On the Possibility of Classical Client Blind Quantum Computing
Abstract
:Contents  
1  Introduction and Related Works  3 
1.1 Related Work  3  
1.2 Our Contributions  4  
1.3 Applications  5  
1.4 Overview of the Protocol and Proof  6  
2  Preliminaries  9 
2.1 Classical Definitions  9  
2.2 Quantum Definitions  11  
3  CC − RSP_{θ} Primitive  11 
4  The Real Protocol  12 
5  Security of HBC − QFactory  15 
5.1 GameBased Security Definition  15  
5.2 GameBased Security of HBC − QFactory  16  
5.3 Hardcore Function _{θ}  18  
6  Function Constructions  20 
6.1 Obtaining TwoRegular, Collision Resistant/Second Preimage Resistant, Trapdoor OneWay Functions  20  
6.2 Injective, Homomorphic QuantumSafe Trapdoor OneWay Function from LWE  24  
6.3 A Suitable δ2 Regular Trapdoor Function  25  
6.4 Parameter Choices  27  
7  Implementation of HBC−QFactory on IBM Quantum Cloud  28 
7.1 Function Construction for Simulation  28  
7.2 Results of Implementation of HBC−QFactory  29  
7.2.1 Randomness  29  
7.2.2 Correctness  29  
8  Conclusions  31 
8.1 Summary of Results and Discussion  31  
8.2 Future Directions  32  
A  CC−RSP_{θ} within Several Applications  33 
B  Full Proof of Theorem 7  34 
C  Proof of Theorem 9  41 
D  Proof of Theorem 11  42 
D.1 δ2 Regularity  43  
D.2 Collision Resistance  45  
D.3 OneWayness  45  
D.4 Trapdoor  46  
E  Proof of Lemma 7  46 
References  48 
1. Introduction and Related Works
1.1. Related Work
1.2. Our Contributions
 We define the primitive classical client remote state preparation (${\mathsf{CC}\mathsf{RSP}}_{\theta}$) in Section 3. In the earlier version of this work we called this primitive secret random qubit generator, but we switched to the term remote state preparation (RSP), which is the terminology established by the quantum cryptography community. The parameter $\theta $ refers to the set of quantum states produced by the primitive, which are the quantum states ${\left\{\left{+}_{\theta}\right.\u232a\right\}}_{\theta \in \{0,\cdots ,7\pi /4\}}$. ${\mathsf{CC}\mathsf{RSP}}_{\theta}$ can replace the need for quantum channel between parties in certain quantum communication protocols with the tradeoff that the protocols become computationally secure (against quantum adversaries).
 We give a basic protocol ($\mathsf{HBC}\mathsf{QFactory}$) that achieves this functionality from a correctness point of view, given a trapdoor oneway function that is quantumsafe, tworegular and collision resistant in Section 4 and prove its correctness.
 We prove the security of the $\mathsf{HBC}\mathsf{QFactory}$ against honestbutcurious server (server follows the protocol specifications, but can try to infer any information about the secret from the classical transcripts) or against any malicious third party using a gamebased security definition. To show the security, we prove that the classical description of the generated qubits is a hardcore function (following a reduction similar to that of the Goldreich–Levin Theorem) in Section 5.
 While the abovementioned results do not depend on the specific function used, the existence of such specific functions (with all desired properties) makes the ${\mathsf{CC}\mathsf{RSP}}_{\theta}$ a practical primitive that can be employed as described in this paper. In Section 6, we first give methods for obtaining tworegular trapdoor oneway functions with extra properties (collision resistant or second preimage resistant) assuming the existence of simpler trapdoor oneway functions (permutation trapdoor or homomorphic, injective trapdoor functions). We use reductions to prove that the resulting functions maintain all the properties required. Furthermore, we give in Section 6.3 an explicit family of functions that respect all the required properties based on the security of the LearningWithErrors problem as well as a possible instantiation of the parameters. This function is also quantumsafe, and thus directly applicable for our setting. Note, that other functions may also be used, such as the one in [28] or functions based on the Niederreither cryptosystem and the construction in [29].
 Finally, we implement $\mathsf{HBC}\mathsf{QFactory}$ on the quantum computer IBM Quantum Experience using a toy function (given the current limited number of available qubits we consider a 2regular function acting on a small number of bits, consequently, it cannot be postquantum secure). Hence, we provide in addition to the theoretical results, an experimental evidence of the correctness and output distribution of the $\mathsf{HBC}\mathsf{QFactory}$ protocol on a real quantum device. This is the first implementation of an $\mathsf{RSP}\mathsf{CC}$ protocol on a quantum cloud service.
