Secure Two-Party Quantum Evaluation of Unitaries Against Specious Adversaries Fr´ed´eric Dupuis1⋆, Jesper Buus Nielsen2, and Louis Salvail3⋆⋆ 1 Institutefor Theoretical Physics, ETH Zurich, Switzerland [email protected] 2 DAIMI,AarhusUniversity,Denmark [email protected] 3 Universit´edeMontr´eal (DIRO),QC, Canada [email protected] Abstract. Wedescribehowanytwo-partyquantumcomputation,spec- ifiedbyaunitarywhichsimultaneouslyactsontheregistersofbothpar- ties,canbeprivatelyimplementedagainstaquantumversionofclassical semi-honest adversaries thatwe callspecious. Ourconstruction requires two ideal functionalities to garantee privacy: a private SWAP between registersheldbythetwopartiesandaclassicalprivateAND-boxequiva- lenttooblivioustransfer.IftheunitarytobeevaluatedisintheClifford group then only one call to SWAP is required for privacy. On the other hand, any unitary not in the Clifford requires one call to an AND-box perR-gateinthecircuit.SinceSWAPisitselfintheCliffordgroup,this functionalityisuniversalfortheprivateevaluationofanyunitaryinthat group. SWAP can be built from a classical bit commitment scheme or an AND-box but an AND-box cannot be constructed from SWAP. It follows that unitaries in the Clifford group are to some extent the easy ones. Wealso show that SWAPcannot beimplemented privately in the bare model. 1 Introduction Inthispaper,weaddresstheproblemofprivatelyevaluatingsomeunitarytrans- form U upon a joint quantum input state held by two parties. Since unitaries model what quantum algorithms are implementing, we can see this problem as a natural extension of secure two-party evaluation of functions to the quantum realm.Suppose that a state φin is the initial sharedstate where Alice | i∈A⊗B holds register and Bob holds register . Let U U( ) be some unitary A B ∈ A⊗B transform acting upon and . What cryptographic assumptions are needed A B for a private evaluationof φout =U φin where private means that eachplayer | i | i learnsnomorethaninthe idealsituationdepictedinFig.1?Ofcourse,answers to this question depend upon the adversary we are willing to tolerate. ⋆ Supported byCanada’s NSERCPostdoctoral Fellowship Program. ⋆⋆ SupportedbyCanada’sNSERCdiscoverygrant,MITACS,andtheQuantumWorks networks(NSERC). In [18], it was shown that unitaries cannot be used to implement classical cryptographic prim- |φini(A U A )|φouti B B itives. Any non-trivial primitive implemented by unitaries will necessarily leak information toward Fig.1. Ideal Functionality one party. Moreover, this leakage is available to a for unitary U. weak class of adversaries that can be interpreted asthe quantumversionofclassicalsemi-honestad- versaries.Itfollowsthatquantumtwo-partycomputationofunitariescannotbe used to implement classicalcryptographic primitives. This opens the possibility that the cryptographic assumptions needed for private evaluations of unitaries are weakerthan for their classicalcounterpart. So, what classicalcryptographic assumptions, if any, are required to achieve privacy in our setting? Are there unitaries more difficult to evaluate privately than others? In this work, we answer these questions against a class of weak quantum adversaries,called specious, related to classical semi-honestadversaries.We say that a quantum adversary is specious if at any step during the execution of a protocol,itcanprovideajudgewithsomestatethat,whenjoinedwiththestate held by the honest player, will be indistinguishable from a honest interaction. In other words, an adversary is specious if it can pass an audit with success at anystep.Mostknownimpossibilityproofsinquantumcryptographyapplywhen the adversary is restricted to be specious. Definitions similar to ours have been proposed for the quantum setting and usually named semi-honest. However, translating our definition to the classical setting produces a strictly stronger class of adversaries than semi-honest4 which justifies not adopting the term semi-honest. We