡ f−1(i).
(III) sinvf(i) = 0 for all i ∈ I.
1: Assign ρin to the input nodes I.
2: for i ∈ V with ordering > do
3:      for k ∈ A(i) do	⊳ See equation (14)
4:           assign state $\left\vert +\right\rangle$ to node k
5:      end for
6:      Apply entangling operations ${E}_{i{N}_{\mathcal{G}}(i)}^{{ >}}$.
7:      if i ∈ Oc then
8:           ${\phi }_{i}^{\prime }{:=}{(-1)}^{{s}_{invf(i)}}{\phi }_{i}+z(i)\pi$
9:           Measure i in basis $\left\vert {{\pm}}_{{\phi }_{i}^{\prime }}\right\rangle$ and obtain measurement outcome si .
10:      else
11:           Correct output i applying ${X}_{i}^{{s}_{invf(i)}}{Z}_{i}^{z(i)}$.
12:      end if
13: end for

Algorithm 1 shows the general case, where the input and output are quantum. ²² If the input is classical, one can trivially encode as a quantum state ρⁱⁿ implemented as the following. Given the input state as a bit string c, one can implement by setting the input nodes as $\left\vert {+}_{{c}_{i}\pi }\right\rangle$ for all i ∈ I. If the output is classical, all nodes in O will be measured, i.e. the loop in line 2 is replaced with

$$\begin{equation*}\mathbf{f}\mathbf{o}\mathbf{r}\enspace i\in V\enspace \text{withordering}{ >}\mathbf{d}\mathbf{o},\end{equation*}$$

and the algorithm is terminated after line 13. Consider example 2 to illustrate running a lazy 1WQC computation.

Example 2. Given a computation $\left\{({\mathcal{G}}^{{ >}},I,O),f,\phi ,{\rho }^{\mathrm{i}\mathrm{n}}\right\}$, where $\mathcal{G}=(V,E)$ for V = {1, 2, 3, 4, 5, 6, 7} and E = {(1, 3), (2, 3), (2, 4), (4, 6), (4, 5), (3, 5), (3, 7)}; state ρⁱⁿ is assigned to input nodes I = {1, 2}, output nodes O = {5, 6, 7}, and quantum inputs–outputs are expected. Running this computation in the lazy 1WQC scheme is illustrated in figure 3.

The allocation of fresh physical qubits, which corresponds to grey nodes in example 2, occurs in algorithm 1 in lines 3–5; these qubits are then initialized with state $\left\vert +\right\rangle$. We denote such a set of nodes as

$$\begin{equation}A(i){:=}{N}_{\mathcal{G}}[i]{\backslash}(I{\cup }_{j{< }i}{N}_{\mathcal{G}}[j]),\end{equation} \tag{ 14 }$$

which is a closed neighborhood, excluding the ones that have been assigned before. We assume that the input nodes i ∈ I are assigned with the desired quantum input ρⁱⁿ before the scheme starts. As it is obvious that A(i) ⊆ V, the lazy 1WQC scheme does not construct the whole graph state at once. ²³

In the following, we establish the correctness of the lazy 1WQC. That is, we show that it results in the same computation as the standard 1WQC scheme. Then we derive bounds on the number of physical qubits needed.

First, note that we can write the resulting pattern of algorithm 1 by consecutively placing the initialization, entanglement, Pauli-correction, and measurement commands:

where $z(i){:=}{\oplus }_{k{< }i,i\in {N}_{\mathcal{G}}(f(k))}{s}_{k}$ and invf(i) = 0 for all i ∈ I. Note that the specification of Pauli operators before measurement follows equation (5).

Theorem 3 formally states the correctness of the lazy 1WQC, with the help of lemmas 1 to 3. The proof of each lemma is available in appendix A.

Zoom In Zoom Out Reset image size

Lemma 2. [5] Suppose the open graph state $({\mathcal{G}}^{{ >}},I,O)$ has flow (f, ≻) and a proper total order >, then A(i) contains at least f(i) for all i ∈ O^c and A(i) ∩ A(j) = ∅ for all i ≠ j.

Lemma 3. [5] Suppose the open graph state $({\mathcal{G}}^{{ >}},I,O)$ has flow (f, ≻) and a proper total order >, then ∪_i∈V A(i) = I^c.

Lemma 4. [5] Suppose an open graph state $({\mathcal{G}}^{{ >}},I,O)$ has flow (f, ≻) and a proper total order >, then ${\prod }_{i\in V}{E}_{i{N}_{\mathcal{G}}(i)}^{{ >}}={E}_{\mathcal{G}}$, where ${E}_{i{N}_{\mathcal{G}}(i)}^{{ >}}{:=}{\prod }_{k\in {N}_{\mathcal{G}}(i),k{ >}i}{E}_{ik}$.

Lemma 2 shows that in every time-step, one must assign at least one fresh qubit. Followed by lemma 3 which shows that every non-input qubit is assigned once. Lemma 4 proves that we recover the whole graph. Note that, these lemmas (lemmas 2 and 3) consider the general case—quantum input and output—in which the input nodes are initialized beforehand. Finally, we prove the correctness of lazy 1WQC in the following theorem.

Theorem 3. [5] The lazy 1WQC scheme and the 1WQC scheme implement the same map, they produce the same output for the same input.

Proof. The following proof is similar to the one in [5]. Let $\left\{({\mathcal{G}}^{{ >}},I,O),f,\phi ,{\rho }^{\mathrm{i}\mathrm{n}}\right\}{:=}\mathcal{I}$ be the input of the lazy scheme (algorithm 1), where > is consistent with the flow (f, ≻), i.e. the flow of the open graph $(\mathcal{G},I,O)$. Since > is consistent with ≻, $\mathcal{I}$ is a valid input of the 1WQC scheme.

One can prove the map equality by comparing the patterns, e.g. we will show that ${\mathfrak{P}}_{1\text{wqc}}$ in equation (9) can be reduced to pattern ${\mathfrak{P}}_{\text{lazy}}$ in equation (15). Using previous results, we have

Note that in the third equality, the partial ordering ≻ is replaced with the total ordering >; this is valid since > is consistent with ≻.

Now we need to commute the entangling and preparation operators such that they are distributed according to the lazy scheme. First, consider any two nodes i and k, where i, k ∈ O^c and i < k. The preparation and entangling operators are commuting, i.e.

$$\begin{equation}{E}_{k{N}_{\mathcal{G}}(k)}^{{ >}}{E}_{i{N}_{\mathcal{G}}(i)}^{{ >}}{N}_{A(k)}^{0}{N}_{A(i)}^{0}={E}_{k{N}_{\mathcal{G}}(k)}^{{ >}}{N}_{A(k)}^{0}{E}_{i{N}_{\mathcal{G}}(i)}^{{ >}}{N}_{A(i)}^{0}.\end{equation} \tag{ 20 }$$

However, we need to check if the condition of causality holds: there is no entanglement operation involving qubits that are already measured or not yet created. Denote the set of edges $e(i){:=}\left\{(i,k)\vert k\in {N}_{\mathcal{G}}(i),k{ >}i\right\}$, i.e. edges that correspond to entangling operations ${E}_{i{N}_{\mathcal{G}}(i)}^{{ >}}$. By definition, set e(i) does not contain any node that has already been measured, namely any k < i. The nodes that correspond to edges e(i) are

$$\begin{equation}\left\{k\in {N}_{\mathcal{G}}[i]\vert k{ >}i\right\}=\hspace{-2pt}:\hspace{2pt}n(i).\end{equation} \tag{ 21 }$$

By definition, A(i) contains all nodes in ${N}_{\mathcal{G}}[i]$ minus the ones that have already been created $I{\cup }_{k{< }i}{N}_{\mathcal{G}}[k]$, thus ∀  x ∈ e(i), x ∈ {(i, j)|j ∈ ∪_j⩽i A(j)}, which means every qubit connected by an edge in e(i) is already initialized. Thus, there is no entanglement involving a qubit that has not yet been created. Therefore, equation (20) is causal.

