Open Access
This article is
 freely available
 reusable
Cryptography 2017, 1(1), 6; doi:10.3390/cryptography1010006
Article
Garbled Quantum Computation
^{1}
School of Informatics, University of Edinburgh, 10 Crichton Street, Edinburgh EH8 9AB, UK
^{2}
CNRS LTCI, UPMC–LIP6, 4 Place Jussieu 75252, Paris CEDEX 05, France
^{*}
Author to whom correspondence should be addressed.
Academic Editor:
Kwangjo Kim
Received: 2 March 2017 / Accepted: 30 March 2017 / Published: 7 April 2017
Abstract
:The universal blind quantum computation protocol (UBQC) enables an almost classical client to delegate a quantum computation to an untrusted quantum server (in the form of a garbled quantum circuit) while the security for the client is unconditional. In this contribution, we explore the possibility of extending the verifiable UBQC, to achieve further functionalities following the analogous research for classical circuits (Yao 1986). First, exploring the asymmetric nature of UBQC (the client preparing only single qubits, while the server runs the entire quantum computation), we present a “Yao”type protocol for secure twoparty quantum computation. Similar to the classical setting, our quantum Yao protocol is secure against a specious (quantum honestbutcurious) garbler, but in our case, against a (fully) malicious evaluator. Unlike the previous work on quantum twoparty computation of Dupuis et al., 2010, we do not require any onlinequantum communication between the garbler and the evaluator and, thus, no extra cryptographic primitive. This feature will allow us to construct a simple universal onetime compiler for any quantum computation using onetime memory, in a similar way to the classical work of Goldwasser et al., 2008, while more efficiently than the previous work of Broadbent et al., 2013.
Keywords:
blind quantum computation; Yao’s twoparty computation protocol; onetime memory1. Introduction
Future information and communication networks will consist of both classical and quantum devices, some of which are expected to be dishonest. These devices will have various different functionalities, ranging from simple routers to servers executing quantum algorithms. Within the last few years, anticipating this development has led to the formation and growth of the field of delegated quantum computing [1,2,3,4,5,6]. Among them is the universal blind quantum computation (UBQC) protocol of [3], which is developed based on the measurementbased quantum computation model (MBQC) [7] that appears as the most promising physical implementation for a networked architecture [8]. In the UBQC framework, the only quantum requirement for the client is the offline creation of random single qubit states, which is a currently available technology and has been demonstrated experimentally [9].
The MBQC model of computation can be viewed as a set of classical instructions steering a quantum computation performed on a highly entangled quantum state. The classical outcomes of the singlesystem measurements that occur during the computation are in general randomly distributed bits with no significance for the final output of the computation. This enables one to use relatively basic obfuscation techniques in order to prevent an untrusted operator (that implements an MBQC computation) from obtaining access to the true flow of information. This key observation has led to an entirely new approach to quantum verification that exploits cryptographic techniques [4,5,10,11,12,13,14,15,16,17]. The core idea is to encode simple trap computations within a target computation that is run on a remote device. This is done in such a way that the computation is not affected while, at the same time, revealing no information to the server. The correctness of the overall computation is tested by verifying that the trap computations were done correctly. The latter, being significantly less costly, leads to efficient verification schemes. This approach of quantum verification has been recently used to obtain specific cryptographic primitives, such as quantum onetime program [6] and secure twoparty quantum computation [18], which are also the main focus of this paper.
1.1. Our Contribution
We will explore two extensions of the verifiable universal blind quantum computing (VUBQC) protocols, which are built based on measurementbased quantum computation, in order to achieve new functionalities to be implemented in the quantum network setting [8]. The essential novelty of our approach is that the clientserver setting allows different participants to have different quantum technological requirements. As a result, in our proposed twoparty primitives, one party (garbler or sender) remains as classical as possible (with no need for quantum memory), while it is only the other party (evaluator or receiver) that requires access to a quantum computer. Moreover, the required offline initial quantum communication between the participants is also limited to the exchange of simple single quantum states that can be generated, for example, in any quantum key distribution network (as was proven recently in [19]). Finally, all of the utilised subprotocols in our schemes could be reduced to the core protocols of offline preparation [19] and verifiable universal blind quantum computation [10,14] that are both proven to be composably secure in the abstract cryptography framework of [20]. For simplicity, we only present the standalone security proof for our protocols as we follow the framework of [21] and use simulationbased techniques. We present two new protocols:
 In Section 3, we present a protocol for secure twoparty quantum computation that we refer to as QYao. This protocol involves two parties with asymmetric roles that wish to securely compute any given unitary on a joint quantum input. Similar to the classical protocol of [22], in QYao, an honestbutcurious (formally defined for the quantum setting in [21]) client capable of preparing only random single qubit and performing constant depth classical computation “garbles” the entire unitary. The fullymalicious server/evaluator receives instructions from the garbler and inserts their input either using a (classical) oblivious transfer (OT) or by a quantum input insertion scheme secure against the honestbutcurious garbler. The evaluator performs the computation, extracts its own output qubits and returns the remaining output qubits to the garbler. After the garbler verifies the computation, the encryption keys of the evaluator output qubits are released. Unlike the classical setting, our proposed QYao protocol is interactive, but importantly, only classical online communication is required. The gain we have, on the other hand, is the boosted security since apart from the initial input exchange where classical OT is needed, the rest of the protocol is unconditionally secure. If one could replace the classical OT’s in our QYao protocol with new primitives, such as the unconditionally secure relativistic primitives [23], the security would be extended to fully unconditional. In Section 4, we prove the security of the protocol in the ideal realworld paradigm using a simulationbased technique.
 In Section 5, we follow the classical approach of [24] and make our QYao protocol noninteractive by using the classical hardware primitive “onetime memory” (OTM), which is essentially a noninteractive oblivious transfer. Using OTM, the need for initial OT calls, in our QYao protocol, is also removed, leading to a onetime universal compiler for any given quantum computation. Such onetime quantum programs can be executed only once, where the input can be chosen at any time. The onetime programs have a wide range of applications ranging from program obfuscation, software protection to temporary transfer of cryptographic ability [24]. Classically, the challenge in lifting the Yao protocol for twoparty computation to a onetime program is addressing the issue of a malicious adversary. However, our QYao protocol is already secure against a malicious evaluator without any extra primitive or added overhead. Our quantum onetime program is therefore a straightforward translation of QYao. The same technique is applicable to essentially any cryptographic protocols developed in the measurementbased model that require offline quantum preparation and online classical communications. In any such MBQC computation, there are exponentially many branches of computation (this expansion is the result of the nondeterministic nature of the intermediate singlequbits measurement that occurs during the computation); however, we prove that a single OTM (of constant size) per computation qubit suffices to make the QYao noninteractive. This is due to the fact that in any constant degree graphstate (the underlying entanglement resources for an MBQC computation), the flow of information acts locally. We prove that this is the case for the required entangled recourse in the verifiable UBQC introduced in [25] that is the basis of our QYao protocol. Hence, each classical message between parties, in the interactive case, depends only on the constant number of previous messages, and this allows us to remove this interaction using a simple constantsize OTM.
1.2. Related Works
Deriving new quantum cryptographic protocols for functionalities beyond the secure key exchange [26] is an active field of research (see a recent review for a summary [27]). In particular, our contributions are directly linked to the works on verifiable blind quantum computing (VUBQC) [4,5,10], secure twoparty quantum computing [18,21] and quantum onetime program and quantum obfuscation [6,28]. The main focus in VUBQC research is the ability of a limited verifier to certify the correctness of the quantum computation performed by a remote server. Recently, many such protocols have been developed achieving different quantum technological requirement for the verifier or the prover [11,13,15,16,29]. We have used the optimal (from the verifier’s point of view) VUBQC that has the additional property of a local and independent trap construction [25]. This property allows us to construct a simple yet generic scheme for the server (receiver, evaluator) input insertion and output extraction that could be applicable to other VUBQC schemes and that might lead to further properties not present in the scheme of [25].
Due to the impossibility results of [6,28], having extra primitives such as OTM is unavoidable in order to achieve program hiding. However, using the MBQC framework with the verification protocol of [25] leads to a simpler procedure for removing the classical interaction compared to the initial work that pioneered this approach [6]. Furthermore, due to the direct utilisation of OTMs instead of classical onetime programs, our scheme could be applicable to other VUBQC protocols that might emerge in the future. Another way of making protocols noninteractive is based on the security of other classical primitives, as was done in [30] using fullyhomomorphic encryption. However, to apply this method for noninteractive secure twoparty quantum computation, it is important to enable verifiability from the side of the sender, something naturally present in our scheme, but not necessarily in other schemes. Finally, the VUBQC framework, which naturally separates the classical and quantum part of the computation, allows us to construct a clientserver scheme for secure twoparty quantum computation that unlike the work of [21] removes the requirement of any extra cryptographic primitive, which was an open question in [21]. Here, we need to clarify that, while in the classical Yao with an honestbutcurious garbler the primitive of OT is required for the evaluator’s input insertion, in our QYao, this is not the case. This is simply due to the fact that the notion of the quantum specious adversary that was formalised in [21] is more restrictive than classical honestbutcurious in certain cases (see Appendix B). Hence, instead of utilising a classical OT, one could simply devise a quantum communication scheme, as we present here, in order to achieve the same goal of secure input insertion against a (less powerful) adversarial garbler.
Another related issue is that the serverclient setting can also be exploited to achieve simpler (implementationwise) multiparty blind quantum computation protocols, where multiple clients use a single server to jointly and securely perform a quantum computation [31].
Finally, an interesting future direction is to try to view secure twoparty quantum computation (2PQC) as a quantum game. The link of classical SMPCand game theory has been analysed, for example, in connection with the issue of fairness and rational players [32,33]. Moreover, the quantum settings with multiple parties having competing interests has also been considered in a gametheoretic way (e.g., [34] and recently [35]), which leads to the question of using these techniques in the 2PQC case.
2. Preliminaries
2.1. Verifiable Universal Blind Quantum Computation
We will assume that the reader is familiar with the measurementbased quantum computation (MBQC) model [7] that is known to be the same as any gate teleportation model [36,37]. In this section, we introduce MBQC and use it to revise a blind quantum computation (the server performs computation without learning input/output or computation) [3] and a verifiable blind quantum computation (the client can also verify that the computation was performed correctly) [10] protocols. The general idea behind the MBQC model is: start with a large and highly entangled generic multiparty state (the resource state), and then, perform the computation by carrying out singlequbit measurements. To perform a desired quantum computation, each qubit should be measured in a suitable basis, and this basis is (partly) determined by some default measurement angles ${\varphi}_{i}$. There is an order in which the measurements should occur, which is determined by the flow of the computation (see also later), and the basis by which each qubit is measured generally depends on the outcomes of previous measurements (and the default measurement angle ${\varphi}_{i}$). The resource states used are known as graph states, as they can be fully determined by a given graph (see the details in [38]). A way to construct a graph state given the graph description is by assigning to each vertex of the graph a qubit initially prepared in the state $\left+\right.\u232a$ and for each edge of the graph to perform a $\mathrm{controlled}Z$ gate for the two adjacent vertices. For completeness, in Appendix A, we give the expression for the measurement angles of each qubit and an example of measurement pattern (graph state and default measurement angles ${\varphi}_{i}$) that implements each gate from a universal set of gates.
If one starts with a graph state where qubits are prepared in a rotated basis $\left{+}_{\theta}\right.\u232a=1/\sqrt{2}(\left0\right.\u232a+\phantom{\rule{3.33333pt}{0ex}}{e}^{i\theta}\left1\right.\u232a)$ instead, then it is possible to perform the same computation with the nonrotated graph state by preforming measurements in a similarly rotated basis. This observation led to the formulation of the universal blind quantum computation (UBQC) protocol [3], which hides the computation in a clientserver setting. Here, a client prepares rotated qubits, where the rotation is only known to them. The client sends the qubits to the server, as soon as they are prepared (hence, there is no need for any quantum memory). Finally, the client instructs the server to perform entangling operations according to the graph and to carry out single qubit measurements in suitable angles in order to complete the desired computation (where an extra randomisation ${r}_{i}$ of the outcome of the measurements is added). During the protocol, the client receives the outcomes of previous measurements and can classically evaluate the next measurement angles. Due to the unknown rotation and the extra outcome randomisation, the server does not learn what computation they actually perform.
The UBQC protocol can be uplifted to a verification protocol where the client can detect a cheating server. To do so, the client for certain vertices (called dummies) sends states from the set $\{\left0\right.\u232a,\left1\right.\u232a\}$, which has the same effect as a Zbasis measurement on that vertex. In any graph state, if a vertex is measured in the Zbasis, it results in a new graph where that vertex and all of its adjacent edges are removed. During the protocol, the server does not know for a particular vertex if the client sent a dummy qubit (i.e., a qubit from $\{\left0\right.\u232a,\left1\right.\u232a\}$) or not. This enables the client to isolate some qubits (disentangled from the rest of the graph). Those qubits have fixed deterministic outcomes if the server followed the instructions honestly. The positions of those isolated qubits are unknown to the server, and the client uses them as traps to test that the server performs the quantum operations that are requested. This technique led to the first universal VUBQC protocol [10] and was subsequently extended to many other protocols depending on what optimised construction was used, what was the required quantum technology and which was the desired level of security. It is clear that the more (independent) traps we have within a graph, the higher the probability of detecting a deviation. In [25], we gave a construction that, while maintaining an overhead that is linear in the size of the computation, introduced multiple traps and in particular of the same number as the computation qubits. We will be using that construction, not only for efficiency reasons, but because this construction is “local”, and revealing to the server partial information about the graph does not compromise the security. This is important for our QYao protocol since, in this case, the server has the input and output and needs to know in which parts of the graph their input/output belongs. The construction is summarised below:
 We are given a basegraph G that has vertices $v\in V\left(G\right)$ and edges $e\in E\left(G\right)$.
 For each vertex ${v}_{i}$, we define a set of three new vertices ${P}_{{v}_{i}}=\{{p}_{1}^{{v}_{i}},{p}_{3}^{{v}_{i}},{p}_{3}^{{v}_{i}}\}$. These are called primary vertices.
