Secure Two-Party Quantum Evaluation of Unitaries Against Specious Adversaries
Frédéric Dupuis^1⋆, Jesper Buus Nielsen^2, and Louis Salvail^3⋆⋆
1 Institute for Theoretical Physics, ETH Zurich, Switzerland
[email protected]
2 DAIMI, Aarhus University, Denmark
[email protected]
3 Université de Montréal (DIRO), QC, Canada
[email protected]
Abstract. We describe how any two-party quantum computation, specified by a unitary which simultaneously acts on the registers of both parties, can be privately implemented against a quantum version of classical semi-honest adversaries that we call specious. Our construction requires two ideal functionalities to guarantee privacy: a private SWAP between registers held by the two parties and a classical private AND-box equivalent to oblivious transfer. If the unitary to be evaluated is in the Clifford group then only one call to SWAP is required for privacy. On the other hand, any unitary not in the Clifford group requires one call to an AND-box per $R$-gate in the circuit. Since SWAP is itself in the Clifford group, this functionality is universal for the private evaluation of any unitary in that group. SWAP can be built from a classical bit commitment scheme or an AND-box but an AND-box cannot be constructed from SWAP. It follows that unitaries in the Clifford group are to some extent the easy ones. We also show that SWAP cannot be implemented privately in the bare model.
1 Introduction
In this paper, we address the problem of privately evaluating some unitary transform $U$ upon a joint quantum input state held by two parties. Since unitaries model what quantum algorithms are implementing, we can see this problem as a natural extension of secure two-party evaluation of functions to the quantum realm. Suppose that a state $|\phi_{in}\rangle \in \mathcal{A} \otimes \mathcal{B}$ is the initial shared state where Alice holds register $\mathcal{A}$ and Bob holds register $\mathcal{B}$. Let $U \in U(\mathcal{A} \otimes \mathcal{B})$ be some unitary transform acting upon $\mathcal{A}$ and $\mathcal{B}$. What cryptographic assumptions are needed for a private evaluation of $|\phi_{out}\rangle = U|\phi_{in}\rangle$ where private means that each player learns no more than in the ideal situation depicted in Fig. 1? Of course, answers to this question depend upon the adversary we are willing to tolerate.
⋆ Supported by Canada's NSERC Postdoctoral Fellowship Program.
⋆⋆ Supported by Canada's NSERC discovery grant, MITACS, and the QuantumWorks networks (NSERC).
In [18], it was shown that unitaries cannot be used to implement classical cryptographic primitives. Any non-trivial primitive implemented by unitaries will necessarily leak information toward one party. Moreover, this leakage is available to a weak class of adversaries that can be interpreted as the quantum version of classical semi-honest adversaries. It follows that quantum two-party computation of unitaries cannot be used to implement classical cryptographic primitives. This opens the possibility that the cryptographic assumptions needed for private evaluations of unitaries are weaker than for their classical counterpart. So, what classical cryptographic assumptions, if any, are required to achieve privacy in our setting? Are there unitaries more difficult to evaluate privately than others?

Fig. 1. Ideal functionality for unitary $U$: $|\phi_{in}\rangle$ held on registers $\mathcal{A}$ (Alice) and $\mathcal{B}$ (Bob) enters $U$, and $|\phi_{out}\rangle$ leaves on the same two registers.
In this work, we answer these questions against a class of weak quantum adversaries, called specious, related to classical semi-honest adversaries. We say that a quantum adversary is specious if at any step during the execution of a protocol, it can provide a judge with some state that, when joined with the state held by the honest player, will be indistinguishable from an honest interaction. In other words, an adversary is specious if it can pass an audit with success at any step. Most known impossibility proofs in quantum cryptography apply when the adversary is restricted to be specious. Definitions similar to ours have been proposed for the quantum setting and usually named semi-honest. However, translating our definition to the classical setting produces a strictly stronger class of adversaries than semi-honest^4 which justifies not adopting the term semi-honest. We propose the name specious as the core of the definition is that the adversary must appear to act honestly.
Contributions. First, we define two-party protocols for the evaluation of unitaries having access to oracle calls. This allows us to consider protocols with security relying on some ideal functionalities in order to be private. We then say that a protocol is in the bare model if it does not involve any call to an ideal functionality. We then formally define what we mean by specious adversaries. Privacy is then defined via simulation. We say that a protocol for the two-party evaluation of unitary $U$ is private against specious adversaries if, for any joint input state and at any step of the protocol, there exists a simulator that can reproduce the adversary's view having only access to its own part of the joint input state. Quantum simulation must rely on a family of simulators for the view of the adversary rather than one because quantum information does not accumulate but can vanish as the protocol evolves. For instance, consider the trivial protocol that lets Alice send her input register to Bob so that he can apply locally $|\phi_{out}\rangle = U|\phi_{in}\rangle$ before returning her register. The final state of such a protocol is certainly private, as Bob cannot clone Alice's input and keep a copy, yet at some point Bob had access to Alice's input thus violating privacy. No simulator can possibly reproduce Bob's state after he received Alice's register without having access to her input state.

4 As an example, assume there exist public key cryptosystems where you can sample a public key without learning the secret key. Then this is a semi-honest oblivious transfer: The receiver, with choice bit $c$, samples $pk_c$ in the normal way and learns its corresponding secret key and samples $pk_{1-c}$ without learning its secret key. He sends $(pk_0, pk_1)$. Then the sender sends $(E_{pk_0}(m_0), E_{pk_1}(m_1))$ and the receiver decrypts $E_{pk_c}(m_c)$. This is not secure against a specious adversary who can sample $pk_{1-c}$ along with its secret key $sk_{1-c}$ and then delete $sk_{1-c}$ before the audit.
Second, we show that no protocol can be shown statistically private against specious adversaries in the bare model for a very simple unitary: the swap gate. As the name suggests, the swap gate simply permutes Alice's and Bob's input states. Intuitively, the reason why this gate is impossible is that at some point during the execution of such a protocol, one party that still has almost all its own input state receives a non-negligible amount of information (in the quantum sense) about the other party's input state. At this point, no simulator can possibly reproduce the complete state held by the receiving party since a call to the ideal functionality only provides access to the other party's state while no call to the ideal functionality only provides information about that party's own input. Therefore, no simulator can reproduce a state that contains information about the input states of both parties. It follows that cryptographic assumptions are needed for the private evaluation of unitaries against specious adversaries. On the other hand, a classical bit commitment is sufficient to implement the swap privately in our model.
Finally, we give a very simple protocol for the private evaluation of any unitary based on ideas introduced by [8,7] in the context of fault tolerant quantum computation. Our construction is similar to Yao's original construction in the classical world [23,10]. We represent any unitary $U$ by a quantum circuit made out of gates taken from the universal set $\mathcal{UG} = \{X, Y, Z, \mathrm{CNOT}, H, P, R\}$ [14]. The protocol evaluates each gate of the circuit upon shared encrypted input where the encryption uses the Pauli operators $\{X, Y, Z\}$ together with the identity. In addition to the Pauli gates $X$, $Y$, and $Z$, gates CNOT, $H$, and $P$ can easily be performed over encrypted states without losing the ability to decrypt. Gates of that kind belong to what is called the Clifford group. The CNOT gate is the only gate in $\mathcal{UG}$ acting upon more than one qubit while the $R$-gate is the only one that does not belong to the Clifford group. In order to evaluate it over an encrypted state while preserving the ability to decrypt, we need to rely upon a classical ideal functionality computing securely an additive sharing for the AND of Alice's and Bob's input bits. We call this ideal functionality an AND-box. Upon input $x \in \{0,1\}$ for Alice and $y \in \{0,1\}$ for Bob, it produces $a \in_R \{0,1\}$ and $b \in \{0,1\}$ to Alice and Bob respectively such that $a \oplus b = x \wedge y$. An AND-box can be obtained from any flavor of oblivious transfer and is defined the same way as an NL-box [15,16] without the property that its output can be obtained before the input of the other player has been provided to the box (i.e., NL-boxes are non-signaling). The equivalence between AND-boxes, NL-boxes, and oblivious transfer is discussed in [22]. At the end of the protocol, each part of the shared key allowing to decrypt the output must be exchanged in a fair way. For this task, Alice and Bob rely upon an ideal swap functionality called SWAP. The result is that any $U$ can be evaluated privately upon any input provided Alice and Bob have access to one AND-box per $R$-gate and one call to an ideal swap. If the circuit happens to have only gates in the Clifford group then only one call to an ideal swap is required for privacy. In other words, SWAP is universal for the private evaluation of circuits in the Clifford group (i.e., those circuits having no $R$-gate) and itself belongs to that group (SWAP is not a classical primitive). To some extent, circuits in the Clifford group are the easy ones. Privacy for circuits containing $R$-gates however needs a classical cryptographic primitive to be evaluated privately by our protocol. It means that AND-boxes are universal for the private evaluation of any circuit against specious adversaries. We don't know whether there exist some unitary transforms that are universal for the private evaluation of any unitary against specious adversaries.
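Added example, not code from the paper: a numpy check of the statements above, namely that the Pauli gates, CNOT, $H$ and $P$ (and SWAP, built from three CNOTs) can be applied directly to a Pauli-encrypted wire while the parties only update the classical key, whereas $R$ leaves behind a key-dependent $P^x$. The last function is the editor's illustration of where an AND of the two parties' key shares enters, using the identity $P^{x_a \oplus x_b} = P^{x_a}P^{x_b}Z^{x_a \wedge x_b}$; it is not a reproduction of the paper's protocol steps. The function names, the key-update table and the `coin` argument standing in for the AND-box's randomness are this example's own.

```python
"""Added example (not from the paper): how the gates of UG = {X, Y, Z, CNOT, H,
P, R} behave on a Pauli-encrypted (one-time-padded) qubit, and why the R-gate
is the one that needs an AND-box."""
import numpy as np

I2 = np.eye(2, dtype=complex)
X = np.array([[0, 1], [1, 0]], dtype=complex)
Z = np.array([[1, 0], [0, -1]], dtype=complex)
Y = 1j * X @ Z                                   # Y = i X Z
H = np.array([[1, 1], [1, -1]], dtype=complex) / np.sqrt(2)
P = np.diag([1, 1j])                             # phase gate, P^2 = Z
R = np.diag([1, np.exp(1j * np.pi / 4)])         # pi/8 gate, R^2 = P, not Clifford
CNOT = np.array([[1, 0, 0, 0], [0, 1, 0, 0],
                 [0, 0, 0, 1], [0, 0, 1, 0]], dtype=complex)
CNOT_REV = np.array([[1, 0, 0, 0], [0, 0, 0, 1],
                     [0, 0, 1, 0], [0, 1, 0, 0]], dtype=complex)  # control on wire 2
SWAP = CNOT @ CNOT_REV @ CNOT                    # three CNOTs, hence SWAP is Clifford
GATES = {"X": X, "Y": Y, "Z": Z, "H": H, "P": P, "CNOT": CNOT, "SWAP": SWAP}

def mpow(M, k):
    return np.linalg.matrix_power(M, k)

def pad(x, z):
    """Quantum one-time pad operator X^x Z^z for key (x, z)."""
    return mpow(X, x) @ mpow(Z, z)

def pad_on_wires(keys):
    """Tensor product of pads, one (x, z) key pair per wire."""
    m = pad(*keys[0])
    for k in keys[1:]:
        m = np.kron(m, pad(*k))
    return m

def equal_up_to_phase(A, B):
    """True if A = e^{i theta} B for some global phase theta."""
    idx = np.unravel_index(np.argmax(np.abs(B)), B.shape)
    phase = A[idx] / B[idx]
    return abs(abs(phase) - 1) < 1e-9 and bool(np.allclose(A, phase * B))

def clifford_key_update(gate, keys):
    """New keys with  gate @ pad(keys) == phase * pad(new_keys) @ gate.
    The gate acts on the encrypted wires as-is; only the classical key
    changes, so the result is still decryptable."""
    if gate in ("X", "Y", "Z"):
        return keys                                  # Paulis commute up to sign
    if gate == "H":
        (x, z), = keys
        return ((z, x),)                             # H X = Z H, H Z = X H
    if gate == "P":
        (x, z), = keys
        return ((x, x ^ z),)                         # P X P^dag = Y = i X Z
    if gate == "CNOT":
        (x1, z1), (x2, z2) = keys                    # X flows control -> target,
        return ((x1, z1 ^ z2), (x1 ^ x2, z2))        # Z flows target -> control
    if gate == "SWAP":
        k1, k2 = keys
        return (k2, k1)                              # keys travel with the wires
    raise ValueError(gate)

def rule_holds(gate, keys):
    G = GATES[gate]
    return equal_up_to_phase(G @ pad_on_wires(keys),
                             pad_on_wires(clifford_key_update(gate, keys)) @ G)

def all_clifford_rules_hold():
    one = [((x, z),) for x in (0, 1) for z in (0, 1)]
    two = [(k1[0], k2[0]) for k1 in one for k2 in one]
    return (all(rule_holds(g, k) for g in ("X", "Y", "Z", "H", "P") for k in one)
            and all(rule_holds(g, k) for g in ("CNOT", "SWAP") for k in two))

def swap_is_three_cnots():
    return bool(np.allclose(SWAP, np.array([[1, 0, 0, 0], [0, 0, 1, 0],
                                            [0, 1, 0, 0], [0, 0, 0, 1]])))

def r_gate_leaves_p_residue(x, z):
    """R X^x Z^z = phase * P^x X^x Z^z R.  The leftover P^x depends on the
    key bit x, so the wire is no longer a plain one-time pad of R|psi>."""
    return equal_up_to_phase(R @ pad(x, z), mpow(P, x) @ pad(x, z) @ R)

def and_box(x, y, coin):
    """The text's AND-box: Alice gets a (uniform; here the supplied coin),
    Bob gets b, with a xor b = x and y."""
    a = coin
    return a, a ^ (x & y)

def p_residue_splits_with_and_box(x_a, x_b, coin):
    """Editor's illustration: if the key bit is shared as x = x_a xor x_b,
    then P^x = P^{x_a} P^{x_b} Z^{x_a and x_b} because P^2 = Z.  The two
    P factors can be undone locally; the remaining Z^{x_a and x_b} is an
    additive sharing of one AND, which the AND-box provides as Z^a Z^b."""
    a, b = and_box(x_a, x_b, coin)
    lhs = mpow(P, x_a ^ x_b)
    rhs = mpow(P, x_a) @ mpow(P, x_b) @ mpow(Z, a) @ mpow(Z, b)
    return bool(np.allclose(lhs, rhs))
```

`all_clifford_rules_hold()` exhausts every key on one wire for the single-qubit gates and every key pair for CNOT and SWAP; `r_gate_leaves_p_residue` and `p_residue_splits_with_and_box` exhaust the four keys and the two AND-box coins respectively.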
Previous works. All impossibility results in quantum cryptography we are aware of apply to classical primitives. In fact, the impossibility proofs usually rely upon the fact that an adversary with a seemingly honest behavior can force the implementation of classical primitives to behave quantumly. The result being that implemented that way, the primitive must leak information to the adversary. This is the spirit behind the impossibility of implementing oblivious transfer securely using quantum communication [11]. In that same paper the impossibility of any one-sided private evaluation of non-trivial primitives was shown. All these results can be seen as generalizations of the impossibility of bit commitment schemes based on quantum communication [12,13]. The most general impossibility result we are aware of applies to any non-trivial two-party classical function [18]. It states that it suffices for the adversary to purify its actions in order for the quantum primitive to leak information. An adversary purifying its actions is specious as defined above. None of these impossibility proofs apply to quantum primitives characterized by some unitary transform applied to joint quantum inputs. Blind quantum computation is a primitive that shows similarities to ours. In [5], a protocol allowing a client to get its input to a quantum circuit evaluated blindly has been proposed. The security of their scheme is unconditional while in our setting almost no unitary allows for unconditional privacy.

An unpublished work of Smith [20] shows how one can devise a private protocol for the evaluation of any unitary that seems to remain private against all quantum adversaries. However, the techniques used require strong cryptographic assumptions like homomorphic encryption schemes, zero-knowledge and witness indistinguishable proof systems. The construction is in the spirit of protocols for multiparty quantum computation [4,6] and fault tolerant quantum circuits [19,2]. Although our protocol only guarantees privacy against specious adversaries, it is obtained using much weaker cryptographic assumptions.
2 Preliminaries
The $N$-dimensional complex Euclidean space (i.e., Hilbert space) will be denoted by $\mathcal{H}_N$. We denote quantum registers using calligraphic typeset $\mathcal{A}$. As usual, $\mathcal{A} \otimes \mathcal{B}$ denotes the space of two such quantum registers. We write $\mathcal{A} \approx \mathcal{B}$ when $\mathcal{A}$ and $\mathcal{B}$ are such that $\dim(\mathcal{A}) = \dim(\mathcal{B})$. A register $\mathcal{A}$ can undergo transformations as a function of time; we denote by $\mathcal{A}_i$ the state of space $\mathcal{A}$ at time $i$. When a quantum computation is viewed as a circuit accepting input in $\mathcal{A}$, we denote all wires in the circuit by $w \in \mathcal{A}$. If the circuit accepts input in $\mathcal{A} \otimes \mathcal{B}$ then the set of all wires is denoted $w \in \mathcal{A} \cup \mathcal{B}$.
The set of all linear mappings from $\mathcal{A}$ to $\mathcal{B}$ is denoted by $L(\mathcal{A},\mathcal{B})$ while $L(\mathcal{A})$ stands for $L(\mathcal{A},\mathcal{A})$. To simplify notation, for $\rho \in L(\mathcal{A})$ and $M \in L(\mathcal{A},\mathcal{B})$ we write $M \cdot \rho$ for $M \rho M^{\dagger}$. We denote by $\mathrm{Pos}(\mathcal{A})$ the set of positive semi-definite operators in $\mathcal{A}$. The set of positive semi-definite operators with trace 1 acting on $\mathcal{A}$ is denoted $D(\mathcal{A})$; $D(\mathcal{A})$ is the set of all possible quantum states for register $\mathcal{A}$. An operator $A \in L(\mathcal{A},\mathcal{B})$ is called a linear isometry if $A^{\dagger}A = \mathbb{1}_{\mathcal{A}}$. The set of unitary operators (i.e., linear isometries with $\mathcal{B} = \mathcal{A}$) acting in $\mathcal{A}$ is denoted by $U(\mathcal{A})$. The identity operator in $\mathcal{A}$ is denoted $\mathbb{1}_{\mathcal{A}}$ and the completely mixed state in $D(\mathcal{A})$ is denoted by $I_{\mathcal{A}}$. For any positive integer $N > 0$, $\mathbb{1}_N$ and $I_N$ denote the identity operator respectively the completely mixed state in $\mathcal{H}_N$. When the context requires, a pure state $|\psi\rangle \in \mathcal{A} \otimes \mathcal{B}$ will be written $|\psi\rangle^{\mathcal{AB}}$ to make explicit the registers in which it is stored.
A linear mapping $\Phi : L(\mathcal{A}) \mapsto L(\mathcal{B})$ is called a super-operator since it belongs to $L(L(\mathcal{A}), L(\mathcal{B}))$. $\Phi$ is said to be positive if $\Phi(A) \in \mathrm{Pos}(\mathcal{B})$ for all $A \in \mathrm{Pos}(\mathcal{A})$. The super-operator $\Phi$ is said to be completely positive if $\Phi \otimes \mathbb{1}_{L(\mathcal{Z})}$ is positive for every choice of the Hilbert space $\mathcal{Z}$. A super-operator $\Phi$ can be physically realized or is admissible if it is completely positive and preserves the trace: $\mathrm{tr}(\Phi(A)) = \mathrm{tr}(A)$ for all $A \in L(\mathcal{A})$. We call such a super-operator a quantum operation. Another way to represent any quantum operation is through a linear isometry $W \in L(\mathcal{A}, \mathcal{B} \otimes \mathcal{Z})$ such that $\Phi(\rho) = \mathrm{tr}_{\mathcal{Z}}(W \cdot \rho)$, for some extra space $\mathcal{Z}$. Any such isometry $W$ can be implemented by a physical process as long as the resource to implement $\mathcal{Z}$ is available. This is just a unitary transform in $U(\mathcal{A} \otimes \mathcal{Z})$ where the system in $\mathcal{Z}$ is initially in known state $|0\rangle_{\mathcal{Z}}$.
For two states $\rho_0, \rho_1 \in D(\mathcal{A})$, we denote by $\Delta(\rho_0,\rho_1)$ the trace norm distance between $\rho_0$ and $\rho_1$: $\Delta(\rho_0,\rho_1) := \frac{1}{2}\|\rho_0 - \rho_1\|$. If $\Delta(\rho_0,\rho_1) \le \varepsilon$ then any quantum process applied to $\rho_0$ behaves exactly as for $\rho_1$ except with probability at most $\varepsilon$ [17].
Let $X$, $Y$, and $Z$ be the three non-trivial one-qubit Pauli operators. The Bell measurement is a complete orthogonal measurement on two qubits made out of the measurement operators $\{|\Psi_{x,y}\rangle\langle\Psi_{x,y}|\}_{x,y \in \{0,1\}}$ where $|\Psi_{x,y}\rangle := \frac{1}{\sqrt{2}}(|0,x\rangle + (-1)^y |1,\bar{x}\rangle)$, with $\bar{x} = 1 \oplus x$. We say that the outcome of a Bell measurement is $(x,y) \in \{0,1\}^2$ if $|\Psi_{x,y}\rangle\langle\Psi_{x,y}|$ has been observed. The quantum one-time-pad is a perfectly secure encryption of quantum states [3]. It encrypts a qubit $|\psi\rangle$ as $X^x Z^z |\psi\rangle$, where the key is two classical bits, $(x,z) \in \{0,1\}^2$, and $X^0Z^0 = \mathbb{1}$, $X^0Z^1 = Z$, $X^1Z^0 = X$ and $X^1Z^1 = Y$ (up to a global phase) are the Pauli operators.
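Added example, not from the paper: numerical checks of the three definitions above on one qubit, in numpy. It computes the trace norm distance $\Delta$ from eigenvalues, verifies that the Bell states $|\Psi_{x,y}\rangle$ form an orthonormal basis and that a Bell measurement on $(X^xZ^z \otimes \mathbb{1})|\Psi_{0,0}\rangle$ reads out the pad key $(x,z)$ with certainty, and shows the perfect secrecy of the quantum one-time pad: averaged over the four equally likely keys, every input qubit becomes the completely mixed state $I_2$, so two plaintexts that are distinguishable in trace distance become indistinguishable. The function names and the sample states `ZERO` and `PLUS` are constructed for this example.

```python
"""Added example (not from the paper): trace distance, Bell measurement and
the quantum one-time pad from the preliminaries, checked on one qubit."""
import numpy as np

I2 = np.eye(2, dtype=complex)
X = np.array([[0, 1], [1, 0]], dtype=complex)
Z = np.array([[1, 0], [0, -1]], dtype=complex)

def ket(*bits):
    """Computational basis vector |b1,...,bn>."""
    v = np.array([1.0 + 0j])
    for b in bits:
        v = np.kron(v, I2[b])
    return v

ZERO = ket(0)                                   # sample plaintexts (constructed)
PLUS = (ket(0) + ket(1)) / np.sqrt(2)

def pad(x, z):
    """One-time pad operator X^x Z^z for key (x, z) in {0,1}^2."""
    return np.linalg.matrix_power(X, x) @ np.linalg.matrix_power(Z, z)

def trace_distance(rho0, rho1):
    """Delta(rho0, rho1) = 1/2 ||rho0 - rho1||_1.  The difference is Hermitian,
    so the trace norm is the sum of the absolute eigenvalues."""
    return 0.5 * float(np.sum(np.abs(np.linalg.eigvalsh(rho0 - rho1))))

def bell(x, y):
    """|Psi_{x,y}> = (|0,x> + (-1)^y |1, 1-x>) / sqrt(2)."""
    return (ket(0, x) + (-1) ** y * ket(1, 1 - x)) / np.sqrt(2)

def bell_basis_is_orthonormal():
    vecs = [bell(x, y) for x in (0, 1) for y in (0, 1)]
    gram = np.array([[np.vdot(u, v) for v in vecs] for u in vecs])
    return bool(np.allclose(gram, np.eye(4)))

def bell_measurement(state):
    """Outcome probabilities of {|Psi_xy><Psi_xy|} on a two-qubit pure state."""
    return {(x, y): abs(np.vdot(bell(x, y), state)) ** 2
            for x in (0, 1) for y in (0, 1)}

def bell_measurement_reads_pad_key(x, z):
    """(X^x Z^z (x) 1)|Psi_00> equals |Psi_{x,z}> up to sign, so measuring the
    two halves in the Bell basis returns the key (x, z) with certainty."""
    probs = bell_measurement(np.kron(pad(x, z), I2) @ bell(0, 0))
    return abs(probs[(x, z)] - 1) < 1e-9

def encrypt_unknown_key(rho):
    """Ciphertext as seen by someone who does not hold the key: the average
    over the four equally likely keys (x, z)."""
    return sum(pad(x, z) @ rho @ pad(x, z).conj().T
               for x in (0, 1) for z in (0, 1)) / 4

def distinguishability(psi0, psi1):
    """(Delta between the plaintexts, Delta between their ciphertexts)."""
    rho0 = np.outer(psi0, psi0.conj())
    rho1 = np.outer(psi1, psi1.conj())
    return (trace_distance(rho0, rho1),
            trace_distance(encrypt_unknown_key(rho0), encrypt_unknown_key(rho1)))

def ciphertext_is_completely_mixed(psi):
    """Perfect secrecy: the padded state is I_2 = 1/2 for every input qubit."""
    rho = np.outer(psi, psi.conj())
    return trace_distance(encrypt_unknown_key(rho), I2 / 2) < 1e-9
```

For the two pure plaintexts `ZERO` and `PLUS`, `distinguishability` returns $\Delta = 1/\sqrt{2}$ before encryption (the pure-state formula $\sqrt{1 - |\langle\psi_0|\psi_1\rangle|^2}$) and $0$ after, which is the operational meaning of "perfectly secure" in the text: no process applied to the ciphertext can tell the two inputs apart with any advantage.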
2.1 Modeling two-party strategies
Consider an interactive two-party strategy $\Pi^O$ between parties A and B and oracle calls $O$. $\Pi^O$ can be modeled by a sequence of quantum operations for each player together with some oracle calls also modeled by quantum operations. Each quantum operation in the sequence corresponds to the action of one party at a certain step of the strategy. The following definition is a straightforward adaptation of $n$-turn interactive quantum strategies as described in [9]. The main difference is that here, we provide a joint input state to both parties and that quantum transmissions taking place during the execution are modeled by a quantum operation; one that is moving a state on one party's side to the other party.
Definition 2.1. An $n$-step two-party strategy with oracle calls denoted $\Pi^O = (A,B,O,n)$ consists of:
1. input spaces $\mathcal{A}_0$ and $\mathcal{B}_0$ for parties A and B respectively,
2. memory spaces $\mathcal{A}_1, \ldots, \mathcal{A}_n$ and $\mathcal{B}_1, \ldots, \mathcal{B}_n$ for A and B respectively,
3. an $n$-tuple of quantum operations $(A_1, \ldots, A_n)$ for A, $A_i : L(\mathcal{A}_{i-1}) \mapsto L(\mathcal{A}_i)$, $(1 \le i \le n)$,
4. an $n$-tuple of quantum operations $(B_1, \ldots, B_n)$ for B, $B_i : L(\mathcal{B}_{i-1}) \mapsto L(\mathcal{B}_i)$, $(1 \le i \le n)$,
5. memory spaces $\mathcal{A}_1, \ldots, \mathcal{A}_n$ and $\mathcal{B}_1, \ldots, \mathcal{B}_n$ can be written as $\mathcal{A}_i = \mathcal{A}_i^O \otimes \mathcal{A}_i'$ and $\mathcal{B}_i = \mathcal{B}_i^O \otimes \mathcal{B}_i'$, $(1 \le i \le n)$, and $O = (O_1, O_2, \ldots, O_n)$ is an $n$-tuple of quantum operations: $O_i : L(\mathcal{A}_i^O \otimes \mathcal{B}_i^O) \mapsto L(\mathcal{A}_i^O \otimes \mathcal{B}_i^O)$, $(1 \le i \le n)$.
If $\Pi^O = (A,B,O,n)$ is an $n$-step two-party strategy then the final state of the interaction upon input state $\rho_{in} \in D(\mathcal{A}_0 \otimes \mathcal{B}_0 \otimes \mathcal{R})$, where $\mathcal{R}$ is a system of dimension $\dim \mathcal{R} = \dim \mathcal{A}_0 \cdot \dim \mathcal{B}_0$, is:

$[A \circledast B](\rho_{in}) := (\mathbb{1}_{L(\mathcal{A}_n' \otimes \mathcal{B}_n' \otimes \mathcal{R})} \otimes O_n)(A_n \otimes B_n \otimes \mathbb{1}_{\mathcal{R}}) \cdots (\mathbb{1}_{L(\mathcal{A}_1' \otimes \mathcal{B}_1' \otimes \mathcal{R})} \otimes O_1)(A_1 \otimes B_1 \otimes \mathbb{1}_{\mathcal{R}})(\rho_{in})$.

Step $i$ of the strategy corresponds to the actions of $A_i$ and $B_i$ followed by the oracle call $O_i$.
Note that we consider input states defined on the input systems together with a reference system $\mathcal{R}$; this allows us to show the correctness and privacy of the protocol not only for pure inputs, but also for inputs that are entangled with a third party. This is the most general case allowed by quantum mechanics.
A two-party strategy is therefore defined by quantum operation tuples $(A_1, \ldots, A_n)$, $(B_1, \ldots, B_n)$, and $(O_1, \ldots, O_n)$. These operations also define working spaces $\mathcal{A}_0, \ldots, \mathcal{A}_n$, $\mathcal{B}_0, \ldots, \mathcal{B}_n$ together with the input-output spaces to the oracle calls $\mathcal{A}_i^O$ and $\mathcal{B}_i^O$ for $1 \le i \le n$.

A communication oracle from Alice to Bob is modeled by having $\mathcal{B}_i^O \approx \mathcal{A}_i^O$ and letting $O_i$ move the state in $\mathcal{A}_i^O$ to $\mathcal{B}_i^O$ and erase $\mathcal{A}_i^O$. Similarly for communication in the other direction. We define a bare model protocol to be one which only uses communication oracles.
3 Specious Quantum Adversaries
3.1 Protocols for two-party evaluation
Let us consider two-party protocols for the quantum evaluation of unitary transform $U \in U(\mathcal{A}_0 \otimes \mathcal{B}_0)$ between parties A and B upon joint input state $\rho_{in} \in D(\mathcal{A}_0 \otimes \mathcal{B}_0 \otimes \mathcal{R})$:
Definition 3.1. A two-party protocol $\Pi_U^O = (A,B,O,n)$ for $U \in U(\mathcal{A}_0 \otimes \mathcal{B}_0)$ is an $n$-step two-party strategy with oracle calls, where $\mathcal{A}_n \approx \mathcal{A}_0$ and $\mathcal{B}_n \approx \mathcal{B}_0$. It is said to be $\varepsilon$-correct if
$\Delta\big([A \circledast B](\rho_{in}), (U \otimes \mathbb{1}_{\mathcal{R}}) \cdot \rho_{in}\big) \le \varepsilon$ for all $\rho_{in} \in D(\mathcal{A}_0 \otimes \mathcal{B}_0 \otimes \mathcal{R})$.
We denote by $\Pi_U$ a two-party protocol in the bare model where, without loss of generality, we assume that $O_{2i}$ $(1 \le i \le \lfloor n/2 \rfloor)$ implements a communication channel from A to B and $O_{2i+1}$ $(0 \le i \le \lfloor (n-1)/2 \rfloor)$ implements a communication channel from B to A. Communication oracles are said to be trivial.
In other words, a two-party protocol $\Pi_U^O$ for unitary $U$ is a two-party interactive strategy where, at the end, the output of the computation is stored in the memory of the players. $\Pi_U^O$ is correct if, when restricted to the output registers (and $\mathcal{R}$), the final quantum state shared by A and B is $(U \otimes \mathbb{1}_{\mathcal{R}}) \cdot \rho_{in}$.

As it will become clear when we discuss privacy in Sect. 3.3, we need to consider the joint state at any step during the evolution of the protocol:

$\rho_1(\rho_{in}) := (\mathbb{1}_{L(\mathcal{A}_1' \otimes \mathcal{B}_1' \otimes \mathcal{R})} \otimes O_1)(A_1 \otimes B_1 \otimes \mathbb{1}_{L(\mathcal{R})})(\rho_{in})$,
$\rho_{i+1}(\rho_{in}) := (\mathbb{1}_{L(\mathcal{A}_{i+1}' \otimes \mathcal{B}_{i+1}' \otimes \mathcal{R})} \otimes O_{i+1})(A_{i+1} \otimes B_{i+1} \otimes \mathbb{1}_{L(\mathcal{R})})(\rho_i(\rho_{in}))$, (1)

for $1 \le i < n$. We also write the final state of $\Pi_U^O$ upon input state $\rho_{in}$ as $\rho_n(\rho_{in}) = [A \circledast B](\rho_{in})$.
3.2 Modeling Specious Adversaries
Intuitively, a specious adversary acts in any way apparently indistinguishable from the honest behavior, in the sense that no audit can distinguish the behavior of the adversary from the honest one.

More formally, a specious adversary in $\Pi_U^O = (A,B,O,n)$ may use an arbitrarily large quantum memory space. However, at any step $1 \le i \le n$, the adversary can transform its own current state to one that is indistinguishable from the honest joint state. These transforms are modeled by quantum operations, one for each step of the adversary in $\Pi_U^O$, and are part of the adversary's specification. We denote by $(T_1, \ldots, T_n)$ these quantum operations where $T_i$ produces a valid transcript at the end of the $i$-th step.

Let $\tilde{A}$ and $\tilde{B}$ be adversaries in $\Pi_U^O$. We denote by $\Pi_U^O(\tilde{A}) = (\tilde{A},B,O,n)$ and $\Pi_U^O(\tilde{B}) = (A,\tilde{B},O,n)$ the resulting $n$-step two-party strategies. We denote by $\tilde{\rho}_i(\tilde{A},\rho_{in})$ the state defined in (1) for protocol $\Pi_U^O(\tilde{A})$ and similarly by $\tilde{\rho}_i(\tilde{B},\rho_{in})$ that state for protocol $\Pi_U^O(\tilde{B})$.

Adding the possibility for the adversary to be $\varepsilon$-close to honest, we get the following definition:
Definition 3.2. Let $\Pi_U^O = (A,B,O,n)$ be an $n$-step two-party protocol with oracle calls for $U \in U(\mathcal{A}_0 \otimes \mathcal{B}_0)$. We say that:
– $\tilde{A}$ is $\varepsilon$-specious if $\Pi_U^O(\tilde{A}) = (\tilde{A},B,O,n)$ is an $n$-step two-party strategy with $\tilde{\mathcal{A}}_0 = \mathcal{A}_0$ and there exists a sequence of quantum operations $(T_1, \ldots, T_n)$ such that:
1. for every $1 \le i \le n$, $T_i : L(\tilde{\mathcal{A}}_i) \mapsto L(\mathcal{A}_i)$,
2. for every input state $\rho_{in} \in D(\mathcal{A}_0 \otimes \mathcal{B}_0 \otimes \mathcal{R})$, and for all $1 \le i \le n$,
$\Delta\Big( (T_i \otimes \mathbb{1}_{L(\mathcal{B}_i \otimes \mathcal{R})})\big(\tilde{\rho}_i(\tilde{A},\rho_{in})\big),\ \rho_i(\rho_{in}) \Big) \le \varepsilon$.
– $\tilde{B}$ is $\varepsilon$-specious if $\Pi_U^O(\tilde{B}) = (A,\tilde{B},O,n)$ is an $n$-step two-party strategy with $\tilde{\mathcal{B}}_0 = \mathcal{B}_0$ and there exists a sequence of quantum operations $(T_1, \ldots, T_n)$ defined as before with $\mathcal{B}_i$, $\tilde{\mathcal{B}}_i$, and $\tilde{\rho}_i(\tilde{B},\rho_{in})$ replacing $\mathcal{A}_i$, $\tilde{\mathcal{A}}_i$, and $\tilde{\rho}_i(\tilde{A},\rho_{in})$ respectively.
If a party is $\varepsilon(m)$-specious with $\varepsilon(m)$ negligible for $m$ a security parameter then we say that this party is statistically specious.
3.3 Privacy
Privacy for $\Pi_U^O$ is defined as the ability for a simulator, having only access to the adversary's input and the ideal functionality $U$, to reproduce the state of the adversary at any step in the execution of $\Pi_U^O$. Our definition is similar to the one introduced in [21] for statistical zero-knowledge proof systems.

A simulator for an adversary in $\Pi_U^O$ is represented by a sequence of quantum operations $(S_i)_{i=1}^n$, where $S_i$ re-produces the view of the adversary after step $i$. $S_i$ initially receives the adversary's input and has access to the ideal functionality for $U$ evaluated upon the joint input of the adversary and the honest player. Because of no-cloning, a simulator calling $U$ loses its input, and the input might be required to simulate e.g. early steps in the protocol, so we have to allow that $S_i$ does not call $U$. For this purpose we introduce a bit $q_i \in \{0,1\}$. When $q_i = 0$, $S_i$ does not call $U$ and when $q_i = 1$, $S_i$ must first call the ideal functionality $U$ before performing some post-processing. More precisely,
Definition 3.3. Let $\Pi_U^O = (A,B,O,n)$ be an $n$-step two-party protocol for $U \in U(\mathcal{A}_0 \otimes \mathcal{B}_0)$. Then,
– $S(\tilde{A}) = \langle (S_1, \ldots, S_n), q \rangle$ is a simulator for adversary $\tilde{A}$ in $\Pi_U^O$ if it consists of:
1. a sequence of quantum operations $(S_1, \ldots, S_n)$ where for $1 \le i \le n$, $S_i : L(\mathcal{A}_0) \mapsto L(\tilde{\mathcal{A}}_i)$,
2. a sequence of bits $q \in \{0,1\}^n$ determining if the simulator calls the ideal functionality at step $i$: $q_i = 1$ iff the simulator calls the ideal functionality.
– Similarly, $S(\tilde{B}) = \langle (S_1, \ldots, S_n), q' \rangle$ is a simulator for adversary $\tilde{B}$ in $\Pi_U^O$ if it satisfies conditions 1 and 2 above with $q'$, $\mathcal{B}_0$, $\mathcal{B}_i$, and $\tilde{\mathcal{B}}_i$ replacing $q$, $\mathcal{A}_0$, $\mathcal{A}_i$, and $\tilde{\mathcal{A}}_i$ respectively.

Given an input state $\rho_{in} \in D(\mathcal{A}_0 \otimes \mathcal{B}_0 \otimes \mathcal{R})$, we define $\tilde{A}$'s respectively $\tilde{B}$'s simulated views as:

$\nu_i(\tilde{A},\rho_{in}) := \mathrm{tr}_{\mathcal{B}_0}\Big( (S_i \otimes \mathbb{1}_{L(\mathcal{B}_0 \otimes \mathcal{R})})\big( (U^{q_i} \otimes \mathbb{1}_{\mathcal{R}}) \cdot \rho_{in} \big) \Big)$,
$\nu_i(\tilde{B},\rho_{in}) := \mathrm{tr}_{\mathcal{A}_0}\Big( (\mathbb{1}_{L(\mathcal{A}_0 \otimes \mathcal{R})} \otimes S_i)\big( (U^{q_i'} \otimes \mathbb{1}_{\mathcal{R}}) \cdot \rho_{in} \big) \Big)$.
We say that protocol $\Pi_U^O$ is private against specious adversaries if there exists a simulator for the view at any step of any such adversary. In more details,

Definition 3.4. Let $\Pi_U^O = (A,B,O,n)$ be a protocol for $U \in U(\mathcal{A}_0 \otimes \mathcal{B}_0)$ and let $0 \le \delta \le 1$. We say that $\Pi_U^O$ is $\delta$-private against $\varepsilon$-specious $\tilde{A}$ if there exists a simulator $S(\tilde{A})$ such that for all input states $\rho_{in} \in D(\mathcal{A}_0 \otimes \mathcal{B}_0 \otimes \mathcal{R})$ and for all $1 \le i \le n$, $\Delta\big( \nu_i(\tilde{A},\rho_{in}), \mathrm{tr}_{\mathcal{B}_i}(\tilde{\rho}_i(\tilde{A},\rho_{in})) \big) \le \delta$. Similarly, we say that $\Pi_U^O$ is $\delta$-private against $\varepsilon$-specious $\tilde{B}$ if there exists a simulator $S(\tilde{B})$ such that for all input states $\rho_{in} \in D(\mathcal{A}_0 \otimes \mathcal{B}_0 \otimes \mathcal{R})$ and for all $1 \le i \le n$, $\Delta\big( \nu_i(\tilde{B},\rho_{in}), \mathrm{tr}_{\mathcal{A}_i}(\tilde{\rho}_i(\tilde{B},\rho_{in})) \big) \le \delta$. Protocol $\Pi_U^O$ is $\delta$-private against $\varepsilon$-specious adversaries if it is $\delta$-private against both $\tilde{A}$ and $\tilde{B}$. For $\gamma > 0$, if $\Pi_U^O$ is $2^{-\gamma m}$-private for $m \in \mathbb{N}^+$ a security parameter then we say that $\Pi_U^O$ is statistically private.

We show next that for some unitary, statistical privacy cannot be satisfied by any protocol in the bare model.
4 Unitaries with no private protocols
In this section, we show that no statistically private protocol for the swap gate exists in the bare model. The swap gate, denoted SWAP, is the following unitary transform:

$\mathrm{SWAP} : |\phi_A\rangle^{\mathcal{A}_0} |\phi_B\rangle^{\mathcal{B}_0} \mapsto |\phi_B\rangle^{\mathcal{A}_0} |\phi_A\rangle^{\mathcal{B}_0}$,

for any one-qubit states $|\phi_A\rangle \in \mathcal{A}_0$ and $|\phi_B\rangle \in \mathcal{B}_0$ (i.e., $\dim(\mathcal{A}_0) = \dim(\mathcal{B}_0) = 2$). Notice that SWAP is in the Clifford group since it can be implemented with three CNOT gates. It means that universality is not required (gates in the Clifford group are not universal for quantum computation) for a unitary to be impossible to evaluate privately. The impossibility of SWAP essentially follows from no cloning.
Theorem 4.1 (Impossibility of swapping). There is no correct and statistically private two-party protocol $\Pi_{\mathrm{SWAP}} = (A,B,O,n(m))$ in the bare model.
Proof. Suppose that there exists an $\varepsilon$-correct, $\varepsilon$-private protocol in the bare model for SWAP for sufficiently small $\varepsilon$; we will show that this implies that one of the two players must lose information upon receiving a message, which is clearly impossible.

We will consider the following particular pure input state: $|\varphi\rangle := |\Psi_{0,0}\rangle^{\mathcal{A}_0 \mathcal{R}_A} \otimes |\Psi_{0,0}\rangle^{\mathcal{B}_0 \mathcal{R}_B}$, a maximally entangled state between $\mathcal{A}_0 \otimes \mathcal{B}_0$ and the reference system $\mathcal{R}_A \otimes \mathcal{R}_B$ that is broken down into two subsystems for convenience. Furthermore, we will consider the "purified" versions of the honest players for this protocol; in other words, we will assume that the super-operators $A_1, \ldots, A_n$ and $B_1, \ldots, B_n$ are in fact linear isometries and that therefore the players never discard any information unless they have to send it to the other party. The global state $\rho_i(\varphi)$ after step $i$ is therefore a pure state on $\mathcal{A}_i \otimes \mathcal{B}_i \otimes \mathcal{R}_A \otimes \mathcal{R}_B$.

After step $i$ of the protocol (i.e., after the $i$-th message has been sent), Alice's state must either depend only on her own original input (if $q_i = 0$ for her simulator), or on Bob's original input (if $q_i = 1$). More precisely, by the definition of privacy (Definition 3.4), we have that
$\Delta(\nu_i(A,\varphi), \mathrm{tr}_{\mathcal{B}_i}[\rho_i(\varphi)]) \le \varepsilon$,
where $\nu_i(A,\varphi)$ is A's simulated view after step $i$ and $\rho_i(\varphi)$ is the global state in the real protocol after step $i$. Now, suppose that $q_i = 0$, and let $|\xi\rangle \in \mathcal{A}_i \otimes \mathcal{R}_A \otimes \mathcal{R}_B' \otimes \mathcal{Z}$ be a purification of $\nu_i(A,\varphi)$ with $\mathcal{Z}$ being the purifying system, and $\mathcal{R}_B$ renamed $\mathcal{R}_B'$ for upcoming technical reasons. The pure state $|\xi\rangle \otimes |\Psi_{0,0}\rangle^{\mathcal{R}_B \mathcal{B}_0}$ has the same reduced density matrix as $\nu_i(A,\varphi)$ on $\mathcal{A}_i \otimes \mathcal{R}_A \otimes \mathcal{R}_B$. Hence, by Uhlmann's theorem, there exists a linear isometry $V : \mathcal{B}_i \to \mathcal{B}_0 \otimes \mathcal{Z} \otimes \mathcal{R}_B'$ such that
$V \nu_i(A,\varphi) V^{\dagger} = |\xi\rangle\langle\xi| \otimes |\Psi_{0,0}\rangle\langle\Psi_{0,0}|^{\mathcal{B}_0 \mathcal{R}_B}$
and hence
$\Delta\big( V \rho_i(\varphi) V^{\dagger},\ |\xi\rangle\langle\xi| \otimes |\Psi_{0,0}\rangle\langle\Psi_{0,0}|^{\mathcal{B}_0 \mathcal{R}_B} \big) \le \sqrt{2\varepsilon}$.
This means that if $q_i = 0$, then Bob is still capable of reconstructing his own input state after step $i$ by applying $V$ to his working register. Clearly, this means that $q_i' = 0$ (i.e., Bob's simulator must also not call SWAP), and therefore, by the same argument, Alice must also be able to reconstruct her own input with an isometry $V_A : \mathcal{A}_i \to \mathcal{A}_0 \otimes \mathcal{Z} \otimes \mathcal{R}_A'$. The same argument also holds if $q_i = 1$: we then conclude that $q_i' = 1$ and that Alice and Bob must have each other's inputs; no intermediate situation is possible. We conclude that, at every step $i$ of the protocol, $q_i = q_i'$.

Now, before the protocol starts, Alice must have her input, and Bob must have his, hence $q_0 = q_0' = 0$. At the end, the two inputs must have been swapped, which means that $q_n = q_n' = 1$; there must therefore be a step $k$ in the protocol after which the two inputs are swapped but not before, meaning that $q_k = 1$ and $q_{k-1} = 0$. But at each step, only one player receives information, which means that at this step $k$, the player who received the message must lose the ability to reconstruct his own input, which is clearly impossible. ⊓⊔