propose the name specious as the core of the definition is that the adversary must appear to act honestly. Contributions. First, we define two-party protocols for the evaluation of uni- taries having access to oracle calls. This allows us to consider protocols with securityrelyingonsomeidealfunctionalities inordertobe private.We thensay that a protocol is in the bare model if it does not involve any call to an ideal functionality. We then formally define what we mean by specious adversaries. Privacyis then defined via simulation.We saythat a protocolfor the two-party evaluation of unitary U is private against specious adversaries if, for any joint input state and at any step of the protocol, there exists a simulator that can reproduce the adversary’s view having only access to its own part of the joint input state. Quantum simulation must rely on a family of simulators for the view of the adversary rather than one because quantum information does not accumulate but can vanish as the protocol evolves. For instance, consider the 4 As an example, assume there exist public key cryptosystems where you can sample a public key without learning the secret key. Then this is a semi-honest oblivious transform:Thereceiver,withchoicebitc,samplespkc inthenormalwayandlearns its corresponding secret key and samples pk1−c without learning its secret key. He sends (pk0,pk1). Then the sender sends (Epk0(m0),Epk1(m1)) and the receiver de- crypts Epkc(mc). This is not secure against a specious adversary who can sample pk1−c along with its secret keysk1−c and then delete sk1−c before theaudit. trivialprotocolthatletAlicesendherinputregistertoBobsothathecanapply locally φout = U φin before returning her register. The final state of such a | i | i protocolis certainly private,as Bob cannotclone Alice’s input and keepa copy, yet at some point Bob had access to Alice’s input thus violating privacy. No simulator can possibly reproduce Bob’s state after he received Alice’s register without having access to her input state. Second, we show that no protocol can be shown statistically private against specious adversariesin the bare model for a very simple unitary: the swap gate. As the name suggests, the swap gate simply permutes Alice’s and Bob’s input states. Intuitively, the reason why this gate is impossible is that at some point during the execution of such protocol, one party that still has almost all its own input state receives a non-negligible amount of information (in the quan- tum sense) about the other party’s input state. At this point, no simulator can possibly re-produce the complete state held by the receiving party since a call to the ideal functionality only provides access to the other party’s state while no call to the ideal functionality only provides information about that party’s owninput. Therefore,any simulatorcannot re-producea state that contains in- formation about the input states of both parties. It follows that cryptographic assumptions are needed for the private evaluation of unitaries against specious adversaries. On the other hand, a classical bit commitment is sufficient to im- plement the swap privately in our model. Finally, we give a very simple protocolfor the private evaluation of any uni- tarybasedonideas introducedby [8,7]inthe contextoffaulttolerantquantum computation. Our construction is similar to Yao’s original construction in the classical world[23,10]. We represent any unitary U by a quantum circuit made outofgatestakenfromtheuniversalset = X,Y,Z,CNOT,H,P,R [14].The UG { } protocol evaluates each gate of the circuit upon shared encrypted input where the encryption uses the Pauli operators X,Y,Z together with the identity. In addition to the Pauli gates X,Y, and Z{, gates C}NOT, H, and P can easily be performed over encrypted states without losing the ability to decrypt. Gates of thatkindbelongtowhatiscalledtheClifford group.TheCNOTgateistheonly gatein