 Corresponding to each edge $e({v}_{i},{v}_{j})\in E\left(G\right)$ of the basegraph that connects the base vertices ${v}_{i}$ and ${v}_{j}$, we introduce a set of nine edges ${E}_{e({v}_{i},{v}_{j})}$ that connect each of the vertices in the set ${P}_{{v}_{i}}$ with each of the vertices in the set ${P}_{{v}_{j}}$.
 We replace every edge in the resulted graph with a new vertex connected to the two vertices originally joined by that edge. The new vertices added in this step are called added vertices. This is the dotted triplegraph $DT\left(G\right)$.
We can see (Figure 1) that each vertex in the $DT\left(G\right)$ corresponds to either a vertex (for primary vertices) or an edge (for added vertices) of the basegraph. The precise edge/vertex of the basegraph to which each vertex $v\in DT\left(G\right)$ belongs is called baselocation. The nice property of this graph is that one can reduce this graph to three copies of the basegraph by “breaking” some edges (which can be done using dummy qubits). Moreover, the choice of which vertex belongs to each of the three graphs is essentially independent (for different baselocations corresponding to vertices of the basegraph). With this construction we can eventually use one copy of the basegraph for the computation, while make multiple single traps from the two remaining copies (see Figure 1). The choice of which vertex belongs to which graph is called trapcolouring. This is a free choice made by the client, and the fact that the server is ignorant of the actual trapcolouring guarantees the security (see the details in [25]).
Definition 1 (Trapcolouring).
We define trapcolouring to be an assignment of one colour to each of the vertices of the dotted triplegraph that is consistent with the following conditions.
 (i)
 Primary vertices are coloured in one of the three colours, white or black (for traps) and green (for computation). There is an exception for input baselocations (see Step (v)).
 (ii)
 Added vertices are coloured in one of the four colours white, black, green or red.
 (iii)
 In each primary set ${P}_{v}$, there is exactly one vertex of each colour.
 (iv)
 Colouring the primary vertices fixes the colours of the added vertices: added vertices that connect primary vertices of different colour are red; added vertices that connect primary vertices of the same colour get that colour.
 (v)
 For input baselocations, instead of green, we have a blue vertex (but all other rules, including how to connect with the other vertices, apply in the same way as if it were green).
For completeness, we give the basic verification protocol from [25] that we use.
Protocol 1 Verifiable universal blind quantum computation using the dotted triple graph (with faulttolerant encoding); taken from [25]. 
We assume that a standard labelling of the vertices of the dotted triplegraph $DT\left(G\right)$, is known to both the client and the server. The number of qubits is at most $3N(3c+1)$ where c is the maximum degree of the base graph G. • Client’s resources – Client is given a base graph G. The corresponding dotted graph state $\leftD\left(G\right)\right.\u232a$ is generated by graph $D\left(G\right)$ that is obtained from G by replacing every edge with a new vertex connected to the two vertices originally joined by that edge. – Client is given an MBQC measurement pattern ${\mathbb{M}}_{\mathrm{Comp}}$ which: Applied on the dotted graph state $\leftD\left(G\right)\right.\u232a$ performs the desired computation, in a faulttolerant way, that can detect or correct errors fewer than $\delta /2$. – Client generates the dotted triplegraph $DT\left(G\right)$, and selects a trapcolouring according to Definition 1 which is done by choosing independently the colours for each set ${P}_{v}$. – Client for all red vertices will send dummy qubits and thus performs break operation. – Client chooses the green graph to perform the computation. – Client for the white graph sends dummy qubits for all added qubits ${a}_{w}^{e}$ and thus generates white isolated qubits at each primary vertex set ${P}_{v}$. Similarly for the black graph the client sends dummy qubits for the primary qubits ${p}_{b}^{v}$ and thus generates black isolated qubits at each added vertex set ${A}_{e}$. – The dummy qubits position set D is chosen as defined above (fixed by the trapcolouring). – A binary string $\mathbf{s}$ of length at most $3N(3c+1)$ represents the measurement outcomes. It is initially set to all zero’s. – A sequence of measurement angles, $\varphi ={\left({\varphi}_{i}\right)}_{1\le i\le 3N(3c+1)}$ with ${\varphi}_{i}\in A=\{0,\pi /4,\cdots ,7\pi /4\}$, consistent with ${\mathbb{M}}_{\mathrm{Comp}}$. We define ${\varphi}_{i}^{\prime}({\varphi}_{i},\mathbf{s})$ to be the measurement angle in MBQC, when corrections due to previous measurement outcomes $\mathbf{s}$ are taken into account (the function depends on the specific basegraph and its flow, see e.g., [3]). We also set ${\varphi}_{i}^{\prime}=0$ for all of the trap and dummy qubits. The Client chooses a measurement order on the dotted basegraph $D\left(G\right)$ that is consistent with the flow of the computation (this is known to Server). The measurements within each set ${P}_{v},{A}_{e}$ of $DT\left(G\right)$ graph are ordered randomly. – $3N(3c+1)$ random variables ${\theta}_{i}$ with value taken uniformly at random from A. – $3N(3c+1)$ random variables ${r}_{i}$ and $\leftD\right$ random variable ${d}_{i}$ with values taken uniformly at random from $\{0,1\}$. – A fixed function $C(i,{\varphi}_{i},{\theta}_{i},{r}_{i},\mathbf{s})={\varphi}_{i}^{\prime}({\varphi}_{i},\mathbf{s})+{\theta}_{i}+\pi {r}_{i}$ that for each nonoutput qubit i computes the angle of the measurement of qubit i to be sent to the Server. • Initial Step – Client’s move: Client sets all of the values in $\mathbf{s}$ to be 0 and prepares the input qubits as
$$\begin{array}{c}\lefte\right.\u232a={X}^{{x}_{1}}Z\left({\theta}_{1}\right)\otimes \dots \otimes {X}^{{x}_{l}}Z\left({\theta}_{l}\right)\leftI\right.\u232a\hfill \end{array}$$
$$\begin{array}{ccc}\forall i\in D\hfill & \phantom{\rule{0.277778em}{0ex}}\phantom{\rule{0.277778em}{0ex}}\phantom{\rule{0.277778em}{0ex}}\hfill & \left{d}_{i}\right.\u232a\hfill \\ \forall i\notin D\hfill & \phantom{\rule{0.277778em}{0ex}}\phantom{\rule{0.277778em}{0ex}}\phantom{\rule{0.277778em}{0ex}}\hfill & \prod _{j\in {N}_{G}\left(i\right)\cap D}{Z}^{{d}_{j}}\left{+}_{{\theta}_{i}}\right.\u232a\hfill \end{array}$$
– Server’s move: Server receives $3N(3c+1)$ single qubits and entangles them according to $DT\left(G\right)$. – Continues to Protocol 2 
Protocol 2 Continuing from Protocol 1: VUBQC with DT(G). 
• Step $i:\phantom{\rule{0.277778em}{0ex}}1\le i\le 3N(3c+1)$ – Client’s move: Client computes the angle ${\delta}_{i}=C(i,{\varphi}_{i},{\theta}_{i},{r}_{i},\mathbf{s})$ and sends it to the Server. – Server’s move: Server measures qubit i with angle ${\delta}_{i}$ and sends the Client the result ${b}_{i}$. – Client’s move: Client sets the value of ${s}_{i}$ in $\mathbf{s}$ to be ${b}_{i}+{r}_{i}$. • Final Step: – Server’s move: Server returns the last layer of qubits (output layer) to the Client. • Verification – After obtaining the output qubits from the Server, the Client measures the output trap qubits with angle ${\delta}_{t}={\theta}_{t}+{r}_{t}\pi $ to obtain ${b}_{t}$. – Client accepts if ${b}_{i}={r}_{i}$ for all of the white (primary) and black (added) trap qubits i. 
2.2. TwoParty Quantum Protocols
The impossibility of achieving unconditionally secure twoparty cryptographic protocols has led to the definition and use of simpler hardware or software primitives to form the basis for the desired functionalities. A one out of n oblivious transfer (OT) is a twoparty protocol where one party (Alice) has input n messages $({x}_{1},\cdots ,{x}_{n})$ and the other party (Bob) inputs a number $c\in \{1,\cdots ,n\}$ and receives the message ${x}_{c}$ with the following guarantees: Bob learns nothing about the other messages ${x}_{i}i\ne c$, and Alice is “oblivious” (does not know) about which message Bob obtained (i.e., does not know the value c) [39]. A hardware token that implements a noninteractive OT is called onetime memory (OTM) [24]. We will utilise a one out of n OTM, where again Alice stores in the OTM n strings $({x}_{1},\cdots ,{x}_{n})$, Bob specifies a value c and the OTM reveals ${x}_{c}$ to Bob and then selfdestructs; i.e., the remaining strings ${x}_{i}i\ne c$ are lost forever.
The first paper that studied secure twoparty quantum computation is [21], and we follow their notations and conventions. We have two parties $A,B$ with registers $\mathcal{A},\mathcal{B}$ and an extra register $\mathcal{R}$ with $dim\mathcal{R}=(dim\mathcal{A}+dim\mathcal{B})$. The input state is denoted ${\rho}_{in}\in D(\mathcal{A}\otimes \mathcal{B}\otimes \mathcal{R})$, where $D\left(\mathcal{A}\right)$ is the set of all possible quantum states in register $\mathcal{A}$. We also denote with $L\left(\mathcal{A}\right)$ the set of linear mappings from $\mathcal{A}$ to itself, and the superoperator $\varphi :L\left(\mathcal{A}\right)\to L\left(\mathcal{B}\right)$ that is completely positive and trace preserving is called a quantum operation. We denote ${\mathbb{I}}_{\mathcal{A}}$ the identity operator in register $\mathcal{A}$. The ideal output is then given by ${\rho}_{out}=(U\otimes {\mathbb{I}}_{\mathcal{R}})\xb7{\rho}_{in}$, where for simplicity, we write $U\xb7\rho $ instead of $U\rho {U}^{\u2020}$. For two states ${\rho}_{0},{\rho}_{1}$, we denote the trace norm distance $\Delta ({\rho}_{0},{\rho}_{1}):=\frac{1}{2}\parallel {\rho}_{0}{\rho}_{1}\parallel $. If $\Delta ({\rho}_{0},{\rho}_{1})\le \u03f5$, then any process applied on ${\rho}_{0}$ behaves as for ${\rho}_{1}$, except with probability at most $\u03f5$.
Definition 2
(Taken from [21]). An nstep twoparty strategy with oracle calls is denoted ${\Pi}^{O}=(A,B,O,n)$:
 1.
 input spaces ${\mathcal{A}}_{0},{\mathcal{B}}_{0}$ and memory spaces ${\mathcal{A}}_{1},\cdots ,{\mathcal{A}}_{n}$ and ${\mathcal{B}}_{1},\cdots ,{\mathcal{B}}_{n}$
 2.
 ntuple of quantum operations $({L}_{1}^{A},\cdots ,{L}_{n}^{A})$ and $({L}_{1}^{B},\cdots ,{L}_{n}^{B})$ such that ${L}_{i}^{A}:L\left({\mathcal{A}}_{i1}\right)\to L\left({\mathcal{A}}_{i}\right)$ and similarly for ${L}_{i}^{B}$.
 3.
 ntuple of oracle operations $({\mathcal{O}}_{1},\cdots ,{\mathcal{O}}_{n})$ where each oracle is a global operation for that step, ${\mathcal{O}}_{i}:L({\mathcal{A}}_{i}\otimes {\mathcal{B}}_{i})\to L({\mathcal{A}}_{i}\otimes {\mathcal{B}}_{i})$
The trivial oracle is a communication oracle that transfers some quantum register from one party to another. Protocols that have only such oracles are called the bare model. Other oracles include calls to other cryptographic primitives. The quantum state in each step of the protocol is given by:
$$\begin{array}{ccc}\hfill {\rho}_{1}\left({\rho}_{in}\right)& :=& ({\mathcal{O}}_{1}\otimes \mathbb{I})({L}_{1}^{A}\otimes {L}_{1}^{B}\otimes \mathbb{I})\left({\rho}_{in}\right)\hfill \\ \hfill {\rho}_{i+1}\left({\rho}_{in}\right)& :=& ({\mathcal{O}}_{i+1}\otimes \mathbb{I})({L}_{i+1}^{A}\otimes {L}_{i+1}^{B}\otimes \mathbb{I})\left({\rho}_{i}\left({\rho}_{in}\right)\right)\hfill \end{array}$$
The security definitions are based on the ideal functionality of twoparty quantum computation (2PQC) that takes a joint input ${\rho}_{in}\in {\mathcal{A}}_{0}\otimes {\mathcal{B}}_{0}$, obtains the state $U\xb7{\rho}_{in}$ and returns to each party their corresponding quantum registers. A protocol ${\Pi}_{U}^{O}$ implements the protocol securely, if no possible adversary in any step of the protocol can distinguish whether they interact with the real protocol or with a simulator that has only access to the ideal functionality. When a party is malicious, we add the notation “∼”, e.g., $\tilde{A}$.
Definition 3 (Simulator).
$\mathcal{S}\left(\tilde{A}\right)=\langle ({\mathcal{S}}_{1},\cdots ,{\mathcal{S}}_{n}),q\rangle $ is a simulator for adversary $\tilde{A}$ in ${\Pi}_{U}^{O}$ if it consists of:
 1.
 operations where ${\mathcal{S}}_{i}:L\left({\mathcal{A}}_{0}\right)\to L\left(\tilde{{\mathcal{A}}_{i}}\right)$,
 2.
 sequence of bits $q\in {\{0,1\}}^{n}$ determining if the simulator calls the ideal functionality at step i (${q}_{i}=1$ calls the ideal functionality).
For other adversaries, the simulator is defined analogously.
Given input ${\rho}_{in}$, the simulated view for step i is defined as:
and similarly for the other party.
$$\begin{array}{c}\hfill {\nu}_{i}(\tilde{A},{\rho}_{in}):={\mathrm{Tr}}_{{\mathcal{B}}_{0}}\left(({\mathcal{T}}_{i}\otimes \mathbb{I})({U}^{{q}_{i}}\otimes \mathbb{I})\xb7{\rho}_{in}\right)\end{array}$$
Definition 4 (Privacy).
