On the Possibility of Classical Client Blind Quantum Computing

Abstract

Classical client remote state preparation (CC − RSP) is a primitive where a fully classical party (client) can instruct the preparation of a sequence of random quantum states on some distant party (server) in a way that the description is known to the client but remains hidden from the server. This primitive has many applications, most prominently, it makes blind quantum computing possible for classical clients. In this work, we give a protocol for classical client remote state preparation, that requires minimal resources. The protocol is proven secure against honest-but-curious servers and any malicious third party in a game-based security framework. We provide an instantiation of a trapdoor (approximately) 2-regular family of functions whose security is based on the hardness of the Learning-With-Errors problem, including a first analysis of the set of usable parameters. We also run an experimentation on IBM’s quantum cloud using a toy function. This is the first proof-of-principle experiment of classical client remote state preparation.

Contents
1	Introduction and Related Works	3
	1.1      Related Work	3
	1.2      Our Contributions	4
	1.3      Applications	5
	1.4      Overview of the Protocol and Proof	6
2	Preliminaries	9
	2.1      Classical Definitions	9
	2.2      Quantum Definitions	11
3	CC − RSPθ Primitive	11
4	The Real Protocol	12
5	Security of HBC − QFactory	15
	5.1      Game-Based Security Definition	15
	5.2      Game-Based Security of HBC − QFactory	16
	5.3      Hardcore Function θ	18
6	Function Constructions	20
	6.1      Obtaining Two-Regular, Collision Resistant/Second Preimage Resistant, Trapdoor One-Way Functions	20
	6.2      Injective, Homomorphic Quantum-Safe Trapdoor One-Way Function from LWE	24
	6.3      A Suitable δ-2 Regular Trapdoor Function	25
	6.4      Parameter Choices	27
7	Implementation of HBC−QFactory on IBM Quantum Cloud	28
	7.1      Function Construction for Simulation	28
	7.2      Results of Implementation of HBC−QFactory	29
	7.2.1      Randomness	29
	7.2.2      Correctness	29
8	Conclusions	31
	8.1      Summary of Results and Discussion	31
	8.2      Future Directions	32
A	CC−RSPθ within Several Applications	33
B	Full Proof of Theorem 7	34
C	Proof of Theorem 9	41
D	Proof of Theorem 11	42
	D.1      δ-2 Regularity	43
	D.2      Collision Resistance	45
	D.3      One-Wayness	45
	D.4      Trapdoor	46
E	Proof of Lemma 7	46
References		48

1. Introduction and Related Works

The recent interest in quantum technologies has brought forward a vision of quantum internet [1] that could implement a collection of known protocols for enhanced security or communication complexity [2]. On the other hand, the rapid development of quantum hardware has increased the computational capacity of quantum servers that could be linked in such a communicating network. This raised the necessity and importance of privacy-preserving functionalities such as the research developed around quantum computing on encrypted data (see a recent review in [3]).

However, there exist some challenges in adapting widely the above vision: A reliable long-distance quantum communication network connecting all the interested parties might be very costly and hard to realize. Moreover, currently, some of the most promising quantum computation devices (e.g., superconducting such as the devices developed by IBM, Google) do not yet offer the possibility of “networked” architecture, i.e., cannot receive and send quantum states.

Therefore, given the crucial role of quantum cloud services, the most important challenge imposing practicality limitations refers to the need of quantum communication. On the one hand, quantum communication is required for the most secure quantum computing primitives, but also for the development of extended quantum communication networks reaching all interested parties (even those with light devices) that need to ensure the compatibility between different quantum communication and computing platforms. For this reason, there has been extensive research focusing on the practicality aspect of quantum delegated computation protocols (and related functionalities). One direction is to reduce the required communications by exploiting classical fully-homomorphic-encryption schemes [4,5,6], or by defining their direct quantum analogues [7,8,9,10]. Different encodings, on the client-side, could also reduce the communication [11,12]. However, in all these approaches the client still requires some quantum capabilities. While no-go results indicate restrictions on which of the above properties are jointly achievable for classical clients [13,14,15,16], completing this picture remains an open problem.

Another very important direction is to consider fully-classical client protocols, compatible with the no-go results, that can therefore achieve more restricted levels of security. The first such procedure achieving statistical security (but not for universal computations) was proposed in [17].

In recent breakthrough results of Mahadev [18], a universal blind delegated protocol for a fully-classical client was proposed under post-quantum computational security. This work, as well as the result of Brakerski [19] which improves the security of [18], proposed quantum fully homomorphic encryption schemes for quantum computations.

The solution we propose in this work, takes a different modular approach. We replace the need for a quantum communication with a classical primitive mimicking a quantum channel. Specifically, what we define and achieve is a version of “classical client remote state preparation” (CC − RSP) formally defined in [20], where the security is post-quantum in the honest-but-curious model.

Note: We first introduced this primitive and the protocol presented here, in a preprint in 2018 that was also presented in QCrypt ’18, which appeared in between the above mentioned works, but was not published. Here we present an extended version of that work, where we have extended our initial work with a series of results which include: the formal proof of security in a game-based framework and realising the first proof-of-principle experiment on a quantum cloud service of such a primitive using a small-scale toy function.

1.1. Related Work

The first proposal for a fully-classical delegated quantum computation protocol appeared in [18], followed by another classical fully homomorphic encryption scheme for quantum computation with improved security parameters in [19]. However, unlike their solution, our approach is modular, as the primitive we propose can be used for a number of functionalities, including delegation of quantum computations (such as [21]), to replace the required quantum communication and make the functionalities directly accessible to classical parties.

Following the introduction of this family of primitives, known as classical client remote state preparation (CC − RSP), in our earlier work [22] (version 2), more works have arose that present constructions of CC − RSP achieving security against arbitrarily deviating, computationally bounded, adversaries. In [23], it is provided a CC − RSP protocol, whose security holds against any malicious server. Concurrently in [24], the authors provide a verifiable version of this CC − RSP primitive with composable security, but under some assumption known as “measurement buffer”. A thorough analysis for the security of this important class of resources was given in [20], where it is shown that the family of CC − RSP cannot be composably-secure unless they leak the description of the produced quantum state to the adversary. In the recent work of [25], the author proposes a delegated quantum computation protocol in which the quantum communication is independent of the size of the computation and depends only (polynomially) on the security parameter (and where the size of the quantum circuit the client has to perform, is also polynomial in the security parameter). This property referred here as “succinct” complexity for the client is achieved in a protocol whose security is proven in the quantum random oracle model. For more details on the general topic of quantum cryptography there are numerous reviews (see for example [26,27]).

1.2. Our Contributions

• We define the primitive classical client remote state preparation (${\mathsf{CC}-\mathsf{RSP}}_{\theta }$) in Section 3. In the earlier version of this work we called this primitive secret random qubit generator, but we switched to the term remote state preparation (RSP), which is the terminology established by the quantum cryptography community. The parameter $\theta$ refers to the set of quantum states produced by the primitive, which are the quantum states ${\left\{\left|{+}_{\theta }\right.〉\right\}}_{\theta \in \{0,\cdots ,7\pi /4\}}$. ${\mathsf{CC}-\mathsf{RSP}}_{\theta }$ can replace the need for quantum channel between parties in certain quantum communication protocols with the trade-off that the protocols become computationally secure (against quantum adversaries).
• We give a basic protocol ($\mathsf{HBC}-\mathsf{QFactory}$) that achieves this functionality from a correctness point of view, given a trapdoor one-way function that is quantum-safe, two-regular and collision resistant in Section 4 and prove its correctness.
• We prove the security of the $\mathsf{HBC}-\mathsf{QFactory}$ against honest-but-curious server (server follows the protocol specifications, but can try to infer any information about the secret from the classical transcripts) or against any malicious third party using a game-based security definition. To show the security, we prove that the classical description of the generated qubits is a hard-core function (following a reduction similar to that of the Goldreich–Levin Theorem) in Section 5.
• While the above-mentioned results do not depend on the specific function used, the existence of such specific functions (with all desired properties) makes the ${\mathsf{CC}-\mathsf{RSP}}_{\theta }$ a practical primitive that can be employed as described in this paper. In Section 6, we first give methods for obtaining two-regular trapdoor one-way functions with extra properties (collision resistant or second preimage resistant) assuming the existence of simpler trapdoor one-way functions (permutation trapdoor or homomorphic, injective trapdoor functions). We use reductions to prove that the resulting functions maintain all the properties required. Furthermore, we give in Section 6.3 an explicit family of functions that respect all the required properties based on the security of the Learning-With-Errors problem as well as a possible instantiation of the parameters. This function is also quantum-safe, and thus directly applicable for our setting. Note, that other functions may also be used, such as the one in [28] or functions based on the Niederreither cryptosystem and the construction in [29].
• Finally, we implement $\mathsf{HBC}-\mathsf{QFactory}$ on the quantum computer IBM Quantum Experience using a toy function (given the current limited number of available qubits we consider a 2-regular function acting on a small number of bits, consequently, it cannot be post-quantum secure). Hence, we provide in addition to the theoretical results, an experimental evidence of the correctness and output distribution of the $\mathsf{HBC}-\mathsf{QFactory}$ protocol on a real quantum device. This is the first implementation of an $\mathsf{RSP}-\mathsf{CC}$ protocol on a quantum cloud service.

1.3. Applications

The ${\mathsf{CC}-\mathsf{RSP}}_{\theta }$ primitive, viewed as a resource, has a wide range of applications. Here we give a general overview of the applications, while for details on how to use the exact output of the ${\mathsf{CC}-\mathsf{RSP}}_{\theta }$ obtained in this paper in specific protocols, we refer the reader to Appendix A. ${\mathsf{CC}-\mathsf{RSP}}_{\theta }$ enables fully-classical parties to participate in many quantum protocols using only public classical channels and a single (potentially malicious) quantum server.

The first type of applications concerns a large class of delegated quantum computation protocols, including blind quantum computation and verifiable blind quantum computation. These protocols are of great importance, enabling information-theoretically secure (and verifiable) access to a quantum cloud. However, the requirement for quantum communication limits their domain of applicability. This limitation is removed by replacing the off-line preparation stage with our $\mathsf{HBC}-\mathsf{QFactory}$ protocol. Concretely, we can use $\mathsf{HBC}-\mathsf{QFactory}$ to implement the blind quantum computation protocol of [21], as well as the verifiable blind quantum computation protocols (e.g., those in [30,31,32]), in order to achieve classical client secure and verifiable access to a quantum cloud.

In all these cases, the cost of using ${\mathsf{CC}-\mathsf{RSP}}_{\theta }$ is that the security becomes post-quantum computational (from information-theoretic). However, the possibility of information-theoretically secure classical client blind quantum computation seems highly unlikely due to strong complexity-theoretic arguments given in [15] and therefore this is the best we could hope for.

The second type of applications involves a more general family of protocols for which their quantum communication consists of random single qubits similar to those provided by the QFactory, such as: quantum-key-distribution [33], quantum money [34], quantum coin-flipping [35], quantum signatures [36], etc.

In the two previous families of applications, QFactory can be used in order to replace quantum clients with classical clients. There is a third type of applications of QFactory that is quite novel: QFactory could be used in order to improve the efficiency and security of some protocols. More specifically, it could be used in protocols where each party needs to make sure that all the other parties are honest. Three major examples of such applications would be the following: two-party quantum computation [37,38], multiparty quantum computation [39] and quantum one-time programs [40]. Indeed, most of these protocols suffer from the fact that one party could try to cheat by sending malicious states instead of the honest single qubit states. Using QFactory, all communications between the client(s) and the server become classical and this observation can be exploited to use classical techniques (e.g., zero-knowledge proofs) to achieve exponential security. Specifically, because of this issue, ref. [39] is proven secure only when there is no dishonest coalition between some clients and the server, while some other works like [38] try to resolve this issue by using a “cut-and-choose” technique where the client sends s qubits, as well as s commitments to their corresponding classical descriptions. All but one commitment are opened for testing and the remaining qubit is then used in the actual computation, leading to a security level of $\frac{1}{s}$, i.e., security that can grow only linearly with the security parameter. QFactory can improve this in the following way. To make sure that the client(s) behave honestly, the client(s) are requested to send a (post-quantum, but classical) zero-knowledge proof, proving that all the data were generated honestly (i.e., that he knows the trapdoor corresponding to the public description k of the function, as well as the two preimages corresponding to the image y given by the server (see later). One could also add a distributed coin toss before the protocol (where the randomness provided by the client is not revealed, but used in the zero-knowledge proofs) to make sure that the randomness used by the client is not chosen in a malicious way). In this way, QFactory, can achieve an exponential security in the protocol of [38], and also improve the security proof of other protocols. This approach was recently used in the setting of two-party quantum computation [41].

