A Distributed Architecture for Secure Delegated Quantum Computation

In this paper, we propose a distributed secure delegated quantum computation protocol, by which an almost classical client can delegate a (dk)-qubit quantum circuit to d quantum servers, where each server is equipped with a 2k-qubit register that is used to process only k qubits of the delegated quantum circuit. None of servers can learn any information about the input and output of the computation. The only requirement for the client is that he or she has ability to prepare four possible qubits in the state of (|0〉+eiθ|1〉)/2, where θ∈{0,π/2,π,3π/2}. The only requirement for servers is that each pair of them share some entangled states (|0〉|+〉+|1〉|−〉)/2 as ancillary qubits. Instead of assuming that all servers are interconnected directly by quantum channels, we introduce a third party in our protocol that is designed to distribute the entangled states between those servers. This would simplify the quantum network because the servers do not need to share a quantum channel. In the end, we show that our protocol can guarantee unconditional security of the computation under the situation where all servers, including the third party, are honest-but-curious and allowed to cooperate with each other.


Introduction
Quantum computing has been extensively studied from theory to practice [1,2]. It is widely accepted that noisy intermediate-scale quantum (NISQ) computers may be available in the coming decades [3]. However, the limited quantum memory of NISQ devices means that they may not have the capability to deal with large-scale quantum information processing. This is obviously a severe constraint, as many practical problems, e.g., machine learning, usually require immense memory overhead. A feasible way to overcome this obstacle is to utilize distributed architecture for quantum computations [4]. That is, using a group of small-scale quantum computers interconnected by classical and quantum networks to implement largescale quantum computation tasks. However, considering the tremendous cost of building a quantum computer, it is not likely that ordinary consumers will be able to afford an NISQ computer in the foreseeable future. In fact, it is widely believed that the role of quantum computers is similar to today's classical supercomputers, which means only a few organizations or enterprises can have quantum computers at their disposal. Thus, for ordinary customers, a better way to access quantum computers is to delegate their computations to the companies that offer quantum computing as cloud services. Indeed, this computation pattern has been applied in today's Internet, e.g., IBM Quantum platform [5].
Delegated quantum computation is actually closely related to distributed quantum computation [4]. The client-to-server pattern in delegated computation naturally belongs to the category of distributed quantum computation. A class of delegated quantum computation protocols are constructed under the framework of measurement-based quantum computation (MBQC) [6][7][8], which is driven by a sequence of single-qubit measurements on some specific entangled state, where the entangled resource is also a basic module in the distributed quantum computation. Another class of delegated quantum computation protocols are obtained using the technique quantum computing on encrypted data (QCED) [9] or quantum homomorphic encryption (QHE) [10]. Although QCED and QHE are distinct concepts, the basic idea behind them is identical. Both of them use the quantum one-time pad to encrypt the input and output states but use different the methods to achieve the non-Clifford gates. Nevertheless, most schemes use the entangled states as the ancillary resources, for example [10][11][12].
Both distributed quantum computation and delegated quantum computation have been investigated broadly; see references [13][14][15][16][17][18][19][20][21] and [6,11,[22][23][24][25][26][27][28], respectively. Typically, the distributed architecture for quantum computation makes use of photons as flying qubits between computational nodes, where each node is equipped with a quantum computer. The flying qubits are usually used to generate entangle states between distinct servers (i.e., nodes). By means of quantum entanglement, the non-local operations, such as controlled-NOT gate, can be done between two distant servers. Note that the quantum computer in each server is not necessarily an optical quantum computer; it can be made up of some other quantum system [29], such as ion traps or cloud atoms. Related experiments have been successfully demonstrated (see references [30,31]). Recently, researchers also investigated the possibility of simulating large-scale quantum systems in a hybrid quantum-classical manner [32]. That is, using a classical computer combined with a small quantum computer to simulate a large quantum computer [33]. However, the computational model considered in [32,33] is slightly different from the traditional model of circuit-based quantum computation. In this paper, we will not consider the method in [32], but rather the quantum entanglement to implement the non-local operation. In general, delegated quantum computation refers specifically to the secure delegated quantum computation (SDQC), which requires that no one except the client can obtain the right input and output of the computation. Typically, the client is required to have some basic quantum capacities, for example, preparing some single qubits or performing single-qubit measurements. In [34], the authors proposed a more rigorous SDQC protocol, which they called universal blind quantum computation (UBQC). The new protocol can guarantee that not only the input and output but also the computation itself, i.e., the algorithm, are unknown to the server. Although it seems that UBQC is more secure than SDQC, they are equivalent. That is, SDQC can be converted into UBQC [35]. As delegated quantum computation protocols effectively release the quantum resources in the client side, related experimental demonstrations have rapidly been implemented using the linear optics components (see References [9,25,36,37]).