Considering the measurement operator and the Pauli corrections, we need to commute the entangling operation through them, namely

$$\begin{equation}{M}_{i}^{\phi }{X}_{i}{Z}_{i}{E}_{k{N}_{\mathcal{G}}(k)}^{{ >}}{N}_{A(k)}^{0}{E}_{i{N}_{\mathcal{G}}(i)}^{{ >}}{N}_{A(i)}^{0}={E}_{k{N}_{\mathcal{G}}(k)}^{{ >}}{N}_{A(k)}^{0}{M}_{i}^{\phi }{X}_{i}{Z}_{i}{E}_{i{N}_{\mathcal{G}}(i)}^{{ >}}{N}_{A(i)}^{0},\end{equation} \tag{ 22 }$$

which is true if and only if i ∉ n(k). By definition of n(k) (see equation (21)), i < k, thus, i ∉ n(k). Thus, we can distribute the entangling and preparation operators in equation (16) with respect to the ordering > and obtain

□

Since the minimal number of physical qubits is the pivot in the lazy 1WQC, it is natural to ask for a bound on the number of physical qubits for an arbitrary 1WQC computation. We provide conjecture 1 to immediately suggest an answer. The intuition behind conjecture 1 stems from a property of a graph with flow; namely, the number of nodes per layer cannot shrink. It is due to non-colliding correction nodes: two distinct nodes i, j cannot have the same X-correction node, f(i) ≠ f(j); otherwise, it violates the flow criteria (equation (7)).

Conjecture 1. The number of physical qubits required to run lazy 1WQC in algorithm 1, regardless the input and output type—whether classical or quantum—is bounded by |O| + 1.

Executing a 1WQC computation within the lazy scheme reduces the number of physical qubits vastly, bounded to |O| + 1 per conjecture 1. Here we integrate the lazy 1WQC paradigm into BOQC, producing a protocol that we call BOQCo (BOQC-optimized). BOQCo allows the server to prepare the graph state as needed, employing the minimal number of physical qubits while maintaining the blindness of the multi-party scheme. ²⁴

The BOQCo protocol is shown in protocol 2; in AC language, we address it as ${\pi }_{\text{boqco}}=\left\{{\pi }_{\mathcal{A}},{\pi }_{\mathcal{B}},{\pi }_{\mathcal{O}}\right\}$. The scheme employs a strategy identical to BOQC to provide blindness; it is apparent from the introduced randomness: r, t, α, β. The distinguishing feature of BOQCo lies in the distribution of the computation, which follows the lazy 1WQC.

Protocol 2. BOQCo (${\pi }_{\text{boqco}}=\left\{{\pi }_{\mathcal{A}},{\pi }_{\mathcal{B}},{\pi }_{\mathcal{O}}\right\}$).

Alice's input: $\left\{(\mathcal{G},I,O),f,\phi ,{\rho }_{\mathcal{A}}^{\mathrm{i}\mathrm{n}}\right\}$⊳ $~{I}=I$ and $~{O}=O$
Oscar's input: {ψ}
Alice's output for an honest Bob: ${\rho }_{\mathcal{A}}^{\text{out}}=\mathcal{E}({\rho }_{\mathcal{A}}^{\mathrm{i}\mathrm{n}})$
Assumptions and conventions:
(I) Alice ($\mathcal{A}$) and Oscar ($\mathcal{O}$) have performed pre-protocol steps in definition 3;	Bob knows $\left\{(\mathcal{G},~{I},~{O}),{V}_{\mathcal{A}},{V}_{\mathcal{O}},\succ ,{ >},b\right\}$. Here, we set
$~{I}=I$ and $~{O}=O$. Recall $~{O}\cap {V}_{\mathcal{O}}=\varnothing$
(quantum outputs are held by Alice) and ${\Omega}={\left\{\frac{\pi k}{{2}^{b-1}}\right\}}_{0{\leqslant}k{< }{2}^{b}}$.
(II) sinvf(i) = 0, ∀ i ∈ I and ti = 0, ∀ i ∈ Ic.
(III) invf(i) ≡ f−1(i), $z(i){:=}{\bigoplus}_{k\prec i,i\in {N}_{\mathcal{G}}(f(k))}{s}_{k}$, and $t(i){:=}{\bigoplus}_{k\in I,i\in {N}_{\mathcal{G}}(k)}{t}_{k}$.
Pre-preparation
1: Alice and Oscar receive keys r, t via a secure key channel, where ri ∈ {0, 1}, i ∈ Oc and	tj ∈ {0, 1}, j ∈ I.
BOQC by parts
2: for i ∈ V with ordering > do
3:      for k ∈ A(i) ∪ I do⊳ Equation (14), section 2.1
4:           if k ∈ I then⊳ Input qubit
5:                Alice applies ${Z}_{k}({\alpha }_{k}){X}_{k}^{{t}_{k}}$ to ${\mathrm{t}\mathrm{r}}_{I{\backslash}k}[{\rho }_{\mathcal{A}}^{\mathrm{i}\mathrm{n}}]$ and sends it to Bob,
αk ∈ Ω is chosen at random.
6:                Alice updates angles:
$$\begin{align*}{\phi }_{k}& ={(-1)}^{{t}_{k}}{\phi }_{k}\\ {\phi }_{j}& ={\phi }_{j}+{t}_{k}\pi ,\enspace \forall \enspace j\in {N}_{\mathcal{G}}(k)\cap {V}_{\mathcal{A}}.\end{align*}$$
7:                Oscar updates angles: ${\psi }_{j}={\psi }_{j}+{t}_{k}\pi ,\enspace \forall \enspace j\in {N}_{\mathcal{G}}(k)\cap {V}_{\mathcal{O}}$.
8:           else if k ∈ O then⊳ Output qubit
9:                Bob prepares ${\left\vert +\right\rangle }_{k}$.
10:           else⊳ Auxiliary qubit
11:                if $k\in {V}_{\mathcal{A}}$ then
12:                    Alice prepares ${\left\vert {+}_{{\alpha }_{k}}\right\rangle }_{k}$, sends it to Bob, αk ∈ Ω is chosen at random.
13:                else if $k\in {V}_{\mathcal{O}}$ then
14:                    Oscar prepares ${\left\vert {+}_{{\beta }_{k}}\right\rangle }_{k}$ and send it to Bob, βk ∈ Ω is chosen at random.
15:                end if
16:           end if
17:      end for
18:      Bob applies entangling operations ${E}_{i{N}_{\mathcal{G}}(i)}^{{ >}}$.⊳ Equation (4), section 2.1
19:      if i ∈ Oc then
20:           if $i\in {V}_{\mathcal{A}}$ then
21:                Alice computes ${\phi }_{i}^{\prime }={(-1)}^{{s}_{invf(i)}}{\phi }_{i}+z(i)\pi$.
22:                Alice computes ${\delta }_{i}{:=}{\phi }_{i}^{\prime }+\pi {r}_{i}+{\alpha }_{i}$ and sends Bob δi .
23:                Bob measures i in $\left\vert {{\pm}}_{{\delta }_{i}}\right\rangle$ basis, sends Alice and Oscar the outcome ${~{s}}_{i}$.
24:                Alice and Oscar set ${s}_{i}={~{s}}_{i}\oplus {r}_{i}$.
25:           else if $i\in {V}_{\mathcal{O}}$ then
26:                Oscar computes ${\psi }_{i}^{\prime }={(-1)}^{{s}_{invf(i)}}{\psi }_{i}+z(i)\pi$.
27:                Oscar computes ${\delta }_{i}{:=}{\psi }_{i}^{\prime }+\pi {r}_{i}+{\beta }_{i}$ and sends Bob δi .
28:           end if
29:      else⊳ Output qubit transmissions and corrections
30:           Bob sends Alice qubit i.
31:           Alice corrects qubit i by applying ${X}_{i}^{{s}_{invf(i)}+{t}_{i}}{Z}_{i}^{z(i)+t(i)}$.
32:      end if
33: end for