We say that the protocol is δprivate if for all adversaries and for all steps i:
where ${\tilde{\rho}}_{i}(\tilde{A},{\rho}_{in})$ the state of the real protocol with corrupted party $\tilde{A}$, at step i.
$$\begin{array}{c}\hfill \Delta ({\nu}_{i}(\tilde{A},{\rho}_{in}),{\mathrm{Tr}}_{{\mathcal{B}}_{i}}\left({\tilde{\rho}}_{i}(\tilde{A},{\rho}_{in})\right))\le \delta \end{array}$$
In classical cryptography, a type of adversary commonly considered is the “honestbutcurious”. This adversary follows the protocol, but also keeps records of its actions and attempts to learn from those more than what it should. This type of weak adversary has been proven very useful in many protocols, since it typically constitutes the first step in constructing protocols secure against more powerful (even fully malicious) adversaries.
Since quantum states cannot be copied, one cannot have a direct analogue of honestbutcurious. Instead, we have the notion of specious adversaries [21], where they can deviate as they wish, but in every step, if requested, should be able to reproduce the honest global state by acting only on their subsystems. More formally:
Definition 5 (Specious).
An adversary $\tilde{A}$ is ϵspecious if there exists a sequence of operations $({\mathcal{T}}_{1},\cdots ,{\mathcal{T}}_{n})$, where ${\mathcal{T}}_{i}:L\left({\tilde{\mathcal{A}}}_{i}\right)\to L\left({\mathcal{A}}_{i}\right)$, such that:
$$\begin{array}{c}\hfill \Delta \left(({\mathcal{T}}_{i}\otimes \mathbb{I})\left({\tilde{\rho}}_{i}(\tilde{A},{\rho}_{in})\right),{\rho}_{i}\left({\rho}_{in}\right)\right)\le \u03f5\end{array}$$
Note that this (standard) definition of specious adversary allows for different interpretations that lead to stronger and weaker versions of the adversary. These subtleties are explained in Appendix B. Here, we stress that we take the weaker notion that takes Equation (4) in the stricter sense, while in [21], the authors implicitly used a stronger version. This difference led to our paper evading certain impossibility results mentioned in [21]. A detailed discussion of this is given in Appendix B.
A 2PQC protocol needs to be (by definition) private. Moreover, it may have two extra properties, verification and fairness. Verification means that each party, when they receive their output, not only is sure that nothing leaked about its input, but also it can know whether the outcome it received is correct or corrupted. Fairness is the extra property that no party should be able to obtain its output and after that cause an abort (or a corruption) for the other party. Even in classical 2PC, it is impossible to have fairness against fullymalicious adversaries (without any extra assumption). We consider twoparty protocols ${\Pi}^{0}=(C,S,O,n)$ where C denotes the client and S the server.
3. Secure TwoParty Quantum Computation
The first extension of VUBQC that we will explore refers to its use in order to construct a 2PQC protocol similar to the classical Yao protocol of [22]. We refer to this protocol as QYao, where the sendergarbler is called the client and the receiverevaluator is called the server. As in the Yao protocol, we assume that the client, when adversarial, is specious; however, we make no such assumption for the server, which is assumed to be fully malicious. In [22], the server needs to use OT in order to insert its input. We, instead, use a scheme to insert the quantum input that requires no such functionality. This is possible because we make the assumption that the client is specious, and in specific situations, a specious adversary is weaker than honestbutcurious (see Appendix B.1). For the specific case of classical input/output, one can modify our protocol to make it secure against the classical honestbutcurious adversary by replacing the input injection subprotocol (see below) with OT.
Our QYao protocol provides a onetime verifiable 2PQC similar to the classical setting as recently shown for the original Yao protocol in [40]. The speciousness of the client restricts any possible deviations on their side, while a malicious server would be detected through the hidden traps of the VUBQC protocol. The blindness property of VUBQC also guarantees that the server learns nothing before the client is certain that there was no deviation and returns the suitable keys for the decryption of the output.
The major difference that the QYao protocol has in comparison with regular VUBQC [25] is that the server needs to provide (part of) the input and at the end keeps (part of) the output. There are multiple ways to modify the VUBQC protocol; we use a direct approach at the cost of having two rounds of quantum communication during input preparation and two rounds of quantum communication during output readout. However, there is no quantum communication during the evaluation stage. Note that if we restrict the protocol to classical input/output, we would avoid all quantum communication apart from the initial and offline sending of prerotated qubits from the client to the server (but we would then need OT, as in the classical Yao, for the server to insert its input).
3.1. Server’s Input Injection
The qubits composing the DT(G)(see Figure 1) are prepared by the client. This is crucial in order to ensure that the server is blind about the positions of the traps. However, the server should somehow insert their input in the DT(G). For simplicity, we present here the case that there is a single qubit input, but it generalises trivially. To do so, the server encrypts its input using secret keys $({m}_{z,i},{m}_{x,i})$ and sends the state ${X}^{{m}_{x,i}}{Z}^{{m}_{z,i}}\left{\mathsf{\Phi}}_{S}\right.\u232a$ to the client, to insert it randomly in the corresponding baselocation. The state $\left{\mathsf{\Phi}}_{S}\right.\u232a$ is assumed to be pure as we have included its purification in the hands of the server. The client encrypts further the server’s input by applying an extra random $Z\left({\theta}_{i}^{\prime}\right)$ and an ${X}^{{x}_{i}^{\prime}}$ correction to obtain the state:
$$\begin{array}{c}\hfill {X}^{{x}_{i}^{\prime}}Z\left({\theta}_{i}^{\prime}\right){X}^{{m}_{x,i}}{Z}^{{m}_{z,i}}\left{\mathsf{\Phi}}_{S}\right.\u232a\end{array}$$
This extra encryption is needed in order to hide the future actual measurement of the input qubit (to be performed by the server) and ensure that no information about the position of the traps is leaked. Trap hiding also requires the client to return two extra qubits for the input insertion (see Figure 2) that will belong to trap graphs (called the whitegraph and blackgraph). The white qubit (which is a trap qubit) is prepared in a state $\left{\theta}_{k}\right.\u232a$, while the black qubit (which is a dummy qubit) is prepared in state $\left{d}_{j}\right.\u232a$. The three qubits will be randomly permuted by the client so that the server does not know which qubit is which. A similar procedure (with no communication from the server) is applied for client’s input qubits, as well as for all of the qubits corresponding to the gate computation (see Figure 2).
Finally, after the server has received all of the qubits, he/she announces the secret keys $({m}_{x,i},{m}_{z,i})$ for each input i to the client, so that the client can update the encryption for these qubits and have $({x}_{i},{\theta}_{i}):=\left({x}_{i}^{\prime}+{m}_{x,i},{(1)}^{{m}_{x,i}}{\theta}_{i}^{\prime}+\pi {m}_{z,i}\right)$. With the updated encryption, the client computes the suitable measurement angles ${\delta}_{i}$. It is worth pointing out that the key releasing step from server to client could be avoided by using classical OT to compute the measurement angles as a function of the secret parameters of the server ${\delta}_{i}({m}_{x,i},{m}_{z,i})$ for the first two layers (that have dependency on ${m}_{x,i},{m}_{z,i}$). To construct protocols dealing with a malicious client, the use of OTs may be necessary. For our case, however, the client is (weak) specious, and using OTs is not necessary.
3.2. Server’s Output Extraction
In the standard VUBQC protocol, the server returns all of the output qubits to the client. The client measures the final layer’s traps to check for any deviation and then obtains the output of the computation by decrypting the output computation qubits using their secret keys. In the 2PQC, part of the output (of known baselocations) should remain in the hands of the server. This, however, would not allow the client to check for the related traps (that could have effects on other output qubits). Similar to the input injection, the solution is obtained via an extra layer of encryption by the server followed by a delayed key releasing. The server will encrypt using two classical bits $({k}_{x},{k}_{z})$: ${E}_{k}\left(\left\psi \right.\u232a\right)={X}^{{k}_{x}}{Z}^{{k}_{z}}\left\psi \right.\u232a$, all of the output qubits that correspond to the server’s output baselocations and then return all of the output qubits to the client. Due to the encryption, the client obtains no information about the output of the server, while it now has access to all of the final trap qubits for the verification. The client returns to the server only the computation qubits corresponding to the server’s output baselocations, while keeping the traps and all of the qubits from other baselocations. The server reveals their keys (note that the client, being specious, has not kept the computation output qubits, because it would be impossible to reconstruct the ideal state by acting only on their systems). The client checks all of the traps and, if all of them are correct, reveals the final computation output keys to the server (${\theta}_{i},{r}_{i}$). The server undoes the padding to reveal their output.
3.3. The QYao Protocol
We combine Protocols 3 and 4 with the core VUBQC, Protocol 1, to obtain a secure twoparty protocol to compute unitaries given as Protocol 5. An illustration of a simple example is given in Appendix C.1.
Protocol 3 Server’s input injection 
Setting: • The server has input $\left{\mathsf{\Phi}}_{S}\right.\u232a$ that corresponds to specific positions ${I}_{S}$ of the input layer of the basegraph. For each i qubit, server chooses pair of secret bits $({m}_{x,i},{m}_{z,i})$. Instructions:
Outcome: • The server receives a DT(G), where the quantum input is the joint input of the client and server and the related measurement angles instructions perform the desired unitary operation, if the client is honest. 
Protocol 4 Server’s output extraction. 
Setting: • The server has the state ${\mathrm{Tr}}_{C}\left(\left\psi \left(f\right)\right.\u232a\right)$ at the corresponding positions ${O}_{S}$ of their output baselocations of the DT(G). For each i qubit, server chooses pair of secret bits $({m}_{x,i},{m}_{z,i})$. Instructions:
Outcome: • The server obtains the computation qubits of their output baselocations unpadded ${\mathrm{Tr}}_{C}\left(U({\left\mathsf{\Psi}\right.\u232a}_{C},{\left\mathsf{\Phi}\right.\u232a}_{S})\right)$. 
Theorem 1 (Correctness).
If both the client and server follow the steps of Protocol 5, then the output is correct, and the computation is accepted.
Proof.
If the client and server follow Protocol 5, after Step 1, where the server injected its input, we are in exactly the same situation as in Protocol 1, with (overall) input ${\rho}_{in}={\left\mathsf{\Psi}\right.\u232a}_{C}\otimes {\left\mathsf{\Phi}\right.\u232a}_{S}$.
During Step 2, the client and server run exactly Protocol 1, and the correctness follows from the correctness of that protocol; the proof is given in [25]. The positions of dummies result in having isolated traps measured on the correct basis, and thus, there is never an abort. From the remaining qubits, one copy of the dotted basegraph G, where the measurement pattern ${\mathbb{M}}_{\mathrm{Comp}}$ is applied, results in the state ${E}_{{k}^{S},{k}^{C}}(U\xb7{\rho}_{in})$. This is the honest global final state, encrypted with keys of both the client (secret parameters) and the server (the padding $({m}_{x,i},{m}_{z,i})$ from the output extraction protocol, which applies to server’s output registers only).
Protocol 5 Secure 2PQCQYao. 
Input:
Output:
The protocol

During Step 3, the client keeps the registers of its output, while returning the registers of the server’s output. The protocol finishes with the server returning its keys $({m}_{x,i},{m}_{z,i})$ to the client (to check for traps), while the client returns the keys (secret parameters) involved with the final decryption of the server’s output registers. ☐
Since the protocol we give is generic for any quantum computation, the complexity of the 2PQC protocol with respect to the input size depends on the specific computation/algorithm used, and it is against this that it should be compared. At this point, we should stress that the number of qubits required for the 2PQC protocol is exactly the same as those to perform the same computation using VUBQC where all input and output are of the client. From [25], the number of qubits and classical messages to be exchanged is linear to the number of qubits required to perform the quantum computation using MBQC (i.e., without blindness or verification). Finally, the only extra “cost” for 2PQC is the extra quantum communication (and related classical exchanges) during the input injection and the output extraction. This extra communication is simply one extra qubit communication per server input qubits and similarly one extra qubit communication per server output qubit.
Due to the simple composition of input injection and output extraction, the verification property of our QYao is directly inherited from the VUBQC. We prove this first, before presenting and proving the main privacy property of the QYao protocol in the next section (which exploits the verifiability).
Definition 6.
We define a 2PQC protocol to be $\u03f5$verifiable for the client, if for any (potentially malicious) server, the probability of obtaining a corrupt output and not an abort is bounded by ϵ. The output of the real protocol with malicious server $\tilde{S}$ is $\tilde{\rho}(\tilde{S},{\rho}_{in})$, and we have:
where
and ${\mathcal{C}}_{{\mathcal{H}}_{S}}$ is the deviation that acts on the server’s systems after it receives its outcome (a CPmap, but can be purified if we include ancilla). Furthermore, ${\rho}_{in}^{\prime}=({\mathbb{I}}_{{\mathcal{H}}_{C}}\otimes {D}_{{\mathcal{H}}_{S}})\xb7{\rho}_{in}$ is an initial state compatible with the client’s input, with ${D}_{{\mathcal{H}}_{S}}$ the deviation on the input by the server.
$$\begin{array}{ccc}\hfill \Delta (\tilde{\rho}(\tilde{S},{\rho}_{in}),{\rho}_{ideal}\left({\rho}_{in}^{\prime}\right))& \le & \u03f5\hfill \end{array}$$
$$\begin{array}{ccc}{\rho}_{ideal}\left({\rho}_{in}\right)\hfill & :=\hfill & {p}_{ok}({\mathbb{I}}_{{\mathcal{H}}_{C}}\otimes {\mathcal{C}}_{{\mathcal{H}}_{S}})\xb7U\xb7\left({\rho}_{in}\right)+(1{p}_{ok})\left(\leftfail\right.\u232a\left.\u2329fail\right\right)\hfill \end{array}$$
We should note that the server can always choose any input from its side, and the security of the protocol is defined with respect to this “deviated” input. Moreover, since the deviation ${\mathcal{C}}_{{\mathcal{H}}_{S}}$ is performed at the final step of the protocol, we also have that the global state (before that deviation, i.e., at step $n1$) obeys:
where
$$\begin{array}{ccc}\hfill \Delta ({\tilde{\rho}}^{n1}(\tilde{S},{\rho}_{in}),{\rho}_{ideal}^{n1}\left({\rho}_{in}^{\prime}\right))& \le & \u03f5\hfill \end{array}$$
$$\begin{array}{ccc}{\rho}_{ideal}^{n1}\left({\rho}_{in}\right)\hfill & :=\hfill & {p}_{ok}U\xb7\left({\rho}_{in}\right)+(1{p}_{ok})\left(\leftfail\right.\u232a\left.\u2329fail\right\right)\hfill \end{array}$$
Theorem 2 (ϵverification for the client).
