Universal Single Server Blind Quantum Computation Revisited

Transcription

1 Universal Single Server Blind Quantum Computation Revisited Durgesh Pandey Aditya Jain ABSTRACT In this paper, we present an improvised protocol for achieving Blind Quantum Computation which is secure against various kinds of attacks. We also provide a modification to the Xu Protocol to prevent different kinds of server attacks. We explore two different cases - one in which client has minimal quantum ability and the second in which the client is entirely classical with some extra assumptions in place. Followed by this we provide an extensive security analysis and performance comparison with all other existing protocols. Keywords Blind Quantum Computation, Entanglement swapping, Teleportation 1. INTRODUCTION Quantum Computation is a field that stands at the confluence of Physics and Computer Science and has gained importance in the past 0 years. We exploit the laws of Quantum Mechanics to achieve significant speedup in finding solutions to various problems. There have been various Quantum algorithms in the past which provide advantage over classical algorithms in problems like Searching in an unsorted database (Grover s Search) [1], factoring any given integer (Shor s Algorithm) [] and so on. One of the major hurdles faced by the field involves building scalable hardware to achieve Quantum Computation. The present setup available is very complicated and massive in nature. Thus, it is assumed that in near future there will be a need to delegate computation to the few servers that will have the capability to do such computations. However, this raises both security and privacy issues which need to be addressed. CSTAR, International Institute of Information Technology, Hyderabad (IIIT-H) CCNSB, International Institute of Information Technology, Hyderabad (IIIT-H) Blind Quantum Computation (BQC) is a model where a client without much quantum technologies can delegate the computation to a server. The demands from any general BQC protocol are as follows : The server should not have any idea about the computation being performed. The server should not know about the input as well as the output if the computation. The communication between all the parties must be secure. The quantum ability of the client should be minimal. We first review Xu et al protocol [3] which is Universal Single-Server Blind Quantum Computation for Classical Client. However the given protocol is prone to various kinds of server attacks. We provide a modification to their protocol which prevents the attacks and achieves the given purpose respecting all other demands. Towards the end we provide some future directions which can be pursued followed by our piece of work.. PRELIMINARIES We first explain some basic concepts which are required for understanding the protocol completely..1 Passive adversary An adversary is said to be a passive adversary if it can only eavesdrop while an active adversary can also modify (disrupt) the information in the channel.. Entanglement In Quantum Mechanics, entanglement is a physical phenomenon in which a pair or a group of particles interact with each other in a specific way so that it is impossible to describe their individual states independently. In Quantum computation, particles are modelled using Qubits or Quantum bits. The most common example of an entangled state is the Bell State or EPR state. ψ =

2 Figure 1: Brickwork state.3 Bell State Measurement -BSM BSM is a special kind of Projective measurement in the bell basis. The bell basis comprises of the following states : φ + = φ = ψ + = ψ = The measurement results in the falling of the original state into one of the above mentioned states..4 Teleportation Teleportation is a technique to transport quantum states from one place to another using Quantum Entanglement and classical communication as resources. The broad steps in the protocol are as follows : 1. Alice and Bob share an EPR pair ψ AB = Alice wants to send a state ψ U = α 0 + β 1 3. The combined state of both the parties is ψ ABU = ψ AB ψ U 4. Alice performs Bell state measurement on her pair of qubits. 5. Followed by this Alice communicates the results of her measurement using two classical bits. 6. According to the information received Bob performs unitary operations on his side to recover ψ U..5 Graph state Graph state is a special kinds of state which is represented in terms of graphs. The nodes in the graph represent qubits and there is an edge between two nodes if they are interacting. It is convenient to represent certain kinds of entanglement using graph states..6 Brickwork state A major hurdle in BQC is that the server should not be aware of the input and the computation being performed. Hence, there should be no impression of the unitary operation being performed on the input state. This was not possible using Graph/ Cluster states. Hence Broadbent et al came up with a state called Brickwork state (Fig 1) which is similar to a cluster state but contains a universal unit cell and has the advantage that the impression left by all unitary operations on this state are same..7 Entanglement Swapping Suppose there are two autonomous sources S1 and S which are capable of generating entangled pair of qubits. Let us assume that at a specific time t1, they generated two Bell pairs (A1-B1) and (A-B).If we perform Bell state measurement on the qubits B1 and A, they will fall into entangled state. Now, The qubits A1 and B will also form an entangled state regardless of the fact that they never interacted with each other in the past.this phenomenon is known as Entanglement swapping, as the pairs between which entanglement is existing now is swapped. 