1.3. Applications
1.4. Overview of the Protocol and Proof
2. Preliminaries
2.1. Classical Definitions
 There exists a PPT algorithm that can compute ${f}_{k}\left(x\right)$ for any index function k, outcome of the PPT parametergeneration algorithm Gen and any input $x\in D$;
 any PPT algorithm $\mathcal{A}$ can invert ${f}_{k}$ with at most negligible probability over the choice of k:$\underset{\begin{array}{c}k\leftarrow Gen\left({1}^{n}\right)\\ x\leftarrow D\\ rc\leftarrow {\{0,1\}}^{*}\end{array}}{Pr}[f(\mathcal{A}(k,{f}_{k}\left(x\right))=f\left(x\right)]\le \mathrm{negl}(n)$where $rc$ represents the randomness used by $\mathcal{A}$;
 There exists a PPT algorithm that can compute ${f}_{k}\left(x\right)$ for any index function k, outcome of the PPT parametergeneration algorithm Gen and any input $x\in D$;
 for any PPT algorithm $\mathcal{A}$, given an input x, it can find a different input ${x}^{\prime}$ such that ${f}_{k}\left(x\right)={f}_{k}\left({x}^{\prime}\right)$ with at most negligible probability over the choice of k:$\underset{\begin{array}{c}k\leftarrow Gen\left({1}^{n}\right)\\ x\leftarrow D\\ rc\leftarrow {\{0,1\}}^{*}\end{array}}{Pr}[\mathcal{A}(k,x)={x}^{\prime}\phantom{\rule{4.pt}{0ex}}\mathrm{such}\phantom{\rule{4.pt}{0ex}}\mathrm{that}\phantom{\rule{4.pt}{0ex}}x\ne {x}^{\prime}\phantom{\rule{4.pt}{0ex}}\mathrm{and}\phantom{\rule{4.pt}{0ex}}{f}_{k}\left(x\right)={f}_{k}\left({x}^{\prime}\right)]\le \mathrm{negl}(n)$where $rc$ is the randomness of $\mathcal{A}$;
 There exists a PPT algorithm that can compute ${f}_{k}\left(x\right)$ for any index function k, outcome of the PPT parametergeneration algorithm Gen and any input $x\in D$;
 any PPT algorithm $\mathcal{A}$ can find two inputs $x\ne {x}^{\prime}$ such that ${f}_{k}\left(x\right)={f}_{k}\left({x}^{\prime}\right)$ with at most negligible probability over the choice of k:$\underset{\begin{array}{c}k\leftarrow Gen\left({1}^{n}\right)\\ rc\leftarrow {\{0,1\}}^{*}\end{array}}{Pr}[\mathcal{A}\left(k\right)=(x,{x}^{\prime})\phantom{\rule{4.pt}{0ex}}\mathrm{such}\phantom{\rule{4.pt}{0ex}}\mathrm{that}\phantom{\rule{4.pt}{0ex}}x\ne {x}^{\prime}\phantom{\rule{4.pt}{0ex}}\mathrm{and}\phantom{\rule{4.pt}{0ex}}{f}_{k}\left(x\right)={f}_{k}\left({x}^{\prime}\right)]\le \mathrm{negl}(n)$where $rc$ is the randomness of $\mathcal{A}$ ($rc$ will be omitted from now).
 There exists a PPT algorithmGenwhich on input ${1}^{n}$ outputs $(k,{t}_{k})$, where k represents the index of the function;
 ${\{{f}_{k}:D\to R\}}_{k\in K}$ is a family of oneway functions;
 there exists a PPT algorithmInv, which on input ${t}_{k}$ (which is called the trapdoor information) output byGen(${1}^{n}$) and $y={f}_{k}\left(x\right)$ can invert y (by returning all preimages of y) with nonnegligible probability over the choice of $(k,{t}_{k})$ and uniform choice of x. Note, that while in the standard definition of trapdoor functions it suffices for the inversion algorithmInvto return one of the preimages of any output of the function, in our case we require a tworegular trapdoor function where the inversion procedure returns both preimages for any function output.
 There exists a PPT algorithm that for any input x can compute $hc\left(x\right)$;
 any PPT algorithm $\mathcal{A}$ when given $f\left(x\right)$, can compute $hc\left(x\right)$ with negligible better than $1/2$ probability:$\underset{\begin{array}{c}x\leftarrow D\left(n\right)\\ rc\leftarrow {\{0,1\}}^{*}\end{array}}{Pr}[\mathcal{A}(f\left(x\right),{1}^{n})=hc\left(x\right)]\le \frac{1}{2}+\mathrm{negl}(n)$, where $rc$ represents the randomness used by $\mathcal{A}$;
 There exists a PPT algorithm that can compute $h\left(x\right)$ for any input x;
 for any PPT algorithm $\mathcal{A}$ when given $f\left(x\right)$, $\mathcal{A}$ can distinguish between $h\left(x\right)$ and a uniformly distributed element in E with at most negligible probability:$$\underset{\begin{array}{c}x\leftarrow D\left(n\right)\end{array}}{Pr}[\mathcal{A}(f\left(x\right),h\left(x\right))=1]\phantom{\rule{0.166667em}{0ex}}\underset{\begin{array}{c}x\leftarrow D\left(n\right)\\ r\leftarrow E\left(\righth\left(x\right)\left\right)\end{array}}{Pr}[\mathcal{A}(f\left(x\right),r)=1]\le \mathrm{negl}(n)$$
 $g(x,r)=\left(f\right(x),r)$ is a oneway function, where $\leftx\right=\leftr\right$.
 $hc(x,r)=\langle x,r\rangle \phantom{\rule{0.277778em}{0ex}}mod\phantom{\rule{0.277778em}{0ex}}2$ is a hardcore predicate for g.
2.2. Quantum Definitions
3. CC − RSP_{θ} Primitive
Algorithm 1 Primitive: Classical Channel Remote State Preparation (${\mathsf{CC}\mathsf{RSP}}_{\theta}$) 
Requirements: Client is a purely classical party with no access to quantum resources. Public Information: A distribution on pairs of lists M, intuitively containing the values of the classical variables used by the client and by the server. Trusted Party: – With some probability p returns to both parties $\mathsf{abort}$, otherwise: – Samples $({m}_{C},{m}_{S})\leftarrow M$ – Samples $\theta \leftarrow {\{0,1\}}^{3}\xb7\frac{\pi}{4}$ – Prepares a qubit in state ${+}_{\theta}\rangle $ Outputs: – Either returns $\mathsf{abort}$ to both client and server – Or returns $({m}_{C},\theta )$ to the client, and $({m}_{S},{+}_{\theta}\rangle )$ to the server 
4. The Real Protocol
Algorithm 2: Real $\mathsf{HBC}\mathsf{QFactory}$ Protocol 