actinguponmorethanonequbitwhiletheR-gateistheonlyonethat UG does not belong to the Clifford group. In order to evaluate it over an encrypted state while preserving the ability to decrypt, we need to rely upon a classical idealfunctionalitycomputingsecurelyanadditivesharingfortheANDofAlice’s and Bob’s input bits. We call this ideal functionality an AND-box. Upon input x 0,1 forAliceandy 0,1 forBob,itproducesa 0,1 andb 0,1 R ∈{ } ∈{ } ∈ { } ∈{ } to Alice and Bob respectively such that a b=x y. An AND-box can be ob- ⊕ ∧ tained from any flavor of oblivious transfer and is defined the same way than an NL-box[15,16] without the property that its output can be obtained before the input of the other player has been provided to the box (i.e., NL-boxes are non-signaling). The equivalence between AND-boxes, NL-boxes, and oblivious transfer is discussed in [22]. At the end of the protocol, each part of the shared key allowing to decrypt the output must be exchanged in a fair way. For this task,Alice and Bobrely upon an idealswapfunctionality calledSWAP. The re- sultisthatanyU canbeevaluatedprivatelyuponanyinputprovidedAliceand Bob have access to one AND-box per R-gate and one call to the an ideal swap. Ifthe circuithappens to haveonly gatesinthe Cliffordgroupthen onlyonecall to an ideal swap is required for privacy. In other words, SWAP is universal for the privateevaluationofcircuitsintheCliffordgroup(i.e.,thosecircuitshaving no R-gate) and itself belongs to that group (SWAP is not a classical primitive). To some extent, circuits in the Clifford group are the easy ones. Privacy for cir- cuits containing R-gateshoweverneeds a classicalcryptographicprimitive to be evaluated privately by our protocol. It means that AND-boxes are universal for theprivateevaluationofanycircuitagainstspeciousadversaries.Wedon’tknow whether there exist some unitary transforms that are universal for the private evaluation of any unitary against specious adversaries. Previous works. Allimpossibilityresultsinquantumcryptographyweareaware ofapplytoclassicalprimitives.Infact,theimpossibilityproofsusuallyrelyupon the fact that an adversary with a seemingly honest behavior can force the im- plementation of classicalprimitives to behave quantumly. The result being that implemented that way, the primitive must leak information to the adversary. This is the spirit behind the impossibility of implementing oblivious transfer securely using quantum communication[11]. In that same paper the impossi- bility of any one-sided private evaluation of non-trivial primitives was shown. All these results can be seen as generalizations of the impossibility of bit com- mitment schemes based on quantum communication[12,13]. The most general impossibility result we are aware of applies to any non-trivial two-party classi- cal function[18]. It states that it suffices for the adversary to purify its actions in order for the quantum primitive to leak information. An adversary purify- ing its actions is specious as defined above. None of these impossibility proofs apply to quantum primitives characterized by some unitary transform applied to joint quantum inputs. Blind quantum computation is a primitive that shows similaritiestoours.In[5],aprotocolallowingaclientto getitsinputto aquan- tum circuit evaluated blindly has been proposed. The security of their scheme is unconditional while in our setting almost no unitary allows for unconditional privacy. An unpublished work of Smith[20] shows how one can devise a private pro- tocol for the evaluation of any unitary that seems to remain private against all quantumadversaries.However,thetechniquesusedrequirestrongcryptographic assumptionslike homomorphicencryptionschemes,zero-knowledgeandwitness indistinguishableproofsystems.Theconstructionisinthespiritofprotocolsfor multiparty quantum computation[4,6] and fault tolerant quantum circuits[19, 2]. Although our protocol only guarantees privacy against specious adversaries, it is obtained using much weaker cryptographic assumptions. 