Protocol 3. BOQC with classical input–output.

Alice's input: $\left\{(\mathcal{G},I,O),f,\phi ,c={c}_{1}{c}_{2},\dots ,{c}_{n}\right\}$	⊳ $~{I}=~{O}=\varnothing ,{\rho }_{\mathcal{A}}^{\mathrm{i}\mathrm{n}}={\prod }_{i=1}^{n}\left\vert {c}_{i}\right\rangle \left\langle {c}_{i}\right\vert$
Oscar's input: {ψ}
Alice's output for an honest Bob: ${\rho }_{\mathcal{A}}^{\text{out}}=\mathcal{E}({\rho }_{\mathcal{A}}^{\mathrm{i}\mathrm{n}})$	⊳ ${\rho }_{\mathcal{A}}^{\text{out}}$ is a diagonal matrix
Assumptions and conventions:
(I) Alice ($\mathcal{A}$) and Oscar ($\mathcal{O}$) have performed pre-protocol steps in definition 3;	Bob knows $\left\{(\mathcal{G},~{I},~{O}),{V}_{\mathcal{A}},{V}_{\mathcal{O}},\succ ,{ >},b\right\}$. Here, we set
$~{I}=~{O}=\varnothing$, and recall ${\Omega}={\left\{\frac{\pi k}{{2}^{b-1}}\right\}}_{0{\leqslant}k{< }{2}^{b}}$.
(II) sinvf(i) = 0, ∀ i ∈ I.
(III) invf(i) ≡ f−1(i) and $z(i){:=}{\oplus }_{k\prec i,i\in {N}_{\mathcal{G}}(f(k))}{s}_{k}$.
Pre-preparation
1: Alice and Oscar receive a key r via a secure key channel, where ri ∈ {0, 1}, for i ∈ Oc.
State preparation
2: for i ∈ V which follows partial ordering ≻ do
3:      if $i\in {V}_{\mathcal{A}}$ then
4:           if i ∈ I and explicit input then
5:                Alice prepares ${\left\vert {+}_{{\alpha }_{i}+{c}_{i}\pi }\right\rangle }_{i}$ and sends it to Bob; αi ∈ Ω is chosen at random.
6:           else
7:                Alice prepares ${\left\vert {+}_{{\alpha }_{i}}\right\rangle }_{i}$ and sends it to Bob, where αi ∈ Ω is chosen at random
8:           end if
9:      else if $i\in {V}_{\mathcal{O}}$ then
10:           Oscar prepares ${\left\vert {+}_{{\beta }_{i}}\right\rangle }_{i}$ and sends it to Bob; βi ∈ Ω is chosen at random.
11:      end if
12: end for
Graph state formation
13: Bob applies entangling operator ${E}_{\mathcal{G}}$ defined in equation (4).
Classical interaction and measurement
14: for i ∈ V which follows partial ordering ≻ do	⊳ e.g., it follows >
15:      if $i\in {V}_{\mathcal{A}}$ then
16:           Alice computes ${\phi }_{i}^{\prime }={(-1)}^{{s}_{invf(i)}}{\phi }_{i}+z(i)\pi$.
17:           Alice computes ${\delta }_{i}{:=}{\phi }_{i}^{\prime }+\pi {r}_{i}+{\alpha }_{i}$, and sends Bob δi .
18:      else if $i\in {V}_{\mathcal{O}}$ then
19:           Oscar computes ${\psi }_{i}^{\prime }={(-1)}^{{s}_{invf(i)}}{\psi }_{i}+z(i)\pi$.
20:           Oscar computes ${\delta }_{i}{:=}{\psi }_{i}^{\prime }+\pi {r}_{i}+{\beta }_{i}$, and sends Bob δi .
21:      end if
22:      Bob measures qubit i in basis $\left\vert {{\pm}}_{{\delta }_{i}}\right\rangle$, then sends Alice and Oscar the outcome ${~{s}}_{i}$.
23:      Alice and Oscar set ${s}_{i}={~{s}}_{i}\oplus {r}_{i}$.
24: end for

Protocol 4. BOQCo with classical input–output.

