A Distributed Architecture for Secure Delegated Quantum Computation

Abstract

In this paper, we propose a distributed secure delegated quantum computation protocol, by which an almost classical client can delegate a $\left(dk\right)$-qubit quantum circuit to d quantum servers, where each server is equipped with a $2k$-qubit register that is used to process only k qubits of the delegated quantum circuit. None of servers can learn any information about the input and output of the computation. The only requirement for the client is that he or she has ability to prepare four possible qubits in the state of $(|0⟩+e^{i\theta }|1⟩)/\sqrt{2}$, where $\theta \in \{0,\pi /2,\pi ,3\pi /2\}$. The only requirement for servers is that each pair of them share some entangled states $(|0⟩|+⟩+|1⟩|-⟩)/\sqrt{2}$ as ancillary qubits. Instead of assuming that all servers are interconnected directly by quantum channels, we introduce a third party in our protocol that is designed to distribute the entangled states between those servers. This would simplify the quantum network because the servers do not need to share a quantum channel. In the end, we show that our protocol can guarantee unconditional security of the computation under the situation where all servers, including the third party, are honest-but-curious and allowed to cooperate with each other.

1. Introduction

Quantum computing has been extensively studied from theory to practice [1,2]. It is widely accepted that noisy intermediate-scale quantum (NISQ) computers may be available in the coming decades [3]. However, the limited quantum memory of NISQ devices means that they may not have the capability to deal with large-scale quantum information processing. This is obviously a severe constraint, as many practical problems, e.g., machine learning, usually require immense memory overhead. A feasible way to overcome this obstacle is to utilize distributed architecture for quantum computations [4]. That is, using a group of small-scale quantum computers interconnected by classical and quantum networks to implement large-scale quantum computation tasks. However, considering the tremendous cost of building a quantum computer, it is not likely that ordinary consumers will be able to afford an NISQ computer in the foreseeable future. In fact, it is widely believed that the role of quantum computers is similar to today’s classical supercomputers, which means only a few organizations or enterprises can have quantum computers at their disposal. Thus, for ordinary customers, a better way to access quantum computers is to delegate their computations to the companies that offer quantum computing as cloud services. Indeed, this computation pattern has been applied in today’s Internet, e.g., IBM Quantum platform [5].

Delegated quantum computation is actually closely related to distributed quantum computation [4]. The client-to-server pattern in delegated computation naturally belongs to the category of distributed quantum computation. A class of delegated quantum computation protocols are constructed under the framework of measurement-based quantum computation (MBQC) [6,7,8], which is driven by a sequence of single-qubit measurements on some specific entangled state, where the entangled resource is also a basic module in the distributed quantum computation. Another class of delegated quantum computation protocols are obtained using the technique quantum computing on encrypted data (QCED) [9] or quantum homomorphic encryption (QHE) [10]. Although QCED and QHE are distinct concepts, the basic idea behind them is identical. Both of them use the quantum one-time pad to encrypt the input and output states but use different the methods to achieve the non-Clifford gates. Nevertheless, most schemes use the entangled states as the ancillary resources, for example [10,11,12].

Both distributed quantum computation and delegated quantum computation have been investigated broadly; see references [13,14,15,16,17,18,19,20,21] and [6,11,22,23,24,25,26,27,28], respectively. Typically, the distributed architecture for quantum computation makes use of photons as flying qubits between computational nodes, where each node is equipped with a quantum computer. The flying qubits are usually used to generate entangle states between distinct servers (i.e., nodes). By means of quantum entanglement, the non-local operations, such as controlled-NOT gate, can be done between two distant servers. Note that the quantum computer in each server is not necessarily an optical quantum computer; it can be made up of some other quantum system [29], such as ion traps or cloud atoms. Related experiments have been successfully demonstrated (see references [30,31]). Recently, researchers also investigated the possibility of simulating large-scale quantum systems in a hybrid quantum-classical manner [32]. That is, using a classical computer combined with a small quantum computer to simulate a large quantum computer [33]. However, the computational model considered in [32,33] is slightly different from the traditional model of circuit-based quantum computation. In this paper, we will not consider the method in [32], but rather the quantum entanglement to implement the non-local operation. In general, delegated quantum computation refers specifically to the secure delegated quantum computation (SDQC), which requires that no one except the client can obtain the right input and output of the computation. Typically, the client is required to have some basic quantum capacities, for example, preparing some single qubits or performing single-qubit measurements. In [34], the authors proposed a more rigorous SDQC protocol, which they called universal blind quantum computation (UBQC). The new protocol can guarantee that not only the input and output but also the computation itself, i.e., the algorithm, are unknown to the server. Although it seems that UBQC is more secure than SDQC, they are equivalent. That is, SDQC can be converted into UBQC [35]. As delegated quantum computation protocols effectively release the quantum resources in the client side, related experimental demonstrations have rapidly been implemented using the linear optics components (see References [9,25,36,37]).

