Garbled Quantum Computation
Abstract
:1. Introduction
1.1. Our Contribution
 In Section 3, we present a protocol for secure twoparty quantum computation that we refer to as QYao. This protocol involves two parties with asymmetric roles that wish to securely compute any given unitary on a joint quantum input. Similar to the classical protocol of [22], in QYao, an honestbutcurious (formally defined for the quantum setting in [21]) client capable of preparing only random single qubit and performing constant depth classical computation “garbles” the entire unitary. The fullymalicious server/evaluator receives instructions from the garbler and inserts their input either using a (classical) oblivious transfer (OT) or by a quantum input insertion scheme secure against the honestbutcurious garbler. The evaluator performs the computation, extracts its own output qubits and returns the remaining output qubits to the garbler. After the garbler verifies the computation, the encryption keys of the evaluator output qubits are released. Unlike the classical setting, our proposed QYao protocol is interactive, but importantly, only classical online communication is required. The gain we have, on the other hand, is the boosted security since apart from the initial input exchange where classical OT is needed, the rest of the protocol is unconditionally secure. If one could replace the classical OT’s in our QYao protocol with new primitives, such as the unconditionally secure relativistic primitives [23], the security would be extended to fully unconditional. In Section 4, we prove the security of the protocol in the ideal realworld paradigm using a simulationbased technique.
 In Section 5, we follow the classical approach of [24] and make our QYao protocol noninteractive by using the classical hardware primitive “onetime memory” (OTM), which is essentially a noninteractive oblivious transfer. Using OTM, the need for initial OT calls, in our QYao protocol, is also removed, leading to a onetime universal compiler for any given quantum computation. Such onetime quantum programs can be executed only once, where the input can be chosen at any time. The onetime programs have a wide range of applications ranging from program obfuscation, software protection to temporary transfer of cryptographic ability [24]. Classically, the challenge in lifting the Yao protocol for twoparty computation to a onetime program is addressing the issue of a malicious adversary. However, our QYao protocol is already secure against a malicious evaluator without any extra primitive or added overhead. Our quantum onetime program is therefore a straightforward translation of QYao. The same technique is applicable to essentially any cryptographic protocols developed in the measurementbased model that require offline quantum preparation and online classical communications. In any such MBQC computation, there are exponentially many branches of computation (this expansion is the result of the nondeterministic nature of the intermediate singlequbits measurement that occurs during the computation); however, we prove that a single OTM (of constant size) per computation qubit suffices to make the QYao noninteractive. This is due to the fact that in any constant degree graphstate (the underlying entanglement resources for an MBQC computation), the flow of information acts locally. We prove that this is the case for the required entangled recourse in the verifiable UBQC introduced in [25] that is the basis of our QYao protocol. Hence, each classical message between parties, in the interactive case, depends only on the constant number of previous messages, and this allows us to remove this interaction using a simple constantsize OTM.
1.2. Related Works
2. Preliminaries
2.1. Verifiable Universal Blind Quantum Computation
 We are given a basegraph G that has vertices $v\in V\left(G\right)$ and edges $e\in E\left(G\right)$.
 For each vertex ${v}_{i}$, we define a set of three new vertices ${P}_{{v}_{i}}=\{{p}_{1}^{{v}_{i}},{p}_{3}^{{v}_{i}},{p}_{3}^{{v}_{i}}\}$. These are called primary vertices.
 Corresponding to each edge $e({v}_{i},{v}_{j})\in E\left(G\right)$ of the basegraph that connects the base vertices ${v}_{i}$ and ${v}_{j}$, we introduce a set of nine edges ${E}_{e({v}_{i},{v}_{j})}$ that connect each of the vertices in the set ${P}_{{v}_{i}}$ with each of the vertices in the set ${P}_{{v}_{j}}$.
 We replace every edge in the resulted graph with a new vertex connected to the two vertices originally joined by that edge. The new vertices added in this step are called added vertices. This is the dotted triplegraph $DT\left(G\right)$.