Requirements: Public: A family $\mathcal{F}=\{{f}_{k}:{\{0,1\}}^{n}\to {\{0,1\}}^{m}\}$ of trapdoor oneway functions that are quantumsafe, tworegular and collision resistant (or second preimage resistant, see Remark 1) Input: – Client: uniformly samples a set of random threebits strings $\alpha =({\alpha}_{1},\cdots ,{\alpha}_{n1})$ where ${\alpha}_{i}\leftarrow {\{0,1\}}^{3}$, and runs the algorithm $(k,{t}_{k})\leftarrow {\mathrm{Gen}}_{\mathcal{F}}\left({1}^{n}\right)$. The $\alpha $ and k are public inputs (known to both parties), while ${t}_{k}$ is the “private” input of the client. Stage 1: Preimages superposition – Client: instructs server to prepare one register at ${\otimes}^{n}H0\rangle $ and second register initiated at ${0\rangle}^{m}$ – Client: sends k to server and the server applies ${U}_{{f}_{k}}$ using the first register as control and the second as target – Server: measures the second register in the computational basis, obtains the outcome y and returns this result y to the client. Here, an honest server would have a state $(x\rangle +{x}^{\prime}\rangle )\otimes y\rangle $ with ${f}_{k}\left(x\right)={f}_{k}\left({x}^{\prime}\right)=y$ and $y\in \mathrm{Im}{f}_{k}$. Stage 2: Squeezing – Client: instructs the server to measure all the qubits (except the last one) of the first register in the $\left\{0\rangle \pm {e}^{{\alpha}_{i}\pi /4}1\rangle \right\}$ basis. Server obtains the outcomes $b=({b}_{1},\cdots ,{b}_{n1})$ and returns the result b to the client – Client: using the trapdoor ${t}_{k}$ computes $x,{x}^{\prime}$. Then check if the nth bit of x and ${x}^{\prime}$ (corresponding to the y received in Stage 1) are the same or different. If they are the same, returns $\mathsf{abort}$, otherwise, obtains the classical description of the server’s state. Output: If the protocol is run honestly, when there is no abort, the state that server has is ${+}_{\theta}\rangle $, where the client (only) knows the classical description (see Theorem 5):
$$\begin{array}{c}\hfill \theta =\frac{\pi}{4}{(1)}^{{x}_{n}}\sum _{i=1}^{n1}({x}_{i}{x}_{i}^{\prime})(4{b}_{i}+{\alpha}_{i})\phantom{\rule{0.277778em}{0ex}}mod\phantom{\rule{0.277778em}{0ex}}8\end{array}$$

Correctness and Intuition
5. Security of HBC − QFactory
5.1. GameBased Security Definition
5.2. GameBased Security of $\mathsf{HBC}\mathsf{QFactory}$
 (i)
 $\mathcal{A}$ receives the “true” state ($c=0$), so to win the game he needs to return $\tilde{c}=0$. By definition, this happens with $\frac{1}{2}+{p}_{0}$, and in this case ${\mathcal{A}}^{\prime}$ also wins (since he outputs the correct state). The overall probability that all this happens, i.e., that ${\mathcal{A}}^{\prime}$ succeeds in this case, is $\frac{1}{8}\xb7\left(\frac{1}{2}+{p}_{0}\right)$.
 (ii)
 $\mathcal{A}$ receives one of the “false” states ($c=1$), and thus to win ${G}_{sec}$ he needs to return $\tilde{c}=1$. By definition this happens with probability $\frac{1}{2}+{p}_{1}$. Now, in this case, ${\mathcal{A}}^{\prime}$ has essentially ruledout one of the eight possible states. His random guess, after rulingout one state, succeeds with probability $\frac{1}{7}$. Combining all this together we see that ${\mathcal{A}}^{\prime}$ succeeds with probability $\frac{7}{8}\xb7\left(\frac{1}{2}+{p}_{1}\right)\xb7\frac{1}{7}$.
5.3. Hardcore Function θ
6. Function Constructions
 A general construction given either (i) an injective, homomorphic (with respect to any operation and in particular it is only required to be homomorphic once for this operation) trapdoor oneway function or (ii) a bijective trapdoor oneway function, to obtain a tworegular, second preimage resistant, trapdoor oneway function. In both cases the quantumsafe property is maintained (if the initial function has this property, so does the constructed function). We note that for (i) we prove the stronger collision resistant property.
 (Taken from [44]) A method of how to realise injective quantumsafe trapdoor functions derived from the LWE problem, that has certain homomorphic property.
 A way to use the first construction with the trapdoor from [44] that requires a number of modifications, including relaxation of the notion of tworegularity. The resulting function satisfies all the desired properties if a choice of parameters satisfying certain constraints can be found.
 A specific choice of these parameters satisfying all constraints, that leads to a concrete function with all the desired properties.
6.1. Obtaining TwoRegular, Collision Resistant/Second Preimage Resistant, Trapdoor OneWay Functions
 Since $\mathrm{Im}{f}_{{k}^{\prime}}=\mathrm{Im}{g}_{k}$ and ${g}_{k}$ is injective, there exists a unique $x:={g}_{k}^{1}\left(y\right)$ such that ${f}_{{k}^{\prime}}(x,0)={g}_{k}\left(x\right)=y$.
 Assume ${x}^{\prime}$ such that ${f}_{{k}^{\prime}}({x}^{\prime},1)=y$. By definition ${f}_{{k}^{\prime}}({x}^{\prime},1)={g}_{k}\left({x}^{\prime}\phantom{\rule{0.166667em}{0ex}}{+}_{D}\phantom{\rule{0.166667em}{0ex}}{x}_{0}\right)=y$, but ${g}_{k}$ is injective and ${g}_{k}\left(x\right)=y$ by assumption, therefore there exists a unique ${x}^{\prime}=x{}_{D}{x}_{0}$ such that ${f}_{{k}^{\prime}}({x}^{\prime},1)=y$
6.2. Injective, Homomorphic QuantumSafe Trapdoor OneWay Function from LWE
6.3. A Suitable δ2 Regular Trapdoor Function
 $k:=\u23a1log\left(q\right)\u23a4$,
 $\overline{m}=2n$,
 $\omega =nk$,
 $m:=\overline{m}+\omega =2n+nk$,
 ${\alpha}^{\prime}=\frac{{\mu}^{\prime}}{\sqrt{m}q}$,
 $\alpha =m{\alpha}^{\prime}$,
 $B=2$ if q is a power of 2, and $B=\sqrt{5}$ otherwise.
 1.
 m is such that $n=o\left(m\right)$ (required for the injectivity of the function (see e.g., [50])),
 2.
 $0<\alpha <1$,
 3.
 ${\mu}^{\prime}=O(\mu /m)$ (required to have nonnegligible probability to have two preimages),
 4.
 ${\alpha}^{\prime}q\ge 2\sqrt{n}$ (required for theLWEtoSIVPreduction),
 5.
 $\frac{n}{{\alpha}^{\prime}}$ is $\mathrm{poly}\left(n\right)$ (representing, up to a constant factor, the approximation factor γ in the $SIVP{}_{\gamma}$ problem)—for the standard hardness of theSIVPproblem.