Based on the above observations, in this paper we formally propose a distributed secure delegated quantum computation protocol that allows a half-classical client who can only prepare special single qubits to implement a large-scale quantum circuit on several quantum servers interconnected by entangled channels. Each server only has a limited quantum memory so that it can only compute a fraction of the delegated circuit. Moreover, during the computation, servers get nothing about the input and output of the computation. We also give a detailed security proof for our protocol. The rest of this paper is organized as follows. Section 2 introduces some basic preliminaries and notation. Section 3 presents the basic modules for delegated quantum computation. Section 4 gives the complete distributed delegated quantum computation protocol. Section 5 analyzes the security of our protocol. The last section discusses some remaining problems in our work.

2. Preliminaries and Notation

We assume that readers are familiar with the basics of quantum computation. In this work, we will use the following basic quantum gates:

$$\begin{array}{c}Z|s\rangle =e^{is\pi }|s\rangle ,\end{array}$$

(1)

$$\begin{array}{c}X|s\rangle =|s\oplus 1\rangle ,\end{array}$$

(2)

$$\begin{array}{c}H|s\rangle =\frac{1}{\sqrt{2}}\left(|0\rangle +e^{is\pi }|1\rangle \right),\end{array}$$

(3)

$$\begin{array}{c}P|s\rangle =e^{i\frac{s}{2}\pi }|s\rangle ,\end{array}$$

(4)

$$\begin{array}{c}T|s\rangle =e^{i\frac{s}{4}\pi }|s\rangle ,\end{array}$$

(5)

$$\begin{array}{c}CZ|s,t\rangle =e^{ist\pi }|s,t\rangle ,\end{array}$$

(6)

where $s,t\in \{0,1\}$ and $i=\sqrt{-1}$; P and T refer to the phase gate and the $\pi /8$ gate, respectively; and $CZ$ denotes the controlled-Z gate. In order to analyze conveniently, we also introduce the Z-rotation operator defined as follows:

$$R_z\left(\alpha \right)=\left(\begin{array}{cc}{e}^{-i\frac{\alpha }{2}}& 0\\ 0& e^{i\frac{\alpha }{2}}\end{array}\right),$$

(7)

where $\alpha \in [0,2\pi )$ is referred as the rotation angle. Regardless of the global phases, we can see that $Z\equiv R_z\left(\pi \right)$, $P\equiv R_z\left(\frac{\pi }{2}\right)$, and $T\equiv R_z\left(\frac{\pi }{4}\right)$. We use $|{+}_{\phi }\rangle$ to denote the following single qubit:

$$|{+}_{\phi }\rangle =\frac{|0\rangle +e^{i\phi \pi }|1\rangle }{\sqrt{2}},$$

(8)

where we consider $\phi \in [0,2\pi )$. It is clear that, up to an unimportant global phase, $R_z\left(\alpha \right)|{+}_{\phi }\rangle \equiv |{+}_{(\phi +\alpha )}\rangle$. Thus, $\phi$ is also called as the rotation angle. By this definition, we can see that $|+\rangle =|{+}_0\rangle$ and $|-\rangle =|{+}_{\pi }\rangle$. Note that for any $\theta \in [0,2\pi )$ the states $|{+}_{\theta }\rangle$ and $|{+}_{(\theta +\pi )}\rangle$ comprise a basis, thus we can define a single-qubit measurement operator as follows:

$$M\left(\theta \right)=\sum _{s\in \{0,1\}}{(-1)}^s|{+}_{(\theta +s\pi )}\rangle \langle {+}_{(\theta +s\pi )}|,$$

(9)

where $\theta$ is referred as the measurement angle in this case, and $s\in \{0,1\}$ denotes the classical measurement outcome. Specifically, $s=0$ if the post-measurement state is $|{+}_{\theta }\rangle$, otherwise $s=1$. Finally, in this work we will also use a special two-qubit entangled state defined as follows:

$$|H\rangle =\frac{|0\rangle |+\rangle +|1\rangle |-\rangle }{\sqrt{2}},$$

(10)

which can be prepared by applying a $CZ$ gate on two qubits $|+\rangle |+\rangle$.

3. Secure Delegated Quantum Computation

In this work, the delegated quantum computation model we adopt is from [38], in which the authors improved the original QCED protocol [11] in two aspects. First, the quantum capacities of clients are further reduced. In theory, they only need to prepare the qubits $|{+}_{\phi }\rangle$, where $\phi \in \{0,\frac{\pi }{2},\pi ,\frac{3\pi }{2}\}$. Second, the security of the protocol can be still guaranteed even if some information is leaked to servers.

First of all, we specify that the client’s input is encoded in X basis. That is, encoding 0 and 1 as $|+\rangle$ and $|-\rangle$, respectively. Let $x=x_1{x}_2\cdots x_n\in {\{0,1\}}^n$ be the n-bit classical input string, then the corresponding encoded input state can be expressed as $|{+}_{x\pi }\rangle \equiv |{+}_{x_1\pi }\rangle |{+}_{x_2\pi }\rangle \cdots |{+}_{x_n\pi }\rangle$. For simplicity, we abbreviate $|{+}_{x\pi }\rangle$ as $|{+}_x\rangle$. The universal gate set we consider is $\mathbb{U}=\{X,Z,P,T,H,CZ\}$. Note that this gate set is not minimal because $X,Z$, and P can be obtained from $\{T,H\}$. Despite that, additional basic gates can effectively decrease the circuit complexity.

