Flow Ambiguity: A Path Towards Classically Driven Blind Quantum Computation

Flow Ambiguity: A Path Towards Classically Driven Blind Quantum Computation PHYSICAL REVIEW X 7, 031004 (2017) 1,2 1,2,† 3,4,* 1,2,‡ Atul Mantri, Tommaso F. Demarie, Nicolas C. Menicucci, and Joseph F. Fitzsimons Singapore University of Technology and Design, 8 Somapah Road, Singapore 487372 Centre for Quantum Technologies, National University of Singapore, Block S15, 3 Science Drive 2, Singapore 117543 Centre for Quantum Computation and Communication Technology, School of Science, RMIT University, Melbourne, Victoria 3001, Australia School of Physics, The University of Sydney, Sydney, New South Wales 2006, Australia (Received 1 September 2016; revised manuscript received 4 April 2017; published 11 July 2017) Blind quantum computation protocols allow a user to delegate a computation to a remote quantum computer in such a way that the privacy of their computation is preserved, even from the device implementing the computation. To date, such protocols are only known for settings involving at least two quantum devices: either a user with some quantum capabilities and a remote quantum server or two or more entangled but noncommunicating servers. In this work, we take the first step towards the construction of a blind quantum computing protocol with a completely classical client and single quantum server. Specifically, we show how a classical client can exploit the ambiguity in the flow of information in measurement-based quantum computing to construct a protocol for hiding critical aspects of a computation delegated to a remote quantum computer. This ambiguity arises due to the fact that, for a fixed graph, there exist multiple choices of the input and output vertex sets that result in deterministic measurement patterns consistent with the same fixed total ordering of vertices. This allows a classical user, computing only measurement angles, to drive a measurement-based computation performed on a remote device while hiding critical aspects of the computation. DOI: 10.1103/PhysRevX.7.031004 Subject Areas: Quantum Information I. INTRODUCTION ensured with high probability are known as verifiable quantum computing protocols [5]. Large-scale quantum computers offer the promise of The first blind quantum computing protocol was proposed quite extreme computational advantages over conventional by Childs [6]. While functional, this scheme put a rather computing technologies for a range of problems spanning heavy burden on the client’s side in terms of resources, with cryptanalysis [1], simulation of physical systems [2], and the client required to control a quantum memory and to machine learning [3]. Recently, however, a new application perform SWAP gates. A subsequent protocol, from Arrighi has emerged for quantum computers: secure delegated and Salvail [7], introduced mechanisms for both verification computation [4]. and blindness for a limited range of functions and can be Consider a user wishing to have a computation performed seen as the start of an intimate link between blindness on a remote server. Two main security concerns arising for and verifiability. This link was further established with the the user relate to the privacy and the correctness of the discovery of the universal blind quantum computing computation. The privacy concern is that the description of (UBQC) protocol [8], which allows a client, equipped only their computation, both the program and any input data, with the ability to produce single-qubit states, to delegate an remains hidden even from the server. The correctness concern is that a malicious server might tamper with their arbitrary quantum computation to a universal quantum server while making it blind with unconditional security. computation, sending them a misleading result; hence, This scheme has been modified and extended several times ideally such behavior would be detectable. Quantum proto- cols have been proposed that can mitigate both of these in the last few years, with works investigating robustness concerns. In the literature, protocols that allow for program [9–11], optimality [12–14], and issues related to physical and data privacy are known as blind quantum computing implementations [15,16]. Importantly, the blind computation protocols, while protocols that allow for correctness to be protocols have proven a powerful tool in the construction of verifiable quantum computing protocols, with a number of protocols emerging in recent years based on the UBQC ncmenicucci@gmail.com protocol [17–19] and on an alternative blind protocol from tommaso_demarie@sutd.edu.sg joseph_fitzsimons@sutd.edu.sg Morimae and Fujii [20] in which the client performs single- qubit measurements rather than state preparations [21–23]. Published by the American Physical Society under the terms of The relatively low overhead in such schemes has made it the Creative Commons Attribution 3.0 License. Further distri- possible to implement both blind and verifiable quantum bution of this work must maintain attribution to the author(s) and the published article’s title, journal citation, and DOI. computing protocols in quantum optics [24–26]. 2160-3308=17=7(3)=031004(15) 031004-1 Published by the American Physical Society MANTRI, DEMARIE, MENICUCCI, and FITZSIMONS PHYS. REV. X 7, 031004 (2017) server. The server then performs a quantum computation The question of verifiability, directly rather than as a using the received data and returns the classical output to consequence of blindness, has also attracted attention. This the client, who decrypts the result using her encryption key. problem was first studied by Aharonov et al. [27],who For this setting, it was shown that secure blind quantum considered the use of a constant-sized quantum computer to computing cannot be achieved unless BPP ¼ BQP (i.e., verify a larger device. Subsequent work by Broadbent [28] unless a classical computer can efficiently simulate a reduced the requirements on the prover to mirror those quantum computer). While this is an interesting result, it used in the UBQC protocol. An entirely distinct route to imposes strong assumptions on the operational method of verification has also emerged, which considers a classical blind quantum computation with a classical client and user but requires multiple entangled but noncommuni- therefore does not seem to limit further studies in this cating servers [29,30]. Surprisingly, perhaps, many of these direction. Additionally, Aaronson et al. [39] have recently schemes are also blind, though often this was not the aim suggested that information-theoretically blind quantum of the paper. In fact, only a few examples of verifiable com- computing with a classical client is not likely to be possible puting schemes exist that are not naturally blind [31,32], because the existence of such a scheme implies unlikely and it is tempting to conjecture a fundamental link between containments between complexity classes. Additional blindness and verifiability. implications that the development of a classical-client The verification methods discussed above provide a very blind-computation protocol would have in complexity strong form of certification, amounting to interactive proofs theory are discussed in Ref. [40]. for correctness, which do not rely on any assumptions Here, we provide evidence in the opposite direction. We about the functioning of the device to be tested. From an introduce a form of delegated quantum computation using experimental point of view, the first nonclassically simu- measurement-based quantum computing (MBQC) as the lable evolution of quantum systems will most likely be underlying framework. This allows us to introduce a implemented by means of nonuniversal quantum simula- model-specific protocol that achieves a satisfying degree tors rather than fully universal quantum computers. Here, of security by directly exploiting the structure of MBQC. too, the problem arises of certifying the correct functioning We show that the classical communication received by the of a device [33] that cannot be efficiently simulated. party performing quantum operations is insufficient to However, in this regime, interactive proofs have proven reconstruct a description of the computation. This insuffi- more difficult to construct. Nonetheless, progress has been ciency remains even when the server is required only to made in developing a range of certification techniques for identify the computation up to pre- and post-processing by various physical systems. These include feasible quantum polynomial-sized classical computation, under plausible state tomography of matrix product states [34], certification complexity-theoretic assumptions. We call our scheme of the experimental preparation of resources for photonic classically driven blind quantum computing (CDBQC). quantum technologies [35], certification of simulators of The paper is structured as follows: In Sec. II, we present frustration-free Hamiltonians [36], and derivation of a a short introduction to MBQC. In Sec. III, we describe the statistical benchmark for boson sampling experiments [37]. steps of the CDBQC protocol. In Sec. IV, we use mutual A common feature among all blind quantum computing information to analyze the degree of blindness for a single protocols and interactive proofs of correctness for quantum round of the CDBQC protocol. In Sec. V, we introduce the computation is that they require that at least two parties concept of flow ambiguity, and we show how this is used by possess quantum capabilities. Removing this requirement the client to hide information from the quantum server. Our and allowing a purely classical user to interact with a single conclusions are presented in Sec. VI. quantum server would greatly expand the practicality of delegated quantum computation since it would remove large- II. MEASUREMENT-BASED scale quantum networks as a prerequisite for verifiability. In QUANTUM COMPUTATION the present work, we focus specifically on the question of In MBQC, a computation is performed by means of blind computation with a completely classical client, but single-qubit projective measurements that drive the quan- given the historic links between progress in blindness and tum information across a highly entangled resource state. verification, it is natural to expect that progress in either The most general resources for MBQC are graph states direction will likely be reflected in the other. [41]. A graph state is defined by a simple and undirected While it is presently unknown if such a protocol graph, i.e., a mathematical object G ¼ðV;EÞ composed of can exist, a negative result in this context is a scheme- a vertex set V and an edge set E, with cardinality jVj and dependent impossibility proof presented in Ref. [38]. jEj, respectively. The vertices of the graph represent the There, the author considered a scenario where a classical qubits, while their interactions are symbolized by the edges. user and a quantum server exchange classical information A graph state jGi is an N-qubit state, where N ¼jVj. Each in a two-step process. First, the classical client encodes her pffiffi qubit is initialized in the state jþi ¼ ðj0iþ j1iÞ and description of the computation using an affine encryption scheme and then sends all the classical encrypted data to the then entangled with its neighbors by controlled-Z gates, 031004-2 FLOW AMBIGUITY: A PATH TOWARDS CLASSICALLY … PHYS. REV. X 7, 031004 (2017) ˆ ˆ ˆ ˆ ˆ positive branch corresponds to the target computation. In C ¼j0ih0j ⊗ I þj1ih1j ⊗ Z , where I and Z are Zi;j i j i j general, however, these bases need to be updated based on the single-qubit identity and Pauli-Z gate, respectively. ⊗N outcomes of earlier measurements in order to ensure the Explicitly, jGi¼ C jþi . Equivalently, a graph ði;jÞ∈E Zi;j correct computation is performed. The description of the state jGi can be defined by the stabilizer relations resource state, the order of measurements, and the dependency K jGi¼jGi, with stabilizers [41] of the measurementbases on previous measurement outcomes are collectively known as a measurement pattern. ˆ ˆ ˆ K ¼ X Z ; ∀ v ∈ V; ð1Þ v v w Projective measurements are inherently random in quan- w∈N ðvÞ tum mechanics, and one needs a procedure to correct for this randomness. We show that this need for adaptation of where N ðvÞ denotes the neighborhood of v in G. Without future measurements based on previous outcomes is what loss of generality, the vertices in G can be labeled ð1; …;NÞ prevents Bob from knowing the protocol perfectly. Not in the order that the corresponding qubits are to be incidentally, it is also what circumvents the no-go result measured. We take this ordering to be implicit in the from Ref. [38]. This is because only Alice knows how she definition of the graph, for example, as the order in which is choosing to adapt future measurement bases dependent the vertices appear in the adjacency matrix for G. It is also on previous measurement outcomes: Our observation is useful to define a specific type of graph state that will be that different choices of adaptation strategy correspond to used later. An N-qubit cluster state jCSi is the graph n;m different computations in general. state corresponding to an n × m regular square-lattice graph The structure that determines how to recover determin- G . For such a graph, N ¼ nm. n;m istic evolution from a MBQC measurement pattern is called In the MBQC framework, given a resource state with g-flow [44], from “generalized quantum-information flow.” graph G, the standard procedure to perform a computation Rigorously, given some resource state jGi and a measure- is to first identify two sets of qubits fI; Og on G. This ment pattern on it, if the associated open graph GðI; OÞ procedure defines an open graph GðI; OÞ, such that I, O⊆V satisfies certain g-flow conditions (to be described later), for a given G. The set I corresponds to the input set, while then the pattern is runnable, and it is also uniformly, O denotes the output set. In general, 0 < jIj ≤ jOj ≤ jVj. strongly, and stepwise deterministic. This means that each Note that the input and output sets can overlap. The branch of the pattern can be made equal to the positive complement of I is written I , and similarly, the comple- c c branch after each measurement by application of local ment of O is O . We also denote by PðI Þ the power set of corrections, independently of the measurement angles. We all the subsets of elements in I , and we define use “deterministic” without ambiguity to indicate all these OddðKÞ ≔ fi∶jN ðiÞ ∩ Kj¼ 1 mod 2gð2Þ attributes. Note also that satisfying the g-flow conditions is a necessary and sufficient condition for determinism. as the odd neighborhood of a set of vertices K ⊆ V.In In practice, the g-flow assigns a set of local Pauli this work, we are only interested in MBQC protocols corrections to a subset of unmeasured qubits after a that implement unitary embeddings. Hence, for us, measurement. See Ref. [45] for the fine details regarding jIj¼jOj ≤ N. Intuitively, the state of the qubits in the the practicalities of g-flow. For simplicity, in the definition input set corresponds to the input state of a computation. of g-flow below adapted from Ref. [44], we assume all Similarly, the qubits in the output set will contain the qubits are measured in the XY-plane of the Bloch sphere. quantum information corresponding to the result of the The idea behind g-flow is to determine whether one can computation once all the qubits in O have been measured. find a correction operator (related to a correcting set on the In the process, the quantum information is transformed by graph) that, in the case of a nonzero measurement outcome, the same principle that governs the generalized one-bit can revert the quantum state onto the projection corre- teleportation scheme [42,43]. sponding to the zero outcome. This is done by applying For our purposes, we restrict the measurements to be stabilizer operators on the state. The g-flow conditions projective measurements in the XY-plane of the Bloch sphere, j determine whether the geometrical structure of an open denoted M ¼fj ih j g for qubit j,where j i¼ α α α j j graph allows for these corrections after each measurement. 