Based on the above observations, in this paper we formally propose a distributed secure delegated quantum computation protocol that allows a half-classical client who can only prepare special single qubits to implement a large-scale quantum circuit on several quantum servers interconnected by entangled channels. Each server only has a limited quantum memory so that it can only compute a fraction of the delegated circuit. Moreover, during the computation, servers get nothing about the input and output of the computation. We also give a detailed security proof for our protocol. The rest of this paper is organized as follows. Section 2 introduces some basic preliminaries and notation. Section 3 presents the basic modules for delegated quantum computation. Section 4 gives the complete distributed delegated quantum computation protocol. Section 5 analyzes the security of our protocol. The last section discusses some remaining problems in our work.

Preliminaries and Notation
We assume that readers are familiar with the basics of quantum computation. In this work, we will use the following basic quantum gates: T |s = e i s 4 π |s , CZ |s, t = e istπ |s, t , where s, t ∈ {0, 1} and i = √ −1; P and T refer to the phase gate and the π/8 gate, respectively; and CZ denotes the controlled-Z gate. In order to analyze conveniently, we also introduce the Z-rotation operator defined as follows: where α ∈ [0, 2π) is referred as the rotation angle. Regardless of the global phases, we can see that Z ≡ R z (π), P ≡ R z ( π 2 ), and T ≡ R z ( π 4 ). We use |+ ϕ to denote the following single qubit: where we consider ϕ ∈ [0, 2π). It is clear that, up to an unimportant global phase, R z (α) |+ ϕ ≡ |+ (ϕ+α) . Thus, ϕ is also called as the rotation angle. By this definition, we can see that |+ = |+ 0 and |− = |+ π . Note that for any θ ∈ [0, 2π) the states |+ θ and |+ (θ+π) comprise a basis, thus we can define a single-qubit measurement operator as follows: where θ is referred as the measurement angle in this case, and s ∈ {0, 1} denotes the classical measurement outcome. Specifically, s = 0 if the post-measurement state is |+ θ , otherwise s = 1. Finally, in this work we will also use a special two-qubit entangled state defined as follows: which can be prepared by applying a CZ gate on two qubits |+ |+ .

Secure Delegated Quantum Computation
In this work, the delegated quantum computation model we adopt is from [38], in which the authors improved the original QCED protocol [11] in two aspects. First, the quantum capacities of clients are further reduced. In theory, they only need to prepare the qubits |+ ϕ , where ϕ ∈ {0, π 2 , π, 3π 2 }. Second, the security of the protocol can be still guaranteed even if some information is leaked to servers.
First of all, we specify that the client's input is encoded in X basis. That is, encoding 0 and 1 as |+ and |− , respectively. Let x = x 1 x 2 · · · x n ∈ {0, 1} n be the n-bit classical input string, then the corresponding encoded input state can be expressed as |+ xπ ≡ |+ x 1 π |+ x 2 π · · · |+ x n π . For simplicity, we abbreviate |+ xπ as |+ x . The universal gate set we consider is U = {X, Z, P, T, H, CZ}. Note that this gate set is not minimal because X, Z, and P can be obtained from {T, H}. Despite that, additional basic gates can effectively decrease the circuit complexity. Now suppose the client's input state is |+ x , where x ∈ {0, 1} n . In [38], the client uses the random operator X 1} are referred as the encryption keys, and for any operator U we define U 0 = I and U 1 = U. The subscript i in X i , Z i , and P i is used to denote that the corresponding gate is applied on the ith qubit (hereinafter referred to as qubit i). Similarly, the subscript i in a i , b i , c i is used to denote that the corresponding encryption keys are related to qubit i. We can check that this encryption scheme is a quantum one-time pad (see Equation (11)), thus it provides an information-theoretical security for any qubit ρ.