Now suppose the client’s input state is $|{+}_x\rangle$, where $x\in {\{0,1\}}^n$. In [38], the client uses the random operator $X_i^{a_i}{Z}_i^{b_i}{P}_i^{c_i}$ to encrypt each qubit $|{+}_{x_i}\rangle$, where $x_i\in \{0,1\}$, and $a_i,b_i,c_i\in \{0,1\}$ are referred as the encryption keys, and for any operator U we define $U^0=I$ and $U^1=U$. The subscript i in $X_i,Z_i$, and $P_i$ is used to denote that the corresponding gate is applied on the ith qubit (hereinafter referred to as qubit i). Similarly, the subscript i in $a_i,b_i,c_i$ is used to denote that the corresponding encryption keys are related to qubit i. We can check that this encryption scheme is a quantum one-time pad (see Equation (11)), thus it provides an information-theoretical security for any qubit $\rho$.

$$\frac{1}{4}\sum _{a,b,c\in \{0,1\}}{X}^a{Z}^b{P}^c\rho P^{3c}{Z}^b{X}^a=\frac{I}{2}.$$

(11)

In theory, to achieve this encryption, the client needs to perform random gates $P^c$, $Z^b$, and $X^a$ on the state $\rho$ in sequence. However, for the qubit $|{+}_{x_i}\rangle$, it can be easily verified that

$$X^{a_i}{Z}^{b_i}{P}^{c_i}|{+}_{x_i}\rangle \equiv |{+}_{{\phi }_i}\rangle ,$$

(12)

where ${\phi }_i={(-1)}^{a_i}(x_i+b_i+\frac{c_i}{2})\pi mod2\pi \in \{0,\frac{\pi }{2},\pi ,\frac{3\pi }{2}\}$. Thus, instead of preparing $|{+}_{x_i}\rangle$ then encrypting it by $X_i^{a_i}{Z}_i^{b_i}{P}_i^{c_i}$, the client can directly generate the encrypted qubit. Specifically, given the ith input bit $x_i\in \{0,1\}$, the client randomly chooses the corresponding encryption keys $a_i,b_i,c_i\in \{0,1\}$, then computes the value ${\phi }_i={(-1)}^{a_i}(x_i+b_i+\frac{c_i}{2})\pi mod2\pi$. Finally, the client prepares the qubit $|{+}_{{\phi }_i}\rangle$ as the encrypted qubit i.

After preparing all encrypted input qubits, the client sends them to the server. The server then performs the delegated quantum circuit U on the encrypted qubits. Here, the circuit U is known to both client and server (they can negotiate in advance via a classical channel). We assume that this circuit has been decomposed into a sequence of basic gates from the gate set $\mathbb{U}$. That is, $U=U_m{U}_{m-1}\cdots U_2{U}_1$, where each $U_i\in \mathbb{U}$ and the positive integer number m is the total number of gates. The following identities, which all hold up to an irrelevant global phase, can be easily verified.

$$\begin{array}{c}{X}_i\left(X_i^{a_i}{Z}_i^{b_i}{P}_i^{c_i}\right)\equiv \left(X_i^{a_i}{Z}_i^{b_i\oplus c_i}{P}_i^{c_i}\right)X_i,\end{array}$$

(13)

$$\begin{array}{c}{Z}_i\left(X_i^{a_i}{Z}_i^{b_i}{P}_i^{c_i}\right)\equiv \left(X_i^{a_i}{Z}_i^{b_i}{P}_i^{c_i}\right)Z_i,\end{array}$$

(14)

$$\begin{array}{c}{P}_i\left(X_i^{a_i}{Z}_i^{b_i}{P}_i^{c_i}\right)\equiv \left(X_i^{a_i}{Z}_i^{a_i\oplus b_i}{P}_i^{c_i}\right)P_i,\end{array}$$

(15)

$$\begin{array}{c}{T}_i\left(X_i^{a_i}{Z}_i^{b_i}{P}_i^{c_i}\right)\equiv \left(X_i^{a_i}{Z}_i^{a_i\oplus b_i\oplus \left(a_i{c}_i\right)}{P}_i^{a_i\oplus c_i}\right)T_i,\end{array}$$

(16)

$$\begin{array}{c}C{Z}_{i,j}\left(X_i^{a_i}{Z}_i^{b_i}{P}_i^{c_i}{X}_j^{a_j}{Z}_j^{b_j}{P}_j^{c_j}\right)\equiv \left(X_i^{a_i}{Z}_i^{a_j\oplus b_i}{P}_i^{c_i}{X}_j^{a_j}{Z}_j^{a_i\oplus b_j}{P}_j^{c_j}\right)C{Z}_{i,j},\end{array}$$

(17)