 (i)
 Primary vertices are coloured in one of the three colours, white or black (for traps) and green (for computation). There is an exception for input baselocations (see Step (v)).
 (ii)
 Added vertices are coloured in one of the four colours white, black, green or red.
 (iii)
 In each primary set ${P}_{v}$, there is exactly one vertex of each colour.
 (iv)
 Colouring the primary vertices fixes the colours of the added vertices: added vertices that connect primary vertices of different colour are red; added vertices that connect primary vertices of the same colour get that colour.
 (v)
 For input baselocations, instead of green, we have a blue vertex (but all other rules, including how to connect with the other vertices, apply in the same way as if it were green).
Protocol 1 Verifiable universal blind quantum computation using the dotted triple graph (with faulttolerant encoding); taken from [25]. 
We assume that a standard labelling of the vertices of the dotted triplegraph $DT\left(G\right)$, is known to both the client and the server. The number of qubits is at most $3N(3c+1)$ where c is the maximum degree of the base graph G. • Client’s resources – Client is given a base graph G. The corresponding dotted graph state $\leftD\left(G\right)\right.\u232a$ is generated by graph $D\left(G\right)$ that is obtained from G by replacing every edge with a new vertex connected to the two vertices originally joined by that edge. – Client is given an MBQC measurement pattern ${\mathbb{M}}_{\mathrm{Comp}}$ which: Applied on the dotted graph state $\leftD\left(G\right)\right.\u232a$ performs the desired computation, in a faulttolerant way, that can detect or correct errors fewer than $\delta /2$. – Client generates the dotted triplegraph $DT\left(G\right)$, and selects a trapcolouring according to Definition 1 which is done by choosing independently the colours for each set ${P}_{v}$. – Client for all red vertices will send dummy qubits and thus performs break operation. – Client chooses the green graph to perform the computation. – Client for the white graph sends dummy qubits for all added qubits ${a}_{w}^{e}$ and thus generates white isolated qubits at each primary vertex set ${P}_{v}$. Similarly for the black graph the client sends dummy qubits for the primary qubits ${p}_{b}^{v}$ and thus generates black isolated qubits at each added vertex set ${A}_{e}$. – The dummy qubits position set D is chosen as defined above (fixed by the trapcolouring). – A binary string $\mathbf{s}$ of length at most $3N(3c+1)$ represents the measurement outcomes. It is initially set to all zero’s. – A sequence of measurement angles, $\varphi ={\left({\varphi}_{i}\right)}_{1\le i\le 3N(3c+1)}$ with ${\varphi}_{i}\in A=\{0,\pi /4,\cdots ,7\pi /4\}$, consistent with ${\mathbb{M}}_{\mathrm{Comp}}$. We define ${\varphi}_{i}^{\prime}({\varphi}_{i},\mathbf{s})$ to be the measurement angle in MBQC, when corrections due to previous measurement outcomes $\mathbf{s}$ are taken into account (the function depends on the specific basegraph and its flow, see e.g., [3]). We also set ${\varphi}_{i}^{\prime}=0$ for all of the trap and dummy qubits. The Client chooses a measurement order on the dotted basegraph $D\left(G\right)$ that is consistent with the flow of the