1.4. Overview of the Protocol and Proof

The general idea is that a classical client gives instructions to a quantum server to perform certain actions (quantum computation). Those actions lead to the server having as output a single qubit, which is randomly chosen from within a set of possible states of the form $|0\rangle +e^{ir\pi /4}|1\rangle$, where $r\in \{0,\cdots ,7\}$. The randomness of the output qubit is due to the (fundamental) randomness of quantum measurements that are part of the instructions that the client gives. Moreover, the server cannot guess the value of r any better than if he had just received that state directly from the client (up to negligible probability). This is possible because the instructed quantum computation is generically a computation that is hard to (i) classically simulate and (ii) to reproduce quantumly because it is unlikely (exponentially in the number of measurements) that by running the same instructions the server obtains the exact same measurement outcomes twice. On the other hand, we wish the client to know the classical description and thus the value of r. To achieve this task, the instructions/quantum computation the client uses are based on a family of trapdoor one-way functions with certain extra properties (The functions should also be two-regular (each image has exactly two preimages), quantum safe (secure against quantum attackers) and collision resistant (hard to find two inputs with the same image)). Such functions are hard to invert (e.g., for the server) unless someone (the client in our case) has some extra “trapdoor” information $t_k$. This extra information makes the quantum computation easy to classically reproduce for the client, which can recover the value r, while it is still hard to classically reproduce for the server. Sending random qubits of the above type, is exactly what is required from the client in most of the protocols and applications given earlier, while with simple modifications our protocol could achieve other similar sets of states.

Our $\mathsf{HBC}-\mathsf{QFactory}$ protocol can heuristically be described in the next steps:

Preparation. The client randomly selects a function $f_k$, from a family of trapdoor one-way, quantum-safe, two-regular and collision resistant functions. The choice of $f_k$ is public (server knows), but the trapdoor information $t_k$ needed to invert the function is known only to the client.

Stage 1: Preimages Superposition. The client instructs the server (i) to apply Hadamard(s) on the control register, (ii) to apply $U_{f_k}$ on the target register i.e., to obtain ${\sum }_x|x\rangle \otimes |f_k\left(x\right)\rangle$ and (iii) to measure the target register in the computational basis, in order to obtain a value y. This collapses his state to the state $(|x\rangle +|x^{\prime }\rangle )\otimes |y\rangle$, where $x,x^{\prime }$ are the unique two preimages of y.

Remarks. First we note that each image y appears with same probability (therefore, obtaining twice the same y happens with negligible probability). We now consider the first register $|x\rangle +|x^{\prime }\rangle =|x_1\cdots x_n\rangle +|x_1^{\prime }\cdots x_n^{\prime }\rangle$, where the subscripts denote the different bits of the corresponding preimages x and $x^{\prime }$. We rewrite this:

$$\begin{array}{c}\hfill \left({\otimes }_{i\in \overline{G}}|x_i\rangle \right)\otimes \left(\prod _{j\in G}{X}^{x_j}\right)\left({|0\cdots 0\rangle }_G+{|1\cdots 1\rangle }_G\right)\end{array}$$

where $\overline{G}$ is the set of bits positions where $x,x^{\prime }$ are identical, G is the set of bits positions where the preimages differ, while we have suitably changed the order of writing the qubits. It is now evident that the state at the end of Stage 1 is a tensor product of isolated $|0\rangle$ and $|1\rangle$ states, and a Greenberger–Horne–Zeilinger (GHZ) state with random X’s applied. The crucial observation is that the connectivity (which qubit belongs to the GHZ and which doesn’t) depends on the XOR of the two preimages $x\oplus x^{\prime }$ and is computationally impossible to determine, with non-negligible advantage, without the trapdoor information $t_k$.

Stage 2: Squeezing. The client instructs the server to measure each qubit i (except the output) in a random basis $\{|0\rangle \pm e^{i{\alpha }_i\pi /4}|1\rangle \}$ and return back the measurement outcome $b_i$. The output qubit is of the form $|{+}_{\theta }\rangle =|0\rangle +e^{i\theta }|1\rangle$, where:

$$\theta =\frac{\pi }{4}{(-1)}^{x_n}\sum _{i=1}^{n-1}(x_i-x_i^{\prime })(4b_i+{\alpha }_i)mod8$$

(1)

Intuitively, measuring qubits that are not connected has no effect to the output, while measuring qubits within the GHZ part, rotates the phase of the output qubit (by a $(-{\left(1\right)}^{x_i}{\alpha }_i+4b_i)\pi /4$ angle). The above intuition shows that our $\mathsf{HBC}-\mathsf{QFactory}$ protocol is correct, as fully proven in Theorem 5.

Security. The protocol is secure, if we can prove that the server (or other third parties) cannot guess (obtain noticeable advantage in guessing) the classical description of the state, i.e., the value of $\theta$. We consider a quantum-honest-but-curious server which means that he essentially follows the protocol and the security reduces to proving that the server cannot use his classical information to obtain any advantage in guessing the classical description of the (honest) quantum output.

The server does not know the two preimages $x,x^{\prime }$ and needs to guess $\theta$ (which is a three-bit string) from the value of the image y. The key technical part of the security proof is showing a variant of the Goldreich–Levin theorem [42], that (informally) states that the predicate represented by the inner product of the preimage of a one-way function with a random vector, taken modulo 2, is indistinguishable from a random bit. In our case, $\theta$ has a similar expression (1) as it can be expressed as the inner product between the XOR of two preimages and a random vector taken modulo 8. We prove in Theorem 7 that if a computationally bounded server could obtain non-trivial advantage in guessing $\theta$, then he could also break the property of “second preimage resistance” which we requested for our function $f_k$. Note, that in our protocol, we actually request the strongest collision-resistance property that implies the second preimage resistance. To prove this theorem we first express each of the 3 bits of $\theta$ as an XOR between a Goldreich–Levin type of predicate and some extra functions. Each of these predicates, instead of having a preimage in the inner product, they have the (bitwise) XOR of the two preimages. We therefore show that guessing any of those predicates would break the (stronger) assumption of collision resistance, reaching a contradiction. Then, to connect the hardness of computing the bits of $\theta$ (each of the three predicates) with the hardness of computing $\theta$, we use the result of [43] to address the issue of possible correlations. The technical hardest part of Theorem 7 is on the one hand, that we fix all but one variable in the expression of each predicate (bit of $\theta$), with an extra cost that is an inverse polynomial probability and on the other hand, that we then use a “disentangling” trick to express the bits as the XOR between a Goldreich–Levin predicate and an extra function (now independent of the other variables).

Using the property of $\theta$ mentioned above, we then prove the full security of the $\mathsf{HBC}-\mathsf{QFactory}$ protocol by proving the game-based security holds by a reduction to the hardcore function property of $\theta$ in Theorem 6. More specifically, we show that if the server runs honestly the protocol, but keeps a record of the classical transcript of the protocol together with the measurement outcomes he performs, then it is hard for him to correlate this internal view of the protocol with the protocol output ($\theta$, $|{+}_{\theta }\rangle$).

The function. Our protocol relies on using functions that have a number of properties (one-way, trapdoor, two-regular, collision resistant (see Remark 1), quantum safe). Any function satisfying those conditions is suitable for our protocol. While in first thought some of these appear hard to satisfy jointly (e.g., two-regularity and collision resistance), we give two constructions that achieve those properties from simpler functions: one from injective, homomorphic trapdoor one-way function and one from bijective trapdoor one-way function. Both constructions define a new function that has domain extended by one bit, and the value of that bit “decides” whether one uses the initial basic function or not.

More specifically, for the first construction, let us denote the injective, homomorphic, trapdoor one-way function by $g_k$, with k the public description of the function and $t_k$ the trapdoor—used for the inversion of the function $g_k$. Then, we pick at random an element $x_0$ from the domain of $g_k$. The public description $k^{\prime }$ of the new desired function f will be k along with $g_k\left(x_0\right)$ and the corresponding trapdoor $t_{k^{\prime }}$ of f would be $t_k$ along with $x_0$.

Then, the function f, which is evaluated by the server, is described as: $f_{k^{\prime }}(x,c)=g_k\left(x\right)+c·g_k\left(x_0\right)$, which due to the homomorphic property of g, can be rewritten as: $f_{k^{\prime }}(x,c)=g_k(x+c·x_0)$. Now, we can see the 2-regularity property of f as, since $g_k$ is injective, f will always have exactly 2 preimages of the form: x and $x+x_0$, which can always be efficiently computed from the image of f using $t_{k^{\prime }}$. The one-wayness and quantum-safety of f are then proved by reduction to the one-wayness, respectively quantum-safety of g and finally, we prove the collision-resistance of f, by reducing it to the one-wayness of g.

For the second construction, we denote again by g, the bijective, trapdoor one-way function. Then, in order to construct f, we will basically use 2 such functions g: the public description $k^{\prime }$ of f will consist of $k_0$ and $k_1$—the public descriptions of $g_{k_0}$ and $g_{k_1}$ and the trapdoor of $f_{k^{\prime }}$ will consist of the pair $t_{k^{\prime }}=(t_{k_0},t_{k_1})$—the trapdoors of $g_{k_0}$ and $g_{k_1}$.

Then, the function f, evaluated by the server, is described as: $f_{k^{\prime }}(x,c)=g_{k_c}\left(x\right)$. Now, we can see the 2-regularity property of f as, since $g_k$ is bijective, every y from the image of f, will have 2 preimages, namely the unique preimage of $g_{k_0}$ and the unique preimage of $g_{k_1}$, which can be both computed from y using $t_{k^{\prime }}$. Then, in Appendix C we prove the one-wayness and quantum-safety of f by reduction to one-wayness and quantum-safety of g and finally, we prove the second preimage-resistance of f by reduction to the one-wayness of one of the 2 functions g.

We then give a real instantiation of the required function f based on the first type of construction, starting from the injective trapdoor one-way function defined in [44], which is derived from the Learning-With-Errors problem: $g_K(s,e)=s^{t}K+e^t$, where $s\in {\mathbb{Z}}_q^n$ and $K\in {\mathbb{Z}}_q^{n\times m}$, so using the above notation, we have $x=(s,e)$ and $x_0=(s_0,e_0)$. This function also seems to satisfy the homomorphic property with respect to addition modulo q: $g_K(s,e)+g_K(s_0,e_0)modq=(s^{t}K+e^t+s_0^{t}K+e_0^t)modq=g_K((s+s_0)modq,e+e_0)$. Unfortunately, things are not so simple, because the domain of the error vector $e\in {\mathbb{Z}}^m$ is such that each component of e is bounded by some value $\mu$, in order for g to be injective and correctly inverted using the trapdoor. This implies that g is homomorphic as long as $e+e_0$ is also bounded (in infinite norm) by $\mu$. In our case, this means that $e+e_0$ may not be small enough to lie within g’s domain, so it may be possible to have only one preimage for some image y. To overpass these problems, we do the following:

When we are constructing the trapdoor for the function f, in particular when we are sampling $x_0=(s_0,e_0)$ from the domain of g, we will in fact sample $e_0$ from a smaller set, such that when it will be added together with a random input e, the total noise vector will still be small enough to lie within the domain of g with some good probability.

What we prove is that as long as $e_0$ is sampled from a subset of the domain of g such that $e_0$ is now bounded by ${\mu }^{\prime }=\frac{\mu }{m}$, we will get that with at least a constant probability, $e+e_0$ is inside the domain of g, or in other words that f is now 2-regular with at least a constant probability. What remains to be proven is that when $e_0$ is restricted to this smaller domain, $g_K(s_0,e_0)$ still cannot be inverted by an adversary. Therefore, as a final step we prove that there exists an explicit choice of parameters such that both g and the restriction of g to the domain of $e_0$ are one-way functions and such that all the other properties of g are preserved.