It follows from Equations (13)–(17) that the basic gates $X,Z,P,T,CZ$ are commutable with the encryption operator $X^a{Z}^b{P}^c$, although the encryption keys may need to be updated. For example, Equation (13) indicates that performing an $X_i^{a_i}{Z}_i^{b_i}{P}_i^{c_i}$ followed by an $X_i$ is equivalent to performing an $X_i$ followed by an $X_i^{a_i}{Z}_i^{b_i\oplus c_i}{P}_i^{c_i}$. Thus, the client only needs to update the value of $b_i$ such that $b_i:=b_i\oplus c_i$. The cases for $Z_i,P_i,T_i$, and $C{Z}_{i,j}$ follow the same reason. The related updating rules of encryption keys are shown in Equations (14)–(17). Note, however, that the commutativity noted above is not suited for the Hadamard gate H, as there is no $H{P}^c\equiv P^{c^{\prime }}H$ for any $c,c^{\prime }\in \{0,1\}$. In [38], the authors proposed a quantum teleportation scheme that they called the H-gadget (see Figure 1) so as to implement the H gate in a similar manner. Specifically, the client needs to prepare two ancillary qubits $|{+}_{{\alpha }_i}\rangle ,|{+}_{{\beta }_i}\rangle$ and a measurement angle ${\theta }_i$, where ${\alpha }_i$ and ${\beta }_i$ are chosen randomly, whereas ${\theta }_i$ can be determined by the following way.

Note that for any ${\alpha }_i,{\beta }_i\in \{0,\frac{\pi }{2},\pi ,\frac{3\pi }{2}\}$, we can express them uniquely as follows:

$${\alpha }_i=(d_i+\frac{e_i}{2})\pi ,{\beta }_i=(f_i+\frac{g_i}{2})\pi ,$$

(18)

where $d_i,e_i,f_i,g_i\in \{0,1\}$. Thus, the client can first generate random bits $d_i,e_i,f_i,g_i$ then compute the values of ${\alpha }_i$ and ${\beta }_i$. To determine ${\theta }_i$, the client generates a random bit, denoted by $h_i\in \{0,1\}$, then computes ${\theta }_i$ such that

$${\theta }_i=[h_i\oplus b_i\oplus d_i\oplus \left(a_i{c}_i\right)\oplus \left(s_i{c}_i\right)\oplus \left(c_i{e}_i\right)]\pi +\frac{c_i\oplus e_i}{2}\pi .$$

(19)

Note also that ${\theta }_i$ is relevant to the measurement outcome $s_i$, which means it can be determined until the client obtains the first measurement outcome $s_i$ from the server. Nevertheless, in theory, all qubits including ancillary qubits can be sent to the server before the computation begins. Thus, the complete procedure is classically interactive. Finally, the updating rule for H is shown as follows:

$$a_i^{\prime }=s_i^{\prime }\oplus h_i,b_i^{\prime }=a_i\oplus s_i\oplus f_i\oplus \left[g_i(s_i^{\prime }\oplus h_i)\right],c_i^{\prime }=g_i,$$

(20)

where $a_i^{\prime },b_i^{\prime },c_i^{\prime }$ denote the updated encryption keys related to qubit i. The correctness of the H-gadget is given in the Appendix A. The detailed security proof of the protocol can be found in [38].

4. Distributed Architecture for Secure Delegated Quantum Computations

In this section, we give a simple scheme to implement the non-local $CZ$ gate between two quantum servers. Our method uses the entangled state $|H\rangle$ (see Equation (10) for its definition) as ancillary qubits. The similar schemes have been studied intensively, for example, in [39,40]. The basic circuit is shown in Figure 2a. In the following content, we first verify the circuit identity shown in Figure 2, then, based on this circuit identity, we construct a distributed architecture for secure delegated quantum computations.

We start with a circuit named X-teleportation [40] (see Figure 3a), which is easy to verify.

First, we substitute a $CZ$ and two H gates for the $CX$ gate, obtaining the equivalent circuit, as shown in Figure 3b. We then convert the measurement basis from Z to X by the following identity (see Figure 4), which is also easy to verify. Finally, we obtain a variant of the X-teleportation that consists of $H,CZ$, and X-basis measurement, as shown in Figure 5.

We now turn back to Figure 2a. Note first that the $CZ$ gate commutes with itself, thus the circuit can be reorganized, as in Figure 6a. Obviously, the partial circuits in the red-dotted line and blue-dotted line boxes are exactly the same circuit as the one in Figure 5, where $X=M\left(0\right)$. Therefore, we can see that, after measuring qubits $i,j$, the rest qubits and the rest $CZ$ gate comprise the circuit as, in Figure 6b. Finally, we use the following identity to exchange the positions of X and $CZ$, which can be easily verified:

$$CZ·(X^s\otimes I)=(X^s\otimes Z^s)·CZ,$$

(21)

where $s\in \{0,1\}$. Substituting the above identity in Figure 6b and considering the symmetry of $CZ$ gate, we immediately obtain the desired circuit, as shown in Figure 2b.