Alice's input: $\left\{(\mathcal{G},I,O),f,\phi ,c={c}_{1}{c}_{2},\dots ,{c}_{n}\right\}$	⊳ $~{I}=~{O}=\varnothing ,{\rho }_{\mathcal{A}}^{\mathrm{i}\mathrm{n}}={\prod }_{i=1}^{n}\left\vert {c}_{i}\right\rangle \left\langle {c}_{i}\right\vert$
Oscar's input: {ψ}
Alice's output for an honest Bob: ${\rho }_{\mathcal{A}}^{\text{out}}=\mathcal{E}({\rho }_{\mathcal{A}}^{\mathrm{i}\mathrm{n}})$	⊳ ${\rho }_{\mathcal{A}}^{\text{out}}$ is a diagonal matrix
Assumptions and conventions:
(I) Alice ($\mathcal{A}$) and Oscar ($\mathcal{O}$) have performed pre-protocol steps in definition 3; Bob knows	$\left\{(\mathcal{G},~{I},~{O}),{V}_{\mathcal{A}},{V}_{\mathcal{O}},\succ ,{ >},b\right\}$. Here, we set
$~{I}=~{O}=\varnothing$, and recall ${\Omega}={\left\{\frac{\pi k}{{2}^{b-1}}\right\}}_{0{\leqslant}k{< }{2}^{b}}$.
(II) sinvf(i) = 0, ∀ i ∈ I.
(III) invf(i) ≡ f−1(i) and $z(i){:=}{\oplus }_{k\prec i,i\in {N}_{\mathcal{G}}(f(k))}{s}_{k}$.
Pre-preparation
1: Alice and Oscar receive a key r via a secure key channel, where ri ∈ {0, 1}, for i ∈ Oc.
BOQC by parts
2: for i ∈ V with ordering > do
3:      for k ∈ A(i) ∪ I do	⊳ See equation (14) in section 2.1
4:           if k ∈ I and classical input then	⊳ Input qubit
5:                Alice prepares ${\left\vert {+}_{{\alpha }_{k}+{c}_{k}\pi }\right\rangle }_{k}$ and sends it to Bob; αk ∈ Ω is chosen at random.
6:           else	⊳ Auxiliary qubit
7:                if $k\in {V}_{\mathcal{A}}$ then
8:                    Alice prepares ${\left\vert {+}_{{\alpha }_{k}}\right\rangle }_{k}$ and sends it to Bob, αk ∈ Ω is chosen at random.
9:                else if $k\in {V}_{\mathcal{O}}$ then
10:                    Oscar prepares ${\left\vert {+}_{{\beta }_{k}}\right\rangle }_{k}$ and send it to Bob, βk ∈ Ω is chosen at random.
11:                end if
12:           end if
13:      end for
14:      Bob applies entangling operation ${E}_{i{N}_{\mathcal{G}}(i)}^{{ >}}$.	⊳ See equation (4) in section 2.1
15:      if $i\in {V}_{\mathcal{A}}$ then
16:           Alice computes ${\phi }_{i}^{\prime }={(-1)}^{{s}_{invf(i)}}{\phi }_{i}+z(i)\pi$.
17:           Alice computes ${\delta }_{i}{:=}{\phi }_{i}^{\prime }+\pi {r}_{i}+{\alpha }_{i}$ and sends Bob δi .
18:      else if $i\in {V}_{\mathcal{O}}$ then
19:           Oscar computes ${\psi }_{i}^{\prime }={(-1)}^{{s}_{invf(i)}}{\psi }_{i}+z(i)\pi$.
20:           Oscar computes ${\delta }_{i}{:=}{\psi }_{i}^{\prime }+\pi {r}_{i}+{\beta }_{i}$ and sends Bob δi .
21:      end if
22:      Bob measures i in $\left\vert {{\pm}}_{{\delta }_{i}}\right\rangle$ basis, then sends Alice and Oscar the outcome ${~{s}}_{i}$.
23:      Alice and Oscar set ${s}_{i}={~{s}}_{i}\oplus {r}_{i}$.
24: end for

In the BOQCo, we divide the process into three main steps: pre-preparation that is identical to BOQC, computation part by part, which is BOQC (excluding pre-preparation) done one part at a time, and output transmission and correction that is also identical to BOQC. The input and output of the BOQCo protocol is identical to the BOQC, i.e. it receives input from Alice as $\left\{(\mathcal{G},I,O),f,\phi ,{\rho }_{\mathcal{A}}^{\mathrm{i}\mathrm{n}}\right\}$ and input from Oscar as ψ.

We define the correctness of a BOQCo computation as if it is run in the 1WQC scheme. Formally, we state the correctness in theorem 4, where the proof is provided in appendix A.

Theorem 4. [5] The BOQCo protocol π_boqco defined in protocol 2 delegates a computation with the isometry defined in theorem 1 for the same computation, without requiring Alice and Oscar to communicate their computation to each other.

In terms of quantum power between clients and servers, BOQCo has requirements identical to those of BOQC as discussed in section 3.3. This is because BOQC and BOQCo differ only in the ordering among qubit transmissions, entanglements, and measurements.

We use definition 1 to state the correctness—also known as completeness—of BOQC and BOQCo protocols. Here, we prove that both protocols are perfectly correct (ɛ = 0) and realize an ideal resource $\mathcal{S}$, denoted as $\mathcal{R}{\pi }_{\text{boqc}},0{\to }\mathcal{S}$ and $\mathcal{R}{\pi }_{\text{boqco}},0{\to }\mathcal{S}$, where $\mathcal{R}$ is the real-world resource connected to the protocols and $\mathcal{S}$ is defined in figure 4. In both protocols, resource $\mathcal{R}$ comprises a secure key channel, quantum channels, and insecure classical channels.

Zoom In Zoom Out Reset image size

The ideal resource $\mathcal{S}$ describes the BOQC system in the ideal world when Bob is honest. Resource $\mathcal{S}$ has an identical description of inputs and outputs with the BOQC protocol in protocol 1. Resource $\mathcal{S}$ also describes the BOQCo system in the ideal world. It also has an identical configuration of inputs and outputs with protocol 2. The leaked information ${\ell }^{\mathcal{AO}}$ is not apparent in the protocols (protocols 1 and 2); however this leakage is revealed in the proofs of the correctness theorems: theorem 5 for the BOQC and theorem 6 for the BOQCo.

Theorem 5. [5] The BOQC protocol ${\pi }_{\text{boqc}}=({\pi }_{\mathcal{A}},{\pi }_{\mathcal{O}},{\pi }_{\mathcal{B}})$ defined in protocol 1 is perfectly correct and emulates the ideal resource $\mathcal{S}$ defined in figure 4.

Proof. The following proof is similar to the one in [5]. Protocol π_boqc is correct if it satisfies definition 1: $d({\pi }_{\mathcal{A}}{\pi }_{\mathcal{O}}\mathcal{R}{\pi }_{\mathcal{B}},\mathcal{S})=0$, i.e. resources ${\pi }_{\mathcal{A}}{\pi }_{\mathcal{O}}\mathcal{R}{\pi }_{\mathcal{B}}$ and $\mathcal{S}$ must be perfectly indistinguishable, where d is a pseudo-metric with properties discussed in section 2.2. Which means, we show that the distinguishing advantage (defined in equation (10)) is zero. For that, we show that both resources have the same—or statistically the same—inputs and outputs.

First, we show that π_boqc and $\mathcal{S}$ have an identical description of inputs. As shown in protocol 1, the protocol receives inputs $\left\{(\mathcal{G},I,O),f,\phi ,{\rho }_{\mathcal{A}}^{\mathrm{i}\mathrm{n}}\right\}$ from Alice, ψ from Oscar, and no honest input from Bob. These inputs are identical to the inputs of $\mathcal{S}$.

Second, $\mathcal{S}$ sends an output ${\rho }_{\mathcal{A}}^{\text{out}}=\mathcal{E}({\rho }_{\mathcal{A}}^{\mathrm{i}\mathrm{n}})$, where $\mathcal{E}$ is the superoperator with an isometry given in theorem 1; using theorem 2, BOQC also implements that isometry.

Finally we show that BOQC leaks the same information as $\mathcal{S}$, which is ${\ell }^{\mathcal{AO}}$. Bob receives information $\left\{(\mathcal{G},~{I},~{O}),{V}_{\mathcal{A}},{V}_{\mathcal{O}},\succ ,{ >},b\right\}$ in the protocol, which is public information obtained from the pre-protocol steps defined in definition 3 before the protocol starts. The public information is identical to leak ${\ell }^{\mathcal{AO}}$. Bob is not curious in this setting, thus there is no additional information obtained beyond ${\ell }^{\mathcal{AO}}$. □

We note here that Bob does not erase the received information, as it is required to run the protocol and to provide the bill for his clients. ²⁶

The resource $\mathcal{S}$ models a general case in which Alice expects quantum input and quantum output, i.e. $~{I}=I$ and $~{O}=O$. If Alice needs only classical outputs, Bob will measure all output nodes O and her output density matrix ${\rho }_{\mathcal{A}}^{\text{out}}$ has diagonal form in the security model $\mathcal{S}$. The same applies to the classical input, e.g. for a bit string c = c_n , ..., c₂ c₁, we set ${\rho }_{\mathcal{A}}^{\mathrm{i}\mathrm{n}}={\bigotimes}_{i=1}^{n}\left\vert {c}_{i}\right\rangle \left\langle {c}_{i}\right\vert$ in the security model. Note that, per definition 3, Bob knows beforehand the input–output type, which is captured in the leaked information $~{I}$ and $~{O}$. For instance, Bob knows the input is entirely classical if $~{I}=\varnothing$. Such information is necessary for Bob to prepare his channel.