1 iα pffiffi ðj0i e j1iÞ. As a convention, we use b ¼ 0 for the measured qubit collapsing to jþ i and b ¼ 1 for collapsing α j j Definition 1. [g-flow] For an open graph GðI; OÞ, there to j− i . The computation to be performed is specified both by exists a g-flow ðg;≻Þ if one can define a function g∶O → c c the choice of open graphGðI; OÞ and by a vector α specifying PðI Þ and a partial order ≻ on V such that ∀i ∈ O all of the measurement basis α for each qubit i. Note that these are the following conditions hold: the measurements that would be made directly on the cluster state if all the measurement outcomes were zero for nonoutput (G1) if j ∈ gðiÞ and j ≠ i, then j ≻ i; qubits—i.e., if one were to implement the positive branch of (G2) if j ⊁ i and i ≠ j, then j ∉ Odd(gðiÞ); and the MBQC computation. Importantly, by convention, the (G3) i ∉ gðiÞ and i ∈ Odd(gðiÞ). 031004-3 MANTRI, DEMARIE, MENICUCCI, and FITZSIMONS PHYS. REV. X 7, 031004 (2017) The successor function gðiÞ indicates what measurements (G1)–(G3). This process of course only provides a lower will be affected by the outcome of the measurement of qubit bound on the number of flows rather than the exact number, i, while the partial order≻ should be thought of as the causal but it will be sufficient for our purposes. order of measurements. The condition (G1) says that if a With these four criteria in place, we can define a g-flow vertex j is in the correcting set of the vertex i, then j should graph path, in this restricted version of g-flow, as an be measured after the vertex i. In other words, a correction ordered set of adjacent edges of the graph, starting from should happen after the assigned measurement. Condition an element of the input set and ending on an element of the (G2) makes sure that if the correcting set of a vertex i is output set, such that for each edge ij of the path, we have connected to a vertex j, and j is measured before the vertex i, j ∈ gðiÞ, with j ≻ i. Then, it follows that (G4) does not then the vertex j should have an even number of con- allow the g-flow graph paths to cross. To help the under- nections with the correcting set of vertex i. Then, vertex j standing of MBQC, one could think of a g-flow graph path receives an even number of equal Pauli corrections, which as a representation of a wire in the quantum circuit picture. is equivalent to receiving none; hence, no correction can This intuition will be used later in this work to count how affect earlier corrections. Finally, condition (G3) ensures many ways one could define an open graph with g-flow for that each vertex i has an odd number of connections with its our choice of total ordering, which in turn provides a link to correcting set, such that a correction is indeed performed on the idea that different open graphs with g-flow lead to i [45]. In this sense, the g-flow conditions are understood in different quantum computations. terms of geometrical conditions on the open graph. Guided by these conditions, for cluster states, here and in III. CLASSICALLY DRIVEN BLIND the following, we always adopt the same choice of vertex QUANTUM COMPUTATION labeling on the graph as shown in Fig. 1. This choice is motivated by our later goal of counting how many choices We start from the situation where Alice, the client, wants of open graphs satisfy the g-flow conditions on a given to obtain the result of a particular quantum computation. cluster state. Since a vertex labeling corresponds to a total Having no quantum devices of her own, the quantum order of measurement, it is easy to check that, in order to computation must have a classical output. We allow Alice satisfy the g-flow conditions, for any vertex i, the quantum to control a probabilistic polynomial-time universal Turing information can only move towards the right, move towards machine (i.e., a classical computer with access to random- the bottom, or stay on that vertex. Furthermore, condition ness). Alice has classical communication lines to and from (G3) imposes that the information from a vertex cannot Bob, the server. Bob has access to a universal (and move simultaneously towards the right and towards the noiseless) quantum computer. Bob could help Alice, but bottom. In order to further simplify the process of counting she does not trust him. Alice wishes to ask Bob to perform a flows, we introduce an additional criterion, which is not quantum computation for her in a way that Bob obtains as strictly required by g-flow: little information as possible about her choice of compu- tation. Without loss of generality, we assume that the (G4) If k ∈ N ðiÞ ∪ N ðjÞ, and if k ∈ gðiÞ, then k ∉ gðjÞ. quantum systems used in the protocol are qubits (two-level quantum systems [46]). In general, here and in the For G , as we shall see later, it will prove easier to n;m following, we denote by count flows satisfying (G1)–(G4) than those satisfying Δ ¼fρ ; U ;Mgð3Þ A I A the classical description of Alice’s computation, where ρ is the n-qubit input state of the computation, U is the unitary ˆ ˆ embedding that maps ρ to the output state ρ ¼ U ρ U , I O A I and M is the final set of measurements on ρ required to extract the classical output. Note that we are implying that the input state can be efficiently described classically. For instance, it could be a standard choice of input such as the ⊗n n-qubit computational basis ρ ¼j0ih0j . We also (rather pedantically) assume that the number of computational steps is at most polynomial in the input size. Making the process abstract, Alice’s desired task becomes equal to sampling the string FIG. 1. Total order of the measurements for a generic n × m ˆ ˆ p ¼fp g¼ πðΔ Þ ≔ MðU ρ U Þ; ð4Þ i A A I cluster state used as a resource state in Protocol 1. 031004-4 FLOW AMBIGUITY: A PATH TOWARDS CLASSICALLY … PHYS. REV. X 7, 031004 (2017) Protocol 1 CDBQC ðG;AÞ: Classically Driven Blind Quantum of Alice’s would-be measurements. Nonetheless, Alice can Computation. pick a canonical set of angles Protocol parameters: α ≔ ðα ; …; α Þ ∈ A ð6Þ 1 N (i) A graph G with an implicit total ordering of vertices. (ii) A set of angles A satisfying Eq. (19). corresponding to the positive branch case where b ¼ 0.As Alice’s input: discussed earlier, it is possible that the angle for qubit j must (i) A target computation Δ implemented using MBQC as be modified based on the outcomes of the preceding j − 1 Δ ¼fG; α; fg; measurements, which we denote representing a measurement pattern on G compatible with b ≔ ðb ; …;b Þ: ð7Þ <j 1 j−1 the total ordering of measurements implicit in G, which describes a unitary embedding U . The set α represents a We account for this adaptation in dependency sets sequence of N measurement angles over the graph G, with each angle chosen from a set A, which is also taken to be a x x x N s ≔ ðs ; …;s Þ ∈ Z ; ð8Þ parameter of the protocol and is known to both parties. The 1 N 2 g-flow construction f fully determines the input state ρ , in z z z N through the location of the input and output qubit sets on s ≔ ðs ; …;s Þ ∈ Z ; ð9Þ 1 N 2 the graph (I and O, respectively) and the dependency sets x z ðs ; s Þ. which depend on the b and also on the g-flow construction, <j Steps of the protocol: here represented by a bit string 1. State preparation (a) Bob prepares the graph state jGi. f ≔ ðf ; …;f Þ ∈ Z ð10Þ 2. Measurements 1 M For i ¼ 1; …;N, repeat the following: (a) Alice picks a binary digit r ∈ Z uniformly at random. i 2 of length M called the flow control bits (or just “flow bits”). x z Then, using r , s , s , and the function in Eq. (18), she At this point, we still have to quantify the value of M.Note, 0 0 computes the angle α . Alice transmits α to Bob. i i though, that it represents the number of bits needed to (b) Bob measures the ith qubit in the basis fj ig and enumerate all the possible combinations of input and output transmits to Alice the measurement outcome b ∈ Z . i 2 that satisfy the g-flow conditions [44,47]. Hence, for a fixed (c) Alice records b ¼ b ⊕ r in b and then updates the i i i x z total order of the measurements, it is a function of N. dependency sets ðs ; s Þ.If i ∈ O, then she also records Explicitly, the X and Z corrections associated with the b in p . measurement angle of each qubit j are determined by the 3. Post-processing of the output (a) Alice implements the final round of corrections on the dependency sets: C Z Z output string by calculating p ¼ p ⊕ s ,with s O O the set of Z corrections on the output at the end of the s ∶ D½b  × D½f → Z ; ð11Þ j <j 2 protocol. s ∶ D½b  × D½f → Z ; ð12Þ <j 2 where π is a map that describes the blind operation where the function D denotes the domain of the argument. z x performed by the protocol, which outputs the correct Without loss of generality, we choose s ¼ s ¼ 0 since there 1 1 probability distribution fp g on the joint measurement are no previous outcomes on which these could depend. For a outcomes given Δ as Alice’s delegated target computa- fixedopengraph GðI; OÞ, the form of the dependency sets is tion. An outline of the protocol is presented in Protocol 1. uniquely defined by the g-flow [4]. Analogously, the flow bits Let us now introduce the relevant definitions for the f fully specify the dependency sets (as functions of b). As variables used in the protocol and describe the steps such, the quantum circuit that Alice intends to implement is thoroughly. The initial step of the protocol is for Bob to specified by the information prepare the resource state jGi that will be used to implement the MBQC. Once the graph state jGi is prepared by Bob, the N M ðα; fÞ ∈ A × Z ; ð13Þ interactive part of the protocol starts with Alice communicat- ing to Bob the angles to be measured, one by one. Because of consisting of N measurement angles and M flow bits for the randomness introduced by the results of the projective a given graph with fixed total order of measurement. measurements, there exists the possibility that these angles Consequently, once the graph G is known, there exists a must be corrected based on the outcomes one-to-one correspondence GðI; OÞ ↔ f, and we can n;m accordingly denote the corresponding MBQC measure- b ≔ ðb ; …;b Þ ∈ Z ð5Þ 1 N ment pattern as follows: 031004-5 MANTRI, DEMARIE, MENICUCCI, and FITZSIMONS PHYS. REV. X 7, 031004 (2017) Δ ¼ðG ; α; fÞ: ð14Þ where ⊕ indicates addition modulo 2 for each bit. We n;m can identify the data that Bob receives during the interactive part of the protocol (some from Alice, some from his own Explicitly, note that by choosing f, Alice is defining a measurements) as unique choice of the input and output on the graph state before the protocol begins. In line with the computation 0 0 N N description from Eq. (3), we call ρ the input state on G. ðdata Bob receivesÞ ≔ ðb ; α Þ ∈ Z × A : ð21Þ I 2 We now turn our attention to what kind of information Bob receives when Alice asks him to perform the mea- The interactive part of the protocol ends when all the surements on her behalf. The interactive part of the protocol qubits have been measured and Alice holds the binary consists of N steps. At each step i, Alice requests Bob to register b, derived from b to account for the one-time pad measure, in the XY-plane of the Bloch sphere, the ith qubit, r. Since Alice knows the output set O, whenever the ith according to the total order implied by G, and he sends back qubit belongs to the set of output qubits, Alice saves b into a bit for each measurement. We identify the measurement a second binary sequence of length jOj: instructions Bob receives as a list of angles jOj p ≔ ðp ; …;p Þ ∈ Z ; ð22Þ 1 jOj B 2 0 0 0 N α ≔ ðα ; …; α Þ ∈ A ; ð15Þ 1 N where p ¼ b , ∀i ∈ O. If Bob is honest, then p is i i and we label the string of bits Alice receives from Bob as equivalent to p . At the end of the protocol, this string contains the classical result of the computation, up to 0 0 0 N b ≔ ðb ; …;b Þ ∈ Z ; ð16Þ 1 N 2 classical post-processing. This is accounted for by calcu- C Z Z lating p ¼ p ⊕ s , where s is used to represent the final O O while remembering that they are communicated alternately set of Z corrections on the output qubits. Clearly, the 0 0 0 0 (α to Bob, b to Alice, α to Bob, b to Alice, etc.). Note 1 1 2 2 classical nature of the client allows us to consider only that in the case of a dishonest Bob, the string b does not quantum computations with classical output. need to correspond to real measurement outcomes but In order for the protocol to have any utility, we require could have been generated by Bob through some alternative that the output p satisfies Eq. (4), a property known as process. correctness. The correctness of this protocol can be proved Realizing that measuring α can just as easily be effected by straightforwardly. Note that the positive branch of the asking Bob to measure α þ π and then flipping the returned MBQC pattern Δ [that is, where all the measurement outcome bit, we introduce a uniformly random N-bit string outcomes happen to be equal to zero (b ¼ 0)] implements Alice’s target computation Δ by definition. In the circuit r ≔ ðr ; …;r Þ ∈ Z ð17Þ 1 N model, this corresponds to a quantum circuit that imple- ments the unitary U over the correct input state ρ and a A I that Alice will use to pad the angles in an attempt to conceal final round of measurements whose output is the binary the measurement outcomes. All that remains is to specify string p [49]. Below, we give a proof of the correctness of how α depends on α. This is specified by the following the CDBQC protocol. functional dependence [17,47,48]: Theorem 1. [correctness] For honest Alice and Bob, the outcome of Protocol 1 is correct. 0 s z α ¼ð−1Þ α þðs þ rÞπ mod 2π; ð18Þ Proof.—There are only two differences between Protocol 1 and a conventional MBQC implementation of Δ . which follows from the g-flow construction and shows how The first is the use of r to hide measurement outcomes. corrections change subsequent measurement angles. Here, The effect of r is to add an additional π to the measurement we have used multi-index notation to present the result angle on certain qubits, resulting in a bit flip on the x z concisely as a vector. Note that the dependency sets ðs ; s Þ corresponding measurement result b . However, since this are updated by Alice after each measurement. To make the is immediately undone, it has no effect on the statistics of analysis of the protocol meaningful, we construct a domain the measurement results obtained after decoding b. for α such that the domain of all valid α is the same. Thus, in The other difference is that the g-flow construction, and general, hence the dependency sets, is only known to Alice and not to Bob. However, this does not affect the input state, which is A ¼fð−1Þ θ þ zπjθ ∈ A;x ∈ Z ;z ∈ Z g: ð19Þ 2 2 equivalent to the usual case if Alice is honest (i.e., if she correctly performs her role in implementing the protocol). Also note that now Furthermore, if Alice updates the measurement angles correctly using the dependency sets as dictated by the b ¼ b ⊕ r; ð20Þ g-flow, and Bob measures them accordingly, every branch 031004-6 FLOW AMBIGUITY: A PATH TOWARDS CLASSICALLY … PHYS. REV. X 7, 031004 (2017) of Δ is equivalent to the positive branch. Then, the In addition, we use B for the eventual measurement outcomes and R for the (uniformly random) string of measurement pattern correctly implements the unitary trans- π-shift bits that is known only to Alice. In any given run of ˆ ˆ formation ρ ¼ U ρ U . The protocol also allows Alice to out A in C the protocol, A and F are drawn from a joint prior identify the elements of the output string p in b since she probability Prðα; fÞ, which is known to Bob. Thus, knows the position of the output on thegraph. Hence, when both HðA; FÞ ≤ n þ n bits, with equality if and only if the A F Alice and Bob follow the protocol, the output string p ¼ p ⊕ prior is uniform over F and A. Note that we do not make s is the desired probability distribution that follows from the any assumptions about this prior in what follows. joint measurement of the correct quantum output. □ We have seen before that a single instance of the data 0 0 Bob receives at the end of Protocol 1 is equal to ðG; b ; α Þ. IV. BLINDNESS ANALYSIS In a stand-alone setting, this is the only data available to Bob from which he might be able to gain some information We now look at the degree of blindness for a single round about the circuit chosen by Alice. If this protocol were to be of Protocol 1. In this setting, we consider a cheating Bob used as a subroutine or in parallel with another protocol, with unbounded computational power, able to deviate from then one must analyze the security in a composable the protocol and follow any strategy allowed by the laws of framework. Such an analysis is beyond the scope of the physics. Our aim, however, is not to verify that Bob is present work and is left as an open problem. Note that the indeed performing the correct quantum computation as graph is considered a parameter of the protocol and not part requested. Instead, we want to quantify the amount of of Alice’s secret. Bob’s useful information at the end of a information that Bob can access when Protocol 1 is run single run of Protocol 1 is then equal to the mutual infor- only once (stand-alone) and compare it against the total 0 0 mation IðB ; A ; A; FÞ between the variables associated amount of information needed to describe the computation. 