computation (this is known to Server). The measurements within each set ${P}_{v},{A}_{e}$ of $DT\left(G\right)$ graph are ordered randomly. – $3N(3c+1)$ random variables ${\theta}_{i}$ with value taken uniformly at random from A. – $3N(3c+1)$ random variables ${r}_{i}$ and $\leftD\right$ random variable ${d}_{i}$ with values taken uniformly at random from $\{0,1\}$. – A fixed function $C(i,{\varphi}_{i},{\theta}_{i},{r}_{i},\mathbf{s})={\varphi}_{i}^{\prime}({\varphi}_{i},\mathbf{s})+{\theta}_{i}+\pi {r}_{i}$ that for each nonoutput qubit i computes the angle of the measurement of qubit i to be sent to the Server. • Initial Step – Client’s move: Client sets all of the values in $\mathbf{s}$ to be 0 and prepares the input qubits as
$$\begin{array}{c}\lefte\right.\u232a={X}^{{x}_{1}}Z\left({\theta}_{1}\right)\otimes \dots \otimes {X}^{{x}_{l}}Z\left({\theta}_{l}\right)\leftI\right.\u232a\hfill \end{array}$$
$$\begin{array}{ccc}\forall i\in D\hfill & \phantom{\rule{0.277778em}{0ex}}\phantom{\rule{0.277778em}{0ex}}\phantom{\rule{0.277778em}{0ex}}\hfill & \left{d}_{i}\right.\u232a\hfill \\ \forall i\notin D\hfill & \phantom{\rule{0.277778em}{0ex}}\phantom{\rule{0.277778em}{0ex}}\phantom{\rule{0.277778em}{0ex}}\hfill & \prod _{j\in {N}_{G}\left(i\right)\cap D}{Z}^{{d}_{j}}\left{+}_{{\theta}_{i}}\right.\u232a\hfill \end{array}$$
– Server’s move: Server receives $3N(3c+1)$ single qubits and entangles them according to $DT\left(G\right)$. – Continues to Protocol 2 
Protocol 2 Continuing from Protocol 1: VUBQC with DT(G). 
• Step $i:\phantom{\rule{0.277778em}{0ex}}1\le i\le 3N(3c+1)$ – Client’s move: Client computes the angle ${\delta}_{i}=C(i,{\varphi}_{i},{\theta}_{i},{r}_{i},\mathbf{s})$ and sends it to the Server. – Server’s move: Server measures qubit i with angle ${\delta}_{i}$ and sends the Client the result ${b}_{i}$. – Client’s move: Client sets the value of ${s}_{i}$ in $\mathbf{s}$ to be ${b}_{i}+{r}_{i}$. • Final Step: – Server’s move: Server returns the last layer of qubits (output layer) to the Client. • Verification – After obtaining the output qubits from the Server, the Client measures the output trap qubits with angle ${\delta}_{t}={\theta}_{t}+{r}_{t}\pi $ to obtain ${b}_{t}$. – Client accepts if ${b}_{i}={r}_{i}$ for all of the white (primary) and black (added) trap qubits i. 
2.2. TwoParty Quantum Protocols
 1.
 input spaces ${\mathcal{A}}_{0},{\mathcal{B}}_{0}$ and memory spaces ${\mathcal{A}}_{1},\cdots ,{\mathcal{A}}_{n}$ and ${\mathcal{B}}_{1},\cdots ,{\mathcal{B}}_{n}$
 2.
 ntuple of quantum operations $({L}_{1}^{A},\cdots ,{L}_{n}^{A})$ and $({L}_{1}^{B},\cdots ,{L}_{n}^{B})$ such that ${L}_{i}^{A}:L\left({\mathcal{A}}_{i1}\right)\to L\left({\mathcal{A}}_{i}\right)$ and similarly for ${L}_{i}^{B}$.
 3.
 ntuple of oracle operations $({\mathcal{O}}_{1},\cdots ,{\mathcal{O}}_{n})$ where each oracle is a global operation for that step, ${\mathcal{O}}_{i}:L({\mathcal{A}}_{i}\otimes {\mathcal{B}}_{i})\to L({\mathcal{A}}_{i}\otimes {\mathcal{B}}_{i})$
 1.
 operations where ${\mathcal{S}}_{i}:L\left({\mathcal{A}}_{0}\right)\to L\left(\tilde{{\mathcal{A}}_{i}}\right)$,
 2.
 sequence of bits $q\in {\{0,1\}}^{n}$ determining if the simulator calls the ideal functionality at step i (${q}_{i}=1$ calls the ideal functionality).