3. LITERATURE SURVEY The study of this field was initiated by Andrew M. Child. In 005, he proposed the first protocol for blind quantum Computation.They assumed that the client should possess Quantum memory and the ability to perform SWAP operation. Arrighi and Salvail [4] also proposed a protocol for BQC but their protocol was not universal and the client needed to have the ability to prepare and measure multiqubit entangled state. A lot of protocols have been proposed in literature post this. The next protocol was proposed by Brodbent, Fitzsimmons and Kashefi[5]. It was the first single server BQC protocol but client was expected to have the capability of generating qubits. The protocol was modified and appeared as Double server BFK [6] with the restriction that those servers should be in entangled state and they should be non-communicating. Q.Li proposed a triple server protocol [7] for BQC., but in this protocol client was expected to communicate with three servers just for a single computation, and hence seemed unrealistic. Followed by this, Xu proposed a Universal single server BQC protocol which seemed practical but had its own drawbacks. We will review this protocol here and explain the problem with this protocol. 3.1 Xu s protocol: A brief Review Suppose Alice, a client with limited quantum capability, wants to delegate her computation to a server, Bob, without revealing its input,output and the algorithm to be executed. Charlie is a trusted source which is capable of generating m- qubit graph state. The outline of the protocol is as follows : 1. Charlie generates 4m bell pairs B Alice,Bob and sends the first part to Alice and the second part to Bob.. Alice, on receiving the qubit, decides whether to send it to Bob or to discard it. She will choose only m qubits and will discard the remaining m qubits. From 1 to m, she will choose m qubits and from m to 4m, she will choose another m qubits. Let these Qubits be A s1, A s, A s3, A s4,...a sm and A t1, A t, A t3, A t4,...a tm. 3. Alice will ask Bob to perform Bell state measurement on pair (A si, A tm+i ). 4. On measurement, due to entanglement swapping, they will fall into entangled state and the corresponding Bob s qubits will also fall into entangled state. The information about Bob s qubit will be available to Alice when Bob will send the measurement results back to Alice.

3 After this step, Alice will try to establish randomness by sending m classical messages to Bob and by receiving the results of measurement on those messages. At the end, Bob will have m qubit graph state θ si + b si π and only Alice will know the values of θ si and b si. Thus Alice can run BFK protocol now for getting her computation done. The problem with this protocol is that server attacks cannot be prevented here.the server attack can be modelled as an eavesdropping attack. In this protocol, since we are assuming that client,alice, possesses only limited amount of quantum capability (in special case, completely classical), so Alice will not possess any quantum memory. So whenever Charlie will send a qubit to Alice, she has to decide at once whether to discard it or to send it to Bob. If Bob eavesdrops the quantum channel between Alice and Charlie, then Bob will know the position s i and t i and accordingly he will be able to identify the subset of qubits that has been sent to him and the alternate subset that has been discarded. Similarly, the Trojan horse attack can also be applied to this protocol by inserting invisible photon and after measuring it, although it can be removed easily. In the next section, we provide some improvement for removing the eavesdropping attack on Xu s protocol as well as a new protocol for BQC. 4. THE PROPOSED PROTOCOL In section 4.1, we will provide cases where Xu s protocol can be freed from server s attack. In section 4., we will present a new protocol for BQC based on teleportation. 4.1 Improvement in Xu s protocol: In this protocol, if we assume that the client, Alice, possesses small amount of quantum memory ( say one qubit), server attack can be reduced significantly. Suppose, Alice possess quantum memory for storing one qubit. Whenever she receives a qubit, she can either store it, discard it or send it to Bob for measurement. If Bob is eavesdropping on the channel between Alice and charlie, he can guess that next received qubit incorrectly with probability 1. So if there are n qubits which are being dropped, this uncertainty will increase by a multiplicative factor. Probability that after dropping of n qubits by Alice, Bob guesses all the qubits correctly will be ( 1 )n, which is significantly small if n is very large. Another approach for removing the eavesdropping attack is that we should use an asynchronous channel between Alice and Bob. In this case, in spite of knowing the position of qubits by eavesdropping, Bob will not be able to conclude that the received qubit is same as the eavesdropped qubit with complete certainty because of asynchronous nature of the channel. 