2 Preliminaries TheN-dimensionalcomplexEuclideanspace(i.e.,Hilbertspace)willbedenoted by .Wedenotequantumregistersusingcalligraphictypeset .Asusual, N H A A⊗ denotesthespaceoftwosuchquantumregisters.Wewrite when and B A≈B A are such that dim( ) = dim( ). A register can undergo transformations B A B A as a function of time; we denote by the state of space at time i. When a i A A quantum computation is viewedas a circuit accepting input in , we denote all wires in the circuit by w . If the circuit accepts input in A then the set of all wires is denoted w ∈A . A⊗B ∈A∪B Thesetofalllinearmappingsfrom to is denotedbyL( , )whileL( ) A B A B A stands for L( , ). To simplify notation, for ρ L( ) and M L( , ) we A A ∈ A ∈ A B write M ρ for MρM . We denote by Pos( ) the set of positive semi-definite † · A operators in . The set of positive semi-definite operators with trace 1 acting A on isdenotedD( );D( ) isthesetofallpossiblequantumstatesforregister A. AAn operator A AL( ,A) is called a linear isometry if A A=11 . The set of † ∈ A B A unitary operators (i.e., linear isometries with = ) acting in is denoted by B A A U( ).The identityoperatorin isdenoted11 andthe completelymixedstate inAD( ) is denoted by I . ForAany positive inAteger N > 0, 11 and I denote N N A A the identity operator respectively the completely mixed state in . When the N H context requires, a pure state ψ will be written ψ AB to make explicit | i ∈ AB | i the registers in which it is stored. AlinearmappingΦ:L( ) L( )iscalledasuper-operator since itbelongs A 7→ B to L(L( ),L( )). Φ is said to be positive if Φ(A) Pos( ) for all A Pos( ). A B ∈ B ∈ A The super-operator Φ is said to be completely positive if Φ 11 is positive L( ) for every choice of the Hilbert space . A super-operator Φ⊗canZbe physically Z realized or is admissible if it is completely positive and preserves the trace: tr(Φ(A)) = tr(A) for all A L( ). We call such a super-operator a quantum ∈ A operation. Another wayto representanyquantumoperationis througha linear isometry W L( , ) such that Φ(ρ) = tr (W ρ), for some extra space ∈ A B⊗Z Z · . Any such isometry W can be implemented by a physical process as long as Z the resource to implement is available. This is just a unitary transform in Z U( ) where the system in is initially in known state 0 . AFo⊗rZtwostatesρ ,ρ D( ),Zwedenoteby∆(ρ ,ρ )thet|raZcienormdistance 0 1 0 1 ∈ A between ρ and ρ : ∆(ρ ,ρ ):= 1 ρ ρ . If ∆(ρ ,ρ ) ε then any quantum 0 1 0 1 2k 0− 1k 0 1 ≤ process applied to ρ behaves exactly as for ρ except with probability at most 0 1 ε [17]. LetX,Y,andZ bethethreenon-trivialone-qubitPaulioperators. TheBell measurement is a complete orthogonal measurement on two qubits made out of the measurement operators Ψ Ψ where Ψ := 1 (0,x + {| x,yih x,y|}x,y∈{0,1} | x,yi √2 | i ( 1)y 1,x ).WesaythattheoutcomeofaBellmeasurementis(x,y) 0,1 2if − | i ∈{ } Ψ Ψ has been observed. The quantum one-time-padis a perfectly secure x,y x,y | ih | encryption of quantum states[3]. It encrypts a qubit ψ as XxZz ψ , where the | i | i key is two classical bits, (x,z) 0,1 2 and X0Z0 =11, X0Z1 =Z, X1Z0 =X ∈{ } and X1Z1 =Y are the Pauli operators. 2.1 Modeling two-party strategies Consider an interactive two-party strategy ΠO between parties A and B and oracle calls O. ΠO can be modeled by a sequence of quantum operations for eachplayertogetherwithsomeoraclecallsalsomodeledbyquantumoperations. Eachquantum operationin the sequence correspondsto the action ofone party at a certain step of the strategy. The following definition is a straightforward adaptation of n-turn interactive quantum strategies as described in [9]. The main difference is that here, we provide a joint input state to both parties and that quantum transmissions taking place during the execution is modeled by a quantum operation; one that is moving a state on one party’s side to the other party. Definition 2.1. A