3. Secure TwoParty Quantum Computation
3.1. Server’s Input Injection
3.2. Server’s Output Extraction
3.3. The QYao Protocol
Protocol 3 Server’s input injection 
Setting: • The server has input $\left{\mathsf{\Phi}}_{S}\right.\u232a$ that corresponds to specific positions ${I}_{S}$ of the input layer of the basegraph. For each i qubit, server chooses pair of secret bits $({m}_{x,i},{m}_{z,i})$. Instructions:
Outcome: • The server receives a DT(G), where the quantum input is the joint input of the client and server and the related measurement angles instructions perform the desired unitary operation, if the client is honest. 
Protocol 4 Server’s output extraction. 
Setting: • The server has the state ${\mathrm{Tr}}_{C}\left(\left\psi \left(f\right)\right.\u232a\right)$ at the corresponding positions ${O}_{S}$ of their output baselocations of the DT(G). For each i qubit, server chooses pair of secret bits $({m}_{x,i},{m}_{z,i})$. Instructions:
Outcome: • The server obtains the computation qubits of their output baselocations unpadded ${\mathrm{Tr}}_{C}\left(U({\left\mathsf{\Psi}\right.\u232a}_{C},{\left\mathsf{\Phi}\right.\u232a}_{S})\right)$. 
Protocol 5 Secure 2PQCQYao. 
Input:
Output:
The protocol

4. Proof of the Privacy of the QYao Protocol
4.1. Client’s Simulators
 The simulator runs the protocol with fixed but random input ${\phi}^{\ast}$, to obtain ${\rho}_{i}\left({\phi}^{\ast}\right)$.
 The simulator obtains the fixed state $\widehat{{\rho}_{i}}$ and the isometry ${T}_{i}$, which are both independent of the input.
 The simulated view is then defined to be:$$\begin{array}{c}\hfill {\nu}_{i}(\tilde{C},{\rho}_{in}):={\mathrm{Tr}}_{{\mathcal{H}}_{{S}_{i}}}\left(({T}_{i}^{\u2020}\otimes \mathbb{I})(\widehat{{\rho}_{i}}\otimes {\rho}_{i}\left({\phi}^{\ast}\right))\right)\end{array}$$
 By ${k}^{S},{k}^{C}$, we define the padding of the server’s and client’s output, respectively. In more detail, these keys are functions of the trapcolouring (trap positions) of the last layer, the rotations $\theta $, the secret parameters r’s and measurement results b’s of the previous two layers. We collectively denote the rest, i.e., all of the other secret keys, as ${k}^{R}$.
 We also assume that the classical measurement outcomes b’s are in the Hilbert space of the client, while being classical and public, could be copied to the server’s Hilbert space as well (adding this copy does not affect the client’s simulators and complicates the notation). Moreover, classical results corresponding to trap measurements are denoted ${b}_{t}$, while other results are simply denoted b. The trap measurements outcomes (in the honest run) are ${b}_{t}={r}_{t}$, where ${r}_{t}$ is one of the secret parameters included in ${k}^{R}$.
 The final layer (unmeasured) qubits are separated into: (i) output qubits (those of the server and the client; and it includes the purification of their inputs), (ii) dummy qubits collectively denoted ${d}^{S},{d}^{C}$ for server/client unmeasured dummies and (iii) trap qubits denoted as ${\theta}_{t}^{S},{\theta}_{t}^{C}$. The dummies and trap qubits are in the tensor product with the rest (in the honest run).
 The Hilbert spaces containing the output qubits (and the related purification of honest run) are denoted ${\mathcal{H}}_{{S}_{o}},{\mathcal{H}}_{{C}_{o}}$, while the remaining qubits are ${\mathcal{H}}_{S},{\mathcal{H}}_{C}$.
 For brevity, we denote $\left[b\right]:=\leftb\right.\u232a\left.\u2329b\right$ and use the analogous notation for other states.
 The simulator obtains from the client the choice of secret keys ${k}^{C},{k}^{S},{k}^{R}$ (that can be viewed as part of the client’s input).
