Introduction

Quantum computing is an emerging field of computation technology that promises to produce faster algorithms for solving computational problems1,2. Many government agencies and large companies like Google, IBM, and Amazon are putting efforts into building a programmable quantum device that can outperform existing classical computers3,4. Some of them have already managed to develop small-scale quantum computers and provide cloud services allowing users to delegate their quantum computations5,6,7,8.

Although this form of delegated quantum computation (DQC) services is very useful in practice, for education and research, for example, running algorithms on untrusted quantum hardware raises important privacy issues. A major challenge of DQC is to ensure the privacy of the client’s computation who doesn’t have any quantum computation capability. In this paper, we address this issue by introducing a quantum hardware assumption, namely quantum trusted execution environment (Quantum TEE) and showing how it can be used to implement privacy-preserving DQC, even with a fully-classical client.

In the classical world, a trusted execution environment (TEE) can be figured as a secure processor that executes code in an isolated environment and prevents malicious access from the rest of the device. Global Platform initially proposed standardization to ensure the protection of stored applications and data9. In practice, a TEE is designed to isolate the trusted execution of the software layer from the untrusted area, also called rich execution environment (REE). It is based on a combination of hardware architecture and cryptographic protection. It allows to control the flow of information between applications in multiple environments with different root-of-trust. In more advanced scenarios, TEEs have been used for blockchain10, privacy-preserving machine learning11,12, or cloud services13,14.

The goal of delegated computation is to allow a computationally bounded client to assign some computation to a computationally powerful but untrusted server while maintaining the privacy of data. This is relevant, especially in the case of high-performance computing in the cloud. A similar question arises with universal quantum computers becoming available in the near future. Even though we have recently been witnessing spectacular developments, it is expected that scalable quantum computers will remain hard to build and expensive for a long time. It is very likely that they will only be accessed remotely, exactly like supercomputers are nowadays. In this context, DQC enables a client with limited quantum capabilities to delegate a computation to a quantum server while maintaining the correctness and privacy of the computation.

The first efficient universal protocol for secure (blind) delegated quantum computation was introduced in15 see recent reviews for other similar protocols16,17. However, these protocols all assume a quantum channel between the client and the server, which for some quantum hardware platforms such as superconducting or cold atom qubits might prove to be impractical, at least in the near future. For this reason, the construction of an efficient, private, and secure DQC protocol using only classical communication will be extremely important. Given the impossibility of achieving information secure delegated computing using only classical communication18 other assumptions must be considered. Recent breakthroughs based on post-quantum secure trapdoor one-way functions paved the way for developing entirely new approaches toward fully-classical client protocols for emerging quantum servers19,20,21. Nevertheless, the challenge for these protocols is the huge server overhead. This is due to the fact that one has to ensure the quantum circuit implementing the required masking protocol based on the learning with error (LWE) encryption22 remains unhackable both classically and quantumly. That leads to current proposals that require an order of 1000 server qubits for masking a single gate of the target client computation.

Our work explores a different approach based on the hardware security assumption to derive a practical secure DQC protocol with a fully-classical client setting. We explore the modular approach introduced in ref. 23 that defines the remote state preparation (RSP) as the main building block for DQC protocol. It is worth noting that in ref. 24 an RSP protocol was also proposed using a classical channel between client and server but assuming a resource called measurement buffer, which externalizes a quantum state measurement from the server-side. However, such a resource can not be realized classically, as was proven in ref. 25. Indeed, it is known that it is impossible to construct a composable secure RSP protocol using only a classical channel between the client and the server without any hardware assumption, which confirms our approach to be the only way forward to construct an efficient DQC protocol with a classical client from the RSP module. One could also take a different approach to define a hardware security module that securely implements the measurement buffer (on the server-side) and then uses the protocol introduced in ref. 24. However, there are two fall-backs for such protocol. First, it is desired that the hardware assumption be as simple as possible and as we discuss later, securing the measuring device leads to an unnecessarily complicated architecture. A more severe issue, however, is that, as mentioned before, due to the usage of LWE-based encryption, the protocol of ref. 24 requires a huge overhead on the server-side.

With these constraints in mind, we introduce our Quantum TEE, called QEnclave, as a practical way to make DQC secure with a classical client. Remarkably only one call to our simple hardware module is enough to create one remote blind qubit. Our QEnclave only transforms single qubit states without generating or measuring them. Nevertheless, it can be composed with the universal blind quantum computing protocol of ref. 15 to achieve secure DQC with perfect blindness (assuming minimal hardware assumption) whiles using only classical communication between the client and the server with optimal server overhead. Surprisingly, the blindness of the protocol holds even if the server controls the qubit source.

Results

QEnclave as an ideal functionality: remote state rotation

The contributions of our work are twofold. The first one is the introduction of an ideal functionality named remote state rotation (RSR). The only operation performed by this functionality is to rotate a quantum state with arbitrary angles chosen uniformly at random from a fixed set. Compared to the other ideal functionalities, RSR is even weaker . While RSP generates quantum states by itself, RSR only allows rotations of single qubit states generated by the server.

Definition 1

(See Fig. 1) The ideal resource named remote state rotation for blindness (RSRB) has two interfaces A and B. After receiving a single qubit state ρin from interface B, it performs a rotation Z(θ) with θ chosen uniformly at random from the set \(\{0,\frac{\pi }{4},\ldots \frac{7\pi }{4}\}\). It then outputs (ρout) at the server’s interface and the angle θ at the client’s interface.

Fig. 1: Ideal Functionality of QEnclave: Remote State Rotation.
figure 1

Remote State Rotation (RSR) perform sarbitrary single qubit rotation with angel θ on income quantum state, outputs the angle at interface A and the post-rotation quantum state at interface B.

Full size image

Similar to RSPB and MRSPB (See Section Remote state preparation for DQC for further details), this functionality removes any quantum capability for the client. In particular, using RSRB removes the assumption of a quantum communication channel between the client and the server.

We further define a two-party protocol π = (πA, πB) to prepare quantum states with RSRB in which πA only receives the angle θ from the interface A of RSRB, and πB takes as input a classical bit c and a quantum state from the server.

If c = 0, the server is honest, and πB accepts \(\left|+\right\rangle \left\langle +\right|\) as input from the server. If c = 1, the dishonest server prepares an arbitrary quantum state \(\rho ={{\Omega }}(\left|+\right\rangle \left\langle +\right|\otimes {\rho }_{{\mathrm{aux}}}){{{\Omega }}}^{{\dagger} }\). Here, Ω is an arbitrary unitary representing the server’s deviation, and ρaux is an auxiliary state of the server.

After tracing out the auxiliary state of ρ, we get ρin, the input to RSRB, which is a single qubit chosen by the dishonest server. In particular, this state can be entangled with the server’s auxiliary system.

As a result, we show how to build RSP from RSR in the abstract cryptography (AC) framework26. In combination with previous results on the security of RSP, it implies that a classical client, using RSR, can achieve DQC with perfect blindness solely relying on classical communication even if the source that generates the state is compromised. In Section Composability of remote state rotation, it contains the detailed proof.