In theory, to achieve this encryption, the client needs to perform random gates P c , Z b , and X a on the state ρ in sequence. However, for the qubit |+ x i , it can be easily verified that where i , the client can directly generate the encrypted qubit. Specifically, given the ith input bit x i ∈ {0, 1}, the client randomly chooses the corresponding encryption keys 2 )π mod 2π. Finally, the client prepares the qubit |+ ϕ i as the encrypted qubit i.
After preparing all encrypted input qubits, the client sends them to the server. The server then performs the delegated quantum circuit U on the encrypted qubits. Here, the circuit U is known to both client and server (they can negotiate in advance via a classical channel). We assume that this circuit has been decomposed into a sequence of basic gates from the gate set U. That is, U = U m U m−1 · · · U 2 U 1 , where each U i ∈ U and the positive integer number m is the total number of gates. The following identities, which all hold up to an irrelevant global phase, can be easily verified.
It follows from Equations (13)-(17) that the basic gates X, Z, P, T, CZ are commutable with the encryption operator X a Z b P c , although the encryption keys may need to be updated. For example, Equation (13) indicates that performing an X Thus, the client only needs to update the value of b i such that b i := b i ⊕ c i . The cases for Z i , P i , T i , and CZ i,j follow the same reason. The related updating rules of encryption keys are shown in Equations (14)- (17). Note, however, that the commutativity noted above is not suited for the Hadamard gate H, as there is no HP c ≡ P c H for any c, c ∈ {0, 1}. In [38], the authors proposed a quantum teleportation scheme that they called the H-gadget (see Figure 1) so as to implement the H gate in a similar manner. Specifically, the client needs to prepare two ancillary qubits |+ α i , |+ β i and a measurement angle θ i , where α i and β i are chosen randomly, whereas θ i can be determined by the following way. Figure 1. The H-gadget in Ref. [38], which is designed for implementing an H gate on an encrypted qubit i, where s i , s i ∈ {0, 1} are the measurement outcomes and α i , β i ∈ {0, π 2 , π, 3π 2 } are the rotation angles of two ancillary qubits, and θ i ∈ {0, π 2 , π, 3π 2 } is the measurement angle of the second measurement.
Note that for any α i , β i ∈ {0, π 2 , π, 3π 2 }, we can express them uniquely as follows: Thus, the client can first generate random bits d i , e i , f i , g i then compute the values of α i and β i . To determine θ i , the client generates a random bit, denoted by h i ∈ {0, 1}, then computes θ i such that Note also that θ i is relevant to the measurement outcome s i , which means it can be determined until the client obtains the first measurement outcome s i from the server. Nevertheless, in theory, all qubits including ancillary qubits can be sent to the server before the computation begins. Thus, the complete procedure is classically interactive. Finally, the updating rule for H is shown as follows: where a i , b i , c i denote the updated encryption keys related to qubit i. The correctness of the H-gadget is given in the Appendix A. The detailed security proof of the protocol can be found in [38].