0 0 with the circuit ðA; FÞ and Bob’s data ðB ; A Þ. To completely identify Alice’s computation, Bob needs to In other words, we are modeling the leakage of know the description Δ . information as an unintentional classical channel between We identify variables with uppercase letters and particular Alice and Bob, where ðA; FÞ is the input of the channel instances of such variables with lowercase letters. The 0 0 and ðB ; A Þ is the output at Bob’s side. Then, the mutual probability of a given instance x of a random variable X is information tells us how many bits of the original mes- denoted PrðxÞ, and averaging over X is denoted h·i or h·i sage Bob receives on average, when averaged over many when there is no ambiguity. Given a random variable X,we uses of the channel. Importantly, one cannot recover, from call N the number of possible outcomes for the variable and mutual information, what bits of the original message are n ≔ log N the number of bits required to enumerate them. X 2 X passed to Bob. For our protocol, the mutual information We denote the Shannon entropy [50] of a random satisfies the following bound, which does not rely on any variable X by HðXÞ ≔ h− log PrðxÞi ≤ n , with equal- 2 X computational assumption but is entirely derived from ity if and only if X is uniformly random. For two ran- information theory. dom variables X and Y, their joint entropy is written Theorem 2. [blindness] In a single instance of Protocol HðX; YÞ ≔ h−log Prðx; yÞi , and the conditional en- 2 X;Y 1, the mutual information between the client’s secret input tropy of X given Y is HðXjYÞ ≔ h−log PrðxjyÞi . 2 X;Y fα; fg and the information received by the server is These satisfy bounded by 0 0 0 HðXjYÞ¼ HðX; YÞ − HðYÞ: ð23Þ IðB ; A ; A; FÞ ≤ HðA Þ: ð25Þ The mutual information of X and Y is Proof.—From the definition of mutual information, we have IðX; YÞ ≔ HðXÞþ HðYÞ − HðX; YÞ 0 0 0 0 0 0 IðB ; A ; A; FÞ¼ HðB ; A Þ − HðB ; A jA; FÞ: ¼ HðXÞ − HðXjYÞ Applying the inequality HðX; YÞ ≤ HðXÞþ HðYÞ, ¼ HðYÞ − HðYjXÞ; ð24Þ together with the fact that HðB Þ ≤ n 0 ¼ N, to the above equation yields which will be our main tool of analysis. Intuitively, IðX; YÞ measures how much information Y has about X. More 0 0 0 0 0 IðB ; A ; A; FÞ ≤ HðA Þþ N − HðB ; A jA; FÞ: ð26Þ precisely, it quantifies how much the entropy of X is 0 0 reduced, on average, when the value of Y is known. What remains to be shown is that HðB ; A jA; FÞ ≥ N. Because of the symmetry of the definition, these statements This result is proved as Lemma 4 in the Appendix by 0 0 −N also hold when the roles of X and Y are swapped. bounding Prðb ; α jα; fÞ ≤ 2 based on the full joint Let us call the angles variable A and the flow variable F. probability for the protocol. With this bound in place, Specifying Δ , in general, therefore requires n þ n bits. Eq. (25) directly follows. □ A F 031004-7 MANTRI, DEMARIE, MENICUCCI, and FITZSIMONS PHYS. REV. X 7, 031004 (2017) 0 0 The conditional entropy HðA; FjB ; A Þ quantifies the exponentially in the dimensions of the cluster state such amount of information that, on average, remains unknown that n ∝ N. to Bob about Alice’s computation at the end of Protocol 1. Theorem 3. For a cluster state corresponding to G n;m As mentioned previously, in the case where Alice chooses with fixed total order as depicted in Fig. 1, the number the measurement angles A uniformly randomly from a of different open graphs GðI; OÞ satisfying conditions finite set, one A for each qubit, and she chooses the flow F (G1)–(G4) is given by uniformly randomly from the set of all flows compatible with the total order implicit in G, then minðn;mÞ jn−mj #GðI; OÞ ¼ F F ; ð31Þ n;m 2 minðn;mÞþ1 2μ HðA; FÞ¼ n þ n : ð27Þ A F μ¼2 In this case, by calculating the conditional entropy where F is the ith Fibonacci number. 0 0 0 0 HðA; FjB ; A Þ¼ HðA; FÞ − IðB ; A ; A; FÞ; ð28Þ Proof.—The proof of this theorem is somewhat involved. We begin by considering a set of diagonal cuts acrossG ,as n;m 0 0 we have HðA; FjB ; A Þ ≥ n because of Theorem 2. Note depicted in Fig. 2(a). As we are considering only those flows that Theorem 2 guarantees zero mutual information for a that satisfy condition (G4), there is a straightforward con- single run of Protocol 1 only if n ¼ 0, which means only straint on the information flow, which can be seen by isolating one choice of measurement angle for each qubit. However, a single cut and the vertices linked by edges that the cut passes the structure of the domain of α and α [see Eq. (19)] through [see Fig. 2(b)]. In the following discussion, we forbids such a choice. A minimal choice of angles that is consider only the vertices connected by edges through which not classically simulable (via the Gottesman-Knill theorem a particular cut passes. Because of the total ordering imposed [51])is given by on the vertices of G , conditions (G1)–(G3) ensure that n;m information can only pass through a cut from the left side to π 3π 5π 7π A ¼ ; ; ; : ð29Þ the right side and not in the reverse direction. Condition (G4) 4 4 4 4 then allows exactly the set of flows where for any vertex k on In this case, for each angle α , one has n ¼2,so n ¼2N. the right side of the cut, information flows to k from at j α A Since HðA Þ ≤ n ¼ n , Bob gains at most two bits of A A information per qubit measured, with this information (a) being a nontrivial function of both α and f. V. APPLICATION TO CLUSTER STATES To conclude the security analysis of the stand-alone scenario, it is necessary to calculate the exact value of N , which in turn gives us the value of n and hence the lower bound of the conditional entropy for the case of uniform variables A, F as explained above. Clearly, this depends on the choice of G. Here, we consider the case of cluster states, where G is taken to be G with implicit total ordering of n;m vertices as illustrated in Fig. 1. Note that M, the length of (b) the bit string f, is equal to log N . When condition (G4) is 2 F included, the g-flows we consider correspond to focused g-flows [52]. Hence, there is a one-to-one correspondence between an instance of a g-flow f of F and a choice of input and output sets on the graph [52]. Here, we place a lower bound on M by counting flows that satisfy conditions (G1)–(G4). The use of the additional constraint (G4), which is not implicit in the definition of g-flow, implies that we are undercounting the total number of flows; hence, N ≥ #GðI; OÞ ; ð30Þ n;m FIG. 2. (a) A cluster-state graph G with diagonal cuts n;m where #GðI; OÞ corresponds to the number of possible n;m imposed. The flow across each cut is independent, and the ways one can define an open graph that satisfies conditions number of possible flows across each cut is indicated. (b) Several (G1)–(G4). We now show that this quantity can grow cuts with their neighboring vertices isolated. 031004-8 FLOW AMBIGUITY: A PATH TOWARDS CLASSICALLY … PHYS. REV. X 7, 031004 (2017) most one of its neighbors on the left side of the cut. So, if i, j ∈ N ðkÞ,then k ∉ gðiÞ ∩ gðjÞ. We divide the cuts into three types: (i) those having one less neighboring vertex on the left side of the cut than on the right, (ii) those having one more neighboring vertex on the left side of the cut than on the right, and (iii) those having an equal number of neighboring vertices on both sides of the cut. We label the total number of flows for each type as A , B , and C , respectively, where μ indicates the μ μ μ number of neighboring vertices on the left side of the cut, as → → FIG. 3. A and A can be constructed recursively, as shown shown in Fig. 2(b). μ μ above. Here, arrows indicate information flow, while edges In order to quantify these, we begin by noting that → → → indicate the possibility of information flow. A ¼ A þ A , where A denotes the number of flows μ μ μ μ with the restriction that information flows from the upper- most neighboring vertex on the left side of the cut to the The Fibonacci numbers can be written exactly in terms of pffiffiffi uppermost neighboring vertex on the right side of the cut, 1 the golden ratio ϕ ¼ ð1 þ 5Þ as and A denotes the number of flows where this constraint is not satisfied. These quantities can be calculated using a k −k ϕ − ð−ϕÞ F ¼ pffiffiffi : ð33Þ simple recursion relation, as follows. Here, A allows precisely one possibility for flow between the uppermost vertices of the cut, precluding For large cluster states (n, m ≫ 1), the number of possible flow from the uppermost vertex on the left side of the flows is given by cut to lower vertices on the right side. Hence, the remaining μ − 1 vertices on the left side and μ − 1 on the right side will 4ν −jn−mj=2 ð2λþ1Þjn−mj be isolated and identical to the situation where the cut #GðI; OÞ ≈ 5 ϕ ð34Þ n;m partitions one fewer vertex on each side. Thus,A ¼ A ¼ ν¼2 μ μ−1 → → A þ A . μ−1 μ−1 −ðnþm−2Þ=2 2mnþmþn−4 ¼ 5 ϕ ; ð35Þ Calculating A is a little more involved, as there are two possibilities to consider. The first is that no information where λ ¼ minðn; mÞ. The above approximation is pffiffiffi flows from the uppermost vertex on the left side of the cut k −k obtained by noting that F ≈ ϕ = 5, since jð−ϕÞ j≪1 across the cut (in which case, it is an output). In this case, for large k, and using this to approximate Eq. (31). isolation of the lower vertices occurs as in the analysis of A ; Taking N ¼ nm and assuming m grows polynomially in → → hence, there are A þ A possible flows. In the second μ−1 μ−1 n, then m ¼ polyðnÞ, and case, no information can flow into the second uppermost vertex on the right side of the cut; hence, only A flows are 2N log ϕþOðN Þ μ−1 2 #GðI; OÞ ¼ 2 ð36Þ n;m → → → → → possible. Thus, A ¼ A þ 2A ¼ A þ A . These μ μ μ−1 μ−1 μ−1 correspondences are depicted in Fig. 3. for some ϵ < 1. In such a case, using Eq. (30) and → → Note that A and A satisfy the same recursion relation μ μ evaluating to leading order, → → as the Fibonacci sequence when ordered as ðA ;A ; 1 1 → → → → A ;A ; …Þ and starting with A ¼ 1 ¼ F and A ¼ 2 n ≥ log #GðI; OÞ ≈ 1.388N: ð37Þ 2 2 1 1 F 2 n;m 2 ¼ F . It follows that A ¼ F . By similar arguments, 3 μ 2μþ2 we have B ¼ F and C ¼ F . This result implies that the conditional entropy μ 2μ μ 2μþ1 0 0 It remains only to be noted that the configuration of the HðA; FjB ; A Þ ≥ 1.388N. For the case of a computation information flow across one cut is independent of the chosen uniformly at random by Alice, the total number information flow across other cuts; hence, the total number of bits required to entirely describe her computation is of possible flows is given by the product of the possible approximately equal to 3.388N. However, Bob only flows across each cut. Therefore, receives exactly 2N bits of information from Alice (the angles α ). From Theorem 2.1 in Ref. [53], it is easy to #GðI; OÞ verify that Bob cannot decode Alice’s computation entirely n;m with unit probability. Additionally, Theorem 2.4 in minðn;mÞ−1 minðn;mÞ Y Y jn−mj Ref. [54] shows that Bob cannot guess Alice’s computation ¼ F F F ; ð32Þ 2μþ2 2ν 2 minðn;mÞþ1 −1.388N with probability greater than 2 . μ¼1 ν¼2 To make sense of this result, one should remember which simplifies to Eq. (31) as required. □ that a particular deterministic MBQC computation is 031004-9 MANTRI, DEMARIE, MENICUCCI, and FITZSIMONS PHYS. REV. X 7, 031004 (2017) characterized by identifying an input and output set on the underlying graph of the resource state, together with an information flow construction. This structure determines how the quantum information is deterministically trans- ferred via projective measurements from the physical location of the input to the output. Furthermore, once the input and output systems are fixed on the graph, the flow, if it can be constructed, is unique. Hence, in the canonical approach to MBQC, the usual procedure is to fix the input and the output and assign a partial order of measurements that guarantees determinism under a specific set of rules. Consequently, the flow construction imposes a total order of measurements, which must respect the FIG. 4. A 2 × 2 cluster state with measurement angles partial one. fα; β; γ; δg. In this example, we show how to encode two Here, we have reversed this point of view. As such, different computations using a fixed total order of measure- Theorem 3 is based on the nontrivial observation that, for a ments f1; 2; 3; 4g. The difference follows from the choice of given MBQC resource state with a fixed total order of the GðI; OÞ. In diagram (a), the input set is f1; 3g,and the measurements, choices of g-flow, i.e., choices of input and output set is f2; 4g, with g-flow function gð1Þ¼f2g and output vertices on the graph that correspond to different gð3Þ¼f4g. The equivalent circuit associated with the positive deterministic quantum computations, are generally not branch of this MBQC pattern is shown below. Note that any unique. Nonetheless, Alice’s choice of input and output final round of corrections is pushed into the classical post- enforces a unique computation among all the possible processing of the output. In diagram (b), the input set is f1; 2g, the output set is f3; 4g, gð1Þ¼f3g,and gð2Þ¼f4g. choices. This choice of g-flow is not communicated to the Similarly to (a), we show the circuit of the positive branch of server and is kept hidden by Alice, who uses it to update the MBQC pattern, and the final round of corrections is the classical instructions sent to Bob. This observation classically post-processed. makes it possible for a client to conceal the flow of quantum information from a quantum server classically instructed on what operations to perform. In particular, since a large number of other computations are still compatible with the information Bob receives, the achieved blindness follows from the ambiguity about the flow of information on the graph. Furthermore, our protocol circumvents the scheme-dependent no-go theo- rem for classical blind quantum computing stated in Ref. [38]. Here, we do not make use of any affine encryption on the client’s side, but as mentioned above, we use flow ambiguity to encode a part of the client’s computation. As a consequence of this encoding, Protocol 1 requires multiple rounds of communication between the client and server. This requirement is in direct contrast with the assumptions of Ref. [38], where only one round of communication is allowed. We can additionally make two important observations. The first is that the circuits implementable on G are not n;m classically simulable unless BPP ¼ BQP. This stems from the fact that the cluster state is universal with only XY-plane measurements, as has recently been proven in Ref. [55]. The above bound provides an exponential lower bound on the number of consistent flows for all cluster states. The second observation is that the computations corresponding FIG. 5. List of the nine possible GðI; OÞ combinations 2;2 to different choices of flow are not equivalent, even when (and associated patterns) with g-flow for the cluster state classical post-processing is allowed. This can most easily jCSi . The arrows indicate the direction of the quantum 2;2 be seen by considering an example. We consider the information flow. Note that overlapping input and output sets simplest case of the 2 × 2 plaquette jCSi . In Fig. 4, 2;2 are allowed. All the patterns implement unitary embeddings on we show an example of two different choices of open the input state. 