 The simulator sets ${b}_{t}={r}_{t}$. For the other measurement outcomes b, the simulator chooses randomly a bit value (to ensure that the b’s obtained are indistinguishable from the real honest protocol, the simulator can run the full protocol with some random input $\phi $. Since in the honest run, the values of b’s do not depend on (are not correlated to) the input, the outcomes that the simulator returns would be indistinguishable from those of a run with the correct input. Finally, speciousness ensures that this state is also close to the real protocol).
 The simulator, using the previous steps, constructs the state $\sigma $.
 The simulator uses the state $\widehat{{\rho}_{i}}$ from Lemma 1 for the ith step, which is a fixed state (independent of the input).
 The simulator calls the ideal functionality and receives the state ${\mathrm{Tr}}_{{\mathcal{H}}_{{S}_{o}}}\left({\rho}_{i}\left({\rho}_{in}\right)\right)$.
 The simulator uses the keys and the state received from the ideal functionality and constructs ${\mathrm{Tr}}_{{\mathcal{H}}_{{S}_{o}}}\left(\varrho ({\rho}_{in},{k}^{C},{k}^{S})\right)$.
 The simulator obtains the operator ${\mathcal{T}}_{i}$ from the definition of specious and constructs the isometry ${T}_{i}$ acting from ${\mathcal{H}}_{\tilde{C}}\to {\mathcal{H}}_{C}\otimes {\mathcal{H}}_{\widehat{C}}$.
 The simulated view is then:$$\begin{array}{c}\hfill \nu (\tilde{C},{\rho}_{in}):={\mathrm{Tr}}_{{\mathcal{H}}_{S}}\left(({T}_{i}^{\u2020}\otimes \mathbb{I})\left(\widehat{{\rho}_{i}}\otimes {\mathrm{Tr}}_{{\mathcal{H}}_{{S}_{o}}}\left(\varrho ({\rho}_{in},{k}^{C},{k}^{S})\right)\otimes \sigma \right)\right)\end{array}$$
4.2. Server’s Simulators
 The simulator prepares multiple Bell states $\left\psi \right.\u232a=\frac{1}{\sqrt{2}}(\left01\right.\u232a+\left10\right.\u232a)$, sends the one qubit of each pair to the server and instructs them to entangle the qubits as it would in the normal protocol.
 The simulator for each qubit chooses randomly an angle ${\delta}_{i}$ and instructs the server to measure in this angle.
 The simulator obtains from the server’s (malicious) strategy the parameter ${p}_{ok}$ (see Equation (6)).
 With probability $(1{p}_{ok})$, the simulator returns an abort. Otherwise, it performs the remaining steps.
 The simulator calls the ideal functionality and obtains the state ${\mathrm{Tr}}_{{\mathcal{H}}_{C}}\left(U\left({\rho}_{in}^{\prime}\right)\right)$, where ${\rho}_{in}^{\prime}=({\mathbb{I}}_{{\mathcal{H}}_{C}}\otimes {D}_{{\mathcal{H}}_{S}})\xb7{\rho}_{in}$ is the deviated input that the corrupted server inputs.
 The simulator encrypts the outcome using ${k}^{S}$, and sends the output qubits of the server back in the state: ${E}_{{k}^{S}}\left({\mathrm{Tr}}_{{\mathcal{H}}_{C}}\left(U\left({\rho}_{in}^{\prime}\right)\right)\right)$
 The simulator returns the keys ${k}^{S}$ to the server.
5. NonInteractive QYao
Protocol 6 Preparation of OTMs for noninteractive QYao. 
Description of OTM’s: We will use an (at most) one out of K OTM, where $K={2}^{{max}_{i}\leftE{P}_{i}\right}$. Note, that the first layer does not need an OTM, since (i) we give the angle directly (does not depend on anything) and (ii) there is no trap in the previous layer and thus no need to give a flag. Moreover, for the last layer, while the qubits are not measured (and thus there is no corresponding angle $\delta $) we will use an OTM to obtain the last flags (that correspond to testing traps in the previous layers).