In practice, RSR reduces the client’s quantum technology requirements compared to previously proposed RSP resources, usually requiring the client to generate or measure quantum states. This makes this functionality of independent interest for the study of practical quantum cryptographic protocols.

QEnclave: a practical design with secure processors

Our second contribution consists of a proposal to build our QEnclave using a standard classical TEE, with a protection of the flow between TEE and the quantum device that implements the single qubit rotations. That is to say, the QEnclave implements the ideal functionality RSR and uses the enclave and its hardware assumption to ensure the security of the construction. Moreover, it communicates with the client classically and returns a quantum state to the server, as shown in Fig. 2. For convenience, we assume that the client can choose the input angles uniformly at random, rather than letting the QEnclave choose them (as in RSRB). This transformation does not change the security since, in our setup, both the client and QEnclave are expected to be honest.

Fig. 2: Specification of QEnclave.
figure 2

The structure of QEnclave on the server’s side is divided into two areas: the trusted and untrusted areas. The rotation angles from the client can not be revealed until the rotation is performed inside the trusted area. The quantum source is external to the QEnclave.

Full size image

By abstracting the functionality of secure processors as attested execution Gatt, we demonstrate how Gatt securely constructs outsourcing computation protocol under composition. By considering a simple two-party outsourcing computation Foutsrc[C, S] with target function y = f(x), where the client C outsources f and x with encoding and finally obtains the output y while the server S or any other adversary only knows the size of inputs and outputs (f + x, y) during the computation process. A Gatt-hybrid protocol Protoutsrc is given in ref. 27 and proven to UC-realized Foutsrc when C is honest and S is a static adversary. The probabilistic polynomial time indistinguishability of ideal-world and real-world executions is reduced to the decisional Diffie-Hellman (DDH) assumption for secure key exchange28 and authenticated encryption. The indistinguishability is also equivalent under the AC framework without instantiating a DDH-based secure key exchange protocol but assuming the existence of a secure key exchange between C and Gatt. In practice, as long as the key exchange scheme is post-quantum secure, Gatt-based RSR is feasible in terms of security.

Furthermore, a quantum-safe digital signature scheme Σ29,30 is necessary for the remote attestation scheme since we assume that the quantum server is potentially malicious. Meanwhile, more practical remote attestation schemes provide post-quantum security31.

The confidentiality consists in hiding the rotation angles chosen by the client. The requirement of using quantum-safe encryption makes symmetric schemes more appropriate than asymmetric ones for this task. Instead of a key exchange protocol based on DDH, there are other key encapsulation mechanism (KEM) schemes32,33,34 available to share a secret key between the client and the QEnclave and proven to be secure against a quantum polynomial adversary for now.

Protocol 1

QEnclave-based RSP Protocol for Blindness with progrsr Gatt-enabled QEnclave Program progrsr:

   On input ("keyex”,pk):

 • let (k, Ck) = KEM.Enc(pk), seal k and return Ck

   On input* (“compute”,Ct):

 • let (fθ, x) := AES. Dec(k, Ct)

 • assert decryption success, Ct not seen before

 • let θ0θn := fθ(x), θ0θn is applied to quantum states from an external source:         

$$\left|e\right\rangle ={Z}_{1}({\theta }_{1})\otimes \ldots \otimes {Z}_{n}({\theta }_{n}){\left|+\right\rangle }^{\otimes n}$$

 Server S:

   On receive (“keyex”,pk) from C:

 • let eid := Gatt. install(sid, progrsr)

 • let (Ck, σ) := Gatt. resume(eid,(“keyex”,pk)) and send (eid, Ck, σ) to C

   On receive* (“compute”, Ct) from C:

 • let \(\left|e\right\rangle ={G}_{{{{\rm{att}}}}}\).resume(eid,(“compute”,Ct)) and keep \(\left|e\right\rangle\) for further computation

 Client C:

   On initialize:

 • let (pk, sk) ← KEM. KeyGen(1λ), mpk := Gatt. getpk()

 • send (“keyex”, pk) to S, await (eid, Ck, σ) from S

 • assert Σ. Vfmpk((sid, eid, progrsr, Ck), σ)

 • let k = KEM. Dec(sk, Ck)

   On receive* (“compute”,fθ, x):

 • let Ct := AES. Enc(k, fθ, x) and send (“compute”, Ct) to S

Once the secure channel is established between the client and QEnclave, the client can send the encrypted rotation angles to the QEnclave. QEnclave decrypts them and encodes the initial quantum state from the external source using the classical angles chosen by the client. At this stage, we assume that the trusted area, which includes the secure processor and minimal quantum devices. It leads to a remote state preparation protocol for delegated quantum computation with blindness using the QEnclave and classical communication between the client and the server. We summarize all the steps in Protocol 1 with a post-quantum secure digital signature scheme Σ with signature σ and a post-quantum secure key encapsulation mechanism KEM scheme with the key derivation function for generating a symmetric key for use, e.g., here we instantiate it as advanced encryption standard (AES).

Moreover, we assume that the communication between the secure processor and the quantum device is protected against a tampering server in terms of confidentiality. While this assumption may seem strong, the idea of sealing hardware components into a tamper-proof box is already well spread in the world of hardware security. In particular, the FIPS-140 certification for hardware security modules (HSM) includes criteria for physical tamper-evidence (level 2 certification), physical tamper-resistance (level 3), or even robustness against environmental attacks (level 4).

For the possible noise of quantum rotation inside QEnclave on the engineering level, the security definition of UBQC in terms of blindness16 permits irrelevant errors to the secret information of the client. That is to say, the UBQC protocol remains secure while there are unrelated errors on top of the process. Since QEnclave is expected to retain the confidentiality of the client’s secret information. Hence, the security of UBQC follows intuitively in theory. Still, this noise can not be verified throughout the protocol of RSR composing with UBQC. Also, since it is a multi-disciplined concept, especially more engineering-related. Plenty of open questions require inputs from different disciplines, e.g., controlling theory to solve. We leave this as one of our future work.

While our proposal of QEnclave implements the RSR ideal functionality, we have left aside a number of potential attacks that stem from the physical realization. Implicitly, we assume that QEnclave is fabricated correctly by a certified manufacturer, which ensures that an adversary cannot subvert the device before it is installed on the server. Besides, we exclude some hardware-dependent attacks in our work e.g., specific side-channel attacks on specific enclave products. Finally, we have not yet considered the possibility of counterfeiting the QEnclave.

The rest of the paper is organized as follows: We firstly conclude our paper with a discussion in Section Discussion. Here, we broadly discuss how our QEnclave can lead to a verifiable UBQC protocol35 in Section QEnclave and verifiable quantum computation, the analysis of implementation with current quantum computing technologies in Section QEnclave and quantum computing technologies and other potential applications of our QEnclave in Section QEnclave and other applications; in Section Preliminaries, we recall the basic concepts and notations used in our work; in Section Remote state preparation for DQC, we introduce the functionalities for RSP used in our construction and discuss their composable security in the abstract cryptography framework; in Section Composability of remote state rotation, we give formal proofs of security to show how RSRB builds a blind DQC protocol.