Considering the encryption operators $X_i^{a_i}{Z}_i^{b_i}{P}_i^{c_i}$ and $X_j^{a_j}{Z}_j^{b_j}{P}_j^{c_j}$ on qubits i and j, we can see from Figure 6b that the non-local $CZ$ can be thought to be performed on qubits $i,j$, which are encrypted by $X_i^{a_i\oplus s_i}{Z}_i^{b_i}{P}_i^{c_i}$ and $X_j^{a_j\oplus s_j}{Z}_j^{b_j}{P}_j^{c_j}$, thus according to the updating rule shown in Equation (17), we immediately obtain the updating rule of the non-local $CZ$ gate as follows:

$$\left\{\begin{array}{c}{a}_i^{\prime }=a_i\oplus s_i,\hfill \\ b_i^{\prime }=a_j\oplus s_j\oplus b_i,\hfill \\ c_i^{\prime }=c_i,\hfill \end{array}\right.\left\{\begin{array}{c}{a}_j^{\prime }=a_j\oplus s_j,\hfill \\ b_j^{\prime }=a_i\oplus s_i\oplus b_j,\hfill \\ c_j^{\prime }=c_j.\hfill \end{array}\right.$$

(22)

Based on the above analysis, we construct a distributed architecture for secure delegated quantum computation, where a classical client equipped with some qubit generator can delegate an n-qubit circuit to d small-scale quantum servers. Without loss of generality, we assume that $n=dk$. In this configuration, each server typically needs a $2k$-qubit register to process k input qubits of the n-qubit circuit. That is, for each qubit in the n-qubit circuit, the server needs a 2-qubit register to simulate it. To make sure $2k<n$, it requires that $d>2$. We show this distributed architecture in Figure 7. Note that there is a special third party in this distributed architecture, which is used to generate and distribute entangled states $|H\rangle$ between all quantum servers. Thus, all servers do not need to be interconnected directly by a quantum (even classical) channel, as there is no information exchange between servers during the computation.

We give the complete procedure of the protocol in terms of pseudo-code (see Algorithms  1–3). For simplicity, we use $\mathcal{C}$ and ${\left\{{\mathcal{S}}_q\right\}}_{q=1}^d$ to denote the client and d servers, respectively. That is, the qth quantum server is referred to as ${\mathcal{S}}_q$. As noted, each server only processes k input qubits of the n-qubit delegated circuit. More specifically, for ${\mathcal{S}}_q$, it only processes the qubits indexed by $(q-1)k+1,(q-1)k+2,\cdots ,qk$. Thus, in the case of no confusion, we also use ${\mathcal{S}}_q=\{(q-1)k+1,(q-1)k+2,\cdots ,qk\}$ to denote the corresponding qubits. In addition, the delegated circuit U is formally expressed as $U=U_m^{p_m}{U}_{m-1}^{p_{m-1}}\cdots U_1^{p_1}$, where $p_i\subset \{1,2,\cdots ,n\}$ denotes the qubits on which the basic gate $U_i$ is exerted. For example, if $U_i^{p_i}$ is a $CZ$ gate on qubits k and l, then $p_i=\{k,l\}$. By this definition, we can see that there must be $p_i\subset {\mathcal{S}}_q$ if $U_i^{p_i}$ is a local gate in ${\mathcal{S}}_q$, otherwise it only can be $p_i\subset {\mathcal{S}}_q\cup {\mathcal{S}}_{q^{\prime }}$ for some ${\mathcal{S}}_q$ and ${\mathcal{S}}_{q^{\prime }}$.

Algorithm 1 Distributed Secure Delegated Quantum Computations

Input:  $x=x_1{x}_2\cdots x_n$                  $//$ private against all ${\mathcal{S}}_q$ $U=U_m^{p_m}{U}_{m-1}^{p_{m-1}}\cdots U_1^{p_1}$         $//$ public for $\mathcal{C}$ and all ${\mathcal{S}}_q$ Output:  $y=y_1{y}_2\cdots y_n$                $//$ private against all ${\mathcal{S}}_q$ 1: $\mathcal{C}$ generates $a,b,c{\leftarrow }_R{\{0,1\}}^n$ and computes rotation angles $({\phi }_1,\cdots ,{\phi }_n)$ according to Equation (12), then prepares $|{+}_{{\phi }_1}\rangle \cdots |{+}_{{\phi }_n}\rangle$ as the encrypted input state, finally sends the qubits $(q-1)k+1,q(k-1)+2,\cdots ,qk$ to ${\mathcal{S}}_q$ where $q=1,2,\cdots ,d$. Specifically, $\mathcal{C}$ sends the qubits $1,2,\cdots ,k$ to ${\mathcal{S}}_1$ then sends the qubits $k+1,k+2,\cdots ,2k$ to ${\mathcal{S}}_2$, and so on 2: for$i\leftarrow 1,m$do 3:  if $U_i^{p_i}\in \{X,Z,P,T,H\}$ and $p_i\subset {\mathcal{S}}_q$ for some $q\in \{1,2,\cdots ,d\}$ then 4:   if $U_i^{p_i}$ is not H then 5:    ${\mathcal{S}}_q$ performs $U_i^{p_i}$ on qubit $p_i$ while $\mathcal{C}$ updates the encryption keys of this qubit according to the updating rules shown in Equations (13)–(16) 6:   else 7:    $\mathcal{C}$ calls the procedure Hadamard($p_i,q$) (See Algorithm 2) 8:   end if 9:  else           $//$ $U_i^{p_i}$ is a $CZ$ gate on qubits $p_i$ 10:   if $p_i\subset {\mathcal{S}}_q$ for some $q\in \{1,2,\cdots ,d\}$ then 11:    ${\mathcal{S}}_q$ performs $U_i^{p_i}$ on qubits $p_i$ while $\mathcal{C}$ updates the encryption keys of those qubits according to the updating rule shown in Equation (17) 12:   else        $//$ $p_i\subset {\mathcal{S}}_q\cup {\mathcal{S}}_{q^{\prime }}$ for some $q,q^{\prime }\in \{1,2,\cdots ,d\}$ 13:    $\mathcal{C}$ calls the procedure Nonlocal-CZ($p_i,q,q^{\prime }$) (See Algorithm 3) 14:   end if 15:  end if 16: end for 17: Each server measures the final k qubits in Z basis, then sends the measurement outcomes to $\mathcal{C}$         $//$ let $\tilde{y}\in {\{0,1\}}^n$ be the result collected from all servers 18: $\mathcal{C}$ computes the output $y=\tilde{y}\oplus a$.         $//$ a is the X encryption keys of the final state