As the counterpart of theorem 5, we prove the correctness of BOQCo protocol in theorem 6:

Theorem 6. [5] The BOQCo protocol ${\pi }_{\text{boqco}}=({\pi }_{\mathcal{A}},{\pi }_{\mathcal{O}},{\pi }_{\mathcal{B}})$, defined in protocol 2 is perfectly correct, and emulates ideal resource $\mathcal{S}$ defined in figure 4.

Proof. The following proof is similar to the one in [5]. Using definition 1, correctness is achieved when $d({\pi }_{\mathcal{A}}{\pi }_{\mathcal{O}}\mathcal{R}{\pi }_{\mathcal{B}},\mathcal{S})=0$. We prove this condition by reducing BOQCo to BOQC.

First, protocol 2 (BOQCo) has the same inputs as protocol 1 (BOQC). Applying theorem 4, BOQCo also results in the same computation as BOQC, thus, the same output. Secondly, BOQCo and BOQC differ only in the ordering among transmissions, entanglements, and measurements; thus, there is no additional leak introduced beyond ${\ell }^{\mathcal{AO}}$ (figure 4). In terms of correctness, BOQCo is reducible to BOQC. Finally, since BOQC is perfectly correct within the composable definitions, BOQCo is also perfectly correct within the composable definitions. □

It remains to provide the security—also known as soundness—statement for BOQC and BOQCo protocols to achieve a composable secure definition. The security that is aimed for is perfect blindness, meaning the adversary (Bob) can learn nothing about the computation or the measurement outcomes. The same principles used for proving correctness apply also to prove blindness. We set the security model in the ideal world that captures the desired blindness, and then prove that our protocols that live in the real world are indistinguishable to the ideal-world model. However, while the correctness captures the system when everyone is honest, the blindness captures the situation when in the presence of an adversary, i.e. when Bob cheats.

In the presence of an adversary, our protocols realize the ideal resource ${\mathcal{S}}^{\prime }$ that is defined in figure 5. Resource ${\mathcal{S}}^{\prime }$ models the ideal system in the ideal world when Bob is malicious. On the clients' side, ${\mathcal{S}}^{\prime }$ has the same input and output configuration as $\mathcal{S}$; however, in resource ${\mathcal{S}}^{\prime }$, Bob provides dishonest inputs as he wishes, which is captured in . Nevertheless, both resources $\mathcal{S}$ and ${\mathcal{S}}^{\prime }$ leak the same information ${\ell }^{\mathcal{AO}}$.

Zoom In Zoom Out Reset image size

Given that $\mathcal{R}$ is the real-world resource used in our protocols, we need to achieve statements $\mathcal{R}{\pi }_{\text{boqc}},0{\to }{\mathcal{S}}^{\prime }$ and $\mathcal{R}{\pi }_{\text{boqco}},0{\to }{\mathcal{S}}^{\prime }$ where ɛ = 0 signifies perfect blindness. To prove that, we must satisfy definition 2, i.e. there exists a simulator ${\sigma }_{\mathcal{B}}$, such that $d({\pi }_{\mathcal{A}}{\pi }_{\mathcal{O}}\mathcal{R},{\mathcal{S}}^{\prime }{\sigma }_{\mathcal{B}})=0$. Recall that a simulator ${\sigma }_{\mathcal{B}}$ is needed to make ${\mathcal{S}}^{\prime }$ and ${\pi }_{\mathcal{A}}{\pi }_{\mathcal{O}}\mathcal{R}$ become comparable, i.e. ${\pi }_{\mathcal{A}}{\pi }_{\mathcal{O}}\mathcal{R}$ has more inputs and outputs than ${\mathcal{S}}^{\prime }$. See the proof of theorem 7 for explicit details. Theorem 7 provides the security statement of the BOQC protocol, whose relaxation ${\mathcal{S}}^{\prime }{\sigma }_{\mathcal{B}}$ is defined in protocol 5 and in appendix B.

Protocol 5. [5] A relaxation ${\mathcal{S}}^{\prime }{\sigma }_{\mathcal{B}}$.

Conventions:

(I) given public information $\left\{(\mathcal{G},~{I},~{O}),{V}_{\mathcal{A}},{V}_{\mathcal{O}},\succ ,{ >},b\right\}$, where $~{I}=I$, $~{O}=O$, $\mathcal{G}=(V,E)$, $V={V}_{\mathcal{A}}\cup {V}_{\mathcal{O}}$, and ${\Omega}={\left\{\frac{\pi k}{{2}^{b-1}}\right\}}_{0{\leqslant}k{< }{2}^{b}}$.

(II) ${s}_{invf(i)}=0,{\underline{s}}_{ invf(i)}=0$ for all i ∈ I and ti = 0 for all i ∈ Ic.

(III) invf(i) ≡ f−1(i), $z(i){:=}{\bigoplus}_{k{< }i,i\in {N}_{\mathcal{G}}(f(k))}{s}_{k}$, $\underline{z}(i){:=}{\bigoplus}_{k{< }i,i\in {N}_{\mathcal{G}}(f(k))}{\underline{s}}_{k}$, and $t(i){:=}{\sum }_{k\in I,i\in {N}_{\mathcal{G}}(k)}{t}_{k}$.

(IV) Measurements are performed in the computational basis.

The simulator ${\sigma }_{\mathcal{B}}$

1: Prepares an EPR pair $(\left\vert 00\right\rangle +\left\vert 11\right\rangle )/\sqrt{2}$ for every node i ∈ Oc and outputs its half.

2: Picks random angles {δi ∈Ω|i ∈ Oc} =:δ and outputs it.

3: Receives responses $\left\{{~{s}}_{i}\in \left\{0,1\right\}\vert i\in {O}^{\mathrm{c}}\cap {V}_{\mathcal{A}}\right\}=\hspace{-2pt}:\enspace ~{s}$ and $\left\{{\underline{~{s}}}_{i}\in \left\{0,1\right\}\vert i\in {O}^{\mathrm{c}}\cap {V}_{\mathcal{O}}\right\}=\hspace{-2pt}:\hspace{2pt}\underline{~{s}}$.

4: Receives the corresponding output qubits ${\rho }_{\mathcal{B}}^{\text{out}}$ (all qubits i ∈ O).

5: Sends ${\mathcal{S}}^{\prime }$ the other halves of EPR pairs ($\left\{\right.\mathrm{h}\mathrm{a}\mathrm{l}\mathrm{f}-\mathrm{E}\mathrm{P}\mathrm{R}-i\vert i\in {O}^{\mathrm{c}}\left.\right\}=\hspace{-2pt}:\hspace{2pt}$EPRs), $\delta ,~{s},~{\underline{s}}$, and ${\rho }_{\mathcal{B}}^{\text{out}}$.