As a result, under this choice of parameters, we obtain our desired function f, satisfying all required properties: one-wayness, trapdoor, collision-resistance and 2-regularity (with a least a constant probability), where the hardness of f is proven by reduction to worst-case hardness of approximating short vectors problems, with polynomial approximation factor, which is the current standard in lattice-based cryptosystems.

Remark 1.

It appears that the second preimage resistance property will be enough to prove the security of our scheme in the honest-but-curious setting. However, as soon as the server can be malicious, the collision resistance property will be very important, else the server might forge known valid states, which would break the security.

2. Preliminaries

2.1. Classical Definitions

We are considering protocols secure against quantum adversaries, so we assume that all the properties of our functions hold for a general Quantum Polynomial Time (QPT) adversary, rather than the usual Probabilistic Polynomial Time (PPT) one. We will denote D the domain of the functions, while $D\left(n\right)$ is the subset of strings of length n.

Definition 1

(Quantum-Safe (informal)). A protocol/function is quantum-safe (also known as post-quantum secure), if all its properties remain valid when the adversaries are QPT (instead of PPT).

The following definitions are for PPT adversaries, however in this paper we will generally use quantum-safe versions of those definitions and thus security is guaranteed against QPT adversaries.

Definition 2

(One-way). A family of functions ${\{f_k:D\to R\}}_{k\in K}$ is one-way if:

• There exists a PPT algorithm that can compute $f_k\left(x\right)$ for any index function k, outcome of the PPT parameter-generation algorithm Gen and any input $x\in D$;
• any PPT algorithm $\mathcal{A}$ can invert $f_k$ with at most negligible probability over the choice of k:
  $\underset{\begin{array}{c}k\leftarrow Gen\left(1^n\right)\\ x\leftarrow D\\ rc\leftarrow {\{0,1\}}^{*}\end{array}}{Pr}[f(\mathcal{A}(k,f_k\left(x\right))=f\left(x\right)]\le \mathrm{negl}(n)$
  where $rc$ represents the randomness used by $\mathcal{A}$;

Definition 3

(Second preimage resistant). A family of functions ${\{f_k:D\to R\}}_{k\in K}$ is second preimage resistant if:

• There exists a PPT algorithm that can compute $f_k\left(x\right)$ for any index function k, outcome of the PPT parameter-generation algorithm Gen and any input $x\in D$;
• for any PPT algorithm $\mathcal{A}$, given an input x, it can find a different input $x^{\prime }$ such that $f_k\left(x\right)=f_k\left(x^{\prime }\right)$ with at most negligible probability over the choice of k:
  $\underset{\begin{array}{c}k\leftarrow Gen\left(1^n\right)\\ x\leftarrow D\\ rc\leftarrow {\{0,1\}}^{*}\end{array}}{Pr}[\mathcal{A}(k,x)=x^{\prime }\mathrm{such}\mathrm{that}x\ne x^{\prime }\mathrm{and}{f}_k\left(x\right)=f_k\left(x^{\prime }\right)]\le \mathrm{negl}(n)$
  where $rc$ is the randomness of $\mathcal{A}$;

Definition 4

(Collision resistant). A family of functions ${\{f_k:D\to R\}}_{k\in K}$ is collision resistant if:

• There exists a PPT algorithm that can compute $f_k\left(x\right)$ for any index function k, outcome of the PPT parameter-generation algorithm Gen and any input $x\in D$;
• any PPT algorithm $\mathcal{A}$ can find two inputs $x\ne x^{\prime }$ such that $f_k\left(x\right)=f_k\left(x^{\prime }\right)$ with at most negligible probability over the choice of k:
  $\underset{\begin{array}{c}k\leftarrow Gen\left(1^n\right)\\ rc\leftarrow {\{0,1\}}^{*}\end{array}}{Pr}[\mathcal{A}\left(k\right)=(x,x^{\prime })\mathrm{such}\mathrm{that}x\ne x^{\prime }\mathrm{and}{f}_k\left(x\right)=f_k\left(x^{\prime }\right)]\le \mathrm{negl}(n)$
  where $rc$ is the randomness of $\mathcal{A}$ ($rc$ will be omitted from now).

Theorem 1.

[45] Any function that is collision resistant is also second preimage resistant.

Definition 5

(k-regular). A deterministic function $f:D\to R$ is k-regular if $\forall y\in \mathrm{Im}\left(f\right)$, we have $|f^{-1}\left(y\right)|=k$.

Definition 6

(Trapdoor Function). A family of functions $\{f_k:D\to R\}$ is a trapdoor function if:

• There exists a PPT algorithmGenwhich on input $1^n$ outputs $(k,t_k)$, where k represents the index of the function;
• ${\{f_k:D\to R\}}_{k\in K}$ is a family of one-way functions;
• there exists a PPT algorithmInv, which on input $t_k$ (which is called the trapdoor information) output byGen($1^n$) and $y=f_k\left(x\right)$ can invert y (by returning all preimages of y) with non-negligible probability over the choice of $(k,t_k)$ and uniform choice of x. Note, that while in the standard definition of trapdoor functions it suffices for the inversion algorithmInvto return one of the preimages of any output of the function, in our case we require a two-regular trapdoor function where the inversion procedure returns both preimages for any function output.

Definition 7

(Hard-core Predicate). A function $hc:D\to \{0,1\}$ is a hard-core predicate for a function f if:

• There exists a PPT algorithm that for any input x can compute $hc\left(x\right)$;
• any PPT algorithm $\mathcal{A}$ when given $f\left(x\right)$, can compute $hc\left(x\right)$ with negligible better than $1/2$ probability:
  $\underset{\begin{array}{c}x\leftarrow D\left(n\right)\\ rc\leftarrow {\{0,1\}}^{*}\end{array}}{Pr}[\mathcal{A}(f\left(x\right),1^n)=hc\left(x\right)]\le \frac{1}{2}+\mathrm{negl}(n)$, where $rc$ represents the randomness used by $\mathcal{A}$;

Definition 8

(Hard-core Function). A function $h:D\to E$ is a hard-core function for a function f if:

• There exists a PPT algorithm that can compute $h\left(x\right)$ for any input x;
• for any PPT algorithm $\mathcal{A}$ when given $f\left(x\right)$, $\mathcal{A}$ can distinguish between $h\left(x\right)$ and a uniformly distributed element in E with at most negligible probability:

  $$|\underset{\begin{array}{c}x\leftarrow D\left(n\right)\end{array}}{Pr}[\mathcal{A}(f\left(x\right),h\left(x\right))=1]-\underset{\begin{array}{c}x\leftarrow D\left(n\right)\\ r\leftarrow E\left(\right|h\left(x\right)\left|\right)\end{array}}{Pr}[\mathcal{A}(f\left(x\right),r)=1]|\le \mathrm{negl}(n)$$

The intuition behind this definition is that as far as a QPT adversary is concerned, the hard-core function appears indistinguishable from a randomly chosen element of the same length.

Theorem 2

(Goldreich–Levin [42]). From any one-way function $f:D\to R$, we can construct another one-way function $g:D\times D\to R\times D$ and a hard-core predicate for g. If f is a one-way function, then:

• $g(x,r)=\left(f\right(x),r)$ is a one-way function, where $\left|x\right|=\left|r\right|$.
• $hc(x,r)=\langle x,r\rangle mod2$ is a hard-core predicate for g.

Informally, the Goldreich–Levin theorem is proving that when f is a one-way function, then $f\left(x\right)$ is hiding the xor of a random subset of bits of x from any PPT adversary. The Goldreich–Levin proof is using a reduction from breaking the hard-core predicate $hc(x,r)$ to breaking the one-wayness of g. In this paper, the functions we consider are one-way against quantum adversaries, and using the same reduction we conclude that $hc(x,r)$ is a hard-core predicate against QPT adversaries.

Theorem 3

(Vazirani–Vazirani XOR-Condition Theorem [43]). Function h is hard-core function for f if and only if the xor of any non-empty subset of h’s bits is a hard-core predicate for f.

The Learning-With-Errors problem (LWE) can be described in the following way:

Definition 9

(LWE problem (informal)). Given s, an n dimensional vector with elements in ${\mathbb{Z}}_q$, the task is to distinguish between a set of polynomially many noisy random linear combinations of the elements of s and a set of polynomially many random numbers from ${\mathbb{Z}}_q$.

Regev [46] and Peikert [47] have given quantum and classical reductions from the average case of LWE to problems such as approximating the length of the shortest vector or the shortest independent vectors problem in the worst case, problems which are conjectured to be hard even for quantum computers.

Theorem 4

(Reduction LWE, from ([46], Theorem 1.1)). Let n, q be integers and $\alpha \in (0,1)$ be such that $\alpha q>2\sqrt{n}$. If there exists an efficient algorithm that solves $LWE{}_{q,{\overline{\Psi }}_{\alpha }}$, then there exists an efficient quantum algorithm that approximates the decision version of the shortest vector problem GapSVP and the shortest independent vectors problem SIVP to within $\tilde{O}(n/\alpha )$ in the worst case.

2.2. Quantum Definitions

We assume basic familiarity with quantum computing notions. For any function $f:A\to B$ that can be described by a polynomially-sized classical circuit, we define the controlled-unitary $U_f$, as acting in the following way:

$$\begin{array}{c}\hfill U_f|x\rangle |y\rangle =|x\rangle |y\oplus f\left(x\right)\rangle \forall x\in A\forall y\in B,\end{array}$$

(2)

where we name the first register $|x\rangle$ control and the second register $|y\rangle$ target. Given the classical description of this function f, we can always define a QPT algorithm that efficiently implements $U_f$.

3. CC − RSP_θ Primitive

In many distributed protocols the required communication consists of sending sequence of single qubits prepared in random states that are unknown to the receiver (and any other third parties). What we want to achieve through our ${\mathsf{CC}-\mathsf{RSP}}_{\theta }$ primitive (Algorithm 1) is a way to generate remotely single qubits that are random and (appear to be) unknown to all parties but the “client” that gives the instructions.

Definition 10.

Let $|{+}_{\theta }\rangle =1/\sqrt{2}\left(|0\rangle +e^{i\theta }|1\rangle \right)$. We define the set of states

$$\begin{array}{c}\hfill R:=\left\{|{+}_{\theta }\rangle \right\}where\theta \in \{0,\pi /4,\pi /2,\cdots ,7\pi /4\}\end{array}$$

(3)

By including magic states ($|{+}_{\pi /4}\rangle$), this set of states can be viewed as a “universal” resource, as applying Clifford operations on those states is sufficient for universal quantum computation. Furthermore, it is sufficient to implement both blind quantum computation (e.g., [21]) and verifiable blind quantum computation (e.g., [32]).

We emphasize that the aim of defining an ideal functionality is to highlight the task we want to achieve (in terms of correctness) with our protocol $\mathsf{HBC}-\mathsf{QFactory}$, rather than using it in a simulation or composable security definition.

Remarks: (i) The outcome of this primitive is the client “sending” the qubit $|{+}_{\theta }\rangle$ (that he knows) to the server, thus simulating a quantum channel. (ii) We note that there is an abort possibility and some auxiliary classical messages $(m_C,m_S)$, both included to make the primitive general enough to allow for our construction. Furthermore, the classical description of the qubit, $\theta$, and the classical messages $(m_C,m_S)$ are totally uncorrelated (as $\theta$ is chosen independently at random for each $(m_C,m_S)$. (iii) While the server can learn something about the classical description (e.g., by measuring the qubit), this information is limited and is the exact same information that he could obtain if the client had prepared and sent him a random qubit.