Distributed Architecture for Secure Delegated Quantum Computations
In this section, we give a simple scheme to implement the non-local CZ gate between two quantum servers. Our method uses the entangled state |H (see Equation (10) for its definition) as ancillary qubits. The similar schemes have been studied intensively, for example, in [39,40]. The basic circuit is shown in Figure 2a. In the following content, we first verify the circuit identity shown in Figure 2, then, based on this circuit identity, we construct a distributed architecture for secure delegated quantum computations. We start with a circuit named X-teleportation [40] (see Figure 3a), which is easy to verify. First, we substitute a CZ and two H gates for the CX gate, obtaining the equivalent circuit, as shown in Figure 3b. We then convert the measurement basis from Z to X by the following identity (see Figure 4), which is also easy to verify. Finally, we obtain a variant of the X-teleportation that consists of H, CZ, and X-basis measurement, as shown in Figure 5. We now turn back to Figure 2a. Note first that the CZ gate commutes with itself, thus the circuit can be reorganized, as in Figure 6a. Obviously, the partial circuits in the red-dotted line and blue-dotted line boxes are exactly the same circuit as the one in Figure 5, where X = M(0). Therefore, we can see that, after measuring qubits i, j, the rest qubits and the rest CZ gate comprise the circuit as, in Figure 6b. Finally, we use the following identity to exchange the positions of X and CZ, which can be easily verified: where s ∈ {0, 1}. Substituting the above identity in Figure 6b and considering the symmetry of CZ gate, we immediately obtain the desired circuit, as shown in Figure 2b.
Considering the encryption operators X  (17), we immediately obtain the updating rule of the non-local CZ gate as follows: Based on the above analysis, we construct a distributed architecture for secure delegated quantum computation, where a classical client equipped with some qubit generator can delegate an n-qubit circuit to d small-scale quantum servers. Without loss of generality, we assume that n = dk. In this configuration, each server typically needs a 2k-qubit register to process k input qubits of the n-qubit circuit. That is, for each qubit in the n-qubit circuit, the server needs a 2-qubit register to simulate it. To make sure 2k < n, it requires that d > 2. We show this distributed architecture in Figure 7. Note that there is a special third party in this distributed architecture, which is used to generate and distribute entangled states |H between all quantum servers. Thus, all servers do not need to be interconnected directly by a quantum (even classical) channel, as there is no information exchange between servers during the computation. We give the complete procedure of the protocol in terms of pseudo-code (see . For simplicity, we use C and {S q } d q=1 to denote the client and d servers, respectively. That is, the qth quantum server is referred to as S q . As noted, each server only processes k input qubits of the n-qubit delegated circuit. More specifically, for S q , it only processes the qubits indexed by (q − 1)k + 1, (q − 1)k + 2, · · · , qk. Thus, in the case of no confusion, we also use S q = {(q − 1)k + 1, (q − 1)k + 2, · · · , qk} to denote the corresponding qubits. In addition, the delegated circuit U is formally expressed as . . , n} denotes the qubits on which the basic gate U i is exerted. For example, if U p i i is a CZ gate on qubits k and l, then p i = {k, l}. By this definition, we can see that there must be p i ⊂ S q if U p i i is a local gate in S q , otherwise it only can be p i ⊂ S q ∪ S q for some S q and S q .
// a is the X encryption keys of the final state Algorithm 2 Implement an H gate on qubit i where i is in S q 1: procedure HADAMARD(i, q) // qubit i is encrypted by X a i Z b i P c i 2: C generates d i , e i ← R {0, 1} and computes the angle α i according to Equation (18), then prepares and sends the ancillary qubit |+ α i to S q 3: S q performs H i and CZ gates on qubit i and |+ α i , then measures qubit i and sends the measurement outcome s i to C, finally labels the ancillary qubit as i 4: and computes the angles β i and θ i according to Equations (18) and (19), respectively, then prepares the ancillary qubit |+ β i and sends it with θ i to S q

5:
S q performs a CZ gate on qubit i and |+ β i , then measures qubit i with M(θ i ) and sends the measurement outcome s i to C, finally labels the ancillary qubit as i 6: C updates the encryption keys of qubit i according to Equation (20) 7: end procedure Algorithm 3 Implement a nonlocal CZ gate on qubits i and j where i is in S q while j is in S q , that is, {i, j} ⊂ S q ∪ S q 1: procedure NONLOCAL-CZ({i, j}, q, q ) // qubits i and j are encrypted by X a i Z b i P c i and X a j Z b j P c j , respectively 2: C delegates the third party to prepare an entangled state |H and distribute it to S q and S q , that is, each server holds one qubit of |H as the ancillary qubit 3: S q (S q ) performs H i (H j ) and CZ gates on qubit i (j) and its ancillary qubit, then measures qubit i (j) and sends the measurement outcome s i (s j ) to C, finally labels its ancillary qubit as i (j) 4: C updates the encryption keys of qubits i and j according to Equation (22) 5: end procedure

The Security of the Distributed Delegated Quantum Computation
We show that our protocol can guarantee the unconditional privacy of the input and output of the computation. We only consider that all servers and the third party who serves as an entanglement resource are honest-but-curious, which means they follow the algorithm honestly but try to obtain the information about the input and output. For example, they may record all classical information generated during the computation and cooperate with each other, even with the third party.