Protocol 5 is ϵverifiable for the client, where $\u03f5={\left(\frac{8}{9}\right)}^{d}$ and $d=\lceil \frac{\delta}{2(2c+1)}\rceil $, c is the maximum degree of the base graph and δ is the number of errors tolerated on the base graph G.
Proof.
In order to prove the verifiability for the client, we assume that the client is honest, while the server is malicious.
During Step 1 of Protocol 5, the server sends his/her input and also gives the keys of the onetime padding encryption $({m}_{x,i},{m}_{z,i})$ from the input injection phase. It follows that any deviation on these affects only the computation qubits of the server’s input baselocation; in other words, it results in a state: ${\rho}_{in}^{\prime}=({\mathbb{I}}_{{\mathcal{H}}_{C}}\otimes {D}_{{\mathcal{H}}_{S}})\xb7{\rho}_{in}$
During Step 2, the protocol proceeds exactly as the VUBQC, Protocol 1, with the only difference that the qubits with the baselocation of the server’s output have an extra encryption with keys known to the server. This means that the client delays the measurement of the traps in those baselocations, until the next step, where it receives from the server these keys. Note, however, that the client can already check all of the past traps and the ones corresponding to baselocation of the clients’ output.
In Step 3, the server returns the keys $({m}_{x,i},{m}_{z,i})$ for all of its output baselocations qubit and also receives the computation qubits of those baselocations encrypted with both the client’s and server’s keys. Any deviation by the server at this stage either returns different (wrong) keys to the client or acts only on the server’s output. Returning wrong keys increases the chance of an abort, but in any case, it is equivalent to this deviation happening before the return of the output to the server. The only remaining, extra deviation is a possible deviation acting on the computation output qubits of the server, i.e., a deviation of the form $({\mathbb{I}}_{{\mathcal{H}}_{C}}\otimes {\mathcal{C}}_{{\mathcal{H}}_{S}})$.
It follows that this protocol has the same verification properties as Protocol 1, with the modified input and (server’s part) of the output given by Equation (6). From [25], we have that Protocol 1 is $\u03f5$verifiable with $\u03f5={\left(\frac{8}{9}\right)}^{d}$ and $d=\lceil \frac{\delta}{2(2c+1)}\rceil $, and this completes the proof. ☐
It is worth mentioning that this verification property essentially restricts the server to behave similarly as a specious adversary, with the extra ability to abort the protocol.
4. Proof of the Privacy of the QYao Protocol
Recall that we defined a protocol to be secure if no possible adversary in any step of the protocol can distinguish whether it interacts with the real protocol or with a simulator that has access only to the ideal functionality (see Definition 4).
Theorem 3.
The QYao protocol, Protocol 5, which is ${\u03f5}_{1}$verifiable for the client, is $O\left(\sqrt{{\u03f5}_{2}}\right)$private against an ${\u03f5}_{2}$specious client and ${\u03f5}_{1}$private against a malicious server.
To prove the theorem, we need to introduce simulators for each step of the protocol and each possible adversary. Below, we define those simulators and prove that they are as close to the real protocol as requested from Theorem 3. Since in our setting, the two parties have different roles and maliciousness, we consider the simulators for each party separately.
4.1. Client’s Simulators
The client is $\u03f5$specious, and this means that for each step i, there exist a map ${\mathcal{T}}_{i}:L\left({\mathcal{H}}_{{\tilde{V}}_{i}}\right)\to L\left({\mathcal{H}}_{{V}_{i}}\right)$, such that:
$$\begin{array}{c}\hfill \Delta \left(({\mathcal{T}}_{i}\otimes \mathbb{I})\left({\tilde{\rho}}_{i}(\tilde{V},{\rho}_{in})\right),{\rho}_{i}\left({\rho}_{in}\right)\right)\le \u03f5\end{array}$$
Following the proof of the “rushing lemma” of [21], we obtain a similar lemma for each step of the protocol, where it shows that there is no extra information stored in the ancillas of the specious adversary:
Lemma 1 (Noextra information).
Let ${\Pi}_{U}=(A,B,n)$ be a correct protocol for the twoparty evaluation of U. Let $\tilde{A}$ be any ϵspecious adversary. Then, there exists an isometry ${T}_{i}:{\tilde{A}}_{i}\to {A}_{i}\otimes \widehat{A}$ and a (fixed) mixed state $\widehat{{\rho}_{i}}\in D\left(\widehat{{A}_{i}}\right)$, such that for all joint input states ${\rho}_{in}$,
where ${\rho}_{i}\left({\rho}_{in}\right)$ is the state in the honest run and ${\tilde{\rho}}_{i}(\tilde{A},{\rho}_{in})$ is the real state (with the specious adversary $\tilde{A}$).
$$\begin{array}{c}\hfill \Delta \left(({T}_{i}\otimes \mathbb{I})\left({\tilde{\rho}}_{i}(\tilde{A},{\rho}_{in})\right),\widehat{{\rho}_{i}}\otimes {\rho}_{i}\left({\rho}_{in}\right)\right)\le 12\sqrt{2\u03f5}\end{array}$$
Proof.
This proof follows closely the proof of the “rushing lemma” of [21], where one can find further details. For simplicity, we assume pure ${\rho}_{in}$ (where it holds in general by convexity). Consider two different states $\left{\psi}_{1}\right.\u232a,\left{\psi}_{2}\right.\u232a$ in ${\mathcal{A}}_{0}\otimes {\mathcal{B}}_{0}\otimes \mathcal{R}$, and we extend the space ${\mathcal{R}}^{\prime}=\mathcal{R}\otimes {\mathcal{R}}_{2}$ with ${\mathcal{R}}_{2}=\mathrm{span}\{\left0\right.\u232a,\left1\right.\u232a\}$. We define the state $\left\psi \right.\u232a=1/\sqrt{2}(\left{\psi}_{1}\right.\u232a\left1\right.\u232a+\left{\psi}_{2}\right.\u232a\left2\right.\u232a)$. Due to the speciousness of $\tilde{A}$ and using Ulmann’s theorem, there is an isometry ${T}_{i}:{\tilde{\mathcal{A}}}_{i}\to {\mathcal{A}}_{i}\otimes \widehat{\mathcal{A}}$ and a state $\tilde{\rho}\in D\left(\widehat{\mathcal{A}}\right)$, such that:
$$\begin{array}{c}\hfill \Delta \left(({T}_{i}\otimes \mathbb{I})\xb7\tilde{{\rho}_{i}}(\tilde{A},\psi ),\tilde{\rho}\otimes {\rho}_{i}\left(\psi \right)\right)\le 2\sqrt{2\u03f5}\end{array}$$
The state $\tilde{\rho}$ in general is not independent of the input $\psi $, so there are a few more steps required. By noting that the projection and partial trace are trace nonincreasing maps (by projecting on the $\left1\right.\u232a$ subspace and tracing out the ${\mathcal{R}}^{\prime}$ subspace), we obtain:
and similarly for ${\psi}_{2}$. We repeat the same using ${\psi}_{1},{\psi}_{3}$ and with initial state $\left{\psi}^{\prime}\right.\u232a=1/\sqrt{2}(\left{\psi}_{1}\right.\u232a\left1\right.\u232a+\left{\psi}_{3}\right.\u232a\left2\right.\u232a)$ and obtain:
$$\begin{array}{c}\hfill \Delta \left(({T}_{i}\otimes \mathbb{I})\xb7\tilde{{\rho}_{i}}(\tilde{A},{\psi}_{1}),\tilde{\rho}\otimes {\rho}_{i}\left({\psi}_{1}\right)\right)\le 4\sqrt{2\u03f5}\end{array}$$
$$\begin{array}{c}\hfill \Delta \left(({T}_{i}\otimes \mathbb{I})\xb7\tilde{{\rho}_{i}}(\tilde{A},{\psi}_{1}),\tilde{{\rho}^{\prime}}\otimes {\rho}_{i}\left({\psi}_{1}\right)\right)\le 4\sqrt{2\u03f5}\end{array}$$
By the triangular inequality, we get $\Delta (\tilde{\rho},\tilde{{\rho}^{\prime}})\le 8\sqrt{2\u03f5}$. This means that for any state $\left\chi \right.\u232a$, there exists a state $\widehat{\rho}\in \widehat{\mathcal{A}}$ with $\Delta (\tilde{\rho},\widehat{\rho})\le 8\sqrt{2\u03f5}$, such that:
and the lemma follows by using once more the triangle inequality. ☐
$$\begin{array}{c}\hfill \Delta \left(({T}_{i}\otimes \mathbb{I})\xb7\tilde{{\rho}_{i}}(\tilde{A},\chi ),\widehat{\rho}\otimes {\rho}_{i}\left(\chi \right)\right)\le 4\sqrt{2\u03f5}\end{array}$$
Before introducing the simulators, we give some intuitive arguments. The client, during the inputinjection step, receives a fullyonetime padded quantum state, while in later steps (up until the last), it has no legitimate quantum state (all of the quantum states are in the server’s side). Therefore, using the above lemma, we can already see that the client has no information about the actual quantum state during any step before the last. This is illustrated by the fact that the simulators for these steps can run the honest protocol with a random (but fixed) input, and the client’s view is the same (they cannot distinguish a run with the correct or different input in any step before the last). The simulator for the final step (after receiving the quantum states from the server) is more subtle, as it necessarily involves a call to the ideal functionality.
Proof of Theorem 3.
Simulator upon receiving the server’s encoded input: There is a full onetime pad on the server’s input; thus, a simulator can use a random fixed state ${\phi}^{\ast}$ instead of the real state ${\mathrm{Tr}}_{C}\left({\rho}_{in}\right)$, and the client cannot distinguish them.
Simulator after returning the server’s input and before receiving output: The simulator runs the honest protocol using instead of ${\rho}_{in}$ a fixed random input ${\phi}^{\ast}$. The honest state with input $\chi $ at this stage is:
where ${\sigma}_{i}\left(\chi \right)$ is the evolution of the input state, when the gates corresponding to the ith step have been performed (here, we collectively call the secret parameters used to encrypt the state in each step as ${k}_{i}$). Later, we will be more specific about the different secret parameters. Furthermore, ${d}_{i},{\theta}_{{t}_{i}}$ are the dummy and trap qubits of the ith layer (we can include the qubits of future layers, as well with no difference in the remaining argument). It is easy to see that the reduced state on the client’s side ${\mathcal{H}}_{C}$ is independent of the input state $\chi $. The simulator is then constructed:
as ${T}_{i}^{\u2020}$ does not acts on ${\mathcal{H}}_{{S}_{i}}$ and thus commutes with the partial trace, while tracing out ${\mathcal{H}}_{{S}_{i}}$ leaves the reduced state independent from the input (see Equation (14)). Since isometries leave invariant the trace distance, while the partial trace is nonincreasing, we use Equation (9), and we have:
Simulator after receiving client’s output: First, we need to introduce some notation and conventions:
$$\begin{array}{cc}\hfill {\rho}_{i}\left(\chi \right)& :=\hfill \\ & {\left(\left{k}_{i}\right.\u232a\left.\u2329{k}_{i}\right\otimes \left{b}_{i}\right.\u232a\left.\u2329{b}_{i}\right\right)}_{{\mathcal{H}}_{C}}\otimes {\left({E}_{{k}_{i}}\left({\sigma}_{i}\left(\chi \right)\right)\otimes \left{d}_{i}\right.\u232a\left.\u2329{d}_{i}\right\otimes \left{+}_{{\theta}_{{t}_{i}}}\right.\u232a\left.\u2329{+}_{{\theta}_{{t}_{i}}}\right\right)}_{{\mathcal{H}}_{S}}\hfill \end{array}$$
 The simulator runs the protocol with fixed but random input ${\phi}^{\ast}$, to obtain ${\rho}_{i}\left({\phi}^{\ast}\right)$.
 The simulator obtains the fixed state $\widehat{{\rho}_{i}}$ and the isometry ${T}_{i}$, which are both independent of the input.
 The simulated view is then defined to be:$$\begin{array}{c}\hfill {\nu}_{i}(\tilde{C},{\rho}_{in}):={\mathrm{Tr}}_{{\mathcal{H}}_{{S}_{i}}}\left(({T}_{i}^{\u2020}\otimes \mathbb{I})(\widehat{{\rho}_{i}}\otimes {\rho}_{i}\left({\phi}^{\ast}\right))\right)\end{array}$$
$$\begin{array}{c}\hfill {\nu}_{i}(\tilde{C},{\rho}_{in})={\mathrm{Tr}}_{{\mathcal{H}}_{{S}_{i}}}\left(({T}_{i}^{\u2020}\otimes \mathbb{I})(\widehat{{\rho}_{i}}\otimes {\rho}_{i}\left({\rho}_{in}\right))\right)={\mathrm{Tr}}_{{\mathcal{H}}_{{S}_{i}}}\left(({T}_{i}^{\u2020}\otimes \mathbb{I})(\widehat{{\rho}_{i}}\otimes {\rho}_{i}\left({\phi}^{\ast}\right))\right)\end{array}$$
$$\begin{array}{c}\hfill \Delta \left({\mathrm{Tr}}_{{\mathcal{H}}_{{S}_{i}}}\left({\tilde{\rho}}_{i}(\tilde{C},{\rho}_{in})\right),{\nu}_{i}(\tilde{C},{\rho}_{in})\right)\le 12\sqrt{2\u03f5}\end{array}$$
 By ${k}^{S},{k}^{C}$, we define the padding of the server’s and client’s output, respectively. In more detail, these keys are functions of the trapcolouring (trap positions) of the last layer, the rotations $\theta $, the secret parameters r’s and measurement results b’s of the previous two layers. We collectively denote the rest, i.e., all of the other secret keys, as ${k}^{R}$.
 We also assume that the classical measurement outcomes b’s are in the Hilbert space of the client, while being classical and public, could be copied to the server’s Hilbert space as well (adding this copy does not affect the client’s simulators and complicates the notation). Moreover, classical results corresponding to trap measurements are denoted ${b}_{t}$, while other results are simply denoted b. The trap measurements outcomes (in the honest run) are ${b}_{t}={r}_{t}$, where ${r}_{t}$ is one of the secret parameters included in ${k}^{R}$.