Algorithm 1 Primitive: Classical Channel Remote State Preparation (${\mathsf{CC}-\mathsf{RSP}}_{\theta }$)

Requirements: Client is a purely classical party with no access to quantum resources. Public Information: A distribution on pairs of lists M, intuitively containing the values of the classical variables used by the client and by the server. Trusted Party: – With some probability p returns to both parties $\mathsf{abort}$, otherwise: – Samples $(m_C,m_S)\leftarrow M$ – Samples $\theta \leftarrow {\{0,1\}}^3·\frac{\pi }{4}$ – Prepares a qubit in state $|{+}_{\theta }\rangle$ Outputs: – Either returns $\mathsf{abort}$ to both client and server – Or returns $(m_C,\theta )$ to the client, and $(m_S,|{+}_{\theta }\rangle )$ to the server

4. The Real Protocol

To construct our protocol $\mathsf{HBC}-\mathsf{QFactory}$ (Algorithm 2) we assume the existence of a family ${\{f_k:{\{0,1\}}^n\to {\{0,1\}}^m\}}_{k\in K}$ of trapdoor one-way functions that are two-regular and collision resistant (or the weaker second preimage resistance property, see Remark 1) even against a quantum adversary. For any y, we will denote by $x\left(y\right)$ and $x^{\prime }\left(y\right)$ the two unique different preimages of y by $f_k$ (if the y is clear, we may remove it). Note that because of the two-regularity property $m\ge n-1$. We use subscripts to denote the different bits of the strings. See Section 6 for our function. With that choice, we are guaranteed that the last bits of the two preimages are always different, and thus no need for an abort. We keep the protocol general so that different functions can be used.

Algorithm 2: Real $\mathsf{HBC}-\mathsf{QFactory}$ Protocol

Requirements: Public: A family $\mathcal{F}=\{f_k:{\{0,1\}}^n\to {\{0,1\}}^m\}$ of trapdoor one-way functions that are quantum-safe, two-regular and collision resistant (or second preimage resistant, see Remark 1) Input: – Client: uniformly samples a set of random three-bits strings $\alpha =({\alpha }_1,\cdots ,{\alpha }_{n-1})$ where ${\alpha }_i\leftarrow {\{0,1\}}^3$, and runs the algorithm $(k,t_k)\leftarrow {\mathrm{Gen}}_{\mathcal{F}}\left(1^n\right)$. The $\alpha$ and k are public inputs (known to both parties), while $t_k$ is the “private” input of the client. Stage 1: Preimages superposition – Client: instructs server to prepare one register at ${\otimes }^{n}H|0\rangle$ and second register initiated at ${|0\rangle }^m$ – Client: sends k to server and the server applies $U_{f_k}$ using the first register as control and the second as target – Server: measures the second register in the computational basis, obtains the outcome y and returns this result y to the client. Here, an honest server would have a state $(|x\rangle +|x^{\prime }\rangle )\otimes |y\rangle$ with $f_k\left(x\right)=f_k\left(x^{\prime }\right)=y$ and $y\in \mathrm{Im}{f}_k$. Stage 2: Squeezing – Client: instructs the server to measure all the qubits (except the last one) of the first register in the $\left\{|0\rangle \pm e^{{\alpha }_i\pi /4}|1\rangle \right\}$ basis. Server obtains the outcomes $b=(b_1,\cdots ,b_{n-1})$ and returns the result b to the client – Client: using the trapdoor $t_k$ computes $x,x^{\prime }$. Then check if the n-th bit of x and $x^{\prime }$ (corresponding to the y received in Stage 1) are the same or different. If they are the same, returns $\mathsf{abort}$, otherwise, obtains the classical description of the server’s state. Output: If the protocol is run honestly, when there is no abort, the state that server has is $|{+}_{\theta }\rangle$, where the client (only) knows the classical description (see Theorem 5): $$\begin{array}{c}\hfill \theta =\frac{\pi }{4}{(-1)}^{x_n}\sum _{i=1}^{n-1}(x_i-x_i^{\prime })(4b_i+{\alpha }_i)mod8\end{array}$$ (4)

Remarks: The first thing to note is that the server should not only be unable to guess $\theta$ from his classical communications, but he should also be unable to distinguish it from a random string with probability greater than negligible. We will prove this later, but for now it is enough to point out that $\theta$ depends on the preimages x and $x^{\prime }$ of y (which the client can obtain using $t_k$).

The second thing to note is that while our expression of $\theta$ resembles the inner product in the Goldreich–Levin (GL) theorem, it differs in a number of places and our proof (that $\theta$ is a hard-core function), while it builds on the GL theorem proof, is considerably more complicated. Details can be found in the security proof, but here we simply mention the differences: (i) our case involves three-bits rather than a predicate, and the different bits, if we view them separately, may not be independent, (ii) we have a term $(x-x^{\prime })$ rather than a single preimage, so rather than the one-way property of the function we will need the second preimage resistance and (iii) for the same reason, if we view our function as an inner product, it can take both negative and positive values ($(x-x^{\prime })$ could be negative).

A third thing to note is that we have singled-out the last qubit of the first register, as the qubit that will be the output qubit. One could have a more general protocol where the output qubit is chosen randomly, or, for example, in the set of the qubits that are known to have different bit values between x and $x^{\prime }$, but this would not improve our analysis so we keep it like this for simplicity. Moreover, while the “inner product” normally involves the full string x that one tries to invert, in our case, it does not include one of the bits (the last) of the string we wish to invert. It is important to note that it does not change anything to our proofs, since if one can invert all of the string apart from one bit with inverse polynomial probability of success, then trivially one can invert the full string with inverse polynomial probability (by randomly guessing the remaining bit or by trying out both values of that bit). Therefore, all the proofs by contradiction are still valid and in the remaining; for notational simplicity, we will take the inner products to involve all n bits.

Correctness and Intuition

Theorem 5.

If both the client and the server follow Algorithm 2, the protocol aborts when $x_n=x_n^{\prime }$, while otherwise the server ends up with the output (single) qubit being in the state $|{+}_{\theta }\rangle$, where θ is given by Equation (4).

Proof. 

In the first stage, before the first measurement, but after the application of $U_{f_k}$, the state is ${\sum }_x|x\rangle \otimes |f_k\left(x\right)\rangle$. What the measurement does, is that it collapses the first register in the equal superposition of the two unique preimages of the measured $y=f_k\left(x\right)=f_k\left(x^{\prime }\right)$, in other words in the state $\left(|x\rangle +|x^{\prime }\rangle \right)\otimes |y\rangle$. It is not possible, even for malicious adversary (not considered here), to force the output of the measurement to be a given y (see [48] for relation of PostBQP with BQP). This completes the first stage of the protocol. Before proceeding with the proof of correctness we make three observations.

By the second preimage resistance property of the trapdoor function, learning x is not sufficient to learn $x^{\prime }$ but with negligible probability, and intuitively, by the stronger collision resistance property, even a malicious server cannot forge a state $|x\rangle +|x^{\prime }\rangle$ (with $f\left(x\right)=f\left(x^{\prime }\right)$) fully known to him.

Then, we examine what happens if the last bit of x and $x^{\prime }$ are the same and see why the protocol aborts. In this case, in the first register, the last qubit is in product form with the remaining state, and therefore any further measurements in stage 2 do not affect it, leaving it in the state $|x_n\rangle$. As a result of this, the output state is not of the form of Equation (4), while including this states in the set of possible outputs would change considerably our analysis.

Finally, we should note that the resulting state is essentially a Greenberger–Horne–Zeilinger (GHZ) state [49]: let G be the set of bits positions where x and $x^{\prime }$ differ (which include n – output qubit), while $\overline{G}$ is the set where they are identical. The state is then (where we no longer keep the qubits in order, but group them depending on their belonging to G or $\overline{G}$):

$$\begin{array}{c}\hfill \left({\otimes }_{i\in \overline{G}}|x_i\rangle \right)\otimes \left({\otimes }_{j\in G}|x_j\rangle +{\otimes }_{j\in G}|x_j\oplus 1\rangle \right)\end{array}$$

(5)

This can be rewritten as (up to trivial re-normalization):

$$\begin{array}{c}\hfill \left({\otimes }_{i\in \overline{G}}|x_i\rangle \right)\otimes \left(\prod _{j\in G}{X}^{x_j}\right)\left({|0\cdots 0\rangle }_G+{|1\cdots 1\rangle }_G\right)\end{array}$$

(6)

It is now evident that the state at the end of Stage 1 is a tensor product of isolated $|0\rangle$ and $|1\rangle$ states, and a GHZ state with random X’s applied. You can find in Figure 1 an illustration of this state, before and after the Stage 2. Note that GHZ-states when viewed as graph states correspond to stars due to the corresponding graph as we can see here too.

The important thing to note is that the set G, that determines which qubits are in the GHZ state and which qubits are not, is not known to the server (apart from the fact that the position of the output qubit belongs to G since otherwise the protocol aborts). Moreover, this set denotes the positions where x and $x^{\prime }$ differ, which is given by the XOR of the two preimages $x\oplus x^{\prime }:=(x_1\oplus x_1^{\prime },\cdots ,x_n\oplus x_n^{\prime })$. As a result of second preimage resistance of the function, the server should not be able to invert and obtain $x\oplus x^{\prime }$ apart with negligible probability (without access to the trapdoor $t_k$). This in itself does not guarantee that the server cannot learn any information about the XOR of the preimages, but we will see that the actual form of the state is such that being able to obtain information would lead to invert the full XOR and thus break the second preimage resistance.

Now, let us continue towards Stage 2. Measuring a qubit (other than the last one) in $\overline{G}$ has no effect on the last qubit (since it is disentangled). When the qubit index is in G, then measuring it at angle ${\alpha }_i\pi /4$ gives a phase to the output qubit of the form $(-{(-1)}^{x_i}{\alpha }_i+4b_i)\pi /4$ as one can easily check. We remark that the ${(-1)}^{x_i}$-term arises because of the commutation of $X_i^{x_i}$ with the measurement angle, and the final $X_n^{x_n}$ gate gives an overall ${(-1)}^{x_n}$ to the angle of deviation. Therefore, adding all the phases leads to the output state being:

$$\begin{array}{c}\hfill |{+}_{\theta }\rangle ;\theta =\frac{\pi }{4}{(-1)}^{x_n}\left(\sum _{i\in G\backslash \left\{n\right\}}\left(-{\alpha }_i{(-1)}^{x_i}+4b_i\right)\right)mod8\end{array}$$

(7)

As a result that $\theta$ is defined modulo $2\pi$ and $-4=4mod8$, we can express the output angle in a more symmetrical way:

$$\begin{array}{c}\hfill \theta =\frac{\pi }{4}{(-1)}^{x_n}\left(\sum _{i=1}^{n-1}(x_i-x_i^{\prime })\left(4b_i+{\alpha }_i\right)\right)mod8\end{array}$$

(8)

Note that because the angles are defined modulo $2\pi$, one can represent this angle as a 3-bits string $\tilde{B}$ (interpretable as an integer) such that $\theta :=\tilde{B}\times \frac{\pi }{4}$ and eventually remove the ${(-1)}^{x_n}$ if needed by choosing the suitable convention in defining x and $x^{\prime }$.    □

A final remark is that in an honest run of this protocol, the measurement outcomes $b_i$ and y are uniformly chosen from $\{0,1\}$ and $\mathrm{Im}\left(f_k\right)$ respectively. This justifies why in the honest-but-curious model we can view the protocol as sampling randomly the different $\alpha ,y,b$’s.

5. Security of HBC − QFactory

Here we will prove the security of $\mathsf{HBC}-\mathsf{QFactory}$ (Algorithm 2) against honest-but-curious adversaries in the game-based security model.

Before proceeding further, it is worth stressing that this security level has three-fold importance. Firstly, the honest-but-curious model concerns any application of ${\mathsf{CC}-\mathsf{RSP}}_{\theta }$ that involves a protocol where the adversaries are third parties that have access to the classical communication and nothing else. In this case, we can safely assume that the quantum part of the protocol is followed honestly and we only require to prove that the third parties learn nothing about the classical description of the state from the classical public communication. Second case of interest is scenarios where the “server” does not intend to sabotage/corrupt the computation but may be interested to learn (for free) extra information. In such a case, the protocol should be followed honestly, since any non-reversible deviation other than copying classical information could corrupt the computation. Finally, the honest-but-curious case, as in the classical setting, is a first step towards proving the full security against malicious adversaries.

5.1. Game-Based Security Definition

Definition 11.

In the following, $\mathsf{HBC}-\mathsf{QFactory}$ is said to be secure if for all QPT adversaries $\mathcal{A}$ the following game is won with probability at most $\frac{1}{2}+\mathrm{negl}(n)$:

Adversary $\mathcal{A}$ wins the game $G_{sec}$ if and only if $c=\tilde{c}$.