4. A new Protocol We propose a new protocol for BQC which is classified into two different cases. In the first case, we have assumed that the client, Alice, has quantum capability of measuring qubits in arbitrary basis. In second case, we have assumed that client Alice is completely classical. In second case, we have to put some restrictions on Bob, which we will explain while explaining the second case. Henceforth, we will refer case Figure : Proposed Scheme 1 as first protocol and case as second protocol until and unless specified otherwise. The setup is explained in fig. Alice is a client who wants to delegate her computation to the server Bob who has immense quantum capabilities. Charlie is trusted source who has the ability to generate the entangled qubits. Charlie shares an entangled state with Bob needed for teleportation. Protocol: The steps involved are as follows : 1. Alice will send Charlie the information about the graph states or input state that need to be created on server Bob using secure channel between Alice and charlie.. Charlie will generate the number of Bell pairs that are needed for complete creation of the graph state using only one qubit i.e. suppose number of qubits required for creation of the graph state is m. Charlie will generate m bell pairs. 3. Suppose the generated i th Bell pair are B ci,b i. Charlie will teleport the b i to Bob and send the classical information related to this teleportation to Alice using the secure channel. 4. Using the information about the graph state sent by Alice in the first step, Charlie will create that graph state on Bob s side. So he will perform suitable measurement on his part of the qubit. The qubit on Bob s part will change accordingly and after a certain number of measurements, Bob will have the graph state that is required for computation in subsequent steps. 5. Alice will convey the information regarding the required operation to be performed on the graph state on Bob s side created in the previous step. After measurement, Bob will inform the measurement result to Alice and using the classical information sent by charlie, Alice will know the actual measurement results. 5. SECURITY ANALYSIS The problem with Xu s protocol was the possibility of a server attack on the channel between Charlie and Alice. We will show how our protocol is safe from server attacks. In the first case, we are assuming that Alice has the capability of measuring qubits in arbitrary basis. In this case we can

4 1. Sender will send those t+1 points to all of its neighbors. In the same round all the intermediate nodes n ij will generate a random r ij and will send it to their neighbors. j represents the path index and i represents the node index in that path. i ranges from 0 to n j 1 where n j represents the total number of nodes in a path j. Figure 3: Second case simply use QKD (Quantum Key Distribution) protocols for creating a secure channel between Alice and Charlie. QKD protocols [8] are capable of providing secure communication between Alice and Charlie with small amount of leakage of information (depending on which protocol we are using). So in this case, server attacks will not be able to extract any useful information and thus the protocol is secure. In the second case, suppose the client Alice is completely classical. In this case, we apply some restrictions on the server, Bob. We can model the problem of server attack as a secure communication over distributed network. We are assuming Bob as an passive adversary, who is capable of listening on at most t nodes in the network. Assuming that Bob is a dynamic adversary and initially is was listening on node n1. Now, if Bob wants to change it s position from node n1 to another node, it will require at least t1 time. Let Charlie (Alice) be the sender and Alice(Charlie) be the receiver. A round is described as the process when a node sends a message to it s neighbor. If an adversary is corrupting a node n1 in round r, he will only get information which is being received (or we can assume that adversary will only get that information which is being received. Both these assumptions are equivalent and any one of them will work here.) by that node in the same round r. No past information will be known to the adversary in this case. Lemma: The necessary and sufficient condition for the secure communication between Alice and charlie is that there should be at least t+1 paths between Alice and Bob with the capability that all the neighboring nodes of receiver must be able to send the classical information to receiver in time less than t1. Proof of necessity: This proof is trivial. If there are no more than t paths between sender and receiver, adversary will simply corrupt all the neighboring nodes of the sender and get all the information that is being sent by sender to its neighboring node in the first round. The time limit t1 is also important which will be obvious in the proof of sufficiency. Proof of sufficiency : The proof of sufficiency is establishe din the following proposed protocol. Suppose the protocol is followed and the network is as described below: Sender takes a t degree polynomial and adds the message m that is required to be sent