031004-10 FLOW AMBIGUITY: A PATH TOWARDS CLASSICALLY … PHYS. REV. X 7, 031004 (2017) computations. Since in this particular case the input state (C jþþi) is equivalent, the difference is dictated by the unitary transformation (specified by the measurement angles) that acts on it. As can be seen from Fig. 4, the corresponding circuits are different and perform different unitaries. Because of the flow ambiguity and the obfusca- tion due to the one-time pad, a quantum server that was to perform the measurements following Protocol 1, at the end of the procedure, would not have enough information to exactly identify Alice’s choice of open graph. For G , 2;2 there are nine possible flow configurations as expected from Eq. (31), which are depicted in Fig. 5. Given any fixed transcript of the protocol, for each flow there exists a choice of α such that it is consistent with the transcript. An example run of Protocol 1 is presented in Fig. 6 for the G case. 2;2 As a final comment, it is clear that there exist cases where, for a fixed graph and choice of angles, different choices of flows will correspond to the same computation. For instance, referring to Fig. 5, measuring all qubits with the same angle would give a two-to-one correspondence for some of the computations. However, it is reasonable to conjecture that when the angles are chosen from sets of large cardinality, the mapping will be close to one to one. The full characterization of the mapping is left as an open problem. VI. DISCUSSION AND CONCLUSIONS Our overall motivation in this work has been to explore the possibility of classically driven blind quantum com- putation. While this may seem an impossible task, the fact that multiple nonequivalent computations in the MBQC model can yield the same transcript of measurement angles and results, even when the resource state and order of measurements are fixed, allows the tantalizing FIG. 6. Illustration of an exemplary run of Protocol 1. At the start possibility that it may be possible for a classical user to of the protocol, Alice’s computation is expressed as a measurement hide a computation from a quantum server. Protocol 1 pattern on a graph, in this case, G . This is communicated to Bob, 2;2 makes use of this flow ambiguity to provide some who prepares the initial state. The computation then proceeds in x z measure of hiding for quantum computations chosen rounds with Alice computing the relevant entries of s and s and, from certain restricted sets. Our intention in introducing using these together with r , the measurement angle α .The this protocol is not to provide a practical cryptographic measurement angle α is communicated to Bob, who performs the measurement and returns the result to Alice as b .From this, protocol but rather to demonstrate that it is indeed Alice computes b as b ⊕ r . This process is repeated until all qubits i i possible to hide nonequivalent quantum computations have been measured. At the end of the protocol, for any fixed using this flow ambiguity. As such, we concentrate on 0 0 transcript of the communication (composed ofα andb ), it is always showing that in a single run of the protocol, the amount of possible to find a choice for α consistent with the transcript for any information obtained by the server is bounded, rather than choice of f. In other words, for any of the possible g-flow introducing a composable security definition, which is configurations shown in Fig. 5, Bob can find an α that would have led to the transcript he recorded, which means any of those g-flows is nontrivial given the dependence of the leaked information possible. This ambiguity is responsible for partially hiding Alice’s on the responses of the server. computation from Bob. Our results provoke a couple of questions. The first and most obvious is whether the flow ambiguity effect can be graphs compatible with the underlying total order of exploited to hide a universal set of computations even after measurements. Both choices satisfy the g-flow conditions, the measurement angles have been communicated to the and as a result, they correspond to two deterministic server. A second and perhaps even more important question MBQC patterns, i.e., two different and well-defined is whether this phenomenon can be used as a building block 031004-11 MANTRI, DEMARIE, MENICUCCI, and FITZSIMONS PHYS. REV. X 7, 031004 (2017) for verification of quantum computers by completely With these direct-dependency limitations, we can classical users. immediately write down the form of the full joint probability for the entire protocol: ACKNOWLEDGMENTS 0 0 Prðb ; α ; α; f; b; rÞ The authors thank Rafael Alexander, Niel de Beaudrap, Michal Hajdušek, Elham Kashefi, Simon Perdrix, and 0 0 0 0 ¼ Prðα; fÞ Prðb jb ; α Þ Prðα jα ; f; b ;r Þ j <j j j <j ≤j j Carlos Pérez-Delgado for interesting discussions and j¼1 valuable insights. T. F. D. thanks Yingkai Ouyang for carefully reading an early version of this manuscript ×Prðb jb ;r Þ Prðr Þ: ðA1Þ j j j and for his helpful comments. J. F. F. acknowledges support from the Air Force Office of Scientific Research Furthermore, we can explicitly write several of these under Grant No. FA2386-15-1-4082. N. C. M. is supported probabilities: by the Australian Research Council under Grant No. DE120102204, by the Australian Research Council Prðb jb ;r Þ¼ δ ; ðA2Þ j j j b ⊕r Centre of Excellence for Quantum Computation and j Communication Technology (Project No. CE170100012), and by the U.S. Defense Advanced Research Projects Prðα jα ; f; b ;r Þ¼ δ ; ðA3Þ j j <j j Agency (DARPA) Quiness program under Grant G ðα ;f;b ;r Þ j j <j j No. W31P4Q-15-1-0004. This material is based on research funded by the Singapore National Research Foundation under NRF Award No. NRF-NRFF2013-01. Prðr Þ¼ ; ðA4Þ A. M. and T. F. D. contributed equally to this work. with the deterministic function APPENDIX: FULL JOINT PROBABILITY FOR G ðα ; f; b ;r Þ j j <j j THE PROTOCOL AND CONDITIONAL s ðf;b Þ z <j ENTROPY BOUND ≔ ð−1Þ α þ πs ðf; b Þþ πr mod 2π ðA5Þ j <j j 0 0 Lemma 4. HðB ; A jA; FÞ ≥ N regardless of Bob’s obtained from Eq. (18). These hold for all j. At this point, strategy. we have the most general form of the full joint probability Proof.—We construct the full joint probability for all of consistent with the protocol: the variables in Protocol 1 and use it to explicitly derive the desired result. Direct dependencies in the joint 0 0 Prðb ; α ; α; f; b; rÞ probability will be limited by causality and the assump- tions that Alice’sand Bob’s laboratories are secure and Y 0 Prðα; fÞ α b 0 0 0 free of each others’ espionage. These limitations are as ¼ δ Prðb jb ; α Þδ ; ðA6Þ j <j ≤j N b ⊕r G ðα ;f;b ;r Þ j j <j j follows: j¼1 (i) The flow bits F and ideal measurement angles A directly depend on no other variables. They are where we have left Bob’s strategy arbitrary but consistent inputs to the problem chosen by Alice and can be with the direct-dependency restrictions given above. correlated. Marginalizing over B gives (ii) Each π-shift bit R in R is chosen by flipping a fair coin; thus, it directly depends on no other variables. 0 0 Prðb ; α ; α; f; rÞ (iii) Alice assigns A based directly on the current A , all 0 0 flow bits F, the current R , and any prior decoded j ¼ Prðb ; α ; α; f; b; rÞðA7Þ bits B . b <j (iv) Each decoded bit B directly depends only on R j j (the π-shift bit) and the bit B received from Bob. j Y Prðα; fÞ α 0 0 0 0 (v) Each bit B that Bob returns to Alice directly ¼ Prðb jb ; α Þδ : ðA8Þ j j <j ≤j N G ðα ;f;b ⊕r ;r Þ j j <j j <j depends only on the information Bob has on hand j¼1 0 0 at the time (specifically, B and A ), as well as any <j ≤j (classical or quantum) stochastic strategy he wishes From this joint probability distribution, we can to employ. compute 031004-12 FLOW AMBIGUITY: A PATH TOWARDS CLASSICALLY … PHYS. REV. X 7, 031004 (2017) 0 0 Prðb ; α ; α; f; rÞ 0 0 Prðb ; α jα; fÞ¼ ðA9Þ Prðα; fÞ X X XX Y 1 α 0 0 0 ¼ … Prðb jb ; α Þδ ðA10Þ j <j ≤j N G ðα ;f;b ⊕r ;r Þ j j <j j <j r r r r j¼1 1 N−2 N−1 N N N−1 Y X XX Y 1 α 0 0 0 ¼ Prðb jb ; α Þ … δ j <j ≤j N G ðα ;f;b ⊕r ;r Þ j j <j j <j r r r j¼1 j¼1 1 N−2 N−1 0 0 α α N N × ðδ þ δ Þ ðA11Þ 0 0 G ðα ;f;b ⊕r ;0Þ G ðα ;f;b ⊕r ;1Þ j N <N j N <N <N <N |fflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflffl{zfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflffl} at most one term is nonzero N N−1 Y X XX Y 0 1 α 0 0 0 ≤ Prðb jb ; α Þ … δ ðA12Þ j <j ≤j N G ðα ;f;b ⊕r ;r Þ j j <j j <j j¼1 r r r j¼1 1 N−2 N−1 N N−2 Y X X Y 0 1 α 0 0 0 ≤ Prðb jb ; α Þ … δ 0 ðA13Þ j <j ≤j N G ðα ;f;b ⊕r ;r Þ j j <j j <j j¼1 r r j¼1 1 N−2 Y X 1 α 0 0 0 1 ≤ Prðb jb ; α Þ δ ðA14Þ j <j ≤j N G ðα ;f;r Þ 1 1 1 j¼1 r 0 0 0 ≤ Prðb jb ; αÞðA15Þ j <j ≤j j¼1 ≤ : ðA16Þ [4] V. Dunjko, J. Fitzsimons, C. Portmann, and R. Renner, In theabove,wehaverepeatedlyusedthe fact that G has Advances in Cryptology—ASIACRYPT 2014 (Springer, at most one r that makes it equal to α for any given j j Berlin, Heidelberg, 2014). ðα ; f; b Þ. Therefore, substituting the above bound into j <j [5] Formal definitions of blindness and verifiability can be the conditional entropy formula gives found in [4]. X [6] A. Childs, Secure Assisted Quantum Computation, Quantum 0 0 0 0 HðB ; A jA; FÞ¼ Prðα; fÞHðB ; A jA ¼ α; F ¼ fÞ Inf. Comput. 5, 456 (2005). α;f [7] P. Arrighi and L. Salvail, Blind Quantum Computation, Int. J. Quantum. Inform. 04, 883 (2006). ≥ Prðα; fÞN ¼ N: ðA17Þ [8] A. Broadbent, J. Fitzsimons, and E. Kashefi, Universal α;f Blind Quantum Computation,in Proceedings of the 50th Annual IEEE Symposium on Foundations of Computer Science (FOCS) (IEEE, Atlanta, 2009), pp. 517–526. [9] T. Morimae and K. Fujii, Blind Topological Measurement- Based Quantum Computation, Nat. Commun. 3, 1036 [1] P. W. Shor, Polynomial-Time Algorithms for Prime (2012). Factorization and Discrete Logarithms on a Quantum [10] T. Sueki, T. Koshiba, and T. Morimae, Ancilla-Driven Computer, SIAM Rev. 41, 303 (1999). Universal Blind Quantum Computation, Phys. Rev. A 87, [2] S. Lloyd, Universal Quantum Simulators, Science 273, 1073 (1996). 060301 (2013). [3] S. Lloyd, M. Mohseni, and P. Rebentrost, Quantum Algo- [11] C.-H. Chien, R. V. Meter, and S.-Y. Kuo, Fault-Tolerant rithms for Supervised and Unsupervised Machine Learning, Operations for Universal Blind Quantum Computation, arXiv:1307.0411 [Phys. Rev. X (to be published)]. J. Emerg. Technol. Comput. Syst. 12, 26 (2015). 031004-13 MANTRI, DEMARIE, MENICUCCI, and FITZSIMONS PHYS. REV. X 7, 031004 (2017) [12] A. Mantri, C. Perez-Delgado, and J. Fitzsimons, Optimal [33] P. Hauke, F. M. Cucchietti, L. Tagliacozzo, I. Deutsch, and Blind Quantum Computation, Phys. Rev. Lett. 111, 230502 M. Lewenstein, Can One Trust Quantum Simulators?, Rep. (2013). Prog. Phys. 75, 082401 (2012). [13] V. Giovannetti, L. Maccone, T. Morimae, and T. Rudolph, [34] M. Cramer, M. B. Plenio, S. T. Flammia, R. Somma, Efficient Universal Blind Quantum Computation, Phys. D. Gross, S. D. Bartlett, O. Landon-Cardinal, D. Poulin, Rev. Lett. 111, 230501 (2013). and Y.-K. Liu, Efficient Quantum State Tomography, Nat. [14] C. Perez-Delgado and J. Fitzsimons, Iterated Gate Commun. 1, 149 (2010). Teleportation and Blind Quantum Computation, Phys. [35] L. Aolita, C. Gogolin, M. Kliesch, and J. Eisert, Reliable Rev. Lett. 114, 220502 (2015). Quantum Certification of Photonic State Preparations, Nat. [15] T. Morimae, Continuous-Variable Blind Quantum Compu- Commun. 6, 8498 (2015). tation, Phys. Rev. Lett. 109, 230502 (2012). [36] D. Hangleiter, M. Kliesch, M. Schwarz, and J. Eisert, Direct [16] V. Dunjko, E. Kashefi, and A. Leverrier, Blind Quantum Certification of a Class of Quantum Simulations, Quantum Computing with Weak Coherent Pulses, Phys. Rev. Lett. Science Technology 2, 015004 (2017). 108, 200502 (2012). [37] M. Walschaers, J. Kuipers, J.-D. Urbina, K. Mayer, M. C. [17] J. Fitzsimons and E. Kashefi, Unconditionally Verifiable Tichy, K. Richter, and A. Buchleitner, Statistical Benchmark Blind Computation, arXiv:1203.5217 [Phys. Rev. X (to be for Boson Sampling, New J. Phys. 18, 032001 (2016). published)]. [38] T. Morimae and T. Koshiba, Impossibility of Secure Cloud [18] M. Hajdušek, C. Perez-Delgado, and J. Fitzsimons, Device- Quantum Computing for Classical Client, arXiv:1407.1636. Independent Verifiable Blind Quantum Computation, [39] S. Aaronson, A. Cojocaru, A. Gheorghiu, and E. Kashefi, arXiv:1502.02563v1 [Phys. Rev. X (to be published)]. On the Implausibility of Classical Client Blind Quantum [19] A. Gheorghiu, E. Kashefi, and P. Wallden, Robustness and Computing, arXiv:1704.08482v1. Device Independence of Verifiable Blind Quantum Comput- [40] V. Dunjko and E. Kashefi, Blind Quantum Computing with ing, New J. Phys. 17, 083040 (2015). Two Almost Identical States, arXiv:1604.01586. [20] T. Morimae and K. Fujii, Blind Quantum Computation [41] R. Raussendorf and H. J. Briegel, A One-Way Quantum Protocol in which Alice Only Makes Measurements, Phys. Computer, Phys. Rev. Lett. 86, 5188 (2001). Rev. A 87, 050301 (2013). [42] D. Gottesman and I. L. Chuang, Demonstrating the Viability [21] T. Morimae, Verification for Measurement-Only Blind of Universal Quantum Computation Using Teleportation Quantum Computing, Phys. Rev. A 89, 060302 (2014). and Single-Qubit Operations, Nature (London) 402, 390 [22] M. Hayashi and T. Morimae, Verifiable Measurement-Only (1999). Blind Quantum Computing with Stabilizer Testing, Phys. [43] X. Zhou, D. W. Leung, and I. L. Chuang, Methodology for Rev. Lett. 115, 220502 (2015). Quantum Logic Gate Constructions, Phys. Rev. A 62, [23] M. Hayashi and M. Hajdusek, Self-Guaranteed Measurement- 052316 (2000). Based Quantum Computation, arXiv:1603.02195 [Phys. [44] D. Browne, E. Kashefi, M. Mhalla, and S. Perdrix, Rev. X (to be published)]. Generalized Flow and Determinism in Measurement-Based [24] S. Barz, E. Kashefi, A. Broadbent, J. Fitzsimons, A. Quantum Computation, New J. Phys. 9, 250 (2007). Zeilinger, and P. Walther, Demonstration of Blind Quantum [45] D. Markham and E. Kashefi, Entanglement, Flow and Computing, Science 335, 303 (2012). Classical Simulatability in Measurement Based Quantum [25] S. Barz, J. Fitzsimons, E. Kashefi, and P. Walther, Exper- Computation, arXiv:1311.3610. imental Verification of Quantum Computation, Nat. Phys. 9, [46] M. Nielsen and I. Chuang, Quantum Computation and 727 (2013). Quantum Information (Cambridge University Press, [26] C. Greganti, M.-C. Roehsner, S. Barz, T. Morimae, and P. Cambridge, England, 2000). Walther, Demonstration of Measurement-Only Blind [47] V. Danos and E. Kashefi, Determinism in the One-Way Quantum Computing, New J. Phys. 18, 013020 (2016). Model, Phys. Rev. A 74, 052310 (2006). [27] D. Aharonov, M. Ben-Or, and E. Eban, in Proceedings of [48] V. Danos, E. Kashefi, and P. Panangaden, The Measurement Innovations in Computer Science (Tsinghua University Calculus, J. ACM 54, 8 (2007). Press, Beijing, 2010). [49] R. Raussendorf, D. E. Browne, and H. J. Briegel, [28] A. Broadbent, How to Verify a Quantum Computation, Measurement-Based Quantum Computation on Cluster arXiv:1509.09180. States, Phys. Rev. A 68, 022312 (2003). [29] B. Reichardt, F. Unger, and U. Vazirani, Classical Com- [50] T. M. Cover and J. A. Thomas, Elements of Information mand of Quantum Systems, Nature (London) 496, 456 Theory (John Wiley & Sons, New York, 2012). (2013). [51] D. Gottesman, The Heisenberg Representation of Quantum [30] M. McKague, Interactive Proofs for BQP via Self-Tested Computers, arXiv:quant-ph/9807006. Graph States, Theo. Comput. 12, 1 (2016). [52] M. Mhalla, M. Murao, S. Perdrix, M. Someya, and P. S. [31] J. F. Fitzsimons and M. Hajdušek, Post Hoc Verification of Turner, Which Graph States are Useful for Quantum Quantum Computation, arXiv:1512.04375 [Phys. Rev. Lett. Information Processing?,in Theory of Quantum Compu- (to be published)]. tation, Communication, and Cryptography, edited by D. [32] T. Morimae and J. F. Fitzsimons, Post Hoc Verification with Bacon, M. Martin-Delgado, and M. Roetteler, Lecture a Single Prover, arXiv:1603.06046 [Phys. Rev. Lett. (to be Notes in Computer Science Vol. 6745 (Springer, Berlin, published)]. Heidelberg, 2014), p. TQC 2011. 031004-14 FLOW AMBIGUITY: A PATH TOWARDS CLASSICALLY … PHYS. REV. X 7, 031004 (2017) [53] A. Ambainis, A. Nayak, A. Ta-Shma, and U. Vazirani, Dense Annual Symposium on Foundations of Computer Science Quantum Coding and a Lower Bound for 1-Way Quantum (FOCS ’99) (IEEE Computer Society, Washington, DC, Automata,in Proceedings of the 31st Annual ACM Sympo- 1999), p. 369. sium on Theory of Computing, 1999, pp. 376–383. [55] A. Mantri, T. F. Demarie, and J. F. Fitzsimons, Universality [54] A. Nayak, Optimal Lower Bounds for Quantum Automata, of Quantum Computation with Cluster States and (X, Y)- and Random Access Codes,in Proceedings of the 40th Plane Measurements, Sci. Rep. 7, 42861 (2017). 031004-15 http://www.deepdyve.com/assets/images/DeepDyve-Logo-lg.png Physical Review X American Physical Society (APS)