Then what we want to show is that:

$$Pr\left[\mathcal{A}\mathrm{wins}{G}_{sec}\right]\le \frac{1}{2}+\mathrm{negl}(n)$$

(9)

In other words:

$$Pr[\mathcal{A}({\theta }^{\left(c\right)},|{+}_{{\theta }^{\left(c\right)}}\rangle )=c]\le \frac{1}{2}+\mathrm{negl}(n)$$

(10)

Remark 2.

Note that a stronger game could have been defined, where the $|{+}_{\theta }\rangle$ that is sent to the adversary is always $|{+}_{{\theta }^{\left(0\right)}}\rangle$, along with ${\theta }^{\left(c\right)}$. This would be closer to the actual view of an honest-but-curious adversary, but it is not possible to prove the security of this game, no matter how secure the underlying protocol is. Indeed, given ${\theta }^{\left(c\right)}$ and $|{+}_{{\theta }^{\left(0\right)}}\rangle$, it is always possible to measure the $|{+}_{{\theta }^{\left(0\right)}}\rangle$ in the basis ${\theta }^{\left(c\right)}$ and output $\tilde{c}=0$ only if the measurement outcome was 0.

The case $c=0$ corresponds to the adversary receiving a transcript of the protocol ($\tilde{k},\tilde{y},\tilde{b}$) along with the real output of the protocol (${\theta }^{\left(0\right)},|{+}_{{\theta }^{\left(0\right)}}\rangle$) matching to this transcript. The case $c=1$ corresponds to adversary receiving a transcript of the protocol along with a random output of the protocol (${\theta }^{\left(1\right)},|{+}_{{\theta }^{\left(1\right)}}\rangle$). The game ensures that an adversary cannot distinguish these two views. The security of $G_{sec}$ tries to capture the following idea: If an adversary (server) runs honestly the protocol and keeps a record of the measurements he performs together with the transcripts he receives during the protocol, it must be hard for him to correlate this internal view with the output of the protocol ($\theta ,|{+}_{\theta }\rangle$). This is why in the game we ask the adversary to distinguish whether he has access to either a correlated or an uncorrelated $\theta$.

5.2. Game-Based Security of $\mathsf{HBC}-\mathsf{QFactory}$

Theorem 6.

For any QPT adversary $\mathcal{A}$, the game $G_{sec}$ can be won with probability at most $\ge \frac{1}{2}+\le \mathrm{negl}(n)$.

To prove that $\mathsf{HBC}-\mathsf{QFactory}$ is secure according to Definition 11, we will rely on the following result, proven in the next section:

Theorem 7.

The function θ expressed as:

$$\begin{array}{c}\hfill \theta =\frac{\pi }{4}\left(\sum _{i=1}^{n-1}(x_i-x_i^{\prime })(4b_i+{\alpha }_i)\right)mod8\end{array}$$

(11)

as was defined in Algorithm 2, is a hard-core function with respect to $f_k$.

NB: here the collision resistance is not needed and is replaced by the weaker second preimage resistance property.

Proof of Theorem 6.

The main idea would be to use a reduction to the hardcore property of the state description $\theta$. We will assume that there exists an adversary $\mathcal{A}$ that can win $G_{sec}$ with probability $\frac{1}{2}+p$ and we will construct an adversary ${\mathcal{A}}^{\prime }$ that can break the hard-core function property of $\theta$ with probability $\frac{1}{8}+\frac{p}{4}$. This implies that if the game $G_{sec}$ can be won with inverse polynomial probability, the same applies to the hard-core function property, and hence we reach a contradiction.

More specifically, let us assume that the adversary $\mathcal{A}$ can win with probability $\frac{1}{2}+p_0$ when $c=0$ and with probability $\frac{1}{2}+p_1$ when $c=1$. Then, we have:

$$Pr\left[\mathcal{A}\mathrm{wins}{G}_{sec}\right]=Pr[\tilde{c}=c]=Pr[\tilde{c}=0|c=0]·\frac{1}{2}+Pr[\tilde{c}=1|c=1]·\frac{1}{2}$$

So we have: $Pr[\tilde{c}=0|c=0]+Pr[\tilde{c}=1|c=1]=1+2p$.

By denoting $Pr[\tilde{c}=0|c=0]=\frac{1}{2}+p_0$ and $Pr[\tilde{c}=1|c=1]=\frac{1}{2}+p_1$, we obtain: $p_0+p_1=2p$.

Now we can define the following adversary ${\mathcal{A}}^{\prime }$ that will attack the hardcore property of the state description using the adversary $\mathcal{A}$ for the game $G_{sec}$. Namely, ${\mathcal{A}}^{\prime }$ will receive the tuple $(y,b,k)$—representing the messages that an adversary has during an honest run of $\mathsf{HBC}-\mathsf{QFactory}$ and will try to determine the underlying state description $\theta$.

Now we want to determine the probability that the output of the adversary $\mathcal{A}$ is equal to the “true” $\theta (y,b,k,\alpha )$ that is obtained by $Inv(t_k,y,b,\alpha )$.

We will consider separately two cases, namely: (i) $\varphi =\theta (y,b,k,\alpha )$ and (ii) $\varphi \ne \theta (y,b,k,\alpha )$. Since $\varphi$ is chosen randomly from the eight possible angles, it is clear that case (i) occurs with probability $1/8$ and case (ii) occurs with probability $7/8$.

(i)

$\mathcal{A}$ receives the “true” state ($c=0$), so to win the game he needs to return $\tilde{c}=0$. By definition, this happens with $\frac{1}{2}+p_0$, and in this case ${\mathcal{A}}^{\prime }$ also wins (since he outputs the correct state). The overall probability that all this happens, i.e., that ${\mathcal{A}}^{\prime }$ succeeds in this case, is $\frac{1}{8}·\left(\frac{1}{2}+p_0\right)$.

(ii)

$\mathcal{A}$ receives one of the “false” states ($c=1$), and thus to win $G_{sec}$ he needs to return $\tilde{c}=1$. By definition this happens with probability $\frac{1}{2}+p_1$. Now, in this case, ${\mathcal{A}}^{\prime }$ has essentially ruled-out one of the eight possible states. His random guess, after ruling-out one state, succeeds with probability $\frac{1}{7}$. Combining all this together we see that ${\mathcal{A}}^{\prime }$ succeeds with probability $\frac{7}{8}·\left(\frac{1}{2}+p_1\right)·\frac{1}{7}$.

More explicitly, the probability that ${\mathcal{A}}^{\prime }$ breaks the hardcore property of $\theta$ is (where we denoted the “true” $\theta (y,b,k,\alpha )$ by simply $\theta$):

$$\begin{array}{cc}\hfill & Pr[{\mathcal{A}}^{\prime }(y,b,k,\alpha )=\theta ]=Pr[{\mathcal{A}}^{\prime }(y,b,k,\alpha )=\theta |\varphi =\theta ]·Pr[\varphi =\theta ]+\hfill \\ \hfill & +Pr[{\mathcal{A}}^{\prime }(y,b,k,\alpha )=\theta |\varphi \ne \theta ]·Pr[\varphi \ne \theta ]\hfill \\ \hfill & =\frac{1}{8}·Pr[{\mathcal{A}}^{\prime }(y,b,k,\alpha )=\theta |\varphi =\theta ]+\frac{7}{8}·Pr[{\mathcal{A}}^{\prime }(y,b,k,\alpha )=\theta |\varphi \ne \theta ]\hfill \\ \hfill & =\frac{1}{8}Pr[\tilde{c}=0|c=0]+\frac{7}{8}Pr[\tilde{c}=1\mathrm{and}\mathrm{random}\tilde{\theta }=\theta |c=1]\hfill \\ \hfill & =\frac{1}{8}\left(\frac{1}{2}+p_0\right)+\frac{7}{8}·\left(\frac{1}{2}+p_1\right)·\frac{1}{7}=\frac{1}{8}+\frac{p_0+p_1}{8}=\frac{1}{8}+\frac{p}{4}\hfill \end{array}$$

(12)

We showed that Adversary ${\mathcal{A}}^{\prime }$ succeeds with probability $\frac{1}{8}+\frac{p}{4}$ in guessing $\theta (y,b,k,\alpha )$, where p is the advantage $\mathcal{A}$ has in $G_{sec}$. However, we will prove in Theorem 7, that $\mathcal{A}$ can’t win with probability better than $1/8+\mathrm{negl}(n)$. Contradiction.    □

5.3. Hardcore Function θ

Proof Sketch of Theorem 7.

In Algorithm 2, the adversary (server) can only use the classical information that he possesses ($k,y,\alpha ,b$) in order to try and guess with some probability the value of $\theta$ in the case that there is no abort. Since the adversary follows the honest protocol, the choices of $y,b$ are truly random (and not determined by the adversary as he could in the malicious case). Outline of proof sketch: We first express the classical description of the state into expressions for each of the corresponding three bits. The aim is to prove that it is impossible to distinguish the sequence of these three bits from three random bits with non-negligible probability. To show this we follow five steps. In Step 1, we express each of the bits as a sum mod two, of an inner product (of the form present in GL theorem) and some other terms. In Step 2, we show that guessing the sum modulo two of the two preimages breaks the second preimage resistance of the function and thus is impossible. We assume that the adversary can achieve some inverse polynomial advantage in guessing certain predicates and in the remaining steps we show that in this case he can obtain a polynomial inversion algorithm for the one-way function $f_k$, and thus reach the contradiction. In Step 3, we use the Vazirani–Vazirani Theorem 3 to reduce the proof of hard-core function to a number of single hard-core bits (predicates). In Step 4, we use a result that allows us to fix all but one variable in each expression, with an extra cost that is an inverse polynomial probability and therefore the (fixed variables) guessing algorithm still needs to have negligible success probability. Finally, in Step 5, we reduce all the predicates in a form of a known hard-core predicate XOR with a function that involves variables not included in that predicate. Using the previous step, it reduces to guessing the XOR of a hard-core predicate with a constant, which is bounded by the probability of guessing the (known to be hard-core) predicate.

Here we give the sketch described above, while the full proof can be found in the Appendix B. Let us start by defining:

$$\begin{array}{c}\hfill \tilde{B}={\tilde{B}}_1{\tilde{B}}_2{\tilde{B}}_3=\left(\sum _{i=1}^{n-1}(x_i-x_i^{\prime })(4b_i+{\alpha }_i)\right)mod8\end{array}$$

(13)

where ${\tilde{B}}_i$ are single bits. Moreover, we treat $x,x^{\prime }$ as vectors in ${\{0,1\}}^n$; we define ${\alpha }^{\left(j\right)}=({\alpha }_1^{\left(j\right)},\cdots ,{\alpha }_{n-1}^{\left(j\right)})$ the vector that involves the $j\in \{1,2,3\}$ bit of each of three-bit strings $\alpha$, and we define $\tilde{x}:=x\oplus x^{\prime }$. We define z as a vector in ${\{-1,0,1\}}^n$ defined as the element-wise differences of the bits of x and $x^{\prime }$, i.e., $z_i=x_i-x_i^{\prime }$. Finally, as in GL theorem, we use the notation for the inner product $\langle a,b\rangle ={\sum }_{i=1}^{n-1}{a}_i{b}_i$.

We will prove that any QPT adversary $\mathcal{A}$ having all the classical information that server has $(y,\alpha ,b)$, can guess $\tilde{B}$ with at most negligible probability:

$$\begin{array}{c}\hfill \underset{\begin{array}{c}x\leftarrow {\{0,1\}}^n\\ \alpha \leftarrow {\{0,1\}}^{3n}\\ b\leftarrow {\{0,1\}}^n\end{array}}{Pr}[\mathcal{A}(f\left(x\right),{\alpha }^{\left(1\right)},{\alpha }^{\left(2\right)},{\alpha }^{\left(3\right)},b)=\widetilde{B_1}\widetilde{B_2}\widetilde{B_3}]\le \frac{1}{8}+\mathrm{negl}(n)\end{array}$$

(14)

where for simplicity we denote the function f instead of $f_k$. This means that the adversary $\mathcal{A}$ cannot distinguish $\tilde{B}$ from a random three-bit string with non-negligible probability.