 6.
 $$\sqrt{m}\mu <\underset{{r}_{max}}{\underbrace{\frac{q}{2B\sqrt{{\left(C\xb7(\alpha \xb7q)\xb7(\sqrt{2n}+\sqrt{kn}+\sqrt{n})\right)}^{2}+1}}}}{\mu}^{\prime}\sqrt{m}$$
6.4. Parameter Choices
7. Implementation of HBC − QFactory on IBM Quantum Cloud
7.1. Function Construction for Simulation
7.2. Results of Implementation of HBC − QFactory
7.2.1. Randomness
7.2.2. Correctness
 The server always obtains a $\left{+}_{\theta}\right.\u232a$ type of state on his side;
 the client, by knowing the preimages of each image y, can always efficiently compute this $\theta $.
 If $\theta ={\theta}_{r}$, we should obtain measurement outcome 0 with probability 1;
 if $\theta ={\theta}_{r}\pm \pi $ we should obtain 1 with probability 1;
 if $\theta ={\theta}_{r}\pm \frac{\pi}{2}$ we should get 1 with probability $\frac{1}{2}$;
 if $\theta ={\theta}_{r}\pm \frac{\pi}{4}$ we should get 0 with probability $\frac{1}{2}+\frac{\sqrt{2}}{4}$;
 and, in general, the probability of the outcome 0 is equal to: $p\left(0\right)=\frac{1}{2}+\frac{cos(\theta {\theta}_{r})}{2}$.
8. Conclusions
8.1. Summary of Results and Discussion
8.2. Future Directions
Author Contributions
Funding
Acknowledgments
Conflicts of Interest
Appendix A. CC−RSP_{θ} within Several Applications
 In the quantum homomorphic encryption scheme AUX in [4], where the target quantum computation must have constant Tgate depth, using our QFactory protocol would allow a classical client to participate (delegate such computation) provided, of course, that the input/output are classical. Specifically, as the input is classical, the client will instruct the server to prepare a quantum state of the classical onetime pad of this input (and then the client will also send to the server a classical homomorphic encryption of the classical onetime pad key of each of the input’s bits). Moreover, for every Tgate in the quantum computation, the auxiliary qubits in the evaluation key can be produced using QFactory: $\{+\rangle ,P+\rangle ={+}_{2\pi /4}\rangle ,Z+\rangle ={+}_{4\pi /4}\rangle ,ZP+\rangle ={+}_{6\pi /4}\rangle \}$.We note that due to the use of a classical fully homomorphic encryption scheme, the AUX protocol [4] has computationally security, thus, the computational security offered by the QFactory is not downgrading the security of this protocol.
 In the blind delegated quantum computation protocol of [21], the client needs to prepare and send to the server qubits, randomly chosen, from the set of states $\{+\rangle ,{+}_{\pi /4}\rangle ,\dots ,{+}_{7\pi /4}\rangle \}$. This is exactly the set of states of Equation (3) which are given by the QFactory. It follows that our construction eliminates the need for quantum communication and thus any classical client can use this protocol.
 The verifiable blind quantum computation protocol in [32], the only quantum ability that the verifier needs is to prepare and send to the prover single qubits, randomly chosen, from the set of states $\left\{{+}_{k\pi /4}\rangle \right\}$. Again, this is exactly the set of states given by the QFactory. Therefore, the quantum communication, and thus quantum abilities of the verifier, can be completely replaced by the $\mathsf{CC}\mathsf{RSP}$ primitive.
 For the quantum keydistribution construction in [33], we can use two conjugate bases to realise this protocol, namely: the diagonal basis $\{+\rangle ,{+}_{\pi}\rangle \}$ and the leftright handed circular basis $\{{+}_{\pi /2}\rangle ,{+}_{3\pi /2}\rangle \}$. All these four quantum states can be obtained by the QFactory protocol. We note that if one was interested in obtaining exactly and only this set of states, we can modify the QFactory to do so, in a way that actually simplifies the proofs too. For example, we could simply ask to measure the qubits in the second stage in the basis $\left\{{\pm}_{{\alpha}_{i}\pi /2}\rangle \right\}$. As the quantum coin flipping protocol of [33], the quantum money protocol of [34] or the quantum digital signatures protocol of [36] only require, as in [33], any pair of conjugate bases, this implies that we can use QFactory in a straight forward way. On the other hand, for the quantum coin flip construction in [35], the single qubit quantum states needed are of the form $\sqrt{a}0\rangle +{(1)}^{{\alpha}_{i}}\sqrt{1a}1\rangle $, which might be achieved by a different construction of the ${\mathsf{CC}\mathsf{RSP}}_{\theta}$.
 In the multiparty quantum computation protocol of [39], the n clients need to send multiple copies of quantum states in the set $\left\{{+}_{k\pi /4}\rangle \right\}$ to the server, who entangles and measures them all but one. Using QFactory all these states will be prepared by the server, which would enable the n clients to be fully classical.
 The verifiable blind quantum computation protocols in [30,31] or the twoparty quantum computation protocols in [37,38], require the honest party to prepare single qubit states from the set of states $\{0\rangle ,1\rangle ,{+}_{k\pi /4}\rangle \}$. While the QFactory primitive can output the ${+}_{k\pi /4}\rangle $ states, in order to make the honest party fully classical, we need to change the construction of QFactory in order to also be able to output the $0\rangle $ and $1\rangle $ states, and maintain the same guarantees in privacy as in the QFactory.
Appendix B. Full Proof of Theorem 7
Appendix C. Proof of Theorem 9
 Since $\mathrm{Im}{f}_{{k}^{\prime}}=\mathrm{Im}{g}_{{k}_{1}}$ and ${g}_{{k}_{1}}$ is bijective, there exist unique ${x}_{1}:={g}_{{k}_{1}}^{1}\left(y\right)$ such that ${f}_{{k}^{\prime}}(x,0)={g}_{{k}_{1}}\left(x\right)=y$.
 Since $\mathrm{Im}{f}_{{k}^{\prime}}=\mathrm{Im}{g}_{{k}_{2}}$ and ${g}_{{k}_{2}}$ is bijective, there exist unique ${x}_{2}:={g}_{{k}_{2}}^{1}\left(y\right)$ such that ${f}_{{k}^{\prime}}(x,1)={g}_{{k}_{2}}\left(x\right)=y$.