n–step two party strategy with oracle calls denoted ΠO = (A,B,O,n) consists of: 1. input spaces and for parties A and B respectively, 0 0 A B 2. memory spaces ,..., and ,..., for A and B respectively, 1 n 1 n A A B B 3. an n-tuple of quantum operations (A ,...,A ) for A, A : L( ) 1 n i i 1 A− 7→ L( ), (1 i n), i A ≤ ≤ 4. an n-tuple of quantum operations (B ,...,B ) for B, B : L( ) 1 n i i 1 L( ), (1 i n), B− 7→ i B ≤ ≤ 5. memory spaces ,..., and ,..., can be written as = O and = O A1, (1 Ain n),Ba1nd OB=n(O ,O ,...,O ) isAain nA-tiup⊗leAo′if quanBtuim oBpiera⊗tiBoni′s: O≤:L≤( O O) L( 1O 2 O), (1n i n). i Ai ⊗Bi 7→ Ai ⊗Bi ≤ ≤ If Π =(A,B,n) is a n-turn two-party protocol then the final state of the inter- action upon input stateρ D( ), where is a system of dimension in 0 0 ∈ A ⊗B ⊗R R dim =dim dim , is: 0 0 R A B [A ⊛B](ρin):=(11L( ′ ′ ) On)(An Bn 11 ) An⊗Bn⊗R ⊗ ⊗ ⊗ R ...(11L( ′ ′ ) O1)(A1 B1 11 )(ρin) . A1⊗B1⊗R ⊗ ⊗ ⊗ R Step i of the strategy corresponds to the actions of A and B followed by the i i oracle call O . i Note that we consider input states defined on the input systems together with a reference system ; this allows us to show the correctness and privacy R of the protocol not only for pure inputs, but also for inputs that are entangled withathirdparty.Thisisthemostgeneralcaseallowedbyquantummechanics. Atwo-partystrategyisthereforedefinedbyquantumoperationtuples(A ,...,A ), 1 n (B ,...,B ), and (O ,...,O ). These operations also define working spaces 1 n 1 n ,..., , ,..., together with the input-output spaces to the oracle calls 0 n 0 n AO andAOBfor 1 Bi n. Ai Bi ≤ ≤ O A communication oracle from Alice to Bob is modeled by having O and letting O move the state in O to O and erase O. SimilarAlyi fo≈r Bi i Ai Bi Ai communicationintheotherdirection.Wedefineabare model protocoltobeone which only uses communication oracles. 3 Specious Quantum Adversaries 3.1 Protocols for two-party evaluation Letusconsidertwo-partyprotocolsforthequantumevaluationofunitarytrans- form U U( ) between parties A and B upon joint input state ρ 0 0 in ∈ A ⊗B ∈ D( ): 0 0 A ⊗B ⊗R Definition 3.1. A two-party protocol ΠO =(A,B,O,n) for U U( ) U ∈ A0⊗B0 is an n–step two-party strategy with oracle calls, where and . n 0 n 0 A ≈ A B ≈ B It is said to be ε–correct if ∆([A ⊛B](ρ ),(U 11 ) ρ ) ε for all ρ D( ) . in in in 0 0 ⊗ R · ≤ ∈ A ⊗B ⊗R We denote by Π a two-party protocol in the bare model where, without loss of U generality, we assume that O (0 i n ) implements a communication channel from A to B and O2i+1(1 ≤i ≤ ⌊n2⌋) implements a communication channel from B to A. Commu2niicati≤on o≤rac⌊le2s⌋are said to be trivial. In other words, a two-party protocol ΠO for unitary U is a two-party interac- U tive strategy where, at the end, the output of the computation is stored in the memory of the players. ΠO is correct if, when restricted to the output registers U (and ), the final quantum state shared by A and B is (U 11 ) ρ . in R ⊗ R · As it will become clear when we discuss privacy in Sect. 3.3, we need to consider the joint state at any step during the evolution of the protocol: ρ1(ρin):=(11L( ′ ′ ) O1)(A1 B1 11L( ))(ρin), A1⊗B1⊗R ⊗ ⊗ ⊗ R ρi+1(ρin):=(11L( ′ ′ ) Oi+1)(Ai+1 Bi+1 11L( ))(ρi(ρin)) , (1) Bi+1⊗Ai+1⊗R ⊗ ⊗ ⊗ R for 1 i < n. We also write the final state of ΠO upon input state ρ as ρ (ρ ≤)=[A ⊛B](ρ ). U in n in in 3.2 Modeling Specious Adversaries Intuitively, a specious adversary acts in any way apparently indistinguishable fromthehonestbehavior,inthesensethatnoauditcandistinguishthebehavior of the adversaryfrom the honest one. More formally, a specious adversary in ΠO = (A,B,O,n) may use an ar- U bitrary large quantum memory space. However, at any step 1 i n, the ≤ ≤ adversary can transform its own current state to one that is indistinguishable from the honest joint state. These transforms are modeled by quantum opera- tions, one for each step of the adversary in ΠO, and are part of the adversary’s U