Algorithm 2 Implement an H gate on qubit i where i is in ${\mathcal{S}}_q$

1: procedureHadamard($i,q$)    $//$ qubit i is encrypted by $X^{a_i}{Z}^{b_i}{P}^{c_i}$ 2:  $\mathcal{C}$ generates $d_i,e_i{\leftarrow }_R\{0,1\}$ and computes the angle ${\alpha }_i$ according to Equation (18), then prepares and sends the ancillary qubit $|{+}_{{\alpha }_i}\rangle$ to ${\mathcal{S}}_q$ 3:  ${\mathcal{S}}_q$ performs $H_i$ and $CZ$ gates on qubit i and $|{+}_{{\alpha }_i}\rangle$, then measures qubit i and sends the measurement outcome $s_i$ to $\mathcal{C}$, finally labels the ancillary qubit as i 4:  $\mathcal{C}$ generates $f_i,g_i,h_i{\leftarrow }_R\{0,1\}$ and computes the angles ${\beta }_i$ and ${\theta }_i$ according to Equations (18) and (19), respectively, then prepares the ancillary qubit $|{+}_{{\beta }_i}\rangle$ and sends it with ${\theta }_i$ to ${\mathcal{S}}_q$ 5:  ${\mathcal{S}}_q$ performs a $CZ$ gate on qubit i and $|{+}_{{\beta }_i}\rangle$, then measures qubit i with $M\left({\theta }_i\right)$ and sends the measurement outcome $s_i^{\prime }$ to $\mathcal{C}$, finally labels the ancillary qubit as i 6:  $\mathcal{C}$ updates the encryption keys of qubit i according to Equation (20) 7: end procedure

Algorithm 3 Implement a nonlocal $CZ$ gate on qubits i and j where i is in ${\mathcal{S}}_q$ while j is in ${\mathcal{S}}_{q^{\prime }}$, that is, $\{i,j\}\subset {\mathcal{S}}_q\cup {\mathcal{S}}_{q^{\prime }}$

1: procedureNonlocal-CZ($\{i,j\},q,q^{\prime }$)   $//$ qubits i and j are encrypted by $X^{a_i}{Z}^{b_i}{P}^{c_i}$ and $X^{a_j}{Z}^{b_j}{P}^{c_j}$, respectively 2:  $\mathcal{C}$ delegates the third party to prepare an entangled state $|H\rangle$ and distribute it to ${\mathcal{S}}_q$ and ${\mathcal{S}}_{q^{\prime }}$, that is, each server holds one qubit of $|H\rangle$ as the ancillary qubit 3:  ${\mathcal{S}}_q$ (${\mathcal{S}}_{q^{\prime }}$) performs $H_i$ ($H_j$) and $CZ$ gates on qubit i (j) and its ancillary qubit, then measures qubit i (j) and sends the measurement outcome $s_i$ ($s_j$) to $\mathcal{C}$, finally labels its ancillary qubit as i (j) 4:  $\mathcal{C}$ updates the encryption keys of qubits i and j according to Equation (22) 5: end procedure

5. The Security of the Distributed Delegated Quantum Computation

We show that our protocol can guarantee the unconditional privacy of the input and output of the computation. We only consider that all servers and the third party who serves as an entanglement resource are honest-but-curious, which means they follow the algorithm honestly but try to obtain the information about the input and output. For example, they may record all classical information generated during the computation and cooperate with each other, even with the third party.

For the input, the conclusion is obvious as the client encrypts each input qubit by a quantum one-time pad. Therefore, to complete the proof, we only need to prove that the output state of the computation is also encrypted by a unbiased quantum one-time pad. In other words, there is no information leakage about the encryption keys during the computation. From the procedures of Algorithm 1, we can see that only when the client calls the procedures Hadamard and Nonlocal-CZ will there be an interaction between client and servers. In the other cases, the algorithm is non-interactive, which means there is no information leakage about the encryption keys from client to server as they do not exchange any information. Based on this observation, we infer that to prove the privacy we only need to analyze the procedures that implement the H and the nonlocal $CZ$ gates.