Flow Ambiguity: A Path Towards Classically Driven Blind Quantum Computation

Free
15 pages

Loading next page...
 
/lp/aps_physical/flow-ambiguity-a-path-towards-classically-driven-blind-quantum-yBjAybVSGl
Publisher
The American Physical Society
Copyright
Copyright © Published by the American Physical Society
eISSN
2160-3308
D.O.I.
10.1103/PhysRevX.7.031004
Publisher site
See Article on Publisher Site

Abstract

PHYSICAL REVIEW X 7, 031004 (2017) 1,2 1,2,† 3,4,* 1,2,‡ Atul Mantri, Tommaso F. Demarie, Nicolas C. Menicucci, and Joseph F. Fitzsimons Singapore University of Technology and Design, 8 Somapah Road, Singapore 487372 Centre for Quantum Technologies, National University of Singapore, Block S15, 3 Science Drive 2, Singapore 117543 Centre for Quantum Computation and Communication Technology, School of Science, RMIT University, Melbourne, Victoria 3001, Australia School of Physics, The University of Sydney, Sydney, New South Wales 2006, Australia (Received 1 September 2016; revised manuscript received 4 April 2017; published 11 July 2017) Blind quantum computation protocols allow a user to delegate a computation to a remote quantum computer in such a way that the privacy of their computation is preserved, even from the device implementing the computation. To date, such protocols are only known for settings involving at least two quantum devices: either a user with some quantum capabilities and a remote quantum server or two or more entangled but noncommunicating servers. In this work, we take the first step towards the construction of a blind quantum computing protocol with a completely classical client and single quantum server. Specifically, we show how a classical client can exploit the ambiguity in the flow of information in measurement-based quantum computing to construct a protocol for hiding critical aspects of a computation delegated to a remote quantum computer. This ambiguity arises due to the fact that, for a fixed graph, there exist multiple choices of the input and output vertex sets that result in deterministic measurement patterns consistent with the same fixed total ordering of vertices. This allows a classical user, computing only measurement angles, to drive a measurement-based computation performed on a remote device while hiding critical aspects of the computation. DOI: 10.1103/PhysRevX.7.031004 Subject Areas: Quantum Information I. INTRODUCTION ensured with high probability are known as verifiable quantum computing protocols [5]. Large-scale quantum computers offer the promise of The first blind quantum computing protocol was proposed quite extreme computational advantages over conventional by Childs [6]. While functional, this scheme put a rather computing technologies for a range of problems spanning heavy burden on the client’s side in terms of resources, with cryptanalysis [1], simulation of physical systems [2], and the client required to control a quantum memory and to machine learning [3]. Recently, however, a new application perform SWAP gates. A subsequent protocol, from Arrighi has emerged for quantum computers: secure delegated and Salvail [7], introduced mechanisms for both verification computation [4]. and blindness for a limited range of functions and can be Consider a user wishing to have a computation performed seen as the start of an intimate link between blindness on a remote server. Two main security concerns arising for and verifiability. This link was further established with the the user relate to the privacy and the correctness of the discovery of the universal blind quantum computing computation. The privacy concern is that the description of (UBQC) protocol [8], which allows a client, equipped only their computation, both the program and any input data, with the ability to produce single-qubit states, to delegate an remains hidden even from the server. The correctness concern is that a malicious server might tamper with their arbitrary quantum computation to a universal quantum server while making it blind with unconditional security. computation, sending them a misleading result; hence, This scheme has been modified and extended several times ideally such behavior would be detectable. Quantum proto- cols have been proposed that can mitigate both of these in the last few years, with works investigating robustness concerns. In the literature, protocols that allow for program [9–11], optimality [12–14], and issues related to physical and data privacy are known as blind quantum computing implementations [15,16]. Importantly, the blind computation protocols, while protocols that allow for correctness to be protocols have proven a powerful tool in the construction of verifiable quantum computing protocols, with a number of protocols emerging in recent years based on the UBQC ncmenicucci@gmail.com protocol [17–19] and on an alternative blind protocol from tommaso_demarie@sutd.edu.sg joseph_fitzsimons@sutd.edu.sg Morimae and Fujii [20] in which the client performs single- qubit measurements rather than state preparations [21–23]. Published by the American Physical Society under the terms of The relatively low overhead in such schemes has made it the Creative Commons Attribution 3.0 License. Further distri- possible to implement both blind and verifiable quantum bution of this work must maintain attribution to the author(s) and the published article’s title, journal citation, and DOI. computing protocols in quantum optics [24–26]. 2160-3308=17=7(3)=031004(15) 031004-1 Published by the American Physical Society MANTRI, DEMARIE, MENICUCCI, and FITZSIMONS PHYS. REV. X 7, 031004 (2017) server. The server then performs a quantum computation The question of verifiability, directly rather than as a using the received data and returns the classical output to consequence of blindness, has also attracted attention. This the client, who decrypts the result using her encryption key. problem was first studied by Aharonov et al. [27],who For this setting, it was shown that secure blind quantum considered the use of a constant-sized quantum computer to computing cannot be achieved unless BPP ¼ BQP (i.e., verify a larger device. Subsequent work by Broadbent [28] unless a classical computer can efficiently simulate a reduced the requirements on the prover to mirror those quantum computer). While this is an interesting result, it used in the UBQC protocol. An entirely distinct route to imposes strong assumptions on the operational method of verification has also emerged, which considers a classical blind quantum computation with a classical client and user but requires multiple entangled but noncommuni- therefore does not seem to limit further studies in this cating servers [29,30]. Surprisingly, perhaps, many of these direction. Additionally, Aaronson et al. [39] have recently schemes are also blind, though often this was not the aim suggested that information-theoretically blind quantum of the paper. In fact, only a few examples of verifiable com- computing with a classical client is not likely to be possible puting schemes exist that are not naturally blind [31,32], because the existence of such a scheme implies unlikely and it is tempting to conjecture a fundamental link between containments between complexity classes. Additional blindness and verifiability. implications that the development of a classical-client The verification methods discussed above provide a very blind-computation protocol would have in complexity strong form of certification, amounting to interactive proofs theory are discussed in Ref. [40]. for correctness, which do not rely on any assumptions Here, we provide evidence in the opposite direction. We about the functioning of the device to be tested. From an introduce a form of delegated quantum computation using experimental point of view, the first nonclassically simu- measurement-based quantum computing (MBQC) as the lable evolution of quantum systems will most likely be underlying framework. This allows us to introduce a implemented by means of nonuniversal quantum simula- model-specific protocol that achieves a satisfying degree tors rather than fully universal quantum computers. Here, of security by directly exploiting the structure of MBQC. too, the problem arises of certifying the correct functioning We show that the classical communication received by the of a device [33] that cannot be efficiently simulated. party performing quantum operations is insufficient to However, in this regime, interactive proofs have proven reconstruct a description of the computation. This insuffi- more difficult to construct. Nonetheless, progress has been ciency remains even when the server is required only to made in developing a range of certification techniques for identify the computation up to pre- and post-processing by various physical systems. These include feasible quantum polynomial-sized classical computation, under plausible state tomography of matrix product states [34], certification complexity-theoretic assumptions. We call our scheme of the experimental preparation of resources for photonic classically driven blind quantum computing (CDBQC). quantum technologies [35], certification of simulators of The paper is structured as follows: In Sec. II, we present frustration-free Hamiltonians [36], and derivation of a a short introduction to MBQC. In Sec. III, we describe the statistical benchmark for boson sampling experiments [37]. steps of the CDBQC protocol. In Sec. IV, we use mutual A common feature among all blind quantum computing information to analyze the degree of blindness for a single protocols and interactive proofs of correctness for quantum round of the CDBQC protocol. In Sec. V, we introduce the computation is that they require that at least two parties concept of flow ambiguity, and we show how this is used by possess quantum capabilities. Removing this requirement the client to hide information from the quantum server. Our and allowing a purely classical user to interact with a single conclusions are presented in Sec. VI. quantum server would greatly expand the practicality of delegated quantum computation since it would remove large- II. MEASUREMENT-BASED scale quantum networks as a prerequisite for verifiability. In QUANTUM COMPUTATION the present work, we focus specifically on the question of In MBQC, a computation is performed by means of blind computation with a completely classical client, but single-qubit projective measurements that drive the quan- given the historic links between progress in blindness and tum information across a highly entangled resource state. verification, it is natural to expect that progress in either The most general resources for MBQC are graph states direction will likely be reflected in the other. [41]. A graph state is defined by a simple and undirected While it is presently unknown if such a protocol graph, i.e., a mathematical object G ¼ðV;EÞ composed of can exist, a negative result in this context is a scheme- a vertex set V and an edge set E, with cardinality jVj and dependent impossibility proof presented in Ref. [38]. jEj, respectively. The vertices of the graph represent the There, the author considered a scenario where a classical qubits, while their interactions are symbolized by the edges. user and a quantum server exchange classical information A graph state jGi is an N-qubit state, where N ¼jVj. Each in a two-step process. First, the classical client encodes her pffiffi qubit is initialized in the state jþi ¼ ðj0iþ j1iÞ and description of the computation using an affine encryption scheme and then sends all the classical encrypted data to the then entangled with its neighbors by controlled-Z gates, 031004-2 FLOW AMBIGUITY: A PATH TOWARDS CLASSICALLY … PHYS. REV. X 7, 031004 (2017) ˆ ˆ ˆ ˆ ˆ positive branch corresponds to the target computation. In C ¼j0ih0j ⊗ I þj1ih1j ⊗ Z , where I and Z are Zi;j i j i j general, however, these bases need to be updated based on the single-qubit identity and Pauli-Z gate, respectively. ⊗N outcomes of earlier measurements in order to ensure the Explicitly, jGi¼ C jþi . Equivalently, a graph ði;jÞ∈E Zi;j correct computation is performed. The description of the state jGi can be defined by the stabilizer relations resource state, the order of measurements, and the dependency K jGi¼jGi, with stabilizers [41] of the measurementbases on previous measurement outcomes are collectively known as a measurement pattern. ˆ ˆ ˆ K ¼ X Z ; ∀ v ∈ V; ð1Þ v v w Projective measurements are inherently random in quan- w∈N ðvÞ tum mechanics, and one needs a procedure to correct for this randomness. We show that this need for adaptation of where N ðvÞ denotes the neighborhood of v in G. Without future measurements based on previous outcomes is what loss of generality, the vertices in G can be labeled ð1; …;NÞ prevents Bob from knowing the protocol perfectly. Not in the order that the corresponding qubits are to be incidentally, it is also what circumvents the no-go result measured. We take this ordering to be implicit in the from Ref. [38]. This is because only Alice knows how she definition of the graph, for example, as the order in which is choosing to adapt future measurement bases dependent the vertices appear in the adjacency matrix for G. It is also on previous measurement outcomes: Our observation is useful to define a specific type of graph state that will be that different choices of adaptation strategy correspond to used later. An N-qubit cluster state jCSi is the graph n;m different computations in general. state corresponding to an n × m regular square-lattice graph The structure that determines how to recover determin- G . For such a graph, N ¼ nm. n;m istic evolution from a MBQC measurement pattern is called In the MBQC framework, given a resource state with g-flow [44], from “generalized quantum-information flow.” graph G, the standard procedure to perform a computation Rigorously, given some resource state jGi and a measure- is to first identify two sets of qubits fI; Og on G. This ment pattern on it, if the associated open graph GðI; OÞ procedure defines an open graph GðI; OÞ, such that I, O⊆V satisfies certain g-flow conditions (to be described later), for a given G. The set I corresponds to the input set, while then the pattern is runnable, and it is also uniformly, O denotes the output set. In general, 0 < jIj ≤ jOj ≤ jVj. strongly, and stepwise deterministic. This means that each Note that the input and output sets can overlap. The branch of the pattern can be made equal to the positive complement of I is written I , and similarly, the comple- c c branch after each measurement by application of local ment of O is O . We also denote by PðI Þ the power set of corrections, independently of the measurement angles. We all the subsets of elements in I , and we define use “deterministic” without ambiguity to indicate all these OddðKÞ ≔ fi∶jN ðiÞ ∩ Kj¼ 1 mod 2gð2Þ attributes. Note also that satisfying the g-flow conditions is a necessary and sufficient condition for determinism. as the odd neighborhood of a set of vertices K ⊆ V.In In practice, the g-flow assigns a set of local Pauli this work, we are only interested in MBQC protocols corrections to a subset of unmeasured qubits after a that implement unitary embeddings. Hence, for us, measurement. See Ref. [45] for the fine details regarding jIj¼jOj ≤ N. Intuitively, the state of the qubits in the the practicalities of g-flow. For simplicity, in the definition input set corresponds to the input state of a computation. of g-flow below adapted from Ref. [44], we assume all Similarly, the qubits in the output set will contain the qubits are measured in the XY-plane of the Bloch sphere. quantum information corresponding to the result of the The idea behind g-flow is to determine whether one can computation once all the qubits in O have been measured. find a correction operator (related to a correcting set on the In the process, the quantum information is transformed by graph) that, in the case of a nonzero measurement outcome, the same principle that governs the generalized one-bit can revert the quantum state onto the projection corre- teleportation scheme [42,43]. sponding to the zero outcome. This is done by applying For our purposes, we restrict the measurements to be stabilizer operators on the state. The g-flow conditions projective measurements in the XY-plane of the Bloch sphere, j determine whether the geometrical structure of an open denoted M ¼fj ih j g for qubit j,where j i¼ α α α j j graph allows for these corrections after each measurement. 