The ideal BOQC resource ${\mathcal{S}}^{\prime }$

6: Receives $\left\{(\mathcal{G},I,O),f,{\rho }_{\mathcal{A}}^{\mathrm{i}\mathrm{n}},\phi \right\}$ at Alice's interface and ψ at Oscar's interface, and information from step 5—EPRs, $\delta ,~{s},~{\underline{s}}$, and ${\rho }_{\mathcal{B}}^{\text{out}}$.

7: Applies CNOT gates between ${\mathrm{t}\mathrm{r}}_{I{\backslash}i}[{\rho }_{\mathcal{A}}^{\mathrm{i}\mathrm{n}}]$ (as control) and half-EPR-i, for all i ∈ I, then measures the half-EPR, stores the outcome as ti ,

and updates measurement angles:

$\begin{gathered}\forall \enspace i\in I,{\phi }_{i}={(-1)}^{{t}_{i}}{\phi }_{i},\\ \forall \enspace i\in I,\enspace \forall \enspace j\in {N}_{\mathcal{G}}(i)\cap {V}_{\mathcal{A}},{\phi }_{j}={\phi }_{j}+{t}_{i}\pi \\ \forall \enspace i\in I,\forall \enspace j\in {N}_{\mathcal{G}}(i)\cap {V}_{\mathcal{O}},{\psi }_{j}={\psi }_{j}+{t}_{i}\pi .\end{gathered}$

8: for i ∈ Oc which follows ordering > do

9:      if $i\in {V}_{\mathcal{A}}$ then

10:           Computes ${\phi }_{i}^{\prime }={(-1)}^{{s}_{invf(i)}}{\phi }_{i}+z(i)\pi$.

11:           Computes ${\theta }_{i}^{\prime }={\delta }_{i}-{\phi }_{i}^{\prime }$.

12:      else if $i\in {V}_{\mathcal{O}}$ then

13:           Computes ${\psi }_{i}^{\prime }={(-1)}^{{\underline{s}}_{ invf(i)}}{\psi }_{i}+\underline{z}(i)\pi$.

14:           Computes ${\theta }_{i}^{\prime }={\delta }_{i}-{\psi }_{i}^{\prime }$.

15:      end if

16:      if i ∈ I then

17:           Applies HZi (θi ) to an input qubit ${\mathrm{t}\mathrm{r}}_{I{\backslash}i}[{\rho }_{\mathcal{A}}^{\mathrm{i}\mathrm{n}}]$ followed by measurement.

18:      else

19:           Applies HZi (θi ) to the half-EPR-i followed by measurement

20:      end if

21:      Stores the measurement outcome as ri and sets ${s}_{i}={~{s}}_{i}\oplus {r}_{i}$ and ${\underline{s}}_{i}={~{\underline{s}}}_{i}\oplus {r}_{i}$.

22: end for

23: Corrects the output $P({\rho }_{\mathcal{B}}^{\text{out}})=\hspace{-2pt}:{\rho }_{\mathcal{A}}^{\text{out}}$, where $P\equiv {\bigotimes}_{i\in O}{X}_{i}^{{s}_{invf(i)}+{t}_{i}}{Z}_{i}^{z(i)+t(i)}$, then outputs it on Alice's interface.

Theorem 7. [5] The BOQC protocol with dishonest Bob ${\pi }_{\text{boqc}}=\left\{{\pi }_{\mathcal{A}},{\pi }_{\mathcal{O}}\right\}$, defined in protocol 1, is perfectly blind and realizes the ideal resource ${\mathcal{S}}^{\prime }$ defined in figure 5.

Proof. The following proof is similar to the one in [5]. Applying definition 2, $\mathcal{R}{\pi }_{\text{boqc}},0{\to }{\mathcal{S}}^{\prime }$ if there exists a simulator ${\sigma }_{\mathcal{B}}$ such that $d({\pi }_{\mathcal{A}}{\pi }_{\mathcal{O}}\mathcal{R},{\mathcal{S}}^{\prime }{\sigma }_{\mathcal{B}})=0$; thus, we must find a relaxation ${\mathcal{S}}^{\prime }{\sigma }_{\mathcal{B}}$ that is perfectly indistinguishable from ${\pi }_{\mathcal{A}}{\pi }_{\mathcal{O}}\mathcal{R}$. Suppose the relaxation ${\mathcal{S}}^{\prime }{\sigma }_{\mathcal{B}}$ is defined in protocol 5, then we proceed to prove that it is indistinguishable from ${\pi }_{\mathcal{A}}{\pi }_{\mathcal{O}}\mathcal{R}$.

To simplify the problem, we first reduce the protocol to a one-client protocol as follows. Consider a pictorial representation of π_boqc (in the absence of Bob) in figure 6; it clearly shows that the common information between Alice and Oscar is the keys s, t, shared via a secure key channel. Since it is known that a secure key channel guarantees secrecy and authenticity, Alice and Oscar obtain their keys without leaking any information to Bob. Therefore, we may think that Alice and Oscar have already shared the keys before the protocol starts. Thus, protocol ${\pi }_{\mathcal{A}}{\pi }_{\mathcal{O}}$ is reducible to a one-client protocol ${\pi }_{\mathcal{AO}}$, shown in figure 7, where the alternating part between Alice and Oscar is captured within functions θ(i), s(i), and δ(i).

Relaxation ${\mathcal{S}}^{\prime }{\sigma }_{\mathcal{B}}$ defined in protocol 5 is pictured in figure 8. Thus, we now can prove the statement $d({\pi }_{\mathcal{A}}{\pi }_{\mathcal{O}}\mathcal{R},{\mathcal{S}}^{\prime }{\sigma }_{\mathcal{B}})=0$ by showing that figures 7 and 8 are indistinguishable.

Notice that figures 6 and 7 clearly show identical inputs and outputs, indicated by the same configuration of arrows. Thus, it now remains for us to prove that the arrows with a circled letter are (statistically) the same.

Remark that we focus only on blindness without verifiability. Since verification is not involved, Alice does not care whether her computation is correct or not. That is, some information related to the computation can be arbitrary, such as ${\rho }_{\mathcal{B}}^{\text{out}}$, ${~{s}}_{i}$, ${~{\underline{s}}}_{i}$, and δ_i .

Consider the information sent by Bob: , , and . First, in both figures, ${\rho }_{\mathcal{B}}^{\text{out}}$ is an arbitrary state chosen by Bob (simulator). Second, in figure 7, ${~{s}}_{i}$ and ${\underline{~{s}}}_{i}$ signify measurement outcomes seen by Bob, which is random information independent of the actual measurement outcomes: ${s}_{i}={~{s}}_{i}\oplus {r}_{i}$ and ${\underline{s}}_{i}={\underline{~{s}}}_{i}\oplus {r}_{i}$. The same is true in figure 8; ${~{s}}_{i},{~{\underline{s}}}_{i}$ are arbitrary information inputted to Bob's interface in ${\mathcal{S}}^{\prime }$.