 The final layer (unmeasured) qubits are separated into: (i) output qubits (those of the server and the client; and it includes the purification of their inputs), (ii) dummy qubits collectively denoted ${d}^{S},{d}^{C}$ for server/client unmeasured dummies and (iii) trap qubits denoted as ${\theta}_{t}^{S},{\theta}_{t}^{C}$. The dummies and trap qubits are in the tensor product with the rest (in the honest run).
 The Hilbert spaces containing the output qubits (and the related purification of honest run) are denoted ${\mathcal{H}}_{{S}_{o}},{\mathcal{H}}_{{C}_{o}}$, while the remaining qubits are ${\mathcal{H}}_{S},{\mathcal{H}}_{C}$.
 For brevity, we denote $\left[b\right]:=\leftb\right.\u232a\left.\u2329b\right$ and use the analogous notation for other states.
With the above notations, the honest run of the protocol at this step, with some input $\chi $, is:
$$\begin{array}{ccc}\hfill {\rho}_{i}\left(\chi \right)& =& {\left({E}_{{k}_{i}^{C},{k}_{i}^{S}}\left(U\left(\chi \right)\right)\right)}_{{\mathcal{H}}_{{C}_{o}}\otimes {\mathcal{H}}_{{S}_{o}}}\hfill \\ & & \otimes {\left(\left[{k}^{S}\right]\otimes \left[{k}^{C}\right]\otimes \left[{k}^{R}\right]\otimes \left[b\right]\otimes \left[{b}_{t}\right]\otimes \left[{d}^{C}\right]\otimes \left[{\theta}_{t}^{C}\right]\right)}_{{\mathcal{H}}_{C}}\hfill \\ & & \otimes {\left(\left[{d}^{S}\right]\otimes \left[{\theta}_{t}^{S}\right]\right)}_{{\mathcal{H}}_{S}}\hfill \end{array}$$
We define:
$$\begin{array}{ccc}\hfill \varrho (\chi ,{k}^{C},{k}^{S})& :=& {\left({E}_{{k}_{i}^{C},{k}_{i}^{S}}\left(U\left(\chi \right)\right)\right)}_{{\mathcal{H}}_{{C}_{o}}\otimes {\mathcal{H}}_{{S}_{o}}}\hfill \\ \hfill \sigma & :=& {\left(\left[{k}^{S}\right]\otimes \left[{k}^{C}\right]\otimes \left[{k}^{R}\right]\otimes \left[b\right]\otimes \left[{b}_{t}\right]\otimes \left[{d}^{C}\right]\otimes \left[{\theta}_{t}^{C}\right]\right)}_{{\mathcal{H}}_{C}}\otimes {\left(\left[{d}^{S}\right]\otimes \left[{\theta}_{t}^{S}\right]\right)}_{{\mathcal{H}}_{S}}\hfill \\ \hfill {\rho}_{i}\left(\chi \right)& =& \varrho (\chi ,{k}^{C},{k}^{S})\otimes \sigma \hfill \end{array}$$
It is worth pointing out that $\sigma $ is independent of the input $\chi $. Now, the simulator is constructed in the following steps:
 The simulator obtains from the client the choice of secret keys ${k}^{C},{k}^{S},{k}^{R}$ (that can be viewed as part of the client’s input).
 The simulator sets ${b}_{t}={r}_{t}$. For the other measurement outcomes b, the simulator chooses randomly a bit value (to ensure that the b’s obtained are indistinguishable from the real honest protocol, the simulator can run the full protocol with some random input $\phi $. Since in the honest run, the values of b’s do not depend on (are not correlated to) the input, the outcomes that the simulator returns would be indistinguishable from those of a run with the correct input. Finally, speciousness ensures that this state is also close to the real protocol).
 The simulator, using the previous steps, constructs the state $\sigma $.
 The simulator uses the state $\widehat{{\rho}_{i}}$ from Lemma 1 for the ith step, which is a fixed state (independent of the input).
 The simulator calls the ideal functionality and receives the state ${\mathrm{Tr}}_{{\mathcal{H}}_{{S}_{o}}}\left({\rho}_{i}\left({\rho}_{in}\right)\right)$.
 The simulator uses the keys and the state received from the ideal functionality and constructs ${\mathrm{Tr}}_{{\mathcal{H}}_{{S}_{o}}}\left(\varrho ({\rho}_{in},{k}^{C},{k}^{S})\right)$.
 The simulator obtains the operator ${\mathcal{T}}_{i}$ from the definition of specious and constructs the isometry ${T}_{i}$ acting from ${\mathcal{H}}_{\tilde{C}}\to {\mathcal{H}}_{C}\otimes {\mathcal{H}}_{\widehat{C}}$.
 The simulated view is then:$$\begin{array}{c}\hfill \nu (\tilde{C},{\rho}_{in}):={\mathrm{Tr}}_{{\mathcal{H}}_{S}}\left(({T}_{i}^{\u2020}\otimes \mathbb{I})\left(\widehat{{\rho}_{i}}\otimes {\mathrm{Tr}}_{{\mathcal{H}}_{{S}_{o}}}\left(\varrho ({\rho}_{in},{k}^{C},{k}^{S})\right)\otimes \sigma \right)\right)\end{array}$$
It is clear that in all of this construction, ${\rho}_{in}$ appears only through ${\mathrm{Tr}}_{{\mathcal{H}}_{{S}_{o}}}\left({\rho}_{i}\left({\rho}_{in}\right)\right)$, which is the ideal output of the client. Now, we prove that this simulated view is $\delta $close to the view of the client in the real protocol.
We start from Equation (9), and we obtain:
$$\begin{array}{c}\hfill \Delta \left({\mathrm{Tr}}_{{\mathcal{H}}_{S},{\mathcal{H}}_{{S}_{o}}}\left({\tilde{\rho}}_{i}(\tilde{C},{\rho}_{in})\right),{\mathrm{Tr}}_{{\mathcal{H}}_{S},{\mathcal{H}}_{{S}_{o}}}\left(\left({T}_{i}^{\u2020}\otimes \mathbb{I}\right)\left(\widehat{{\rho}_{i}}\otimes {\rho}_{i}\left({\rho}_{in}\right)\right)\right)\right)\le 12\sqrt{2\u03f5}\end{array}$$
Now, since ${T}_{i}^{\u2020}$ does not act on either of the server’s Hilbert spaces, it commutes with the partial trace (see Appendix D). We can then see that:
and this concludes the first part of the proof, as we have a $\left(12\sqrt{2\u03f5}\right)$private protocol.
$$\begin{array}{c}\hfill \nu (\tilde{C},{\rho}_{in})={\mathrm{Tr}}_{{\mathcal{H}}_{S},{\mathcal{H}}_{{S}_{o}}}\left(\left({T}_{i}^{\u2020}\otimes \mathbb{I}\right)\left(\widehat{{\rho}_{i}}\otimes {\rho}_{i}\left({\rho}_{in}\right)\right)\right)\end{array}$$
☐
4.2. Server’s Simulators
Our QYao protocol is secure against a fullymalicious server that can deviate in any possible way and can also cause an abort. We will use the fact that the QYao protocol is $\u03f5$verifiable for the client, i.e., Equations (6) and (7) hold. In many classical protocols, to prove security against malicious adversaries, one has to restrict his or her actions to essentially honestbutcurious adversaries. Here, the verification property plays such a role, as the condition obtained can be used in a similar way as the speciousness of the client.
We can see that, before the client sends the secret parameters, the server is totally blind, i.e., the server’s reduced state at all times is the totally mixed state (for all qubits in the DT(G), including their own input qubits, after they are injected). This is highlighted by the fact that one can run the full protocol (before releasing the keys), without choosing the (client’s) input (see simulator below). After receiving the keys from the client, to simulate the server’s view, we need a call to the ideal functionality and, at this point, to use Equation (6).
Continuation of the proof of Theorem 3:
Simulator before receiving keys: The simulator, instead of sending qubits in one of these states $\{\left{+}_{\theta}\right.\u232a,\left0\right.\u232a,\left1\right.\u232a\}$, sends one side of an EPRpair $\left\psi \right.\u232a=\frac{1}{\sqrt{2}}(\left01\right.\u232a+\left10\right.\u232a)$ for each qubit to the server; then chooses an angle ${\delta}_{i}$ at random for each of the measurement angles. The simulator can measure (if it wishes) its qubits (of the EPR pairs) in a suitable way and angles that insert any input it wishes and performs any computation. This can be done after all measurements of the server have taken place (see [14]). It follows that the server cannot obtain any information about the client’s input.
Simulator after receiving keys: The simulator is constructed using the following steps:
 The simulator prepares multiple Bell states $\left\psi \right.\u232a=\frac{1}{\sqrt{2}}(\left01\right.\u232a+\left10\right.\u232a)$, sends the one qubit of each pair to the server and instructs them to entangle the qubits as it would in the normal protocol.
 The simulator for each qubit chooses randomly an angle ${\delta}_{i}$ and instructs the server to measure in this angle.
 The simulator obtains from the server’s (malicious) strategy the parameter ${p}_{ok}$ (see Equation (6)).
 With probability $(1{p}_{ok})$, the simulator returns an abort. Otherwise, it performs the remaining steps.
 The simulator calls the ideal functionality and obtains the state ${\mathrm{Tr}}_{{\mathcal{H}}_{C}}\left(U\left({\rho}_{in}^{\prime}\right)\right)$, where ${\rho}_{in}^{\prime}=({\mathbb{I}}_{{\mathcal{H}}_{C}}\otimes {D}_{{\mathcal{H}}_{S}})\xb7{\rho}_{in}$ is the deviated input that the corrupted server inputs.
 The simulator encrypts the outcome using ${k}^{S}$, and sends the output qubits of the server back in the state: ${E}_{{k}^{S}}\left({\mathrm{Tr}}_{{\mathcal{H}}_{C}}\left(U\left({\rho}_{in}^{\prime}\right)\right)\right)$
 The simulator returns the keys ${k}^{S}$ to the server.
The last step of the protocol is that the server decrypts its output. The decryption is denoted as ${D}_{{k}^{S}}(\xb7)$, where we have by definition that ${D}_{{k}^{S}}\left({E}_{{k}^{S}}(\xb7)\right)=\mathbb{I}$. It follows that the server’s view of the real protocol after the key exchange is:
$$\begin{array}{c}\hfill {\mathrm{Tr}}_{{\mathcal{H}}_{C}}\left({E}_{{k}^{S}}\left({\tilde{\rho}}^{n1}(\tilde{S},{\rho}_{in}^{\prime})\right)\right)\end{array}$$
From Equation (7), we obtain:
as the partial trace is a distance nonincreasing operation. Using the definition of ${\rho}_{ideal}^{n1}\left({\rho}_{in}^{\prime}\right)$ from Equation (7), we see that:
$$\begin{array}{c}\hfill \Delta \left({\mathrm{Tr}}_{{\mathcal{H}}_{C}}\left({E}_{{k}^{S}}\left({\tilde{\rho}}^{n1}(\tilde{S},{\rho}_{in})\right)\right),{\mathrm{Tr}}_{{\mathcal{H}}_{C}}\left({E}_{{k}^{S}}\left({\rho}_{ideal}^{n1}\left({\rho}_{in}^{\prime}\right)\right)\right)\right)\le \u03f5\end{array}$$
$$\begin{array}{ccc}\hfill {\mathrm{Tr}}_{{\mathcal{H}}_{C}}\left({E}_{{k}^{S}}\left({\rho}_{ideal}^{n1}\left({\rho}_{in}^{\prime}\right)\right)\right)& =& {\mathrm{Tr}}_{{\mathcal{H}}_{C}}\left({E}_{{k}^{S}}\left({p}_{ok}U\xb7\left({\rho}_{in}^{\prime}\right)+(1{p}_{ok})\left(\leftfail\right.\u232a\left.\u2329fail\right\right)\right)\right)\hfill \\ \hfill {\mathrm{Tr}}_{{\mathcal{H}}_{C}}\left({E}_{{k}^{S}}\left({\rho}_{ideal}^{n1}\left({\rho}_{in}^{\prime}\right)\right)\right)& =& \nu (\tilde{P},{\rho}_{in})\hfill \end{array}$$
We have now proven that the simulated view is $\u03f5$close to the real view of the server, just after the key exchange, thus proving that the protocol is $\u03f5$private against malicious server $\tilde{S}$. ☐
5. NonInteractive QYao
Following the classical approach of [24], we exploit our QYao protocol to construct the onetime program. To do so, we simply need to remove the classical online communication of the QYao protocol using the classical hardware primitive of secure “onetime memory” (OTM), which is essentially a noninteractive oblivious transfer. The obtained onetime quantum programs can be executed only once, where the input can be chosen at any time. Classically, the challenge in lifting the Yao protocol for twoparty computation to the onetime program was the issue of the malicious adversary. However, our QYao protocol is already secure against a malicious evaluator without any extra primitive or added overhead.
Recall that the interaction in our QYao is required for two reasons. First, from the server’s perspective, this is done to obtain the measurement angles ${\delta}_{i}$ that perform the correct computation, while these could not be computed offline as they depend on the measurement outcomes ${b}_{j<i}$ of certain qubits measured before i, but after the preparation stage (and on secret parameters $({\theta}_{i},{r}_{i},{r}_{j<i},T)$ and computation angle ${\varphi}_{i}$ that are known from start). Second, from the client’s perspective, the results of measurements needed to be provide with a “proof” that the output is correct, by testing for deviation from the trap outcomes.