Step 1: We decompose Equation (13) into three separate bits, and use the variable $\tilde{x},z$ defined above.

$$\begin{array}{ccc}\hfill {\tilde{B}}_3& =& \langle \tilde{x},{\alpha }^{\left(3\right)}\rangle mod2\hfill \\ \hfill {\tilde{B}}_2& =& \langle \tilde{x},{\alpha }^{\left(2\right)}\rangle mod2\oplus h_2(z,{\alpha }^{\left(3\right)})\hfill \\ \hfill {\tilde{B}}_1& =& \langle \tilde{x},{\alpha }^{\left(1\right)}\rangle mod2\oplus h_1(z,{\alpha }^{\left(3\right)},{\alpha }^{\left(2\right)},b)\hfill \end{array}$$

(15)

where the derivation and exact expressions for the functions $h_1,h_2$ are given in Appendix B. We notice from Equation (15) that each bit includes a term of the form $\langle \tilde{x},{\alpha }^{\left(i\right)}\rangle mod2$ which on its own is a hard-core predicate following the GL theorem.

Step 2: By the second preimage resistance we have:

$$\begin{array}{ccc}\hfill & & \underset{x\leftarrow {\{0,1\}}^n}{Pr}[\mathcal{A}(1^n,x)=x^{\prime }\mathrm{such}\mathrm{that}f\left(x\right)=f\left(x^{\prime }\right)\mathrm{and}x\ne x^{\prime }]\le \mathrm{negl}(n)\Rightarrow \hfill \\ & & \underset{x\leftarrow {\{0,1\}}^n}{Pr}[\mathcal{A}(1^n,x)=x^{\prime }\oplus x=\tilde{x}]\le \mathrm{negl}(n)\hfill \end{array}$$

(16)

For each bit $j\in \{1,2,3\}$, separately we assume that the adversary can achieve an advantage in guessing ${\tilde{B}}_j$ which is $\frac{1}{2}+{\epsilon }_j\left(n\right)$. Then, similarly to GL theorem, we prove that if this ${\epsilon }_j\left(n\right)$ is inverse polynomial, this leads to contradiction with Equation (16) since one can obtain an inverse-polynomial inversion algorithm for the one-way function f.

Step 3: While each bit includes terms that on its own it would make it hard-core predicate (as stated in Step 1), if we XOR the overall bit with other bits it could destroy this property. To proceed with the proof that $\tilde{B}$ is hard-core function, we use the Vazirani–Vazirani theorem which states that it suffices to show that individual bits as well as combinations of XOR’s of individual bits are all hard-core predicates. In this way, one evades the need to show explicitly that the guesses for different bits are not correlated. To proceed with the proof, we use a trick that “disentangles” the different variables.

Step 4: We would like to be able to fix one variable and vary only the remaining, while at the same time maintain some bound on the guessing probability.

The advantage ${\epsilon }_j\left(n\right)$ that we assume the adversary has for guessing one bit (or a XOR) is calculated “on average” over all the random choices of $(\tilde{x},{\alpha }^{\left(i\right)},b)$. Using Lemma 1 we can fix one-by-one all but one variable (applying the lemma iteratively, see Appendix B). With suitable choices, the cardinality of the set of values that satisfies all these conditions is $O\left(2^n{\epsilon }_j\left(n\right)\right)$ for each iteration. Unless ${\epsilon }_j\left(n\right)$ is negligible, this size is an inverse polynomial fraction of all values. This suffices to reach the contradiction. The actual inversion probability that we will obtain is simply a product of the extra cost of fixing the variables with the standard GL inversion probability. This extra cost is exactly the ratio between the cardinality of the Good sets (defined below) and the set of all values.

Lemma 1.

Let $\underset{(v_1,\cdots ,v_k)\leftarrow {\{0,1\}}^n\times \cdots \times {\{0,1\}}^n}{Pr}\left[\mathit{Guessing}\right]\ge p+\epsilon \left(n\right)$, then for any variable $v_i$, there exists a set ${\mathit{Good}}_{v_i}\subseteq {\{0,1\}}^n$ of size at least $\frac{\epsilon \left(n\right)}{2}{2}^n$, such that for all $v_i\in {\mathit{Good}}_{v_i}$, we have:

$$\underset{(v_1,\cdots ,\cancel{v_i},\cdots ,v_k)\leftarrow {\{0,1\}}^n\times \cdots \times {\{0,1\}}^n}{Pr}\left[\mathit{Guessing}\right]\ge p+\frac{\epsilon \left(n\right)}{2}$$

where the latter probability is taken over all variables except $v_i$.

Step 5: If the expression we wish to guess involves XOR of terms that depend on different variables, then by using Step 4 we can fix the variables of all but one term. Then we note that trying to guess a bit (that depends on some variable and has expectation value close to $1/2$) is at least as hard as trying to guess the XOR of that bit with a constant. For example, if the bit we want to guess is $\langle \tilde{x},r_1\rangle mod2\oplus h(z,r_2,r_3)]$ and we have a bound on the guessing probability where only $r_1$ is varied, then we have

$$\begin{array}{cc}& \underset{\begin{array}{c}{r}_1\leftarrow {\{0,1\}}^n\end{array}}{Pr}[\mathcal{A}(f\left(x\right),r_1,r_2,r_3)=\langle \tilde{x},r_1\rangle mod2\oplus h(z,r_2,r_3)]\le \\ & \underset{\begin{array}{c}{r}_1\leftarrow {\{0,1\}}^n\end{array}}{Pr}[\mathcal{A}(f\left(x\right),r_1,r_2,r_3)=\langle \tilde{x},r_1\rangle mod2]\end{array}$$

We note that all bits of $\tilde{B}$ and their XOR’s can be brought in this form. Then using this, we can now prove security, as the r.h.s. is exactly in the form where the GL theorem provides an inversion algorithm for the one-way function f. For details, see Appendix B.    □

6. Function Constructions

For our Algorithm 2, we need a trapdoor one-way function that is also quantum-safe, two-regular and second preimage resistant (or the stronger collision resistance property). These properties may appear to be too strong to achieve, however, we give here methods to construct functions that achieve these properties starting from trapdoor one-way functions that have fewer (more realistic) conditions, and we specifically give one example that achieves all the desired properties. In particular, we give:

• A general construction given either (i) an injective, homomorphic (with respect to any operation and in particular it is only required to be homomorphic once for this operation) trapdoor one-way function or (ii) a bijective trapdoor one-way function, to obtain a two-regular, second preimage resistant, trapdoor one-way function. In both cases the quantum-safe property is maintained (if the initial function has this property, so does the constructed function). We note that for (i) we prove the stronger collision resistant property.
• (Taken from [44]) A method of how to realise injective quantum-safe trapdoor functions derived from the LWE problem, that has certain homomorphic property.
• A way to use the first construction with the trapdoor from [44] that requires a number of modifications, including relaxation of the notion of two-regularity. The resulting function satisfies all the desired properties if a choice of parameters satisfying certain constraints can be found.
• A specific choice of these parameters satisfying all constraints, that leads to a concrete function with all the desired properties.

6.1. Obtaining Two-Regular, Collision Resistant/Second Preimage Resistant, Trapdoor One-Way Functions

Here we give two constructions. The first uses as a starting point an injective, homomorphic trapdoor function while the second a bijective trapdoor function. While we give both constructions, we focus on the first construction since (i) we can prove the stronger collision-resistance property and (ii) (to our knowledge) there is no known bijective trapdoor function that is believed to be quantum-safe.

Theorem 8.

If $\mathcal{G}$ is a family of injective, homomorphic, trapdoor one-way functions, then there exists a family $\mathcal{F}$ of two-regular, collision resistant, trapdoor one-way functions. Moreover, the family $\mathcal{F}$ is quantum-safe if and only if the family $\mathcal{G}$ is quantum-safe.

From now on, we consider that any function $g_k\in \mathcal{G}$ has domain D and range R and let ${+}_D$ be the closed operation on D and ${+}_R$ be the closed operation on R such that $g_k$ is the morphism between D and R with respect to these 2 operations:

$$g_k\left(a\right){+}_R{g}_k\left(b\right)=g_k\left(a{+}_{D}b\right)\forall a,b\in D$$

We also denote the operation ${-}_D$ on D, the inverse operation of ${+}_D$, specifically: $a{+}_D{b}^{-1}=a{-}_{D}b\forall a,b\in D$ and $0_D$ be the identity element for ${+}_D$.

Then, the family $\mathcal{F}$ is described by the following PPT algorithms:

The evaluation procedure receives as input an index $k^{\prime }$ of a function from $\mathcal{F}$ and an element $\overline{x}$ from the function’s domain ($\overline{x}\in D\times \{0,1\}$):

where every function from $\mathcal{F}$ is defined as:

$$\begin{array}{|c|}\hline \begin{array}{cc}\hfill & f_{k^{\prime }}:D\times \{0,1\}\to R\hfill \\ \hfill & f_{k^{\prime }}(x,c)=\left\{\begin{array}{cc}{g}_k\left(x\right),\hfill & \mathrm{if}c=0\hfill \\ g_k\left(x\right){+}_R{g}_k\left(x_0\right)=g_k\left(x{+}_D{x}_0\right),\hfill & \mathrm{if}c=1\hfill \end{array}\right.\hfill \end{array}\\ \hline\end{array}$$

The last equality follows since each function $g_k$ from $\mathcal{G}$ is homomorphic.

Proof. 

To prove Theorem 8 we give below five lemmata showing that, the family $\mathcal{F}$ of functions defined above, satisfies the following properties: (i) two-regular, (ii) trapdoor, (iii) one-way, (iv) collision resistant and (v) quantum-safe.    □

Lemma 2

(two-regular). If $\mathcal{G}$ is a family of injective, homomorphic functions, then $\mathcal{F}$ is a family of two-regular functions.

Proof. 

For every $y\in \mathrm{Im}{f}_{k^{\prime }}\subseteq R$, where $k^{\prime }=(k,g_k\left(x_0\right))$:

• Since $\mathrm{Im}{f}_{k^{\prime }}=\mathrm{Im}{g}_k$ and $g_k$ is injective, there exists a unique $x:=g_k^{-1}\left(y\right)$ such that $f_{k^{\prime }}(x,0)=g_k\left(x\right)=y$.
• Assume $x^{\prime }$ such that $f_{k^{\prime }}(x^{\prime },1)=y$. By definition $f_{k^{\prime }}(x^{\prime },1)=g_k\left(x^{\prime }{+}_D{x}_0\right)=y$, but $g_k$ is injective and $g_k\left(x\right)=y$ by assumption, therefore there exists a unique $x^{\prime }=x{-}_D{x}_0$ such that $f_{k^{\prime }}(x^{\prime },1)=y$

Therefore, we conclude that:

$$\begin{array}{c}\hfill \forall y\in \mathrm{Im}{f}_{k^{\prime }}:f_{k^{\prime }}^{-1}\left(y\right):=\{(g_k^{-1}\left(y\right),0),(g_k^{-1}\left(y\right){-}_D{x}_0,1)\}\end{array}$$

(17)

   □

Lemma 3

(trapdoor). If $\mathcal{G}$ is a family of injective, homomorphic, trapdoor functions, then $\mathcal{F}$ is a family of trapdoor functions.

Proof. 

Let $y\in \mathrm{Im}{f}_{k^{\prime }}\subseteq R$. We construct the following inversion algorithm:

   □

Lemma 4

(one-way). If $\mathcal{G}$ is a family of injective, homomorphic, one-way functions, then $\mathcal{F}$ is a family of one-way functions.

Proof. 

We prove it by contradiction. We assume that there exists a QPT adversary $\mathcal{A}$ that can invert a function in $\mathcal{F}$ with non-negligible probability P (i.e., given $y\in \mathrm{Im}{f}_{k^{\prime }}$ to return a correct preimage of the form $(x^{\prime },b)$ with probability P). We then construct a QPT adversary ${\mathcal{A}}^{\prime }$ that inverts a function in $\mathcal{G}$ with the same non-negligible probability P reaching a contradiction, since $\mathcal{G}$ is one-way by assumption.

From Equation (17) of Lemma 2, we know the two preimages of y are: (i) $(g_k^{-1}\left(y\right),0)$ and (ii) $(g_k^{-1}\left(y\right){-}_D{x}_0,1)$. We see that information on $g_k^{-1}\left(y\right)$ is obtain in both cases, i.e., obtaining any of these two preimages, is sufficient to recover $g_k^{-1}\left(y\right)$ if $x_0$ is known. We now construct an adversary ${\mathcal{A}}^{\prime }$ that for any function $g_k:D\to R$, inverts any output $y=g_k\left(x\right)$ with the same probability P that $\mathcal{A}$ succeeds.