Appendix D. Proof of Theorem 11
Appendix D.1. δ2 Regularity
 If $\underset{m\to \infty}{lim}\frac{{\mu}^{\prime}}{\mu}=0$, then:$$\underset{m\to \infty}{lim}{\left(1\frac{{\mu}^{\prime}}{4\mu}\right)}^{m}=\underset{m\to \infty}{lim}{\left(1\frac{{\mu}^{\prime}}{4\mu}\right)}^{\frac{4\mu}{{\mu}^{\prime}}\frac{{\mu}^{\prime}m}{4\mu}}={\left(\frac{1}{e}\right)}^{{lim}_{m\to \infty}\frac{{\mu}^{\prime}m}{4\mu}}$$Now, what we require is that $\underset{m\to \infty}{lim}\frac{{\mu}^{\prime}m}{4\mu}$ = c $\ge 0$, where c is a constant, as then, we have that the probability of success is at least a constant $\ge {\left(\frac{1}{e}\right)}^{c}$.
 If $\underset{m\to \infty}{lim}\frac{{\mu}^{\prime}}{\mu}>0$ (and less than 1, as $0<{\mu}^{\prime}<\mu $), then:$$\underset{m\to \infty}{lim}{\left(1\frac{{\mu}^{\prime}}{4\mu}\right)}^{m}=0$$
Appendix D.2. Collision Resistance
Appendix D.3. OneWayness
Appendix D.4. Trapdoor
Appendix E. Proof of Lemma 7
 The first three requirements are trivially satisfied.
 In the forth condition, the only difficulty is to show that $\alpha <1$. By definition,$$\begin{array}{cccc}\hfill \alpha & =\frac{m\mu}{\sqrt{m}mq}=\frac{\mu}{\sqrt{m}q}\hfill & =\frac{\u23a12mn\sqrt{2+k\u23a4}}{\sqrt{m}q}\hfill & \le \frac{4mn\sqrt{2+k}}{\sqrt{m}q}\le \frac{8mn\sqrt{k}}{\sqrt{m}q}\hfill \\ & \le \frac{8\sqrt{m}nk}{q}\le \frac{8\sqrt{2n+nk}nk}{{2}^{21}{n}^{5}}\hfill & \le \frac{8\sqrt{2nk}nk}{{2}^{21}{n}^{5}}\hfill & \le \frac{16{\left(nk\right)}^{3/2}}{{2}^{21}{n}^{5}}\hfill \\ & \le \frac{16{\left(n(5(log\left(n\right)+1)+21)\right)}^{3/2}}{{2}^{21}{n}^{5}}\hfill & \hfill \le \frac{16{(5\times 21{n}^{2})}^{3/2}}{{2}^{21}{n}^{5}}& \hfill \le \frac{16\times 1076{n}^{3}}{{2}^{21}{n}^{5}}<\frac{1}{{n}^{2}}\le 1\end{array}$$
 Now, let us show the fifth condition, i.e., ${\alpha}^{\prime}q\ge 2\sqrt{n}$. First we note that ${\alpha}^{\prime}q:=\frac{\mu}{\sqrt{m}m}\ge 2\sqrt{n}\iff \mu \ge 2\sqrt{n}m\sqrt{m}=2mn\sqrt{2+k}$. Then, by defining $\mu =\u23a12mn\sqrt{2+k\u23a4}$, the condition is satisfied.
 For the fifth condition, i.e., $\frac{n}{{\alpha}^{\prime}}$ is $\mathrm{poly}\left(n\right)$, we just need to remark that $1/{\alpha}^{\prime}=\frac{{m}^{3/2}q}{\mu}<{m}^{3/2}q$, and that both m and q are $\mathrm{poly}\left(n\right)$.
 Finally, to show that the last condition is satisfied, we note that:$$\begin{array}{cc}\hfill \sqrt{m}\mu & <\frac{q}{2B\sqrt{{\left(C\xb7(\alpha \xb7q)\xb7(\sqrt{2n}+\sqrt{kn}+\sqrt{n})\right)}^{2}+1}}{\mu}^{\prime}\sqrt{m}\hfill \end{array}$$$$\begin{array}{cc}\hfill \phantom{\rule{1.em}{0ex}}& =\frac{q}{4\sqrt{{\left(C\xb7\frac{\mu}{\sqrt{m}}\xb7(\sqrt{2n}+\sqrt{kn}+\sqrt{n})\right)}^{2}+1}}\frac{\mu}{\sqrt{m}}\hfill \end{array}$$$$A:=4\left(\sqrt{m}+\frac{1}{\sqrt{m}}\right)\mu \sqrt{{\left(C\xb7\frac{\mu}{\sqrt{m}}\xb7(\sqrt{2n}+\sqrt{kn}+\sqrt{n})\right)}^{2}+1}\le q$$Now, let us suppose that $k:=u\u23a1log\left(n\right)\u23a4+v$ with $u\le 5$ and $v\ge 19$ and we need to find $u,v$ such that $A\le {2}^{k}$. Note that we will include v in some constants