specification. We denote by (T ,...,T ) these quantum operations where T 1 n i produces a valid transcript at the end of the i–th step. Let A˜and B˜ be adversaries in ΠO. We denote by ΠO(A˜) = (A˜,B,O,n) U U andΠO(B˜)=(A,B˜,O,n)theresultingn–steptwo-partystrategies.Wedenote U by ρ˜(A˜,ρ ) the state defined in (1) for protocol ΠO(A˜) and similarly by i in U ρ˜(B˜,ρ ) that state for protocol ΠO(B˜). i in U Adding the possibility for the adversary to be ε-close to honest, we get the following definition: Definition 3.2. Let ΠO = (A,B,O,n) be an n–step two-party protocol with U oracle calls for U U( ). We say that: 0 0 ∈ A ⊗B – A˜is ε–specious if ΠO(A˜) = (A˜,B,O,n) is an n–step two-party strategy U with ˜ = andthereexistsasequenceofquantumoperations(T ,...,T ) 0 0 1 n A A such that: 1. for every 1 i n, T :L( ˜) L( ), i i i ≤ ≤ A 7→ A 2. for every input state ρ D( ), and for all 1 i n, in 0 0 ∈ A ⊗B ⊗R ≤ ≤ ∆ (T 11 ) ρ˜(A˜,ρ ) ,ρ (ρ ) ε . i⊗ L(Bi⊗R) i in i in ≤ (cid:16) (cid:16) (cid:17) (cid:17) – B˜ is ε–specious if ΠO(B˜) = (A,B˜,O,n) is a n–step two-party strategy U with ˜ = andthereexistsasequenceofquantumoperations(T ,...,T ) 0 0 1 n definBed asBbefore with , ˜, and ρ˜(B˜,ρ ) replacing , ˜, and ρ˜(A˜,ρ ) i i i in i i i in B B A A respectively. If a party is ε(m)–specious with ε(m) negligible for m a security parameter then we say that this party is statistically specious. 3.3 Privacy Privacy for ΠO is defined as the ability for a simulator, having only access to U the adversary’s input and the ideal functionality U, to reproduce the state of the adversary at any step in the execution of ΠO. Our definition is similar to U the one introduced in [21] for statistical zero-knowledge proof systems. AsimulatorforanadversaryinΠO isrepresentedbyasequenceofquantum U operations(S )n ,whereS re-producesthe viewofthe adversaryafterstepi. i i=1 i S initiallyreceivestheadversary’sinputandhasaccesstotheidealfunctional- i ity for U evaluated upon the jointinput of the adversaryandthe honest player. Becauseofno-cloning,asimulatorcallingU losesitsinput, andthe inputmight be requiredto simulate e.g. earlysteps in the protocol,so we haveto allow that S doesnotcallU.Forthispurposeweintroduceabitq 0,1 .Whenq =0, i i i S does not call U andwhen q =1, S must first call the∈i{deal}functionality U i i i before performing some post-processing. More precisely, Definition 3.3. Let ΠO = (A,B,O,n) be an n–step two-party protocol for U U D( ). Then, 0 0 ∈ A ⊗B – S(A˜)= (S ,...,S ),q isasimulatorforadversaryA˜inΠO ifitconsists h 1 n i U of: 1. a sequence of quantum operations (S ,...,S ) where for 1 i n, 1 n S :L( ) L( ˜), ≤ ≤ i 0 i A 7→ A 2. a sequence of bits q 0,1 n determining if the simulator calls the ideal ∈{ } functionality at step i: q =1 iff the simulator calls the ideal functional- i ity. – Similarly, S(B˜) = (S ,...,S ),q is a simulator for adversary B˜ in 1 n ′ ΠO if it satisfies condhitions 1 and 2 aibove with q , , , and ˜ replacing q,U , , and ˜ respectively. ′ B0 Bi Bi 0 i i A A A Given an input state ρ D( ), we define the A˜’s respectively B˜’s in 0 0 ∈ A ⊗B ⊗R simulated views as: ν (A˜,ρ ):=tr (S 11 )((Uqi 11 ) ρ ) , i in B0 i⊗ L(B0⊗R) ⊗ R · in νi(B˜,ρin):=trA0(cid:0)(11L(A0⊗R)⊗Si) (Uqi′ ⊗11R)·ρin(cid:1) . (cid:16) (cid:16) (cid:17)(cid:17) We say that protocol ΠO is private against specious adversaries if there exits a U simulator for the view at any step of any such adversary.In more details, Definition 3.4. Let ΠO =(A,B,O,n) be a protocol for U U( ) and U ∈ A0⊗B0 let 0 δ 1. We say that ΠO is δ–private against ε–specious A˜if there ex- ≤ ≤ U ists a simulator S(A˜) such that for all input states ρ D( ) in 0 0 ∈ A ⊗ B ⊗ R and for all 1 i n, ∆ ν (A˜,ρ ),tr (ρ˜(A˜,ρ )) δ. Similarly, we say ≤ ≤ i in Bi i in ≤ that Π is δ–private again(cid:16)st ε–specious B˜ if there e(cid:17)xists a simulator S(B˜) U such that for all input states ρ D( ) and for all 1 i in 0 0 ∈ A ⊗ B ⊗ R ≤ ≤ n, ∆ ν (B˜,ρ ),tr (ρ˜(B˜,ρ )) δ. Protocol ΠO is δ–private against ε– i in Ai i in ≤ U specio(cid:16)us adversaries if it is δ–pr(cid:17)ivate against both A˜ and B˜. For γ > 0, if ΠO is 2 γm–private for m N+ a security parameter then we say that ΠO is U − ∈ U statistically private. We show next that for some unitary, statistical privacy cannot be satisfied by any protocol in the bare model. 