Protocol 7 Noninteractive QYao. 
Assumptions Client and server want to jointly compute a unitary as in Protocol 5. The client has N OTM’s that are 1outofK, i.e., one OTM per qubit, with sufficient entries to store a pair of $({\delta}_{i},{l}_{i})$ measurement angle and flag bitstring (of length at least $m\ge log(\frac{1}{\u03f5}+1)$), for each extended influence past of the qubit. Protocol

6. Conclusions
Acknowledgments
Author Contributions
Conflicts of Interest
Abbreviations
UBQC  Universal blind quantum computation 
MBQC  Measurementbased quantum computation 
VBQC  Verifiable blind quantum computation 
QYao  Quantum “Yao” protocol 
OT  Oblivious transfer 
OTM  Onetime memory 
DT(G)  Dotted triple graph 
2PQC  Secure twoparty quantum computation 
Appendix A. MeasurementBased Quantum Computation
Appendix B. On Specious Adversaries Definitions
Appendix B.1. Restricting to Classical Inputs
Appendix B.2. About the Secret Random Parameters
Appendix B.3. Regarding Secure SWAP NoGo Theorem
Appendix C. Examples
Appendix C.1. Example for Protocol 5
Appendix C.2. Example for Protocol 7
Qubit  Influencepast  Extended influencepast  Nontrivial flag dependence 
13  ∅  $\{1,2,3,4,7,10\}$  $\{2,10\}$ 
14  $\{1,5\}$  $\{1,2,3,5,8,11\}$  $\left\{2\right\}$ 
15  ∅  $\{1,2,3,6,9,12\}$  $\left\{2\right\}$ 
Appendix D. Proof of Commuting
References
 Childs, A. Secure assisted quantum computation. Quant. Inf. Compt. 2005, 5, 456. [Google Scholar]
 Arrighi, P.; Salvail, L. Blind Quantum Computation. Int. J. Quant. Inf. 2006, 4, 883–898. [Google Scholar] [CrossRef]
 Broadbent, A.; Fitzsimons, J.; Kashefi, E. Universal blind quantum computation. In Proceedings of the 50th Annual Symposium on Foundations of Computer Science, Atlanta, GA, USA, 25–27 October 2009; pp. 517–526. [Google Scholar]
 Aharonov, D.; BenOr, M.; Eban, E. Interactive Proofs for Quantum Computations. Proceedings of Innovations in Computer Science 2010, Beijing, China, 5–7 January 2010; pp. 453–469. [Google Scholar]
 Reichardt, B.W.; Unger, R.F.; Vazirani, U. Classical command of quantum systems. Nature 2013, 496, 456–460. [Google Scholar] [CrossRef] [PubMed]
 Broadbent, A.; Gutoski, G.; Stebila, D. Quantum OneTime Programs. In Advances in Cryptology—CRYPTO 2013; Canetti, R., Garay, J., Eds.; Springer: Berlin/Heidelberg, Germany, 2013; Volume Voume 8043, pp. 344–360. [Google Scholar]
 Raussendorf, R.; Briegel, H.J. A OneWay Quantum Computer. Phys. Rev. Lett. 2001, 86, 5188–5191. [Google Scholar] [CrossRef] [PubMed]
 Nickerson, N.H.; Fitzsimons, J.F.; Benjamin, S.C. Freely scalable quantum technologies using cells of 5to50 qubits with very lossy and noisy photonic links. Phys. Rev. X 2014, 4, 041041. [Google Scholar] [CrossRef]
 Barz, S.; Kashefi, E.; Broadbent, A.; Fitzsimons, J.F.; Zeilinger, A.; Walther, P. Demonstration of blind quantum computing. Science 2012, 335, 303. [Google Scholar] [CrossRef] [PubMed]
 Fitzsimons, J.F.; Kashefi, E. Unconditionally verifiable blind computation. arXiv 2012. [Google Scholar]