and then find the good v at the end. First, remark that:$$\begin{array}{cc}\hfill \sqrt{m}+\frac{1}{\sqrt{m}}\phantom{\rule{1.em}{0ex}}& =\sqrt{m}(1+\frac{1}{m})\hfill \end{array}$$$$\begin{array}{cc}\hfill \phantom{\rule{1.em}{0ex}}& =\sqrt{m}(1+\frac{1}{n(2+k)})\hfill \end{array}$$$$\begin{array}{cc}\hfill \phantom{\rule{1.em}{0ex}}& \le \sqrt{m}(1+\frac{1}{2+k})\hfill \end{array}$$$$\begin{array}{cc}\hfill \phantom{\rule{1.em}{0ex}}& \le \sqrt{m}\underset{{\gamma}_{0}}{\underbrace{(1+\frac{1}{2+v})}}={\gamma}_{0}\sqrt{m}\hfill \end{array}$$So now,$$\begin{array}{cc}\hfill A& \le 4C{\gamma}_{0}{\mu}^{2}\sqrt{kn}\sqrt{{\left(1+\sqrt{\frac{2}{k}}+\frac{1}{\sqrt{k}}\right)}^{2}+\frac{1}{kn{\left(C\xb7\frac{\mu}{\sqrt{m}}\right)}^{2}}}\hfill \\ \hfill \phantom{\rule{1.em}{0ex}}& =4C{\gamma}_{0}{[2mn\sqrt{2+k]}}^{2}\sqrt{kn}\sqrt{{\left(1+\sqrt{\frac{2}{k}}+\frac{1}{\sqrt{k}}\right)}^{2}+\frac{1}{kn{\left(C\xb7\frac{\u23a12mn\sqrt{2+k\u23a4}}{\sqrt{m}}\right)}^{2}}}\hfill \\ \hfill \phantom{\rule{1.em}{0ex}}& \le 4C{\gamma}_{0}{[2mn\sqrt{2+k]}}^{2}\sqrt{kn}\underset{{\gamma}_{1}}{\underbrace{\sqrt{{\left(1+\sqrt{\frac{2}{v}}+\frac{1}{\sqrt{v}}\right)}^{2}+\frac{1}{v{\left(2C\sqrt{2+v}\right)}^{2}}}}}\hfill \\ \hfill \phantom{\rule{1.em}{0ex}}& \le 4C{\gamma}_{0}{\gamma}_{1}{\left(2mn\sqrt{2+k}+1\right)}^{2}\sqrt{kn}\hfill \\ \hfill \phantom{\rule{1.em}{0ex}}& =4C{\gamma}_{0}{\gamma}_{1}{\left(2{n}^{2}{(2+k)}^{3/2}+1\right)}^{2}\sqrt{kn}\hfill \\ \hfill \phantom{\rule{1.em}{0ex}}& =16C{\gamma}_{0}{\gamma}_{1}{n}^{4}{(2+k)}^{3}{\left(1+\frac{1}{2{n}^{2}{(2+k)}^{3/2}}\right)}^{2}\sqrt{kn}\hfill \\ \hfill \phantom{\rule{1.em}{0ex}}& \le 16C{\gamma}_{0}{\gamma}_{1}{n}^{4}{(2+k)}^{3}\underset{{\gamma}_{2}}{\underbrace{{\left(1+\frac{1}{2{(2+v)}^{3/2}}\right)}^{2}}}\sqrt{kn}\hfill \\ \hfill \phantom{\rule{1.em}{0ex}}& \le 16C{\gamma}_{0}{\gamma}_{1}{\gamma}_{2}{n}^{4}{\left(k\left(1+\frac{2}{k}\right)\right)}^{3}\sqrt{kn}\hfill \\ \hfill \phantom{\rule{1.em}{0ex}}& \le 16C{\gamma}_{0}{\gamma}_{1}{\gamma}_{2}{n}^{4}{k}^{3}\underset{{\gamma}_{3}}{\underbrace{{\left(1+\frac{2}{v}\right)}^{3}}}\sqrt{kn}\hfill \\ \hfill \phantom{\rule{1.em}{0ex}}& \le 16C{\gamma}_{0}{\gamma}_{1}{\gamma}_{2}{\gamma}_{3}{n}^{9/2}{\left(u\u23a1log\left(n\right)\u23a4+v\right)}^{7/2}\hfill \\ \hfill \phantom{\rule{1.em}{0ex}}& =16C{\gamma}_{0}{\gamma}_{1}{\gamma}_{2}{\gamma}_{3}{n}^{9/2}{v}^{7/2}{\left(1+\frac{u\u23a1log\left(n\right)\u23a4}{v}\right)}^{7/2}\hfill \\ \hfill \phantom{\rule{1.em}{0ex}}& \le 16C{\gamma}_{0}{\gamma}_{1}{\gamma}_{2}{\gamma}_{3}{n}^{9/2}{v}^{7/2}{\left(1+\frac{5\u23a1log\left(n\right)\u23a4}{19}\right)}^{7/2}\hfill \\ \hfill \phantom{\rule{1.em}{0ex}}& \le 16C{\gamma}_{0}{\gamma}_{1}{\gamma}_{2}{\gamma}_{3}{n}^{9/2}{v}^{7/2}3{n}^{1/2}\hfill \\ \hfill \phantom{\rule{1.em}{0ex}}& \le 48C{\gamma}_{0}{\gamma}_{1}{\gamma}_{2}{\gamma}_{3}{v}^{7/2}{n}^{5}\hfill \end{array}$$Finally, we observe that if $v=21$ and $u=5$, we have $A\le {2}^{v+u\u23a1log\left(n\right)\u23a4}={2}^{k}$, which concludes the proof.