1 iα pffiffi ðj0i e j1iÞ. As a convention, we use b ¼ 0 for the measured qubit collapsing to jþ i and b ¼ 1 for collapsing α j j Definition 1. [g-flow] For an open graph GðI; OÞ, there to j− i . The computation to be performed is specified both by exists a g-flow ðg;≻Þ if one can define a function g∶O → c c the choice of open graphGðI; OÞ and by a vector α specifying PðI Þ and a partial order ≻ on V such that ∀i ∈ O all of the measurement basis α for each qubit i. Note that these are the following conditions hold: the measurements that would be made directly on the cluster state if all the measurement outcomes were zero for nonoutput (G1) if j ∈ gðiÞ and j ≠ i, then j ≻ i; qubits—i.e., if one were to implement the positive branch of (G2) if j ⊁ i and i ≠ j, then j ∉ Odd(gðiÞ); and the MBQC computation. Importantly, by convention, the (G3) i ∉ gðiÞ and i ∈ Odd(gðiÞ). 031004-3 MANTRI, DEMARIE, MENICUCCI, and FITZSIMONS PHYS. REV. X 7, 031004 (2017) The successor function gðiÞ indicates what measurements (G1)–(G3). This process of course only provides a lower will be affected by the outcome of the measurement of qubit bound on the number of flows rather than the exact number, i, while the partial order≻ should be thought of as the causal but it will be sufficient for our purposes. order of measurements. The condition (G1) says that if a With these four criteria in place, we can define a g-flow vertex j is in the correcting set of the vertex i, then j should graph path, in this restricted version of g-flow, as an be measured after the vertex i. In other words, a correction ordered set of adjacent edges of the graph, starting from should happen after the assigned measurement. Condition an element of the input set and ending on an element of the (G2) makes sure that if the correcting set of a vertex i is output set, such that for each edge ij of the path, we have connected to a vertex j, and j is measured before the vertex i, j ∈ gðiÞ, with j ≻ i. Then, it follows that (G4) does not then the vertex j should have an even number of con- allow the g-flow graph paths to cross. To help the under- nections with the correcting set of vertex i. Then, vertex j standing of MBQC, one could think of a g-flow graph path receives an even number of equal Pauli corrections, which as a representation of a wire in the quantum circuit picture. is equivalent to receiving none; hence, no correction can This intuition will be used later in this work to count how affect earlier corrections. Finally, condition (G3) ensures many ways one could define an open graph with g-flow for that each vertex i has an odd number of connections with its our choice of total ordering, which in turn provides a link to correcting set, such that a correction is indeed performed on the idea that different open graphs with g-flow lead to i [45]. In this sense, the g-flow conditions are understood in different quantum computations. terms of geometrical conditions on the open graph. Guided by these conditions, for cluster states, here and in III. CLASSICALLY DRIVEN BLIND the following, we always adopt the same choice of vertex QUANTUM COMPUTATION labeling on the graph as shown in Fig. 1. This choice is motivated by our later goal of counting how many choices We start from the situation where Alice, the client, wants of open graphs satisfy the g-flow conditions on a given to obtain the result of a particular quantum computation. cluster state. Since a vertex labeling corresponds to a total Having no quantum devices of her own, the quantum order of measurement, it is easy to check that, in order to computation must have a classical output. We allow Alice satisfy the g-flow conditions, for any vertex i, the quantum to control a probabilistic polynomial-time universal Turing information can only move towards the right, move towards machine (i.e., a classical computer with access to random- the bottom, or stay on that vertex. Furthermore, condition ness). Alice has classical communication lines to and from (G3) imposes that the information from a vertex cannot Bob, the server. Bob has access to a universal (and move simultaneously towards the right and towards the noiseless) quantum computer. Bob could help Alice, but bottom. In order to further simplify the process of counting she does not trust him. Alice wishes to ask Bob to perform a flows, we introduce an additional criterion, which is not quantum computation for her in a way that Bob obtains as strictly required by g-flow: little information as possible about her choice of compu- tation. Without loss of generality, we assume that the (G4) If k ∈ N ðiÞ ∪ N ðjÞ, and if k ∈ gðiÞ, then k ∉ gðjÞ. quantum systems used in the protocol are qubits (two-level quantum systems [46]). In general, here and in the For G , as we shall see later, it will prove easier to n;m following, we denote by count flows satisfying (G1)–(G4) than those satisfying Δ ¼fρ ; U ;Mgð3Þ A I A the classical description of Alice’s computation, where ρ is the n-qubit input state of the computation, U is the unitary ˆ ˆ embedding that maps ρ to the output state ρ ¼ U ρ U , I O A I and M is the final set of measurements on ρ required to extract the classical output. Note that we are implying that the input state can be efficiently described classically. For instance, it could be a standard choice of input such as the ⊗n n-qubit computational basis ρ ¼j0ih0j . We also (rather pedantically) assume that the number of computational steps is at most polynomial in the input size. Making the process abstract, Alice’s desired task becomes equal to sampling the string FIG. 1. Total order of the measurements for a generic n × m ˆ ˆ p ¼fp g¼ πðΔ Þ ≔ MðU ρ U Þ; ð4Þ i A A I cluster state used as a resource state in Protocol 1. 031004-4 FLOW AMBIGUITY: A PATH TOWARDS CLASSICALLY … PHYS. REV. X 7, 031004 (2017) Protocol 1 CDBQC ðG;AÞ: Classically Driven Blind Quantum of Alice’s would-be measurements. Nonetheless, Alice can Computation. pick a canonical set of angles Protocol parameters: α ≔ ðα ; …; α Þ ∈ A ð6Þ 1 N (i) A graph G with an implicit total ordering of vertices. (ii) A set of angles A satisfying Eq. (19). corresponding to the positive branch case where b ¼ 0.As Alice’s input: discussed earlier, it is possible that the angle for qubit j must (i) A target computation Δ implemented using MBQC as be modified based on the outcomes of the preceding j − 1 Δ ¼fG; α; fg; measurements, which we denote representing a measurement pattern on G compatible with b ≔ ðb ; …;b Þ: ð7Þ <j 1 j−1 the total ordering of measurements implicit in G, which describes a unitary embedding U . The set α represents a We account for this adaptation in dependency sets sequence of N measurement angles over the graph G, with each angle chosen from a set A, which is also taken to be a x x x N s ≔ ðs ; …;s Þ ∈ Z ; ð8Þ parameter of the protocol and is known to both parties. The 1 N 2 g-flow construction f fully determines the input state ρ , in z z z N through the location of the input and output qubit sets on s ≔ ðs ; …;s Þ ∈ Z ; ð9Þ 1 N 2 the graph (I and O, respectively) and the dependency sets x z ðs ; s Þ. which depend on the b and also on the g-flow construction, <j Steps of the protocol: here represented by a bit string 1. State preparation (a) Bob prepares the graph state jGi. f ≔ ðf ; …;f Þ ∈ Z ð10Þ 2. Measurements 1 M For i ¼ 1; …;N, repeat the following: (a) Alice picks a binary digit r ∈ Z uniformly at random. i 2 of length M called the flow control bits (or just “flow bits”). x z Then, using r , s , s , and the function in Eq. (18), she At this point, we still have to quantify the value of M.Note, 0 0 computes the angle α . Alice transmits α to Bob. i i though, that it represents the number of bits needed to (b) Bob measures the ith qubit in the basis fj ig and enumerate all the possible combinations of input and output transmits to Alice the measurement outcome b ∈ Z . i 2 that satisfy the g-flow conditions [44,47]. Hence, for a fixed (c) Alice records b ¼ b ⊕ r in b and then updates the i i i x z total order of the measurements, it is a function of N. dependency sets ðs ; s Þ.If i ∈ O, then she also records Explicitly, the X and Z corrections associated with the b in p . measurement angle of each qubit j are determined by the 3. Post-processing of the output (a) Alice implements the final round of corrections on the dependency sets: C Z Z output string by calculating p ¼ p ⊕ s ,with s O O the set of Z corrections on the output at the end of the s ∶ D½b  × D½f → Z ; ð11Þ j <j 2 protocol. s ∶ D½b  × D½f → Z ; ð12Þ <j 2 where π is a map that describes the blind operation where the function D denotes the domain of the argument. z x performed by the protocol, which outputs the correct Without loss of generality, we choose s ¼ s ¼ 0 since there 1 1 probability distribution fp g on the joint measurement are no previous outcomes on which these could depend. For a outcomes given Δ as Alice’s delegated target computa- fixedopengraph GðI; OÞ, the form of the dependency sets is tion. An outline of the protocol is presented in Protocol 1. uniquely defined by the g-flow [4]. Analogously, the flow bits Let us now introduce the relevant definitions for the f fully specify the dependency sets (as functions of b). As variables used in the protocol and describe the steps such, the quantum circuit that Alice intends to implement is thoroughly. The initial step of the protocol is for Bob to specified by the information prepare the resource state jGi that will be used to implement the MBQC. Once the graph state jGi is prepared by Bob, the N M ðα; fÞ ∈ A × Z ; ð13Þ interactive part of the protocol starts with Alice communicat- ing to Bob the angles to be measured, one by one. Because of consisting of N measurement angles and M flow bits for the randomness introduced by the results of the projective a given graph with fixed total order of measurement. measurements, there exists the possibility that these angles Consequently, once the graph G is known, there exists a must be corrected based on the outcomes one-to-one correspondence GðI; OÞ ↔ f, and we can n;m accordingly denote the corresponding MBQC measure- b ≔ ðb ; …;b Þ ∈ Z ð5Þ 1 N ment pattern as follows: 031004-5 MANTRI, DEMARIE, MENICUCCI, and FITZSIMONS PHYS. REV. X 7, 031004 (2017) Δ ¼ðG ; α; fÞ: ð14Þ where ⊕ indicates addition modulo 2 for each bit. We n;m can identify the data that Bob receives during the interactive part of the protocol (some from Alice, some from his own Explicitly, note that by choosing f, Alice is defining a measurements) as unique choice of the input and output on the graph state before the protocol begins. In line with the computation 0 0 N N description from Eq. (3), we call ρ the input state on G. ðdata Bob receivesÞ ≔ ðb ; α Þ ∈ Z × A : ð21Þ I 2 We now turn our attention to what kind of information Bob receives when Alice asks him to perform the mea- The interactive part of the protocol ends when all the surements on her behalf. The interactive part of the protocol qubits have been measured and Alice holds the binary consists of N steps. At each step i, Alice requests Bob to register b, derived from b to account for the one-time pad measure, in the XY-plane of the Bloch sphere, the ith qubit, r. Since Alice knows the output set O, whenever the ith according to the total order implied by G, and he sends back qubit belongs to the set of output qubits, Alice saves b into a bit for each measurement. We identify the measurement a second binary sequence of length jOj: instructions Bob receives as a list of angles jOj p ≔ ðp ; …;p Þ ∈ Z ; ð22Þ 1 jOj B 2 0 0 0 N α ≔ ðα ; …; α Þ ∈ A ; ð15Þ 1 N where p ¼ b , ∀i ∈ O. If Bob is honest, then p is i i and we label the string of bits Alice receives from Bob as equivalent to p . At the end of the protocol, this string contains the classical result of the computation, up to 0 0 0 N b ≔ ðb ; …;b Þ ∈ Z ; ð16Þ 1 N 2 classical post-processing. This is accounted for by calcu- C Z Z lating p ¼ p ⊕ s , where s is used to represent the final O O while remembering that they are communicated alternately set of Z corrections on the output qubits. Clearly, the 0 0 0 0 (α to Bob, b to Alice, α to Bob, b to Alice, etc.). Note 1 1 2 2 classical nature of the client allows us to consider only that in the case of a dishonest Bob, the string b does not quantum computations with classical output. need to correspond to real measurement outcomes but In order for the protocol to have any utility, we require could have been generated by Bob through some alternative that the output p satisfies Eq. (4), a property known as process. correctness. The correctness of this protocol can be proved Realizing that measuring α can just as easily be effected by straightforwardly. Note that the positive branch of the asking Bob to measure α þ π and then flipping the returned MBQC pattern Δ [that is, where all the measurement outcome bit, we introduce a uniformly random N-bit string outcomes happen to be equal to zero (b ¼ 0)] implements Alice’s target computation Δ by definition. In the circuit r ≔ ðr ; …;r Þ ∈ Z ð17Þ 1 N model, this corresponds to a quantum circuit that imple- ments the unitary U over the correct input state ρ and a A I that Alice will use to pad the angles in an attempt to conceal final round of measurements whose output is the binary the measurement outcomes. All that remains is to specify string p [49]. Below, we give a proof of the correctness of how α depends on α. This is specified by the following the CDBQC protocol. functional dependence [17,47,48]: Theorem 1. [correctness] For honest Alice and Bob, the outcome of Protocol 1 is correct. 0 s z α ¼ð−1Þ α þðs þ rÞπ mod 2π; ð18Þ Proof.—There are only two differences between Protocol 1 and a conventional MBQC implementation of Δ . which follows from the g-flow construction and shows how The first is the use of r to hide measurement outcomes. corrections change subsequent measurement angles. Here, The effect of r is to add an additional π to the measurement we have used multi-index notation to present the result angle on certain qubits, resulting in a bit flip on the x z concisely as a vector. Note that the dependency sets ðs ; s Þ corresponding measurement result b . However, since this are updated by Alice after each measurement. To make the is immediately undone, it has no effect on the statistics of analysis of the protocol meaningful, we construct a domain the measurement results obtained after decoding b. for α such that the domain of all valid α is the same. Thus, in The other difference is that the g-flow construction, and general, hence the dependency sets, is only known to Alice and not to Bob. However, this does not affect the input state, which is A ¼fð−1Þ θ þ zπjθ ∈ A;x ∈ Z ;z ∈ Z g: ð19Þ 2 2 equivalent to the usual case if Alice is honest (i.e., if she correctly performs her role in implementing the protocol). Also note that now Furthermore, if Alice updates the measurement angles correctly using the dependency sets as dictated by the b ¼ b ⊕ r; ð20Þ g-flow, and Bob measures them accordingly, every branch 031004-6 FLOW AMBIGUITY: A PATH TOWARDS CLASSICALLY … PHYS. REV. X 7, 031004 (2017) of Δ is equivalent to the positive branch. Then, the In addition, we use B for the eventual measurement outcomes and R for the (uniformly random) string of measurement pattern correctly implements the unitary trans- π-shift bits that is known only to Alice. In any given run of ˆ ˆ formation ρ ¼ U ρ U . The protocol also allows Alice to out A in C the protocol, A and F are drawn from a joint prior identify the elements of the output string p in b since she probability Prðα; fÞ, which is known to Bob. Thus, knows the position of the output on thegraph. Hence, when both HðA; FÞ ≤ n þ n bits, with equality if and only if the A F Alice and Bob follow the protocol, the output string p ¼ p ⊕ prior is uniform over F and A. Note that we do not make s is the desired probability distribution that follows from the any assumptions about this prior in what follows. joint measurement of the correct quantum output. □ We have seen before that a single instance of the data 0 0 Bob receives at the end of Protocol 1 is equal to ðG; b ; α Þ. IV. BLINDNESS ANALYSIS In a stand-alone setting, this is the only data available to Bob from which he might be able to gain some information We now look at the degree of blindness for a single round about the circuit chosen by Alice. If this protocol were to be of Protocol 1. In this setting, we consider a cheating Bob used as a subroutine or in parallel with another protocol, with unbounded computational power, able to deviate from then one must analyze the security in a composable the protocol and follow any strategy allowed by the laws of framework. Such an analysis is beyond the scope of the physics. Our aim, however, is not to verify that Bob is present work and is left as an open problem. Note that the indeed performing the correct quantum computation as graph is considered a parameter of the protocol and not part requested. Instead, we want to quantify the amount of of Alice’s secret. Bob’s useful information at the end of a information that Bob can access when Protocol 1 is run single run of Protocol 1 is then equal to the mutual infor- only once (stand-alone) and compare it against the total 0 0 mation IðB ; A ; A; FÞ between the variables associated amount of information needed to describe the computation. 