 Kapourniotis, T.; Kashefi, E.; Datta, A. Blindness and Verification of Quantum Computation with One Pure Qubit. In Proceedings of the 9th Conference on the Theory of Quantum Computation, Communication and Cryptography (TQC 2014), Singapore, 21–23 May 2014; pp. 176–204. [Google Scholar]
 Gheorghiu, A.; Kashefi, E.; Wallden, P. Robustness and device independence of verifiable blind quantum computing. New J. Phys. 2015, 17, 083040. [Google Scholar] [CrossRef]
 Kapourniotis, T.; Dunjko, V.; Kashefi, E. On optimising quantum communication in verifiable quantum computing, 2015. In Proceedings of the 15th Asian Quantum Information Science Conference (AQISC 2015), Seoul, Korea, 25–28 August 2015; pp. 23–25. [Google Scholar]
 Dunjko, V.; Fitzsimons, J.F.; Portmann, C.; Renner, R. Composable Security of Delegated Quantum Computation. In Advances in Cryptology; Springer: Kaoshiung, Taiwan, 2014. [Google Scholar]
 McKague, M. Interactive proofs for BQP via selftested graph states. arXiv 2013. [Google Scholar]
 Broadbent, A. How to verify a quantum computation. arXiv 2015. [Google Scholar]
 Gheorghiu, A.; Wallden, P.; Kashefi, E. Rigidity of quantum steering and onesided deviceindependent verifiable quantum computation. New J. Phys. 2017, 19, 023043. [Google Scholar] [CrossRef]
 Dupuis, F.; Nielsen, J.B.; Salvail, L. Actively secure twoparty evaluation of any quantum operation. In Advances in Cryptology—CRYPTO 2012; Springer: Santa Barbara, CA, USA, 2012; pp. 794–811. [Google Scholar]
 Dunjko, V.; Kashefi, E. Blind quantum computing with two almost identical states. arXiv 2016. [Google Scholar]
 Maurer, U.; Renner, R. Abstract cryptography. In Innovations in Computer Science; Citeseer: Beijing, China, 2011. [Google Scholar]
 Dupuis, F.; Nielsen, J.B.; Salvail, L. Secure twoparty quantum evaluation of unitaries against specious adversaries. In Advances in Cryptology—CRYPTO 2010; Springer: Santa Barbara, CA, USA, 2010; pp. 685–706. [Google Scholar]
 Yao, A. How to generate and exchange secrets. In Proceedings of the 27th Annual Symposium on Foundations of Computer Science, Toronto, ON, Canada, 27–29 October 1986; pp. 162–167. [Google Scholar]
 Kent, A. Unconditionally secure bit commitment. Phys. Rev. Lett. 1999, 83, 1447. [Google Scholar] [CrossRef]
 Goldwasser, S.; Kalai, Y.T.; Rothblum, G.N. Onetime programs. In Advances in Cryptology—CRYPTO 2008; Springer: Santa Barbara, CA, USA, 2008; pp. 39–56. [Google Scholar]
 Kashefi, E.; Wallden, P. Optimised resource construction for verifiable quantum computation. J. Phys. A Math. Theor. 2017, 50, 145306. [Google Scholar] [CrossRef]
 Bennett, C.; Brassard, G.; Ekert, A. Quantum cryptography. In Progress in Atomic physics Neutrinos and Gravitation, Proceedings of the XXVIIth Rencontre de Moriond, Les Arcs, Savoie, France, 25 January–1 February 1992; Atlantica Séguier Frontières: Biarritz, France, 1992; p. 371. [Google Scholar]
 Broadbent, A.; Schaffner, C. Quantum cryptography beyond quantum key distribution. Des. Codes Cryptogr. 2016, 78, 351–382. [Google Scholar] [CrossRef]
 Alagic, G.; Fefferman, B. On quantum obfuscation. arXiv 2016. [Google Scholar]
 Hayashi, M.; Morimae, T. Verifiable measurementonly blind quantum computing with stabilizer testing. arXiv 2015. [Google Scholar]