References
 Elkouss, D.; Lipinska, V.; Goodenough, K.; Rozpedek, F.; Kalb, N.; van Dam, S.; Le Phuc, T.; Murta, G.; Humphreys, P.; Taminiau, T.; et al. Quantum internet: The certifiable road ahead. In Proceedings of the APS Meeting Abstracts, New Orleans, LA, USA, 13–17 March 2017. [Google Scholar]
 Broadbent, A.; Schaffner, C. Quantum cryptography beyond quantum key distribution. Des. Codes Cryptogr. 2016, 78, 351–382. [Google Scholar] [CrossRef][Green Version]
 Fitzsimons, J.F. Private quantum computation: An introduction to blind quantum computing and related protocols. Npj Quantum Inf. 2017, 3, 23. [Google Scholar] [CrossRef]
 Broadbent, A.; Jeffery, S. Quantum homomorphic encryption for circuits of low Tgate complexity. In Annual Cryptology Conference; Springer: Berlin/Heidelberg, Germany, 2015; pp. 609–629. [Google Scholar]
 Dulek, Y.; Schaffner, C.; Speelman, F. Quantum homomorphic encryption for polynomialsized circuits. In Annual Cryptology Conference; Springer: Berlin/Heidelberg, Germany, 2016; pp. 3–32. [Google Scholar]
 Alagic, G.; Dulek, Y.; Schaffner, C.; Speelman, F. Quantum fully homomorphic encryption with verification. In International Conference on the Theory and Application of Cryptology and Information Security; Springer: Berlin/Heidelberg, Germany, 2017; pp. 438–467. [Google Scholar]
 Liang, M. Quantum fully homomorphic encryption scheme based on universal quantum circuit. Quantum Inf. Process. 2015, 14, 2749–2759. [Google Scholar] [CrossRef][Green Version]
 Ouyang, Y.; Tan, S.H.; Fitzsimons, J. Quantum homomorphic encryption from quantum codes. arXiv 2015, arXiv:1508.00938. [Google Scholar] [CrossRef][Green Version]
 Tan, S.H.; Kettlewell, J.A.; Ouyang, Y.; Chen, L.; Fitzsimons, J.F. A quantum approach to homomorphic encryption. Sci. Rep. 2016, 6, 33467. [Google Scholar] [CrossRef] [PubMed][Green Version]
 Lai, C.Y.; Chung, K.M. On statisticallysecure quantum homomorphic encryption. arXiv 2017, arXiv:1705.00139. [Google Scholar]
 Mantri, A.; PérezDelgado, C.A.; Fitzsimons, J.F. Optimal blind quantum computation. Phys. Rev. Lett. 2013, 111, 230502. [Google Scholar] [CrossRef][Green Version]
 Giovannetti, V.; Maccone, L.; Morimae, T.; Rudolph, T.G. Efficient universal blind quantum computation. Phys. Rev. Lett. 2013, 111, 230501. [Google Scholar] [CrossRef][Green Version]
 Armknecht, F.; Gagliardoni, T.; Katzenbeisser, S.; Peter, A. General impossibility of group homomorphic encryption in the quantum world. In International Workshop on Public Key Cryptography; Springer: Berlin/Heidelberg, Germany, 2014; pp. 556–573. [Google Scholar]
 Yu, L.; PérezDelgado, C.A.; Fitzsimons, J.F. Limitations on informationtheoreticallysecure quantum homomorphic encryption. Phys. Rev. A 2014, 90, 050303. [Google Scholar] [CrossRef][Green Version]
 Aaronson, S.; Cojocaru, A.; Gheorghiu, A.; Kashefi, E. ComplexityTheoretic Limitations on Blind Delegated Quantum Computation. In Proceedings of the 46th International Colloquium on Automata, Languages, and Programming (ICALP 2019), Patras, Greece, 8–12 July 2019. [Google Scholar]
 Newman, M.; Shi, Y. Limitations on Transversal Computation through Quantum Homomorphic Encryption. arXiv 2017, arXiv:1704.07798. [Google Scholar]
 Mantri, A.; Demarie, T.F.; Menicucci, N.C.; Fitzsimons, J.F. Flow ambiguity: A path towards classically driven blind quantum computation. Phys. Rev. X 2017, 7, 031004. [Google Scholar] [CrossRef][Green Version]
 Mahadev, U. Classical Homomorphic Encryption for Quantum Circuits. In Proceedings of the 59th IEEE Annual Symposium on Foundations of Computer Science (FOCS 2018), Paris, France, 7–9 October 2018; Thorup, M., Ed.; IEEE Computer Society: Washington, DC, USA, 2018; pp. 332–338. [Google Scholar]
 Brakerski, Z. Quantum FHE (Almost) As Secure As Classical. In Advances in Cryptology—CRYPTO 2018; Springer International Publishing: Cham, Switzerland, 2018; pp. 67–95. [Google Scholar]
 Badertscher, C.; Cojocaru, A.; Colisson, L.; Kashefi, E.; Leichtle, D.; Mantri, A.; Wallden, P. Security Limitations of ClassicalClient Delegated Quantum Computing. In Advances in Cryptology—ASIACRYPT 2020; Springer: Berlin/Heidelberg, Germany, 2020. [Google Scholar] [CrossRef]
 Broadbent, A.; Fitzsimons, J.; Kashefi, E. Universal blind quantum computation. In Proceedings of the 50th Annual Symposium on Foundations of Computer Science (FOCS ’09), Atlanta, GA, USA, 25–27 October 2009; IEEE Computer Society: Washington, DC, USA, 2009; pp. 517–526. [Google Scholar] [CrossRef][Green Version]
 Cojocaru, A.; Colisson, L.; Kashefi, E.; Wallden, P. On the possibility of classical client blind quantum computing. arXiv 2018, arXiv:1802.08759. [Google Scholar]
 Cojocaru, A.; Colisson, L.; Kashefi, E.; Wallden, P. QFactory: ClassicallyInstructed Remote Secret Qubits Preparation. In Advances in Cryptology—ASIACRYPT 2019; Galbraith, S.D., Moriai, S., Eds.; Springer International Publishing: Berlin/Heidelberg, Germany, 2019; pp. 615–645. [Google Scholar]
 Gheorghiu, A.; Vidick, T. ComputationallySecure and Composable Remote State Preparation. In Proceedings of the 2019 IEEE 60th Annual Symposium on Foundations of Computer Science (FOCS), Baltimore, MA, USA, 9–12 November 2019; pp. 1024–1033. [Google Scholar]
 Zhang, J. Succinct Blind Quantum Computation Using a Random Oracle. arXiv 2020, arXiv:2004.12621. [Google Scholar]
 Pirandola, S.; Andersen, U.L.; Banchi, L.; Berta, M.; Bunandar, D.; Colbeck, R.; Englund, D.; Gehring, T.; Lupo, C.; Ottaviani, C.; et al. Advances in quantum cryptography. Adv. Opt. Photon. 2020, 12, 1012–1236. [Google Scholar] [CrossRef][Green Version]
