Optimal Blind Quantum Computation
Abstract
Blind quantum computation allows a client with limited quantum capabilities to interact with a remote quantum computer to perform an arbitrary quantum computation, while keeping the description of that computation hidden from the remote quantum computer. While a number of protocols have been proposed in recent years, little is currently understood about the resources necessary to accomplish the task. Here we present general techniques for upper and lower bounding the quantum communication necessary to perform blind quantum computation, and use these techniques to establish concrete bounds for common choices of the client’s quantum capabilities. Our results show that the UBQC protocol of Broadbent, Fitzsimons and Kashefi Broadbent et al. (2009), comes within a factor of of optimal when the client is restricted to preparing single qubits. However, we describe a generalization of this protocol which requires exponentially less quantum communication when the client has a more sophisticated device.
The development of quantum computation promises the ability to solve computational problems which prove intractable for classical computers Shor (1997); Grover (1996). Quantum computers would also allow for the simulation of quantum systems that are not possible with present day technology Lloyd (1996); Kassal et al. (2008). The study of quantum computation and information has also led to new insights on the fundamental quantum nature of physics Peres and Terno (2004); Lloyd (2002); Braunstein and Pati (2007); Zwierz et al. (2010); Oreshkov et al. (2012); Fitzsimons et al. (2013). Recently, there has been growing interest in the nature of distributed quantum computation Buhrman and Röhrig (2003); Broadbent and Tapp (2008); Danos et al. (2007). Beyond the ability to shed new light onto the question of the nature of the (possible) advantage of quantum computation over classical Ekert and Jozsa (1998); Knill and Laflamme (1998); Aaronson and Arkhipov (2011); Bremner et al. (2011), this area has important practical applications. Due to the difficulty in constructing large scale quantum computers, it is likely that the availability of such technology will be limited, at least at first. Hence, the ability to perform a quantum computation remotely is of particular interest. More recently, the question has arisen whether it is possible to perform a quantum computation remotely in a blind fashion. In a blind computation Alice gets Bob to perform a quantum computation for her without revealing the nature of the computation, or the input (up to some minimal leaked information such as an upper bound on the size of the circuit/input) Childs (2005); Arrighi and Salvail (2006); Aharonov et al. (2010); Broadbent et al. (2009). This notion mirrors the classical counterpart Feigenbaum (1986), though quantum mechanics appears to allow for encryption of a larger range of problems than is possible classically Broadbent et al. (2009).
One of the least technologically demanding solutions to the problem of blind computation is the Universal Blind Quantum Computation (UBQC) protocol Broadbent et al. (2009); Fitzsimons and Kashefi (2012), which has recently been demonstrated experimentally in a quantum optics setting Barz et al. (2012). This protocol has been shown to be both correct and secure, both in a standalone setting and as a cryptographic primitive Dunjko et al. (2013). However, the question arises of whether the protocol is optimal. That is, is it possible to achieve correctness and security using fewer resources? In this letter, we address this issue of how much quantum communication is necessary in order to achieve the blind evaluation of some secret unitary operation. To this end, we develop a framework to bound the resources of any possible blind computation. Fixing Alice’s quantum capabilities, we define a figure of merit, , corresponding to the maximum number of quantum gates which can be hidden by any protocol which communicates qubits. We use a simple counting argument to bound from above, and use a generalization of the blind computation protocol presented in Broadbent et al. (2009) to lower bound by giving an achievable rate. We apply these techniques to obtain bounds in a number of physically realistic settings, including those for which blind quantum computing protocols have previously been proposed, as well as others motivated by the current state of quantum technology.
The paper is structured as follows. We begin by introducing our figure of merit, , and demonstrating a simple counting technique for bounding from above the rate at which gates can be hidden. We then proceed to introduce a generalization of the UBQC protocol, and consider its correctness and blindness. We use these techniques to examine various limitations on Alice’s computational abilities. We use the generalized blind computation protocol and the parameter counting argument to bound from below and above, respectively, in each setting. We conclude with a discussion of the universality of the generalized protocol in the settings under consideration.
As the exact relationship between BQP and NP remains unknown, there is in fact no proof that the decision problems answerable with a quantum computer cannot be hidden from a remote server using purely classical means, as is achieved for certain problems in Feigenbaum (1986). However, quantum computation does more than answer decision problems. It manipulates quantum states in a continuous way, and such a computation cannot be completely hidden using purely classical communication. (Endnote: To see this, consider a protocol which consisted entirely of classical communication. Given enough time, Bob could rerun the protocol many times using the transcript of a single run with Alice, and perform tomography on the output state. This would limit the possible computations which could have been performed by Alice to a discrete set. Hence continuous rotations cannot be completely hidden, and the computation is revealed up to Alice’s decoding operations.)
Definition 1.
We define a single parameter gate to be any gate parameterised by a single real variable which, for varying values of the parameter, maps an input state which is in a fixed maximally entangled state with an ancilla register onto states which collectively lie on a one dimensional curve of finite length in the Hilbert space of the system. Then, for a particular choice of Alice’s apparatus, we define to be the maximum number of such single parameter gates which can be encoded across transmitted qubits given the limitations of Alice’s device.
A simple example of such a single parameter gate is a Pauli rotation through an arbitrary angle. Given the above definition, can be bounded using a well known result from topology.
Theorem 1.
For a fixed choice of Alice’s apparatus, if any qubit output state which Alice can produce lies on a manifold of real dimension , then .
Proof.
For a quantum computation composed of single parameter gates, provided that no gates are redundant, the possible output states correspond to points on a manifold of real dimension , since each such gate increases the real dimension of the manifold by at most one. It is well established in topology that a manifold of finite dimension cannot be continuously mapped into a manifold of lower dimension Hurewitz and Wallman (1941). However, the input states received by Bob lie on a manifold of dimension . Hence, since any operation Bob can perform is necessarily continuous due to the linearity of quantum mechanics, . ∎
This theorem implies that for a fixed choice of her quantum capabilities, by bounding by counting the independent continuous parameters necessary to describe states produced by Alice, it is possible to place an upper bound on .
We now turn our attention to establishing a lower bound on , by presenting a generalization of the Broadbent et al. protocol. We assume that Alice has the ability to generate input states randomly chosen from some set, , which she can then send (perfectly) to Bob, and that Bob has access to a full quantum computer.
We will consider only sets which can be generated in the following way. Take a set of diagonal unitary operators which forms a group under multiplication, and which has the additional property that for all . We then define
The generalized UBQC (GUBQC) protocol is then as follows:

1. Alice chooses an ordered set of operators from such that corresponds to her desired computation.
2. For every Alice chooses (uniformly at random) and . She then prepares the qubit state , and sends it to Bob. Bob stores this state in the register of his quantum computer.
3. For all and , Bob interacts the qubit of register to the qubit of register , by applying a controlled gate between them.
4. For each step :
(a) Alice sends Bob a classical description of the operator where
Here and , is the measurement result on the qubit of qubit state. Here captures the measurement dependency structure between registers. We use the convention that and for .
(b) Bob applies on the register of his system. He then performs a measurement of each qubit in that register in the Hadamard basis (i.e., ). He sends the measurement result to Alice, with the convention that corresponds to the outcome 0, while corresponds to 1.
(c) Alice sets the value of
5. In the case of classical output, Alice takes the ordered set as the output of the computation. In the case of quantum output, Bob returns the final register to Alice, without measurement, after applying followed by Hadamard gates on each qubit. Alice then performs the last set of correction operators herself, by applying to the state she receives.
If both parties follow the protocol then the result corresponds to Alice’s desired computation, as shown below.
Theorem 2.
If Alice and Bob follow the steps as set out in the protocol, then the output received by Alice is in the case of a quantum output, or the result of measuring this state in the computational basis otherwise.
Proof.
As is a diagonal operator, it commutes with the controlled operators used to entangle Bob’s registers. Hence, the net effect of the protocol is identical to the case where and is the identity, independent of the specific choices actually made by Alice for . Therefore the action of in the first layer of the protocol can be equivalently written as . By using the one bit teleportation circuit Gottesman and Chuang (1999), as shown in Fig 1, the effect of the measurement is as if the initial state sent for the second register was prepared in the state , and no previous layers existed.
Applying this equivalence recursively we obtain the effective initial state of the final register as . Thus, in the case of classical output, since the operators commute with the measurement and incorporates corrections for the byproducts, the result of the computation is as desired. Similarly, for quantum output, after the Hadamard gates are applied by Bob, Alice’s correction exactly cancels the and byproducts to result in a final state of Alice’s register of . ∎
Having shown that the output of the protocol is indeed as expected in the case that Bob follows the protocol, we now turn our attention to the issue of blindness. In proving that our protocol is indeed blind, we base the definition of blindness on that used in Broadbent et al. (2009) and Fitzsimons and Kashefi (2012).
Theorem 3.
The GUBQC protocol is blind while leaking at most and .
Proof.
In order for the GUBQC protocol to be blind while leaking at most it is necessary that two conditions hold: 1) the distribution of classical information obtained by Bob during a run of the protocol must depend only on and , and 2) given the distribution of the above classical information, as well as and , the state of the quantum system obtained by Bob from Alice is fixed.
The information received by Bob in the protocol consists of the circuit dimensions and , different qubit quantum states , and classical descriptions of each . We first note that for a given the distribution of is uniformly random over elements of , since is randomly chosen, and . Thus the first criterion is satisfied. Although the quantum states appear correlated with , this is in fact not the case. As all operators in are diagonal, they commute with Pauli operators, and so . As is chosen uniformly at random, we must average over this secret parameter to determine the reduced density matrix for the quantum state Bob receives, which results in the maximally mixed state for any fixed and . Thus the second criterion is also satisfied. ∎
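The two blindness criteria in this proof can be checked numerically. The Python sketch below is an added example, not code from the paper: it assumes a register prepared as a diagonal unitary with arbitrary phases applied to the all-plus state, followed by a uniformly random pattern of Pauli Z flips, and models the classical message with a constructed toy group of eight rotation angles (the names `bob_view`, `message_counts` and the eight-angle group are illustrative assumptions).

```python
import cmath
import math
import random
from collections import Counter
from itertools import product


def random_phases(m, seed):
    """Constructed sample input: one arbitrary phase per basis state of m qubits."""
    rng = random.Random(seed)
    return [rng.uniform(0, 2 * math.pi) for _ in range(2 ** m)]


def prepared_state(phases, mask):
    """Amplitudes of Z^mask D |+...+>, where D = diag(exp(i * phases[k])).

    Bit b of `mask` set means a Pauli Z is applied to qubit b (assumed model).
    """
    norm = 1 / math.sqrt(len(phases))
    return [norm * cmath.exp(1j * p) * (-1) ** bin(k & mask).count("1")
            for k, p in enumerate(phases)]


def bob_view(phases, masks):
    """Density matrix seen by Bob when the Z mask is uniform over `masks`."""
    dim = len(phases)
    rho = [[0j] * dim for _ in range(dim)]
    for mask in masks:
        psi = prepared_state(phases, mask)
        for j in range(dim):
            for k in range(dim):
                rho[j][k] += psi[j] * psi[k].conjugate() / len(masks)
    return rho


def distance_from_mixed(rho):
    """Largest entrywise deviation of rho from the maximally mixed state I/dim."""
    dim = len(rho)
    return max(abs(rho[j][k] - (1 / dim if j == k else 0))
               for j in range(dim) for k in range(dim))


def message_counts(phi, order=8):
    """Criterion 1 in a toy cyclic group: delta = phi + theta + (order/2) * r.

    theta is uniform over the group and r is a uniform bit, so the counts of
    delta must not depend on the secret angle phi.
    """
    return Counter((phi + theta + (order // 2) * r) % order
                   for theta, r in product(range(order), (0, 1)))


def check_blindness(m=3, seed=1):
    """Return (deviation with random Z masks, deviation with no mask)."""
    phases = random_phases(m, seed)
    hidden = distance_from_mixed(bob_view(phases, range(2 ** m)))
    exposed = distance_from_mixed(bob_view(phases, [0]))
    return hidden, exposed


if __name__ == "__main__":
    hidden, exposed = check_blindness()
    print("deviation from I/8 with random Z masks:", hidden)
    print("deviation from I/8 without masks:      ", exposed)
    print("message counts for phi=3:", dict(message_counts(3)))
```

Without the random Z pattern the off-diagonal entries of Bob's state carry the phase differences of the diagonal operator, which is exactly the information the averaging step removes.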
We now have the tools in place to bound for a specific choice of Alice’s quantum capabilities. Theorem 1 allows us to upper bound by determining the dimensionality of any manifold containing all possible states generated by Alice’s device. The GUBQC protocol, on the other hand, represents a concrete blind computation protocol, and a lower bound on can be obtained for a specific setting by identifying a suitable set of states . We now calculate the bounds for four specific settings corresponding to various limitations on Alice’s quantum capabilities.
1. Restriction to preparing separable qubit states: The first case we consider is where Alice is restricted to transmitting individual qubits prepared in a separable state. This setting places very few technological requirements on Alice, as she need only be able to prepare and send a single qubit at a time. Similar capabilities have already been widely demonstrated in the context of quantum key distribution Schmitt-Manderbach et al. (2007). The upper bound on is straightforward to calculate in this instance, since all single qubit pure states reside on a two-dimensional surface (the surface of the Bloch sphere). Thus separable states of qubits lie on a surface of dimensions, and hence by Theorem 1 we have .
As this corresponds to the setting considered by Broadbent et al. Broadbent et al. (2009), we can use the UBQC protocol presented in that paper to place a lower bound on . The explicit gate construction they present encodes up to 3 single parameter gates for every 4 qubits sent from Alice to Bob. However, a general measurement pattern on the same graph obtains a single parameter gate (in the form of a rotation followed by a Hadamard gate) for every qubit sent from Alice to Bob, thus lower bounding by . Thus the UBQC protocol is within a factor of of optimality, and we have .
2. Restriction to preparing separable qubit states: We now consider a generalization of the previous setting, where we instead allow Alice to prepare entangled states of qubits at a time, which are then sent to Bob. This corresponds to the situation where Alice can prepare entangled states of a certain size, but cannot store and interact the qubits she produces. Physically, this is motivated by quantum optics, where production and transmission of entangled states can be achievable (for example by parametric down conversion Kwiat et al. (1995)) with significantly less effort than is required to interact photons.
In general the quantum state of qubits can be written as , where are complex numbers. Since these coefficients are normalized such that , and global phases can be neglected, such states lie on a surface of dimensionality . Thus, by Theorem 1, we have . Note that since Alice can prepare any qubit state, she can necessarily prepare states of the form , as needed for the GUBQC protocol, where (the set from which all are drawn) is taken simply to be the set of tensor products of arbitrary diagonal unitary operators on qubits, where for simplicity we will take to be an integer multiple of . Thus each contains single parameter gates. As there are such performed, is lower bounded by . In the case where this reduces to meaning that an exponential number of single parameter gates can be hidden.
3. Restriction to commuting unitary operators: We now consider the case where Alice is restricted to applying operators from a commuting set to a fixed input, which we will assume to be the Hadamard transform of one of the common eigenstates of this set of operators, as in instantaneous quantum computation Shepherd and Bremner (2008). By using exactly the same choice for as in the previous case we obtain a similar lower bound, i.e. . Here, unlike in previous settings, our parameter counting argument yields a matching upper bound, since the set of states producible by Alice’s apparatus lies on a manifold of exactly dimensions.
However we can generalize this case by assuming that Alice can apply no more than commuting single parameter gates in a given run of the protocol. This restriction is motivated by the desire to consider settings where Alice is required to perform only computationally efficient operations. Trivially, Theorem 1 implies that . Using the same protocol as for the previous case, as long as and is an integer, it is possible to choose so that it encodes exactly single parameter gates in each , and hence hides gates. As we then have matching upper and lower bounds, this implies that .
4. Restriction on quantum memory: The last case we will consider is where Alice possesses a quantum computer with a finite memory, as in Aharonov et al. (2010), and can send qubits individually while keeping others in memory and replacing the transmitted qubit. The unitary operators that can be used in this case are restricted to be sized. In this case, the most general operation Alice can perform is to iteratively perform a unitary across her entire register and then transmit a single qubit to Bob, replacing the sent qubit. When she reaches the last qubits she can transmit them all at once, since any unitary applied to these qubits between transmissions could have been absorbed into a previous operation.
In this case, it is not viable to directly calculate the exact dimensionality of the lowest dimensional manifold on which all of the states producible by Alice’s device lie. Instead we upper bound this quantity by simply counting the number of independent single parameter gates Alice can perform before she has transmitted the last qubit to Bob. A general qubit unitary operator can be decomposed into exactly free parameters. Since Alice applies such an every time she replaces a transmitted qubit the resulting states lie on a manifold of dimension . However this bound can be improved by noting that a unitary operation performed on the set of common qubits between rounds could be absorbed into the qubit unitary in either the preceding or subsequent rounds. Eliminating this redundancy reduces the number of parameters by for a total of rounds. This leads to an improved bound of .
Turning to the lower bound, we consider what would happen if Alice initially prepared qubits in the state and then applied only diagonal operations. In this case it is possible to exactly count the number of independent single parameter gates applied to the initial state. The unitary applied to the initial qubits has free parameters, while each subsequent unitary must act nontrivially on the replaced qubit in order to be distinct from previous operations, and hence has free parameters. Thus states produced in this way lie on a manifold of dimension , and so .
The four settings considered above are intended to cover the most obvious choices of Alice’s apparatus; however, we note that the technique used to upper bound can readily be applied to any device. The GUBQC protocol is not quite as general, as it requires Alice to produce states from a set with a certain mathematical structure. Nonetheless, we expect that the GUBQC protocol can be adapted to most settings of practical interest, through a suitable choice of . Although we have not addressed the question of universality for the GUBQC protocol, in the three settings where it is used here, as long as Alice’s system is of at least two qubits, in all cases the identity and CZ gates, as well as arbitrary local rotations lie in . As each can be chosen from this set of gates arbitrarily, when the fixed Hadamard gates are taken into account, the set of operations is universal for quantum computation.
Although we have found that existing protocols are close to optimal for the first setting, in the other three settings the GUBQC protocol can hide significantly more quantum gates per qubit communicated than prior protocols, and in some cases requires exponentially less quantum communication. Further, in these cases (cases 2 and 3), the GUBQC protocol is within a factor of two of being optimal.
After the initial preparation of this manuscript, the authors became aware of a recent proposal from Giovanetti, Maccone, Morimae and Rudolph Giovanetti et al. (2013) for blind computation in the first setting which claims optimality. We note that their protocol is only optimal when quantum and classical communication are treated equally, and is not optimal from the point of view of quantum communication alone. Indeed, for their scheme, we obtain a value of , compared to for the UBQC scheme of Broadbent et al. (2009). Nonetheless, we believe their protocol represents an interesting new approach to blind computation.
Acknowledgements – JF and CPD acknowledge support from the National Research Foundation and Ministry of Education, Singapore.
References
 Broadbent et al. (2009) A. Broadbent, J. Fitzsimons, and E. Kashefi, in Foundations of Computer Science, 2009. FOCS’09. 50th Annual IEEE Symposium on (IEEE, 2009), pp. 517–526.
 Shor (1997) P. W. Shor, SIAM journal on computing 26, 1484 (1997).
 Grover (1996) L. K. Grover, in Proceedings of the twenty-eighth annual ACM symposium on Theory of computing (ACM, 1996), pp. 212–219.
 Lloyd (1996) S. Lloyd, Science 273, 1073 (1996).
 Kassal et al. (2008) I. Kassal, S. P. Jordan, P. J. Love, M. Mohseni, and A. Aspuru-Guzik, Proceedings of the National Academy of Sciences 105, 18681 (2008).
 Peres and Terno (2004) A. Peres and D. R. Terno, Reviews of Modern Physics 76, 93 (2004).
 Lloyd (2002) S. Lloyd, Phys. Rev. Lett. 88, 237901 (2002).
 Braunstein and Pati (2007) S. L. Braunstein and A. K. Pati, Physical review letters 98, 080502 (2007).
 Zwierz et al. (2010) M. Zwierz, C. A. Pérez-Delgado, and P. Kok, Phys. Rev. Lett. 105, 180402 (2010).
 Oreshkov et al. (2012) O. Oreshkov, F. Costa, and Č. Brukner, Nature communications 3, 1092 (2012).
 Fitzsimons et al. (2013) J. Fitzsimons, J. Jones, and V. Vedral, arXiv preprint arXiv:1302.2731 (2013).
 Buhrman and Röhrig (2003) H. Buhrman and H. Röhrig, Mathematical Foundations of Computer Science 2003 pp. 1–20 (2003).
 Broadbent and Tapp (2008) A. Broadbent and A. Tapp, ACM SIGACT News 39, 67 (2008).
 Danos et al. (2007) V. Danos, E. D’Hondt, E. Kashefi, and P. Panangaden, Electronic Notes in Theoretical Computer Science 170, 73 (2007).
 Ekert and Jozsa (1998) A. Ekert and R. Jozsa, Philosophical Transactions A 356, 1769 (1998).
 Knill and Laflamme (1998) E. Knill and R. Laflamme, Physical Review Letters 81, 5672 (1998).
 Aaronson and Arkhipov (2011) S. Aaronson and A. Arkhipov, in Proceedings of the 43rd annual ACM symposium on Theory of computing (ACM, 2011), pp. 333–342.
 Bremner et al. (2011) M. J. Bremner, R. Jozsa, and D. J. Shepherd, Proceedings of the Royal Society A: Mathematical, Physical and Engineering Science 467, 459 (2011).
 Childs (2005) A. Childs, Quantum Information & Computation 5, 456 (2005).
 Arrighi and Salvail (2006) P. Arrighi and L. Salvail, International Journal of Quantum Information 4, 883 (2006).
 Aharonov et al. (2010) D. Aharonov, M. Ben-Or, and E. Eban, in Proceedings of Innovations in Computer Science 2010 (2010), p. 453.
 Feigenbaum (1986) J. Feigenbaum, in Proceedings of Advances in Cryptology—CRYPTO 85 (1986), pp. 477–488.
 Fitzsimons and Kashefi (2012) J. Fitzsimons and E. Kashefi, Arxiv preprint arXiv:1203.5217 (2012).
 Barz et al. (2012) S. Barz, E. Kashefi, A. Broadbent, J. Fitzsimons, A. Zeilinger, and P. Walther, Science 335, 303 (2012).
 Dunjko et al. (2013) V. Dunjko, J. F. Fitzsimons, C. Portmann, and R. Renner, Arxiv preprint arXiv:1301.3662 (2013).
 Hurewitz and Wallman (1941) W. Hurewitz and H. Wallman, Dimension theory (Princeton University Press, 1941).
 Gottesman and Chuang (1999) D. Gottesman and I. Chuang, Nature 402, 390 (1999).
 Schmitt-Manderbach et al. (2007) T. Schmitt-Manderbach, H. Weier, M. Fürst, R. Ursin, F. Tiefenbacher, T. Scheidl, J. Perdigues, Z. Sodnik, C. Kurtsiefer, J. G. Rarity, et al., Physical Review Letters 98, 010504 (2007).
 Kwiat et al. (1995) P. G. Kwiat, K. Mattle, H. Weinfurter, A. Zeilinger, A. V. Sergienko, and Y. Shih, Physical Review Letters 75, 4337 (1995).
 Shepherd and Bremner (2008) D. Shepherd and M. J. Bremner, arXiv preprint arXiv:0809.0847 (2008).
 Giovanetti et al. (2013) V. Giovanetti, L. Maccone, T. Morimae, and T. G. Rudolph, Arxiv preprint arXiv:1306.2724 (2013).