0 0 with the circuit ðA; FÞ and Bob’s data ðB ; A Þ. To completely identify Alice’s computation, Bob needs to In other words, we are modeling the leakage of know the description Δ . information as an unintentional classical channel between We identify variables with uppercase letters and particular Alice and Bob, where ðA; FÞ is the input of the channel instances of such variables with lowercase letters. The 0 0 and ðB ; A Þ is the output at Bob’s side. Then, the mutual probability of a given instance x of a random variable X is information tells us how many bits of the original mes- denoted PrðxÞ, and averaging over X is denoted h·i or h·i sage Bob receives on average, when averaged over many when there is no ambiguity. Given a random variable X,we uses of the channel. Importantly, one cannot recover, from call N the number of possible outcomes for the variable and mutual information, what bits of the original message are n ≔ log N the number of bits required to enumerate them. X 2 X passed to Bob. For our protocol, the mutual information We denote the Shannon entropy [50] of a random satisfies the following bound, which does not rely on any variable X by HðXÞ ≔ h− log PrðxÞi ≤ n , with equal- 2 X computational assumption but is entirely derived from ity if and only if X is uniformly random. For two ran- information theory. dom variables X and Y, their joint entropy is written Theorem 2. [blindness] In a single instance of Protocol HðX; YÞ ≔ h−log Prðx; yÞi , and the conditional en- 2 X;Y 1, the mutual information between the client’s secret input tropy of X given Y is HðXjYÞ ≔ h−log PrðxjyÞi . 2 X;Y fα; fg and the information received by the server is These satisfy bounded by 0 0 0 HðXjYÞ¼ HðX; YÞ − HðYÞ: ð23Þ IðB ; A ; A; FÞ ≤ HðA Þ: ð25Þ The mutual information of X and Y is Proof.—From the definition of mutual information, we have IðX; YÞ ≔ HðXÞþ HðYÞ − HðX; YÞ 0 0 0 0 0 0 IðB ; A ; A; FÞ¼ HðB ; A Þ − HðB ; A jA; FÞ: ¼ HðXÞ − HðXjYÞ Applying the inequality HðX; YÞ ≤ HðXÞþ HðYÞ, ¼ HðYÞ − HðYjXÞ; ð24Þ together with the fact that HðB Þ ≤ n 0 ¼ N, to the above equation yields which will be our main tool of analysis. Intuitively, IðX; YÞ measures how much information Y has about X. More 0 0 0 0 0 IðB ; A ; A; FÞ ≤ HðA Þþ N − HðB ; A jA; FÞ: ð26Þ precisely, it quantifies how much the entropy of X is 0 0 reduced, on average, when the value of Y is known. What remains to be shown is that HðB ; A jA; FÞ ≥ N. Because of the symmetry of the definition, these statements This result is proved as Lemma 4 in the Appendix by 0 0 −N also hold when the roles of X and Y are swapped. bounding Prðb ; α jα; fÞ ≤ 2 based on the full joint Let us call the angles variable A and the flow variable F. probability for the protocol. With this bound in place, Specifying Δ , in general, therefore requires n þ n bits. Eq. (25) directly follows. □ A F 031004-7 MANTRI, DEMARIE, MENICUCCI, and FITZSIMONS PHYS. REV. X 7, 031004 (2017) 0 0 The conditional entropy HðA; FjB ; A Þ quantifies the exponentially in the dimensions of the cluster state such amount of information that, on average, remains unknown that n ∝ N. to Bob about Alice’s computation at the end of Protocol 1. Theorem 3. For a cluster state corresponding to G n;m As mentioned previously, in the case where Alice chooses with fixed total order as depicted in Fig. 1, the number the measurement angles A uniformly randomly from a of different open graphs GðI; OÞ satisfying conditions finite set, one A for each qubit, and she chooses the flow F (G1)–(G4) is given by uniformly randomly from the set of all flows compatible with the total order implicit in G, then minðn;mÞ jn−mj #GðI; OÞ ¼ F F ; ð31Þ n;m 2 minðn;mÞþ1 2μ HðA; FÞ¼ n þ n : ð27Þ A F μ¼2 In this case, by calculating the conditional entropy where F is the ith Fibonacci number. 0 0 0 0 HðA; FjB ; A Þ¼ HðA; FÞ − IðB ; A ; A; FÞ; ð28Þ Proof.—The proof of this theorem is somewhat involved. We begin by considering a set of diagonal cuts acrossG ,as n;m 0 0 we have HðA; FjB ; A Þ ≥ n because of Theorem 2. Note depicted in Fig. 2(a). As we are considering only those flows that Theorem 2 guarantees zero mutual information for a that satisfy condition (G4), there is a straightforward con- single run of Protocol 1 only if n ¼ 0, which means only straint on the information flow, which can be seen by isolating one choice of measurement angle for each qubit. However, a single cut and the vertices linked by edges that the cut passes the structure of the domain of α and α [see Eq. (19)] through [see Fig. 2(b)]. In the following discussion, we forbids such a choice. A minimal choice of angles that is consider only the vertices connected by edges through which not classically simulable (via the Gottesman-Knill theorem a particular cut passes. Because of the total ordering imposed [51])is given by on the vertices of G , conditions (G1)–(G3) ensure that n;m information can only pass through a cut from the left side to π 3π 5π 7π A ¼ ; ; ; : ð29Þ the right side and not in the reverse direction. Condition (G4) 4 4 4 4 then allows exactly the set of flows where for any vertex k on In this case, for each angle α , one has n ¼2,so n ¼2N. the right side of the cut, information flows to k from at j α A Since HðA Þ ≤ n ¼ n , Bob gains at most two bits of A A information per qubit measured, with this information (a) being a nontrivial function of both α and f. V. APPLICATION TO CLUSTER STATES To conclude the security analysis of the stand-alone scenario, it is necessary to calculate the exact value of N , which in turn gives us the value of n and hence the lower bound of the conditional entropy for the case of uniform variables A, F as explained above. Clearly, this depends on the choice of G. Here, we consider the case of cluster states, where G is taken to be G with implicit total ordering of n;m vertices as illustrated in Fig. 1. Note that M, the length of (b) the bit string f, is equal to log N . When condition (G4) is 2 F included, the g-flows we consider correspond to focused g-flows [52]. Hence, there is a one-to-one correspondence between an instance of a g-flow f of F and a choice of input and output sets on the graph [52]. Here, we place a lower bound on M by counting flows that satisfy conditions (G1)–(G4). The use of the additional constraint (G4), which is not implicit in the definition of g-flow, implies that we are undercounting the total number of flows; hence, N ≥ #GðI; OÞ ; ð30Þ n;m FIG. 2. (a) A cluster-state graph G with diagonal cuts n;m where #GðI; OÞ corresponds to the number of possible n;m imposed. The flow across each cut is independent, and the ways one can define an open graph that satisfies conditions number of possible flows across each cut is indicated. (b) Several (G1)–(G4). We now show that this quantity can grow cuts with their neighboring vertices isolated. 031004-8 FLOW AMBIGUITY: A PATH TOWARDS CLASSICALLY … PHYS. REV. X 7, 031004 (2017) most one of its neighbors on the left side of the cut. So, if i, j ∈ N ðkÞ,then k ∉ gðiÞ ∩ gðjÞ. We divide the cuts into three types: (i) those having one less neighboring vertex on the left side of the cut than on the right, (ii) those having one more neighboring vertex on the left side of the cut than on the right, and (iii) those having an equal number of neighboring vertices on both sides of the cut. We label the total number of flows for each type as A , B , and C , respectively, where μ indicates the μ μ μ number of neighboring vertices on the left side of the cut, as → → FIG. 3. A and A can be constructed recursively, as shown shown in Fig. 2(b). μ μ above. Here, arrows indicate information flow, while edges In order to quantify these, we begin by noting that → → → indicate the possibility of information flow. A ¼ A þ A , where A denotes the number of flows μ μ μ μ with the restriction that information flows from the upper- most neighboring vertex on the left side of the cut to the The Fibonacci numbers can be written exactly in terms of pffiffiffi uppermost neighboring vertex on the right side of the cut, 1 the golden ratio ϕ ¼ ð1 þ 5Þ as and A denotes the number of flows where this constraint is not satisfied. These quantities can be calculated using a k −k ϕ − ð−ϕÞ F ¼ pffiffiffi : ð33Þ simple recursion relation, as follows. Here, A allows precisely one possibility for flow between the uppermost vertices of the cut, precluding For large cluster states (n, m ≫ 1), the number of possible flow from the uppermost vertex on the left side of the flows is given by cut to lower vertices on the right side. Hence, the remaining μ − 1 vertices on the left side and μ − 1 on the right side will 4ν −jn−mj=2 ð2λþ1Þjn−mj be isolated and identical to the situation where the cut #GðI; OÞ ≈ 5 ϕ ð34Þ n;m partitions one fewer vertex on each side. Thus,A ¼ A ¼ ν¼2 μ μ−1 → → A þ A . μ−1 μ−1 −ðnþm−2Þ=2 2mnþmþn−4 ¼ 5 ϕ ; ð35Þ Calculating A is a little more involved, as there are two possibilities to consider. The first is that no information where λ ¼ minðn; mÞ. The above approximation is pffiffiffi flows from the uppermost vertex on the left side of the cut k −k obtained by noting that F ≈ ϕ = 5, since jð−ϕÞ j≪1 across the cut (in which case, it is an output). In this case, for large k, and using this to approximate Eq. (31). isolation of the lower vertices occurs as in the analysis of A ; Taking N ¼ nm and assuming m grows polynomially in → → hence, there are A þ A possible flows. In the second μ−1 μ−1 n, then m ¼ polyðnÞ, and case, no information can flow into the second uppermost vertex on the right side of the cut; hence, only A flows are 2N log ϕþOðN Þ μ−1 2 #GðI; OÞ ¼ 2 ð36Þ n;m → → → → → possible. Thus, A ¼ A þ 2A ¼ A þ A . These μ μ μ−1 μ−1 μ−1 correspondences are depicted in Fig. 3. for some ϵ < 1. In such a case, using Eq. (30) and → → Note that A and A satisfy the same recursion relation μ μ evaluating to leading order, → → as the Fibonacci sequence when ordered as ðA ;A ; 1 1 → → → → A ;A ; …Þ and starting with A ¼ 1 ¼ F and A ¼ 2 n ≥ log #GðI; OÞ ≈ 1.388N: ð37Þ 2 2 1 1 F 2 n;m 2 ¼ F . It follows that A ¼ F . By similar arguments, 3 μ 2μþ2 we have B ¼ F and C ¼ F . This result implies that the conditional entropy μ 2μ μ 2μþ1 0 0 It remains only to be noted that the configuration of the HðA; FjB ; A Þ ≥ 1.388N. For the case of a computation information flow across one cut is independent of the chosen uniformly at random by Alice, the total number information flow across other cuts; hence, the total number of bits required to entirely describe her computation is of possible flows is given by the product of the possible approximately equal to 3.388N. However, Bob only flows across each cut. Therefore, receives exactly 2N bits of information from Alice (the angles α ). From Theorem 2.1 in Ref. [53], it is easy to #GðI; OÞ verify that Bob cannot decode Alice’s computation entirely n;m with unit probability. Additionally, Theorem 2.4 in minðn;mÞ−1 minðn;mÞ Y Y jn−mj Ref. [54] shows that Bob cannot guess Alice’s computation ¼ F F F ; ð32Þ 2μþ2 2ν 2 minðn;mÞþ1 −1.388N with probability greater than 2 . μ¼1 ν¼2 To make sense of this result, one should remember which simplifies to Eq. (31) as required. □ that a particular deterministic MBQC computation is 031004-9 MANTRI, DEMARIE, MENICUCCI, and FITZSIMONS PHYS. REV. X 7, 031004 (2017) characterized by identifying an input and output set on the underlying graph of the resource state, together with an information flow construction. This structure determines how the quantum information is deterministically trans- ferred via projective measurements from the physical location of the input to the output. Furthermore, once the input and output systems are fixed on the graph, the flow, if it can be constructed, is unique. Hence, in the canonical approach to MBQC, the usual procedure is to fix the input and the output and assign a partial order of measurements that guarantees determinism under a specific set of rules. Consequently, the flow construction imposes a total order of measurements, which must respect the FIG. 4. A 2 × 2 cluster state with measurement angles partial one. fα; β; γ; δg. In this example, we show how to encode two Here, we have reversed this point of view. As such, different computations using a fixed total order of measure- Theorem 3 is based on the nontrivial observation that, for a ments f1; 2; 3; 4g. The difference follows from the choice of given MBQC resource state with a fixed total order of the GðI; OÞ. In diagram (a), the input set is f1; 3g,and the measurements, choices of g-flow, i.e., choices of input and output set is f2; 4g, with g-flow function gð1Þ¼f2g and output vertices on the graph that correspond to different gð3Þ¼f4g. The equivalent circuit associated with the positive deterministic quantum computations, are generally not branch of this MBQC pattern is shown below. Note that any unique. Nonetheless, Alice’s choice of input and output final round of corrections is pushed into the classical post- enforces a unique computation among all the possible processing of the output. In diagram (b), the input set is f1; 2g, the output set is f3; 4g, gð1Þ¼f3g,and gð2Þ¼f4g. choices. This choice of g-flow is not communicated to the Similarly to (a), we show the circuit of the positive branch of server and is kept hidden by Alice, who uses it to update the MBQC pattern, and the final round of corrections is the classical instructions sent to Bob. This observation classically post-processed. makes it possible for a client to conceal the flow of quantum information from a quantum server classically instructed on what operations to perform. In particular, since a large number of other computations are still compatible with the information Bob receives, the achieved blindness follows from the ambiguity about the flow of information on the graph. Furthermore, our protocol circumvents the scheme-dependent no-go theo- rem for classical blind quantum computing stated in Ref. [38]. Here, we do not make use of any affine encryption on the client’s side, but as mentioned above, we use flow ambiguity to encode a part of the client’s computation. As a consequence of this encoding, Protocol 1 requires multiple rounds of communication between the client and server. This requirement is in direct contrast with the assumptions of Ref. [38], where only one round of communication is allowed. We can additionally make two important observations. The first is that the circuits implementable on G are not n;m classically simulable unless BPP ¼ BQP. This stems from the fact that the cluster state is universal with only XY-plane measurements, as has recently been proven in Ref. [55]. The above bound provides an exponential lower bound on the number of consistent flows for all cluster states. The second observation is that the computations corresponding FIG. 5. List of the nine possible GðI; OÞ combinations 2;2 to different choices of flow are not equivalent, even when (and associated patterns) with g-flow for the cluster state classical post-processing is allowed. This can most easily jCSi . The arrows indicate the direction of the quantum 2;2 be seen by considering an example. We consider the information flow. Note that overlapping input and output sets simplest case of the 2 × 2 plaquette jCSi . In Fig. 4, 2;2 are allowed. All the patterns implement unitary embeddings on we show an example of two different choices of open the input state. 