Discussion

We introduced a functionality called remote state rotation that can be used to achieve secure delegated quantum computing in a practical way compatible with the currently available quantum hardware platform in the cloud. Moreover, we have proposed a realistic hardware assumption of trustworthy quantum operations with classical secrets to circumvent the impossibility results of18,25 of implementing a composable RSR with a classical channel only. Our proposed ideal functionality with simple rotations lowers the minimal requirement on the client’s operations while keeping minimal overhead on the server-side. Finally, we gave a complete specification of QEnclave that implements the RSR functionality using a secure processor to control the quantum devices required for the blindness of delegated quantum computation.

QEnclave and verifiable quantum computation

Besides privacy, another desirable property of delegated quantum computing is verifiability. In general, a DQC protocol is verifiable if the client can verify the result from the server (See Definition 4). A verifiable universal blind quantum computing protocol was proposed in ref. 35 where the client could insert in the target computation a set of trap qubits that are isolated from the computation. This construction ensures that the measurement results of trap qubits are always deterministic and can be used as a test of the correctness of the entire computation as they are known only by the client.

Adapting the same approach for RSR is not trivial as a malicious server controlling the source is now enabled to perform correlated attacks before and after the call to RSR. Hence the proof technique from ref. 35 does not directly apply. In principle, such deviations can be chosen to affect certain types of computation qubits but leave trap qubits unchanged, then change the execution of the protocol but remain unnoticed by the client at the same time, which means the protocol is not verifiable. However, there exist many other approaches to verifiability, such as the ones based on self-testing that might prove more suitable for RSR. We leave this question open for future work. It is worth mentioning that one could trivially add a trusted measurement device or a trusted source to the construction of the QEnclave to remove the possibility of such a correlated attack implementing directly the RSP resource instead. It will define directly an efficient classical client verifiable delegated computing protocol with an extended hardware assumption addressing the current challenge of demonstrating certifiable quantum supremacy. However, we believe keeping the QEnclave construction as simple as possible is a more interesting option to be explored.

QEnclave and quantum computing technologies

In this subsection, we discuss the integration of the QEnclave in different quantum computing technologies. Our current QEnclave only implements a single qubit rotation, and it interacts with the server’s quantum computer while residing at the server’s computing facility. Therefore, QEnclave always requires a quantum communication channel to interact with the source and the server’s quantum computer. The linear optics-based photonics platforms are efficient for both quantum communication and single qubit rotation36. Hence we predict that the photonics-based platform would be ideal for implementing the QEnclave. Such QEnclaves would fit perfectly with photonics-based quantum computing technologies.

However, for the other kinds of quantum computing technologies, like ion traps-based processors, or superconducting-based qubits, we need to use an external interface for the interaction between the server and the QEnclave. Note that a promising approach to scaling ion-trap quantum computers to arbitrarily large numbers of qubits is to use many similar ion-trap processors (nodes) connected together in a modular network. Such a quantum network can produce ion-photon entanglement37. A naive idea for designing the interface between QEnclave and ion-trap-based quantum computer would be to use such an ion-photon entanglement to teleport the outcome of the QEnclave to the ion qubits. The detailed description of such an interface is beyond the scope of this paper. We leave this interesting study for our future work.

QEnclave and other applications

In this section, we discuss the other protocols that can exploit QEnclave rather than UBQC protocols. In general, the concept of QEnclave can be used for any client-server-based protocol38 with quantum communication channels. First of all, QEnclave can be exploited in the prepare-and-send universal blind quantum computation with multiple clients to replace the multiple quantum communication channels from a server to the clients39 for scalability. In this protocol, the security of blindness that the server doesn’t learn the delegated computation and its input/output is guaranteed against either a dishonest server or a coalition of dishonest clients. In the case of the dishonest server, the protocol is equivalent to thinking of all honest clients as one with multiple input qubits. The blindness of DQC with QEnclave can be obtained intuitively.

In the case of the coalition of dishonest clients, the quantum channels among clients are replaced by RSP by QEnclave on the server-side. Meanwhile, since the clients are assumed to have secure access to verifiable secret sharing (VSS) in the protocol as a classical multiparty computation protocol, by committing classically every round of rotation angles during the RSP stage via VSS, the correctness of committed values can be verified by the honest server and the rest of honest clients. Note that the restriction to performing multiparty quantum computation for blindness with this protocol is that the collusion of a dishonest server and clients is impossible.

Secondly, in terms of quantum homomorphic encryption (QHE), which is formalized by ref. 40, it permits an evaluation of quantum circuits on encrypted quantum data in the DQC setting. Furthermore, a protocol of prepare-and-send QHE is proposed in41 with quantum communication between client and server. Unlike UBQC, the quantum circuit is not hidden from the server, but the client can verify the computation by the decryption of the output. However, the composition of QEnclave and QHE is tricky since QHE requires the encryption and decryption of quantum data with confidentiality and integrity, as well as a trusted quantum source. Alternatively, one can put the encryption, evaluation, and decryption circuit fully inside the QEnclave. With such a powerful assumption, any classical client can run a secure QHE protocol using just classical communication. However, our primary goal here is to reduce the assumptions on the QEnclave functionality, i.e., we try to make the quantum circuit inside the QEnclave as simple as possible. For example, the QEnclave contains only a single qubit rotation gate in our current setup. Making the QEnclave circuit simple for the QHE without losing security is challenging and beyond the scope of this paper. However, this is an interesting direction for our future research.

Finally, we think it can be relevant to use it in quantum money schemes42, especially the protocol43 considers that the bank mints the quantum states used as banknotes on the user’s side and verifies their validity using only classical interactions. It matches our definition of remote state preparation once the problem of verifiability is also addressed. Then using a QEnclave, a bank might be able to authenticate the banknote by remotely performing quantum operations but using only classical communication.

Methods

Preliminaries

Trusted execution environment

A TEE is a tamper-resistant processing environment that runs on a kernel44 separated from its environment, named the rich execution environment (REE). It can be treated as a secure processor that guarantees the authenticity of the executed code, the integrity of the run-time states, and the confidentiality of its code and data. It can also provide remote attestations of its trustworthiness to third parties. A TEE should resist all software and physical attacks performed on the system’s main memory. On the one hand, the OS and most of the applications are executed in the REE might be easily tampered with by the virus, trojans, malware, tools of rooting/reflashing, keystrokes logging, etc. On the other hand, running applications in the TEE is less efficient than on the REE.

There are many ways to implement a TEE in practice45. The smartcards we use daily are a prototype of TEE, with the smartcards themselves being the trusted area while the peripherals (e.g., POS terminal) do not need to be trusted46. Smartcards are completely isolated, providing high levels of trust, but are also very limited due to their size. The second type of familiar TEE is the trusted platform module (TPM)47. A TPM is a co-processor specialized for cryptographic tasks, including key generation, encryption, decryption, etc. The trusted components should include isolated engines for cryptography (e.g., SHA-1 engine, RSA engine, HMAC engine, etc.) and a random number generator. In addition, a TPM includes an isolated execution engine, platform configuration registers, and persistent memory for identification.