For the input, the conclusion is obvious as the client encrypts each input qubit by a quantum one-time pad. Therefore, to complete the proof, we only need to prove that the output state of the computation is also encrypted by a unbiased quantum one-time pad. In other words, there is no information leakage about the encryption keys during the computation. From the procedures of Algorithm 1, we can see that only when the client calls the procedures HADAMARD and NONLOCAL-CZ will there be an interaction between client and servers. In the other cases, the algorithm is non-interactive, which means there is no information leakage about the encryption keys from client to server as they do not exchange any information. Based on this observation, we infer that to prove the privacy we only need to analyze the procedures that implement the H and the nonlocal CZ gates.
We first consider the procedure HADAMARD(i, q). In the following content, we use S to denote all servers including the untrusted third party. According to Algorithm 2, we can see that given the qubit i encrypted by X a i Z b i P c i where i ⊂ S q , S controls two ancillary qubits Z d i P e i |+ and Z f i P g i |+ , and receives a measurement angle θ i from C, it also generates two measurement outcomes s i , s i ∈ {0, 1} from two independent measurements. We can infer from the below state evolution that the measurement outcomes s i , s i are uniformly random, thus S can obtain no information gain about any encryption keys according to s i and s i .

|φ |+
The only available information to S now is the measurement angle θ i . Let θ i be u i π + v i π 2 , where u i , v i ∈ {0, 1}, then according to Equation (19), we know that u i and v i can be expressed as follows: where u i , v i , and s i are known to S. Intuitively, given u i , v i , and s i , no server can determine the correct values of a i , b i , c i , d i , e i , h i , as there are six variables in two equations. Nevertheless, S may gain some information utilizing u i and v i . For example, if v i = 1, then S can infer that c i e i = 0. Substituting this into Equation (24a), S can obtain a simplified equality Despite this fact, we can show that there is no information leakage about all variables from a i to h i . That is, we prove that in the view of S, the following equality holds true: where the random variable r i represents the possible parameters To see that, we need to know the following simple facts. First, if x, y ∈ {0, 1} and x is uniform, i.e., x ∈ R {0, 1}, then x ⊕ y is also uniform. Second, if x, y ∈ {0, 1} are uniform and let z = x ⊕ y, then Pr[x|z] = Pr[x] = 1/2. Finally, if x, y 1 , y 2 ∈ {0, 1} and x is uniform, let z = x ⊕ (y 1 y 2 ), then Pr[y 1 |z] = Pr[y 1 ]. These three basic facts can be easily verified. With these facts, we can complete our proof. Define   (25), from which we know that the servers can obtain no information gain about a i , b i , c i , d i , e i , f i , g i , h i from the θ i . Thus, after the procedure HADAMARD(i, q), the updated keys a i , b i , c i are also secure.
Finally, we consider the procedure NONLOCAL-CZ({i, j}, q, q ), where {i, j} ∈ S q ∪ S q . Note that in this procedure, S can only obtain two independent and uniform measurement outcomes s i , s j . According to the updating rules shown in Equation (22), we can see that as long as the encryption keys {a i , b i , c i } and {a j , b j , c j } are secure then the updated keys will also be secure against the servers. As a result, we conclude that, from the perspective of all servers, the output state of the computation is still encrypted by a sound quantum one-time pad.