031004-10 FLOW AMBIGUITY: A PATH TOWARDS CLASSICALLY … PHYS. REV. X 7, 031004 (2017) computations. Since in this particular case the input state (C jþþi) is equivalent, the difference is dictated by the unitary transformation (specified by the measurement angles) that acts on it. As can be seen from Fig. 4, the corresponding circuits are different and perform different unitaries. Because of the flow ambiguity and the obfusca- tion due to the one-time pad, a quantum server that was to perform the measurements following Protocol 1, at the end of the procedure, would not have enough information to exactly identify Alice’s choice of open graph. For G , 2;2 there are nine possible flow configurations as expected from Eq. (31), which are depicted in Fig. 5. Given any fixed transcript of the protocol, for each flow there exists a choice of α such that it is consistent with the transcript. An example run of Protocol 1 is presented in Fig. 6 for the G case. 2;2 As a final comment, it is clear that there exist cases where, for a fixed graph and choice of angles, different choices of flows will correspond to the same computation. For instance, referring to Fig. 5, measuring all qubits with the same angle would give a two-to-one correspondence for some of the computations. However, it is reasonable to conjecture that when the angles are chosen from sets of large cardinality, the mapping will be close to one to one. The full characterization of the mapping is left as an open problem. VI. DISCUSSION AND CONCLUSIONS Our overall motivation in this work has been to explore the possibility of classically driven blind quantum com- putation. While this may seem an impossible task, the fact that multiple nonequivalent computations in the MBQC model can yield the same transcript of measurement angles and results, even when the resource state and order of measurements are fixed, allows the tantalizing FIG. 6. Illustration of an exemplary run of Protocol 1. At the start possibility that it may be possible for a classical user to of the protocol, Alice’s computation is expressed as a measurement hide a computation from a quantum server. Protocol 1 pattern on a graph, in this case, G . This is communicated to Bob, 2;2 makes use of this flow ambiguity to provide some who prepares the initial state. The computation then proceeds in x z measure of hiding for quantum computations chosen rounds with Alice computing the relevant entries of s and s and, from certain restricted sets. Our intention in introducing using these together with r , the measurement angle α .The this protocol is not to provide a practical cryptographic measurement angle α is communicated to Bob, who performs the measurement and returns the result to Alice as b .From this, protocol but rather to demonstrate that it is indeed Alice computes b as b ⊕ r . This process is repeated until all qubits i i possible to hide nonequivalent quantum computations have been measured. At the end of the protocol, for any fixed using this flow ambiguity. As such, we concentrate on 0 0 transcript of the communication (composed ofα andb ), it is always showing that in a single run of the protocol, the amount of possible to find a choice for α consistent with the transcript for any information obtained by the server is bounded, rather than choice of f. In other words, for any of the possible g-flow introducing a composable security definition, which is configurations shown in Fig. 5, Bob can find an α that would have led to the transcript he recorded, which means any of those g-flows is nontrivial given the dependence of the leaked information possible. This ambiguity is responsible for partially hiding Alice’s on the responses of the server. computation from Bob. Our results provoke a couple of questions. The first and most obvious is whether the flow ambiguity effect can be graphs compatible with the underlying total order of exploited to hide a universal set of computations even after measurements. Both choices satisfy the g-flow conditions, the measurement angles have been communicated to the and as a result, they correspond to two deterministic server. A second and perhaps even more important question MBQC patterns, i.e., two different and well-defined is whether this phenomenon can be used as a building block 031004-11 MANTRI, DEMARIE, MENICUCCI, and FITZSIMONS PHYS. REV. X 7, 031004 (2017) for verification of quantum computers by completely With these direct-dependency limitations, we can classical users. immediately write down the form of the full joint probability for the entire protocol: ACKNOWLEDGMENTS 0 0 Prðb ; α ; α; f; b; rÞ The authors thank Rafael Alexander, Niel de Beaudrap, Michal Hajdušek, Elham Kashefi, Simon Perdrix, and 0 0 0 0 ¼ Prðα; fÞ Prðb jb ; α Þ Prðα jα ; f; b ;r Þ j <j j j <j ≤j j Carlos Pérez-Delgado for interesting discussions and j¼1 valuable insights. T. F. D. thanks Yingkai Ouyang for carefully reading an early version of this manuscript ×Prðb jb ;r Þ Prðr Þ: ðA1Þ j j j and for his helpful comments. J. F. F. acknowledges support from the Air Force Office of Scientific Research Furthermore, we can explicitly write several of these under Grant No. FA2386-15-1-4082. N. C. M. is supported probabilities: by the Australian Research Council under Grant No. DE120102204, by the Australian Research Council Prðb jb ;r Þ¼ δ ; ðA2Þ j j j b ⊕r Centre of Excellence for Quantum Computation and j Communication Technology (Project No. CE170100012), and by the U.S. Defense Advanced Research Projects Prðα jα ; f; b ;r Þ¼ δ ; ðA3Þ j j <j j Agency (DARPA) Quiness program under Grant G ðα ;f;b ;r Þ j j <j j No. W31P4Q-15-1-0004. This material is based on research funded by the Singapore National Research Foundation under NRF Award No. NRF-NRFF2013-01. Prðr Þ¼ ; ðA4Þ A. M. and T. F. D. contributed equally to this work. with the deterministic function APPENDIX: FULL JOINT PROBABILITY FOR G ðα ; f; b ;r Þ j j <j j THE PROTOCOL AND CONDITIONAL s ðf;b Þ z <j ENTROPY BOUND ≔ ð−1Þ α þ πs ðf; b Þþ πr mod 2π ðA5Þ j <j j 0 0 Lemma 4. HðB ; A jA; FÞ ≥ N regardless of Bob’s obtained from Eq. (18). These hold for all j. At this point, strategy. we have the most general form of the full joint probability Proof.—We construct the full joint probability for all of consistent with the protocol: the variables in Protocol 1 and use it to explicitly derive the desired result. Direct dependencies in the joint 0 0 Prðb ; α ; α; f; b; rÞ probability will be limited by causality and the assump- tions that Alice’sand Bob’s laboratories are secure and Y 0 Prðα; fÞ α b 0 0 0 free of each others’ espionage. These limitations are as ¼ δ Prðb jb ; α Þδ ; ðA6Þ j <j ≤j N b ⊕r G ðα ;f;b ;r Þ j j <j j follows: j¼1 (i) The flow bits F and ideal measurement angles A directly depend on no other variables. They are where we have left Bob’s strategy arbitrary but consistent inputs to the problem chosen by Alice and can be with the direct-dependency restrictions given above. correlated. Marginalizing over B gives (ii) Each π-shift bit R in R is chosen by flipping a fair coin; thus, it directly depends on no other variables. 0 0 Prðb ; α ; α; f; rÞ (iii) Alice assigns A based directly on the current A , all 0 0 flow bits F, the current R , and any prior decoded j ¼ Prðb ; α ; α; f; b; rÞðA7Þ bits B . b <j (iv) Each decoded bit B directly depends only on R j j (the π-shift bit) and the bit B received from Bob. j Y Prðα; fÞ α 0 0 0 0 (v) Each bit B that Bob returns to Alice directly ¼ Prðb jb ; α Þδ : ðA8Þ j j <j ≤j N G ðα ;f;b ⊕r ;r Þ j j <j j <j depends only on the information Bob has on hand j¼1 0 0 at the time (specifically, B and A ), as well as any <j ≤j (classical or quantum) stochastic strategy he wishes From this joint probability distribution, we can to employ. compute 031004-12 FLOW AMBIGUITY: A PATH TOWARDS CLASSICALLY … PHYS. REV. X 7, 031004 (2017) 0 0 Prðb ; α ; α; f; rÞ 0 0 Prðb ; α jα; fÞ¼ ðA9Þ Prðα; fÞ X X XX Y 1 α 0 0 0 ¼ … Prðb jb ; α Þδ ðA10Þ j <j ≤j N G ðα ;f;b ⊕r ;r Þ j j <j j <j r r r r j¼1 1 N−2 N−1 N N N−1 Y X XX Y 1 α 0 0 0 ¼ Prðb jb ; α Þ … δ j <j ≤j N G ðα ;f;b ⊕r ;r Þ j j <j j <j r r r j¼1 j¼1 1 N−2 N−1 0 0 α α N N × ðδ þ δ Þ ðA11Þ 0 0 G ðα ;f;b ⊕r ;0Þ G ðα ;f;b ⊕r ;1Þ j N <N j N <N <N <N |fflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflffl{zfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflffl} at most one term is nonzero N N−1 Y X XX Y 0 1 α 0 0 0 ≤ Prðb jb ; α Þ … δ ðA12Þ j <j ≤j N G ðα ;f;b ⊕r ;r Þ j j <j j <j j¼1 r r r j¼1 1 N−2 N−1 N N−2 Y X X Y 0 1 α 0 0 0 ≤ Prðb jb ; α Þ … δ 0 ðA13Þ j <j ≤j N G ðα ;f;b ⊕r ;r Þ j j <j j <j j¼1 r r j¼1 1 N−2 Y X 1 α 0 0 0 1 ≤ Prðb jb ; α Þ δ ðA14Þ j <j ≤j N G ðα ;f;r Þ 1 1 1 j¼1 r 0 0 0 ≤ Prðb jb ; αÞðA15Þ j <j ≤j j¼1 ≤ : ðA16Þ [4] V. Dunjko, J. Fitzsimons, C. Portmann, and R. Renner, In theabove,wehaverepeatedlyusedthe fact that G has Advances in Cryptology—ASIACRYPT 2014 (Springer, at most one r that makes it equal to α for any given j j Berlin, Heidelberg, 2014). ðα ; f; b Þ. Therefore, substituting the above bound into j <j [5] Formal definitions of blindness and verifiability can be the conditional entropy formula gives found in [4]. X [6] A. Childs, Secure Assisted Quantum Computation, Quantum 0 0 0 0 HðB ; A jA; FÞ¼ Prðα; fÞHðB ; A jA ¼ α; F ¼ fÞ Inf. Comput. 5, 456 (2005). α;f [7] P. Arrighi and L. Salvail, Blind Quantum Computation, Int. J. Quantum. Inform. 04, 883 (2006). ≥ Prðα; fÞN ¼ N: ðA17Þ [8] A. Broadbent, J. Fitzsimons, and E. Kashefi, Universal α;f Blind Quantum Computation,in Proceedings of the 50th Annual IEEE Symposium on Foundations of Computer Science (FOCS) (IEEE, Atlanta, 2009), pp. 517–526. [9] T. Morimae and K. Fujii, Blind Topological Measurement- Based Quantum Computation, Nat. Commun. 3, 1036 [1] P. W. Shor, Polynomial-Time Algorithms for Prime (2012). Factorization and Discrete Logarithms on a Quantum [10] T. Sueki, T. Koshiba, and T. Morimae, Ancilla-Driven Computer, SIAM Rev. 41, 303 (1999). Universal Blind Quantum Computation, Phys. Rev. A 87, [2] S. Lloyd, Universal Quantum Simulators, Science 273, 1073 (1996). 060301 (2013). [3] S. Lloyd, M. Mohseni, and P. Rebentrost, Quantum Algo- [11] C.-H. Chien, R. V. Meter, and S.-Y. Kuo, Fault-Tolerant rithms for Supervised and Unsupervised Machine Learning, Operations for Universal Blind Quantum Computation, arXiv:1307.0411 [Phys. Rev. X (to be published)]. J. Emerg. Technol. Comput. Syst. 12, 26 (2015). 031004-13 MANTRI, DEMARIE, MENICUCCI, and FITZSIMONS PHYS. REV. X 7, 031004 (2017) [12] A. Mantri, C. Perez-Delgado, and J. Fitzsimons, Optimal [33] P. Hauke, F. M. Cucchietti, L. Tagliacozzo, I. Deutsch, and Blind Quantum Computation, Phys. Rev. Lett. 111, 230502 M. Lewenstein, Can One Trust Quantum Simulators?, Rep. (2013). Prog. Phys. 75, 082401 (2012). [13] V. Giovannetti, L. Maccone, T. Morimae, and T. Rudolph, [34] M. Cramer, M. B. Plenio, S. T. Flammia, R. Somma, Efficient Universal Blind Quantum Computation, Phys. D. Gross, S. D. Bartlett, O. Landon-Cardinal, D. Poulin, Rev. Lett. 111, 230501 (2013). and Y.-K. Liu, Efficient Quantum State Tomography, Nat. [14] C. Perez-Delgado and J. Fitzsimons, Iterated Gate Commun. 1, 149 (2010). Teleportation and Blind Quantum Computation, Phys. [35] L. Aolita, C. Gogolin, M. Kliesch, and J. Eisert, Reliable Rev. Lett. 114, 220502 (2015). Quantum Certification of Photonic State Preparations, Nat. [15] T. Morimae, Continuous-Variable Blind Quantum Compu- Commun. 6, 8498 (2015). tation, Phys. Rev. Lett. 109, 230502 (2012). [36] D. Hangleiter, M. Kliesch, M. Schwarz, and J. Eisert, Direct [16] V. Dunjko, E. Kashefi, and A. Leverrier, Blind Quantum Certification of a Class of Quantum Simulations, Quantum Computing with Weak Coherent Pulses, Phys. Rev. Lett. Science Technology 2, 015004 (2017). 108, 200502 (2012). [37] M. Walschaers, J. Kuipers, J.-D. Urbina, K. Mayer, M. C. [17] J. Fitzsimons and E. Kashefi, Unconditionally Verifiable Tichy, K. Richter, and A. Buchleitner, Statistical Benchmark Blind Computation, arXiv:1203.5217 [Phys. Rev. X (to be for Boson Sampling, New J. Phys. 18, 032001 (2016). published)]. [38] T. Morimae and T. Koshiba, Impossibility of Secure Cloud [18] M. Hajdušek, C. Perez-Delgado, and J. Fitzsimons, Device- Quantum Computing for Classical Client, arXiv:1407.1636. Independent Verifiable Blind Quantum Computation, [39] S. Aaronson, A. Cojocaru, A. Gheorghiu, and E. Kashefi, arXiv:1502.02563v1 [Phys. Rev. X (to be published)]. On the Implausibility of Classical Client Blind Quantum [19] A. Gheorghiu, E. Kashefi, and P. Wallden, Robustness and Computing, arXiv:1704.08482v1. Device Independence of Verifiable Blind Quantum Comput- [40] V. Dunjko and E. Kashefi, Blind Quantum Computing with ing, New J. Phys. 17, 083040 (2015). Two Almost Identical States, arXiv:1604.01586. [20] T. Morimae and K. Fujii, Blind Quantum Computation [41] R. Raussendorf and H. J. Briegel, A One-Way Quantum Protocol in which Alice Only Makes Measurements, Phys. Computer, Phys. Rev. Lett. 86, 5188 (2001). Rev. A 87, 050301 (2013). [42] D. Gottesman and I. L. Chuang, Demonstrating the Viability [21] T. Morimae, Verification for Measurement-Only Blind of Universal Quantum Computation Using Teleportation Quantum Computing, Phys. Rev. A 89, 060302 (2014). and Single-Qubit Operations, Nature (London) 402, 390 [22] M. Hayashi and T. Morimae, Verifiable Measurement-Only (1999). Blind Quantum Computing with Stabilizer Testing, Phys. [43] X. Zhou, D. W. Leung, and I. L. Chuang, Methodology for Rev. Lett. 115, 220502 (2015). Quantum Logic Gate Constructions, Phys. Rev. A 62, [23] M. Hayashi and M. Hajdusek, Self-Guaranteed Measurement- 052316 (2000). Based Quantum Computation, arXiv:1603.02195 [Phys. [44] D. Browne, E. Kashefi, M. Mhalla, and S. Perdrix, Rev. X (to be published)]. Generalized Flow and Determinism in Measurement-Based [24] S. Barz, E. Kashefi, A. Broadbent, J. Fitzsimons, A. Quantum Computation, New J. Phys. 9, 250 (2007). Zeilinger, and P. Walther, Demonstration of Blind Quantum [45] D. Markham and E. Kashefi, Entanglement, Flow and Computing, Science 335, 303 (2012). Classical Simulatability in Measurement Based Quantum [25] S. Barz, J. Fitzsimons, E. Kashefi, and P. Walther, Exper- Computation, arXiv:1311.3610. imental Verification of Quantum Computation, Nat. Phys. 9, [46] M. Nielsen and I. Chuang, Quantum Computation and 727 (2013). Quantum Information (Cambridge University Press, [26] C. Greganti, M.-C. Roehsner, S. Barz, T. Morimae, and P. Cambridge, England, 2000). Walther, Demonstration of Measurement-Only Blind [47] V. Danos and E. Kashefi, Determinism in the One-Way Quantum Computing, New J. Phys. 18, 013020 (2016). Model, Phys. Rev. A 74, 052310 (2006). [27] D. Aharonov, M. Ben-Or, and E. Eban, in Proceedings of [48] V. Danos, E. Kashefi, and P. Panangaden, The Measurement Innovations in Computer Science (Tsinghua University Calculus, J. ACM 54, 8 (2007). Press, Beijing, 2010). [49] R. Raussendorf, D. E. Browne, and H. J. Briegel, [28] A. Broadbent, How to Verify a Quantum Computation, Measurement-Based Quantum Computation on Cluster arXiv:1509.09180. States, Phys. Rev. A 68, 022312 (2003). [29] B. Reichardt, F. Unger, and U. Vazirani, Classical Com- [50] T. M. Cover and J. A. Thomas, Elements of Information mand of Quantum Systems, Nature (London) 496, 456 Theory (John Wiley & Sons, New York, 2012). (2013). [51] D. Gottesman, The Heisenberg Representation of Quantum [30] M. McKague, Interactive Proofs for BQP via Self-Tested Computers, arXiv:quant-ph/9807006. Graph States, Theo. Comput. 12, 1 (2016). [52] M. Mhalla, M. Murao, S. Perdrix, M. Someya, and P. S. [31] J. F. Fitzsimons and M. Hajdušek, Post Hoc Verification of Turner, Which Graph States are Useful for Quantum Quantum Computation, arXiv:1512.04375 [Phys. Rev. Lett. Information Processing?,in Theory of Quantum Compu- (to be published)]. tation, Communication, and Cryptography, edited by D. [32] T. Morimae and J. F. Fitzsimons, Post Hoc Verification with Bacon, M. Martin-Delgado, and M. Roetteler, Lecture a Single Prover, arXiv:1603.06046 [Phys. Rev. Lett. (to be Notes in Computer Science Vol. 6745 (Springer, Berlin, published)]. Heidelberg, 2014), p. TQC 2011. 031004-14 FLOW AMBIGUITY: A PATH TOWARDS CLASSICALLY … PHYS. REV. X 7, 031004 (2017) [53] A. Ambainis, A. Nayak, A. Ta-Shma, and U. Vazirani, Dense Annual Symposium on Foundations of Computer Science Quantum Coding and a Lower Bound for 1-Way Quantum (FOCS ’99) (IEEE Computer Society, Washington, DC, Automata,in Proceedings of the 31st Annual ACM Sympo- 1999), p. 369. sium on Theory of Computing, 1999, pp. 376–383. [55] A. Mantri, T. F. Demarie, and J. F. Fitzsimons, Universality [54] A. Nayak, Optimal Lower Bounds for Quantum Automata, of Quantum Computation with Cluster States and (X, Y)- and Random Access Codes,in Proceedings of the 40th Plane Measurements, Sci. Rep. 7, 42861 (2017). 031004-15

Journal

Physical Review XAmerican Physical Society (APS)

Published: Jul 1, 2017

There are no references for this article.

You’re reading a free preview. Subscribe to read the entire article.


DeepDyve is your
personal research library

It’s your single place to instantly
discover and read the research
that matters to you.

Enjoy affordable access to
over 12 million articles from more than
10,000 peer-reviewed journals.

All for just $49/month

Explore the DeepDyve Library

Unlimited reading

Read as many articles as you need. Full articles with original layout, charts and figures. Read online, from anywhere.

Stay up to date

Keep up with your field with Personalized Recommendations and Follow Journals to get automatic updates.

Organize your research

It’s easy to organize your research with our built-in tools.

Your journals are on DeepDyve

Read from thousands of the leading scholarly journals from SpringerNature, Elsevier, Wiley-Blackwell, Oxford University Press and more.

All the latest content is available, no embargo periods.

See the journals in your area

DeepDyve Freelancer

DeepDyve Pro

Price
FREE
$49/month

$360/year
Save searches from
Google Scholar,
PubMed
Create lists to
organize your research
Export lists, citations
Read DeepDyve articles
Abstract access only
Unlimited access to over
18 million full-text articles
Print
20 pages/month
PDF Discount
20% off