Removing the interaction: An obvious solution for the first issue raised is to have the client compute ${\delta}_{i}$ for all combinations of previous outcomes ${b}_{j<i}$ and then store in an OTM the different values, while the server chooses and learns the entry of the OTM corresponding to the outcomes obtained. This solution, at first, appears to suffer from an efficiency issue as one may think that for each qubit, the client needs to compute ${\delta}_{i}$ for all combinations of past outcomes, which grows exponentially (as would the size of the OTM used). However, a closer look at the dependencies of corrections in MBQC for the typical graphs used shows that the measurement angle of qubit i depends on at most a constant number of qubits. Those dependencies are within the two previous “layers” (past neighbours or past neighbours of past neighbours). This is evident from the flow construction [41,42], which guarantees that corrections can be done, and the explicit form of dependencies involves only neighbours and nextto neighbours in the graph G. A flow is defined by a function ($f:{O}^{c}\to {I}^{c}$) from measured qubits to noninput qubits and a partial order $(\u2aaf)$ over the vertices of the graph such that $\forall i:i\u2aaff\left(i\right)$ and $\forall j\in {N}_{G}\left(i\right):f\left(i\right)\u2aafj$, where ${N}_{G}\left(i\right)$ denotes the neighbours of i in G. Each qubit i is Xdependent on ${f}^{1}\left(i\right)$ and Zdependent on all qubits j, such that $i\in {N}_{G}\left(j\right)$.
Definition 7 (Past of qubit i).
We define ${P}_{i}={Z}_{i}\cup {X}_{i}$ to be the set of qubits j that have X or Z dependency on i.
Definition 8 (Influencepast of qubit i).
We define influencepast ${c}_{i}$ of qubit i to be an assignment of an outcome ${b}_{j}\in \{0,1\}$ for all qubits $j\in {P}_{i}$.
For each influencepast ${c}_{i}$, there exists a unique value of ${\delta}_{i}\left({c}_{i}\right)$. While ${c}_{i}$ provides all of the necessary dependencies for the client to compute ${\delta}_{i}$, this is not known to the server. This could be problematic, as the server is expected to open the OTM using the past outcomes with a labelling consistent with its own knowledge. The true dependencies depend on the actual flow of the computation, which is hidden from the server, as the positions of dummies (that break the DT(G) to the three graphs) are not known to the server. From here on, we restrict attention to DT(G). This is resolved by defining:
Definition 9 (Extendedpast of qubit i).
We define the extended past $E{P}_{i}$ of qubit i to be the set of all qubits that for some trapcolouring are in the past of i.
Similarly we define the extendedinfluencepast (EIP) of qubit i (it is clear that ${\delta}_{i}$ has trivial dependency on all outcomes of EIP that are not in the actual influencepast). The extended past has also finite cardinality, as it is evident that the only qubits that can affect a qubit with baselocation i are those that belong to (the finite) baselocations that contain the qubits that have true dependency (i.e., neighbours or nextto neighbours baselocations).
Ensuring verification: The interaction is also important from the clients’ perspective, in order to verify that the server did not deviate. Again, one could naively suggest that the server can return all of the measurement outcomes at the end. However, this suffers from a potential attack (not present in normal VUBQC). The underlying reason is that there is nothing to force the server to commit that the ${b}_{i}$’s that will return are the same as the ones used for selecting measuring angles. For example, the server measures Qubit 1 at ${\delta}_{1}$ and obtains ${b}_{1}$ (which will be returned at the end), but uses ${b}_{1}^{\prime}={b}_{1}\oplus 1$ when opening the OTM corresponding to qubit j where $1\in E{P}_{j}$. If qubit j is a computation qubit, this leads to measuring at a wrong angle, while if qubit j is a trap qubit, it has no (real) dependence on ${b}_{1}$; thus, the angle recovered is the correct one, and the server never causes an abort, while corrupting the computation. To avoid this problem, we introduce a method that uses some flag bitstring ${l}_{i}$.
The client provides for each qubit the angle ${\delta}_{i}$ and a flag bitstring ${l}_{i}$ of length m. This flag bitstring is a (onetimepadded) flag of whether a trap failed in the (extended) past of qubit i or not. At the final step of the protocol, the server returns the final layer qubits and all of the flags ${l}_{i}$. Here, we will denote ${b}_{j;i}$ to mean the outcome of qubit j measurement that the client uses for the computation of the measurement angle for qubit i, i.e., the value of ${b}_{j}$ selected by the server when opening the ith OTM.
For each qubit i, the client chooses uniformly at random an mbit string ${l}_{i}^{0}$ to denote that none of its past qubits ($j\in {P}_{i}$) was a failed trap. The string ${l}_{i}^{0}$ will be called the “accept” flag, while all other strings ${l}_{i}\ne {l}_{i}^{0}$ are the “reject” flags. The OTMs are prepared according to Protocol 6.
According to this protocol, the flag that the server obtains when opening the OTM at qubit i, is rejected if and only if in the extended past of this qubit, there is a failed trap outcome (we can see that returning a wrong outcome for some measurement ${b}_{i}$ implies opening an entry of the OTM with the wrong flag only if the qubit is a trap one (as in regular VUBQC), while it still returns the accept flag if it is a dummy or computation qubit). Here, we should note that even if the client knows that one flag is a reject flag (i.e., has one particular ${l}_{i}\ne {l}_{i}^{0}$), the probability of guessing the correct flag is only ${\u03f5}_{f}:={({2}^{m}1)}^{1}$. This, intuitively, will force the client to return the flag obtained from the OTM (or abort with high probability), provided that m is chosen suitably. We can now give the noninteractive QYao Protocol 7 (see Appendix C.2 for a simple example).
Protocol 6 Preparation of OTMs for noninteractive QYao. 
Description of OTM’s: We will use an (at most) one out of K OTM, where $K={2}^{{max}_{i}\leftE{P}_{i}\right}$. Note, that the first layer does not need an OTM, since (i) we give the angle directly (does not depend on anything) and (ii) there is no trap in the previous layer and thus no need to give a flag. Moreover, for the last layer, while the qubits are not measured (and thus there is no corresponding angle $\delta $) we will use an OTM to obtain the last flags (that correspond to testing traps in the previous layers).

Protocol 7 Noninteractive QYao. 
Assumptions Client and server want to jointly compute a unitary as in Protocol 5. The client has N OTM’s that are 1outofK, i.e., one OTM per qubit, with sufficient entries to store a pair of $({\delta}_{i},{l}_{i})$ measurement angle and flag bitstring (of length at least $m\ge log(\frac{1}{\u03f5}+1)$), for each extended influence past of the qubit. Protocol

This protocol requires exactly the same number of qubits as Protocol 5. The only extra “cost” is that we require one OTM per qubit. The size of the labels of the OTM is oneoutofK (where $K={max}_{i}\leftE{P}_{i}\right$), while the size of the content of each cell is $3+m\ge 3+log(\frac{1}{\u03f5}+1)$ bits as described in Protocol 6.
Theorem 4.
Protocol 7 is ϵverifiable for the client, with ϵ the same as the VUBQC protocol that is used.
Proof.
This proof consists of three stages. First, similarly to the proof of theorem 2, we show that the verifiability for the client of the noninteractive QYao reduces to the verifiability of the same VUBQC protocol with modifications for the server’s input and output. The second stage is to observe that the optimal strategy for an adversarial server is to return the flags from the opened OTMs. This makes the verifiability property for this protocol identical to an interactive protocol with the only modification that the server can return different values for the measurement outcome ${b}_{i}$ depending on which future qubit the client needs the outcome (${b}_{i;j}$). The final stage, is to show that this modified (interactive) verification protocol is $\u03f5$verifiable with the same $\u03f5$ as Protocol 1.
Stage 1: Following the proof of Theorem 2, we can see that the noninteractive QYao Protocol 7 is $\u03f5$verifiable for the client if the corresponding noninteractive VUBQC protocol that is used during Step 3 of Protocol 7 is $\u03f5$verifiable, with deviated input ${\rho}_{in}^{\prime}$ and a final deviation $({\mathbb{I}}_{{\mathcal{H}}_{C}}\otimes {\mathcal{C}}_{{\mathcal{H}}_{S}})$ on the server’s output (computation) qubits.
Stage 2: If the server attempts to guess a flag (given the extra knowledge of one bitstring ${l}_{i}\ne {l}_{i}^{0}$), it causes an abort with high probability ($1{\u03f5}_{f}$, where ${\u03f5}_{f}:={({2}^{m}1)}^{1}$). However, since by assumption $m\ge log(\frac{1}{\u03f5}+1)$, the probability of an abort is so high that it makes the protocol trivially verifiable, as it is $\u03f5$close to the ideal state Equation (6) with $(1{p}_{ok})=(1{\u03f5}_{f})$.
It follows that the adversary (trying to maximising its cheating chances) should return the flags found in the OTMs. This is equivalent to an interactive VUBQC protocol, for which= (i) the server for each qubit i returns multiple values of the measurement outcome ${b}_{i;j}$, one for each j in the extended future qubit of i, (ii) the client uses those outcomes to compute the ${\delta}_{i}$’s and (iii) the client aborts only when it receives at least one trap outcome wrong ${b}_{t;j}\ne {r}_{t}$ for any j.
Stage 3: We should now show the $\u03f5$verifiability of the modified interactive VUBQC protocol described above. The proof follows the same steps of the proof of the verifiability of Protocol 1 in [25]. The first steps exploit the blindness to reduce the possible attacks (of the adversarial server) to a convex combination of Pauli attacks. Then, it is noted that since the computation is encoded in an errorcorrecting code (that corrects up to $\delta /2$ errors), there is a minimum number ($d=\lceil \frac{\delta}{2(2c+1)}\rceil $) of independent baselocations that need to be corrupted to cause an error.
For the proof of verifiability, as in [10,25], we make the assumption that if the minimum number of attacks that could corrupt the computation occurs, then the computation is corrupted. This is clearly not true, but is sufficient to provide a bound on the probability of corrupt and accept (which is the “bad” case that the server manages to cheat). Then, given this minimum number of attacks, the probability of abort is computed and found to be greater than $1\u03f5$, and thus, the protocol is verifiable.
In our case, there is the difference that for each measured qubit ${b}_{i}$ of the original protocol, we have multiple qubits ${b}_{i;j}$. Once again, we make the assumption of minimum corrupted qubits; we need at least $d=\lceil \frac{\delta}{2(2c+1)}\rceil $ independent baselocations; and we can allow for each baselocation to corrupt a single ${b}_{i;j}$ for one specific j. However, this does not change the probability of hitting a trap, as it suffices to give the wrong value ${b}_{t,j}$ for one j to cause an abort. We then obtain again that the probability of an abort (in the minimum corruptible attack) is at least $(1\u03f5)$ (for $\u03f5={\left(\frac{8}{9}\right)}^{d}$), and the protocol is indeed $\u03f5$verifiable. ☐
Theorem 5.
Protocol 7 that is ${\u03f5}_{1}$verifiable for the client is $O\left(\sqrt{{\u03f5}_{2}}\right)$private against an ${\u03f5}_{2}$specious client and ${\u03f5}_{1}$private against a malicious server.
Proof.
We need simulators for the client only during input injection and output extraction (since the client does not participate in the evaluation phase, in the noninteractive protocol). During these steps, the simulators are identical to those in Protocol 5.
The server’s simulators until before the output extraction can be identical with the ones of Protocol 5, where the interaction is replaced with the preparation of OTMs. It is important to note that all OTMs can be constructed with no information about the client’s input and thus from the simulator. Finally, the simulator for the final step of Protocol 5 needs to only use the property that the protocol is $\u03f5$verifiable for the client. We proved in Theorem 4 that this is the case for Protocol 7, and thus, we can use the same simulator. ☐
6. Conclusions
We gave a protocol for 2PQC, secure against specious adversaries. Our protocol differs significantly from [21] since it has an asymmetric treatment of the two parties. There are two approaches for classical S2PC, that of Yao [22] and that of Goldreich et al. [43]. While our protocol can be seen as the quantum version of [22] (that also has asymmetry between parties), the protocol of [21] is a quantum version of [43]. In the quantum case, our approach provides the extra advantage of being more practical in terms of technological requirements. This is because the client requires only basic quantum technologies (preparing single qubits), and there is no online quantum communication among the parties.
Furthermore, due to a subtle difference in the definition of specious adversaries, our protocol requires no extra primitives (see the details in Appendix B). Typically, considering weaker adversaries such as the specious adversaries is a first step towards protocols secure against malicious adversaries. This is why it is not crucial whether we take the stronger or weaker form of the specious adversaries. There are standard techniques, such as the cutandchoose technique and the GMWcompiler [43], that turn protocols from secure against honestbutcurious to secure against malicious adversaries. However, the quantum generalisations are considerably more involved, as these techniques cannot be directly applied due to nocloning and quantum inseparability. We have recently extended our results towards this direction, in the specific case of classical input/output, by generalising the cutandchoose technique [44].
Finally, we obtained a onetime compiler for any quantum computation using onetime memories. This was done following the classical work of Goldwasser et al. [24] and more efficiently than the quantum work of Broadbent et al. [6]. An important difficulty to use the classical Yao protocol directly to construct onetime programs is the case where the evaluator is malicious (rather than honestbutcurious). However, in our QYao, the protocol is secure against an evaluator that is fully malicious, and thus, we can obtain the onetime program directly once we remove the interaction (which is present in the quantum case). To overcome this difficulty, we used OTMs to replace the interaction and introduced an extra “flag” register to ensure the security of the protocol.
Acknowledgments
We would like to thank Frédéric Dupuis for discussions on the definition of specious adversaries. Funding from EPSRCGrants EP/N003829/1 and EP/M013243/1 is acknowledged.
Author Contributions
Both authors contributed to developing the theory and writing the paper.
Conflicts of Interest
The authors declare no conflict of interest.
Abbreviations
The following abbreviations are used in this manuscript:
UBQC  Universal blind quantum computation 
MBQC  Measurementbased quantum computation 
VBQC  Verifiable blind quantum computation 
QYao  Quantum “Yao” protocol 
OT  Oblivious transfer 
OTM  Onetime memory 
DT(G)  Dotted triple graph 
2PQC  Secure twoparty quantum computation 
Appendix A. MeasurementBased Quantum Computation
An MBQC pattern is fully characterised by the graph (representing the entangled state), default measurement angles ${\varphi}_{i}$, an order of measurements (determined by the flow) and a set of corrections that determine the actual measurement angle of each qubit (modify the default measurement angles with respect to previous measurement outcomes).