 Dulek, Y.; Schaffner, C.; Speelman, F. Quantum homomorphic encryption for polynomialsized circuits. arXiv 2016. [Google Scholar]
 Kashefi, E.; Pappa, A. Blind multiparty quantum computing. 2016; in preparation. [Google Scholar]
 Abraham, I.; Dolev, D.; Gonen, R.; Halpern, J. Distributed Computing Meets Game Theory: Robust Mechanisms for Rational Secret Sharing and Multiparty Computation. In Proceedings of the Twentyfifth Annual ACM Symposium on Principles of Distributed Computing, Denver, CO, USA, 23–26 July 2006; pp. 53–62. [Google Scholar]
 Kol, G.; Naor, M. Cryptography and game theory: Designing protocols for exchanging information. In Theory of Cryptography; Springer: New York, NY, USA, 2008; pp. 320–339. [Google Scholar]
 Eisert, J.; Wilkens, M.; Lewenstein, M. Quantum Games and Quantum Strategies. Phys. Rev. Lett. 1999, 83, 3077–3080. [Google Scholar] [CrossRef]
 Pappa, A.; Kumar, N.; Lawson, T.; Santha, M.; Zhang, S.; Diamanti, E.; Kerenidis, I. Nonlocality and Conflicting Interest Games. Phys. Rev. Lett. 2015, 114, 020401. [Google Scholar] [CrossRef] [PubMed]
 Childs, A.M.; Leung, D.W.; Nielsen, M.A. Unified derivations of measurementbased schemes for quantum computation. Phys. Rev. A 2005, 71, 032318. [Google Scholar] [CrossRef]
 Danos, V.; Kashefi, E.; Panangaden, P. The Measurement Calculus. J. ACM 2007, 54, 8. [Google Scholar] [CrossRef]
 Hein, M.; Eisert, J.; Briegel, H.J. Multiparty entanglement in graph states. Phys. Rev. A 2004, 69, 062311. [Google Scholar] [CrossRef]
 Naor, M.; Pinkas, B. Oblivious transfer and polynomial evaluation. In Proceedings of the ThirtyFirst Annual ACM Symposium on Theory of computing, Atlanta, GA, USA, 1–4 May 1999; pp. 245–254. [Google Scholar]
 Gennaro, R.; Gentry, C.; Parno, B. Noninteractive verifiable computing: Outsourcing computation to untrusted workers. In Advances in Cryptology—CRYPTO 2010; Springer: Santa Barbara, CA, USA, 2010; pp. 465–482. [Google Scholar]
 Danos, V.; Kashefi, E. Determinism in the oneway model. Phys. Rev. A 2006, 74, 052310. [Google Scholar] [CrossRef]
 Browne, D.E.; Kashefi, E.; Mhalla, M.; Perdrix, S. Generalized flow and determinism in measurementbased quantum computation. New J. Phys. 2007, 9, 250. [Google Scholar] [CrossRef]
 Goldreich, O.; Micali, S.; Wigderson, A. How to Play ANY Mental Game. In Proceedings of the Nineteenth Annual ACM Symposium on Theory of Computing, New York, NY, USA, 25–27 May 1987; pp. 218–229. [Google Scholar]
 Kashefi, E.; Music, L.; Wallden, P. The Quantum CutandChoose Technique and Quantum TwoParty Computation. arXiv 2017. [Google Scholar]
© 2017 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/).
Share and Cite
Kashefi, E.; Wallden, P. Garbled Quantum Computation. Cryptography 2017, 1, 6. https://doi.org/10.3390/cryptography1010006
Kashefi E, Wallden P. Garbled Quantum Computation. Cryptography. 2017; 1(1):6. https://doi.org/10.3390/cryptography1010006
Chicago/Turabian StyleKashefi, Elham, and Petros Wallden. 2017. "Garbled Quantum Computation" Cryptography 1, no. 1: 6. https://doi.org/10.3390/cryptography1010006