We first consider the procedure Hadamard($i,q$). In the following content, we use $\mathcal{S}$ to denote all servers including the untrusted third party. According to Algorithm 2, we can see that given the qubit i encrypted by $X^{a_i}{Z}^{b_i}{P}^{c_i}$ where $i\subset {\mathcal{S}}_q$, $\mathcal{S}$ controls two ancillary qubits $Z^{d_i}{P}^{e_i}|+\rangle$ and $Z^{f_i}{P}^{g_i}|+\rangle$, and receives a measurement angle ${\theta }_i$ from $\mathcal{C}$, it also generates two measurement outcomes $s_i,s_i^{\prime }\in \{0,1\}$ from two independent measurements. We can infer from the below state evolution that the measurement outcomes $s_i,s_i^{\prime }$ are uniformly random, thus $\mathcal{S}$ can obtain no information gain about any encryption keys according to $s_i$ and $s_i^{\prime }$.

$$|\varphi \rangle |+\rangle \stackrel{H\otimes I}{\to }\left(H|\varphi \rangle \right)|+\rangle \stackrel{CZ}{\to }\frac{|+\rangle }{\sqrt{2}}|\varphi \rangle +\frac{|-\rangle }{\sqrt{2}}X|\varphi \rangle .$$

(23)

The only available information to $\mathcal{S}$ now is the measurement angle ${\theta }_i$. Let ${\theta }_i$ be $u_i\pi +\frac{v_i\pi }{2}$, where $u_i,v_i\in \{0,1\}$, then according to Equation (19), we know that $u_i$ and $v_i$ can be expressed as follows:

$$\begin{array}{cc}\hfill & u_i=h_i\oplus b_i\oplus d_i\oplus \left(a_i{c}_i\right)\oplus \left(s_i{c}_i\right)\oplus \left(c_i{e}_i\right),\hfill \end{array}$$

(24a)

$$\begin{array}{cc}\hfill & v_i=c_i\oplus e_i,\hfill \end{array}$$

(24b)

where $u_i,v_i$, and $s_i$ are known to $\mathcal{S}$. Intuitively, given $u_i,v_i$, and $s_i$, no server can determine the correct values of $a_i,b_i,c_i,d_i,e_i,h_i$, as there are six variables in two equations. Nevertheless, $\mathcal{S}$ may gain some information utilizing $u_i$ and $v_i$. For example, if $v_i=1$, then $\mathcal{S}$ can infer that $c_i{e}_i=0$. Substituting this into Equation (24a), $\mathcal{S}$ can obtain a simplified equality $u_i=h_i\oplus b_i\oplus d_i\oplus (a_i\oplus s_i)c_i$. Despite this fact, we can show that there is no information leakage about all variables from $a_i$ to $h_i$. That is, we prove that in the view of $\mathcal{S}$, the following equality holds true:

$$Pr\left[r_i\right|u_i,v_i]=Pr\left[r_i\right]=\frac{1}{2},$$

(25)

where the random variable $r_i$ represents the possible parameters $\{a_i,b_i,c_i,d_i,e_i,f_i,g_i,h_i\}$. To see that, we need to know the following simple facts.

First, if $x,y\in \{0,1\}$ and x is uniform, i.e., $x{\in }_R\{0,1\}$, then $x\oplus y$ is also uniform. Second, if $x,y\in \{0,1\}$ are uniform and let $z=x\oplus y$, then $Pr\left[x\right|z]=Pr[x]=1/2$. Finally, if $x,y_1,y_2\in \{0,1\}$ and x is uniform, let $z=x\oplus \left(y_1{y}_2\right)$, then $Pr\left[y_1\right|z]=Pr\left[y_1\right]$. These three basic facts can be easily verified. With these facts, we can complete our proof. Define ${\xi }_i=b_i\oplus d_i\oplus \left(a_i{c}_i\right)\oplus \left(s_i{c}_i\right)\oplus \left(c_i{e}_i\right)$ so that $u_i=h_i\oplus {\xi }_i$. As $b_i,d_i{\in }_R\{0,1\}$, we first know that ${\xi }_i{\in }_R\{0,1\}$. Furthermore, as $h_i,{\xi }_i{\in }_R\{0,1\}$, we can get that $Pr\left[h_i\right|u_i]=Pr\left[h_i\right]=1/2$. Likewise, we can also get $Pr\left[b_i\right|u_i]=Pr\left[b_i\right]=1/2$ and $Pr\left[d_i\right|u_i]=Pr\left[d_i\right]=1/2$. For $a_i{\in }_R\{0,1\}$, define ${\xi }_i=h_i\oplus b_i\oplus d_i\oplus \left(s_i{c}_i\right)\oplus \left(c_i{e}_i\right)$ so that $u_i={\xi }_i\oplus \left(a_i{c}_i\right)$, from which we can infer that $Pr\left[a_i\right|u_i]=Pr\left[a_i\right]=1/2$. Note that $h_i,b_i,d_i$, and $a_i$ are irrelevant to $v_i$, which means $Pr\left[r_i\right|u_i,v_i]=Pr\left[r_i\right|u_i]$ for any $r_i\in \{h_i,b_i,d_i,a_i\}$. As for $c_i,e_i{\in }_R\{0,1\}$, as they are related to both $u_i$ and $v_i$, in order to simplify our analysis, we define $h_i^{\prime }=h_i\oplus \left(a_i{c}_i\right)$, $b_i^{\prime }=b_i\oplus \left(s_i{c}_i\right)$, and $d_i^{\prime }=d_i\oplus \left(c_i{e}_i\right)$, then obtain that $u_i=h_i^{\prime }\oplus b_i^{\prime }\oplus d_i^{\prime }$. Clearly, $h_i^{\prime },b_i^{\prime },d_i^{\prime }{\in }_R\{0,1\}$, so $c_i$ and $e_i$ are only related to $v_i$. By this, we can easily get that $Pr\left[c_i\right|u_i,v_i]=Pr\left[c_i\right|v_i]=Pr\left[c_i\right]=1/2$ and $Pr\left[e_i\right|u_i,v_i]=Pr\left[e_i\right|v_i]=Pr\left[e_i\right]=1/2$. Finally, $f_i$ and $g_i{\in }_R\{0,1\}$ are obviously irrelevant to $u_i$ and $v_i$ (see Equations (24a) and (24b)), which means $Pr\left[f_i\right|u_i,v_i]=Pr\left[f_i\right]=1/2$ and $Pr\left[g_i\right|u_i,v_i]=Pr\left[g_i\right]=1/2$. So far, we have proved the statement in Equation (25), from which we know that the servers can obtain no information gain about $a_i,b_i,c_i,d_i,e_i,f_i,g_i,h_i$ from the ${\theta }_i$. Thus, after the procedure Hadamard($i,q$), the updated keys $a_i^{\prime },b_i^{\prime },c_i^{\prime }$ are also secure.