For the brickwork state, or any subset of the square lattice state, the flow $f\left(i\right)$ takes a qubit to the same row, next column, e.g., $i=(k,l)$, then $f\left(i\right)=(k+1,l)$. Given a flow $f(\xb7)$ and measurement outcomes ${s}_{j}$, the actual (corrected) measurement angle is given:
where ${N}_{G}\left(i\right)$ denotes the set of neighbours (in the graph) of vertex i. It is easy to see that the corrected angle for qubit i has an Xcorrection (i.e., a $(1)$ factor before ${\varphi}_{i}$) from the one qubit ${f}^{1}\left(i\right)$ and Zcorrections (i.e., $\pi $ addition) from some neighbours of neighbours, which for the brickwork state is at most two (but in any case is constant in number).
$$\begin{array}{c}\hfill {\varphi}_{i}^{\prime}({\varphi}_{i},{s}_{j<i}):={\varphi}_{i}{(1)}^{{s}_{{f}^{1}\left(i\right)}}+\pi \sum _{jf\left(j\right)\in {N}_{G}\left(i\right)\setminus f\left(i\right)}{s}_{j}\end{array}$$
We present here diagrams taken from [3] showing how to translate a universal set of gates to the MBQC measurement patterns using the brickwork graphs.
Appendix B. On Specious Adversaries Definitions
The definition of specious, as given by Equation (4), includes ${\rho}_{i}\left({\rho}_{in}\right)$, which is the honest state in step i, for any input state ${\rho}_{in}$. There are two subtle issues with what this means, (i) in relation with what are the possible input states ${\rho}_{in}$ and (ii) in relation to whether the random secret parameters are considered the input of the computation or not. If we take the most restrictive case, it leads to a very weak adversary. In [21], there are some impossibility results that stem from taking a (slightly) stronger form of this adversary. Here, we see separately these two issues and finally discuss the differences with [21].
Appendix B.1. Restricting to Classical Inputs
The first important point is that we observe that a specious adversary, under certain conditions, could be weaker than an honestbutcurious classical adversary. A specious adversary is allowed to do actions/operations that for any (allowed) input can be “undone” by actions on his/her side if there is an audit.
Now, we consider a (trivial) example that specious is weaker than classical honestbutcurious. Assume that as the first step of a protocol, a party (that is specious adversary) $\tilde{A}$ receives a onetime padded quantum input ${E}_{k}\left({\left\psi \right.\u232a}_{S}\right)$ of the other party. As the second step, the $\tilde{A}$ returns the padded quantum state back. If the input is considered to be a general (unknown) quantum state, a specious adversary cannot do the following action before returning the system S:
$$\begin{array}{c}\hfill {(\wedge X)}_{SA}{E}_{k}\left({\left\psi \right.\u232a}_{S}\right)\otimes {\left0\right.\u232a}_{A}\end{array}$$
There is no map that $\tilde{A}$ can apply to their private system/ancilla A alone and obtain the correct state ${\rho}_{i}\left({\rho}_{in}\right)$, because for a general ${E}_{k}\left({\left\psi \right.\u232a}_{S}\right)$, the resulting joint state is entangled.
However, imagine that we are actually considering a classical protocol, which means that the input is in computational basis, i.e., either $\left0\right.\u232a$ or $\left1\right.\u232a$. In that case, the $\wedge X$ simply copies the ciphertext ${E}_{k}\left({\left\psi \right.\u232a}_{S}\right)$, which is exactly the action that an honestbutcurious classical adversary can do (Note that in this specific case, the resulting state is no longer an entangled state and thus could be recovered by acting only on system S. Nonetheless, the definition of specious requires recovering the correct state at each step for any possible input.). It is exactly because of this property (that specious under certain conditions is weaker than classical honestbutcurious) that we can avoid using OT for inserting the input of the server (unlike the Yao protocol). In generalisations where we will have stronger adversaries, we will once again need to have OT for the input insertion.
Appendix B.2. About the Secret Random Parameters
The second important subtlety of the specious definition is related to the secret (random) parameters that the adversary can choose. Specious adversaries should be able to recover the global state ${\rho}_{i}\left({\rho}_{in}\right)$ in any step. However, this definition may be somewhat ambiguous. In general, the quantum state in any step is also a function of secret random parameters of the two parties ${k}_{A},{k}_{B}$, i.e., we have ${\rho}_{i}({\rho}_{in},{k}_{A},{k}_{B})$. We can (and generally do) treat the secret keys as part of the input of the two parties (i.e., part of ${\rho}_{in}$), but in this case, the specious adversary is essentially requested to reconstruct precisely the state ${\rho}_{i}({\rho}_{in},{k}_{A},{k}_{B})$ at step i.
However, we can imagine an adversary $\tilde{A}$ that could reproduce the state ${\rho}_{i}({\rho}_{in},{k}_{A}^{\prime},{k}_{B})$ instead, i.e., reproduce a state that would be correct for step i, if the secret parameter were ${k}_{A}^{\prime}$ instead of the ${k}_{A}$ that was given at the start. In this case, the adversary $\tilde{A}$ is not specious with the standard definition that we use. On the other hand, intuitively, since ${k}_{A}$ is a secret parameter (not known by anyone but $\tilde{A}$ until this step), it should not matter what is this value, and reproducing ${\rho}_{i}({\rho}_{in},{k}_{A}^{\prime},{k}_{B})$ should be sufficient for a version of quantum honestbutcurious.
We will define the strong specious adversary to be the adversary that is required to have CP maps ${\mathcal{T}}_{i}$ acting only on their subsystem, such that they can reproduce the state ${\rho}_{i}({\rho}_{in},{k}_{A},{k}_{B})$ for at least one secret key ${k}_{A}$ (not determined in advance and thus of their choice).
We will again give a simple example to make the distinction of these two flavours of specious adversaries. Imagine a protocol that a (strong or weak) specious adversary $\tilde{A}$ is supposed to return an unknown state $\left\psi \right.\u232a$ padded with its key ${E}_{{k}_{A}}\left(\left\psi \right.\u232a\right)$. A strong specious adversary can cheat by keeping the state $\left\psi \right.\u232a$ and returning instead the one side of an EPR pair (and keep the other side). Then, if an audit occurs, the adversary can use its side of the EPR pair and teleport the state $\left\psi \right.\u232a$ back, where the resulting state at the honest side is ${E}_{{k}_{m}}\left(\left\psi \right.\u232a\right)$, with ${k}_{m}$ being (randomly) determined by the outcome of the Bell measurement that teleports the state. A weak specious adversary, on the other hand, cannot do this. The state that is supposed to be returned needs to be padded with the key ${k}_{A}$ that is fixed from the start of the protocol, while ${k}_{m}$ is randomly determined during the audit (by the Bell measurement outcome).
Appendix B.3. Regarding Secure SWAP NoGo Theorem
It is not difficult to see that a protocol that is secure against the standard (weak) specious adversary can be made secure against the strong specious adversary by modifying the protocol to request that in every step a new random (secret) parameter appears, a commitment to its value is made. This means that requesting an adversary to be weak specious is practically equivalent to a strong specious adversary where commitments are allowed.
Here, it is worth mentioning that in [21], while not explicitly stated, their protocol was secure against the stronger version of specious adversaries (unlike our protocol). This difference in the definition of specious adversaries (implicit assumption of the stronger adversaries) also resolves the apparent contradiction of our result (no secure primitive needed) with their nogo theorem (a secure SWAPis needed for 2PQC even for specious adversaries). As is mentioned in [21], their nogo would not hold if commitments were possible, which is exactly what our weaker definition essentially permits.
Appendix C. Examples
We will now give two simple examples (one for Protocol 5 and one for Protocol 7) to illustrate how the generic protocols given work practically.
Appendix C.1. Example for Protocol 5
We consider a simple example for Protocol 5 where each of the clients/servers has a single qubit input/output, and the unitary/computation to be implemented is a CNOT gate. The MBQC pattern for this gate is given in Figure A1b. The basegraph required is a “brick” from the brickwork state of [3] and consists of 10 qubits. To use the VUBQC protocol of [25], we need the DT(G) of that graph, the construction that is summarised in Section 2.1, resulting in the coloured DT(G) of Figure 1a. In Figure A2, we see the dotted basegraph, while in Figure A3, we can see the resulting DT(G) construction after the dummies have been removed, leaving us with the dotted basegraph of Figure A2 along with the one trap/tag qubit for each computation qubit (as was done in the general case in Figure 1b). The white trap qubit corresponds to primary vertices (qubits of the initial basegraph of Figure A1b), while black trap qubits correspond to added vertices (those that resulted from “dotting” the initial basegraph). Note that in Figure A3, the computation qubits are entangled (connected with edges), while the trap/tag qubits are isolated. The server, from his/her view, cannot distinguish whether one qubit belongs to the dotted basegraph (i.e., is used for computation) or is the related trap/tag qubit (denoted in the same box in Figure A3). In the next example (Appendix C.2), the basegraph is simpler, and we will give the construction starting from the basegraph and resulting in the dotted basegraph with tags in greater detail.
Figure A1.
MBQC patterns for different gates: (a) $\pi /8$ gate, (b) CNOTgate, (c) identity gate and (d) Hadamard gate.
Figure A3.
Dotted basegraph for a CNOT gate along with isolated traps/tags. The input/output of the client/server is coloured blue.
Finally, we note that in UBQC, the measurement angle that the client instructs the server to measure is given: ${\delta}_{i}={\varphi}_{i}^{\prime}({\varphi}_{i},{b}_{j<i})+{\theta}_{i}+\pi {r}_{i}=C(i,{\varphi}_{i},{\theta}_{i},{r}_{i},\mathbf{s})$.
The protocol starts with the server’s input injection, where the server gives his/her input (bottom left blue qubit in Figure A3) onetime padded to the client as described in Section 3.1. The client then permutes it with a trap and a dummy qubit (see Figure 2) and returns the triplet to the server. Now, after removing the dummies (that play no role), the server’s view is that of Figure A3, where he/she is not aware which qubit was his/her input and which qubit is a trap/tag. The same holds for the other qubits of the MBQC pattern.
The client instructs the server to measure the qubits at angles ${\delta}_{i}$. The distribution of these angles is uniformly random within the set $\{0,\pi /4,2\pi /4,\cdots ,7\pi /4\}$ irrespective of the actual computation, and thus, the server (from his/her perspective) is totally blind to what computation is performed or of which qubits are computation and which are trap/tag qubits.
The client, from his/her view, taking into account the prerotations ${\theta}_{i}$ and corrections from previous measurements in reality is actually asking the server to measure the computation qubits in the angles of Figure A1b and thus performing the CNOT gate. At the same time, the instruction for the trap/tag qubits is to measure them in the basis that was prepared $\left{\pm}_{\theta}\right.\u232a$ and thus return a deterministic outcome (since they are isolated from the rest qubits).
Finally is the server’s output extraction part (see Section 3.2). Here, the server onetime pads both his/her output (bottom right blue qubit) and the corresponding trap/tag (since he/she is not aware of which is which) and returns them to the client. The client knows the position of the server’s output (but not the padding, so it obtains no information). The client keeps the trap/tag, but returns the real output to the server. The protocol is completed with the exchange of keys (as described in Section 3.2), where the client can test that the final traps are indeed correct (so no deviation occurred before that), and the server obtains the key to his/her output and recovers it.
Appendix C.2. Example for Protocol 7
In this example, we are not concerned with the input/output constructions, as these are similar to Protocol 5. Instead, we give the simplest example of a basegraph to illustrate what influencepast and extended influencepast means and how the flags and the OTMs are constructed.
We start with the simplest basegraph of two qubits given in Figure A4a. Following the DT(G) procedure (described in Section 2.1), we have the DT(G) of Figure A4b, where we label the qubits. Note, that for each of the basegraph qubits (Figure A4a), we have three copies (circles in Figure A4b); all qubits of the one baselocation are connected with all qubits of the other baselocation (nine edges in total); and an added qubit (square) is added to each of these (nine) edges. This is the view that the server has, since he/she is not aware of the trapcolouring (i.e., of which qubit is computation, trap or dummy).
Figure A4.
(a) Simple MBQC basegraph. (b) Corresponding dotted triplegraph with labelled qubits (view of the server).
The view of the client (that knows the trapcolouring) is given in Figure A5a, where we remove the dummies in Figure A5b to keep only the relevant information. This, of course, is just an example of one consistent trapcolouring.
Figure A5.
(a) Labelled dotted triplegraph with trap colouring (view of client). (b) Labelled dotted triplegraph when removing dummy qubits (essential information from client’s view).
Now, influencepast is defined in terms of which qubit results in a Z or X correction (in the MBQC terms). It is clear that corrections exist only for qubits that are truly entangled (i.e., the green qubits $\{1,5,14\}$). In particular, qubit $\left\{5\right\}$ has Xdependency from qubit $\left\{1\right\}$, which is its influencepast. Qubit $\left\{14\right\}$ has Xdependency from qubit $\left\{5\right\}$ and Zdependency from qubit $\left\{1\right\}$, i.e., its influencepast is $\{1,5\}$. The influencepast of isolated qubits is the empty set.
The extended influencepast includes all of the qubits that for some trapcolouring could be at the influencepast, and it is a superset of the influencepast. In other words, all of the qubits that belong to the same baselocation as the true influencepast are always included. We consider the last layer qubits $\{13,14,15\}$, and we summarise their influencepasts and extended influencepasts in this table:
Qubit  Influencepast  Extended influencepast  Nontrivial flag dependence 
13  ∅  $\{1,2,3,4,7,10\}$  $\{2,10\}$ 
14  $\{1,5\}$  $\{1,2,3,5,8,11\}$  $\left\{2\right\}$ 
15  ∅  $\{1,2,3,6,9,12\}$  $\left\{2\right\}$ 
Now, we describe the OTMs. First, the cells of each OTM are labelled according to different outcomes of qubits in the extended influencepast. In other words, for the OTM for Qubit 13, we will have one cell for each string of measurement outcomes of the qubits $\{1,2,3,4,7,10\}$, i.e., ${2}^{6}$ cells (see the table). Within each cell of the OTM, there will be the measurement angle corresponding to these outcomes (in general, the corrected measurement angle ${\varphi}_{i}^{\prime}$ depends on outcomes of qubits in the actual influencepast). Moreover, in each cell, there is a flag bitstring of length m (see Section 5). There is one string ${l}_{i}^{0}$ that corresponds to the accept flag. This flag is contained in all cells except for those that contain a wrong result at one (past) trap/tag. Trap/tag qubits (in the example $\{2,10,15\}$) have a deterministic outcome (in an honest run). Therefore, in all cells of an OTM in which the outcome of one of this trap is wrong, a flag ${l}_{i}\ne {l}_{i}^{0}$ is returned. For our example, we can see from the last column of the table which qubits outcomes may result to the nonaccept flag in the related cell of the OTM.
