Semiquantum key distribution with secure delegated quantum computation

Semiquantum key distribution allows a quantum party to share a random key with a "classical" party who can only prepare and measure qubits in the computational basis, or reorder some qubits, when he has access to a quantum channel. In this work we present a protocol in which a secret key can be established between a quantum user and an almost classical user who needs only the quantum ability to access quantum channels, by securely delegating quantum computation to a quantum server. We show that the proposed protocol is robust even when the delegated quantum server is a powerful adversary, and that it is experimentally feasible with current technology. As one party of our protocol is the most quantum-resource efficient, it can be more practical and significantly widen the applicability scope of quantum key distribution.

Conventionally, quantum key distribution requires that two remote parties (usually called Alice and Bob) have some quantum capabilities to establish a shared key, such as the ability to prepare and measure qubits in different bases. However, in reality not all users own enough quantum resources or have equal quantum technologies. Moreover, a protocol sometimes need not be completely quantum to obtain a significant advantage over all its classical counterparts. Based on these two points, not-fully-quantum key distribution was first introduced by Boyer et al. (ref. 1), where secure key distribution becomes possible when one party, Alice, is quantum, while the other party, Bob, has only "classical" capabilities, meaning that he is limited to the following four operations: (1) prepare qubits in the computational basis {|0⟩, |1⟩}, (2) measure qubits in the computational basis {|0⟩, |1⟩}, (3) reorder qubits, and (4) access quantum channels. A party Bob with such limitations is customarily called "classical" Bob, and this kind of protocol is termed "quantum key distribution with classical Bob" or "semiquantum key distribution (SQKD)".
The first SQKD protocol was proposed in 2007 using four quantum states, each randomly prepared in the rectilinear or diagonal basis (ref. 1). The idea was extended further and two similar protocols were presented in ref. 2: one based on measurement and the other on randomization. Almost simultaneously, ref. 3 showed that the SQKD protocol in ref. 1 can be simplified by employing fewer than four quantum states, and proposed five different SQKD protocols using three, two, and one quantum state, respectively. In 2011, a more efficient SQKD protocol was proposed based on entangled states (ref. 4), where the qubit efficiency is improved to 50%, compared with 25% for the protocol in ref. 1. Recently, ref. 5 proposed an SQKD protocol in which the "classical" party does not need the measurement capability and just needs to prepare, send and reorder qubits. All these SQKD protocols generally assume the existence of an authenticated classical channel, which can be removed by presharing a master secret key between the two communicants (ref. 6). Furthermore, several multiuser SQKD protocols have been put forward (refs 7–9). The protocol in ref. 7 allows quantum Alice to share a key with several "classical" participants Bob_1, Bob_2, …, Bob_n. The protocols in refs 8,9 allow two "classical" participants to generate a shared key with the aid of an untrusted quantum server. In addition, other semiquantum cryptographic issues beyond SQKD have also been studied to some extent (refs 10–14). However, in all the above-mentioned semiquantum cryptographic protocols, the so-called "classical" users are not really classical, since they still need some quantum ability to prepare and measure qubits in the computational basis, or quantum memory to reorder qubits. That means they still require corresponding quantum devices to perform certain operations.
In this work we give a protocol in which a nearly classical party Bob, who possesses no quantum device except those necessary for accessing quantum channels, can share a key with quantum Alice through the delegation of quantum computation (DQC). In other words, such a Bob does not need to implement operations (1), (2), and (3), and only requires the ability to perform operation (4). In the presented protocol, however, there may be not only an independent eavesdropper Eve attempting to obtain some information about the shared key; the delegated server Charlie may also become a powerful adversary. Note that the delegated server can be Alice herself if she can implement the complicated quantum operations that Charlie needs; in that case Charlie becomes a trusted quantum server and Eve is the only attacker. It is obvious that any attack Eve tries may be absorbed into the untrusted Charlie's attack. Therefore, we will show that the proposed SQKD protocol is robust, like typical SQKD protocols, even when Charlie is malicious.

The review of DQC
In order to design the new SQKD protocol, we utilize the technique of DQC. It is quite useful and has attracted much attention recently (refs 15–33), since it enables users with limited quantum power to perform quantum computation while still keeping their data private. For instance, Broadbent et al. presented the first universal protocol for DQC where the client only needs to be able to prepare single-qubit states, and a double-server protocol where the client can be totally classical under the assumption that the two servers are non-communicating (ref. 19). Morimae and Fujii utilized the one-way hashing distillation model to skillfully realize entanglement distillation for the double-server protocol of ref. 19 and gave a modified protocol (ref. 20) adapted to the case after entanglement distillation. Then Sheng et al. employed hyperentanglement to give a much simpler way to achieve secure distillation for the same double-server protocol with a success probability of 100% (ref. 21), which greatly increases the practical applicability of the protocol in a noisy quantum channel. Recently, Li et al. removed the demanding requirement that the two servers cannot communicate with each other in double-server BQC protocols and gave a more practical DQC protocol (ref. 30). Although many protocols have been proposed, there are mainly three kinds of methods to achieve DQC: applying universal quantum gates on encrypted qubits (refs 15,16); hiding from the remote quantum server the circuit to be implemented, known as blind quantum computation (refs 17–31); and computing on encrypted qubits by multiple rounds of quantum communication and a complicated verification mechanism (refs 32,33). We will use the idea of the typical DQC protocol on encrypted data in ref. 15.
This protocol allows a user whose quantum power is limited to encryption and preparing random BB84 states to delegate the execution of any quantum computation on encrypted data to a remote quantum server with only one round of quantum communication. It offers perfect privacy against any adversarial server, although it does not provide a method to verify the result. We briefly review the protocol in the following; more details can be found in ref. 15.
(D1) A client encrypts her qubits |φ⟩ with the quantum one-time pad and then sends the encrypted qubits |φ⟩_enc to a quantum server. Specifically, for each qubit |φ_i⟩, the client performs a combination of Pauli X and Z operations on it to obtain |φ_i⟩_enc = X^{a_i} Z^{b_i} |φ_i⟩, where the bits a_i and b_i form her secret key.
(D2) The server implements an agreed-on quantum computation U on the encrypted qubits to get U|φ⟩_enc. U can be universal and realized by a general quantum circuit decomposed into a series of the following operations: quantum gates from the universal gate set {X, Z, CNOT, H, P, R}, auxiliary qubits prepared in |0⟩, and single-qubit computational-basis measurements; here X and Z are the Pauli gates, CNOT the two-qubit controlled-NOT gate, H the single-qubit Hadamard gate, P the single-qubit phase gate, and R the non-Clifford gate, with their usual actions. For any Clifford gate (X, Z, CNOT, H, or P) on encrypted qubits, the client requires no additional classical or quantum resource and only needs to know which gates are implemented in order to update the decryption key. For the non-Clifford gate R on encrypted data, however, the client needs to prepare auxiliary qubits and interact classically with the server to modify the decryption key.
(D3) The server returns the output state U|φ⟩_enc to the client, who obtains U|φ⟩ by decrypting it with the updated decryption key that she can compute.
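The following single-qubit walkthrough of steps D1–D3 is an added illustration and is not code from the paper or from ref. 15. It pads a qubit with X^a Z^b, lets a "server" apply Clifford gates to the padded qubit while the client only tracks the key-update rules, decrypts, and checks the result against the plaintext computation; it also averages the padded state over the four keys to show that the server's view is the maximally mixed state I/2. The gate names, the hypothetical helper functions and the sample state are all constructed here; CNOT and the non-Clifford R gate (which in ref. 15 needs auxiliary qubits and a classical interaction) are deliberately left out of this toy.

```python
"""Single-qubit walkthrough of the DQC steps D1-D3 on encrypted data.
Added illustration; not code from the paper or from ref. 15.
States are length-2 lists of complex amplitudes, gates are 2x2 matrices, and
global phases are ignored (they are physically irrelevant)."""
import math

# Clifford part of the universal set {X, Z, CNOT, H, P, R}. CNOT (two qubits)
# and the non-Clifford R are left out of this single-qubit toy.
X = [[0, 1], [1, 0]]
Z = [[1, 0], [0, -1]]
H = [[1 / math.sqrt(2), 1 / math.sqrt(2)], [1 / math.sqrt(2), -1 / math.sqrt(2)]]
P = [[1, 0], [0, 1j]]
GATES = {"X": X, "Z": Z, "H": H, "P": P}

def apply(gate, state):
    """Multiply a 2x2 gate into a 2-amplitude state."""
    return [gate[0][0] * state[0] + gate[0][1] * state[1],
            gate[1][0] * state[0] + gate[1][1] * state[1]]

def encrypt(state, a, b):
    """D1: quantum one-time pad |phi>_enc = X^a Z^b |phi> with key bits a, b."""
    if b:
        state = apply(Z, state)
    if a:
        state = apply(X, state)
    return state

def decrypt(state, a, b):
    """Inverse pad Z^b X^a (X and Z are self-inverse)."""
    if a:
        state = apply(X, state)
    if b:
        state = apply(Z, state)
    return state

# Key-update rules for Clifford gates: U X^a Z^b = X^a' Z^b' U up to phase,
# derived from H X = Z H, H Z = X H, P X = (i X Z) P and P Z = Z P.
KEY_UPDATE = {
    "X": lambda a, b: (a, b),
    "Z": lambda a, b: (a, b),
    "H": lambda a, b: (b, a),
    "P": lambda a, b: (a, a ^ b),
}

def reference(state, circuit):
    """Plaintext computation U|phi> used only for comparison."""
    for name in circuit:
        state = apply(GATES[name], state)
    return state

def delegate(state, circuit, a, b):
    """D1-D3 with key (a, b): encrypt, let the server apply the gates to the
    padded qubit while the client updates the key locally, then decrypt."""
    enc = encrypt(state, a, b)                 # D1: client -> server
    for name in circuit:                       # D2: server works on the pad
        enc = apply(GATES[name], enc)
        a, b = KEY_UPDATE[name](a, b)          # client only needs gate names
    return decrypt(enc, a, b)                  # D3: server -> client

def same_up_to_phase(s, t, tol=1e-9):
    """|<s|t>| = 1 for normalized states that agree up to a global phase."""
    inner = s[0].conjugate() * t[0] + s[1].conjugate() * t[1]
    return abs(abs(inner) - 1) < tol

def check_all_keys(state, circuit):
    """True if delegation reproduces U|phi> for every one of the 4 keys."""
    want = reference(state, circuit)
    return all(same_up_to_phase(delegate(state, circuit, a, b), want)
               for a in (0, 1) for b in (0, 1))

def server_view(state):
    """Density matrix the server sees without the key: the average of
    |phi>_enc<phi|_enc over the 4 equiprobable keys."""
    rho = [[0, 0], [0, 0]]
    for a in (0, 1):
        for b in (0, 1):
            e = encrypt(state, a, b)
            for i in range(2):
                for j in range(2):
                    rho[i][j] += e[i] * e[j].conjugate() / 4
    return rho

def is_maximally_mixed(rho, tol=1e-9):
    """I/2 carries no information about |phi>: this is the privacy guarantee."""
    return all(abs(rho[i][j] - (0.5 if i == j else 0)) < tol
               for i in range(2) for j in range(2))

if __name__ == "__main__":
    phi = [0.6, 0.8j]                      # constructed sample input
    circuit = ["H", "P", "X", "Z", "H", "P"]
    print("delegation correct for all keys:", check_all_keys(phi, circuit))
    print("server sees I/2:", is_maximally_mixed(server_view(phi)))
```

The point a practitioner should take from `KEY_UPDATE` is that for Clifford gates the client never touches a qubit after D1: the whole of D2 is a bookkeeping update of two classical bits, which is exactly why the gate R, whose commutation with the pad is not a Pauli, costs extra auxiliary qubits and a classical round in ref. 15.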

Results
In this section, we first describe the protocol, which we will show can be realized with current technology, and then analyze its security and compare it with other typical SQKD protocols.
The proposed protocol. We now present the SQKD protocol in which nearly classical Bob can generate a shared key with quantum Alice by delegating his quantum computation to a quantum server Charlie. Let n and m be the desired numbers of sifted key bits and final shared key bits, let δ > 0, θ > 0, and σ > 0 be certain fixed parameters, and let l be the qubit transmission-speed threshold, which will be useful for the security of the protocol. The detailed steps of the protocol are given as follows.
The quantum transmission phase. (S1) Alice prepares N = 16n(1 + δ) qubits at random and sends them to Bob with a speed greater than or equal to l. Each qubit |ψ_i⟩ is one of the four states |0⟩, |1⟩, |+⟩, |−⟩. Here |ψ_i⟩ can be regarded as the encrypted result of another state: for example, Alice first randomly produces a state |φ_i⟩ and then applies X^a Z^b to it to get |ψ_i⟩, namely |ψ_i⟩ = X^a Z^b |φ_i⟩.
(S2) As each qubit |ψ_i⟩ arrives, Bob randomly decides whether or not to discard it directly. For a qubit |ψ_{s_j}⟩ that Bob does not throw away, Bob records its position s_j, sends the qubit to Charlie, and asks him to apply the Pauli gate u_{s_j}, randomly chosen from {X, Z}. Note that the transmission speed of qubits should be fast enough that Charlie or other attackers cannot distinguish Bob's choices; we assume a qubit-transmission speed threshold l during Bob's reception in order to prevent attackers from learning Bob's random choices. If Bob observes a speed value smaller than l, he aborts the protocol and starts a new one.
(S3) After performing the operation u_{s_j} requested by Bob, Charlie reflects the qubit u_{s_j}|ψ_{s_j}⟩ back to Bob, still at a speed no less than l.
(S4) For each qubit coming from Charlie, Bob either throws it away or sends it to Charlie again and asks him to measure it in the rectilinear basis R or the diagonal basis D. Bob also observes the transmission speed of the qubits and then decides whether to continue.
(S5) Charlie performs the corresponding measurements on the qubits and sends all the measurement results, and interprets it as b_{p_k} for the other two cases. By this method, Alice and Bob keep 2n bits.
(S8) Alice and Bob publicly announce and compare n bits to check for eavesdropping and Charlie's dishonesty. If the disagreements exceed an acceptable number, they abort the protocol. Otherwise, they take the remaining n bits as the sifted key.
(S9) Alice and Bob perform purely classical information reconciliation and privacy amplification on the n-bit sifted key to obtain the final m-bit shared key.
The above protocol can be illustrated by the specific example shown in Fig. 1. In addition, the presented protocol only needs the simplified experimental requirements of quantum key distribution plus the Pauli gates X and Z, which can be realized experimentally with today's technology (ref. 22). As for the qubit transmission-speed threshold that ensures attackers are unable to learn Bob's random choices, namely whether to discard qubits or transmit them to the delegated server for further operations, it may not be difficult to achieve, since one can currently expect at least 1.02M qubits per second over a fiber distance of 20 km and 10.1K qubits per second over 100 km (ref. 34).

Security analysis.
An SQKD protocol is usually said to be robust if any attack by an adversary to gain information necessarily induces some detectable errors. We show the robustness of the proposed protocol mainly by reduction, with the only difference that there is an assumption on the attacker: in this protocol, attackers are not all-powerful, since they are assumed to be unable to distinguish the almost classical party's random choices when a string of unknown qubits arrives.

Secure against an eavesdropper Eve between Alice and Bob. We first consider the special case in which Eve exists only between Alice and Bob and does not know the delegated server. Then, from Eve's perspective, since nearly classical Bob can delegate all his quantum operations to Charlie to obtain the corresponding results, the proposed protocol (Protocol 1) can be reduced to a protocol (Protocol 2) in which Alice and Bob implement a quantum key distribution protocol similar to the famous BB84 protocol (ref. 35), with the modifications that Bob randomly discards some qubits, or applies Pauli gates to them and measures some of them in the bases R or D at random. Thus Protocol 2 can obtain a level of security similar to that of the BB84 protocol, at the cost of qubit efficiency, and so can Protocol 1 in this case. For example, suppose Eve intercepts all the qubits and measures them in bases chosen by herself. As Eve cannot know at which positions Bob chose to apply Pauli operators and perform measurements, in each position she has only a probability of 1/4 of guessing both choices right, and escapes detection with probability 1/4 + 1/4 · 1/2 + 1/4 · 1/2 + 1/4 · 1/2 = 5/8. Then the probability that Eve goes undetected is (5/8)^n, compared with (3/4)^n for the BB84 protocol.
Secure against an untrusted server Charlie. In a more general scenario, Charlie may be dishonest and also attempt to obtain some information about the shared key between Alice and Bob. We can assume that there are no other third-party eavesdroppers, since their attacks can be absorbed into an attack initiated by a malicious Charlie. In addition, there should be an authenticated classical channel between Alice and Bob, as is normal in SQKD protocols. The classical channel from Charlie to Bob does not have to be authenticated, but it is better if it is, since an authenticated channel increases the success rate of the protocol. From the server Charlie's view of Protocol 1, he performs with Bob a protocol similar to the reviewed DQC protocol (ref. 15), and can also intercept and operate on all the qubits that Alice sends to Bob, like an eavesdropper. We consider the security in two cases, according to whether Charlie eavesdrops on the quantum channel between Alice and Bob. If Charlie does not wiretap when Alice sends qubits to Bob, the security of Protocol 1 depends mainly on the employed DQC protocol. Thus Protocol 1 can be reduced to a modified DQC protocol, namely Protocol 3, which can be modeled as follows:
(D1') Alice sends to Bob a state |ψ⟩ of N qubits, each of which is either |0⟩, |1⟩, |+⟩, or |−⟩. The state |ψ⟩ can be obtained by applying the quantum one-time pad to another state |φ⟩ with two key strings K_1 and K_2, namely |ψ⟩ = X^{K_1} Z^{K_2} |φ⟩. When Bob receives each qubit, he randomly decides to discard it or transmit it to Charlie. So the state |ϕ⟩ that Charlie receives is a totally random subsystem of |ψ⟩; in effect, Bob encrypts |ψ⟩ to get |ϕ⟩.
(D3') Differently from step D3 in the reviewed protocol, Charlie not only returns to Bob the resultant state U|ϕ⟩, but also sends Bob the measurement outcomes of half of the qubits of U|ϕ⟩, randomly chosen by Bob. According to the security analysis in ref. 15, Charlie cannot learn anything about U|ψ⟩ and |ψ⟩ from U|ϕ⟩. Even though in step D3' Charlie is required to perform measurements on some qubits, which can be regarded as Bob asking for classical output instead of quantum output, Charlie still should not find any information about U|ψ⟩ and |ψ⟩; otherwise the reviewed DQC protocol (ref. 15) could not keep the client's data private. Thus, Protocol 1 is as secure as Protocol 3 before public discussion.
The process of public discussion not only allows Alice and Bob to obtain the shared sifted key bits, but also provides a way to verify, to some extent, whether Charlie follows the protocol. Although Alice and Bob reveal the bases of the qubits where they made the same choices, Charlie still cannot learn the bits, since he does not know for which qubits Bob chose the Pauli X or Z operation and thus cannot know whether he should flip the measurement outcomes. In addition, if Charlie alters the transmission or does not perform the operations as required, extra disagreements will be induced in some of the bits on which Alice and Bob expect to agree.
If Charlie controls the quantum channel from Alice to Bob, the security of Protocol 1 does not depend only on the employed DQC protocol, since the qubits that Bob receives may not be the real ones from Alice. We consider the worst case, in which Charlie intercepts all the qubits sent by Alice and replaces them with his own, such as qubits randomly chosen from {|0⟩, |1⟩} instead of {|0⟩, |1⟩, |+⟩, |−⟩}. Then no matter which qubits Bob chooses to forward in step S2, Charlie can distinguish these orthogonal states and learn Bob's choices. Similarly, Charlie can also figure out Bob's further choices in step S4 by measuring all the incoming qubits in the same basis R. By doing so, Charlie can learn whatever Bob does. However, during the public discussion, for each position where Alice and Bob chose the same basis there is still a disagreement between Alice and Bob with probability 1/2, since Charlie did not know the original states that Alice prepared. So the probability that Charlie goes unnoticed is (1/2)^n, which approaches zero when n is big enough.
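The following simulation is an added illustration, not code from the paper; it serves both the protocol steps S1–S8 above and the worst-case analysis just given. Because every transmitted state is one of |0⟩, |1⟩, |+⟩, |−⟩, every requested gate is a Pauli, and every measurement is in R or D, a qubit can be tracked exactly as a classical pair (basis, bit): X flips the bit of an R-basis state, Z flips the bit of a D-basis state, and measuring in the wrong basis yields a uniformly random outcome. Two things are assumptions of this code rather than statements of the page: Bob discards with probability 1/2 in S2 and in S4, and the bit-recovery rule `recover_bit` (Bob undoes the flip caused by the Pauli he requested, once the basis is announced) stands in for the interpretation steps S6–S7, which the page does not reproduce. The honest run shows zero disagreement at the sifted positions and a sifted fraction of about 1/8 of the transmitted qubits; the substituting Charlie of the worst case produces a disagreement rate of about 1/2 however much he learns about Bob's choices.

```python
"""Classical simulation of the quantum transmission and sifting phases of the
SQKD protocol (S1-S8), with an honest Charlie and with the worst-case
substituting Charlie of the security analysis. Added illustration; not the
paper's code. Discard probabilities of 1/2 and the recover_bit rule are
assumptions standing in for steps S6-S7."""
import random

R, D = "R", "D"          # rectilinear and diagonal bases

def pauli(gate, state):
    """Apply Pauli X or Z to a BB84 state (global phases ignored)."""
    basis, bit = state
    if (gate == "X" and basis == R) or (gate == "Z" and basis == D):
        return basis, bit ^ 1
    return state

def measure(state, basis, rng):
    """Exact outcome when the bases agree, uniformly random otherwise."""
    return state[1] if state[0] == basis else rng.randrange(2)

def recover_bit(outcome, gate, basis):
    """Bob undoes the flip his requested Pauli caused in the announced basis."""
    flipped = (gate == "X" and basis == R) or (gate == "Z" and basis == D)
    return outcome ^ 1 if flipped else outcome

def run_protocol(n_qubits, rng, charlie_honest=True):
    """Return (alice_bits, bob_bits) at the sifted positions (same bases)."""
    alice_sifted, bob_sifted = [], []
    for _ in range(n_qubits):
        # S1: Alice prepares one of |0>,|1>,|+>,|-> at random
        basis, bit = rng.choice((R, D)), rng.randrange(2)
        qubit = (basis, bit)
        if not charlie_honest:
            # Worst case: Charlie intercepts Alice's qubit and substitutes
            # a random computational-basis state of his own
            qubit = (R, rng.randrange(2))
        # S2: Bob discards, or forwards to Charlie with a random Pauli request
        if rng.randrange(2):
            continue
        gate = rng.choice(("X", "Z"))
        qubit = pauli(gate, qubit)          # S3: Charlie applies it and reflects
        # S4: Bob discards again, or asks Charlie to measure in R or D
        if rng.randrange(2):
            continue
        meas_basis = rng.choice((R, D))
        outcome = measure(qubit, meas_basis, rng)   # S5: Charlie reports result
        # Public discussion: keep only positions where the bases coincide
        if meas_basis != basis:
            continue
        alice_sifted.append(bit)
        bob_sifted.append(recover_bit(outcome, gate, meas_basis))
    return alice_sifted, bob_sifted

def error_rate(alice_bits, bob_bits):
    """Fraction of sifted positions where Alice and Bob disagree (S8 check)."""
    if not alice_bits:
        return 0.0
    return sum(a != b for a, b in zip(alice_bits, bob_bits)) / len(alice_bits)

def simulate(n_qubits, seed, charlie_honest=True):
    """Run one seeded protocol instance; return (sifted_length, error_rate)."""
    a, b = run_protocol(n_qubits, random.Random(seed), charlie_honest)
    return len(a), error_rate(a, b)

def undetected_probability(n):
    """Chance the substituting Charlie passes an n-bit comparison: (1/2)^n."""
    return 0.5 ** n

if __name__ == "__main__":
    for honest in (True, False):
        sifted, err = simulate(4000, 2024, charlie_honest=honest)   # constructed seed
        print(f"honest={honest}: {sifted} sifted bits, error rate {err:.3f}")
    print(f"P[undetected] for n=100 comparison bits: {undetected_probability(100):.2e}")
```

With these discard probabilities one sifted bit survives per eight transmitted qubits, which is the 12.5% qubit efficiency the Discussion quotes; the S8 comparison then halves that again for the final sifted key.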

Comparisons.
In existing SQKD protocols (refs 1–9), one party with limited quantum power usually needs to perform three or four of the following quantum operations: (1) prepare qubits in the computational basis {|0⟩, |1⟩}, (2) measure qubits in the computational basis {|0⟩, |1⟩}, (3) reorder qubits, and (4) access quantum channels, while in the proposed protocol the party needs to implement only operation (4). In other words, compared with the related work, our main contribution is that the quantum requirement of typical SQKD protocols that one party be able to prepare and measure qubits in the computational basis, or reorder qubits, is removed, and thus that party is more classical. The detailed comparisons between the given protocol and some typical ones are shown in Fig. 2.

Discussion
We have proposed an SQKD protocol employing secure DQC, in which almost classical Bob, who requires no quantum capability or quantum memory and only needs to access quantum channels, can establish a shared key with quantum Alice. The quantum resources of one party in our protocol are restricted to the minimum, so more users will have the chance to participate in quantum key distribution and enjoy its advantages. We have also provided an application of the DQC protocol on encrypted data recently presented in ref. 15 and offered a verification method for it, to some extent. Furthermore, this is the first work to build a bridge between QKD and DQC; their combination will play a significant role in the advancement of secure distributed quantum applications and shed light on the design of future quantum hybrid networks where quantum cryptographic communication and quantum computation are both to be implemented. However, this more practical SQKD protocol comes at the cost of sacrificing qubit efficiency, which is only 12.5%, compared with 25% for the typical SQKD protocol of ref. 1. It can be significantly improved by relaxing the quantum requirements of the party with restricted power, such as allowing him to have memory for reordering qubits, but quantum memory is not an easy task with current technology. How to increase the key rate of the proposed SQKD protocol will be future work.