Discussion
In this work, we proposed a secure distributed delegated quantum computation protocol, which allows clients to delegate their private computation to several quantum servers. We have shown that unconditional security of the input and output of the computation can be guaranteed as long as all servers follow the protocol honestly. Nevertheless, there are some notable problems in our work when we consider it in practice. In the end of this paper, we discuss those practical problems.
First, note that our protocol can only work well in a noise-free environment. To make our protocol fault-tolerant, we assume that each quantum server must be capable of performing fault-tolerant quantum computation [41]. However, this would inevitably increase the overhead of ancillary qubits. In addition, we need to consider two channel noises: one is between the client and each server, the other is between the third party and each server. The former will introduce errors in the input state, whereas the latter will introduce errors in the entangled state. There are some methods to remedy this problem. For the input state, the client can utilize some quantum error-correct code [42] to protect each qubit. However, it requires that the client can perform additional quantum operations. As for the entangled state, each pair of servers can use some quantum entanglement distill [43] protocol to obtain the entangled states with high fidelity. Similarly, it requires additional local operations and classical communications between the servers.
Second, note that our protocol can only protect the security of the input and output of the computation. This is because the model of the delegated quantum computation we used in our work is SDQC protocol instead of UBQC protocol. Nevertheless, we can convert, in principle, a SDQC protocol into a UBQC protocol. To do that, we first encode the delegated circuit U as a binary string denoted by C(U). Next, according to the quantum computation theory [44], there exists a universal quantum circuit U such that where the input of the universal circuit U consists of two parts: |+ x is the input state of U and |+ C(U) is the canonical and quantum description of the circuit U. Performing this universal circuit U in our protocol, we can apparently achieve a blind distributed delegated quantum computation. Last, we should note that in this work we only consider the honest servers and the third party who perform the protocol as the client desires. However, a real server may not follow the protocol honestly, and an untrusted third party may prepare some other entangled states for the servers. To detect such a malicious server including the untrusted third party, we should introduce a verification mechanics in our protocol. Indeed, verification is an important topic in the quantum computation theory (see [45,46]). There is an easy way to achieve the verification in our protocol. Specifically, given the delegated circuit U, the client can introduce another small quantum circuit V, for example, a permutation circuit [47], which is easy to simulate on a classical computer. The client then randomly inserts the qubits of V into the circuit U and runs this hybrid circuit on the universal quantum circuit U . After the computation, the client check the result of V; if the result does not match the desired, then the client rejects the output.  In the following content, we simplify this output qubit. For simplicity, we temporarily drop the subscript i and define R z (γ) ≡ Z b P c , that is, γ = (b + c 2 )π. It is easy to check that X a R z (θ)X a = R z ((−1) a θ) for any θ. Thus, the output qubit can be rewritten as follows: R z (β)X s HR z (α − θ)X a⊕s R z (γ) |φ = X s R z (−1) s β HX a⊕s R z (−1) a⊕s (α − θ) R z (γ) |φ = X s R z (−1) s β Z a⊕s HR z γ + (−1) a⊕s (α − θ) |φ = X s R z (−1) s β + (a ⊕ s)π HR z γ + (−1) a⊕s (α − θ) |φ (A2) Let θ = (−1) a⊕s γ + α + hπ, where h ∈ {0, 1}. Note that θ here is seemingly not the same as the one defined in Equation (19). Despite that, we will show they are exactly the same one. Substitute θ in the above equation, we can easily get the following result: X s R z (−1) s β + (a ⊕ s)π HR z − (−1) a⊕s hπ |φ . (A3) As R z is an operator with a period of 2π, which means R z (π) ≡ R z (−π) ≡ Z, thus the output qubit can be expressed as follows: X s R z (−1) s β + (a ⊕ s)π HZ h |φ = X s R z (−1) s β + (a ⊕ s)π X h H |φ = X s ⊕h R z (−1) s ⊕h β + (−1) h (a ⊕ s)π H |φ .