Apart from smartcards and TPMs, another type of TEE consists of designing processors with different execution environments and allowing inter-communication among environments with flow control (Fig. 3). Intel SGX, for example, allows users to instantiate a secure processor (enclave) to protect an application48. The code from outside the enclave cannot alter the application inside the enclave, even if executed with high privileges. Intel SGX also includes security measures such as remote attestation, crypto-based memory protection, sealing, etc. Another example is ARM TrustZone, which is implemented in most ARM processors nowadays. The system bus with ARM TrustZone uses an extended protected NS bit to distinguish the instructions of the trusted area from the untrusted area49. ARM TrustedZone can also protect specific peripherals by hiding them from untrusted applications.

Fig. 3: TEE with co-existing execution environments.
figure 3

The trusted area on the right-hand side includes all trusted components used for executing trusted functions. Everything outside the trusted area are treated to be untrusted.

Full size image

We introduce a feature that is important for our discussion: remote attestation. Remote attestation is a mechanism that allows proving the TEE integrity of a prover to a verifier. It provides an attestation signed by the TEE manufacturer. For instance, consider a client (verifier) aiming to delegate some application to the TEE on the server (prover) side. The client can challenge the server to provide him with an attestation signed specifically by the TEE manufacturer allowing the establishment of an authenticated channel between the client and the TEE before running a trusted application. The identity and hash of the TEE is a proof of integrity, signed with a hard-coded built-in private key50. The proof sent back by the server allows the client to verify the authenticity of the attestation message. Once the attestation is verified, the trusted application runs securely inside the TEE. It also allows anonymous attestation, where a user can verify an attestation generated by a valid enclave without identifying which one. The remote attested execution schemes are given in previous works27,51 to capture the properties of enclave-like secure processors in the real world.

We exploit the abstraction of anonymous attested execution (See Functionality 1) as introduced in ref. 27 to formalize cryptographically the secure processors. Gatt is parameterized by a signature scheme Σ and a register reg that captures all parties P that equips with a secure enclave. For the activation points of Gatt, the starred ones are reentrant activation points, otherwise, it can be only executed once. In the registry stage, the secure processor enables the distribution of the manufacturer’s public key of key pair (mpk, msk) to P upon the query. For enclave operations, the activation point install denotes an installation of enclave application with a program prog from P, it generates an identifier eid to P for identifying the enclave instance; the activation point resume enables the execution of prog upon the input inp by Gatt. Gatt then signs the output outp to be attested with msk using Σ. The attestation σ is returned to P for verification.

Functionality 1

Anonymous Attested Execution Gatt[Σ, reg]

 Registry:

   // initialization

   On initialize: (mpk, msk):= Σ. KeyGen(1λ), T = 0

   // public query interface

   On receive* getpk() from some P : send mpk to P

 Enclave Operations:

   //install an enclave program

   On receive* install(idx, prog) from some Preg:

 • if P is honest, assert idx = sid

 • generate nonce eid  {0, 1}λ, store T[eid, P] := (eid, prog, 0), send eid to P

   //resume an enclave program

   On receive* resume(eid, inp) from some Preg: 

 • let (idx, prog, mem) := T[eid, P], abort if not found

 • let (outp, mem) := prog(inp, mem), update T[eid, P] := (idx, prog, mem)

 • σ := Σ. Sigmsk(idx, eid, prog, outp), and send (outp, σ) to P

Quantum tools

We introduce the basic concepts required here. Interested readers can refer to standard textbooks on this topic52. In quantum computation, a quantum bit or (qubit) is a quantum system analogous to a classical bit. It lives in a two-dimensional Hilbert space H. In particular, the qubits of the computational basis of H are denoted as:

$$\left|0\right\rangle =\left[\begin{array}{c}1\\ 0\end{array}\right],\quad \quad \left|1\right\rangle =\left[\begin{array}{c}0\\ 1\end{array}\right].$$

More generally, the state of an arbitrary qubit is described as \(\left|\psi \right\rangle =\alpha \left|0\right\rangle +\beta \left|1\right\rangle\) where \({\left|\alpha \right|}^{2}+{\left|\beta \right|}^{2}=1\). An alternative basis called the Hadamard basis consists of the following qubits:

$$\left|+\right\rangle =\frac{1}{\sqrt{2}}\left[\begin{array}{c}1\\ 1\end{array}\right],\quad \quad \left|-\right\rangle =\frac{1}{\sqrt{2}}\left[\begin{array}{c}1\\ -1\end{array}\right].$$

We will in particular make use of the transform Z(θ) that maps \(\left|\pm \right\rangle\) to \(\left|{\pm }_{\theta }\right\rangle =\frac{1}{\sqrt{2}}(\left|0\right\rangle \pm {{{{\rm{e}}}}}^{{{{\rm{i}}}}\theta }\left|1\right\rangle )\). A quantum state can also be described by its density matrix \(\rho =\left|\psi \right\rangle \left\langle \psi \right|\). Density matrices also capture mixed states of the form \(\rho ={\Sigma }_{s}{p}_{s}\left|{\psi }_{s}\right\rangle \left\langle {\psi }_{s}\right|\) where ps is a probability over pure states \(\left|{\psi }_{s}\right\rangle \left\langle {\psi }_{s}\right|\).

For multiple qubit systems, two states \(\left|v\right\rangle\) and \(\left|w\right\rangle\) in two Hilbert spaces V and W with dimension n and m can be assembled as \(\left|v\right\rangle \otimes \left|w\right\rangle\), or simply \(\left|vw\right\rangle\), which lives in VW, a nm dimensional Hilbert space. A quantum system \(\left|u\right\rangle\) is called separable if it can be written \(\left|v\right\rangle \otimes \left|w\right\rangle\). A multiple qubit system that is not separable is entangled. For example, \(\left|\phi \right\rangle =\frac{1}{\sqrt{2}}(\left|00\right\rangle +\left|11\right\rangle )\) is an entangled state.

The measurement of a quantum state is defined by a set of operators {Mi} satisfying \({\sum }_{i}{M}_{i}^{{\dagger} }{M}_{i}=I\) with its conjugate transpose operator M. The probability of getting measurement result i on quantum state \(\left|\psi \right\rangle\) is:

$$P(i)=\left\langle \psi \right|{M}_{i}^{{\dagger} }{M}_{i}\left|\psi \right\rangle =\left\langle \psi \right|{M}_{i}\left|\psi \right\rangle .$$
(1)

In particular, if \(B=\{\left|u\right\rangle ,\left|v\right\rangle \}\) is a basis of qubit states, then the measurement defined by the operators \(\{\left|u\right\rangle \left\langle u\right|,\left|v\right\rangle \left\langle v\right|\}\) is usually referred to as a projection onto basis B.

The transformation of a quantum state can be described by a unitary operator U. These transforms preserve the norm of a vector and hence map a quantum state onto another quantum state.