   □

Lemma 5

(collision-resistance). If $\mathcal{G}$ is a family of injective, homomorphic, one-way functions, then any function $f\in \mathcal{F}$ is collision resistant.

Proof. 

Assume there exists a QPT adversary $\mathcal{A}$ that given $k^{\prime }=(k,g_k\left(x_0\right))$ can find a collision $(y,(x_1,b_1),(x_2,b_2))$ where $f_{k^{\prime }}(x_1,b_1)=f_{k^{\prime }}(x_2,b_2)=y$ with non-negligible probability P. From Equation (18), we know that the two preimages are of the form $(x,0),(x▵x_0,1)$ where $g_k\left(x\right)=y$. It follows that when $\mathcal{A}$ is successful, by comparing the first arguments of the two preimages, can recover $x_0$.

We now construct a QPT adversary ${\mathcal{A}}^{\prime }$ that inverts the function $g_k$ with the same probability P, reaching a contradiction:

   □

Lemma 6

(quantum-safe). If $\mathcal{G}$ is a family of quantum-safe trapdoor functions, with properties as above, then $\mathcal{F}$ is also a family of quantum-safe trapdoor functions.

Proof. 

The properties that require to be quantum-safe is one-wayness and collision resistance. Both these properties of $\mathcal{F}$ that we derived above were proved using reduction to the hardness (one-wayness) of $\mathcal{G}$. Therefore, if $\mathcal{G}$ is quantum-safe, its one-wayness is also quantum-safe and thus both properties of $\mathcal{F}$ are also quantum-safe.    □

Theorem 9.

If $\mathcal{G}$ is a family of bijective, trapdoor one-way functions, then there exists a family $\mathcal{F}$ of two-regular, second preimage resistant, trapdoor one-way functions. Moreover, the family $\mathcal{F}$ is quantum-safe if and only if the family $\mathcal{G}$ is quantum-safe.

The family $\mathcal{F}$ is described by the following PPT algorithms, where each function $g_k\in \mathcal{G}$ has domain D and range R:

where every function from $\mathcal{F}$ is defined as:

$$\begin{array}{|c|}\hline \begin{array}{cc}\hfill & f_{k^{\prime }}:D\times \{0,1\}\to R\hfill \\ \hfill & f_{k^{\prime }}(x,c)=\left\{\begin{array}{cc}{g}_{k_1}\left(x\right),\hfill & \mathrm{if}c=0\hfill \\ g_{k_2}\left(x\right),\hfill & \mathrm{if}c=1\hfill \end{array}\right.\hfill \end{array}\\ \hline\end{array}$$

The proof of Theorem 9, using the family of function defined above, follows same steps as of Theorem 8 and is given in the Appendix C.

6.2. Injective, Homomorphic Quantum-Safe Trapdoor One-Way Function from LWE

We outline the Micciancio and Peikert [44] construction of injective trapdoor one-way functions, naturally derived from the Learning-With-Errors problem. At the end we comment on the homomorphic property of the function, since this is crucial in order to use this function as the basis to obtain our desired two-regular, collision resistant trapdoor one-way functions.

The algorithm below generates the index of an injective function and its corresponding trapdoor. The matrix G used in this procedure, is a fixed matrix (whose exact form can be seen in [44]) for which the function from the family $\mathcal{G}$ with index G can be efficiently inverted without any trapdoor.

where the parameters k, $\alpha$, q and $\overline{m}$ are defined in Theorem 11.

The actual description of the injective trapdoor function is given in the evaluation algorithm below, where each function from $\mathcal{G}$ is defined on: $g_K:{\mathbb{Z}}_q^n\times L^m\to {\mathbb{Z}}_q^m$, and L is the domain of the errors in the LWE problem (the set of integers bounded in absolute value by the parameter $\mu$):

The inversion algorithm returns the unique preimage $(s,e)$ corresponding to $b^t\in \mathrm{Im}\left(g_K\right)$. The algorithm uses as a subroutine the efficient algorithm $In{v}_G$ for inverting the function $g_G$, with G the fixed matrix mentioned before.

We examine now whether the functions $g_K$ are homomorphic with respect to some operation.

We first define the domain and the range as $D:={\mathbb{Z}}_q^n\times L^m$ and $R:={\mathbb{Z}}_q^m$. Then, given $a=(s_1,e_1)\in {\mathbb{Z}}_q^n\times L^m$ and $b=(s_2,e_2)\in {\mathbb{Z}}_q^n\times L^m$, the operation ${+}_D$ is defined as:

$$(s_1,e_1){+}_D(s_2,e_2)=(s_1+s_{2}modq,e_1+e_2)$$

Given $y_1=g_K\left(a\right)\in {\mathbb{Z}}_q^m$ and $y_2=g_K\left(b\right)\in {\mathbb{Z}}_q^m$, the operation ${+}_R$ is defined as:

$$y_1{+}_R{y}_2=y_1+y_{2}modq$$

Then, we can easily verify that:

$$\begin{array}{cc}& g_K(s_1,e_1)+g_K(s_2,e_2)modq={s_1}^{t}K+{e_1}^t+{s_2}^{t}K+{e_2}^{t}modq=\\ & {(s_1+s_{2}modq)}^{t}K+{(e_1+e_2)}^t=g_K((s_1+s_2)modq,e_1+e_2)\end{array}$$

However, the sum of two error terms, each being bounded by $\mu$, may not be bounded by $\mu$. This means that the function is not (properly) homomorphic. Instead, what we conclude is that as long as the vector $e_1+e_2$ lies inside the domain of $g_K$, then $g_K$ is homomorphic. To address this issue, we will need to define a weaker notion of 2-regularity, and a (slight) modification of the FromInj construction to provide a desired function starting from the trapdoor function of [44].

6.3. A Suitable δ-2 Regular Trapdoor Function

Using the injective trapdoor function of Micciancio and Peikert [44] and the construction defined in the proof of Theorem 8, we derive a family $\mathcal{F}$ of collision resistant trapdoor one-way function, but with a weaker notion of 2-regularity, called $\delta$-2 regularity:

Definition 12

($\delta$-2 regular). A family of functions ${\left(f_k\right)}_{k\leftarrow Ge{n}_{\mathcal{F}}}$ is said to be δ-2 regular, with $\delta \in [0,1]$ if:

$$\underset{k\leftarrow Ge{n}_{\mathcal{F}},y\in \mathrm{Im}\left(f_k\right)}{Pr}\left[\right|f_k^{-1}\left(y\right)|=2]\ge \delta$$

Given this definition, we should note here that in Algorithm 2 we need to modify the abort case to include the possibility that the image y obtained from the measurement does not have two preimages (something that happens with at most probability $(1-\delta )$).

Theorem 10

(Existence of a $\delta$-2 regular trapdoor function family). There exists a family of functions that are δ-2 regular (with δ at least as big as a fixed constant), trapdoor, one-way, collision resistant and quantum-safe, assuming that there is no quantum algorithm that can efficiently solve $SIVP{}_{\gamma }$ for $\gamma =\mathrm{poly}\left(n\right)$.

Proof. 

To prove this theorem, we define a function similar to the one in the FromInj construction, where the starting point is the function defined in [44]. Crucial for the security is a choice of parameters that satisfy a number of conditions given by Theorem 11 and proven in Appendix D. The proof is then completed by providing a choice of parameters given in Lemma 7 that satisfies all conditions as it is shown in Appendix E.    □

Definition 13.

For a given set of parameter $\mathcal{P}$ chosen as in Theorem 11, we define the following functions, that are similar to the constructionFromInj, with the difference that the key generation requires the trapdoor error to be sampled from a smaller subdomain (${\alpha }^{\prime }<\alpha$):

Note, that the pairs $(s,e)$ and $(s_0,e_0)$ correspond to x and $x_0$ of the FromInj construction of Section 6.1. The idea behind this construction is that the noise of the trapdoor, $e_0$, is sampled from a set which is small compared to the noise of the input function. That way, when we will add the trapdoor $(s_0,e_0)$ together with an input $(s,e)$, the total noise will still be small enough to lie in the set of possible input noise with good probability, mimicking the homomorphic property needed in Theorem 8. Note that the parameters need to be carefully chosen, and a trade-off between probability of success and security exists.

We first introduce the following notation: for all $n,q,\mu \in \mathbb{Z},{\mu }^{\prime }\in \mathbb{R}$, let us define:

• $k:=⎡log\left(q\right)⎤$,
• $\overline{m}=2n$,
• $\omega =nk$,
• $m:=\overline{m}+\omega =2n+nk$,
• ${\alpha }^{\prime }=\frac{{\mu }^{\prime }}{\sqrt{m}q}$,
• $\alpha =m{\alpha }^{\prime }$,
• C the constant in Lemma 2.9 of [44] which is approximately $\frac{1}{\sqrt{2\pi }}$,
• $B=2$ if q is a power of 2, and $B=\sqrt{5}$ otherwise.

Theorem 11

(Requirements on the parameters). If for all security parameters n (dimension of the lattice), there exist q (the modulus of LWE) and μ (the maximum amplitude of the components of the errors) such that:

1. 

m is such that $n=o\left(m\right)$ (required for the injectivity of the function (see e.g., [50])),

2. 

$0<\alpha <1$,

3. 

${\mu }^{\prime }=O(\mu /m)$ (required to have non-negligible probability to have two preimages),

4. 

${\alpha }^{\prime }q\ge 2\sqrt{n}$ (required for theLWEtoSIVPreduction),

5. 

$\frac{n}{{\alpha }^{\prime }}$ is $\mathrm{poly}\left(n\right)$ (representing, up to a constant factor, the approximation factor γ in the $SIVP{}_{\gamma }$ problem)—for the standard hardness of theSIVPproblem.

6. 

$$\sqrt{m}\mu <\underset{r_{max}}{\underbrace{\frac{q}{2B\sqrt{{\left(C·(\alpha ·q)·(\sqrt{2n}+\sqrt{kn}+\sqrt{n})\right)}^2+1}}}}-{\mu }^{\prime }\sqrt{m}$$

(required for the correctness of the inversion algorithm-$r_{max}$ represents the maximum length of an error vector that one can correct using the [44] function, and the last term is needed in the proof of collision resistance to ensure injectivity even when we add the trapdoor noise, as illustrated in Figure 2. We remark that we chose to use the computational definition of [44], but this theorem can be easily extended to other definitions of the same paper, or even to other construction of trapdoor short basis).

Then, the family of functions of Definition 13 is δ-2 regular (with δ at least as big as a fixed constant), trapdoor, one-way and collision resistant (all these properties hold even against a quantum attacker), assuming that there is no quantum algorithm that can efficiently solve $SIVP{}_{\gamma }$ for $\gamma =\mathrm{poly}\left(n\right)$.

Proof. 

The proof follows by showing that the function with these constraints on the parameters is: (i) $\delta$-2 regular, (ii) collision resistant, (iii) one-way and (iv) trapdoor. In Appendix D, we give and prove one lemma for each of those properties. For an intuition of the choice of parameters see also Figure 2.    □

6.4. Parameter Choices

Lemma 7

(Existence of parameters). The following set of parameters fulfils Theorem 11.

$$\begin{array}{cc}\hfill n& =\lambda \hfill \\ \hfill k& =5⎡log\left(n\right)⎤+21\hfill \\ \hfill q& =2^k\hfill \\ \hfill \overline{m}& =2n\hfill \\ \hfill \omega & =nk\hfill \\ \hfill m& =\overline{m}+\omega \hfill \\ \hfill \mu & =⎡2mn\sqrt{2+k}⎤\hfill \\ \hfill {\mu }^{\prime }& =\mu /m\hfill \\ \hfill B& =2\hfill \end{array}$$

and $\alpha ,{\alpha }^{\prime },C$ are defined like in Theorem 11.

The proof is given in Appendix E. As a final remark, we stress that other choices of the parameters are possible (considering the trade-off between security and probability of success) and we have not attempted to find an optimal set.