 Wallden, P.; Kashefi, E. Cyber Security in the Quantum Era. Commun. ACM 2019, 62, 120. [Google Scholar] [CrossRef][Green Version]
 Brakerski, Z.; Christiano, P.; Mahadev, U.; Vazirani, U.; Vidick, T. Certifiable Randomness from a Single Quantum Device. arXiv 2018, arXiv:1804.00640. [Google Scholar]
 Freeman, D.M.; Goldreich, O.; Kiltz, E.; Rosen, A.; Segev, G. More constructions of lossy and correlationsecure trapdoor functions. In International Workshop on Public Key Cryptography; Springer: Berlin/Heidelberg, Germany, 2010; pp. 279–295. [Google Scholar]
 Fitzsimons, J.F.; Kashefi, E. Unconditionally verifiable blind computation. arXiv 2012, arXiv:1203.5217. [Google Scholar]
 Broadbent, A. How to Verify a Quantum Computation. arXiv 2015, arXiv:1509.09180. [Google Scholar]
 Ferracin, S.; Kapourniotis, T.; Datta, A. Towards minimising resources for verification of quantum computations. arXiv 2017, arXiv:1709.10050. [Google Scholar]
 Bennett, C.H.; Brassard, G. Quantum cryptography: Public key distribution and coin tossing. Theor. Comput. Sci. 2014, 560, 7–11. [Google Scholar] [CrossRef]
 Bozzio, M.; Orieux, A.; Vidarte, L.T.; Zaquine, I.; Kerenidis, I.; Diamanti, E. Experimental investigation of practical unforgeable quantum money. Npj Quantum Inf. 2018, 4, 5. [Google Scholar] [CrossRef][Green Version]
 Pappa, A.; Chailloux, A.; Diamanti, E.; Kerenidis, I. Practical quantum coin flipping. Phys. Rev. A 2011, 84, 052305. [Google Scholar] [CrossRef][Green Version]
 Wallden, P.; Dunjko, V.; Kent, A.; Andersson, E. Quantum digital signatures with quantumkeydistribution components. Phys. Rev. A 2015, 91, 042304. [Google Scholar] [CrossRef][Green Version]
 Kashefi, E.; Wallden, P. Garbled Quantum Computation. Cryptography 2017, 1, 6. [Google Scholar] [CrossRef][Green Version]
 Kashefi, E.; Music, L.; Wallden, P. The Quantum CutandChoose Technique and Quantum TwoParty Computation. arXiv 2017, arXiv:1703.03754. [Google Scholar]
 Kashefi, E.; Pappa, A. Multiparty Delegated Quantum Computing. Cryptography 2017, 1, 12. [Google Scholar] [CrossRef][Green Version]
 Broadbent, A.; Gutoski, G.; Stebila, D. Quantum OneTime Programs. In Advances in Cryptology—CRYPTO 2013; Canetti, R., Garay, J., Eds.; Lecture Notes in Computer Science; Springer: Berlin/Heidelberg, Germany, 2013; Volume 8043, pp. 344–360. [Google Scholar] [CrossRef][Green Version]
 Ciampi, M.; Cojocaru, A.; Kashefi, E.; Mantri, A. Secure Quantum TwoParty Computation: Impossibility and Constructions. arXiv 2020, arXiv:2010.07925. [Google Scholar]
 Goldreich, O.; Levin, L.A. A Hardcore Predicate for All Oneway Functions. In Proceedings of the TwentyFirst Annual ACM Symposium on Theory of Computing (STOC ’89), Washington, DC, USA, 15–17 May 1989; ACM: New York, NY, USA, 1989; pp. 25–32. [Google Scholar] [CrossRef]
 Vazirani, U.V.; Vazirani, V.V. Efficient and Secure PseudoRandom Number Generation (Extended Abstract). In Advances in Cryptology; Blakley, G.R., Chaum, D., Eds.; Springer: Berlin/Heidelberg, Germany, 1985; pp. 193–202. [Google Scholar]
 Micciancio, D.; Peikert, C. Trapdoors for Lattices: Simpler, Tighter, Faster, Smaller. In Advances in Cryptology—EUROCRYPT 2012; Pointcheval, D., Johansson, T., Eds.; Springer: Berlin/Heidelberg, Germany, 2012; pp. 700–718. [Google Scholar]
 Katz, J.; Lindell, Y. Introduction to Modern Cryptography, 2nd ed.; Chapman & Hall/CRC: Boca Raton, FL, USA, 2014. [Google Scholar]
 Regev, O. On Lattices, Learning with Errors, Random Linear Codes, and Cryptography. In Proceedings of the ThirtySeventh Annual ACM Symposium on Theory of Computing (STOC ’05), Baltimore, MD, USA, 22–24 May 2005; ACM: New York, NY, USA, 2005; pp. 84–93. [Google Scholar] [CrossRef]
 Peikert, C. Publickey Cryptosystems from the Worstcase Shortest Vector Problem: Extended Abstract. In Proceedings of the FortyFirst Annual ACM Symposium on Theory of Computing (STOC ’09), Bethesda, MD, USA, 31 May–2 June 2009; ACM: New York, NY, USA, 2009; pp. 333–342. [Google Scholar] [CrossRef][Green Version]
 Aaronson, S. Quantum computing, postselection, and probabilistic polynomialtime. Proc. R. Soc. Lond. Ser. A 2005, 461, 3473–3482. [Google Scholar] [CrossRef][Green Version]
 Greenberger, D.M.; Horne, M.A.; Zeilinger, A. Going beyond Bell’s theorem. In Bell’s Theorem, Quantum Theory and Conceptions of the Universe; Springer: Berlin/Heidelberg, Germany, 1989; pp. 69–72. [Google Scholar]
 Vaikuntanathan, V. Advanced Topics in Cryptography: Lattices. Available online: https://people.csail.mit.edu/vinodv/6876Fall2015/L13.pdf (accessed on 7 December 2018).
Publisher’s Note: MDPI stays neutral with regard to jurisdictional claims in published maps and institutional affiliations. 
© 2021 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/).
Share and Cite
Cojocaru, A.; Colisson, L.; Kashefi, E.; Wallden, P. On the Possibility of Classical Client Blind Quantum Computing. Cryptography 2021, 5, 3. https://doi.org/10.3390/cryptography5010003
Cojocaru A, Colisson L, Kashefi E, Wallden P. On the Possibility of Classical Client Blind Quantum Computing. Cryptography. 2021; 5(1):3. https://doi.org/10.3390/cryptography5010003
Chicago/Turabian StyleCojocaru, Alexandru, Léo Colisson, Elham Kashefi, and Petros Wallden. 2021. "On the Possibility of Classical Client Blind Quantum Computing" Cryptography 5, no. 1: 3. https://doi.org/10.3390/cryptography5010003