Finally, we stress again that in the above table, the influencepast and nontrivial flag dependence is not known to the server, while the extended influencepast is.
Appendix D. Proof of Commuting
We prove here that the partial trace over one system commutes with any operation to the nontracedout system. We express a generic density matrix ${\rho}_{AB}\in {\mathcal{H}}_{AB}$ with respect to some fixed orthonormal basis as:
$$\begin{array}{c}\hfill {\rho}_{AB}=\sum _{i,{i}^{\prime},j,{j}^{\prime}}{\rho}_{i{i}^{\prime},j{j}^{\prime}}{\lefti\right.\u232a}_{A}\left.\u2329{i}^{\prime}\right\otimes {\leftj\right.\u232a}_{B}\left.\u2329{j}^{\prime}\right\end{array}$$
Similarly, a general operator ${T}_{B}$ acting on system B is given by:
$$\begin{array}{c}\hfill {T}_{B}=\sum _{k,{k}^{\prime}}{T}_{k{k}^{\prime}}{\leftk\right.\u232a}_{B}\left.\u2329{k}^{\prime}\right\end{array}$$
It is easy to see that:
which proves that the partial trace (over system A) commutes with any operation on the nontracedout system B. We can see this since the lefthand side equals:
using the orthonormality of the bases used (i.e., $\left.\u2329i\right\left{i}^{\prime}\right.\u232a={\delta}_{i,{i}^{\prime}}$ etc.). The righthand side is:
which completes the proof.
$$\begin{array}{c}\hfill {\mathrm{Tr}}_{A}({\mathbb{I}}_{A}\otimes {T}_{B}\xb7{\rho}_{AB})={T}_{B}\xb7{\mathrm{Tr}}_{A}\left({\rho}_{AB}\right)\end{array}$$
$$\begin{array}{ccc}\hfill \mathrm{l}.\mathrm{h}.\mathrm{s}& =& \sum _{\tilde{i},i,{i}^{\prime},j,{j}^{\prime},k,{k}^{\prime}}{\left.\u2329\tilde{i}\right}_{A}{T}_{k{k}^{\prime}}{\rho}_{i{i}^{\prime},j{j}^{\prime}}{\lefti\right.\u232a}_{A}\left.\u2329{i}^{\prime}\right\otimes \left({\leftk\right.\u232a}_{B}\left.\u2329{k}^{\prime}\right{\leftj\right.\u232a}_{B}\left.\u2329{j}^{\prime}\right\right){\left\tilde{i}\right.\u232a}_{A}\hfill \\ & =& \sum _{i,j,{j}^{\prime},k}{T}_{kj}{\rho}_{ii,j{j}^{\prime}}\left({\leftk\right.\u232a}_{B}\left.\u2329{j}^{\prime}\right\right){\delta}_{i,{i}^{\prime}}{\delta}_{i,\tilde{i}}{\delta}_{j,{k}^{\prime}}\hfill \end{array}$$
$$\begin{array}{ccc}\hfill \mathrm{r}.\mathrm{h}.\mathrm{s}& =& \sum _{\tilde{i},i,{i}^{\prime},j,{j}^{\prime},k,{k}^{\prime}}\left({T}_{k{k}^{\prime}}{\leftk\right.\u232a}_{B}\left.\u2329{k}^{\prime}\right\right)\xb7\left({\left.\u2329\tilde{i}\right}_{A}{\rho}_{i{i}^{\prime},j{j}^{\prime}}\left({\lefti\right.\u232a}_{A}\left.\u2329{i}^{\prime}\right\otimes {\leftj\right.\u232a}_{B}\left.\u2329{j}^{\prime}\right\right){\left\tilde{i}\right.\u232a}_{A}\right)\hfill \\ & =& \sum _{i,j,{j}^{\prime},k}{T}_{kj}{\rho}_{ii,j{j}^{\prime}}\left({\leftk\right.\u232a}_{B}\left.\u2329{j}^{\prime}\right\right){\delta}_{i,{i}^{\prime}}{\delta}_{i,\tilde{i}}{\delta}_{j,{k}^{\prime}}\hfill \end{array}$$
References
 Childs, A. Secure assisted quantum computation. Quant. Inf. Compt. 2005, 5, 456. [Google Scholar]
 Arrighi, P.; Salvail, L. Blind Quantum Computation. Int. J. Quant. Inf. 2006, 4, 883–898. [Google Scholar] [CrossRef]
 Broadbent, A.; Fitzsimons, J.; Kashefi, E. Universal blind quantum computation. In Proceedings of the 50th Annual Symposium on Foundations of Computer Science, Atlanta, GA, USA, 25–27 October 2009; pp. 517–526.
 Aharonov, D.; BenOr, M.; Eban, E. Interactive Proofs for Quantum Computations. In Proceedings of Innovations in Computer Science 2010, Beijing, China, 5–7 January 2010; pp. 453–469.
 Reichardt, B.W.; Unger, R.F.; Vazirani, U. Classical command of quantum systems. Nature 2013, 496, 456–460. [Google Scholar] [CrossRef] [PubMed]
 Broadbent, A.; Gutoski, G.; Stebila, D. Quantum OneTime Programs. In Advances in Cryptology—CRYPTO 2013; Canetti, R., Garay, J., Eds.; Springer: Berlin/Heidelberg, Germany, 2013; Volume Voume 8043, pp. 344–360. [Google Scholar]
 Raussendorf, R.; Briegel, H.J. A OneWay Quantum Computer. Phys. Rev. Lett. 2001, 86, 5188–5191. [Google Scholar] [CrossRef] [PubMed]
 Nickerson, N.H.; Fitzsimons, J.F.; Benjamin, S.C. Freely scalable quantum technologies using cells of 5to50 qubits with very lossy and noisy photonic links. Phys. Rev. X 2014, 4, 041041. [Google Scholar] [CrossRef]
 Barz, S.; Kashefi, E.; Broadbent, A.; Fitzsimons, J.F.; Zeilinger, A.; Walther, P. Demonstration of blind quantum computing. Science 2012, 335, 303. [Google Scholar] [CrossRef] [PubMed]
 Fitzsimons, J.F.; Kashefi, E. Unconditionally verifiable blind computation. arXiv 2012. [Google Scholar]
 Kapourniotis, T.; Kashefi, E.; Datta, A. Blindness and Verification of Quantum Computation with One Pure Qubit. In Proceedings of the 9th Conference on the Theory of Quantum Computation, Communication and Cryptography (TQC 2014), Singapore, 21–23 May 2014; pp. 176–204.
 Gheorghiu, A.; Kashefi, E.; Wallden, P. Robustness and device independence of verifiable blind quantum computing. New J. Phys. 2015, 17, 083040. [Google Scholar] [CrossRef]
 Kapourniotis, T.; Dunjko, V.; Kashefi, E. On optimising quantum communication in verifiable quantum computing, 2015. In Proceedings of the 15th Asian Quantum Information Science Conference (AQISC 2015), Seoul, Korea, 25–28 August 2015; pp. 23–25.
 Dunjko, V.; Fitzsimons, J.F.; Portmann, C.; Renner, R. Composable Security of Delegated Quantum Computation. In Advances in Cryptology; Springer: Kaoshiung, Taiwan, 2014. [Google Scholar]
 McKague, M. Interactive proofs for BQP via selftested graph states. arXiv 2013. [Google Scholar]
 Broadbent, A. How to verify a quantum computation. arXiv 2015. [Google Scholar]
 Gheorghiu, A.; Wallden, P.; Kashefi, E. Rigidity of quantum steering and onesided deviceindependent verifiable quantum computation. New J. Phys. 2017, 19, 023043. [Google Scholar] [CrossRef]
 Dupuis, F.; Nielsen, J.B.; Salvail, L. Actively secure twoparty evaluation of any quantum operation. In Advances in Cryptology—CRYPTO 2012; Springer: Santa Barbara, CA, USA, 2012; pp. 794–811. [Google Scholar]
 Dunjko, V.; Kashefi, E. Blind quantum computing with two almost identical states. arXiv 2016. [Google Scholar]
 Maurer, U.; Renner, R. Abstract cryptography. In Innovations in Computer Science; Citeseer: Beijing, China, 2011. [Google Scholar]
 Dupuis, F.; Nielsen, J.B.; Salvail, L. Secure twoparty quantum evaluation of unitaries against specious adversaries. In Advances in Cryptology—CRYPTO 2010; Springer: Santa Barbara, CA, USA, 2010; pp. 685–706. [Google Scholar]
 Yao, A. How to generate and exchange secrets. In Proceedings of the 27th Annual Symposium on Foundations of Computer Science, Toronto, ON, Canada, 27–29 October 1986; pp. 162–167.
 Kent, A. Unconditionally secure bit commitment. Phys. Rev. Lett. 1999, 83, 1447. [Google Scholar] [CrossRef]
 Goldwasser, S.; Kalai, Y.T.; Rothblum, G.N. Onetime programs. In Advances in Cryptology—CRYPTO 2008; Springer: Santa Barbara, CA, USA, 2008; pp. 39–56. [Google Scholar]
 Kashefi, E.; Wallden, P. Optimised resource construction for verifiable quantum computation. J. Phys. A Math. Theor. 2017, 50, 145306. [Google Scholar] [CrossRef]
 Bennett, C.; Brassard, G.; Ekert, A. Quantum cryptography. In Progress in Atomic physics Neutrinos and Gravitation, Proceedings of the XXVIIth Rencontre de Moriond, Les Arcs, Savoie, France, 25 January–1 February 1992; Atlantica Séguier Frontières: Biarritz, France, 1992; p. 371. [Google Scholar]
 Broadbent, A.; Schaffner, C. Quantum cryptography beyond quantum key distribution. Des. Codes Cryptogr. 2016, 78, 351–382. [Google Scholar] [CrossRef]
 Alagic, G.; Fefferman, B. On quantum obfuscation. arXiv 2016. [Google Scholar]
 Hayashi, M.; Morimae, T. Verifiable measurementonly blind quantum computing with stabilizer testing. arXiv 2015. [Google Scholar]
 Dulek, Y.; Schaffner, C.; Speelman, F. Quantum homomorphic encryption for polynomialsized circuits. arXiv 2016. [Google Scholar]
 Kashefi, E.; Pappa, A. Blind multiparty quantum computing. 2016; in preparation. [Google Scholar]
 Abraham, I.; Dolev, D.; Gonen, R.; Halpern, J. Distributed Computing Meets Game Theory: Robust Mechanisms for Rational Secret Sharing and Multiparty Computation. In Proceedings of the Twentyfifth Annual ACM Symposium on Principles of Distributed Computing, Denver, CO, USA, 23–26 July 2006; pp. 53–62.
 Kol, G.; Naor, M. Cryptography and game theory: Designing protocols for exchanging information. In Theory of Cryptography; Springer: New York, NY, USA, 2008; pp. 320–339. [Google Scholar]
 Eisert, J.; Wilkens, M.; Lewenstein, M. Quantum Games and Quantum Strategies. Phys. Rev. Lett. 1999, 83, 3077–3080. [Google Scholar] [CrossRef]
 Pappa, A.; Kumar, N.; Lawson, T.; Santha, M.; Zhang, S.; Diamanti, E.; Kerenidis, I. Nonlocality and Conflicting Interest Games. Phys. Rev. Lett. 2015, 114, 020401. [Google Scholar] [CrossRef] [PubMed]
 Childs, A.M.; Leung, D.W.; Nielsen, M.A. Unified derivations of measurementbased schemes for quantum computation. Phys. Rev. A 2005, 71, 032318. [Google Scholar] [CrossRef]
 Danos, V.; Kashefi, E.; Panangaden, P. The Measurement Calculus. J. ACM 2007, 54, 8. [Google Scholar] [CrossRef]
 Hein, M.; Eisert, J.; Briegel, H.J. Multiparty entanglement in graph states. Phys. Rev. A 2004, 69, 062311. [Google Scholar] [CrossRef]
 Naor, M.; Pinkas, B. Oblivious transfer and polynomial evaluation. In Proceedings of the ThirtyFirst Annual ACM Symposium on Theory of computing, Atlanta, GA, USA, 1–4 May 1999; pp. 245–254.
 Gennaro, R.; Gentry, C.; Parno, B. Noninteractive verifiable computing: Outsourcing computation to untrusted workers. In Advances in Cryptology—CRYPTO 2010; Springer: Santa Barbara, CA, USA, 2010; pp. 465–482. [Google Scholar]
 Danos, V.; Kashefi, E. Determinism in the oneway model. Phys. Rev. A 2006, 74, 052310. [Google Scholar] [CrossRef]
 Browne, D.E.; Kashefi, E.; Mhalla, M.; Perdrix, S. Generalized flow and determinism in measurementbased quantum computation. New J. Phys. 2007, 9, 250. [Google Scholar] [CrossRef]
 Goldreich, O.; Micali, S.; Wigderson, A. How to Play ANY Mental Game. In Proceedings of the Nineteenth Annual ACM Symposium on Theory of Computing, New York, NY, USA, 25–27 May 1987; pp. 218–229.
 Kashefi, E.; Music, L.; Wallden, P. The Quantum CutandChoose Technique and Quantum TwoParty Computation. arXiv 2017. [Google Scholar]
Figure 1.
Dotted triple graph. Circles: primary vertices with the baselocation of the vertex of the basegraph; squares: added vertices with the baselocation of edges of the basegraph. (a) Trapcolouring. Blue: input qubits; green: gate qubits; white/black: trap qubits; red: wiring qubits. The client chooses the colours randomly for each vertex with the baselocation of vertex of the basegraph and prepares each qubit individually before sending them one by one to the server to entangle them according to the generic construction. (b) After entangling, the breaking operation defined by the wiring qubits will reduce the graph in (a) to the computation graph and for each vertex a corresponding trap/tag qubits.
Figure 2.
The server gives its input (blue), and the client chooses (randomly) where in the input baselocation to place the input. The random choice is highlighted. The trapcolouring is filled correspondingly, after the random choice is made.
© 2017 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license ( http://creativecommons.org/licenses/by/4.0/).