to receiver as the coefficient of x 0. Take t+1 points on this polynomial and follow the steps as described below:. All the nodes that will receive the points in form of (p j, q j), will transform it to (p j r i 1j r ij, q j r i 1j r ij ) and forward it to their next neighbor, where, for a node n ij,r i 1j is the random number received from it s previous neighbor i.e. n i 1j and will be donlyifitisavailableandr ij is the random number that it has generated itself in the first step. 3. In the last round of step, All the t+1 points will be in form of (p j r (nj 1) j, q j r (nj 1) j ) where r (nj 1) j represents the random number generated by the last node in j-th path. And receiver will have the r (nj 1) j for every j because of the processing in first step. Now when all the nodes will deliver the message to receiver, he will simply XOR it with corresponding r (nj 1) j for each j and will get (p j, q j). The total number of points received by the receiver will t+1 and using it he Can uniquely create a polynomial of t degree and thus can get the value of the message that was intended to be received. Notice that, because we have assumed that All the neighboring nodes of receiver are capable of sending classical information to receiver in time less than t1, there will be at least one randomness r which will not be available to the adversary. It can only listen on t node in one round and let us assume he is listening on all the neighboring node receivers in step 1. Thus by the time he tries to switch to achieve the only remaining random r, the information would have been already transferred according to the assumption taken above. The Above protocol works because it follows the fact that For determining a polynomial of t degree, we need at least t+1 points on it. Notice that, by the end of the protocol, receiver will have t+1 points on that polynomial while the adversary will have only t points on that polynomial because of which he will not be able to determine that polynomial uniquely and will not be able to get the required message. Thus we have shown that using this method, Bob will not able to perform server attack on the channel between Alice and Charlie provided some restrictions on the Bob s strength. The restrictions are completely realistic since once can always increase the number of paths between Alice and Charlie. 6. PERFORMANCE COMPARISON We have shown that our protocol is secure than the protocol presented by Xu because our protocol is not prone to server attacks given some reasonable assumptions in palce. In Xu s protocol, Alice was able to create a graph state directly on the server s side while in our protocol, Alice needs to inform Charlie about the graph state and then Charlie

5 will create input state on Bob s side. Due to the two step approach, there may be some time delay in this process and this appears to be only drawback of this protocol. 7. CONCLUSION AND FUTURE WORK In this paper, we have established a scheme to achieve BQC which is both secure and at the same time does not compromise on the classical ability of the client. However, there is scope for improvement in the second case where we provide a protocol for a purely classical client at the cost of assuming that the server can only eavesdrop on at most t nodes simultaneously.the case where Bob have unlimited classical Ability to attack on the channel between Alice and charlie, How we should perform the communication between Alice and charlie without Alice possessing any quantum Ability would be an interesting problem. One of the possible places where this protocol can be deployed is in verifying the results of any quantum computation performed by an untrusted quantum processor. A new scenario whereby both Alice and Bob are potential servers as well as clients but with different abilities and mutually orthogonal needs would also be an interesting problem for future research. 8. REFERENCES [1] Lov K. Grover, A fast quantum mechanical algorithm for database search, Bell Labs, Murray Hill NJ Proceedings, 8th Annual ACM Symposium on the Theory of Computing (STOC), May 1996, pages 1-19 [] Peter W. Shor, Polynomial-Time Algorithms for Prime Factorization and Discrete Logarithms on a Quantum Computer, ATT Research Proceedings of the 35th Annual Symposium on Foundations of Computer Science, Santa Fe, NM, Nov. 0, 1994 [3] Hai-Ru Xu, Bang-Hai Wang Universal Single-Server Blind Quantum Computation for Classical Client, arxiv: [4] Pablo Arrighi, Louis Salvail Blind Quantum Computation, Int. J. of Quantum Information, Vol. 4, No. 5, (006), pp [5] Anne Broadbent, Joseph Fitzsimons, Elham Kashefi Universal blind quantum computation, Proceedings of the 50th Annual IEEE Symposium on Foundations of Computer Science (FOCS 009), pp [6] Tomoyuki Morimae, Keisuke Fujii Secure entanglement distillation for double-server blind quantum computation, Phys. Rev. Lett. 111, 0050 âăş Published 9 July 013 [7] Qin Li, Wai Hong Chan, Chunhui Wu, and Zhonghua Wen Triple-server blind quantum computation using entanglement swapping Phys. Rev. A 89, 04030(R) âăş Published 18 April 014 [8] C.H. Bennet and G. Brassard, Quantum cryptography: public key distribution and coin tossing, Proceedings of IEEE International Conference on Computers, Systems and Signal Processing, Bangalore, India, pp , Dec