We now analyze the information received by Bob: , , and δ_i . First, in both figures, δ_i are uniformly distributed random angles, independent of the actual measurement angles, ${\phi }_{i}^{\prime },{\psi }_{i}^{\prime }$. Second, consider the information at , namely at input node i ∈ I. In figure 7, is an encrypted input state ${X}^{{t}_{i}}{Z}_{i}({\alpha }_{i})({\rho }_{i})$, where ${\rho }_{i}{:=}{\mathrm{t}\mathrm{r}}_{I{\backslash}i}[{\rho }_{\mathcal{A}}^{\mathrm{i}\mathrm{n}}]$. In figure 8, is an uncorrected teleported state ${X}_{i}^{{t}_{i}}{Z}_{i}^{{r}_{i}}{Z}_{i}({\delta }_{i}-{\phi }_{i}^{\prime })({\rho }_{i})={X}_{i}^{{t}_{i}}{Z}_{i}({\delta }_{i}-{\phi }_{i}^{\prime }-\pi {r}_{i})({\rho }_{i})={X}_{i}^{{t}_{i}}{Z}_{i}({\alpha }_{i})({\rho }_{i})$, which is identical to in figure 7. Third, for , consider $i\in {V}_{\mathcal{A}}$. In figure 7, is $\left\vert {+}_{{\alpha }_{i}}\right\rangle$. In figure 8, is a remote state preparation [39] of ${Z}^{{r}_{i}}\left\vert {+}_{{\delta }_{i}-{\phi }_{i}^{\prime }}\right\rangle =\left\vert {+}_{{\delta }_{i}-{\phi }_{i}^{\prime }-\pi {r}_{i}}\right\rangle =\left\vert {+}_{{\alpha }_{i}}\right\rangle$. This is also clearly true for $i\in {V}_{\mathcal{O}}$.

Finally, since both figures have the same inputs and outputs, it remains to show that the leak is given by ${\ell }^{\mathcal{AO}}$. The leak of information ${\ell }^{\mathcal{AO}}$ is inputted to the simulator from Bob's interface. The simulator does not use the leak to create any useful information. Now we need to prove that the simulator does not learn anything beyond ${\ell }^{\mathcal{AO}}$. For that, the information received by the simulator must be independent of the computation. First, δ_i is an arbitrary angle, thus independent of the computation. Second, and are completely mixed states because of the randomness α_i , β_i ; thus, the simulator cannot guess α_i or β_i with complete certainty. A curious Bob might correctly guess other information such as the flow f, however it gives him no advantage. Therefore, there is no more leak than ${\ell }^{\mathcal{AO}}$ throughout the protocol. This concludes the proof.□

Zoom In Zoom Out Reset image size

Zoom In Zoom Out Reset image size

Zoom In Zoom Out Reset image size

Note that our strategy for constructing the simulator ${\sigma }_{\mathcal{B}}$ in protocol 5 comes to us from the work on composable security of delegated quantum computation by Dunjko et al in reference [15]. However, its usefulness in our case is only guaranteed by theorem 2.

Here we consider the general case when Alice's input and output are quantum, i.e. $~{I}=I$ and $~{O}=O$. The security is maintained as long as the input–output configuration admits the security model ${\mathcal{S}}^{\prime }$. Thus, the security is maintained for $~{I}\subset I$ and $~{O}\subset O$ for the following reasons:

First, letting $~{I}\subset I$, we denote Alice's quantum input ${\rho }^{\mathrm{i}\mathrm{n}}\in {\mathcal{H}}_{~{I}}$ and quantum input of the security model ${\rho }_{\mathcal{A}}^{\mathrm{i}\mathrm{n}}\in {\mathcal{H}}_{I}$. Since ${\mathcal{H}}_{I}\subset {\mathcal{H}}_{~{I}}$, she has another classical input in the form of a bit string c with length $\vert I{\backslash}~{I}\vert$. As one may always encode classical information into qubits as we choose, we can set ${\rho }_{\mathcal{A}}^{\mathrm{i}\mathrm{n}}={\rho }^{\mathrm{i}\mathrm{n}}{\bigotimes}_{i\in I{\backslash}I}\left\vert {c}_{i}\right\rangle \left\langle {c}_{i}\right\vert$, where c_i ∈ {0, 1}. Therefore, ${\rho }_{\mathcal{A}}^{\mathrm{i}\mathrm{n}}$ is now entirely quantum as modeled by ${\mathcal{S}}^{\prime }$. Finally, the same applies for $~{O}\subset O$ in which classical output can be represented as a diagonal density matrix.

Now it remains to prove the blindness of BOQCo. The proof is rather straightforward because BOQC and BOQCo differ only in the ordering among qubit transmissions, entanglements, and measurements. Theorem 8 provides the security statement of BOQCo, whose relaxation ${\mathcal{S}}^{\prime }{\sigma }_{\mathcal{B}}$ is provided in protocol 6, in appendix B.

Protocol 6. [5] A relaxation (${\mathcal{S}}^{\prime }{\sigma }_{\mathcal{B}}$) for BOQCo.

Conventions:
(I) given public information $\left\{(\mathcal{G},~{I},~{O}),{V}_{\mathcal{A}},{V}_{\mathcal{O}},\succ ,{ >},b\right\}$,where $~{I}=I$, $~{O}=O$, $\mathcal{G}=(V,E)$,
$V={V}_{\mathcal{A}}\cup {V}_{\mathcal{O}}$, and ${\Omega}={\left\{\frac{\pi k}{{2}^{b-1}}\right\}}_{0{\leqslant}k{< }{2}^{b}}$.
(II) ${s}_{invf(i)}=0,{\underline{s}}_{ invf(i)}=0$ for all i ∈ I and ti = 0 for all i ∈ Ic.
(III) invf(i) ≡ f−1(i), $z(i){:=}{\bigoplus}_{k{< }i,i\in {N}_{\mathcal{G}}(f(k))}{s}_{k}$, $\underline{z}(i){:=}{\bigoplus}_{k{< }i,i\in {N}_{\mathcal{G}}(f(k))}{\underline{s}}_{k}$, and $t(i){:=}{\sum }_{k\in I,i\in {N}_{\mathcal{G}}(k)}{t}_{k}$.
(IV) Measurements are performed in the computational basis.
Part
1: ${\mathcal{S}}^{\prime }$ receives $\left\{(\mathcal{G},I,O),f,{\rho }_{\mathcal{A}}^{\mathrm{i}\mathrm{n}},\phi \right\}$ at Alice's interface and ψ at Oscar's interface.
Part
2: for i ∈ V\O with ordering > do
3:      for k ∈ A(i) ∪ I do	⊳ See equation (14) in section 4.1
The simulator ${\sigma }_{\mathcal{B}}$
4:           if k ∉ O then
5:                Prepares an EPR pair $(\left\vert 00\right\rangle +\left\vert 11\right\rangle )/\sqrt{2}$ and outputs its half.
6:                Picks δk ∈ Ω at random, outputs δk .
7:                Receives a responses ${~{s}}_{k}$ and ${~{\underline{s}}}_{k}$, where ${~{s}}_{k},{~{\underline{s}}}_{k}\in \left\{0,1\right\}$.
8:                Sends resource ${\mathcal{S}}^{\prime }$ the other half of EPR pair (half-EPR-k), δk ,${~{s}}_{k}$, and ${~{\underline{s}}}_{k}$.
9:           else if k ∈ O then
10:                Receives output qubit ${\mathrm{t}\mathrm{r}}_{O{\backslash}k}[{\rho }_{\mathcal{B}}^{\text{out}}]$, and sends it to the ideal resource.
11:           end if
The ideal BOQCo resource ${\mathcal{S}}^{\prime }$
12:           Receives {half-EPR-$k,{s}_{k},{~{s}}_{k},{~{\underline{s}}}_{k},{\delta }_{k}$} if k ∈ Oc, otherwise receives ${\mathrm{t}\mathrm{r}}_{O{\backslash}k}[{\rho }_{\mathcal{B}}^{\text{out}}]$.
13:           if k ∈ I then
14:                Applies CNOT gate between ${\mathrm{t}\mathrm{r}}_{I{\backslash}k}[{\rho }_{\mathcal{A}}^{\mathrm{i}\mathrm{n}}]$ and half-EPR-k.
15:                Measures half-EPR-k, stores the outcome as rk , then updates:
$\begin{gathered}{\phi }_{k}={(-1)}^{{t}_{k}}{\phi }_{k},\\ \forall \enspace j\in {N}_{\mathcal{G}}(k)\cap {V}_{\mathcal{A}},{\phi }_{j}={\phi }_{j}+{t}_{k}\pi \\ \forall \enspace j\in {N}_{\mathcal{G}}(k)\cap {V}_{\mathcal{O}},{\psi }_{j}={\psi }_{j}+{t}_{k}\pi .\end{gathered}$
16:           end if
17:           if k ∈ Oc then
18:                if $k\in {V}_{\mathcal{A}}$ then
19:                    Computes ${\phi }_{k}^{\prime }={(-1)}^{{s}_{invf(k)}}{\phi }_{k}+z(k)\pi$.
20:                    Computes ${\theta }_{k}^{\prime }={\delta }_{k}-{\phi }_{k}^{\prime }$.
21:                else if $k\in {V}_{\mathcal{O}}$ then
22:                    Computes ${\psi }_{k}^{\prime }={(-1)}^{{\underline{s}}_{ invf(k)}}{\psi }_{k}+\underline{z}(k)\pi$.
23:                    Computes ${\theta }_{k}^{\prime }={\delta }_{k}-{\psi }_{k}^{\prime }$
24:                end if
25:                Applies $H{Z}_{k}({\theta }_{k}^{\prime })$ to half-EPR-k followed by measurement.
26:                Stores the measurement outcomes as rk .
27:                Sets ${s}_{k}={~{s}}_{k}\oplus {r}_{k}$ and ${~{\underline{s}}}_{k}={~{\underline{s}}}_{k}\oplus {r}_{k}$ if $k\in {V}_{\mathcal{O}}$.
28:           else	⊳ k ∈ O
29:                Corrects ${\mathrm{t}\mathrm{r}}_{O{\backslash}k}[{\rho }_{\mathcal{B}}^{\text{out}}]$ with ${X}_{k}^{{s}_{invf(k)}+{t}_{k}}{Z}_{k}^{z(k)+t(k)}$ and outputs it on Alice's interface.
30:           end if
31:      end for
32: end for

Theorem 8. The BOQCo protocol with dishonest Bob ${\pi }_{\text{boqco}}^{\prime }=({\pi }_{\mathcal{A}},{\pi }_{\mathcal{O}})$, defined in protocol 2 is perfectly blind, and realizes ideal resource ${\mathcal{S}}^{\prime }$ defined in figure 5.

Proof. By definition 2, statement $\mathcal{R}{\pi }_{\text{boqco}},0{\to }{\mathcal{S}}^{\prime }$ is achieved if there exists a simulator ${\sigma }_{\mathcal{B}}$ such that $d({\pi }_{\mathcal{A}}{\pi }_{\mathcal{O}}\mathcal{R},{\mathcal{S}}^{\prime }{\sigma }_{\mathcal{B}})=0$. Such a relaxation can be straightforwardly derived from protocol 5 by rearranging the process order, viz, qubit transmissions, entanglements, and measurements according to the lazy computation in algorithm 1 (the relaxation is shown explicitly in protocol 6, appendix B).

Since BOQCo and BOQC differ only by the process order, they have the same configuration of inputs and outputs. Therefore, ${\pi }_{\mathcal{A}}{\pi }_{\mathcal{O}}\mathcal{R}$ and ${\mathcal{S}}^{\prime }{\sigma }_{\mathcal{B}}$ have pictorial representations as figures 7 and 8, respectively, where the figures are proven to be indistinguishable in theorem 7. The difference in the process order will not reveal any information about the computation because the ordering is determined before the protocol starts, arranged in pre-protocol steps (definition 3).

Since we obtain an indistinguishable relaxation to ${\pi }_{\mathcal{A}}{\pi }_{\mathcal{O}}\mathcal{R}$ that has the same leak as BOQC, this concludes the proof. □

The BOQC and the BOQCo protocols provide simple cooperation between Alice and Oscar to delegate their blind computations, allowing the malicious Bob to learn no more that public information ${\ell }^{\mathcal{AO}}{:=}\left\{(\mathcal{G},~{I},~{O}),{V}_{\mathcal{A}},{V}_{\mathcal{O}},\succ ,{ >},b\right\}$. The leaking information ${\ell }^{\mathcal{AO}}$ is insufficient to infer the computation, but there is a catch:

Consider an example of a real-life situation in which Oscar's company is well-known for storing massive confidential databases. Thus, Bob might reasonably make an priori assumption that they are running a quantum search algorithm. If the oracle's graph varies according to the request being made, Bob might infer some information about Alice's request, such as, a simple graph marks a zeros state in the Grover algorithm. Thus, Oscar's oracle graphs must remain the same for all requests; he is only allowed to vary only the measurement angles for different queries. We call such graphs, i.e. a class of graphs that runs a set of different requests, 'BOQC-compatible' graphs.

A BOQC-compatible graph is a standard oracle graph, determined by Oscar, for a class of requests. One can use a universal graph, e.g. a fixed-size brickwork state as introduced in reference [10]; however, the number of qubits increases rapidly with the circuit depth of the gate model representation. Another strategy is to optimize the graphs, constrained to the set of requests as done in reference [26], for two- and three-qubits exact Grover algorithms. The resulting graph is significantly more compact than the brickwork graph.

As the final remark of this paper, it is worth noting how BOQC and UBQC are related. As an extension of the UBQC, BOQC implements the same hiding protocol and achieves the same security level as the UBQC. This similarity shows clearly in section 5, in figure 6, where Alice and Oscar can be reduced to a client who has full knowledge of the computation. The difference between BOQC and UBQC can be summarized as follows. First, BOQC allows two clients with different computation knowledge, where UBQC has one client who has the full knowledge of the computation. Thus, BOQC works only for oracular quantum algorithms, whereas UBQC works for general computations. Second, UBQC restricts the graph state to the brickwork state, but BOQC allows arbitrary graph states from Alice and Oscar; moreover, Oscar needs BOQC-compatible graphs. Lifting the graph restriction will leak more classical information; however, it allows the clients to have compact graphs according to their wish or graphs optimized to the hardware architecture. Finally, we also extend the BOQC optimized to a particular solid-state hardware, introducing the BOQCo, which also inherits the same level of security as the UBQC.