7. Implementation of HBC − QFactory on IBM Quantum Cloud

Finally, we provide the first proof-of-principle demonstration of a classical remote state preparation protocol. Very importantly, this implementation is not secure against a quantum adversary. The reason is that, as our 2-regular trapdoor function needs to be hard to invert this requires the size of the function to be sufficiently large, but at the same time we need to implement on server’s quantum computer the unitary corresponding to this function. Therefore, given the current limited number of available qubits, we choose a 2-regular function that can be easily inverted by brute-force attacks. The scope of this implementation is to demonstrate the correctness and the randomness of the $\mathsf{HBC}-\mathsf{QFactory}$ protocol.

For the implementation we use the IBM Quantum Experience service and will run all the experiments to prove the correctness and randomness of the protocol using both the simulator “ibmq_qasm_simulator” (32 available qubits) and the IBM real devices: “ibmq_athens” (5 available qubits) and “ibmq_melbourne” (16 available qubits).

7.1. Function Construction for Simulation

We will construct a specific 2-regular function (which given the limitations of the number of available qubits cannot be LWE-based or one-way). More specifically, we define the following 2-regular family of functions $f_{A,B}:{\{0,1\}}^3\to {\{0,1\}}^2$, where the public key is a pair of 2 matrices $A,B\in {\{0,1\}}^{3\times 3}$:

$$f_{A,B}\left(x_1{x}_2{x}_3\right)=\left(\underset{i,j}{⨁}{A}_{i,j}{x}_i{x}_j\right)\parallel \left(\underset{i,j}{⨁}{B}_{i,j}{x}_i{x}_j\right)$$

(18)

where by ∥ we denote the concatenation of the 2 bits.

To construct the Key Generation algorithm, we will proceed as follows. We first sample uniformly at random the trapdoor information, $(d_0,e)\in {\{0,1\}}^2$, and we will construct the public key $(A,B)$ as a function of the trapdoor in the following way:

$$A_{e+1,e+1}=A_{2-e,3}=B_{3,3}=1,B_{2-e,2-e}=d_0,\mathrm{and}\mathrm{all}\mathrm{others}\mathrm{elements}\mathrm{are}0$$

(19)

For the Inversion algorithm, we proceed in the following way:

Given a function image $y=(y_1,y_2)\in {\{0,1\}}^2$, we compute its 2 preimages $x=(x_1,x_2,x_3)\in {\{0,1\}}^3$ and $x^{\prime }=(x_1^{\prime },x_2^{\prime },x_3^{\prime })\in {\{0,1\}}^3$ as:

$$\begin{array}{cc}\hfill & x_{2-e}=0,x_{1+e}=y_1,x_3=y_2\hfill \\ \hfill & x_{2-e}^{\prime }=1,x_{1+e}^{\prime }=y_1\oplus y_2\oplus d_0,x_3^{\prime }=y_2\oplus d_0\hfill \end{array}$$

(20)

We emphasize that by constructing f in this particular way, we have the structure required for both $\mathsf{HBC}-\mathsf{QFactory}$ and Malicious QFactory functions. Indeed, if we define the “hardcore predicate” $h\left(x_1{x}_2{x}_3\right)=x_3$ (as in the Malicious QFactory protocol), then the two preimages x and $x^{\prime }$ of any $y\in {\{0,1\}}^2$ are such that $h\left(x\right)\oplus h\left(x^{\prime }\right)=d_0$.

Moreover, the circuit to implement the unitary $U_{f_{A,B}}$, it is simple to derive from A and B as we just need to implement a Toffoli gate (or CNOT if $i=j$) between i-th input qubit, j-th input qubit and the first output qubit whenever $A_{ij}=1$, and similarly with the second output qubit whenever $B_{ij}=1$.

7.2. Results of Implementation of HBC − QFactory

7.2.1. Randomness

We first want to indicate the randomness of the output of the $\mathsf{HBC}-\mathsf{QFactory}$ protocol.

By this we mean that we want to show that the quantum output is a $\left|{+}_{\theta }\right.〉$ state, where $\theta$ is uniformly sampled from a set of 8 possible values: $\{0,\frac{\pi }{8},\cdots ,\frac{7\pi }{8}\}$.

The following plot indicates the distribution of $\theta$, can be seen in Figure 3.

We run the protocol 5000 number of times, where the distribution is taken over the randomness of the 2 measurements: y (image register) and b (the final measurement—the preimage register) and over the uniform distribution of the measurement angles $\alpha$ and the plot in Figure 3 indicated an almost uniform distribution of $\theta$. We want to emphasize that the number of trial runs was chosen as the largest choice we could accommodate on the IBM Quantum Service, as a higher number of runs resulted in different failures of obtaining a result from the quantum service.

7.2.2. Correctness

For the correctness of the protocol, we want to show 2-fold:

• The server always obtains a $\left|{+}_{\theta }\right.〉$ type of state on his side;
• the client, by knowing the preimages of each image y, can always efficiently compute this $\theta$.

Additionally, we will actually run 2 different types of experiments: using the simulator and a real quantum device. We proceed in the following two different manners.

Interestingly, we proceed in 2 different manners:

When running the simulator we check that the state description the client obtained and the quantum state resulted on the server’s side correspond to the same value of $\theta$, in the following manner: For client we run the algorithm described in $\mathsf{HBC}-\mathsf{QFactory}$ and we compute the value $\theta$. To check that server obtained exactly the state $\left|{+}_{\theta }\right.〉$, the simulator allows us to get the description of the corresponding final quantum output state (as a vector), and we are therefore able to check that it matches perfectly.

Therefore, the first correctness evidence is showed in Figure 4, which depicts the values of ${\theta }_A$ obtained by client and the values of ${\theta }_B$, where $\left|{+}_{{\theta }_B}\right.〉$ is obtained by server. As observed ${\theta }_A={\theta }_B$ for all the runs of our protocol.

For the run on the actual quantum device, client obtains the $\theta$ in the same way. However, we are no longer able to get the vector description of the quantum state of server, because now it corresponds to an actual physical qubit. Now, the only way to see what state server has on his side is to perform a final measurement on the output qubit $\left|{\psi }_{out}\right.〉$.

One way would be to measure the output state $\left|{\psi }_{out}\right.〉$ in the $\{\left|{+}_{\theta }\right.〉,\left|{-}_{\theta }\right.〉\}$ basis, where $\theta$ would be the angle obtained by client through her classical computations, and in this way for correctness we should have always outcome 1 for this measurement.

However, this is not possible, because the IBM does not allow for intermediate measurements. Therefore, the way we will proceed for this is the following:

At the beginning of the protocol, we pick a random ${\theta }_r$, and then we measure the final state of server $\left|{\psi }_{out}\right.〉$ in the basis $\{\left|{+}_{{\theta }_r}\right.〉,\left|{-}_{{\theta }_r}\right.〉\}$. Then, once we receive all the measurement outcomes (preimage, image registers and $\left|{\psi }_{out}\right.〉$) we first compute (using client’s algorithm) the actual $\theta$ and then we check:

• If $\theta ={\theta }_r$, we should obtain measurement outcome 0 with probability 1;
• if $\theta ={\theta }_r\pm \pi$ we should obtain 1 with probability 1;
• if $\theta ={\theta }_r\pm \frac{\pi }{2}$ we should get 1 with probability $\frac{1}{2}$;
• if $\theta ={\theta }_r\pm \frac{\pi }{4}$ we should get 0 with probability $\frac{1}{2}+\frac{\sqrt{2}}{4}$;
• and, in general, the probability of the outcome 0 is equal to: $p\left(0\right)=\frac{1}{2}+\frac{cos(\theta -{\theta }_r)}{2}$.

Therefore, in Figure 5a, we can see the expected probability of the measurement outcome to be 0-which corresponds to the “ideal” quantum computer case. Then, in Figure 5b we have the actual probability of outcome 0, as a result of running it on the “noisy” real quantum device—which corresponds to the real run.

8. Conclusions

8.1. Summary of Results and Discussion

The current work studies the problem of secure delegation of quantum computations between a fully classical honest client and a quantum untrusted server. To achieve this, we introduce the classical client remote state preparation ($\mathsf{CC}-\mathsf{RSP}$) primitive, whose purpose is to remove the need for quantum communication in quantum computation and communication protocols and replace it with classical communication and post-quantum security. Our protocol denoted as $\mathsf{HBC}-\mathsf{QFactory}$ allows a fully classical party (client) to instruct the preparation of a sequence of random quantum states on some distant party (server) in a way that the description of the produced quantum states is known to the client but remains hidden from the server. This protocol relies on the existence of a cryptographic family of functions, specifically a trapdoor one-way function that is quantum-safe, two-regular and collision resistant. We prove the security of our construction against an honest-but-curious server, that follows the protocol specifications, but can try to learn about the secret from the classical transcripts. We show that the description of the output qubit is completely hidden from the server using an argument similar to the Goldreich–Levin theorem. Furthermore, to complete the picture, we show how to construct the required cryptographic functions, by giving an explicit family of functions and an instantiation of its parameters that satisfy all the required properties. These functions are based on the Learning-With-Errors problem. Finally, we provide an experiment of this $\mathsf{CC}-\mathsf{RSP}$ protocol on IBM’s quantum computer using a toy function. This is the first proof-of-principle experiment of classical client remote state preparation.

The main motivation for the current work is that the $\mathsf{CC}-\mathsf{RSP}$ primitive and particularly the $\mathsf{HBC}-\mathsf{QFactory}$ construction, can be used by classical clients to replace a specific quantum channel and enable them to securely delegate quantum computations, for example, by combining $\mathsf{HBC}-\mathsf{QFactory}$ with the protocol of [21]. However, we have noted that enabling classical parties to participate in quantum communication protocols opens numerous opportunities for the applications outlined in Section 1.3 and Appendix A. Indicatively, our protocol can be used in: quantum money, quantum coin-flipping, quantum signatures, etc. The classical client remote state preparation has also been recently employed to construct a quantum two-party computation between a quantum party and a fully classical party [41].

At this point we would like to discuss the practical setup advantages and limitations. The protocol we consider has two main aspects that are evaluated: security (maintaining the privacy of the classical description of the remote state prepared) and correctness (ensuring that an honest server produces the desired state in his lab). The fact that the client is fully classical and there is no quantum state prepared by the (honest) client means that any imperfections and noise could exist only on the server’s side. Since the server is the adversary, imperfections on his side only deteriorate his chances of cheating and thus the security of the protocol is not affected from such practical considerations. In other words, noise does not help the server to obtain further information on the classical description of the ideal state that is prepared. On the other hand, the correctness of the protocol is affected by noise as we have seen in our simulations in Section 7. This serves as a reminder, that our setting is more relevant when the server has the ability to perform universal (fault-tolerant) quantum computations. For example, attempts to use such protocol in Noisy Intermediate Scale Quantum (NISQ) devices, is likely to lead to very noisy output qubits and thus, $\mathsf{HBC}-\mathsf{QFactory}$ is not really practically implementable in this setting.

8.2. Future Directions

Given the need for a practical solution for the classical secure delegation of quantum computations problem in order to exploit the full potential of quantum computers, an important priority is to reduce the cost and bring this primitive close to practice. There are a number of potential improvements to consider such as: finding trapdoor functions that lead to smaller overhead (either by using a different function construction, or a different implementation or a different “quantum-hard” problem) and making a more robust version that can tolerate noise on the server’s side, while maintaining the same security guarantees.

We have, somehow heuristically, mentioned that our primitive (classical client remote state preparation) can be combined with other protocols to achieve a number of applications. Another future direction is to make this intuition concrete and prove that those applications that could use our primitive as a subroutine, are secure (as it was done in the quantum multiparty computation setting [41]). The formal (and not always achievable) way to deal with composite protocols is to use a composable security framework. In the recent work of [20], the use of a classical client remote state preparation in bigger contexts has been studied using such a composable security framework, and an impossibility result for composable $\mathsf{CC}-\mathsf{RSP}$ was proven. This implies that we cannot resort to such an “economic” solution, where one proves the security of the primitive and can then use it directly as subroutine. Instead, for each of the applications we outlined that would use $\mathsf{CC}-\mathsf{RSP}$ as a sub-module, we have to prove the security of the resulting protocol afresh using a game-based security definition. This is an important future direction. Note, that in [20], this game-based approach was used for proving the security of a classical secure delegation of quantum computations protocol (combining a version of $\mathsf{CC}-\mathsf{RSP}$ with the protocol of [21]).