We use the letters X/Y/Z to denote some particular unitary operators called Pauli operators. For single qubit, the Pauli operators, as well as identity I, are given in the following matrices:

$$I=\left(\begin{array}{cc}1&0\\ 0&1\end{array}\right),X=\left(\begin{array}{cc}0&1\\ 1&0\end{array}\right),Y=\left(\begin{array}{cc}0&{{{\rm{i}}}}\\ -{{{\rm{i}}}}&0\end{array}\right),Z=\left(\begin{array}{cc}1&0\\ 0&-1\end{array}\right).$$
(2)

The other operators relevant here are the Hadamard (H) gate, which maps the computational basis to the Hadamard basis, and the control-U (CU) gates, which use two qubits as input: a control qubit and target qubit. It operates U on the target qubit when the control qubit is set to \(\left|1\right\rangle\).

Furthermore, A completely positive and trace-preserving (CPTP) map \({{{\mathcal{E}}}}\) is a generalization of unitary operators to density matrices. It can always be described as a linear combination of Kraus operators {Ek}, which can be written as Ek = Σiαiσi, where αi is a complex number and σi is a Pauli operator.

Finally, we briefly introduce a model of quantum computation called measurement-based quantum computation (MBQC), originally proposed by Raussendorf and Briegel53,54,55. The DQC protocols discussed in our work are well described in the MBQC computation model. In this model, a computation is described by a series of commands involving single qubits or two qubits: preparations of single qubits in the state \(\left|+\right\rangle\); entanglements of two qubits with the CZ operator; measurements on single qubits with basis \(\left|{+}_{\theta }\right\rangle\) and \(\left|{-}_{\theta }\right\rangle\) with measurement results 0 and 1 respectively, corrections on single qubits with operators X, Z depending on signals56.

The entangled state used for computation in MBQC is called a graph state. An MBQC computation is a sequence of commands on a graph state that includes a subset of input and output qubits. In the family of graph state, cluster states are introduced in ref. 54 and brickwork states introduced in ref. 15 are proved to be universal for MBQC.

Abstract cryptography

The abstract cryptography (AC, also called Constructive Cryptography) framework was introduced in ref. 26 by Maurer and Renner for getting composable security properties. Compared to UC framework57,58 that is built in a bottom-up approach, the AC framework is formalized with a top-down approach, where it considers the highest level of abstraction first, then the lower levels to instantiate particular objects of the protocol. UC can be realized by instantiating the abstraction of the AC framework. However, it is not our goal to compare different approaches in this paper but to show the idea behind composable security.

In the AC framework, the functionality is called a resource. A resource has a set of interface I corresponding to the parties that the resource interacts with. Since we focus on two-party communication between the client and the server as our protocol, our resources have two interfaces I = {A, B} to the client and the server respectively.

A protocol \(\pi ={\{{\pi }_{i}\}}_{i\in I}\) is a set of converters indexed by I. A converter has two interfaces—an inside interface and an outside interface, where the inside interface is connected to the resource and the outside interface is connected to the outside world. Intuitively, a dishonest party in a protocol has more access to the functionalities of a resource than an honest one. We denote by a filter used to enforce the honest behavior of a party. In this case, the functionalities accessed by the dishonest party are so-called filtered functionalities.

An important concept of the AC framework is the distinguisher (D), which measures the distance between two resources. For instance, consider a resource R and a protocol πA, πB, and denote πARπB as their composition. We say that two resources R, S are ε-closed, or R ≈ εS if there is no distinguisher D that can distinguish between R and S with an advantage greater that ε. If ε is negligible, we say that we can construct S from R with the protocol πA, πB. Furthermore, if the resource S is secure, we say that the resource R securely constructs S. The following definition formally defines this.

Definition 2

(See ref. 26) Given two resources R and S, we say that a protocol π = {πA, πB} constructs S from R within ε if the two following properties are satisfied:

  • Correctness:

    $${\pi }_{A}R{\pi }_{B}\,{\approx }\,_{\varepsilon }S\perp ,$$
    (3)

  • Security: if there exists a converter, where it is called a simulator σ such that

    $${\pi }_{A}R\,{\approx }\,_{\varepsilon }S\sigma .$$
    (4)

We denote this:

$$R\mathop{\longrightarrow }\limits^{\pi ,\; \varepsilon }S$$
(5)

Delegated quantum computing

In a client-server DQC protocol, a client with limited computational power asks a server to run a quantum computation, whose result is then returned to the client. There exist two types of DQC protocols. The first ones are prepare-and-send protocols, in which the client prepares a certain number of quantum states and sends them to the server. The second class is receive-and-measurement protocols59, where the client receives single qubits from the server and measures them.

When delegating its computation, a client expects some security guarantees. The first one is blindness, which means that the server does not learn anything about the computation, input, and output. The second one is verifiability, which means a client can verify the correctness of the result returned by the server.

Ideal functionalities of DQC

The following definition from ref. 60 specifies an ideal resource for two-party delegated quantum computing with blindness.

Definition 3

(See Fig. 4a) The ideal resource for DQC Sblind provides both correctness and blindness. It takes an input ψA at the client’s interface, and at the server’s interface, a filtered control bit c (set by default to 0) and a pair that consists of a state ψB and a description of a CPTP map \({{{\mathcal{E}}}}\). It outputs the allowed leak \({\ell }^{{\psi }_{A}}\) at the server’s interface. If c = 0, it outputs the correct result U(ψA) at the client’s interface; otherwise, it outputs the server’s choice, \({{{\mathcal{E}}}}({\psi }_{AB})\)

Fig. 4: DQC ideal resources with blindness and DQC ideal resources with both blindness and verifiability.
figure 4

The filtered control bit c = 0/1 denotes the honest/dishonest behavior of the server. The filtered functionalities with the input \(\psi_{B}, E\) and output \(\ell^{\psi_{A}}\) of resource (a), and the output \(\ell^{\psi_{A}}\) of resource (b) are accessible only to the dishonest server with \(c=1\).

Full size image

The blindness means there is at most \({\ell }^{{\psi }_{A}}\) of information leaked to the server during the interactions. The other property of DQC that we are interested in is verifiability. It means that if a dishonest server returns an incorrect result, the probability that the client accepts it is negligible. The following definition formalizes the definition of verifiable DQC.

Definition 4

(See Fig. 4b) The ideal resource DQC resource \({S}_{{{{\rm{verif}}}}}^{{{{\rm{blind}}}}}\) provides correctness, blindness and verifiability. It takes an input ψA at the client’s interface and filtered control bits c (set by default to 0) at the server’s interface. It outputs the allowed leak \({\ell }^{{\psi }_{A}}\) at the server’s interface. If c = 0, it simply outputs U(ψA) at the client’s interface. If c = 1, it outputs an error message at the client’s interface.

Universal blind quantum computation

Universal delegated quantum computation (UBQC), originally introduced in ref. 15 is a quantum computation model whose operations can easily be described in the MBQC model. At the start of a UBQC protocol, the client produces a sequence of single qubit states of the form \(\left|{+}_{\theta }\right\rangle\) with θ chosen uniformly at random from \(\{0,\frac{\pi }{4},\ldots \frac{7\pi }{4}\}\). After receiving N such qubits from the client through a quantum channel, the server entangles them to build a brickwork state.

The computational stage is interactive and uses only classical communication. During this stage, the client continuously sends the measurement angle for each qubit to the server, which returns the measurement result to the client. The client then computes the following measurement angle. At the end of the computation, the server returns the quantum outputs to the client. Dunjko, Fitzsimons, Portmann, and Renner60 showed the security of a UBQC protocol providing perfect blindness in the AC framework.

Remote state preparation for DQC

In this section, we review the works on ideal functionalities of RSP and their security in the AC framework. Using remote state preparation (RSP) as an ideal functionality allows replacing a quantum channel between a client and a server with a classical one.

Remote state preparation for blindness

The UBQC protocol introduced above requires the server to get a number of states of the form \(\left|{+}_{\theta }\right\rangle \left\langle {+}_{\theta }\right|\). These states are then entangled as a brickwork state. Dunjko and Kashefi23 have introduced the concept of weak correlations, which is a necessary and sufficient condition on the set of states sent by the client to obtain the blindness of the protocol. The following theorem formally introduces this notion.

Theorem 1

(See23) The UBQC protocol with classical input and computation of size N, where the client’s preparation stage is replaced by the preparation of N states of the form \({\sigma }_{AB}^{i}\)

$${\sigma }_{AB}^{i}=\frac{1}{| \Theta | }{\Sigma }_{{\theta }_{i}\in \Theta }\left|{\theta }_{i}\right\rangle \left\langle {\theta }_{i}\right|\otimes {\rho }_{i}^{{\theta }_{i}},$$
(6)

is blind if and only if the following conditions hold:

  1. 1.

    ρθ is a normalized quantum state, for all θ,

  2. 2.

    \({\rho }^{\theta }+{\rho }^{\theta +\pi }={\rho }^{{\theta }^{\prime}}+{\rho }^{{\theta }^{\prime}+\pi }\) for all θ, \({\theta }^{\prime}\in \Theta\)\((\Theta \in \{0,\frac{\pi }{4},\ldots \frac{7\pi }{4}\})\),

  3. 3.

    Θ is the size of the set Θ.

The ideal resource random RSP for blindness is specified as follows23. If the server is honest, the functionality outputs \(\left|{+}_{\theta }\right\rangle \left\langle {+}_{\theta }\right|\) to the server. If not, it takes as input from the server the classical description of a quantum state [ρθ] and outputs the corresponding quantum state ρθ to the server. In both cases, the client receives the classical angle θ. It is formalized in the following definition:

Definition 5

(See Fig. 5a) The ideal resource random remote state preparation for blindness, denoted RSPB, has two interfaces, A to the client and B to the server. The resource chooses an angle of rotation θ uniformly at random from the set \(\{0,\frac{\pi }{4},\ldots \frac{7\pi }{4}\}\). There is a filtered functionality at interface B and a classical bit c. If c = 0, the server is honest and the resource outputs a state \(\left|{+}_{\theta }\right\rangle \left\langle {+}_{\theta }\right|\) on B. If c = 1, the ideal functionality takes as input the set \({\{(\theta ,[{\rho }^{\theta }])\}}_{\theta }\) from the server.

Fig. 5: RSP ideal resources for blindness and measured-based RSP for blindness.
figure 5

The filtered control bit c = 0/1 denotes the honest/dishonest behavior of the server. The filtered functionalities with the input \({\{(\theta,[\rho^{\theta}])\}}_\theta\) of resource (a), and {Πθ}, ρ of resource (b) are accessible only to the dishonest server with c = 1.

Full size image

If the states provided by the server do not satisfy the conditions from Theorem 1, RSPB ignores the input and waits for a new valid set. Once the set is received, the functionality outputs ρθ at B. In both case, RSPB outputs the angle θ at the client’s interface.

Dunjko and Kashefi also introduced another resource that is better suited for our purpose. It is a variant of RSPB allows more operations by a dishonest server.

Definition 6

(See Fig. 5b) The ideal resource measurement-based remote blind state preparation (MRSPB) has two interfaces A and B. The resource chooses an angle of rotation θ uniformly at random from the set \(\{0,\frac{\pi }{4},\ldots \frac{7\pi }{4}\}\). There is a filtered functionality at interface B and a classical bit c. If c = 0, the server is honest and the resource outputs a state \(\left|{+}_{\theta }\right\rangle \left\langle {+}_{\theta }\right|\) on B. If c = 1, the ideal functionality takes as input the descriptions of eight positive operators {Πθ}, such that for all θ in \(\{0,\frac{\pi }{4},\ldots \frac{7\pi }{4}\}\), Πθ + Πθ+π = I. In addition, it accepts an arbitrary quantum state ρ of the same dimension as the operator Πθ.

If the server’s input does not satisfy the properties of Theorem 1, MRSPB ignores it and waits for a new valid set. Once a valid input is received, MRSPB applies the measurement Πθ, Πθ+π corresponding to the chosen angle θ to ρ. Finally, MRSPB outputs the measurement result \({\theta }^{\prime}\), whose value is either θ or θ + π, at the client’s interface and the post-measurement state \({\rho }^{{\theta }^{\prime}}\) at the server’s interface.

The connection between these two ideal resources follows from the construction of MRSPB from RSPB, which preserves both correctness and security. Consider a trivial protocol π = (πA, πB) in which πA does nothing and πB fixes the classical bit to c = 0. Following the conditions of Definition 2, it was shown that:

$${\pi }_{A}{{{{\rm{RSP}}}}}_{B}{\pi }_{B}={{{{\rm{MRSP}}}}}_{B}\perp \quad \quad and\quad \quad {\pi }_{A}{{{{\rm{RSP}}}}}_{B}={{{{\rm{MRSP}}}}}_{B}{\sigma }_{B}.$$
(7)

The inputs and outputs of these two ideal resources are trivially equivalent in the honest case, which implies correctness. To prove the security, the authors provided a simulator σB and showed that the outputs of A and B are the same actions for πARSPB and MRSPBσB. Moreover, the authors show that RSPB and MRSPB can be used for UBQC. This leads to a perfect blind DQC without a quantum channel between the client and the server. In this context, perfect blindness means that the protocol leaks nothing more than what is strictly required (such as the size of the computation). The formal definition can be found in ref. 23.

The following theorem formalizes this argument for MRSPB.

Theorem 2

(See ref. 23) The UBQC protocol in which the client has access to the ideal functionality MRSPB rather than to a quantum channel and a random generator of the \(\left|{+}_{\theta }\right\rangle\) states, exactly constructs DQC with perfect blindness.

Limitations of RSP with only classical channel

While RSPB and MRSPB remove the need for a quantum communication channel between the client and the server, we have not discussed how these resources can be implemented. For example, a fully-classical blind DQC protocol could be obtained by implementing one of the two resources with a classical communication channel. This idea is investigated by ref. 25. They introduce the following definition.

Definition 7

An ideal resource S is said to be ε-classical-realizable if it is realizable from a classical channel C, i.e. if there exists a protocol π = (πA, πB) between two parties interacting classically such that:

$$C\mathop{\longrightarrow }\limits^{\pi ,\; \varepsilon }S$$
(8)

In order to prove the composable security of ε-classical-realizable RSP, we need to show that no unbounded adversary can learn information on θ by accessing only the right interface B. Unfortunately, the authors show that there is no describable remote state preparation protocol with composable security. In this context, describable means extracting a classical approximate description of a quantum state [ρ] by accessing the state ρ on interface B. Since a protocol using only classical communication is describable, there is no classical-realizable RSP with composable security. It implies that UBQC with classical-realizable RSP cannot be composable and secure.

As a result, it is necessary to make additional assumptions to remove the quantum interaction between the client and the server. While25 considers additional computational assumptions to bound the adversary’s power, we take a different approach, introducing additional hardware assumptions such as tamper-proof quantum operations to get a secure DQC protocol with blindness using only classical communication.

Composability of remote state rotation

In this section, we elaborate on the composability of RSR in the AC framework. Compared to the other ideal functionalities of RSP, RSR is even weaker. While RSP generates quantum states by itself, RSR only allows rotations of single qubit states generated by the server.

We show the construction of DQC with RSRB that achieves perfect blindness in two steps. First, In Lemma 1, we prove that the outcome of RSRB satisfies the conditions for the blindness of Theorem 1. Then, in Theorems 3 and 4, we show the security of DQC with blindness obtained from RSRB.

Lemma 1

For any quantum states ρin as used as input of RSRB, the outcome system of the client and the server σAB satisfies the conditions of weak correlation of UBQC.

Proof

For simplicity, we first assume that ρin is not entangled with the server’s auxiliary system. Without loss of generality, we get \({\rho }_{{{{\rm{in}}}}}=| \alpha {| }^{2}\left|0\right\rangle \left\langle 0\right|+\alpha {\beta }^{* }\left|0\right\rangle \left\langle 1\right|+{\alpha }^{* }\beta \left|1\right\rangle \left\langle 0\right|+| \beta {| }^{2}\left|1\right\rangle \left\langle 1\right|\). In this case, the output of RSRB ρθ is

$${\rho }^{\theta }={\left|\alpha \right|}^{2}\left|0\right\rangle \left\langle 0\right|+{{{{\rm{e}}}}}^{-{{{\rm{i}}}}\theta }\alpha {\beta }^{* }\left|0\right\rangle \left\langle 1\right|+{{{{\rm{e}}}}}^{{{{\rm{i}}}}\theta }{\alpha }^{* }\beta \left|1\right\rangle \left\langle 0\right|+{\left|\beta \right|}^{2}\left|1\right\rangle \left\langle 1\right|.$$
(9)

For any θ in the set \(\{0,\frac{\pi }{4},\ldots \frac{7\pi }{4}\}\), we thus have

$${\rho }^{\theta }+{\rho }^{\theta +\pi }=2{\left|\alpha \right|}^{2}\left|0\right\rangle \left\langle 0\right|+2{\left|\beta \right|}^{2}\left|1\right\rangle \left\langle 1\right|.$$
(10)

Since this is independent of θ, the state satisfies the weak correlation conditions.

In the general case, ρin can be entangled with the server’s auxiliary system. we thus write \({\rho }_{{{{\rm{in}}}}}^{\prime}=| \alpha {| }^{2}\left|0\right\rangle \left\langle 0\right|\otimes \left|{\psi }_{0}\right\rangle \left\langle {\psi }_{0}\right|+\alpha {\beta }^{* }\left|0\right\rangle \left\langle 1\right|\otimes \left|{\psi }_{0}\right\rangle \left\langle {\psi }_{1}\right|+{\alpha }^{* }\beta \left|1\right\rangle \left\langle 0\right|\otimes \left|{\psi }_{1}\right\rangle \left\langle {\psi }_{0}\right|+| \beta {| }^{2}\left|1\right\rangle \left\langle 1\right|\otimes \left|{\psi }_{1}\right\rangle \left\langle {\psi }_{1}\right|\), where \(\left|{\psi }_{0}\right\rangle\) and \(\left|{\psi }_{1}\right\rangle\) are states of the server’s auxiliary system.

After the rotation of RSRB on the first subsystem, we get the following entangled state:

$$\begin{array}{lll}{\rho }^{\theta }={\left|\alpha \right|}^{2}\left|0\right\rangle \left\langle 0\right|\otimes \left|{\psi }_{0}\right\rangle \left\langle {\psi }_{0}\right|+{{{{\rm{e}}}}}^{-{{{\rm{i}}}}\theta }\alpha {\beta }^{* }\left|0\right\rangle \left\langle 1\right|\otimes \left|{\psi }_{0}\right\rangle \left\langle {\psi }_{1}\right|\\ \qquad+\,{{{{\rm{e}}}}}^{{{{\rm{i}}}}\theta }{\alpha }^{* }\beta \left|1\right\rangle \left\langle 0\right|\otimes \left|{\psi }_{1}\right\rangle \left\langle {\psi }_{0}\right|+{\left|\beta \right|}^{2}\left|1\right\rangle \left\langle 1\right|\otimes \left|{\psi }_{1}\right\rangle \left\langle {\psi }_{1}\right|.\end{array}$$
(11)

For any θ in the set \(\{0,\frac{\pi }{4},\ldots \frac{7\pi }{4}\}\), we have

$${\rho }^{\theta }+{\rho }^{\theta +\pi }=2{\left|\alpha \right|}^{2}\left|0\right\rangle \left\langle 0\right|\otimes \left|{\psi }_{0}\right\rangle \left\langle {\psi }_{0}\right|+2{\left|\beta \right|}^{2}\left|1\right\rangle \left\langle 1\right|\otimes \left|{\psi }_{1}\right\rangle \left\langle {\psi }_{1}\right|.$$
(12)

Since the result ρθ + ρθ+π is again independent of θ, the joint state of the client and the server also satisfy the weak correlation conditions for any state σAB.

We now prove the security of RSRB with the UBQC protocol. We prove it by showing that the resource MRSPB introduced in Definition 6 can be constructed from RSRB. Since MRSPB can be composed with a UBQC protocol to get DQC with perfect blindness, so does RSRB

Theorem 3

The protocol π = (πA, πB) introduced above with ideal resource RSRB constructs the ideal resource MRSPB.

Proof

We show that both the correctness and the security condition are satisfied. More precisely, proving the security amounts to showing that a distinguisher cannot distinguish MRSPB from the protocol. This translates into the following equations for a simulator σB and the protocol π = (πA, πB) with RSRB.

$${\pi }_{A}{{{{\rm{RSR}}}}}_{B}{\pi }_{B}\,{\approx }\,_{\varepsilon }{{{{\rm{MRSP}}}}}_{B}\perp ,$$
(13)

and

$${\pi }_{A}{{{{\rm{RSR}}}}}_{B}\,{\approx }\,_{\varepsilon }{{{{\rm{MRSP}}}}}_{B}{\sigma }_{B}.$$
(14)

For correctness, when the server is honest, the ideal resources RSRB and MRSPB both output an angle θ at interface A and its corresponding quantum state \(\left|{+}_{\theta }\right\rangle \left\langle {+}_{\theta }\right|\) at interface B. Equation (13) is thus immediately satisfied.

For security, we introduce the simulator σB, defined as follows: It accepts and sends c = 1 to MRSPB, as well as a set of projectors {Πθ}, where \({\Pi }^{\theta }=\left|{+}_{-\theta }\right\rangle \left\langle {+}_{-\theta }\right|\). After receiving a quantum system ρ from the server, the simulator takes the input ρin of the same dimension as {Πθ} and generates a qubit \(\left|0\right\rangle\). A CNOT gate is applied to these two qubits, where ρin is used as the control qubit (\(\left|{\phi }_{1}\right\rangle\)) and \(\left|0\right\rangle\) the target bit (\(\left|{\phi }_{2}\right\rangle\)). This gives the simulator state (\({\rho }_{{\sigma }_{B}}=\left|{\phi }_{12}\right\rangle \left\langle {\phi }_{12}\right|\)). Finally, σB sends the first qubit \(\left|{\phi }_{1}\right\rangle\) back as the outcome state to the server, whereas the second qubit, \(\left|{\phi }_{2}\right\rangle\), is sent to the resource MRSPB.

We show that the outcome is similar to the expression obtained in Lemma 1. Again, we start by considering the case where ρin is not entangled with the server’s auxiliary system. We then obtain the following expression for \(\left|{\phi }_{12}^{\prime}\right\rangle\) after the operation of MRSPB:

$$\begin{array}{lll}\left|{\phi }_{12}^{\prime}\right\rangle =\frac{{\Pi }_{2}^{\theta }}{\sqrt{\left\langle {\phi }_{12}\right|{\Pi }_{2}^{\theta }\left|{\phi }_{12}\right\rangle }}\left|{\phi }_{12}\right\rangle \\ \qquad\,\,=\frac{1}{\sqrt{2}}(\left|0\right\rangle +{{{{\rm{e}}}}}^{-{{{\rm{i}}}}\theta }\left|1\right\rangle )(\left\langle 0\right|+{{{{\rm{e}}}}}^{{{{\rm{i}}}}\theta }\left\langle 1\right|)(\alpha \left|00\right\rangle +\beta \left|11\right\rangle )\\ \qquad\,\,=\frac{1}{\sqrt{2}}(\alpha \left|00\right\rangle +{{{{\rm{e}}}}}^{-{{{\rm{i}}}}\theta }\alpha \left|01\right\rangle +{{{{\rm{e}}}}}^{{{{\rm{i}}}}\theta }\beta \left|10\right\rangle +\beta \left|11\right\rangle )\end{array}$$
(15)

We obtain the outcome of the simulator by tracing out the second quantum subsystem.

$$\begin{array}{lll}{\rho }_{1}=T{r}_{2}(\left|{\phi }_{12}^{\prime}\right\rangle \left\langle {\phi }_{12}^{\prime}\right|)\\ \quad\,\,={\left|\alpha \right|}^{2}\left|0\right\rangle \left\langle 0\right|+{{{{\rm{e}}}}}^{-{{{\rm{i}}}}\theta }\alpha {\beta }^{* }\left|0\right\rangle \left\langle 1\right|+{{{{\rm{e}}}}}^{{{{\rm{i}}}}\theta }{\alpha }^{* }\beta \left|1\right\rangle \left\langle 0\right|+{\left|\beta \right|}^{2}\left|1\right\rangle \left\langle 1\right|\end{array}$$
(16)

The outcome quantum state is exactly the same as the result as the outcome of RSRB in Eq. (9). Since a similar calculation holds for the projector Πθ+π, the outcome joint state of the client and the server of MRSPB is the same as RSRB.

Consider now an arbitrary entangled state \(\alpha \left|0\right\rangle \left|{\psi }_{0}\right\rangle +\beta \left|1\right\rangle \left|{\psi }_{1}\right\rangle\). The simulator σB takes the first single qubit subsystem as the control qubit, and performs the same operation as in the previous case. After the operation of MRSPB, we have:

$$\begin{array}{lll}\left|{\phi }_{12}^{\prime}\right\rangle &=&\frac{{\Pi }_{2}^{\theta }}{\sqrt{\left\langle {\phi }_{12}\right|{\Pi }_{2}^{\theta }\left|{\phi }_{12}\right\rangle }}\left|{\phi }_{12}\right\rangle \\ &=&\frac{1}{\sqrt{2}}(\left|0\right\rangle +{{{{\rm{e}}}}}^{-{{{\rm{i}}}}\theta }\left|1\right\rangle )(\left\langle 0\right|+{{{{\rm{e}}}}}^{{{{\rm{i}}}}\theta }\left\langle 1\right|)(\alpha \left|0\right\rangle \left|{\psi }_{0}\right\rangle \left|0\right\rangle +\beta \left|1\right\rangle \left|{\psi }_{1}\right\rangle \left|1\right\rangle )\\ &=&\frac{1}{\sqrt{2}}(\alpha \left|0\right\rangle \left|{\psi }_{0}\right\rangle \left|0\right\rangle +{{{{\rm{e}}}}}^{-{{{\rm{i}}}}\theta }\alpha \left|0\right\rangle \left|{\psi }_{0}\right\rangle \left|1\right\rangle +{{{{\rm{e}}}}}^{{{{\rm{i}}}}\theta }\beta \left|1\right\rangle \left|{\psi }_{1}\right\rangle \left|0\right\rangle +\beta \left|1\right\rangle \left|{\psi }_{1}\right\rangle \left|1\right\rangle )\end{array}$$
(17)

Then, after tracing out the second qubit, we obtain:

$$\begin{array}{lll}{\rho }_{1}=T{r}_{2}(\left|{\phi }_{12}^{\prime}\right\rangle \left\langle {\phi }_{12}^{\prime}\right|)\\ \qquad={\left|\alpha \right|}^{2}\left|0\right\rangle \left\langle 0\right|\otimes \left|{\psi }_{0}\right\rangle \left\langle {\psi }_{0}\right|+{{{{\rm{e}}}}}^{-{{{\rm{i}}}}\theta }\alpha {\beta }^{* }\left|0\right\rangle \left\langle 1\right|\otimes \left|{\psi }_{0}\right\rangle \left\langle {\psi }_{1}\right|\\ \qquad+\,{{{{\rm{e}}}}}^{{{{\rm{i}}}}\theta }{\alpha }^{* }\beta \left|1\right\rangle \left\langle 0\right|\otimes \left|{\psi }_{1}\right\rangle \left\langle {\psi }_{0}\right|+{\left|\beta \right|}^{2}\left|1\right\rangle \left\langle 1\right|\otimes \left|{\psi }_{1}\right\rangle \left\langle {\psi }_{1}\right|.\end{array}$$
(18)

Again, The output quantum state is exactly equal to ρθ specified in Eq. (11). In consequence, the resource RSRB is perfectly indistinguishable from the resource MRSPB, that is, Equations (13) and (14) are satisfied with ϵ = 0.

Finally, combining the fact that we can perfectly construct MRSPB from RSRB with Theorem 2, we obtain the following result.

Theorem 4

The UBQC protocol with the client accessing the RSRB constructs the ideal functionality of DQC with perfect blindness.