Finally, we consider the procedure Nonlocal-CZ($\{i,j\},q,q^{\prime }$), where $\{i,j\}\in {\mathcal{S}}_q\cup {\mathcal{S}}_{q^{\prime }}$. Note that in this procedure, $\mathcal{S}$ can only obtain two independent and uniform measurement outcomes $s_i,s_j$. According to the updating rules shown in Equation (22), we can see that as long as the encryption keys $\{a_i,b_i,c_i\}$ and $\{a_j,b_j,c_j\}$ are secure then the updated keys will also be secure against the servers. As a result, we conclude that, from the perspective of all servers, the output state of the computation is still encrypted by a sound quantum one-time pad.

6. Discussion

In this work, we proposed a secure distributed delegated quantum computation protocol, which allows clients to delegate their private computation to several quantum servers. We have shown that unconditional security of the input and output of the computation can be guaranteed as long as all servers follow the protocol honestly. Nevertheless, there are some notable problems in our work when we consider it in practice. In the end of this paper, we discuss those practical problems.

First, note that our protocol can only work well in a noise-free environment. To make our protocol fault-tolerant, we assume that each quantum server must be capable of performing fault-tolerant quantum computation [41]. However, this would inevitably increase the overhead of ancillary qubits. In addition, we need to consider two channel noises: one is between the client and each server, the other is between the third party and each server. The former will introduce errors in the input state, whereas the latter will introduce errors in the entangled state. There are some methods to remedy this problem. For the input state, the client can utilize some quantum error-correct code [42] to protect each qubit. However, it requires that the client can perform additional quantum operations. As for the entangled state, each pair of servers can use some quantum entanglement distill [43] protocol to obtain the entangled states with high fidelity. Similarly, it requires additional local operations and classical communications between the servers.

Second, note that our protocol can only protect the security of the input and output of the computation. This is because the model of the delegated quantum computation we used in our work is SDQC protocol instead of UBQC protocol. Nevertheless, we can convert, in principle, a SDQC protocol into a UBQC protocol. To do that, we first encode the delegated circuit U as a binary string denoted by $C\left(U\right)$. Next, according to the quantum computation theory [44], there exists a universal quantum circuit $\mathcal{U}$ such that

$$\mathcal{U}|{+}_{C\left(U\right)}\rangle |{+}_x\rangle =|{+}_{C\left(U\right)}\rangle U|{+}_x\rangle ,$$

(26)

where the input of the universal circuit $\mathcal{U}$ consists of two parts: $|{+}_x\rangle$ is the input state of U and $|{+}_{C\left(U\right)}\rangle$ is the canonical and quantum description of the circuit U. Performing this universal circuit $\mathcal{U}$ in our protocol, we can apparently achieve a blind distributed delegated quantum computation.

Last, we should note that in this work we only consider the honest servers and the third party who perform the protocol as the client desires. However, a real server may not follow the protocol honestly, and an untrusted third party may prepare some other entangled states for the servers. To detect such a malicious server including the untrusted third party, we should introduce a verification mechanics in our protocol. Indeed, verification is an important topic in the quantum computation theory (see [45,46]). There is an easy way to achieve the verification in our protocol. Specifically, given the delegated circuit U, the client can introduce another small quantum circuit V, for example, a permutation circuit [47], which is easy to simulate on a classical computer. The client then randomly inserts the qubits of V into the circuit U and runs this hybrid circuit on the universal quantum circuit $\mathcal{U}$. After the computation, the client check the result of V; if the result does not match the desired, then the client rejects the output.