4 Unitaries with no private protocols In this section, we show that no statistically private protocol for the swap gate existsinthebaremodel.Theswapgate,denotedSWAP,isthefollowingunitary transform: SWAP : φA A0 φB B0 φB A0 φA B0 , | i | i 7→| i | i foranyonequbitstates φ and φ (i.e.,dim( )=dim( )=2). A 0 B 0 0 0 NoticethatSWAPisint|heiC∈liffAordgro|upsiin∈ceBitcanbeimAplementedwBiththree CNOT gates. It means that universality is not required (gates in the Clifford groupsarenotuniversalforquantumcomputation)foraunitarytobeimpossible to evaluate privately. The impossibility of SWAP essentially follows from no cloning. Theorem 4.1 (Impossibility of swapping). There is no correct and statis- tically private two-party protocol ΠSWAP =(A,B,O,n(m)) in the bare model. Proof. Suppose that there exists an ε-correct, ε-private protocol in the bare model for SWAP for sufficiently small ε; we will show that this implies that one of the two players must lose information upon receiving a message, which is clearly impossible. Wewillconsiderthefollowingparticularpureinputstate: ϕ := Ψ0,0 A0RA | i | i ⊗ Ψ0,0 B0RB, a maximally entangled state between 0 0 and the reference | i A ⊗ B system that is broken down into two subsystems for convenience. RA ⊗ RB Furthermore, we will consider the “purified” versions of the honest players for thisprotocol;inotherwords,wewillassumethatthesuper-operatorsA ,...,A 1 n andB ,...,B areinfactlinearisometriesandthatthereforetheplayersnever 1 n discardanyinformationunlesstheyhavetosendittotheotherparty.Theglobal state ρ (ϕ) after step i is therefore a pure state on . i i i A ⊗B ⊗RA⊗RB Afterstepioftheprotocol(i.e.,aftertheithmessagehasbeensent),Alice’s state must either depend only on her own original input (if q = 0 for her i simulator),oronBob’soriginalinput(ifq =1).Moreprecisely,bythedefinition i of privacy (Definition 3.4), we have that ∆(ν (A,ϕ),tr [ρ (ϕ)]) ε , i Bi i ≤ where ν (A,ϕ) is A’s simulated view after step i and ρ (ϕ) is the global state i i in the real protocol after step i. Now, suppose that q = 0, and let ξ i i be a purification of ν (A,ϕ) with being the purifyi|ngis∈ysAtem⊗, ′ i aRnAd⊗RrBe⊗naZmedforupcomingtechnicalreasons.TZhepurestate ξ Ψ0,0 RBB0 has tRhBe same reduced density matrix as ν (A,ϕ) on | i⊗.|Hencie, by i i A ⊗RA⊗RB Uhlmann’s theorem, there exists a linear isometry V : such i 0 ′ that B →B ⊗Z ⊗RB Vνi(A,ϕ)V† = ξ ξ Ψ0,0 Ψ0,0 B0RB | ih |⊗| ih | and hence ∆ Vρi(ϕ)V†, ξ ξ Ψ0,0 Ψ0,0 B0RB √2ε . | ih |⊗| ih | ≤ (cid:16) (cid:17) This means that if q = 0, then Bob is still capable of reconstructing his own i inputstateafterstepibyapplyingV tohisworkingregister.Clearly,thismeans that q = 0 (i.e., Bob’s simulator must also not call SWAP), and therefore, by i′ the same argument, Alice must also be able to reconstruct her own input with an isometry V : . The same argument also holds if q = 1: A i 0 ′ i we then concludeAtha→t qB =⊗1Za⊗ndRtAhat Alice and Bob must have each other’s i′ inputs; no intermediate situation is possible. We conclude that, at every step i of the protocol, q =q . i i′ Now, before the protocol starts, Alice must have her input, and Bob must havehis,hence,q =q =0.Attheend,thetwoinputsmusthavebeenswapped, 0 0′ which means that q =q =1; there must therefore be a step k in the protocol n n′ afterwhichthetwoinputsareswappedbutnotbefore,meaningthatq =1and k q = 0. But at each step, only one player receives information, which means k 1 − that at this step k, the playerwho receivedthe message must lose the ability to reconstruct his own input, which is clearly impossible. ⊓⊔
Description: