On the Round Complexity of Secure Quantum Computation∗

James Bartusek† Andrea Coladangelo‡ Dakshita Khurana§ Fermi Ma¶

Abstract We construct the first constant-round protocols for secure quantum computation in the two-party (2PQC) and multi-party (MPQC) settings with security against malicious adversaries. Our protocols are in the common random string (CRS) model. • Assuming two-message oblivious transfer (OT), we obtain (푖) three-message 2PQC, and (푖푖) five- round MPQC with only three rounds of online (input-dependent) communication; such OT is known from quantum-hard Learning with Errors (QLWE). • Assuming sub-exponential hardness of QLWE, we obtain (푖) three-round 2PQC with two online rounds and (푖푖) four-round MPQC with two online rounds. • When only one (out of two) parties receives output, we achieve minimal interaction (two messages) from two-message OT; classically, such protocols are known as non-interactive secure computation (NISC), and our result constitutes the first maliciously-secure quantum NISC. Additionally assuming reusable malicious designated-verifier NIZK arguments for NP (MDV-NIZKs), we give the first MDV-NIZK for QMA that only requires one copy of the quantum witness. Finally, we perform a preliminary investigation into two-round secure quantum computation where each party must obtain output. On the negative side, we identify a broad class of simulation strategies that suffice for classical two-round secure computation that are unlikely to work in the quantum setting. Next, as a proof-of-concept, we show that two-round secure quantum computation exists with respect to a quantum oracle.

∗This paper subsumes an earlier version [BCKM20] that only considers secure two-party quantum computation. †UC Berkeley. Email: [email protected] ‡UC Berkeley. Email: [email protected] §UIUC. Email: [email protected] ¶Princeton University and NTT Research. Email: [email protected]

1 Contents

1 Introduction 3 1.1 Our Results...... 3

2 Technical Overview 5 2.1 Quantum Background...... 5 2.2 Why is Malicious Security Hard to Achieve?...... 7 2.3 A Garbling Scheme for C + M Circuits...... 7 2.4 A Three-Message Protocol with Malicious Security...... 8 2.5 Application: Reusable MDV-NIZK for QMA...... 10 2.6 Challenges in Achieving a Two-Round Protocol in the Quantum Setting...... 10 2.7 A Two-Round Protocol with Pre-Processing...... 11 2.8 The Multi-Party Setting...... 14 2.9 Two Round 2PQC Without Pre-Processing: Challenges and Possibilities...... 16

3 Preliminaries 18 3.1 Notation...... 18 3.2 Clifford Authentication Code...... 18 3.3 Multi-Party Quantum Computation...... 19 3.4 Useful Lemmas...... 19 3.5 Two-Message Two-Party Classical Computation...... 20 3.6 Round-Optimal MPC for Classical Reactive Functionalities...... 22 3.7 Quantum Multi-Key Fully-Homomorphic Encryption...... 23 3.8 Non-Interactive Equivocal Commitment...... 24 3.9 Garbled Circuits...... 25

4 A Garbling Scheme for Clifford + Measurement Circuits 25

5 Quantum Non-Interactive Secure Computation 31 5.1 The Protocol...... 31 5.2 Security...... 34

6 Application: Reusable Malicious Designated Verifier NIZK for QMA 37

7 Two-Round Two-Party Quantum Computation with Preprocessing 39 7.1 The Protocol...... 39 7.2 Security...... 43

8 Multi-Party Quantum Computation in Five Rounds 48 8.1 The Protocol...... 48 8.2 Security...... 52

9 Multi-Party Quantum Computation in Four Rounds 58 9.1 The Protocol...... 58 9.2 Security...... 61

10 Two Rounds Without Pre-Processing: Challenges and Possibilities 68 10.1 An Oblivious Simulation Barrier for Two Round Protocols...... 68 10.2 A Two-Round Protocol from Quantum VBB Obfuscation...... 73

2 1 Introduction

Secure computation allows mutually distrusting parties to compute arbitrary functions on their private inputs, revealing only the outputs of the computation while hiding all other private information [Yao86, GMW87, BGW88, CCD88]. With the emergence of quantum computers, it becomes important to understand the landscape of secure quantum computation over distributed, private quantum (or classical) states. In the most general setting, 푛 parties hold (possibly entangled) quantum inputs x1,..., x푛, and would like to evaluate a quantum circuit 푄(x1,..., x푛). The output is of the form (y1,..., y푛), so at the end of the protocol party 푖 holds state y푖. Secure computation with classical inputs and circuits forms a centerpiece of classical cryptography. So- lutions to this problem in the classical setting were first obtained nearly 35 years ago, when [Yao86] built garbled circuits to enable secure two-party computation, and [GMW87, BGW88, CCD88] obtained the first secure multi-party computation protocols. Since then, there has been an extensive body of work in this area, of which a large chunk focuses on understanding the amount of back-and-forth interaction required to implement these protocols. Notably, the work of Beaver, Micali and Rogaway [BMR90] obtained the first constant- round classical multi-party computation protocols in the dishonest majority setting. There have been several subsequent works including but not limited to [KO04, GMPP16, ACJ17, BHP17, BGJ+18, CCG+20] that have nearly completely characterized the exact round complexity of classical secure computation. The problem of secure quantum computation on distributed quantum states is not nearly as well- understood as its classical counterpart. The quantum setting was first studied by [CGS02, BCG+06], who obtained unconditional maliciously-secure multi-party quantum computation with honest majority. Just like the classical setting, when half (or more) of the players are malicious, secure quantum computation also requires computational assumptions due to the impossibility of unconditionally secure quantum bit commitment [May97, LC98, DSWK06]. In the dishonest majority setting, [DNS10] gave a two-party quantum computation (2PQC) protocol secure against the quantum analogue of semi-honest adversaries (specious adversaries); this was later extended to the malicious setting by [DNS12]. A work of [DGJ+20] constructed maliciously-secure multi-party quantum computation (MPQC) with dishonest majority from any maliciously-secure post-quantum classical MPC, where the round complexity grows with the size of the circuit and the number of participants. Very recently, [ACC+20] constructed MPQC with identifiable abort, and with round complexity that does not grow with the circuit size but grows with the number of participants. However, the feasibility of maliciously-secure MPQC with constant rounds has remained open until this work. In addition to settling this question, we also make several headways in understanding the exact round complexity of secure quantum computation with up to all-but-one malicious corruptions.

1.1 Our Results We assume that parties have access to a common random string (CRS), and obtain answers to a range of fundamental questions, as we discuss next1.

1.1.1 Quantum Non-Interactive Secure Computation Our first result pertains to the most basic setting for secure (quantum) computation: a sender holdsinput y, a receiver holds input x, and the goal is for the receiver to obtain 푄(x, y) for some quantum circuit 푄. We construct a protocol achieving minimal interaction — commonly known as non-interactive secure computation (NISC) [IKO+11] — where the receiver publishes an encryption of x, the sender replies with an encryption of y, and the receiver subsequently obtains 푄(x, y). Our result constitutes the first maliciously- secure NISC for quantum computation (Q-NISC).

1We point out that the post-quantum MPC protocol of [ABG+20] can be used to generate a CRS in constant rounds. This, combined with our results, yields the first constant round multi-party quantum computation protocols without trusted setup in the standard model.

3 Theorem 1.1. (Informal) Maliciously-secure NISC for quantum computation exists assuming post-quantum maliciously-secure two-message oblivious transfer (OT) with straight-line simulation.

Such OT protocols are known from the post-quantum hardness of Learning with Errors (LWE) [PVW08]. We remark that our Q-NISC result also extends to the reusable setting where the receiver has a classical input that they would like to reuse across multiple quantum computations on different sender inputs.

Application: Malicious Designated-Verifier NIZK Arguments for QMA. As an application of our maliciously-secure Q-NISC, we construct (reusable) malicious designated-verifier non-interactive zero- knowledge arguments (MDV-NIZKs) for QMA in the common random string model. Specifically, our MDV- NIZK enables the following interaction for any QMA language: a verifier can publish a classical public key pk that enables a prover to send an instance 푥 and quantum message m, such that the verifier holding the corresponding secret key sk can determine if 푥 is a valid instance. Theorem 1.2. (Informal) There exists a reusable MDV-NIZK for QMA with a classical CRS and classical proving key assuming the existence of post-quantum maliciously-secure two-message oblivious transfer with straight-line simulation in the CRS model, and post-quantum (adaptively sound) reusable MDV-NIZK for NP. All of the underlying primitives exist assuming the quantum hardness of learning with errors.

We briefly elaborate on the security guarantees of our reusable MDV-NIZK. Reusability meansthat soundness holds for multiple proofs (of potentially different statements) computed with respect to the same setup (i.e., the common random string and the public key), even if the prover learns whether or not the verifier accepted each proof; we remark that reusable security is sometimes referred to as multi-theorem security. Malicious security means that the zero-knowledge property holds even against verifiers that generate the public key maliciously. Previously, such a reusable MDV-NIZK for QMA required the prover to have access to multiple copies of the quantum witness [Shm20], while our MDV-NIZK only requires the prover to have a single copy.

1.1.2 Constant-round 2PQC and MPQC Our next set of results concerns the general setting for 2PQC and MPQC where all parties obtain output. We focus on minimizing total round complexity as well as online round complexity, where the latter refers to the number of input-dependent rounds; if a protocol has round complexity 푑 and online round complexity 푘, then the parties can perform the first 푑 − 푘 rounds before they receive their inputs.2 We obtain various results, some from the generic assumption of quantum polynomially-secure two-message oblivious transfer, and others from the specific assumption of sub-exponential QLWE. Our results inthis section are summarized in Table1. 3

Table 1: Maliciously-Secure Quantum Computation in the CRS Model

From OT From sub-exp QLWE Two-party 3 rounds (3 online) 3 rounds (2 online) Multi-party 5 rounds (3 online) 4 rounds (2 online)

In order to prove the security of these protocols, we develop a delayed simulation technique, which we call “simulation via teleportation”, which may be of independent interest.

2We remark that a 푘-online round protocol can also be viewed as a 푘-round protocol in a quantum pre-processing model, i.e. a model where parties receive some quantum correlations as setup. 3The results below are in the setting of security with abort, as opposed to security with unanimous abort (which is only a distinction in the multi-party setting). If one wants security with unanimous abort, the overall round complexity will not change, but one more round of online communication will be required.

4 1.1.3 Is Two-Round Secure Quantum Computation Possible? A natural next question is whether it is possible to construct two-round secure quantum computation without pre-processing. This appears to be a challenging question to resolve, either positively or negatively. We provide some preliminary results on both fronts: we give a negative result indicating that common simulation strategies from the classical setting will not suffice in the quantum setting, but we also provide a proof-of- concept positive result, with a new simulation strategy, assuming virtual-black-box obfuscation of quantum circuits. We stress that the latter result is primarily to give intuition, as virtual-black-box obfuscation is known to be impossible even for classical circuits [BGI+01]. We limit the scope of this preliminary investigation to the two-party setting. First, we give some intuition for why it seems hard to design a two-round two-party protocol by showing that, under a plausible quantum information-theoretic conjecture, a large class of common simulation techniques would not suffice. We consider any simulator that learns which player (between Alice and Bob)is corrupted only after it has generated the simulated CRS. We call such a simulator an oblivious simulator. To the best of our knowledge, all existing classical and quantum two-party computation protocols in the CRS model either (1) already admit oblivious simulation, or (2) can generically be transformed to admit oblivious simulation via post-quantum NIZK proofs of knowledge for NP. In the quantum setting, we show, roughly, that any two-round 2PQC protocol for general quantum functionalities with an oblivious simulator would yield an instantaneous nonlocal quantum computation protocol [Vai03, BK11, Spe16, GC20] for general quantum functionalities, with polynomial-size pre-processing. Instantaneous nonlocal quantum computation is well-studied in the quantum information literature [Vai03, BK11, Spe16, GC20], and the best known protocols for general functionalities require exponential- size pre-processing [BK11]. Thus, a two-round 2PQC for general functionalities with oblivious simulation would immediately yield an exponential improvement in the size of the pre-processing for this task. Theorem 1.3. (Informal) Under the conjecture that there exists a quantum functionality that does not admit an instantaneous nonlocal quantum computation protocol with polynomial-size pre-processing, there exists a quantum functionality that cannot be securely computed in two rounds in the classical CRS model with an oblivious simulator.

Towards getting around this potential barrier, we give a proof-of-concept construction of a protocol with non-oblivious simulation. Specifically, we assume a (strong) form of VBB obfuscation for quantum circuits that contain unitary and measurement gates, where the former may be classically controlled on the outcome of measurement gates. We point out, however, that VBB-obfuscation of circuits with measurement gates is potentially even more powerful than the VBB obfuscation for unitaries that was formalized in [AF16] (see discussion in Section 10.2). Under this assumption, we obtain a two-round two-party secure quantum computation protocol in the CRS model (that is straightforward to extend to the multi-party setting). Theorem 1.4. (Informal) Two-round two-party secure quantum computation in the common reference string model exists assuming a strong form of VBB or ideal obfuscation for quantum circuits as discussed above.

We remark that while there exist (contrived) examples of functionalities that cannot be VBB obfuscated [AF16, ABDS20, ALP20], it is still plausible that many quantum functionalities can be obfuscated. However, without any candidate constructions of obfuscation for quantum circuits, we stress that our result should only be taken as a proof-of-concept.

2 Technical Overview 2.1 Quantum Background We briefly recap some relevant concepts from quantum computation.

5 Notation. We use bold letters to write the density matrix of a quantum state x. We use the shorthand 푈(x) to mean 푈x푈 †, the result of applying unitary 푈 to x. The notation (x, y) denotes a state on two registers, where x and y are potentially entangled. The 푘-fold tensor product of a state x ⊗ x ⊗ · · · ⊗ x will be written as x푘.

The Pauli Group. The Pauli group on a single qubit, denoted by P1, is generated by the unitary [︂0 1]︂ [︂1 0 ]︂ operations 푋 (bit flip) and 푍 (phase flip), defined as 푋 = , 푍 = . The Pauli group on 푛 1 0 0 −1 qubits, denoted by P푛, is the 푛-fold tensor product of the single qubit Pauli group. Any unitary in the ਀ 푟푖 푠푖 푛 Pauli group P푛 can be written (up to global phase) as 푖∈[푛] 푋 푍 for 푟, 푠 ∈ {0, 1} .

The Clifford Group. The Clifford group on 푛 qubits, denoted by C푛, is the group of unitaries that † normalize P푛, i.e. 퐶 ∈ C푛 if and only if for all 푈 ∈ P푛, we have 퐶푈퐶 ∈ P푛. Alternatively, we can think of a Clifford unitary 퐶 as an operation where for any choice of 푟, 푠 ∈ {0, 1}푛, there exists a choice of 푟′, 푠′ ∈ {0, 1}푛 such that ⎛ ⎞ ⎛ ⎞ ਁ 푟 푠 ਁ 푟′ 푠′ 퐶 ⎝ 푋 푖 푍 푖 ⎠ = ⎝ 푋 푖 푍 푖 ⎠ 퐶. 푖∈[푛] 푖∈[푛] Intuitively, this means that with a suitable update of the Pauli operation, one can swap the order in which a Clifford and a Pauli are applied.

Clifford Authentication Codes. We will make extensive use of Clifford authentication codes. Clifford authentication codes are an information-theoretic encoding scheme for quantum states that provides both secrecy and authentication. An 푛-qubit quantum state x can be encoded in a Clifford authentication code as follows: prepare a 휆-qubit all 0’s state which we denote as 0휆 (where 휆 is a security parameter), sample 휆 a random Clifford unitary 퐶 ← C푛+휆, and output 퐶(x, 0 ). The Clifford 퐶 serves as a secret key, while the 0휆 qubits enable authentication, and are called “trap” qubits. A party without knowledge of 퐶 cannot modify the encoding without modifying the trap qubits (except with negligible probability). Therefore, decoding works by applying 퐶† and then measuring the 휆 trap qubits in the computational basis. If these measurements are all 0, this ensures that with all but negligible probability, the 푛 remaining registers hold the originally encoded state x.

Clifford + Measurement Circuits. We will rely heavily on the “Clifford + Measurement” representation of quantum circuits (henceforth “C+M circuits”) due to [BK05]. In this representation, a quantum circuit can be decomposed into layers. Each layer consists of a Clifford unitary whose output wires are partitioned into wires that will be fed as inputs into the next layer, and wires that will be measured. The latter group of wires are measured in the computational basis, resulting in a classical bitstring that is used to select the Clifford unitary to be applied in the subsequent layer. The first layer takes√ in all of the inputstothe quantum circuit, ancilla 0 states, and “magic” T states defined as T := (|0⟩ + 푒푖휋/4 |1⟩)/ 2. The final layer only produces output wires (i.e. its output registers have no wires to be measured), which are interpreted as the output of the circuit. [BK05] demonstrate that, with constant multiplicative factor overhead in size, any quantum circuit can be written as a “C + M circuit” or equivalently, in a magic state representation. Therefore, for the purposes of this technical overview, we will assume that any quantum circuit 퐹 is 푘 푘 written as a C+M circuit 퐹CM, and its evaluation on an input x is computed as 퐹 (x) = 퐹CM(x, T , 0 ). For simplicity, we use the same 푘 to denote the number of T states and the number of ancilla 0 states.

Magic State Distillation. In settings where malicious parties are tasked with providing the T states, we will use cryptographic techniques such as “cut-and-choose” to ensure that 퐹CM is evaluated on an input of the form (x, T̂︁푘, 0푘) where T̂︁푘 is a state guaranteed to be “somewhat” close to T푘. However, correctness of 퐹CM will require states that are negligibly close to real magic states. To that end, we will make use of

6 a magic state distillation C+M circuit 퐷 due to [DGJ+20] which takes in somewhat-close magic states T̂︁푘 ′ and outputs states negligibly close to T푘 , for 푘′ < 푘. Therefore, the representation of any functionality 퐹 푘 will in fact be a C+M circuit 퐹CM,퐷 that first applies 퐷 to T̂︁ , and then runs 퐹CM.

2.2 Why is Malicious Security Hard to Achieve? We begin this technical overview by describing our results in the two-party setting. Before this, we briefly explain why malicious security does not follow readily from existing techniques. Indeed, a candidate two- message 2PQC (where one party receives output) with specious security (the quantum analogue of classical semi-honest security [DNS10]) was recently proposed in [BY20]. Alternatively, any construction of quantum fully-homomorphic encryption (QFHE) naturally yields a two-message 2PQC protocol: (1) Alice QFHE- encodes her input and sends it to Bob, (2) Bob evaluates the functionality on his input and Alice’s encoded input, and (3) Bob sends Alice the encryption of her output. One might hope to compile this QFHE-based protocol or the [BY20] protocol into a maliciously secure protocol by having the parties include proofs that their messages are well-formed. Unfortunately, it is unclear how to implement this in the quantum setting. In both of these approaches, the parties would have to prove (in zero-knowledge) statements of the form “y is the result of evaluating quantum circuit 퐶 on x.” Crucially, the statement the parties need to prove explicitly makes reference to a quantum state. This is beyond the reach of what one can prove with, say, NIZKs for QMA, in which witnesses are quantum but the statements are entirely classical. Therefore, we design our malicious 2PQC so that parties do not have to prove general statements about quantum states. A core ingredient in our protocol is a quantum garbled circuit construction sketched in [BY20, §2.5], where the circuit garbling procedure is entirely classical.4 Combining this with a post- quantum maliciously-secure classical 2PC, we will ensure valid circuit garbling against malicious quantum adversaries.

2.3 A Garbling Scheme for C + M Circuits Our first step is to formalize the proposal sketched in[BY20, §2.5] for garbling C + M circuits. The starting point for the [BY20, §2.5] construction is a simple technique for garbling any quantum circuit that consists of a single Clifford unitary 퐹 .5 The idea is to sample a random Clifford 퐸 and give out 퐹 퐸† as the garbled circuit; note that the description of 퐹 퐸† will be entirely classical. Since the Clifford unitaries form a group, 퐹 퐸† is a uniformly random Clifford unitary independent of 퐹 . To garble the input quantum state x, simply compute 퐸(x). The construction in [BY20, §2.5] extends this simple construction to any circuit. To build intuition, we will consider a two-layer C + M circuit 푄 = (퐹1, 푓), where 퐹1 is the first layer Clifford unitary, and 푓 is a classical circuit that takes as input a single bit measurement result 푚, and outputs a classical description of 퐹2, the second layer Clifford unitary. On input x, the circuit operates as follows:

1. Apply 퐹1 to x. 2. Measure the last output wire in the computational basis to obtain 푚 ∈ {0, 1}, and feed the remaining wires to the next layer. Compute the second layer Clifford unitary 퐹2 = 푓(푚).

3. Apply 퐹2 to the non-measured output wires from the first layer. Return the result. One could try to extend the simple idea for one-layer garbling to this circuit. We still sample a random † input-garbling Clifford 퐸0 and compute 퐹1퐸0. To hide the second layer Clifford, a natural idea is to sample 4We remark that the 2PQC proposed in [BY20] is based on their “main” quantum garbled circuit construction, which crucially does not have a classical circuit garbling procedure. The advantage of their main construction is that garbling can be done in low depth, whereas the alternative construction requires an expensive but classical garbling procedure. 5[BY20] call this group-randomizing quantum randomized encoding.

7 yet another random Clifford 퐸1 to be applied to the non-measured output wires of 퐹1. That is, we replace † † † 퐹1퐸0 with (퐸1 ⊗ I)퐹1퐸0, and release the description of a function 푔 such that 푔(푚) = 푓(푚)퐸1. (0) However, this may in general be insecure. Let 퐹2 be the Clifford output by function 푓 when 푚 = 0, (1) (0) (1) and 퐹2 the Clifford output by function 푓 when 푚 = 1. Suppose 퐹2 − 퐹2 = 퐴 for some invertible matrix (0) † (1) † −1 퐴. Then, an attacker with access to 푔 could obtain 퐹2 퐸1 − 퐹2 퐸1, and multiplying the result by 퐴 −1 (0) † (1) † −1 † † yields 퐴 (퐹2 퐸1 − 퐹2 퐸1) = 퐴 퐴퐸1 = 퐸1. Therefore, instead of giving out 푔, the construction of [BY20, §2.5] gives out a classical garbling of 푔. To accommodate this, the output wire from the first layer that is measured to produce 푚 ∈ {0, 1} must be replaced by a collection of wires that produces the corresponding label lab푚 for the garbled circuit. This can be easily achieved by applying a suitable “label unitary” to the 푚 wire (and ancilla wires) within the garbled gate for the first layer. There is one last issue with this approach: an attacker that chooses not to measure the wires containing lab푚 can obtain a superposition over two valid labels. Recall that the standard definition of security for classical garbled circuits only guarantees simulation of one label, not a quantum superposition of both labels. To ensure the attacker cannot get away with skipping the computational basis measurement, the [BY20, §2.5] construction applies a 푍-twirl to 푚 before the “label unitary” is applied. Recall that a 푍-twirl is simply a random application of a Pauli 푍 gate, i.e. 푍푏 for a uniformly random bit 푏; applying 푍푏 to a wire is equivalent to performing a computational basis measurement (without recording the result). To recap, a garbled 2-layer C + M circuit 푄 consists of three components: an “input garbling” Clifford † 퐸0, an initial Clifford unitary to be applied to the garbled input 퐷0 := (퐸1 ⊗ I)퐹1퐸0, and a classical garbled circuit 푔̃︀. Extrapolating, we see that in general a garbled C + M circuit takes the form

(퐸0, 퐷0, 푔̃︀1,..., 푔̃︀푑) := (퐸0, 푄̃︀),

where the 푔̃︀푖’s are garblings of classical circuits. Crucially, all of these components can be generated by an entirely classical circuit. The only quantum operation involved in the garbling process is the application of 퐸0 to the input x to garble the input. Next, we show how we can take advantage of this mostly classical garbling procedure to obtain maliciously-secure 2PQC.

2.4 A Three-Message Protocol with Malicious Security In this section, we describe a three-message 2PQC protocol where both parties obtain output. This implies the two-message 2PQC result with one-sided output described in the first part of our results section, and fills in the upper left corner of Table1. We begin with a plausible but insecure construction of a three-message 2PQC based on the above quantum garbled circuit construction. We will then highlight the ways a malicious attacker might break this construction, and arrive at our final construction by implementing suitable modifications. Our protocol relies only on a classical two-message 2PC with one-sided output that is (post-quantum) secure against malicious adversaries; this can be realized by combining (post-quantum) classical garbled circuits [Yao86] with (post-quantum) two-message oblivious transfer [PVW08] following eg. [IKO+11]. We will consider two parties: Alice with input x퐴 and Bob with input x퐵. They wish to jointly compute a quantum circuit 푄 on their inputs whose output is delivered to both players. 푄 is represented as a 푘 푘 Clifford+Measurement circuit that takes input (x퐴, x퐵, T , 0 ). We denote by (y퐴, y퐵) the joint outputs of Alice and Bob. At a high level, the parties will use the first two messages (Bob → Alice, Alice → Bob) to jointly encode their quantum inputs, while in parallel computing a two-message classical 2PC that outputs the classical description of a quantum garbled circuit to Bob. By evaluating the garbled circuit, Bob can learn his own output, as well as Alice’s encoded output, which he sends to Alice in the 3rd message. In more detail, the classical functionality ℱ[푄] to be computed by the classical 2PC is defined as follows. It takes as input (the classical description of) a Clifford unitary 퐶퐵,in from Bob and Clifford unitaries 휆 (퐶퐴,in, 퐶퐴,out) from Alice. Let 푄퐵 be a modification of 푄 that outputs (퐶퐴,out(y퐴, 0 ), y퐵) in place of (y퐴, y퐵); looking ahead, this will enable Bob to evaluate (a garbling of) 푄퐵 on (a garbling of) their joint

8 inputs without learning Alice’s output. The functionality computes a garbling (퐸0, 푄̃︂퐵) of 푄퐵. Finally, it −1 −1 computes 푊 := 퐸0 · (I ⊗ 퐶퐵,in ⊗ I) · 퐶퐴,in (where the registers implied by the tensor product will become clear below), and outputs (푊, 푄̃︂퐵) to Bob. The (insecure) protocol template is as follows:

• First Message (Bob → Alice). Bob picks a random Clifford 퐶퐵,in and uses it to encrypt and 휆 authenticate his input x퐵 as m1 := 퐶퐵,in(x퐵, 0 ). He also computes the first round message 푚1 of the classical 2PC, using 퐶퐵,in as his input. He sends (m1, 푚1) to Alice.

• Second Message (Alice → Bob). After receiving (m1, 푚1), Alice picks a random Clifford 퐶퐴,in and uses it to encrypt her input x퐴 along with Bob’s encoding m1, 푘 copies of a T state, and 푘 + 휆 copies 푘 푘+휆 of a 0 state. The result of this is m2 := 퐶퐴,in(x퐴, m1, T , 0 ). Alice also samples another random Clifford 퐶퐴,out that will serve to encrypt and authenticate her output, and computes the second round message 푚2 of the classical 2PC using input (퐶퐴,in, 퐶퐴,out). She sends (m2, 푚2) to Bob.

• Third Message (Bob → Alice). After receiving (m2, 푚2), Bob can compute his output of the classical 2PC, which is (푊, 푄̃︂퐵). He computes

−1 −1 (︀ 푘 푘+휆 )︀ 푘 푘+휆 푊 (m2) = 퐸0 · (I ⊗ 퐶퐵,in ⊗ I) · 퐶퐴,in 퐶퐴,in(x퐴, m1, T , 0 ) = 퐸0(x퐴, x퐵, T , 0 ).

푘 푘+휆 Recall that 퐸0(x퐴, x퐵, T , 0 ) corresponds to a garbled input for 푄̃︂퐵. He evaluates 푄̃︂퐵 on this 휆 garbled input and obtains (퐶퐴,out(y퐴, 0 ), y퐵). 휆 At this point, Bob has his output y퐵 in the clear. Next he sets m3 = 퐶퐴,out(y퐴, 0 ), and sends m3 −1 to Alice. Upon receiving m3, Alice can recover her output by computing 퐶퐴,out(m3). The above protocol can already be shown to be secure against malicious Bob by relying on security of the classical two-party computation protocol against malicious adversaries. But malicious Alice can break security by generating ill-formed auxiliary states. We now describe this issue in some more detail and then present modifications to address the problem.

Malicious Generation of Auxiliary States. In the second message of the protocol, Alice is instructed 푘 푘+휆 to send a quantum state 퐶퐴,in(x퐴, m1, T , 0 ). A malicious Alice can deviate from honest behavior by submitting arbitrary states in place of the magic T states and the auxiliary 0 states, either of which may compromise security. We therefore modify the classical 2PC to include randomized checks that will enable Bob to detect if Alice has deviated from honest behavior. We check validity of 0 states using the “random linear map” technique of [DGJ+20]. The classical 2PC 푘×푘 will sample a uniformly random matrix 푀 ∈ F2 , and apply a unitary 푈푀 that maps the quantum state 푘 푘×푘 v = |푣⟩⟨푣| for any 푣 ∈ F2 to the state Mv = |푀푣⟩⟨푀푣|. For any 푀 ∈ F2 , there exists an efficient 푘 푘 Clifford unitary 푈푀 implementing this map. This check takes advantage of the fact that 푈푀 (0 ) = 0 for 푘 푘 any 푀, but on any other pure state v = |푣⟩⟨푣| for non-zero 푣 ∈ F2 , we have 푈푀 (v) ≠ 0 with overwhelming probability in 푘. More precisely, our protocol will now ask Alice to prepare twice (2푘) the required number of 0 states. 2푘×2푘 The classical 2PC will generate a Clifford unitary 푈푀 implementing a random linear map 푀 ∈ F2 , and −1 −1 incorporate 푈푀 into its output Clifford 푊 , which is now 푊 = (퐸0 ⊗ I) · (I ⊗ 퐶퐵,in ⊗ I) · (I ⊗ 푈푀 ) · 퐶퐴,in. 휆 푘 2푘 Now when Bob applies 푊 to Alice’s message 퐶퐴,in(x퐴, 퐶퐵,in(x퐵, 0 ), T , 0 ), it has the effect of stripping −1 off 퐶퐴,in by applying 퐶퐴,in, and then applying 푈푀 to the last 2푘 registers. The rest of the application of 푊 has the same effect as before the modification, so it undoes the application of 퐶퐵,in, and then re-encodes all but the last 푘 registers under the input garbling Clifford 퐸0 to produce a garbled input. Crucially, the last 푘 registers are designated “0-state check registers”, which Bob can simply measure in the computational basis to detect if Alice prepared the 0 states properly.

9 Unfortunately, this technique does not extend to checking validity of T states. To do so, we would have to map T states to 0 states, but there is no Clifford unitary that realizes this transformation.6 The problem with using a non-Clifford unitary is that security of 푊 relies on the fact that it is the product of a random ′ Clifford 퐶퐴,in and some other Clifford 푊 . Since the Clifford unitaries form a group, multiplication bya ′ ′ random 퐶퐴,in perfectly masks the details of 푊 , but only when 푊 is Clifford. We will therefore employ the “cut-and-choose” technique from [DGJ+20]. The protocol will now have Alice prepare 휆(푘+1)-many T states instead of just 푘. The classical 2PC will generate a random permutation 휋 on [휆(푘 + 1)], which will move a random selection of 휆 of the T states into “T-state check registers.” The application of 휋 will be implemented by a unitary 푈휋 incorporated into 푊 . After applying 푊 , Bob will apply a projective measurement onto T to each of the T-state check registers, and will abort if any of the 휆 measurements fails. If all of the 휆 measurements pass, this means the remaining 휆푘 un-tested T states are “somewhat close” to being real T states. However, being “somewhat close” will not be sufficient; for instance, an attacker who prepares exactly one completely invalid T state will only be caught with 1/(푘 + 1) probability. We will therefore need to apply magic-state distillation to transform these into states which are negligibly close to real T states. For this, we use a magic-state distillation circuit of [DGJ+20, §2.5] (which builds on [BK05]). This circuit consists solely of Clifford gates and computational basis measurements. To apply this circuit we modify our underlying functionality, so that we now give out a garbling of a circuit that first implements magic-state distillation and only then applies 푄퐵. This completes an overview of our protocol, and a formal construction and analysis can be found in Section5.

2.5 Application: Reusable MDV-NIZK for QMA Now we briefly describe how the above techniques readily give a reusable malicious designated-verifier NIZK for QMA in the CRS model. Note that NIZK for QMA is a special case of two-party quantum computation, where the functionality being computed is the verification circuit 풱 for some QMA language, the prover (previously Alice) has the quantum witness w as input, and the verifier (previously Bob) has no input and receives a binary output indicating whether 풱(푥, w) accepts or rejects, where 푥 is the (classical) description of the instance they are considering. Since the prover does not receive output, there is no need for the third message in the protocol of Section 2.4. Furthermore, since the verifier has no input, there is no need for any quantum message from him inthe first message. The verifier only needs to send a first-round classical 2PC message which then functionsasa proving key. The (classical) left-over state is the verifier’s secret verification key. After this, the prover just sends one quantum message (the Second Message in the above protocol), proving that 풱(푥, w) = 1. In order to make the above template reusable, we can first instantiate the underlying classical 2PC with a reusable 2PC. Once this is in place, the verifier’s first-round message is necessarily instance-indepedent. Then, to ensure that a cheating prover cannot break soundness by observing whether the verifier accepts its proofs or not, we modify the classical functionality to take as input a PRF key from the verifier, and generate all required randomness (used for the 0 and T checks, and the quantum garbling procedure) by applying this PRF to the (classical) description of the instance 푥. By security of the reusable 2PC and the PRF, a verifier will never accept a maliciously sampled proof for any instance 푥 not in the language.

2.6 Challenges in Achieving a Two-Round Protocol in the Quantum Setting The previous sections show that we can achieve 2PQC in two messages if only one party receives output, which is optimal in terms of round complexity. Now we ask whether both parties can obtain output with just two rounds of simultaneous exchange. Indeed, in the classical setting, there is a natural approach to obtaining a two-round protocol, given a two-message protocol where one party receives output. The parties

6The existence of such a Clifford would imply that Clifford + Measurement circuits without magic states are universal for quantum computing, contradicting the Gottesman–Knill theorem (assuming BPP ̸= BQP).

10 simply run two parallel executions of the two-message protocol on the same inputs - one in which Alice speaks first and the functionality only computes her part of the output, and another in which Bob speaksfirstand the functionality only computes his part of the output. Unfortunately, this natural approach completely fails in the quantum setting, for at least two reasons.

• Running two parallel executions of the same protocol on the same set of inputs seems to require cloning those inputs, which is in general impossible if the inputs may be arbitrary quantum states. • Running two parallel executions of a randomized functionality requires the parties to fix the same random coins to be used in each execution, as otherwise their outputs may not be properly jointly distributed. This is not possible in the quantum setting, since randomness can come from measurement, and measurement results cannot be fixed and agreed upon beforehand.

These issues motivate the rest of our work. Since running two protocols in parallel on the same inputs is problematic, we take as our guiding principle that one party must be performing the actual computation at some point in the protocol, and then distributing the outputs. Interestingly, while the first issue mentioned above is unique to the setting of quantum inputs, thesecond issue applies even if the parties wish to compute a quantum circuit over just classical inputs, which we regard as a very natural setting. Thus, while this paper focuses on the most general case of secure quantum computation over potentially quantum inputs, we stress that all the results we achieve are the best known even for the classical input setting. Furthermore, note that both issues also exist in the specious setting, so it doesn’t appear to be straightforward to achieve two-round 2PQC even in this setting. While the focus of this paper is on the setting of malicious security, exploring these questions in the specious setting is also an interesting direction.

2.7 A Two-Round Protocol with Pre-Processing Our next result is a three-round protocol for 2PQC which requires only two online rounds of communication, filling in the upper right corner of Table1. In fact, we construct a protocol in which the pre-input phase only consists of a single message from Bob to Alice (computed with respect to a CRS). We take our three sequential message protocol as a starting point, and introduce several modifications. The first modification will immediately achieve the goal ofremoving input-dependence from Bob’s first message, and all the subsequent modifications will be necessary to restore correctness and security.

Modification 1: Removing Input-Dependence via Teleportation. Before sending his first message, Bob samples 푛 EPR pairs, where 푛 is the number of qubits of the input x퐵. We denote these EPR pairs by (epr1, epr2), where epr1 denotes the left 푛 qubits, and epr2 denotes the right 푛 qubits. In place of sending 휆 휆 퐶퐵,in(x퐵, 0 ), Bob sends m퐵,1 := 퐶퐵,in(epr1, 0 ). Note that the classical 2PC only requires input 퐶퐵,in, which is a random Clifford that Bob samples for himself, so Bob’s entire first round message (m퐵,1, 푚퐵,1) can now be sent before Bob receives his input. The idea is that later on, when Bob learns his input x퐵, he will perform Bell measurements on (x퐵, epr2) to teleport x퐵 into epr1.

Issue: Incorporating Bob’s Teleportation Errors. Teleporting x퐵 into epr1 will require Bob to somehow correct epr1 later in the protocol using the results of his Bell measurements on (x퐵, epr2). But enabling Bob to do this in a way that does not compromise security will be tricky, as we now explain. After receiving the second round message from Alice in our original malicious 2PQC protocol, Bob learns the output of the classical 2PC, which includes (1) a (classical description of a) quantum garbled circuit 푄̃︀, and (2) a Clifford unitary 푊 . Bob applies 푊 to Alice’s quantum message m퐴,2, performs the appropriate 0 and T state checks, and conditioned on the checks passing, is left with a state of the form 퐸0(x퐴, x퐵, T̂︀, 0), where T̂︀ is a state “somewhat close” to T푘. But at this point in our newly modified protocol, Bob is holding the state 퐸0(x퐴, epr1, T̂︀, 0). To restore correctness, we somehow need to modify the protocol so that Bob

11 푥inp 푧inp can apply 푋 푍 to epr1 “inside” the 퐸0 mask, where 푥inp, 푧inp are the result of Bell basis measurements on (x퐵, epr2). † Recall that the structure of 푊 is 푊 = 퐸0 · 푈dec−check, where 퐸0 is the input garbling Clifford for the quantum garbled circuit, and 푈dec−check is the matrix that undoes 퐶퐴,in, undoes 퐶퐵,in, and then applies a permutation 휋 and a random linear map 푀, and rearranges all the to-be-checked registers to the last few (rightmost) register slots. The multiplication by 퐸0 is applied only to the non-checked registers. Thus, it seems like correctness would have to be restored by inserting the unitary (I ⊗ 푋푥inp 푍푧inp ⊗ I) † 푥inp 푧inp † in between 퐸0 and 푈dec−check. But if Bob can learn 퐸0(I ⊗ 푋 푍 ⊗ I)푈dec−check for even two different values of 푥inp and 푧inp, security of the input garbling Clifford 퐸0 may be lost entirely.

Modification 2: Classical Garbling + Quantum Multi-Key Fully Homomorphic Encryption In 푥inp 푧inp † order to resolve this issue, we will split up the matrix 퐸0(I ⊗ 푋 푍 ⊗ I)푈dec−check into two matrices

푥inp 푧inp † 푈푥inp,푧inp := 퐸0(I ⊗ 푋 푍 ⊗ I)푈rand † 푈check := 푈rand푈dec−check where 푈rand is a “re-randomizing” Clifford. The matrix 푈check is independent of Bob’s teleportation errors, and will now be output to Bob by the classical 2PC. But to preserve security, we will have Bob obtain 푈푥inp,푧inp by evaluating a classical garbled circuit 푓̃︀inp where 푓inp(푥inp, 푧inp) := 푈푥inp,푧inp ; the garbled circuit 푓̃︀inp is included in the output of the classical 2PC. But now we are faced with a new problem: how does Bob obtain the (classical) labels for 푓̃︀inp? Since we only have one round of interaction remaining, Bob won’t be able to run an OT to learn the correct labels (Bob could learn the labels by the end of the two online rounds, but then we would still need another round for Bob to send Alice her encrypted output). We resolve this problem with quantum multi-key fully-homomorphic encryption (QMFHE), which we will use in tandem with our classical garbled circuit 푓̃︀inp to enable Bob to compute (a homomorphic encryption of)

푈푥inp,푧inp without leaking anything else. Before we continue, we give a brief, intuition-level recap of QMFHE (we refer the reader to Section 3.7for a formal description). Recall that a standard fully-homomorphic encryption (FHE) allows one to apply arbitrary efficient computation to encrypted data (without needing tofirst decrypt). Multi-key FHE (MFHE) extends FHE to enable computation over multiple ciphertexts encrypted under different keys; the output of such a homomorphic computation is a “multi-key” ciphertext whichcan only be decrypted given all the secret keys for all of the ciphertexts involved in the computation [LTV12]. Fi- nally, QMFHE extends MFHE a step further to allow arbitrary efficient quantum computation over encrypted (classical or quantum) data [Goy18, Bra18, Mah18, ABG+20]. We will encrypt each of the garbled circuit labels for 푓̃︀inp under an independent QMFHE key. All of these encrypted labels along with the corresponding QMFHE public keys (to enable quantum computations over these ciphertexts) will also be output to Bob as part of the classical 2PC. We remark that this requires a QMFHE scheme where encryptions of classical plaintexts are themselves classical; such schemes are known assuming the quantum hardness of the learning with errors (QLWE) assumption [ABG+20].7 To recap, Bob obtains from the classical 2PC a collection of QMFHE ciphertexts, one for each of the garbled circuit labels for 푓̃︀inp. Bob picks out the ciphertexts corresponding to 푥inp, 푧inp and performs quantum multi-key evaluation of 푓̃︀inp over these ciphertexts, obtaining a QMFHE encryption of the output of 푓̃︀inp, i.e.

QMFHE.Enc(pk푥inp,푧inp , 푈푥inp,푧inp ) where pk푥inp,푧inp denotes the collection of QMFHE public keys corresponding to 푥inp, 푧inp. The classical 2PC output also includes 푈check in the clear, which Bob can apply to m퐴,2 to obtain 푈rand(x퐴, epr1, T̂︀, 0) (after performing appropriate measurement checks). Then Bob can homomorphically compute the ciphertext QMFHE.Enc(pk푥inp,푧inp , 퐸0(x퐴, x퐵, T̂︀, 0)), and proceed to homomorphically 휆 evaluate his quantum garbled circuit to obtain QMFHE.Enc(pk푥inp,푧inp , (퐶퐴,out(y퐴, 0 ), y퐵)).

7We only require leveled QMFHE, which can be based solely on the QLWE assumption. Unleveled QMFHE requires an additional circularity security assumption.

12 In order for Bob to obtain his final output in the clear, we will have Bob send Alice 푥inp, 푧inp in the first online round. In response, in the second online round Alice will reply with sk푥inp,푧inp ; security of the QMFHE will guarantee that Bob cannot decrypt ciphertexts corresponding to any other choice of the teleportation 휆 errors. In the second online round, Bob will send Alice QMFHE.Enc(pk푥inp,푧inp , (퐶퐴,out(y퐴, 0 )), which she can decrypt to obtain y퐴. Finally, Bob produces his output by performing QMFHE decryption with sk푥inp,푧inp .

Issue: Simulating a Quantum Garbled Circuit with Unknown Output. At this point, we have a correct protocol whose first round is completely input-independent. However, we will run into issues when attempting to prove malicious security. The problem arises in the security proof for a malicious Bob. In the original three-round maliciously secure protocol, the simulator is able to extract x퐵 from Bob’s first round message to Alice; this is doneby −1 first extracting 퐶퐵,in from Bob’s first round classical message for the classical 2PC, and then applying 퐶퐵,in to Bob’s first round quantum message. Extracting x퐵 from Bob’s first round message to Alice is crucial for proving security, since it enables the simulator to query the ideal functionality on x퐵, learn the output y퐵, and finally simulate the quantum garbled circuit using Bob’s output y퐵 before computing Alice’s simulated second round message to be sent to Bob. This second round message reveals to Bob the quantum garbled circuit, so it is crucial that the quantum garbled circuit simulator has been executed at this point. Not surprisingly, this simulation strategy runs into a major problem in our newly modified protocol. Bob’s first message is independent of x퐵, so the simulator cannot query the ideal functionality, and therefore seemingly cannot simulate the quantum garbled circuit before computing Alice’s message, which in particular reveals the quantum garbled circuit to Bob. In summary, the simulator must provide Bob with the quantum garbled circuit (part of Alice’s first online round message), before it has enough information to extract Bob’s input. This appears quite problematic since simulating a garbled circuit certainly requires knowing the output. However, since Bob can only obtain an encryption of the output of the garbled circuit after receiving Alice’s first message, it is still reasonable to expect that the protocol is secure.

Modification 3: Simulation via Teleportation. We fix this problem through a new technique wecall simulation via teleportation. The idea is as follows. Instead of running the quantum garbled circuit simulator on the output of the circuit (which the simulator does not yet know), the simulator will first prepare fresh ′ ′ 휆 ′ EPR pairs epr1, epr2 and then run the quantum garbled circuit simulator on (퐶퐴,out(0, 0 ), epr1) (where ′ 0 takes the place of Alice’s input x퐴 and epr1 takes the place of Bob’s output y퐵). In the following round, after Bob has teleported over his input state x퐵, the simulator will query the ideal functionality, learn y퐵, ′ and then teleport y퐵 into epr1. Implementing the final teleportation step requires some care. When the simulator learns y퐵, it performs ′ Bell measurements on (y퐵, epr2), obtaining measurement outcomes 푥out, 푧out. It must then find some way ′ to apply 푥out, 푧out to the state epr1 so that Bob can obtain his correct output. So we further modify the protocol so that the garbled circuit Bob receives from the classical 2PC is 휆 푥out 푧out 휆 modified to output (퐶퐴,out(y퐴, 0 ), 푋 푍 y퐵) instead of (퐶퐴,out(y퐴, 0 ), y퐵), as before. That is, in the real protocol, an honest Alice will sample random 푥out, 푧out, and then the 2PC will output the circuit implementing this functionality. Alice will send 푥out, 푧out to Bob in the second online round, and Bob 푥out 푧out will first apply Pauli corrections 푋 푍 to his output to obtain y퐵. In the simulated protocol, however, 푥out, 푧out are not sampled by the simulator. Instead, they are the result of the simulator’s Bell measurements ′ 휆 ′ on (y퐵, epr2). The simulator thus simulates a garbled circuit that outputs (퐶퐴,out(0, 0 ), epr1), and then sends 푥out, 푧out in the second online round. Note that this teleportation step occurs exclusively within the simulation.

Modification 4: Alice (Equivocally) Commits to Pauli Corrections. To arrive at a fully secure protocol, we need to address one last issue. As currently described, there is nothing that prevents a malicious Alice from misreporting her choice of 푥out, 푧out. This can introduce arbitrary Pauli errors into Bob’s output that he has no way of detecting. However, this can easily be fixed using equivocal commitments. That is, Alice inputs 푥out, 푧out to the classical 2PC, along with commitment randomness 푠. Bob obtains the

13 commitment as part of the output of the classical 2PC, and later when Alice sends 푥out, 푧out in the second online round, she must also send along 푠. The equivocality property enables the simulation strategy to work as before, as the simulator will have the power to send Bob a commitment to an arbitrary value, and after learning 푥out, 푧out from its Bell measurements, use equivocation to produce a valid opening.

2.8 The Multi-Party Setting In this section, we describe our results in the multi-party setting, filling in the bottom row of Table1. We begin by describing our approach to obtaining a five-round protocol from quantum-secure OT. Our approach follows the same high-level idea as the three-message 2PQC protocol described in Section 2.4, where one party (the “designated party”, or 푃1) will evaluate a quantum garbled circuit on encodings of each party’s input, and then distribute the encoded outputs to each party. However, implementing this template in the multi-party setting requires resolving a host of new challenges.

Input Encoding. Recall that in our two-party protocol, Alice received an encoding of Bob’s input, con- catenated their own input, re-randomized the entire set of registers with a random Clifford 퐶, and then sent the re-randomized state to Bob. This re-randomization ensures that the only meaningful computation Bob can perform is to apply the quantum garbled circuit, whose classical description is re-randomized with 퐶†. A natural extension of this idea to the multi-party setting goes as follows. First, each party sends their encoded input to 푃1. Then 푃1 concatenates all inputs together and re-randomizes the resulting set of registers with their own random Clifford 퐶1. Then, these registers are passed around in a circle, each party 푃푖 applying their own re-randomizing Clifford 퐶푖. Finally, 푃1 receives the fully re-randomized state, along with some classical description of a quantum garbled circuit obtained via classical MPC, and re-randomized † † with 퐶1 . . . 퐶푛. The fact that each party applies their own re-randomizing Clifford is necessary, since we are in the dishonest majority setting. Indeed, if only one party 푃푖 is honest, their security will crucially rely on the fact that the adversary does not know their re-randomizing Clifford 퐶푖. This approach of encrypting and sending a state around the circle of parties for re-randomization is similar to [DGJ+20]’s “input encoding” protocol, in which each individual party’s input is sent around the circle of parties for re-randomization. Unfortunately, the round complexity of this encoding step will grow linearly with the number of parties. To obtain a constant-round protocol, our idea is to round-collapse this input-encoding via the use of quantum teleportation. In the first round, parties will send EPR pairs to each other following the topology ofthe computation described above. That is, each party sets up EPR pairs with 푃1 that will be used to teleport their encoded inputs to 푃1, and each consecutive pair of parties will set up EPR pairs that will be used to teleport the encoded state around the circle. After this setup, the parties can simultaneously apply re- randomization Cliffords and teleport the encoded state around the circle. This will introduce teleportation errors, but since the re-randomization operations are Clifford, these can be later corrected. Indeed, this correction will be facilitated by a classical MPC protocol that takes as input each party’s Clifford and set of teleportation errors.

0 and T State Checks. The next challenge is how to enforce 0 and 푇 state checks in the multi-party setting. Recall that in the two-party setting, we had the non-evaluator party (Alice) prepare the 0 and 푇 states, which were then checked by the garbled circuit evaluator (Bob). This approach works because we know that if Alice is malicious and tried to cheat during preparation of these states, then Bob must be honest and will then refuse to evaluate the garbled circuit. However, this does not carry over to the multi-party setting. If we try to fix some party 푃푖 to prepare the 0 and 푇 states and then have the evaluator 푃1 check them, it may be the case that both 푃푖 and 푃1 are malicious, which would be problematic. Thus, we take a different approach, instructing 푃1 to prepare the 0 and 푇 states, and designing a distributed checking protocol, similar to that of [DGJ+20]. We now briefly describe the 푇 state check, leaving a description of the 0 state check to the body. 푃1 will be instructed to concatenate all parties’ inputs with their own 푇 states, and then send the resulting state around the circle for re-randomization. Later,

14 they receive the re-randomized state, along with a unitary from the classical MPC that i) undoes the re- randomization, ii) samples a different subset of 푇 states for each party, iii) Clifford-encodes each subset, and iv) garbles the inputs together with the remaining 푇 states. Thus, 푃1 obtains 푛 encoded subsets of 푇 states, and is supposed to send one to each party. Each party will then receive their encoded subset, decode (using information obtained from the classical MPC), and measure in the 푇 -basis. Each party will then abort the protocol if their check failed. Only if no parties abort will the classical MPC send information to each party allowing them to decrypt their output from the quantum garbled circuit. It is crucial that no party receives output until all honest parties indicate that their 푇 state check passed, because using malformed 푇 states in the quantum garbled circuit could result in outputs that leak information about honest party inputs.

The Five-Round Protocol. We give a high-level overview of the five rounds of the protocol.

• Round 1: Each party 푃푖 generates EPR pairs and sends half of each pair to its neighbor 푃푖+1. Ad- ditionally, party 푃1 generates enough EPR pairs so that it can send EPR pair halves to every other party 푃푖 for 푖 ≠ 1.

• Round 2: Teleport inputs to 푃1 and teleport the resulting state around the circle (with re-randomization Cliffords 퐶푖 applied along the way). Input teleportation errors and {퐶푖}푖∈[푛] to the classical MPC.

• Round 3: Classical MPC delivers unitary to 푃1 that samples subsets of 푇 states and garbles inputs, along with classical description of the quantum garbled circuit.

• Round 4: 푃1 evaluates the unitary and garbled circuit, then delivers encoded subsets of 푇 states and encrypted outputs to each party.

• Round 5: If no parties abort after their 푇 state check, the classical MPC delivers key to each party allowing them to decrypt their output.

Note that the distributed 푇 state check is the reason that the protocol requires five rounds. The first round is used for setting up EPR pairs. At this point the parties can perform quantum teleportation and obtain their Pauli errors. Now, these must be corrected by the classical MPC, which takes a minimum of two rounds. Thus, 푃1 can only obtain output from the MPC, and thus from the quantum garbled circuit, after Round 3. Then, Round 4 must be used to distribute subsets of 푇 states, and Round 5 must be used to deliver decryption keys conditioned on all parties being happy with their 푇 states. As we describe in the body, the actual computation of the garbled circuit can be delayed one round (at the cost of settling for security with abort rather than unanimous abort), giving a five-round protocol with three online rounds. Now we discuss how to instantiate the classical MPC. We are going to need an MPC that supports reactive functionalities, where inputs may depend on previous outputs obtained from the MPC. Moreover, we need the MPC to be round-optimal, in the sense that outputs delivered in round 푖 may depend on inputs from round 푖 − 1. We observe that the round-collapsing compiler of [GS18] gives exactly this — an ℓ + 1 round MPC for a reactive functionality with ℓ rounds of output. Thus, we can rely solely on quantum-secure two-message OT to construct the above five-round quantum MPC. See Section 3.6 for more discussion about the classical reactive MPC.

The Four-Round Protocol. Finally, we observe that there is some slack in the aforementioned protocol. Indeed, 푃1 does not obtain any output from the classical MPC until after round 3, when in principle the classical MPC can be used to compute some output in only two rounds. The reason we waited three rounds is that we wanted to include the parties’ teleportation errors in the computation performed by the MPC, and these are not known until the beginning of the second round. However, we can use ideas similar to those in Section 2.7 in order to allow the MPC to compute something meaningful during the first two rounds without yet knowing the teleportation errors. In particular, wemake use of classical garbled circuits and quantum multi-key FHE to provide a mechanism by which the classical MPC can output information allowing 푃1 to (homomorphically) compute a function of the teleportation

15 errors after Round 2. This allows us to collapse the total number of required rounds to 4. Moreover, a similar idea allows the parties to delay teleportation of their inputs another round, giving a four-round protocol with (optimal) two rounds of online interaction. Equivalently, our protocol can be seen as two-round MPQC in a quantum pre-processing model.

2.9 Two Round 2PQC Without Pre-Processing: Challenges and Possibilities In this section, we explore the possibility of achieving a two-round 2PQC protocol in the CRS model without pre-processing. We stress that this model does not permit pre-shared entanglement between the two parties, as we consider sharing of entanglement to be a pre-processing step.

The Challenge of Oblivious Simulation. In the classical setting, all known two-round two-party computation protocols (in the CRS model) can be modified so that security is proven via (what we call)an oblivious simulator.8 That is, the simulator (1) only makes black-box queries to the adversary, (2) is straight-line (meaning it only runs the adversary a single time without rewinding), and (3) it generates the simulated CRS independently of the choice of corrupted party (between Alice and Bob). By focusing on protocols with oblivious simulation, we can highlight an apparent difficulty of building secure two-round protocols for quantum functionalities in the CRS model. Assume without loss of generality that Alice is adversarial (the identical argument applies to Bob). Observe that if the first message that Alice sends is not computationally binding to her input x퐴, she can potentially cheat by equivocating, i.e. acting as if she had received a different input, and subsequently learn multiple outputs of the functionality. If the simulation is oblivious, then this reasoning applies simultaneously to Alice and Bob — that is, both parties must, in the first round, send computationally-binding commitments to their respective inputs. This is immediately problematic for quantum inputs, since no-cloning implies that their leftover states will have no (computationally) useful information about their original inputs. Thus, it is unclear how a general computation can be performed on their joint inputs before the start of the second round, as the parties have effectively swapped their initial states. And somehow, after just one more round of messaging, theymust hold their correctly computed output states. Our negative result formalizes this intuitive difficulty. If the simulator is oblivious, then by roughly following the above reasoning, at the end of the first round:

• Alice holds a computationally binding commitment to Bob’s input x퐵,

• Bob holds a computationally binding commitment to Alice’s input x퐴, and • Neither party has information about their original inputs. Moreover, the correctness of oblivious simulation implies that for a computationally indistinguishable CRS, there exists a “trapdoor” that would enable Alice to extract x퐵 and would enable Bob to extract x퐴. But now their states can be viewed as the states of two parties at the beginning of a one-round protocol with polynomial-size pre-processing in which the parties’ inputs are swapped; the pre-processing step is necessary to give both parties the trapdoor information of the simulator. The resulting one-round protocol no longer satisfies any meaningful security guarantees, but crucially, it still satisfies correctness. Moreover, theone- round protocol falls into a model of “instantaneous non-local computation” that has been previously studied in the quantum information literature [BK11]. It is currently open whether this model enables general quantum computation with only polynomial-size preprocessing, and a positive result for two-round 2PQC with oblivious simulation would affirmatively answer this question.

8Each party will use a NIZK proof of knowledge to prove that their first message is well-formed, using their input and randomness as witness. Then, a simulator programming the CRS may extract either party’s input.

16 A Proof-of-Concept Construction from Quantum VBB Obfuscation. Given the above barrier, one could attempt to construct a two-round protocol whose security relies crucially on a non-oblivious simulation strategy. In this work, we take an initial step in this direction by providing a proof-of-concept construction from a strong form of quantum VBB obfuscation that handles obfuscation of quantum circuits that include both unitary gates and measurement gates (see Definition 10.4 and the discussion preceding it). In our construction, Alice will send an encryption of her input to Bob in round 1, who will then homomorphically compute the functionality over their joint inputs and respond with Alice’s encrypted output in round 2. Alice will also send a message in round 2 that allows Bob to decrypt his output. However, the key is that this interaction will actually be indistinguishable from an interaction in which the opposite flow of computation is occuring. In particular, if the CRS if sampled differently (but in an indistinguishable way), it will be the case that Bob is actually sending his encrypted input to Alice in the first round, and then Alice homomorphically computes the functionality and sends Bob’s encrypted output back in the second round. To instantiate this template, we provide a number of quantum obfuscations in the CRS, three per party. First, there are the “input” obfuscations 풪퐴,inp and 풪퐵,inp. 풪퐴,inp will take as input Alice’s input x퐴 along with a “dummy” input d퐴, and output Clifford encodings of each. Alice is instructed to send the first output of this obfuscation as her first message, and keep the second output as her state. In the real protocol, the obfuscated functionality will be such that the first output will be the Clifford encoding of the firstinput (Alice’s real input x퐴), and the second output will be the Clifford encoding of the second input (Alice’s dummy input d퐴). On the other hand, 풪퐵,inp will obfuscate the functionality that does the exact opposite, setting its first output to be a Clifford encoding of its second input, and its second output tobeaClifford encodings of its first input. Thus, in round 1, Alice sends a Clifford encoding of her real input andkeepsa Clifford encoding of her dummy input in her state, while Bob sends a Clifford encoding of hisdummyinput and keeps a Clifford encoding of his real input in his state. The next obfuscations 풪퐴,cmp and 풪퐵,cmp share secret randomness with the input obfuscations (in the form of PRF keys) and can thus decrypt Clifford encodings output by the input obfuscations. They each are defined to decrypt and check the authenticity of their inputs, apply the functionality 푄 that the parties wish to compute, and then encode the outputs with freshly sampled Cliffords. Each party will run their respective obfuscation on their state and the other party’s first round message. Note that then Alice is just using 풪퐴,cmp to compute 푄 over dummy inputs, while Bob is using 풪퐵,cmp to compute 푄 over their real inputs. Alice will send an encrypted dummy output to Bob in round 2, while Bob will send an encrypted real output to Alice. Finally, each party applies their respective output obfuscation 풪퐴,out and 풪퐵,out to their final state and other party’s second round message. 풪퐴,out will ignore Alice’s state (which contains Alice’s dummy output) and decrypt and output Bob’s second round message (which contains Alice’s real output). On the other hand, 풪퐵,out will ignore Alice’s second round message and decrypt and output Bob’s state. Now, it is possible to argue (under the assumption that the obfuscations in the CRS are in fact VBB obfuscations9) that, because all intermediate states and messages are Clifford-encoded, “switching the direction” of the input and output obfuscations cannot be noticed by the parties. Note that if each of 풪퐴,inp and 풪퐵,inp are re-defined to permute the order of their outputs, then the flow of computation will becompletely reversed. In particular, Alice will be computing the functionality over real inputs with 풪퐴,cmp, and Bob will be computing the functionality over dummy inputs with 풪퐵,cmp. Thus, depending on how the simulator programs the CRS, it can either extract directly from Alice’s first round message OR it can extract directly from Bob’s first round message, but it could never extract from both simultaneously. Thus, this template represents a potential method for securely computing a quantum functionality in two rounds, where one of the two parties actually performs the computation between rounds 1 and 2 and then distributes the output in round 2. In other words, it is an instantiation of our guiding principle mentioned in Section 2.6 in a model without pre-processing.

9Attempting to prove this based on just indistinguishability obfuscation runs into issues that arise due to the inherently probabilistic nature of the functionalities obfuscated. In particular, they generate randomness via measurement and then use this randomness to generate Clifford matrices. In the classical setting, one could usually generate the required randomness with a PRF applied to the input, but it is unclear how to do this when the input is a quantum state.

17 Of course, since VBB obfuscation of quantum circuits is in general impossible [AF16], one may wonder how to interpret this result. One may view this construction, in conjunction with our impossibility result for oblivious simulators, as suggesting a particular template for designing two-round 2PQC that with new ideas may eventually be instantiated to give a construction from plausible assumptions. On the other hand, one may view the construction as a potential barrier to obtaining a more general impossibility result. Indeed, showing that it is impossible to securely compute a particular quantum functionality 푄 in two rounds now requires showing that (strong) VBB obfuscation of certain functionalities is impossible. Currently, we only know that some very specific functionalities are un-obfuscatable [AF16, ABDS20, ALP20].

3 Preliminaries 3.1 Notation Following [BY20], we define a Quantum Random Variable, or QRV, to be a density matrix x on register X. We will generally refer to QRVs with lowercase bold font and to registers with uppercase gray font. A collection of QRVs (x, y, z) on registers X, Y, Z is also a QRV, and x, y, z may or may not be entangled with each other. Let 휆 denote the security parameter. We will consider non-uniform quantum polynomial-time adversaries, denoted by Adv = {Adv휆, 휌휆}휆∈N, where each Adv휆 is the classical description of a poly(휆)-size quantum circuit, and each 휌휆 is some (not necesarily efficiently computable) non-uniform poly(휆)-qubit quantum advice. We will denote the trace distance between two QRVs x and y with ‖x − y‖1 and for infinite sequences of

QRVs {x휆}휆∈N and {y휆}휆∈N we write {x휆}휆∈N ≈푠 {y휆}휆∈N to indicate that there exists a negligible function 휇(·) such that ||x휆 − y휆||1 ≤ 휇(휆). Here, the 푠 refers to “statistical” indistinguishability. In addition, we write

{x휆}휆∈N ≈푐 {y휆}휆∈N to indicate that there exists a negligible function 휇(·) such that for all QPT distinguishers 풟 = {풟휆, d휆}휆,

|Pr[풟휆(d휆, x휆) = 1] − Pr[풟휆(d휆, y휆) = 1]| ≤ 휇(휆).

Here, the 푐 refers to “computational” indistinguishability. Let C푛 and P푛 denote the 푛-qubit Clifford and Pauli groups, respectively. Let 0 refer to a 0 state and T refer to a 푇 state. 0푛 denotes 푛 copies of a single qubit 0 state and likewise for T푛. Let 푋 and 푍 be the Pauli matrices, i.e. [︂0 1]︂ [︂1 0 ]︂ 푋 = , 푍 = . 1 0 0 −1

3.2 Clifford Authentication Code Definition 3.1 (Clifford Authentication Code). The 푛-qubit 휆-trap Clifford authentication code consists of the following algorithms, which encode an 푛-qubit state x with key 퐶 ∈ C푛+휆.

휆 • Enc(퐶, x): Compute 퐶(x, 0 ) := x̂︀. ′ † ′ • Dec(퐶, x̂︀): Compute (x , y) := 퐶 (x̂︀) (where x is the first 푛 registers of the result and y is the final 휆) and measure y in the standard basis. If the outcome is 0휆, return x′, and otherwise return |⊥⟩ ⟨⊥|. This authentication code satisfies the following property. For any QRV (x, z) and any CPTP map Adv acting on the encoding and side-information z, there exist maps ℬ0, ℬ1 acting on z such that ℬ0 + ℬ1 is CPTP (completely positive trace preserving), and

18 ⃦ ⃦ ⃦ ⃦ ⃦ E [Dec(퐶, Adv(Enc(퐶, x), z))] − ((x, ℬ0(z)) + (|⊥⟩ ⟨⊥| , ℬ1(z)))⃦ = negl(휆). ⃦퐶←C푛+휆 ⃦1 3.3 Multi-Party Quantum Computation Below we give a definition of maliciously-secure multi-party quantum computation with abort, following the standard real/ideal world paradigm for defining secure computation [Gol04]. It can be strengthened to security with unanimous abort by changing the interface of the ideal functionality ℐ so that its final input is abort or ok, and it either outputs all honest party outputs (if ok) or none (if abort).

Consider an 푛-party quantum functionality specified by a family of quantum circuits 풬 = {푄휆}휆∈N where 푄휆 has 푚1(휆) + ··· + 푚푛(휆) input qubits and ℓ1(휆) + ··· + ℓ푛(휆) output qubits. We will consider a QPT adversary Adv = {Adv휆}휆∈N that corrupts any subset 푀 ⊂ [푛] of parties. Let Π be an 푛-party protocol for computing 푄. For security parameter 휆 and any collection of (potentially entangled) quantum states (x1,..., x푛, auxAdv, aux풟), where x푖 is 푃푖’s input to 푄휆 (on 푚푖(휆) registers), auxAdv is some side information (on an arbitrary number of registers) given to the adversary, and aux풟 is some information (on an arbitrary number of registers) given to the distinguisher, we define the quantum random variable REALΠ,Q(Adv휆, {x푖}푖∈[푛], auxAdv) as follows. Adv휆({x푖}푖∈푀 , auxAdv) interacts with honest party algorithms on inputs {x푖}푖∈[푛]∖푀 participating in protocol Π, after which the honest parties output {y푖}푖∈[푛]∖푀 and Adv outputs a final state z (an arbitrary function computed on an arbitrary subset of the registers that comprise its view). The random variable REALΠ,Q(Adv휆, {x푖}푖∈[푛], auxAdv) then consists of {y푖}푖∈[푛]∖푀 along with z. For any Adv, we require the existence of a simulator Sim = {Sim휆}휆∈N that takes as input ({x푖}푖∈푀 , auxAdv), has access to an ideal functionality ℐ[{x푖}푖∈[푛]∖푀 ](·), and outputs a state z. The ideal functionality accepts an input {x푖}푖∈푀 , applies 푄휆 to (x1,..., x푛) to recover (y1,..., y푛), and returns {y푖}푖∈푀 to Sim휆. Then, for each 푖 ∈ [푛] ∖ 푀, it waits for either an abort푖 or ok푖 message from Sim휆. In the case of ok푖 it includes y푖 in its output and in the case of abort푖 it includes ⊥ (note that these outputs are not given to Sim휆). Now, we define the quantum random variable IDEALΠ,Q(Sim휆, {x푖}푖∈[푛], auxAdv) to consist of the output of ℐ[{x푖}푖∈[푛]∖푀 ](·) ℐ[{x푖}푖∈[푛]∖푀 ](·) and the final state z of Sim휆 ({x푖}푖∈푀 , auxAdv). Definition 3.2 (Secure Multi-Party Quantum Computation). A protocol Π securely computes 푄 if for all

QPT Adv = {Adv휆}휆∈N corrupting subset of parties 푀 ⊂ [푛], there exists a QPT Sim = {Sim휆}휆∈N such that for all {x1,휆,..., x푛,휆, auxAdv,휆, aux풟,휆}휆∈N and all QPT 풟 = {풟휆}휆∈N, there exists a negligible function 휈(·) such that

⃒ ⃒ [︀ (︀ )︀ ]︀ ⃒ Pr 풟휆 aux풟,휆, REALΠ,Q(Adv휆, {x푖,휆}푖∈[푛], auxAdv,휆) = 1 ⃒ ⃒ [︀ (︀ )︀ ]︀ ⃒ − Pr 풟휆 aux풟,휆, IDEALΠ,Q(Sim휆, {x푖,휆}푖∈[푛], auxAdv,휆) = 1 ⃒ ≤ 휈(휆). ⃒

3.4 Useful Lemmas Lemma 3.3 (Magic State Distillation [BK05, DGJ+20]). Let 푝(·) be a polynomial. Then there exists a poly(휆) size C + M circuit 푄 from 휆푝(휆) input qubits to 푝(휆) output qubits such that the following holds. Take any state x on 휆푝(휆) + 휆 qubits. Apply a uniformly random permutation to the registers of x and then measure the final 휆 qubits in the 푇 -basis to obtain a bitstring 푠. Let x̃︀ be the remaining 휆푝(휆) registers. Then there exist negligible functions 휇, 휈 such that [︁ (︁⃦ ⃦ )︁]︁ Pr (푠 = 0) ∧ ⃦푄(x) − T푝(휆)⃦ > 휇(휆) ≤ 휈(휆). ⃦ ̃︀ ⃦1 Proof. This follows from applying [DGJ+20, Lemma I.1] with parameters 푛 = 휆푝(휆), 푘 = 휆, 훿 = 1/2 followed by [DGJ+20, Lemma 2.7] with parameters 푚 = 휆푝(휆), ℓ = 푚/2, 푡 = 푝(휆).

19 Lemma 3.4 ([DGJ+20]). For any 푛 ∈ N and projector Π on 2푛 qubits, define the quantum channel ℒΠ by Π 2푛 ℒ (x) := ΠxΠ + |⊥⟩ ⟨⊥| Tr[(I − Π)x], 푛 2푛 2푛 where |⊥⟩ is a distinguished state on 2푛 qubits with Π |⊥⟩ = 0. For any 푡 ∈ {0, 1} , let Π푡,Full := |0 ⟩⟨0 | 푛 푛 if 푡 = 0 and Π푡,Full := 0 otherwise. Let Π푡,Half := I ⊗ |푡⟩⟨푡|. Then for any QRV x on 2푛 registers and 푡 ∈ {0, 1}푛, ⃦ ⃦ ⃦ Π [︀ Π ]︀⃦ ⃦ℒ 푡,Full (x) − E ℒ 푡,Half (푈(x)) ⃦ = negl(푛). ⃦ 푈←GL(2푛,F2) ⃦1 This implies the following lemma, which is stated in terms of an interactive game between adversary and challenger. Lemma 3.5. Consider the following experiment. An adversary Adv outputs a state xM1,M2 on 2푛 qubits. (︁ )︁ 푛 M1 M2 푟 푠 Then, the challenger samples 푈 ← GL(2푛, F2), 푟, 푠 ← {0, 1} , computes y1 , y2 := (I ⊗ 푋 푍 )푈(x), ′ ′ and returns y2. Finally, the adversary outputs a string 푟 . The experiment accepts if 푟 = 푟 and otherwise rejects. Then there exist negligible functions 휇, 휈 such

′ 푛 Pr [(푟 = 푟) ∧ (‖y1 − 0 ‖1 > 휇(푛))] ≤ 휈(푛). (︀ M ,M Z)︀ Proof. We can specify any adversary by a starting state x 1 2 , z and an attack unitary 퐴, where 퐴 is ′ applied to (y2, z) and then followed by a computational basis measurement to produce 푟 . Then we can write the experiment in the lemma as sampling 푈, 푟, 푠, computing

(︀ M1 푟 푠 Z)︀ (︀ M1 M2,Z)︀ (︀ M1 푟 푠 Z)︀ (︀ Z)︀ I ⊗ 푋 푍 ⊗ I I ⊗ 퐴 I ⊗ 푋 푍 ⊗ I 푈 ⊗ I (x, z), 푛 measuring the M2 register and rejecting if the result is not 0 . Now, one can apply the Pauli twirl (see for example [DGJ+20, Lemma A.2]) to argue that

(︀ M1 푟 푠 Z)︀ (︀ M1 M2,Z)︀ (︀ M1 푟 푠 Z)︀ I ⊗ 푋 푍 ⊗ I I ⊗ 퐴 I ⊗ 푋 푍 ⊗ I

can be written as a classical mixture of Pauli attacks on register M2. Thus, we can write the state on registers M1, M2 that results from this experiment as

∑︁ Π푡,Half 푝푡ℒ (푈(x)), 푡∈{0,1}푛

where 푝푡 is the probability the the 푥-value in the adversary’s mixture of Pauli attacks is equal to 푡. Now, by Lemma 3.4, this state is negligibly close to

∑︁ Π푡,Full 푝푡ℒ (x). 푡∈{0,1}푛

Finally, observe that this state is either |⊥⟩ ⟨⊥| (a reject), or |02푛⟩⟨02푛| (an accept), so the event stated in the lemma will occur with probability 0.

3.5 Two-Message Two-Party Classical Computation As a building block, we will use post-quantum maliciously-secure two-message two-party classical computation in the CRS model where one party receives output. We will require that the simulator is straight-line and black-box. We will refer to such a protocol simply as 2PC. 2PC is defined by four algorithms (2PC.Gen, 2PC1, 2PC2, 2PCout). We will keep the convention that party 퐵, with input 푥퐵, first computes 2PC1, then party 퐴, with input 푥퐴, computes 2PC2, and finally party 퐵 recovers its output 푦 with 2PCout. The syntax of these algorithms is as follows, where 퐶 is the description of the circuit to be computed.

20 • crs ← 2PC.Gen(1휆). 휆 • (푚1, st) ← 2PC1(1 , 퐶, crs, 푥퐵). 휆 • 푚2 ← 2PC2(1 , 퐶, crs, 푚1, 푥퐴). 휆 • 푦 ← 2PCout(1 , st, 푚2).

Let 퐶 = {퐶휆}휆∈N be a (potentially randomized) family of classical circuits where 퐶휆 takes as input 푛퐴(휆)+푛퐵 (휆) (푥퐴, 푥퐵) ∈ {0, 1} and outputs 푦. Consider the case of an adversary Adv = {Adv휆}휆∈N corrupting party 퐴. For every 휆 ∈ N, the the view of the environment in the real execution is denoted by a random variable REALΠ,C,퐴(Adv휆, 푥퐴, 푥퐵, auxAdv), where 푥퐴 is party 퐴’s input, 푥퐵 is party 퐵’s input, and auxAdv is some potentially quantum side information that may be entangled with the distinguisher’s side information aux풟. The random variable consists of (z, 푦퐵), where z is Adv휆’s final output after interacting with an 휆 honest 퐵 algorithm 퐵(1 , 푥퐵), and 푦퐵 is 퐵’s output. (︁ (1) (2))︁ We require the existence of a QPT simulator Sim퐴 = Sim퐴 , Sim퐴 that interacts with any QPT adversary Adv = {Adv휆}휆∈N corrupting party 퐴. Sim퐴 has the following syntax.

(1) 휆 • Sim퐴 (1 ) generates (crs, 휏, 푚1), sends (crs, 푚1) to Adv휆(푥퐴, auxAdv), and receives back 푚2.

(2) 휆 ′ • Sim퐴 (1 , 푥퐴, 휏, 푚2) computes either 푥퐴 or ⊥, which it forwards to an ideal functionality ℐ퐴[푥퐵](·). ′ ℐ[푥퐵](·) operates as follows. It takes an input 푥퐴 or ⊥, and in the non-⊥ case it computes and outputs ′ 푦 ← 퐶휆(푥퐴, 푥퐵) (note this is not returned to the simulator), and in the ⊥ case it outputs ⊥. The random variable IDEALΠ,C,퐴(Sim퐴, 푥퐴, 푥퐵, auxAdv) consists of the output of Adv휆(푥퐴, auxAdv) after interacting with the simulator, along with the output of ℐ[푥퐵](·). We require an analogous security property in the case that Adv corrupts party 퐵. Here, the syntax of (︁ (1) (2))︁ Sim퐵 = Sim퐵 , Sim퐵 is as follows.

(1) 휆 • Sim퐵 (1 ) generates (crs, 휏), sends crs to Adv휆(푥퐵, auxAdv), and receives back 푚1.

(2) 휆 ′ • Sim퐵 (1 , 휏, 푚1) takes the adversary’s message 푚1 and either extracts an input 푥퐵 or ⊥, which it forwards to an ideal functionality ℐ[푥퐴](·). In the non-⊥ case, ℐ[푥퐴] computes and returns 푦 ← ′ 퐶(푥퐴, 푥퐵) to the simulator and outputs ok. In the ⊥ case it outputs abort, and the simulator send ⊥ to Adv and simulation ends. (3) 휆 • Sim퐵 (1 , 휏, 푦) receives an output 푦 from the ideal functionality and uses it to form a second round message 푚2, which it sends to Adv휆. Definition 3.6 (Post-Quantum Two-Message Two-Party Computation). A protocol Π securely computes 퐶

against malicious party 푃 ∈ {퐴, 퐵} if for all QPT Adv = {Adv휆}휆∈N corrupting party 푃 , there exists a QPT Sim푃 = {Sim푃,휆}휆∈N such that for all {푥퐴,휆, 푥퐵,휆, auxAdv,휆, aux풟,휆}휆∈N and all QPT 풟 = {풟휆}휆∈N, there exists a negligible function 휈(·) such that

⃒ ⃒ ⃒ Pr [풟휆 (aux풟,휆, REALΠ,C,푃 (Adv휆, 푥퐴,휆, 푥퐵,휆, auxAdv,휆)) = 1] ⃒ ⃒ ⃒ − Pr [풟휆 (aux풟,휆, IDEALΠ,C,푃 (Sim푃,휆, 푥퐴,휆, 푥퐵,휆, auxAdv,휆)) = 1] ⃒ ≤ 휈(휆). ⃒ A secure two-party computation protocol satisfying Definition 3.6 can be obtained based on any post- quantum maliciously-secure two-message OT with straight-line simulation, via [IPS08, IKO+11]. The non- interactive secure two-party protocol from [IPS08, Appendix B] is based on Yao’s garbled circuit technique [Yao86] along with a cut-and-choose mechanism for proving that a garbled circuit is computed correctly. The cut-and-choose is non-interactive in the OT-hybrid model. This can be cast in the simpler setting

21 of two-party computation with a CRS, where we replace the ideal calls to the OT with a post-quantum secure two-message OT with straight-line simulation (that is auxiliary-input secure). The latter can be based on the quantum hardness of the learning with errors (QLWE) problem [PVW08]. In Section6, we will rely on reusable post-quantum two-party computation with straight-line simulation, in order to obtain reusable malicious designated-verifier NIZKs for QMA. We point out that[LQR+19] build reusable (post-quantum) two-party computation (with straight-line simulation) assuming (post-quantum) malicious MDV-NIZKs for NP, and (post-quantum) oblivious transfer. Both can be obtained from QLWE [LQR+19, PVW08].

3.6 Round-Optimal MPC for Classical Reactive Functionalities

We, define a 푑-level 푛-party randomized functionality ℱ = (ℱ1,..., ℱ푑) as follows. Let 푟 be random coins. Then each ℱ푗 can be defined as

(︁ (푗) (푗))︁ (︁(︁ (1) (푗))︁ (︁ (1) (푗))︁ (푗) )︁ 푦1 , . . . , 푦푛 := ℱ푗 푥1 , . . . , 푥1 ,..., 푥푛 , . . . , 푥푛 , 푤 , 푟 ,

(︁ (1) (푑))︁ (1) (푑) where 푥푖 , . . . , 푥푖 are the set of party 푖’s private inputs, (푤 , . . . , 푤 ) are some public inputs, and (︁ (1) (푑))︁ (푗) (1) (푗−2) 푦푖 , . . . , 푦푖 are the set of party 푖’s outputs. We allow 푥푖 to be an arbitrary function of 푦푖 , . . . , 푦푖 . Now, we define an ideal functionality ℐℱ for computing ℱ in 푑 + 1 rounds. Let ℋ ⊂ [푛] be a subset of honest parties and ℳ := [푛] ∖ ℋ be the corresponding subset of malicious parties. ℐℱ is initialized with {︁ (1)}︁ honest party inputs 푥푖 . 푖∈ℋ

{︁ (1)}︁ • In round 1, accept and store private inputs 푥푖 . 푖∈ℳ • In round 푗, for 푗 ∈ {2, . . . , 푑}, do the following. Accept public input 푤(푗−1) and compute

(︁ (푗−1) (푗−1))︁ (︁(︁ (1) (푗−1))︁ (︁ (1) (푗−1))︁ (푗−1) )︁ 푦1 , . . . , 푦푛 := ℱ푗 푥1 , . . . , 푥1 ,..., 푥푛 , . . . , 푥푛 , 푤 , 푟 . (︂ )︂ {︁ (푗−1)}︁ {︁ (푗)}︁ Output 푦푖 . Accept either ok, 푥푖 or abort as input. If ok, set level 푗 − 1 honest 푖∈ℳ 푖∈ℳ {︁ (푗−1)}︁ {︁ (푗)}︁ party outputs to 푦푖 and compute the next set of honest party inputs 푥푖 . If abort, 푖∈ℋ 푖∈ℋ set honest party outputs to ⊥ for each level 푘 ≥ 푗 − 1. • In round 푑 + 1, accept public input 푤(푑) and compute

(︁ (푑) (푑))︁ (︁(︁ (1) (푑))︁ (︁ (1) (푑))︁ (푑) )︁ 푦1 , . . . , 푦푛 := ℱ푗 푥1 , . . . , 푥1 ,..., 푥푛 , . . . , 푥푛 , 푤 , 푟 .

{︁ (푑)}︁ Output 푦푖 . Accept either ok or abort as input. If ok, set level 푑 honest party outputs to 푖∈ℳ {︁ (푑)}︁ 푦푖 . If abort, set level 푑 honest party outputs to ⊥. 푖∈ℋ

We observe that the protocol of [GS18] can be used to implement this ideal functionality for any 푑-level 푛-party functionality. If [GS18] is instantiated with post-quantum maliciously-secure two-message oblivious transfer in the CRS model with straight-line black-box simulation, the resulting 푑 + 1 round MPC protocol will be quantum-secure and admit a straight-line black-box simulator. To see this, recall that [GS18] is a compiler that operates on any underlying MPC protocol. One can fix the underlying MPC protocol to support reactive functionalities. Such an MPC can be obtained from any non-reactive MPC by having the non-reactive MPC output a fresh set of secret shares of each party’s input between each execution. We will rely on a maliciously-secure reactive MPC from OT [CvT95, IPS08]. Then,

22 the first round of the [GS18]-compiled protocol will consist of first round OT messages committing each party to the randomness they will use throughout the execution of the underlying reactive MPC protocol, as in the original [GS18] protocol. Each subsequent round will consist of the [GS18] second-round messages for computing the appropriate portion of the reactive functionality, along with encryptions of each party’s input for the next round. During the security proof, in each round the simulator can simply invoke the simulator for the appropriate portion of the underlying reactive MPC. Thus, we will construct each of our multi-party quantum computation protocols with respect to a 푑-level 푛-party classical ideal functionality, that can be implemented by [GS18].

3.7 Quantum Multi-Key Fully-Homomorphic Encryption We use a quantum multi-key fully-homomorphic encryption scheme that supports classical encryption of classical ciphertexts. We do not require compactness or the classicality-preserving property as required by [ABG+20], but we do require a form a circuit-privacy, presented below as ciphertext re-randomization. Definition 3.7 (Quantum Multi-Key Fully-Homomorphic Encryption [Mah18, ABG+20]). A quantum multi-key fully-homomorphic encryption scheme is given by seven algorithms (QMFHE.Gen, QMFHE.KeyGen, QMFHE.CEnc, QMFHE.Enc, QMFHE.Eval, QMFHE.Rerand, QMFHE.Dec) with the following syntax.

• crs ← QMFHE.Gen(1휆): A PPT algorithm that outputs a classical common reference string. • (pk, sk) ← QMFHE.KeyGen(1휆, crs) : A PPT algorithm that given a security parameter, samples a classical public key and a classical secret key.

• ct ← QMFHE.CEnc(pk, 푥) : A PPT algorithm that takes as input a bit 푥 and outputs a classical ciphertext.

• ct ← QMFHE.Enc(pk, x) : A QPT algorithm that takes as input a qubit x and outputs a quantum ciphertext.

• ct̂︀ ← QMFHE.Eval((pk1,..., pk푛), 푄, (ct1,..., ct푛)): A QPT algorithm that takes as input a set of 푛 public keys, a quantum circuit 푄, and a set of 푛 (classical or quantum) ciphertexts, and outputs an evaluated ciphertext ct̂︀ .

• ct̃︀ ← QMFHE.Rerand((pk1,..., pk푛), ct): A QPT algorithm that re-randomizes a ciphertext ct encrypted under a set of 푛 public keys

• x ← QMFHE.Dec((sk1,..., sk푛), ct): A QPT algorithm that takes as input a set of 푛 secret keys and a quantum ciphertext ct and outputs a qubit. The scheme satisfies the following. 1. Quantum Semantic Security: The encryption algorithm maintains quantum semantic security.

2. Quantum Homomorphism: For any polynomial-size quantum circuit 푄, input state x1,..., x푛, 휆 휆 crs crs ∈ QMFHE.Gen(1 ), and key pairs (pk1, sk1),..., (pk푛, sk푛) ∈ QMFHE.KeyGen(1 , crs), it holds that y0 ≈푠 y1, where y0, y1 are QRVs defined as follows:

• y0: For each 푖 ∈ [푛], encrypt each classical bit of x푖 with QMFHE.CEnc(pk푖, ·) and the rest with QMFHE.Enc(pk푖, ·). Execute QMFHE.Eval((pk1,..., pk푛), 푄, ·) on the 푛 encryptions to obtain ct̂︀ . Then output QMFHE.Dec((sk1,..., sk푛), QMFHE.Rerand(ct̂︀ )).

• y1: Output 푄(x1,..., x푛).

휆 3. Ciphertext Re-randomization: For any crs ∈ QMFHE.Gen(1 ), key pairs (pk1, sk1),..., (pk푛, sk푛) ∈ 휆 QMFHE.KeyGen(1 , crs), and ciphertexts ct1, ct2 such that

QMFHE.Dec((sk1,..., sk푛), ct1) = QMFHE.Dec((sk1,..., sk푛), ct2),

23 it holds that

QMFHE.Rerand((pk1,..., pk푛), ct1) ≈푠 QMFHE.Rerand((pk1,..., pk푛), ct2).

We now sketch how to add the ciphertext re-randomization property to the QMFHE scheme constructed in [ABG+20] via “noise-flooding”. An evaluated ciphertext encrypting the quantum state 휌 will have the form 푥 푧 MFHE.Enc((pk1,..., pk푛), (푥, 푧)), 푋 푍 휌, where MFHE is a classical multi-key fully-homomorphic encryption scheme. Thus, it suffices to show how to add ciphertext re-randomization to the classical multi-key FHE scheme of [MW16]. It is well-known that standard single-key FHE schemes from the literature ([GSW13]) are statistically re-randomizable. Now to construct MFHE with ciphertext re-randomization, we can append to each MFHE public key a freshly sampled GSW encryption of its corresponding secret key. To re-randomize a MFHE ciphertext encrypted under public keys pk1,..., pk푛, one can compute the partial decryption under each corresponding GSW ciphertext, resulting in 푛 ciphertexts whose plaintexts sum to 휇(푞/2) + 푒, where 휇 was the bit encrypted under MFHE. Then, add a random additive secret sharing of 푒′ for a large enough 푒′ under the encryptions and re-randomize each. The result is an random additive sharing of 휇(푞/2) + 푒 + 푒′ under ′ ′′ ′′ re-randomized GSW ciphertexts, where 푒+푒 ≈푠 푒 for some distribution 푒 independent of the computation.

3.8 Non-Interactive Equivocal Commitment Definition 3.8 (Equivocal Commitment). A quantum-secure statistically-binding non-interactive equivocal commitment is given by three algorithms (Com.Gen, Com.Enc, Com.Ver) with the following syntax. • crs ← Com.Gen(1휆). • cmt := Com.Enc(1휆, crs, 푚; 푟). • 푏 ← Com.Ver(1휆, crs, cmt, 푚, 푟). It satisfies the following notion of correctness. For any 푚 ∈ {0, 1}*,

[︂ crs ← Com.Gen(1휆), 푟 ← {0, 1}휆 ]︂ Pr 푏 = 1 : = 1 − negl(휆). cmt := Com.Enc(1휆, crs, 푚; 푟), 푏 ← Com.Ver(1휆, crs, cmt, 푚, 푟)

It satisfies the statistical binding property. [︂ ]︂ ∃(cmt, 푚0, 푚1, 푟0, 푟1), 푚0 ≠ 푚1 s.t. Pr 휆 휆 = negl(휆). crs←Com.Gen(1휆) Com.Ver(1 , crs, cmt, 푚0, 푟0) = 1 = Com.Ver(1 , crs, cmt, 푚1, 푟1)

Finally, it satisfies the following notion of security (hiding). There exists algorithms Com.Sim.Gen, Com.Sim.Open such that for any 푚 ∈ {0, 1}*,

[︂ (crs, cmt, 휏) ← Com.Sim.Gen(1휆) ]︂ Pr 푏 = 1 : 휆 휆 = 1 − negl(휆), 푟푚 ← Com.Sim.Open(1 , 휏, 푚), 푏 ← Com.Ver(1 , crs, cmt, 푚, 푟푚) and

{︂ 휆 }︂ crs ← Com.Gen(1 ) {︀ 휆 }︀ (crs, cmt): 휆 ≈푐 (crs, cmt):(crs, cmt, 휏) ← Com.Sim.Gen(1 ) . cmt ← Com.Enc(1 , crs, 푚) 휆∈N 휆∈N A commitment scheme satisfying the above definition can be based on any quantum-secure one-way function [Nao91].

24 3.9 Garbled Circuits Definition 3.9 (Garbled Circuit). A garbling scheme for circuits is a tuple of PPT algorithms (Garble, GEval). Garble is the circuit garbling procedure and GEval is the corresponding evaluation procedure. More formally:

(︀ 휆 )︀ 휆 • (퐶,̃︀ {lab푖,푏}푖∈[푛],푏∈{0,1}) ← Garble 1 , 퐶 : Garble takes as input a security parameter 1 , a classical circuit 퐶, and outputs a garbled circuit 퐶̃︀ along with labels {lab푖,푏}푖∈[푛],푏∈{0,1}, where 푛 is the length of the input to 퐶. (︁ )︁ • 푦 ← GEval 퐶,̃︀ {lab푖,푥푖 }푖∈[푛] : Given a garbled circuit 퐶̃︀ and a sequence of input labels {lab푖,푥푖 }푖∈[푛], GEval outputs a string 푦.

Correctness. For correctness, we require that for any classical circuit 퐶 and input 푥 ∈ {0, 1}푛 we have that: [︁ (︁ )︁]︁ Pr 퐶(푥) = GEval 퐶,̃︀ {lab푖,푥푖 }푖∈[푛] = 1,

(︀ 휆 )︀ where (퐶,̃︀ {lab푖,푏}푖∈[푛],푏∈{0,1}) ← Garble 1 , 퐶 .

Security. For security, we require that there exists a PPT simulator GSim such that for any classical circuit 퐶 and input 푥 ∈ {0, 1}푛, we have that

(︁ )︁ (︁ 휆 푛 |퐶| )︁ 퐶,̃︀ {lab푖,푥푖 }푖∈[푛] ≈푐 GSim 1 , 1 , 1 , 퐶(푥) ,

(︀ 휆 )︀ where (퐶,̃︀ {lab푖,푏}푖∈[푛],푏∈{0,1}) ← Garble 1 , 퐶 .

4 A Garbling Scheme for Clifford + Measurement Circuits

In this section, we formalize and prove the security of a method sketched in [BY20, §2.5] for garbling Clifford plus measurement circuits. Note that this is not the main garbling scheme analyzed in [BY20], but it is a scheme that is sketched there informally. We begin by giving the formal definition of a Clifford + measurement circuit, as well as our definition of a garbling scheme for such circuits. Definition 4.1 (Clifford + Measurement (C + M) Circuit). A Clifford + MeasurementC ( + M) circuit with parameters {푛푖, 푘푖}푖∈[푑] operates on 푛0 := 푛1 + 푘1 input qubits and applies 푑 alternating layers of Clifford unitary and computational basis measurements, during which a total of 푘 := 푘1 + ··· + 푘푑 of the input qubits are measured. It is specified by (퐹0, 푓1, . . . , 푓푑), where 퐹0 is a Clifford unitary, and each 푓푖 is a classical circuit which takes as input the result of computational basis measurements on the 푖th layer, and outputs a Clifford unitary 퐹푖. In layer 푖 ∈ [푑], 푘푖 qubits are measured and 푛푖 qubits are left over. The circuit is evaluated by first applying 퐹0 to the 푛0 input qubits. Then the following steps are performed for 푖 = 1, . . . , 푑:

푘푖 • Measure the remaining 푘푖 qubits in the computational basis, resulting in outcomes 푚푖 ∈ {0, 1} .

• Evaluate 푓푖(푚푖) to obtain a classical description of a Clifford 퐹푖 ∈ C푛푖 .

• Apply 퐹푖 to the first 푛푖 registers.

The output of the circuit is the result of applying 퐹푑 to the final 푛푑 registers. It is well-known ([BK05]) that any polynomial-size quantum circuit can be written as a C + M circuit with polynomial-size parameters {푛푖, 푘푖}푖∈[푑]. The transformation maintains correctness as along as sufficient T states are appended to the input during evaluation. Definition 4.2 (Garbling Scheme for C + M Circuits). A Garbling Scheme for C + M Circuits consists of three procedures (QGarble, QGEval, QGSim) with the following syntax.

25 휆 • (퐸0, 푄̃︀) ← QGarble(1 , 푄):A classical PPT procedure that takes as input the security parameter and a C + M circuit and outputs a Clifford “input garbling” matrix 퐸0 and a quantum garbled circuit 푄̃︀.

• xout ← QGEval(x̃︀inp, 푄̃︀): A QPT procedure that takes as input a garbled input x̃︀inp and a garbled C + M circuit 푄̃︀, and outputs a quantum state xout.

휆 • (x̃︀inp, 푄̃︀) ← QGSim(1 , {푛푖, 푘푖}푖∈[푑], xout): A QPT procedure that takes as input the security parameter, parameters for a C + M circuit, and an output state, and outputs a simulated garbled input and garbled circuit.

Correctness. For any C + M circuit 푄 with parameters {푛푖, 푘푖}푖∈[푑], and 푛0-qubit input state xinp along with (potentially entangled) auxiliary information z,

{︁(︁ (︁ (︀ 푘휆)︀ )︁ )︁ (︁ )︁ (︀ 휆 )︀}︁ QGEval 퐸0 xinp, 0 , 푄̃︀ , z : 퐸0, 푄̃︀ ← QGarble 1 , 푄 ≈푠 (푄 (xinp) , z) .

Security. For any C + M circuit 푄 with parameters {푛푖, 푘푖}푖∈[푑], and 푛0-qubit input state xinp along with (potentially entangled) auxiliary information z,

{︁(︁ (︀ 푘휆)︀ )︁ (︁ )︁ (︀ 휆 )︀}︁ (︀ (︀ 휆 )︀ )︀ 퐸0 xinp, 0 , 푄,̃︀ z : 퐸0, 푄̃︀ ← QGarble 1 , 푄 ≈푐 QGSim 1 , {푛푖, 푘푖}푖∈[푑], 푄(xinp) , z .

Before formally describing the concrete garbling scheme for C + M circuits, we give a formal definition of a process LabEnc for sampling a “label encoding” unitary given a set of classical garbled circuit labels. For 푠0,푠1 휆-bit strings 푠0, 푠1 and a bit 푏, let 퐶푏 be the Clifford acting on 휆 + 1 qubits, operating as follows:

• Apply 푍푏 to the first qubit. Looking ahead, 푏 will be chosen at random so that 푍푏 will have the effect of a 푍-twirl, which is equivalent to a measurement in the computational basis.

휆 휆 • Map |0, 0 ⟩ to |0, 푠0⟩, and |1, 0 ⟩ to |1, 푠1⟩.

LabEnc(lab): Takes as input lab = {lab푖,0, lab푖,1}푖∈[푛], where the lab푖,푏 are 휆-bit strings. Draws 푛 random 푏 , . . . , 푏 ← { , } ਀ 퐶lab0,푖,lab1,푖 bits 1 푛 0 1 , and outputs 푖∈[푛] 푏푖 ,

Lemma 4.3. Let 푚 > 푛. For any 푚-qubit state |휑⟩ and set of labels lab = {lab푖,0, lab푖,1}푖∈[푛], where the lab푖,푏 are 휆-bit strings,

′ ′ † ′ ′ 퐿 |휑 ⟩⟨휑 | 퐿 = Einp |휑inp⟩⟨휑inp| ⊗ |lab1,inp1 ,..., lab푛,inp푛 ⟩⟨lab1,inp1 ,..., lab푛,inp푛 | ,

′ ′ where 퐿 ← LabEnc(lab), |휑 ⟩ is the (푚 + 푛휆)-qubit state consisting of |휑⟩ and 푛휆 ancillary 0 states, |휑inp⟩ is the post-measurement state on the first 푚−푛 qubits, conditioned on measuring the last 푛 qubits and obtaining outcome inp, and the expectation is taken over inp ∈ {0, 1}푛 distributed according to the result of measuring the last 푛 qubits of |휑⟩ in the computational basis.

Proof. We can write |휑′⟩ as follows: ′ ∑︁ |휑 ⟩ = 훼푥 |휑푥⟩ |푥⟩ . 푥∈{0,1}푛 for some 훼푥 ∈ C. Then, ⎛ ⎞ ⎛ ⎞ ′ ′ † 푧 ∑︁ ∑︁ 푧 E퐿←LabEnc(lab)퐿 |휑 ⟩⟨휑 | 퐿 = E푧←{0,1}푛 I⊗푍 ⊗I ⎝ 훼푥 |휑푥⟩ |푥⟩ |lab푥⟩⎠ ⎝ 훼푥′ ⟨휑푥′ | ⟨푥| ⟨lab푥′ |⎠ I⊗푍 ⊗I , 푥∈{0,1}푛 푥′∈{0,1}푛

where |lab푥⟩ = |lab1,푥1 ,..., lab1,푥푛 ⟩.

26 By a well-known property of the Pauli-Z twirl, the above is equal to:

∑︁ 2 |훼푥| |휑푥⟩⟨휑푥| ⊗ |푥⟩⟨푥| ⊗ |lab푥⟩⟨lab푥| , 푥∈{0,1}푛

which implies the desired statement. Now, we are ready to describe formally the garbling scheme (QGarble, QGEval, QGSim) for C + M circuits sketched by [BY20]. Let (Garble, GEval, GSim) be a classical garbling scheme.

휆 QGarble(1 , 푄): Takes as input a C + M circuit 푄 with parameters {푛푖, 푘푖}푖∈[푑]. ∑︀푖 1. For 푖 ∈ [0, . . . , 푑], define ℎ푖 := 푘 − 푗=1 푘푗, so that ℎ0 = 푘, ℎ1 = 푘 − 푘1, ℎ2 = 푘 − 푘1 − 푘2, and so on.

2. For each 푖 ∈ [0, . . . , 푑], sample 퐸푖 ← C푛푖+ℎ푖휆.

3. For each 푖 ∈ [푑], let 푓푖 be the classical circuit (derived from the description of 푄) that takes as input 푘푖 bits interpreted as the outcomes of computational basis measurements in layer 푖 and outputs a Clifford

circuit 퐹푖 ∈ C푛푖 to be applied on the remaining 푛푖 qubits. † 4. Let 푔푑 be a classical circuit outputting descriptions of Clifford circuits, defined so that 푔푑(푥) = 푓푑(푥)퐸푑. 휆 Compute (lab푑, 푔̃︀푑) ← Garble(1 , 푔푑). 휆 5. For each 푖 from 푑 − 1 to 1, sample 퐿푖+1 ← LabEnc(lab푖+1) and compute (lab푖, 푔̃︀푖) ← Garble(1 , 푔푖), where 푔푖 is a classical circuit that outputs descriptions of Clifford circuits,

ℎ푖휆 † 푔푖(푥) = (퐸푖+1 ⊗ 퐿푖+1)(푓푖(푥) ⊗ I )퐸푖 .

6. Let 퐹0 be the initial Clifford to be applied to the input qubits, sample 퐿1 ← LabEnc(lab1) and output (︁ )︁ ℎ0휆 † 퐸0, 푄̃︀ = (퐸1 ⊗ 퐿1)(퐹0 ⊗ I )퐸0, 푔̃︀1,..., 푔̃︀푑 .

QGEval(x̃︀inp, 푄̃︀) Takes as input a garbled input x̃︀inp and a garbled C + M circuit 푄̃︀.

1. Write 푄̃︀ = (퐷0, 푔̃︀1,..., 푔̃︀푑) and set x0 := x̃︀inp. For 푖 from 1 to 푑, compute 퐷푖−1(x푖−1), measure the last 푘푖휆 qubits to obtain a set of labels lab̃︁ 푖, compute 퐷푖 ← GEval(˜푔푖, lab̃︁ 푖), and set x푖 to be the remaining 푛푖 + ℎ푖휆 qubits of the state.

2. Output 퐷푑(x푑).

휆 QGSim(1 , {푛푖, 푘푖}푖∈[푑], xout): Takes as input parameters for a C + M circuit and a state xout.

∑︀푖 1. For each 푖 ∈ [0, . . . , 푑], sample 퐷푖 ← C푛푖+ℎ푖휆, where recall that ℎ푖 := 푘 − 푗=1 푘푗.

† 휆 푘푖 |푔푖| † 2. Let x푑 = 퐷푑(xout). For 푖 from 푑 to 1, compute lab̃︁ 푖, 푔˜푖 ← GSim(1 , 1 , 1 , 퐷푖 ) and set x푖−1 := † 퐷푖−1(x푖, |lab̃︁ 푖⟩⟨lab̃︁ 푖|).

3. Output x0, 퐷0, 푔˜1,..., 푔˜푑.

Theorem 4.4. The triple (QGarble, QGEval, QGSim) defined above satisfies Definition 4.2. To prove Theorem 4.4, we need the following additional lemma. Lemma 4.5. For any state x on 푛 qubits and any Clifford 푅 on 푛 qubits. The following two states are identical:

27 (︀ †)︀ • E퐶←C푛 퐶(x), 푅퐶

(︀ † )︀ • E퐷←C푛 퐷 푅(x), 퐷

Proof. The proof is straightforward. Notice first that, because C푛 is a group, we have that

(︀ †)︀ (︀ †)︀ E퐶←C푛 퐶(x), 푅퐶 = E퐶←C푛·푅 퐶(x), 푅퐶 , where we denote by C푛 · 푅 the group {퐶푅 : 퐶 ∈ C푛}. We can equivalently rewrite the RHS as

(︀ †)︀ E퐷←C푛 퐷푅(x), 푅(퐷푅) , which, upon simplification, is equal to (︀ †)︀ E퐷←C푛 퐷푅(x), 퐷 .

Finally, using again that C푛 is a group, the latter equals

(︀ † )︀ E퐷←C푛 퐷 푅(x), 퐷 , as desired.

Proof of Theorem 4.4. We will show this by induction on the number of measurement layers 푑 in the circuit 푄 (we use the same notation as above for the components of 푄).

Base step (푑 = 0): When 푑 = 0, the LHS of the equation defining security in Definition 4.2 is:

{︁ (︁ †)︁ }︁ 퐸0 (xinp) , 푄̃︀ : 퐸0, 푄̃︀ = 퐹0퐸0 ← QGarble(푄) (1)

By definition of QGarble, the latter is equivalent to: {︂ }︂ † 퐸0 (xinp) , 푄̃︀ : 푄̃︀ = 퐹0퐸0, 퐸0 ← C푛0 (2)

By Lemma 4.5, the latter is identical to: {︂ }︂ † 퐷0퐹0 (xinp) , 퐷0 : 퐷0 ← C푛0 . (3)

Inductive step (푑 ⇒ 푑 + 1): Suppose that for some 푑 the following two distributions are identical for any C+M circuit 푄 with 푑 measurements (where we use the same notation as in definition 4.1 for the components of 푄), and any input state xinp.

• {︁ (︁ (︁ )︁)︁ }︁ (︀ 푘휆)︀ ℎ0휆 † 퐸0 xinp, 0 , 푄̃︀ : 퐸0, 푄̃︀ = (퐸1 ⊗ 퐿1)(퐹0 ⊗ I )퐸0, 푔̃︀1,..., 푔̃︀푑 ← QGarble(푄) • {︂ (︂ )︂(︂ )︂ † † (︁ † )︁(︁ † )︁ 퐷0 퐷1 ⊗ I ··· 퐷푑−1 ⊗ I (퐷푑 ⊗ I)(푄 (xinp) ⊗ lab푑) ⊗ lab푑−1 ⊗ · · · ⊗ lab1 , 퐷0, 푔̃︀1,..., 푔̃︀푑 :

퐷푖 ← C푛푖+ℎ푖휆, 푖 ∈ {0, . . . , 푑}, }︂ (lab푖, 푔̃︀푖) ← GSim(퐷푖), for 푖 ∈ [푑]

28 Let 푄 be a C + M circuit with 푑 + 1 measurements, and let xinp be an input to the circuit. Consider the distribution of input encoding + garbled circuit: {︁ (︁ (︁ )︁)︁ }︁ (︀ 푘휆)︀ ℎ0휆 † 퐸0 xinp, 0 , 푄̃︀ : 퐸0, 푄̃︀ = (퐸1 ⊗ 퐿1)(퐹0 ⊗ I )퐸0, 푔̃︀1,..., 푔̃︀푑+1 ← QGarble(푄)

Let 푄푑 be the circuit that runs 푄 up to (and including) the adaptive Clifford controlled on the 푑-th measurement outcome. For ease of notation, we simply write lab푖,푥 to denote the encoding label for measurement 푥 푖 lab lab ,..., lab 푛 푔 outcome at the -th layer. More precisely, 푖,푥 = ( 푖,푥1 푖,푥푛 ) for an appropriate . Since ̃︀푑+1 is independent of the random Clifford 퐸푑, we can apply the inductive hypothesis to the 푑-measurement circuit (퐸푑+1 ⊗ 퐿푑+1) 푄푑 on input xinp). We deduce that the above distribution is computationally indistinguishable from: {︂ (︂ )︂(︂ )︂ † † (︁ † )︁(︁ )︁ 퐷0 퐷1 ⊗ I ··· 퐷푑 ⊗ I (퐸푑+1 ⊗ 퐿푑+1)(푄푑 (xinp)) ⊗ lab푑 ⊗ · · · ⊗ lab1 , 퐷0, 푔̃︀1,..., 푔̃︀푑, 푔̃︀푑+1 :

퐷푖 ← C푛푖+ℎ푖휆, 푖 ∈ {0, . . . , 푑}, 퐸푑+1 ← C푛푑+1 (lab푖, 푔̃︀푖) ← GSim(퐷푖), for 푖 ∈ [푑], (︀ )︀ (︁ † )︁ lab푑+1 = {lab푑+1,푥}푥∈{0,1}휆 , 푔̃︀푑+1 ← Garble 푔푑+1 : 푔푑+1(푥) = 푓푑+1(푥)퐸푑+1 , }︂ 퐿푑+1 ← LabEnc(lab푑+1)

푥 Let 푄푑 (xinp) be the post-measurement state upon executing circuit 푄 up to the 푑-th measurement, conditioned on the 푑-th measurement outcome being 푥. By Lemma 4.3, the above distribution is identical to: {︂ (︂ )︂(︂ )︂ † † (︁ † )︁(︁ 푥 )︁ 퐷0 퐷1 ⊗ I ··· 퐷푑 ⊗ I E푥←Meas(푄푑(xinp)) [(퐸푑+1 ⊗ I)(푄푑 (xinp) ⊗ lab푑+1,푥)] ⊗ lab푑 ⊗ · · · ⊗ lab1 ,

퐷0, 푔̃︀1, .., 푔̃︀푑+1 :

퐷푖 ← C푛푖+ℎ푖휆, 푖 ∈ {0, . . . , 푑}, 퐸푑+1 ← C푛푑+1 , (lab푖, 푔̃︀푖) ← GSim(퐷푖), for 푖 ∈ [푑], }︂ (︀ )︀ (︁ † )︁ lab푑+1 = {lab푑+1,푥}푥∈{0,1}휆 , 푔̃︀푑+1 ← Garble 푔푑+1 : 푔푑+1(푥) = 푓푑+1(푥)퐸푑+1

We apply the simulation property of the classical garbling scheme (for each 푥), and deduce that the latter is computationally indistinguishable from: {︂ [︂{︂ (︂ )︂(︂ )︂ † † (︁ † )︁(︁ 푥 )︁ E푥←Meas(푄푑(xinp)) 퐷0 퐷1 ⊗ I ·· 퐷푑 ⊗ I (퐸푑+1 ⊗ I)(푄푑 (xinp) ⊗ lab푑+1,푥) ⊗ lab푑 ⊗ · · ⊗lab1 , ]︂ 퐷0, 푔̃︀1,..., 푔̃︀푑, 푔̃︀푑+1,푥 :

퐷푖 ← C푛푖+ℎ푖휆, 푖 ∈ {0, . . . , 푑}, 퐸푑+1 ← C푛푑+1 , (lab푖, 푔̃︀푖) ← GSim(퐷푖), for 푖 ∈ [푑], }︂ (︁ † )︁ 휆 (lab푑+1,푥, 푔̃︀푑+1,푥) ← GSim 푓푑+1(푥)퐸푑+1 , for 푥 ∈ {0, 1}

29 We apply Lemma 4.5 (for each 푥) to deduce that the latter is identical to: {︂ [︂ (︂ )︂(︂ )︂ † † (︁ † )︁(︁ † 푥 )︁ E푥←Meas(푄푑(xinp)) 퐷0 퐷1 ⊗ I ·· 퐷푑 ⊗ I (퐷푑+1,푥 ⊗ I)(푓푑+1(푥)푄푑 (xinp) ⊗ lab푑+1,푥) ⊗ lab푑 ⊗ · · ⊗lab1 , ]︂ 퐷0, 푔̃︀1,..., 푔̃︀푑, 푔̃︀푑+1,푥 :

퐷푖 ← C푛푖+ℎ푖휆, 푖 ∈ {0, . . . , 푑}, 휆 퐷푑+1,푥 ← C푛푑+1 , 푥 ∈ {0, 1} , (lab푖, 푔̃︀푖) ← GSim(퐷푖), for 푖 ∈ [푑], }︂ 휆 (lab푑+1,푥, 푔̃︀푑+1,푥) ← GSim (퐷푑+1,푥) , for 푥 ∈ {0, 1}

It is straightforward to see that latter is the same distribution as: {︂ (︂ )︂(︂ )︂ † † (︁ † )︁(︁ † (︀ 푥 )︀ )︁ 퐷0 퐷1 ⊗ I ·· 퐷푑 ⊗ I (퐷푑+1 ⊗ I) E푥←Meas(푄푑(xinp)) [푓푑+1(푥)푄푑 (xinp)] ⊗ lab푑+1 ⊗ lab푑 ⊗ · · ⊗lab1 , ]︂ 퐷0, 푔̃︀1,..., 푔̃︀푑, 푔̃︀푑+1 :

퐷푖 ← C푛푖+ℎ푖휆, 푖 ∈ {0, . . . , 푑 + 1}, }︂ (lab푖, 푔̃︀푖) ← GSim(퐷푖), for 푖 ∈ [푑 + 1]

i.e. sampling the same 퐷푑+1 and simulated garbling output for all 푥 results in the same distribution. Finally, we can rewrite the latter as: {︂ (︂ )︂(︂ )︂ † † (︁ † )︁(︁ † )︁ 퐷0 퐷1 ⊗ I ·· 퐷푑 ⊗ I (퐷푑+1 ⊗ I)(푄 (xinp) ⊗ lab푑+1) ⊗ lab푑 ⊗ · · ⊗lab1 , ]︂ 퐷0, 푔̃︀1,..., 푔̃︀푑, 푔̃︀푑+1 :

퐷푖 ← C푛푖+ℎ푖휆, 푖 ∈ {0, . . . , 푑 + 1}, }︂ (lab푖, 푔̃︀푖) ← GSim(퐷푖), for 푖 ∈ [푑 + 1] ,

as desired.

30 5 Quantum Non-Interactive Secure Computation 5.1 The Protocol In what follows, we describe our protocol for two-party quantum computation in the setting of sequential messages. This protocol requires three messages of interaction when both players desire output, and two messages in a setting where only one party obtains an output, which can be seen as a Q-NISC (Quantum Non-interactive Secure Computation) protocol.

Ingredients. Our protocol will make use of the following cryptographic primitives: (1) Quantum-secure two-message two-party classical computation in the CRS model (2PC.Gen, 2PC1, 2PC2, 2PCout) with a straight- line black-box simulator (Section 3.5), and (2) a garbling scheme for C + M circuits (QGarble, QGEval, QGSim).

Notation. The protocol below computes a two-party quantum functionality represented by a C + M circuit 푄 that takes 푛퐴 +푛퐵 input qubits, produces 푚퐴 +푚퐵 output qubits, and requires 푛푍 auxiliary 0 states and 푛푇 auxiliary T states. Let 휆 be the security parameter. The total number of quantum registers used will be 푠 = 푛퐴 + (푛퐵 + 휆) + (2푛푍 + 휆) + (푛푇 + 1)휆, and we’ll give a name to different groups of these registers. In round 1, 퐵 operates on 푛퐵 + 휆 registers, partitioned as (B, TrapB), and sends these registers to 퐴. In round 2, 퐴 operates on these registers, along with A of size 푛퐴, ZA of size 2푛푍 , TrapA of size 휆, and TA of size (푛푇 + 1)휆. An honest party 퐴 will return all registers to 퐵 in the order (A, B, TrapB, ZA, TrapA, TA). During party 퐵’s subsequent computation, the register ZA will be partitioned into two registers (Zinp, Zcheck), where each has size 푛푍 , and register TA will be partitioned into two registers (Tinp, Tcheck), where Tinp has size 푛푇 휆 and Tcheck has size 휆.

Given a C + M circuit 푄 and a Clifford 퐶out ∈ C푚퐴+휆, we define another C + M circuit 푄dist[퐶out]. This circuit takes as input 푛퐴 +푛퐵 +푛푍 +휆+푛푇 휆 qubits (x퐴, x퐵, zinp, trap퐴, tinp) on registers (A, B, Zinp, TrapA, Tinp). It will first apply the magic state distillation circuit from Lemma 3.3 with parameters (푛푇 휆, 휆) to tinp to produce QRV t of size 푛푇 . It will then run 푄 on (x퐴, x퐵, zinp, t) to produce (y퐴, y퐵). Finally, it will output (퐶out(y퐴, trap퐴), y퐵).

31 Protocol1: Classical Functionality ℱ[푄]

Common Information: Security parameter 휆, and C + M circuit 푄 to be computed with 푛퐴 + 푛퐵 input qubits, 푚퐴 + 푚퐵 output qubits, 푛푍 auxiliary 0 states, and 푛푇 auxiliary T states. Let 푠 = 푛퐴 + (푛퐵 + 휆) + (2푛푍 + 휆) + (푛푇 + 1)휆.

Party A Input: Classical descriptions of 퐶퐴 ∈ C푠 and 퐶out ∈ C푚퐴+휆.

Party B Input: Classical description of 퐶퐵 ∈ C푛퐵 +휆.

The Functionality:

1. Sample the unitary 푈dec−check as follows:

• Sample a random permutation 휋 on (푛푇 + 1)휆 elements.

• Sample a random element 푀 ← GL(2푛푇 , F2).

• Compute a description of the Clifford 푈check that operates as follows on registers (A, B, TrapB, ZA, TrapA, TA).

(a) Rearrange the registers of TA according to the permutation 휋 and then partition the registers into (Tinp, Tcheck). (b) Apply the linear map 푀 to the registers ZA and then partition the registers into (Zinp, Zcheck).

• Define 푈dec−check as: (︁ )︁ 푛퐴 † (2푛푍 +휆)+(푛푇 +1)휆 † 푈dec−check := 푈check I ⊗ 퐶퐵 ⊗ I 퐶퐴.

휆 2. Sample (퐸0, 퐷0, 푔̃︀1,..., 푔̃︀푑) ← QGarble(1 , 푄dist[퐶out]).

(︀ (푛푍 +휆)+휆)︀ † 3. Compute a description of 푈dec−check−enc := 퐸0 ⊗ I 푈dec−check.

Party B Output: (1) A unitary 푈dec−check−enc on 푠 qubits (to be applied on registers (A, B, TrapB, ZA, TrapA, TA)), and (2) A QGC (퐷0, 푔̃︀1,..., 푔̃︀푑) (to be applied to registers (A, B, Zinp, TrapA, Tinp)).

Figure 1: Classical functionality to be used in Protocol2.

32 Protocol2: Three-message two-party quantum computation

Common Information: (1) Security parameter 휆, and (2) a C + M circuit 푄 over 푛퐴 + 푛퐵 input qubits, 푚퐴 + 푚퐵 output qubits, 푛푍 auxiliary 0 states, and 푛푇 auxiliary T states. Let 푠 = 푛퐴 + (푛퐵 + 휆) + (2푛푍 + 휆) + (푛푇 + 1)휆.

Party A Input: x퐴 Party B Input: x퐵

The Protocol: Setup. Run classical 2PC setup: crs ← 2PC.Gen(1휆).

Round 1. Party 퐵:

휆 1. Sample 퐶퐵 ← C푛퐵 +휆 and compute m퐵,1 := 퐶퐵(x퐵, 0 ).

휆 2. Compute (푚퐵,1, st) ← 2PC1(1 , ℱ[푄], crs, 퐶퐵).

3. Send to Party 퐴: (푚퐵,1, m퐵,1). Round 2. Party 퐴:

1. Sample 퐶퐴 ← C푠 and 퐶out ← C푚퐴+휆.

2푛푍 휆 (푛푇 +1)휆 2. Compute m퐴,2 := 퐶퐴(x퐴, m퐵,1, 0 , 0 , T ).

휆 3. Compute 푚퐴,2 ← 2PC2(1 , ℱ[푄], crs, 푚퐵,1, (퐶퐴, 퐶out)).

4. Send to Party 퐵: (푚퐴,2, m퐴,2). Round 3. Party 퐵:

휆 1. Compute (푈dec−check−enc, 퐷0, 푔˜1,..., 푔˜푑) ← 2PCout(1 , st, 푚퐴,2).

2. Compute (minp, zcheck, trap퐵, tcheck) := 푈dec−check−enc(m2), where

• minp is on registers (A, B, Zinp, TrapA, Tinp),

• (zcheck, trap퐵, tcheck) is on registers (Zcheck, TrapB, Tcheck).

3. Measure each qubit of (zcheck, trap퐵) in the standard basis and abort if any measurement is not zero.

4. Measure each qubit of tcheck in the 푇 -basis and abort if any measurement is not zero.

5. Compute (ŷ︀퐴, y퐵) ← QGEval((퐷0, 푔˜1,..., 푔˜푑), minp), where ŷ︀퐴 consists of 푚퐴 + 휆 qubits and y퐵 consists of 푚퐵 qubits.

6. Send to Party 퐴: ŷ︀퐴. Output Reconstruction.

† • Party 퐴: Compute (y퐴, trap퐴) := 퐶out(ŷ︀퐴), where y퐴 consists of 푚퐴 qubits and trap퐴 consists of 휆 qubits. Measure each qubit of trap퐴 in the standard basis and abort if any measurement is not zero. Otherwise, output y퐴.

• Party 퐵: Output y퐵.

Figure 2: Three-message two-party quantum computation. 33 5.2 Security Theorem 5.1. Assuming post-quantum maliciously-secure two-message oblivious transfer, there exists maliciously- secure NISC for quantum computation and maliciously-secure three-message two-party quantum computation. Proof. Let Π be the protocol described in Protocol2 computing some quantum circuit 푄. We first show that Π satisfies Definition 3.2 for any Adv corrupting party 퐴.

The simulator. Consider any QPT adversary Adv = {Adv휆}휆∈N corrupting party A. The simulator Sim is defined as follows. Whenever we say that the simulator aborts, we mean that itsends ⊥ to the ideal functionality and to the adversary.

ℐ[x퐵 ](·) Sim (x퐴, auxAdv):

(1) 휆 푛퐵 휆 • Compute (crs, 휏, 푚퐵,1) ← 2PC.Sim퐴 (1 ), sample 퐶퐵 ← C푛퐵 +휆, compute m퐵,1 := 퐶퐵(0 , 0 ), and send (crs, 푚퐵,1, m퐵,1) to Adv휆(x퐴, auxAdv).

(1) 휆 • Receive (푚퐴,2, m퐴,2) from Adv휆 and compute out ← 2PC.Sim퐴 (1 , 휏, 푚퐴,2). If out = ⊥ then abort. Otherwise, parse out as (퐶퐴, 퐶out).

• Using (퐶퐴, 퐶퐵), sample 푈dec−check as in the description of ℱ[푄]. Compute

′ ′ (x퐴, x퐵, zinp, trap퐴, tinp, zcheck, trap퐵, tcheck) := 푈dec−check(m퐴,2).

Measure each qubit of zcheck and trap퐵 in the standard basis and each qubit of tcheck in the 푇 -basis. If any measurement is non-zero, then abort.

′ • Forward x퐴 to ℐ[x퐵](·) and receive back y퐴. Compute ŷ︀퐴 := 퐶out(y퐴, trap퐴), send ŷ︀퐴 to Adv휆, send ok to ℐ[x퐵], and output the output of Adv휆.

We consider a sequence of hybrid distributions, where the first hybrid ℋ0 is REALΠ,Q(Adv휆, x퐴, x퐵, auxAdv), 휆 i.e. the real interaction between the adversary Adv휆(x퐴, auxAdv) and an honest party 퐵(1 , x퐵). In each hybrid, we describe the differences from the previous hybrid.

(1) (2) • ℋ1: Simulate 2PC as described in Sim, using 2PC.Sim퐴 to compute 푚퐵,1 and 2PC.Sim퐴 to extract an input (퐶퐴, 퐶out) (or abort). Use (퐶퐴, 퐶out) to sample an output (푈dec−check−enc, 퐷0, 푔̃︀1,..., 푔̃︀푑) of the classical functionality. Use this output to run party 퐵’s honest Message 3 algorithm.

• ℋ2: In this hybrid, we change how 퐵’s third round message ŷ︀퐴 is sampled. In particular, rather than evaluating the quantum garbled circuit on minp, we will directly evaluate 푄dist[퐶out] on the input. In more detail, given m퐴,2 returned by Adv휆, (퐶퐴, 퐶out) extracted from Adv휆, and 퐶퐵 sampled in Message 1, ŷ︀퐴 is sampled as follows. Sample 푈dec−check as in Step 1 of ℱ[푄]. Compute ′ ′ (x퐴, x퐵, zinp, trap퐴, tinp, zcheck, trap퐵, tcheck) := 푈dec−check(m퐴,2)

and carry out the checks on zcheck, trap퐵, tcheck as described in Steps 3.(c) and 3.(d) of Protocol2, aborting if needed. Then, compute

′ ′ (ŷ︀퐴, y퐵) ← 푄dist[퐶out](x퐴, x퐵, zinp, trap퐴, tinp)

and return ŷ︀퐴 to Adv휆.

푛퐵 휆 ′ • ℋ3: Compute m퐵,1 as 퐶퐵(0 , 0 ), and substitute x퐵 for x퐵 before applying 푄dist[퐶out] to the registers described above in ℋ2.

′ • ℋ4: Rather than directly computing 푄dist[퐶out], query the ideal functionality with x퐴, receive y퐴, and send ŷ︀퐴 := 퐶out(y퐴, trap퐴) to Adv휆. This hybrid is IDEALΠ,Q,퐴(Sim, 휌휆, x퐴, x퐵, aux).

34 We show indistinguishability between each pair of hybrids.

• ℋ0 ≈푐 ℋ1: This follows from the security against corrupted 퐴 of 2PC.

• ℋ1 ≈푠 ℋ2: This follows from the statistical correctness of QGC.

• ℋ2 ≈푠 ℋ3: First, by the security of the Clifford authentication code, conditioned on all measurements ′ 푛퐵 of qubits in trap퐵 returning 0, we have that x퐵 ≈푠 x퐵. Next, switching x퐵 to 0 in 퐵’s first message is perfectly indistinguishable due to the perfect hiding of the Clifford authentication code.

• ℋ3 ≈푠 ℋ4: First, by Lemma 3.4, conditioned on all measurements of qubits in zcheck returning 0, we 푛푍 have that zinp ≈푠 0 . Next, the above observation, along with Lemma 3.3, implies that, conditioned on all 푇 -basis measure- ′ ments of qubits in tcheck returning 0, it holds that the output of 푄dist[퐶out](x퐴, x퐵, zinp, trap퐴, tinp) is sta- ′ 푛푍 푛푇 tistically close to the result of computing (y퐴, y퐵) ← 푄(x퐴, x퐵, 0 , T ) and returning (퐶out(y퐴, trap퐴), y퐵). This is precisely what is being computed in ℋ4.

On Reusable Security against Malicious A. We remark that the two-message special case of the above protocol, that is, our Quantum NISC protocol, can be lightly modified to also achieve reusable security. A reusable classical NISC protocol (see, eg. [CDI+19]) retains security against malicious A in a setting where A and B execute many instances of secure computation that reuse the first message of B. A natural quantum analogue of this protocol enables computation of quantum circuits while guaranteeing security against malicious A, in a setting where A and B execute many instances of secure computation that reuse the first message of B. Here we assume that B’s input is classical, and so functionality will hold overrepeated executions. We note that our protocol can be lightly modified to achieve reusable security against malicious A, by replacing the underlying classical 2PC with a reusable classical 2PC. The proof of security remains identical, except that the indistinguishability between hybrids 0 and 1 relies on the reusable security of the underlying classical two-party computation protocol. In Section6, we discuss how to achieve reusable MDV-NIZKs for NP, which can be viewed as a special case of reusable Q-NISC. Next, we show that Π satisfies Definition 3.2 for any Adv corrupting party 퐵.

The simulator. Consider any QPT adversary Adv = {Adv휆}휆∈N corrupting party 퐵. The simulator Sim is defined as follows.

ℐ[x퐴](·) Sim (x퐵, auxAdv): • Simulate CRS and extract from adversary’s round 1 message:

(1) 휆 – Compute (crs, 휏) ← 2PC.Sim퐵 (1 ) and send crs to the adversary Adv휆(x퐵, auxAdv). (2) 휆 – Receive (푚퐵,1, m퐵,1) from Adv휆 and compute inp ← 2PC.Sim퐵 (1 , 휏, 푚퐵,1). If inp = ⊥ then ′ † abort. Otherwise, parse inp as 퐶퐵 and compute (x퐵, trap퐵) := 퐶퐵(m퐵,1). • Query ideal functionality and compute simulated round 2 message:

′ – Forward x퐵 to ℐ[x퐴](·) and receive back y퐵. – 퐶 ← y′ 퐶 0푚퐴+휆 Sample out C푚퐴+휆 and compute ̂︀퐴 := out( ). (︀ 휆 ′ )︀ – Compute (m̃︀ inp, 퐷0, 푔̃︀1,..., 푔̃︀푑) ← QGSim 1 , {푛푖, 푘푖}푖∈[푑], (ŷ︀퐴, y퐵) , where m̃︀ inp is the simulated quantum garbled input on registers (A, B, Zinp, TrapA, Tinp), and {푛푖, 푘푖}푖∈[푑] are the parameters of C + M circuit 푄dist[퐶out].

† 푛푍 휆 – Sample 푈dec−check−enc ← C푠 and compute m퐴,2 := 푈dec−check−enc(m̃︀ inp, 0 , trap퐵, T ).

35 (3) 휆 – Compute 푚퐴,2 ← 2PC.Sim퐵 (1 , 휏, (푈dec−check−enc, 퐷0, 푔̃︀1,..., 푔̃︀푑)). – Send (푚퐴,2, m퐴,2) to Adv휆. • Check for abort: † – Receive ŷ︀퐴 from Adv휆 and measure the last 휆 qubits of 퐶out(ŷ︀퐴). If any measurement is not zero, send abort to the ideal functionality and otherwise send ok.

– Output the output of Adv휆. Theorem 5.2. Let Π be the protocol described in Protocol2 computing some quantum circuit 푄. Then Π satisfies Definition 3.2 for any Adv corrupting party 퐵.

Proof. We consider a sequence of hybrid distributions, where ℋ0 is REALΠ,Q(Adv휆, x퐴, x퐵, auxAdv), i.e. the 휆 real interaction between Adv휆(x퐵, auxAdv) and an honest party 퐴(1 , x퐴). In each hybrid, we describe the differences from the previous hybrids.

(1) (2) • ℋ1: Simulate 2PC, using 2PC.Sim퐵 to sample 2PC.crs, 2PC.Sim퐵 to extract the adversary’s input (3) 퐶퐵, and 2PC.Sim퐵 to sample party 퐴’s message 푚퐴,2. Use 퐶퐵 and freshly sampled (퐶퐴, 퐶out) to (3) sample the output of the classical functionality that is given to 2PC.Sim퐵 .

• ℋ2: In this hybrid, we make a (perfectly indistinguishable) switch in how m퐴,2 is computed and how ′ † 푈dec−check−enc (part of the classical 2PC output) is sampled. Define (x퐵, trap퐵) := 퐶퐵(m퐵,1), where 퐶퐵 was extracted from 푚퐵,1. Note that in ℋ1, by the definition of ℱ[푄],

′ 푛푍 +휆 푛푇 휆 푛푍 휆 푈dec−check−enc(m퐴,2) := (퐸0(x퐴, x퐵, 0 , T ), 0 , trap퐵, T ).

† Moreover, there exists a Clifford unitary 푈 such that 푈dec−check−enc = 푈퐶퐴, where 퐶퐴 was sampled uniformly at random from C푠. Thus, since the Clifford matrices form a group, an equivalent sampling procedure would be to sample 푈dec−check−enc ← C푠 and define

† ′ 푛푍 +휆 푛푇 휆 푛푍 휆 m퐴,2 := 푈dec−check−enc(퐸0(x퐴, x퐵, 0 , T ), 0 , trap퐵, T ).

This is how ℋ2 is defined.

• ℋ3: In this hybrid, we simulate the quantum garbled circuit. In particular, compute

′ 푛푍 +휆 푛푇 휆 (ŷ︀퐴, y퐵) ← 푄dist[퐶out](x퐴, x퐵, 0 , T ), followed by 휆 (m̃︀ inp, 퐷0, 푔̃︀1,..., 푔̃︀푑) ← QGSim(1 , {푛푖, 푘푖}푖∈[푑], (ŷ︀퐴, y퐵)).

′ 푛푍 +휆 푛푇 휆 Finally, substitute m̃︀ inp for 퐸0(x퐴, x퐵, 0 , T ) in the computation of m퐴,2 so that

† 푛푍 휆 m퐴,2 := 푈dec−check−enc(m̃︀ inp, 0 , trap퐵, T ).

′ 푛푍 +휆 푛푇 휆 • ℋ4: Note that 푄dist[퐶out](x퐴, x퐵, 0 , T ) may be computed in two stages, where the first outputs 휆 휆 (y퐴, y퐵, 0 , 퐶out) and the second outputs (퐶out(y퐴, 0 ), y퐵). In this hybrid, compute only the first ′ 푚퐴+휆 stage, set y퐴 aside and re-define the final output tobe (ŷ︀퐴, y퐵) := (퐶out(0 ), y퐵). Now, during 퐴’s output reconstruction step, if the check (step 4.(b) of Protocol2) passes, output y퐴, and otherwise abort.

′ 푛푍 +휆 푛푇 휆 • ℋ5: Instead of directly computing y퐵 from the first stage of 푄dist[퐶out](x퐴, x퐵, 0 , T ), forward ′ x퐵 to ℐ[x퐴](·) and receive back y퐵. Now, during party 퐴’s output reconstruction step, if the check passes, send ok to the ideal functionality, and otherwise send abort to the ideal functionality. This is IDEALΠ,Q,퐵(Sim, 휌휆, x퐴, x퐵, aux).

36 We show indistinguishability between each pair of hybrids.

• ℋ0 ≈푐 ℋ1: This follows directly from the security against corrupted 퐵 of 2PC.

• ℋ1 ≡ ℋ2: This is argued above.

• ℋ2 ≈푐 ℋ3: This follows directly from the security of the QGC.

• ℋ3 ≈푠 ℋ4: This follows directly from the (perfect) hiding and (statistical) authentication of the Clifford code.

• ℋ4 ≡ ℋ5: This follows from the definition of ℐ[x퐴](·).

6 Application: Reusable Malicious Designated Verifier NIZK for QMA

In this section, we show how a small tweak to the protocol from last section gives a reusable MDV-NIZK for QMA. Features of our construction differ from those of[Shm20] in the following ways.

• It assumes post-quantum OT and reusable MDV-NIZK for NP, whereas [Shm20] assumed (levelled) fully-homomorphic encryption (note that both assumptions are known from QLWE). • The prover only requires a single copy of the witness state, whereas [Shm20] required the prover to have access to polynomially-many identical copies of the witness.

Definition 6.1 (MDV-NIZK Argument for QMA). A non-interactive computational zero-knowlege argument for a language ℒ = (ℒyes, ℒno) ∈ QMA in the malicious designated-verifier model consists of 4 algorithms (Setup, VSetup, Prove, Verify) with the following syntax.

• crs ← Setup(1휆): A classical PPT algorithm that on input the security parameter samples a common uniformly random string crs.

• (pvk, svk) ← VSetup(crs): A classical PPT algorithm that on input crs samples a pair of public and secret verification keys.

• 휋 ← Prove(crs, pvk, 푥, w): A QPT algorithm that on input crs, the public verification key, an instance 푥 ∈ ℒyes, and a quantum witness w, outputs a quantum state 휋.

• Verify(crs, svk, 푥, 휋): A QPT algorithm that on input crs, secret verification key svk, and instance 푥 ∈ ℒ, and a quantum proof 휋, outputs a bit indicating acceptance or rejection.

The protocol satisfies the following properties.

• Statistical Completeness: There exists a negligible function 휇(·) such that for any 휆 ∈ N, 푥 ∈ 휆 휆 ℒyes ∩ {0, 1} , w ∈ ℛℒ(푥), crs ∈ Setup(1 ), (pvk, svk) ∈ VSetup(crs),

Pr [Verify(crs, svk, 푥, 휋)] ≥ 1 − 휇(휆). 휋←Prove(crs,pvk,푥,w)

37 • Reusable (Non-Adaptive) Soundness:10 For every quantum polynomial-size adversarial prover * * 풫 = {풫휆, p휆}휆∈N and {푥휆}휆∈N where for each 휆 ∈ N, 푥휆 ∈ ℒno, there exists a negligible function 휇(·) such that for every 휆 ∈ N,

Pr [1 = Verify(crs, svk, 푥, 휋)] ≤ 휇(휆). crs←Setup(1휆) (pvk,svk)←VSetup(crs) * Verify(crs,svk,·,·) 휋←풫휆(p휆,crs,pvk)

• Malicious Zero-Knowledge: There exists a QPT simulator Sim such that for every QPT distin-

guisher 풟 = {풟휆, d휆}휆∈N, there exists a negligible function 휇(·) such that for every 휆 ∈ N, ⃒ ⃒ ⃒ [︁ Prove(crs,·,·,·)]︁ [︁ Sim(휏,·,·)]︁⃒ ⃒ Pr 풟휆(d휆, crs) − Pr 풟휆(d휆, crs) ⃒ ≤ 휇(휆), ⃒crs←Setup(1휆) (crs,휏)←Sim(1휆) ⃒

where,

* * – Every query 풟휆 makes to the oracle is of the form (pvk , 푥, w), where pvk is arbitrary, 푥 ∈ 휆 ℒyes ∪ {0, 1} , and w ∈ ℛℒ(푠). – Prove(crs, ·, ·, ·) is the honest prover algorithm and Sim(휏, ·, ·) acts only on 휏, pvk*, and 푥. Theorem 6.2. Assuming post-quantum maliciously-secure two-message oblivious transfer and post-quantum reusable MDV-NIZK for NP (see the discussion following Definition 3.6), there exists a reusable MDV-NIZK satisfying Definition 6.1.

Proof. For 푥 ∈ ℒ, let 풱ℒ[푥](·) be the QMA verification circuit that takes as input a potential witness w and outputs a bit indicating acceptance or rejection. For any 푥, we will use Protocol2 to compute the functionality 풱ℒ[푥](·) (where Alice has input w and only Bob obtains output) in two messages. Note that Bob has no input, and thus his first message is entirely classical, only consisting of the first message ofthe classical 2PC. This already gives a one-time MDV-NIZK. Now, we argue how to achieve reusability, while maintaining soundness and zero-knowledge. First, we will instantiate the classical 2PC with one that is reusable and post-quantum secure [LQR+19]. Given such a 2PC protocol, Bob can compute his first message independently of the statement to be proven by Alice, and Alice can subsequently re-use this first message to prove any number of statements. This already satisfies zero-knowledge, as the MDV-NIZK simulator can always just query the 2PQC simulator with output 1. To achieve reusable soundness, we alter the classical functionality ℱ[풱ℒ[푥]] computed by the 2PC. It now takes as input a PRF key 푘 from Bob and generates all of Bob’s randomness via PRF(푘, 푥), i.e., the PRF applied to the (classical) instance 푥. This includes the auxiliary state checking randomness (permutation 휋 and linear map 푀) along with Bob’s contribution to the classical randomness used to generate the quantum * * garbled circuit. To prove reusable soundness, let 풫 be a cheating prover, 푥 ∈ ℒno be a no instance, and consider the following hybrids.

• ℋ1: The crs and the verifier’s classical 2PC message are generated by the 2PC simulator, and the prover’s oracle Verify(crs, svk, ·, ·) is now answered with help from the 2PC simulator. That is, the 2PC simulator extracts from the classical part of the prover’s proof and computes the functionality specified by the instance 푥, which outputs the classical part of the quantum garbled circuit. This classical part is then used to compute the verifier’s output on the quantum part of the prover’s proof. Indistinguishability from the real game follows by security of the reusable classical 2PC.

• ℋ2: The PRF calls made during computation of the classical functionality are replaced with calls to a uniformly random function. Indistinguishability from the real game follows by security of the PRF.

10A previous version of this paper defined and claimed to achieve adaptive soundness from polynomially-hard assumptions. However, we actually only achieve non-adaptive soundness from polynomially-hard QLWE. Similar to [Shm20], we could upgrade security to adaptive soundness if we use complexity leveraging and assume sub-exponentially secure QLWE.

38 * In ℋ2, whenever the prover submits a proof for 푥 , the randomness used to generate the 0 and T state checks and the quantum garbled circuit will be a string that is uniform and independent of the prover’s view. Thus, by soundness of these checks, along with statistical correctness of the quantum garbled circuit, the verification oracle will output 0 with overwhelming probability. Thus, 푃 * could not be making the verifier output 1 on any proof for 푥*, except with negligible probability.

7 Two-Round Two-Party Quantum Computation with Prepro- cessing

This section presents a three-round protocol that only requires two rounds of online communication. This protocol can be equivalently interpreted as a two-round protocol with (quantum) pre-processing.

7.1 The Protocol Ingredients. Our protocol will make use of the following cryptographic primitives, which are all assumed 휖 to be sub-exponentially secure (i.e. there exists 휖 such that the primitive is (2−휆 )-secure).

• Quantum-secure two-message two-party classical computation in the CRS model where one party receives output (2PC.Gen, 2PC1, 2PC2, 2PCout) and with a straight-line black-box simulator (Section 3.5). • A garbling scheme for C + M circuits (QGarble, QGEval, QGSim). • A quantum multi-key FHE scheme QMFHE = (KeyGen, CEnc, Enc, Eval, Rerand, Dec) with ciphertext re-randomization and classical encryption of classical messages.

• A quantum-secure equivocal commitment Com = (Com.Gen, Com.Enc, Com.Ver). • A quantum-secure classical garbled circuit (Garble, GEval, GSim).

푥out 푧out Notation. The circuit 푄dist[퐶out, 푥out, 푧out] is defined like 푄dist[퐶out] from Section 5.1 except that 푋 푍 is applied to 퐵’s output y퐵. 푓inp−cor[퐸0, 푈rerand] is a classical “input correction” circuit that takes as input 푛퐵 (︀ 푛퐴 푥inp 푧inp 푛푍 +휆+푛푇 휆)︀ † 푥inp, 푧inp ∈ {0, 1} and outputs 푈rerand−enc := 퐸0 I ⊗ 푋 푍 ⊗ I 푈rerand. 푛 (푥) For a 2 × 푛 set of elements {푎푖,푏}푖∈[푛],푏∈{0,1}, and a string 푥 ∈ {0, 1} , we let 푎 := {푎푖,푥푖 }푖∈[푛]. We will use this notation below to refer to sets of public keys pk(푥out,푧out), secret keys sk(푥out,푧out), labels lab(푥out,푧out), (푥out,푧out) and random strings 푟 . Let 푐lev be a constant satisfying 푐lev > 1/휖.

39 Protocol3: Classical Functionality 풢[푄, Com.crs]

Common Information: (1) Security parameter 휆, (2) a C + M circuit 푄 on 푛퐴 + 푛퐵 input qubits, 푚퐴 + 푚퐵 output qubits, 푛푍 auxiliary 0 states, and 푛푇 auxiliary T states, and (3) a crs Com.crs 푐 for an equivocal commitment. Let 푠 = 푛퐴+(푛퐵 +휆)+(2푛푍 +휆)+(푛푇 +1)휆. Let 휆lev = max{휆, (2푛퐵) lev }.

휆lev 4푛퐵 Party A Input: Classical descriptions of 퐶퐴 ∈ C푠, 퐶out ∈ C푚퐴+휆, {푟푖,푏}푖∈[2푛퐵 ],푏∈{0,1} ∈ ({0, 1} ) , 푚퐵 휆 푥out, 푧out ∈ {0, 1} , 푠 ∈ {0, 1} lev .

Party B Input: Classical description of 퐶퐵 ∈ C푛퐵 +휆.

The Functionality:

1. Sample 푈dec−check as in ℱ[푄], using 퐶퐴 and 퐶퐵.

휆lev 2. Sample (퐸0, 퐷0, 푔̃︀1,..., 푔̃︀푑) ← QGarble(1 , 푄dist[퐶out, 푥out, 푧out]).

3. Sample 푈rerand ← C푛퐴+푛퐵 +푛푍 +휆+푛푇 .

(︀ (푛푍 +휆)+휆)︀ 4. Compute a description of 푈dec−check−rerand := 푈rerand ⊗ I 푈dec−check.

휆lev 5. Compute ({lab푖,푏}푖∈[2푛퐵 ],푏∈{0,1}, 푓̃︀inp−cor) ← Garble(1 , 푓inp−cor[퐸0, 푈rerand]).

휆lev 6. For each 푖 ∈ [2푛퐵], 푏 ∈ {0, 1}, compute (pk푖,푏, sk푖,푏) := QMFHE.Gen(1 ; 푟푖,푏) and ct푖,푏 ← QMFHE.CEnc(pk푖,푏, lab푖,푏).

7. Compute cmt := Com.Enc(Com.crs, (푥out, 푧out); 푠).

Party B Output: (1) A unitary 푈dec−check−rerand to be applied to 푠 qubits, partitioned as registers (A, B, TrapB, ZA, TrapA, TA), (2) a classical garbled circuit along with encryptions of its {pk , ct } , 푓 퐷 , 푔 ,..., 푔 labels 푖,푏 푖,푏 푖∈[2푛퐵 ],푏∈{0,1} ̃︀inp−cor, (3) a QGC ( 0 ̃︀1 ̃︀푑) to be applied to registers (A, B, Zinp, TrapA, Tinp), and (4) a commitment cmt.

Figure 3: Classical functionality to be used in Protocol5.

40 Protocol5: Two-party quantum computation with two online rounds

Common Information: Security parameter 휆, and C + M circuit 푄 to be computed with 푛퐴 + 푛퐵 input qubits, 푚퐴 + 푚퐵 output qubits, 푛푍 auxiliary 0 states, and 푛푇 auxiliary T states. Let 푐 푠 = 푛퐴 + (푛퐵 + 휆) + (2푛푍 + 휆) + (푛푇 + 1)휆. Let 휆lev = max{휆, (2푛퐵) lev }.

Party 퐴 input: x퐴 Party 퐵 input: x퐵

The Protocol: Setup. Run classsical 2PC setup: 2PC.crs ← 2PC.Gen(1휆lev ), Com.crs ← Com.Gen(1휆lev ).

Round 0 (pre-processing). Party 퐵:

{︁(︁ (푖) (푖))︁}︁ (푖) (푖) 1. Prepare 푛퐵 EPR pairs e1 , e2 . Let e1 denote (e1 )푖∈[푛퐵 ] and e2 denote (e2 )푖∈[푛퐵 ]. 푖∈[푛퐵 ]

휆 2. Sample 퐶퐵 ← C푛퐵 +휆 and compute m퐵,1 := 퐶퐵(e1, 0 ).

휆 3. Compute (푚퐵,1, st) ← 2PC1(1 lev , 풢[푄, Com.crs], 2PC.crs, 퐶퐵).

4. Send to Party 퐴: (푚퐵,1, m퐵,1). Round 1. Party 퐴:

1. Sample the following:

• a random Clifford 퐶퐴 ← C푠,

• a random Clifford 퐶out ← C푚퐴+휆,

• 4푛퐵 random length-휆lev bitstrings {푟푖,푏}푖∈[2푛퐵 ],푏∈{0,1},

• one random length-휆lev bitstring 푠,

• two random length-푚퐵 bitstrings 푥out, 푧out.

2푛푍 휆 (푛푇 +1)휆 2. Compute m퐴,2 := 퐶퐴(x퐴, m퐵,1, 0 , 0 , T ). 3. Compute

휆lev 푚퐴,2 ← 2PC2(1 , 풢[푄, Com.crs], 2PC.crs, 푚퐵,1, (퐶퐴, 퐶out, {푟푖,푏}푖,푏, 푥out, 푧out, 푠)).

4. Send to Party 퐵: (푚퐴,2, m퐴,2). Party 퐵:

1. Perform Bell measurements on each pair of corresponding qubits in (x퐵, e2), obtaining measurement outcomes (푥inp, 푧inp).

2. Send to Party 퐴: (푥inp, 푧inp).

Figure 4: Two-party quantum computation with two online rounds.

41 Protocol5: Two-party quantum computation with two online rounds

Round 2. Party 퐴:

(︀ (푥inp,푧inp) )︀ 1. Send to Party 퐵: 푟 , 푥out, 푧out, 푠 . Party 퐵:

1. Compute (︂ 푈 , {pk , ct } , )︂ dec−check−rerand 푖,푏 푖,푏 푖,푏 휆lev ← 2PCout(1 , st, 푚퐴,2). 푓̃︀inp−cor, 퐷0, 푔˜1,..., 푔˜푑, cmt

2. Compute (minp, zcheck, trap퐵, tcheck) := 푈dec−check−rerand(m퐴,2), where

• minp is on registers (A, B, Zinp, TrapA, Tinp),

• (zcheck, trap퐵, tcheck) is on registers (Zcheck, TrapB, Tcheck).

3. Measure (zcheck, trap퐵) in the standard basis and abort if any measurement is not zero.

4. Measure each qubit of tcheck in the 푇 -basis and abort if any measurement is not zero.

(푥inp,푧inp) 5. Compute a ciphertext QMFHE.Enc(pk , 푈rerand−enc) via homomorphic evaluation, where (푥inp,푧inp) 푈rerand−enc ← GEval(푓̃︀inp−cor, lab ).

(푥inp,푧inp) 6. Compute a ciphertext QMFHE.Enc(pk , (ŷ︀퐴, y퐵)) via homomorphic evaluation, where (ŷ︀퐴, y퐵) ← QGEval((퐷0, 푔˜1,..., 푔˜푑), 푈rerand−enc(minp)).

(푥inp,푧inp) 7. Apply QMFHE.Rerand to the encryption of ŷ︀퐴 and send the result QMFHE.Enc(pk , ŷ︀퐴). Output Reconstruction.

(푥inp,푧inp) (푥inp,푧inp) • Party 퐴: Use sk to decrypt QMFHE.Enc(pk , ŷ︀퐴). If decryption fails, then abort. † Compute (y퐴, trap퐴) := 퐶out(ŷ︀퐴), where y퐴 consists of 푚퐴 qubits and trap퐴 consists of 휆 qubits. Measure each qubit of trap퐴 in the standard basis and abort if any measurement is not zero. Otherwise, output y퐴.

• Party 퐵: Use 푟(푥inp,푧inp) to generate pk(푥inp,푧inp), sk(푥inp,푧inp) and check that these public keys match the public keys obtained from the output of 2PC in Round 2. If not, then abort. Use sk(푥inp,푧inp) (푥inp,푧inp) 휆lev to decrypt QMFHE.Enc(pk , y퐵). If Com.Ver(1 , Com.crs, cmt, (푥out, 푧out), 푠) = 1, then 푥out 푧out compute and output y퐵 := 푋 푍 y퐵, and otherwise abort.

Figure 5: Two-party quantum computation with two online rounds (continued).

42 7.2 Security Theorem 7.1. Assuming post-quantum maliciously-secure two-message oblivious transfer and (levelled) multi-key quantum fully homomorphic encryption with sub-exponential security, there exists maliciously- secure three-round two-party quantum computation. Both of the above assumptions are known from the sub-exponential hardness of QLWE.

Proof. Let Π be the protocol described in Protocol5 computing some quantum circuit 푄. First, we show that Π satisfies Definition 3.2 for any Adv corrupting party 퐴.

The simulator. Consider any QPT adversary {Adv휆}휆∈N corrupting party 퐴. The simulator Sim is defined as follows.

ℐ[x퐵 ](·) Sim (x퐴, auxAdv):

(1) 휆lev 푛퐵 휆 • Compute (crs, 휏, 푚퐵,1) ← 2PC.Sim퐴 (1 ), sample 퐶퐵 ← C푛퐵 +휆, compute m퐵,1 := 퐶퐵(0 , 0 ), 푛퐵 sample 푥inp, 푧inp ← {0, 1} , and send (푚퐵,1, m퐵,1), (푥inp, 푧inp) to the adversary Adv휆(x퐴, auxAdv).

(1) 휆 • Receive (푚퐴,2, m퐴,2) from Adv휆 and compute out ← 2PC.Sim퐴 (1 , 휏, 푚퐴,2). If out = ⊥ then abort. Otherwise, parse out as (퐶퐴, 퐶out, {푟푖,푏}푖,푏, 푥out, 푧out, 푠).

• Using (퐶퐴, 퐶퐵), sample 푈dec−check as in the description of ℱ[푄]. Compute

′ ′ (x퐴, x퐵, zinp, trap퐴, tinp, zcheck, trap퐵, tcheck) := 푈dec−check(m퐴,2).

Measure each qubit of zcheck and trap퐵 in the standard basis and each qubit of tcheck in the 푇 -basis. If any measurement is non-zero, then abort.

′ • Forward x퐴 to ℐ[x퐵](·) and receive back y퐴. Compute ŷ︀퐴 := 퐶out(y퐴, trap퐴), and send a re-randomized (푥inp,푧inp) (푥inp,푧inp) (푥inp,푧inp) QMFHE.Enc(pk , ŷ︀퐴) to Adv휆, where pk are generated from 푟 . (︀ ′ ′ ′ ′)︀ • Receive {푟푖}푖∈[2푛퐵 ], 푥out, 푧out, 푠 from Adv and check that:

′ ′ ′ 휆lev ′ – For all 푖 ∈ [2푛퐵], pk푖 is equal to pk푖, where (pk푖, sk푖) := QMFHE.Gen(1 ; 푟푖) and (pk푖, sk푖) := 휆lev QMFHE.Gen(1 ; 푟푖,(푥inp,푧inp)푖 ).

휆lev ′ ′ ′ 휆lev – Com.Ver(1 , Com.crs, cmt, (푥out, 푧out), 푠 ) = 1, where cmt := Com.Enc(1 , Com.crs, (푥out, 푧out); 푠).

If the checks pass send ok to ℐ[x퐵] and otherwise send abort.

We consider a sequence of hybrid distributions, where ℋ0 is REALΠ,Q(Adv휆, x퐴, x퐵, auxAdv), i.e. the 휆 real interaction between Adv휆(x퐴, auxAdv) and an honest party 퐵(1 , x퐵). In each hybrid, we describe the differences from the previous hybrid.

(1) (2) • ℋ1: Simulate 2PC as described in Sim, using 2PC.Sim퐴 to compute 푚퐵,1 and 2PC.Sim퐴 to extract an input (퐶퐴, 퐶out, {푟푖,푏}푖,푏, 푥out, 푧out, 푠) (or abort). Use (퐶퐴, 퐶out, {푟푖,푏}푖,푏, 푥out, 푧out, 푠) to sample an output (푈dec−check−rerand, 퐷0, 푔̃︀1,..., 푔̃︀푑) of the classical functionality. Use this output to run party 퐵’s honest Round 2 algorithm.

(푥inp,푧inp) • ℋ2: In this hybrid, we change how 퐵’s second round message QMFHE.Enc(pk , ŷ︀퐴) is sampled. In particular, rather than evaluating the classical garbled circuit and quantum garbled circuit under QMFHE, we will directly evaluate 푄dist[퐶out, 푥out, 푧out] on the input. In more detail, given m퐴,2 returned by Adv휆, (퐶퐴, 퐶out, {푟푖,푏}푖,푏, 푥out, 푧out, 푠) extracted from Adv휆, and 퐶퐵 sampled in Message 0, ŷ︀퐴 is sampled as follows. Sample 푈dec−check as in Step 1 of ℱ[푄]. Compute

′ ′ (x퐴, x퐵, zinp, trap퐴, tinp, zcheck, trap퐵, tcheck) := 푈dec−check(m퐴,2)

43 and carry out the checks on zcheck, trap퐵, tcheck as described in Steps 3 and 4 of Protocol5, aborting if ′ 푥inp 푧inp ′ needed. Then, set x퐵 := 푋 푍 x퐵 and compute

′ ′ (ŷ︀퐴, y퐵) ← 푄dist[퐶out, 푥out, 푧out](x퐴, x퐵, zinp, trap퐴, tinp)

(푥inp,푧inp) and return a re-randomized QMFHE.Enc(pk , ŷ︀퐴) to Adv휆.

푛퐵 휆 푛퐵 • ℋ3: Compute m퐵,1 as 퐶퐵(0 , 0 ), and sample 푥inp, 푧inp ← {0, 1} rather than computing them ′ based on Bell measurement outcomes. Furthermore, substitute x퐵 for x퐵 before applying 푄dist[퐶out, 푥out, 푧out] to the registers described above in ℋ2.

푥inp 푧inp • ℋ4: Do not compute y퐵 followed by y퐵 := 푋 푍 y퐵 (in party 퐵’s reconstruction). Rather, compute

푚퐵 푚퐵 ′ (ŷ︀퐴, y퐵) ← 푄dist[퐶out, 0 , 0 ](x퐴, x퐵, zinp, trap퐴, tinp).

푚퐵 푚퐵 ′ • ℋ5: Instead of directly computing 푄dist[퐶out, 0 , 0 ], query the ideal functionality with x퐴, receive (푥inp,푧inp) (︀ ′ ′ ′ ′)︀ y퐴, and send QMFHE.Enc(pk , 퐶out(y퐴, trap퐴)) to Adv휆. After receiving {푟푖}푖∈[2푛퐵 ], 푥out, 푧out, 푠 from Adv, carry out the checks described in Sim and send ok or abort to ℐ[x퐵]. This hybrid is IDEALΠ,Q,퐴(Sim, 휌휆, x퐴, x퐵, aux).

We show indistinguishability between each pair of hybrids.

• ℋ0 ≈푐 ℋ1: This follows directly from the security against corrupted 퐴 of 2PC.

• ℋ1 ≈푠 ℋ2: This follows directly from the statistical correctness of the classical garbled circuit, the statistical correctness of the quantum garbled circuit, and the statistical ciphrerext re-randomization of QMFHE.

• ℋ2 ≈푠 ℋ3: First, by the correctness of teleportation, and by the security of the Clifford authentication ′ code, conditioned on all measurements of qubits in trap퐵 returning 0, we have that x퐵 ≈푠 x퐵. Next, 푛퐵 switching e1 to 0 in 퐵’s first message is perfectly indistinguishable due to the perfect hiding ofthe Clifford authentication code.

• ℋ3 ≈푠 ℋ4: This follows from the statistical binding of Com.

• ℋ4 ≈푠 ℋ5: First, by Lemma 3.4, conditioned on all measurements of qubits in zcheck returning 0, we 푛푍 have that zinp ≈푠 0 . Next, the above observation, along with Lemma 3.3, implies that, conditioned on all 푇 -basis measure- ′ ments of qubits in tcheck returning 0, it holds that the output of 푄dist[퐶out](x퐴, x퐵, zinp, trap퐴, tinp) is sta- ′ 푛푍 푛푇 tistically close to the result of computing (y퐴, y퐵) ← 푄(x퐴, x퐵, 0 , T ) and returning (퐶out(y퐴, trap퐴), y퐵). This is precisely what is being computed in ℋ4.

Next, we show that Π satisfies Definition 3.2 for any Adv corrupting party 퐵.

The simulator. Consider any QPT adversary {Adv휆}휆∈N corrupting party 퐵. The simulator Sim is defined as follows.

44 ℐ[x퐴](·) Sim (x퐵, auxAdv): • Simulate CRS and extract from adversary’s round 0 message:

(1) 휆lev 휆lev – Compute (2PC.crs, 2PC.휏) ← 2PC.Sim퐵 (1 ), (Com.crs, Sim.cmt, Com.휏) ← Com.Sim.Gen(1 ), and send (2PC.crs, Com.crs) to Adv휆(x퐵, auxAdv).

(2) 휆lev – Receive (푚퐵,1, m퐵,1) and then compute inp ← 2PC.Sim퐵 (1 , 2PC.휏, 푚1). If inp = ⊥, then † abort, if not parse inp as 퐶퐵 and compute (x퐵, trap퐵) := 퐶퐵(m퐵,1). • Compute quantum part of simulated round 1 message:

– 퐶 ← y′ 퐶 0푚퐴+휆 Sample out C푚퐴+휆 and compute ̂︀퐴 := out( ). {︁(︁ (푖) (푖) )︁}︁ – Prepare 푚퐵 EPR pairs eSim,1, eSim,1 , and let 푖∈[푚퐵 ]

(︁ (1) (푚퐵 ))︁ (︁ (1) (푚퐵 ))︁ eSim,1 := eSim,1,..., eSim,1 , eSim,2 := eSim,2,..., eSim,1 .

(︀ 휆lev ′ )︀ – Compute (m̃︀ inp, 퐷0, 푔̃︀1,..., 푔̃︀푑) ← QGSim 1 , {푛푖, 푘푖}푖∈[푑], (ŷ︀퐴, eSim,1) , where m̃︀ inp is the simulated quantum garbled input on registers (A, B, Zinp, TrapA, Tinp), and {푛푖, 푘푖}푖∈[푑] are the parameters of C + M circuit 푄dist[·, ·, ·].

– Sample 푈rerand−enc ← C푛퐴+푛퐵 +푛푍 +휆+푛푇 휆. – Sample 푈dec−check−rerand ← C푆 and compute

† † 푛푍 휆 m퐴,2 := 푈dec−check−rerand(푈rerand−enc(m̃︀ inp), 0 , trap퐵, T ). • Compute classical part of simulated round 1 message:

휆lev 2푛퐵 |푓inp−cor| – Compute ({lab̃︁ 푖}푖∈[2푛퐵 ], 푓̃︀inp−cor) ← GSim(1 , 1 , 1 , 푈rerand−enc).

휆lev 4푛퐵 – Sample {푟푖,푏}푖∈[2푛퐵 ],푏∈{0,1} ← ({0, 1} ) .

휆lev – For 푖 ∈ [2푛퐵], 푏 ∈ {0, 1}, compute (pk푖,푏, sk푖,푏) := QMFHE.Gen(1 ; 푟푖,푏) and ct푖,푏 ← QMFHE.CEnc(pk푖,푏, lab̃︁ 푖). – Compute (︂ (︂ 푈 , {pk , ct } , )︂)︂ (3) 휆lev dec−check−rerand 푖,푏 푖,푏 푖,푏 푚퐴,2 ← 2PC.Sim퐵 1 , 2PC.휏, . 푓̃︀inp−cor, 퐷0, 푔̃︀1,..., 푔̃︀푑, Sim.cmt • Send round 1 message and extract adversary’s input:

– Send (푚퐴,2, m퐴,2) to Adv휆.

′ 푥inp 푧inp – Receive (푥inp, 푧inp) from Adv휆 and compute x퐵 := 푋 푍 x퐵. • Query ideal functionality and send simulated round 2 message: ′ – Forward x퐵 to ℐ[x퐴](·) and receive back y퐵. – Perform Bell measurements on each pair of corresponding qubits in (y퐵, eSim,2) and let 푥out, 푧out ∈ {0, 1}푚퐵 be the measurement outcomes. 휆 – Compute 푠 ← Com.Sim.Open(1 lev , Com.휏, (푥out, 푧out)).

(︀ (푥inp,푧inp) )︀ – Send 푟 , 푥out, 푧out, 푠 to Adv휆. • Check for abort:

(푥inp,푧inp) (푥inp,푧inp) – Receive QMFHE.Dec(sk , ŷ︀퐴) from Adv휆 and use sk to decrypt the ciphertext. If decryption fails, then abort. † – Measure the last 휆 qubits of 퐶out(ŷ︀퐴) in the standard basis. If any measurement is not zero, send abort to the ideal functionality and otherwise send continue.

– Output the output of Adv휆.

45 Notation. For any adversary {Adv휆}휆∈N and set of inputs (x퐴, x퐵, auxAdv), we partition the distributions REALΠ,Q(Adv휆, x퐴, x퐵, auxAdv) and IDEALΠ,Q(Sim, x퐴, x퐵, auxAdv) by the first round message (푥inp, 푧inp) (푥inp,푧inp) sent by the adversary. That is, we define the distribution REALΠ,Q (Adv휆, x퐴, x퐵, auxAdv) to be the distribution REALΠ,Q(Adv휆, x퐴, x퐵, auxAdv) except that the output of the distribution is replaced with ⊥ if (푥inp,푧inp) the adversary did not send (푥inp, 푧inp) in round 1. We define IDEALΠ,Q (Sim, x퐴, x퐵, auxAdv) analogously. We now prove the following lemma, which is the main part of the proof of security against malicious 퐵. For notational convenience, we drop the indexing of inputs and teleportation errors by 휆.

Lemma 7.2. There exists a negligible function 휇 such that for any QPT Adv = {Adv휆}휆∈N, QPT distinguisher 풟 = {풟휆}휆∈N, inputs (x퐴, x퐵, auxAdv, aux풟), and teleportation errors 푥inp, 푧inp,

⃒ ⃒ [︁ (︁ (푥inp,푧inp) )︁ ]︁ ⃒ Pr 풟휆 aux풟, REAL (Adv휆, x퐴, x퐵, auxAdv) = 1 ⃒ Π,Q ⃒ [︁ (︁ (푥inp,푧inp) )︁ ]︁ ⃒ 휇(휆) − Pr 풟휆 aux풟, IDEALΠ,Q (Sim휆, x퐴, x퐵, auxAdv) = 1 ⃒ ≤ . ⃒ 22푛퐵

Proof. First note that by the definition of 휆lev, a 풟 violating the lemma distinguishes with probability at (︁ )︁ (1/푐 ) 1 −휆lev lev 1 ≥ 휖 . least poly(휆) 2 2휆lev Now fix any collection 풟, Adv, x퐴, x퐵, auxAdv, aux풟, 푥inp, 푧inp. We show the indistinguishability via a (푥inp,푧inp) sequence of hybrids, where ℋ0 is the distribution REALΠ,Q (Adv휆, x퐴, x퐵, auxAdv). In each hybrid, we describe the differences from the previous hybrid.

(1) (2) • ℋ1: Simulate 2PC, using 2PC.Sim퐵 to sample 2PC.crs, 2PC.Sim퐵 to extract the adversary’s input 퐶퐵, (3) and 2PC.Sim퐵 to sample party 퐴’s message 푚퐴,2. Use 퐶퐵 and freshly sampled 퐶퐴, 퐶out, {푟푖,푏}푖,푏, 푥out, 푧out, 푠 (3) to sample the output of the classical functionality that is given to 2PC.Sim퐵 .

• ℋ2: Simulate Com, using Com.Sim.Gen to sample Com.crs and the commitment Sim.cmt. Note that Sim.cmt is now used directly in computing the output of 2PC, and 푠 is no longer sampled by party 퐴. Open the commitment in the second round to (푥out, 푧out) using Com.Sim.Open.

• ℋ3: In this hybrid, we make a (perfectly indistinguishable) switch in how m퐴,2 is computed and how ′ † 푈dec−check−rerand (part of the 2PC output) is sampled. Define (x퐵, trap퐵) := 퐶퐵(m퐵,1), where 퐶퐵 was extracted from 푚퐵,1. Note that in ℋ2, by the definitions of ℱ[푄] and 풢[푄],

′ 푛푍 푛푇 휆 푛푍 휆 푈dec−check−rerand(m퐴,2) := (푈rerand(x퐴, x퐵, 0 , T ), 0 , trap퐵, T ).

† Moreover, there exists a Clifford unitary 푈 such that 푈dec−check−rerand = 푈퐶퐴, where 퐶퐴 was sampled uniformly at random from C푠. Thus, since the Clifford matrices form a group, an equivalent sampling procedure would be to sample 푈dec−check−rerand ← C푠 and define

† ′ 푛푍 +휆 푛푇 휆 푛푍 휆 m퐴,2 := 푈dec−check−rerand(푈rerand(x퐴, x퐵, 0 , T ), 0 , trap퐵, T ).

This is how ℋ3 is defined.

(1) (2푛퐵 ) (푖) • ℋ4 ,..., ℋ4 : In ℋ4 , let ct푖,1−(푥inp,푧inp)푖 ← QMFHE.CEnc(pk푖,1−(푥inp,푧inp)푖 , 0).

• ℋ5: Simulate the classical garbled circuit. In particular, let

(︀ 푛퐴 푥inp 푧inp 푛푍 +휆+푛푇 휆)︀ † 푈rerand−enc := 퐸0 I ⊗ 푋 푍 ⊗ I 푈rerand,

휆lev 2푛퐵 |푓inp−cor| and compute ({lab̃︁ 푖}푖∈[2푛퐵 ], 푓̃︀inp−cor) ← GSim(1 , 1 , 1 , 푈rerand−enc). Now, each ct푖,(푥inp,푧inp)푖 be will an encryption of lab̃︁ 푖.

46 (1) (2푛퐵 ) (푖) • ℋ6 ,..., ℋ6 : In ℋ6 , let ct푖,1−(푥inp,푧inp)푖 ← QMFHE.CEnc(pk푖,1−(푥inp,푧inp)푖 , lab̃︁ 푖).

• ℋ7: In this hybrid, we make another perfectly indistinguishable switch in how m퐴,2 is computed. Let ′ 푥inp 푧inp ′ † x퐵 := 푋 푍 x퐵, and compute 푈rerand−enc := 퐸0푈rerand and

† ′ 푛푍 +휆 푛푇 휆 푛푍 휆 m퐴,2 := 푈dec−check−rerand(푈rerand(x퐴, x퐵, 0 , T ), 0 , trap퐵, T ).

• ℋ8: Simulate the quantum garbled circuit. In particular, compute

′ 푛푍 푛푇 휆 (ŷ︀퐴, y퐵) ← 푄dist[퐶out, 푥out, 푧out](x퐴, x퐵, 0 , T ), followed by 휆lev (m̃︀ inp, 퐷0, 푔̃︀1,..., 푔̃︀푑) ← QGSim(1 , {푛푖, 푘푖}푖∈[푑], (ŷ︀퐴, y퐵)),

where {푛푖, 푘푖}푖∈[푑] are the parameters of the C + M circuit 푄dist[퐶out, 푥out, 푧out].

Sample 푈rerand−enc ← C푛퐴+푛퐵 +푛푍 +휆+푛푇 휆 and compute

† † ′ 푛푍 +휆 푛푇 휆 푛푍 휆 m퐴,2 := 푈dec−check−rerand(푈rerand−enc(x퐴, x퐵, 0 , T ), 0 , trap퐵, T ).

′ 푛푍 +휆 푛푇 휆 • ℋ10: Note that 푄dist[퐶out, 푥out, 푧out](x퐴, x퐵, 0 , T ) may be computed in two stages, where the 휆 휆 푥out 푧out first outputs (y퐴, y퐵, 0 , 퐶out, 푥out, 푧out) and the second outputs (ŷ︀퐴, y퐵) := (퐶out(y퐴, 0 ), 푋 푍 y퐵). In this hybrid, we make the following perfectly indistinguishable switch to the second part of this com- {︁(︁ (푖) (푖) )︁}︁ (︁ (1) (푚퐵 ))︁ putation. Prepare 푚퐵 EPR pairs eSim,1, eSim,1 , and let eSim,1 := eSim,1,..., eSim,1 and 푖∈[푚퐵 ] (︁ (1) (푚퐵 ))︁ 휆 eSim,2 := eSim,2,..., eSim,1 . Then set (ŷ︀퐴, y퐵) = (퐶out(y퐴, 0 ), eSim,1) and let 푥out, 푧out be the result of Bell measurements applied to corresponding pairs of qubits of (y퐵, eSim,2). Note that these Bell measurements do not have to be performed until the simulator sends its simulated round 2 message.

′ 푛푍 +휆 푛푇 휆 • ℋ11: After computing the first stage of 푄dist[퐶out, 푥out, 푧out](x퐴, x퐵, 0 , T ), set y퐴 aside and re- ′ 푚퐴+휆 define the final output tobe (ŷ︀퐴, y퐵) = (퐶out(0 ), eSim,1). Now, during 퐴’s output reconstruction step, if the check (step 3) passes, output y퐴, and otherwise abort.

′ 푛푍 +휆 푛푇 휆 • ℋ12: Rather than directly computing y퐴 from the first stage of 푄dist[퐶out, 푥out, 푧out](x퐴, x퐵, 0 , T ), ′ forward x퐵 to ℐ[x퐴](·) and receive back y퐵, which gives the same distribution as ℋ11. Now, during 퐴’s reconstruction step, if the check passes, send ok to the ideal functionality, and otherwise send abort. (푥inp,푧inp) This is IDEALΠ,Q (Sim, x퐴, x퐵, auxAdv).

Theorem 7.3. Let Π be the protocol described in Protocol5 computing some quantum circuit 푄. Then Π satisfies Definition 3.2 for any Adv corrupting party 퐵.

Proof. Assume towards contradiction the existence of a QPT 풟 = {풟휆}휆∈N, a QPT Adv = {Adv휆}휆∈N, and (x퐴, x퐵, auxAdv, aux풟) such that ⃒ ⃒ ⃒ Pr [풟휆 (aux풟, REALΠ,Q (Adv휆, x퐴, x퐵, auxAdv)) = 1] ⃒ ⃒ ⃒ − Pr [풟휆 (aux풟, IDEALΠ,Q (Sim휆, x퐴, x퐵, auxAdv)) = 1] ⃒ ≥ 1/poly(휆). ⃒

Define REAL := REALΠ,Q(Adv휆, x퐴, x퐵, auxAdv) and IDEAL := IDEALΠ,Q(Sim, x퐴, x퐵, auxAdv). Further- (푥inp,푧inp) more, let EREAL be the event that Adv sends (푥inp, 푧inp) as its first round message in REAL and define (푥inp,푧inp) (abort) (abort) (abort) EIDEAL , EREAL . Let EREAL and EIDEAL be the event that the adversary fails to report some of its

47 teleporation errors, causing the honest party to abort. The above implies that either there exists some 푛퐵 2 (푥inp, 푧inp) ∈ ({0, 1} ) such that ⃒ ⃒ [︁ ⃒ (푥inp,푧inp)]︁ [︁ (푥inp,푧inp)]︁ ⃒ Pr 풟휆(aux풟, REAL) = 1⃒E Pr E ⃒ REAL REAL ⃒ [︁ ⃒ (푥inp,푧inp)]︁ [︁ (푥inp,푧inp)]︁ ⃒ 1 − Pr 풟휆(aux풟, IDEAL) = 1⃒EIDEAL Pr EIDEAL ⃒ ≥ ⃒ poly(휆)(22푛퐵 + 1) or that

⃒ ⃒ [︁ ⃒ (abort)]︁ [︁ (abort)]︁ ⃒ Pr 풟휆(aux풟, REAL) = 1⃒E Pr E ⃒ REAL REAL ⃒ [︁ ⃒ (abort)]︁ [︁ (abort)]︁ ⃒ 1 − Pr 풟휆(aux풟, IDEAL) = 1⃒EIDEAL Pr EIDEAL ⃒ ≥ . ⃒ poly(휆)(22푛퐵 + 1) Simulating the distribution conditioned on an abort is trivial, so the second case cannot occur, and the first case immediately contradicts Lemma 7.2, completing the proof.

8 Multi-Party Quantum Computation in Five Rounds

In this section, we show the existence of a five-round protocol for multi-party quantum computation, assuming quantum-secure two-message oblivious transfer in the CRS model with a straight-line black-box simulator. The protocol we present satisfies security with abort, and only requires three rounds of online communication (that is, three rounds of communication once the parties receive their inputs). Thus, this implies the existence of a three-round protocol for multi-party quantum computation given some input-independent quantum pre- processing. We also note that the protocol can be adjusted to give security with unanimous abort with four rounds of online communication (while keeping the total number of rounds at five), though we do not provide a formal description of this protocol. Roughly, this follows because if parties receive their inputs one round earlier, they will be able to receive and check the authenticity of their (encrypted) outputs at the end of round four, rather than checking the authenticity of their (unencrypted) outputs at the end of round five.

8.1 The Protocol Ingredients.

• Round-optimal quantum-secure multi-party computation for classical reactive functionalities in the CRS model, to be treated as an oracle called MPC (see Section 3.6). • A garbling scheme for C + M circuits (QGarble, QGEval, QGSim).

Notation. We use the following parameters and notation throughout: • Let 푛 be the number of parties.

• Let 푄 be a C + M circuit with 푚 = 푚1 + ··· + 푚푛 input qubits and ℓ = ℓ1 + ··· + ℓ푛 output qubits. [︂ ]︂ {︁ inp out}︁ Let 푄dist 퐶푖 , 퐶푖 be the C + M circuit that 푖∈[푛]

– first applies 푇 -state distillation (taking as input 휆 times as many 푇 states as 푄), inp – then Clifford decodes each input using the 퐶푖 , outputting ⊥ if any of the decodings fail, – then applies 푄,

48 out – then Clifford encodes each part of the output using 퐶푖 . [︂ ]︂ {︁ inp out}︁ Let 푘0 be the total number of 0 states necessary to garble 푄dist 퐶푖 , 퐶푖 (which includes 푖∈[푛] auxiliary 0 states for the computation itself, as well as extra 0states used for the garbling operation). inp out Let 푘푇 be the total number of 푇 states that 푄dist[{퐶푖 , 퐶푖 }푖∈[푛]] takes as input.

• Let 푣 = (푚 + 휆푛) + 2(푘0 + 휆푛) + (푘푇 + 휆푛) be the number of registers teleported around the circle of parties, which includes all Clifford-encoded inputs, 0 states, and T states. We will refer to thefirst 푚 + 휆푛 registers as N, the next 2(푘0 + 휆푛) registers as Z, and the final 푘푇 + 휆푛 registers as T. • During the protocol, these 푣 registers will be manipulated. At one point (before the application of the quantum garbled circuit), we will rename the registers to N, Zinp, Tinp, Ztest, Ttest,1,..., Ttest,n, where

– N has size 푚 + 휆푛 and holds each party’s Clifford-encoded input.

– Zinp has size 푘0 and holds the auxiliary 0 states that will be used in the computation of the quantum garbled circuit.

– Tinp has size 푘푇 and holds the auxiliary T states that will be used in the computation of the quantum garbled circuit.

푘0+휆 – Ztest has size 푘0 + 휆푛 and holds the result of the 0-state check (will be 0 if all parties are honest).

– Each Ttest,1,..., Ttest,n has size 2휆 and holds the result of the T-state check (each will be a Clifford- encoding of T⊗휆 if all parties are honest).

Offline Round 1. In the first offline round of communication, the parties send EPR pair halvestoeach other as follows.

• Party 푃1. For each 푖 ∈ [푛], party 푃1 generates 푚푖 + 휆 EPR pairs

⊗푚 +휆 (︁ (1↔푖) (1↔푖))︁ 푖 e푅 , e푆 ,

where the (1 ↔ 푖) superscript indicates that these EPR pairs will be shared between party 1 and party 푖, and the 푅 and 푆 subscripts designate which halves of the EPR pairs will be for receiving teleported qubits and which halves will be for sending teleported qubits. It also generates 푣 EPR pairs

⊗푣 (︁ (푛↔1) (푛↔1))︁ e푅 , e푆 .

⊗푚 +휆 ⊗푣 (︁ (1↔푖))︁ 푖 (︁ (푛↔1))︁ For each 푖 ∈ [푛] ∖ {1}, party 푃1 sends e푆 to party 푃푖. 푃1 also sends e푆 to party circle circle 푃푛. Finally, 푃1 samples 퐶1 ← C푣 and sends input 퐶1 to MPC.

• Party 푃푖 for 푖 ∈ {2, 3, . . . , 푛}. Every other party 푃푖 will generate 푣 EPR pairs

⊗푣 (︁ ((푖−1)↔푖) ((푖−1)↔푖))︁ e푅 , e푆

and send ⊗푣 (︁ ((푖−1)↔푖))︁ e푆

circle circle to party 푃푖−1. In addition, 푃푖 will sample 퐶푖 ← C푣 and send input 퐶푖 to MPC.

49 Protocol6: Classical Functionality for Five-Round Quantum MPC

Public Parameters: Security parameter 휆, number of parties 푛, C + M circuit 푄, and parameters (푚, ℓ, 푘0, 푘푇 , 푣) defined above.

Shared Randomness: Random strings for 0 state check 푟, 푠 ← {0, 1}푘0+휆푛, re-randomization 푇 matrix 푈enc ← C푚+휆푛+푘0+푘푇 , Cliffords for 푇 -state checks {퐶푖 ← C2휆}푖∈[푛], Cliffords for outputs out {퐶푖 ← Cℓ푖+휆}푖∈[푛].

circle Offline Round 1: Obtain input 퐶푖 from each party 푖. circle circle Offline Round 2: Obtain input (푥푖 , 푧푖 ) from each party 푖. inp inp inp Online Round 1: Obtain input (푥푖 , 푧푖 , 퐶푖 ) from each party 푖.

circle† 푥circle 푧circle circle† 푥circle 푧circle • Compute the unitary 푈dec := 퐶1 푋 1 푍 1 . . . 퐶푛 푋 푛 푍 푛 , which will operate on registers N, Z, T, where N has size 푚 + 휆푛, Z has size 2(푘0 + 휆푛), and T has size (푘푇 + 휆푛).

• Compute the unitary 푈check that operates on registers Z, T as follows.

– Sample a random linear map 푀 ← GL(2(푘0 + 휆푛), F2), and apply it to the registers Z. Now refer to the first 푘0 qubits of Z as register Zinp, the following 푛 groups of 휆 qubits as Ttest,Z,1,..., Ttest,Z,n, and the final group of 푘0 + 휆푛 qubits as Ztest.

– Sample a random permutation 휋 on 푘푇 + 휆푛 elements and rearrange the registers of T according to the permutation 휋. Now refer to the first 푘푇 qubits of T as register Tinp and the following 푛 groups of 휆 qubits as Ttest,T,1,..., Ttest,T,n.

– Rearrange the registers in the order N, Zinp, Tinp, Ztest, Ttest,T,1, Ttest,Z,1,..., Ttest,T,n, Ttest,Z,n. 푟 푠 – Apply 푋 푍 to Ztest. 푇 – For each 푖 ∈ [푛], apply 퐶푖 to (Ttest,T,i, Ttest,Z,i) and re-name the combined registers Ttest,i. (︁ )︁ (︁ )︁ N,Zinp,Tinp Ztest,Ttest,1,...,Ttest,n Z,T N,Z,T • Output to party 1 the unitary 푈test := 푈enc ⊗ I I ⊗ 푈check 푈dec .

Online Round 2: Obtain input 푟′ from party 1.

휆 inp out • Compute (퐸0, 퐷0, 푔̃︀1,..., 푔̃︀푑) ← QGarble(1 , 푄dist[{퐶푖 , 퐶푖 }푖∈[푛]]).

(︁ inp inp inp inp )︁ 푥 푧 푥 푧 Zinp,Tinp † • Compute 푈garble := 퐸0 푋 1 푍 1 ⊗ · · · ⊗ 푋 푛 푍 푛 ⊗ I 푈enc.

푇 • Output 푈garble, 퐷0, 푔̃︀1,..., 푔̃︀푑 to party 1 and for each 푖 ∈ [푛] output 퐶푖 to party 푖. Online Round 3:

′ out • If 푟 = 푟 then output 퐶푖 to party 푖 for each 푖 ∈ [푛] and otherwise output ⊥ to each party.

Figure 6: Classical Functionality for Five-Round Quantum MPC.

Offline Round 2. In the second offline round, the parties perform local operations and then querythe classical MPC.

2(푘0+휆푛) 푘푇 +휆푛 • Party 푃1. Party 푃1 prepares the states 0 and T . It generates the 푣 qubit quantum state

(︂(︁ )︁⊗푚1+휆 (︁ )︁⊗푚2+휆 (︁ )︁⊗푚푛+휆 )︂ circle (1↔1) (1↔2) (1↔푛) 2(푘0+휆푛) 푘푇 +휆푛 퐶1 e푅 , e푅 ,..., e푅 , 0 , T ,

50 and begins the process of teleporting this state to party 푃2. That is, for each 푗 ∈ [푣], it measures positions (푗, 푣 + 푗) of

(︂ (︂(︁ )︁⊗푚1+휆 (︁ )︁⊗푚2+휆 (︁ )︁⊗푚푛+휆 )︂ (︁ )︁⊗푣)︂ circle (1↔1) (1↔2) (1↔푛) 2(푘0+휆푛) 푘푇 +휆푛 (1↔2) 퐶1 e푅 , e푅 ,..., e푅 , 0 , T , e푆

circle circle in the Bell basis. The result of these measurements is two classical 푣-length bitstrings 푥1 , 푧1 . circle circle Finally, it sends input (푥1 , 푧1 ) to MPC. circle • Party 푃푖 for 푖 ∈ {2, 3, . . . , 푛}. During this round, party 푃푖 will apply its own masking Clifford 퐶푖 to a state that has already been masked by parties 푃1, 푃2, . . . , 푃푖−1, and then teleport the resulting state along to 푃푖+1. Note that this is all happening simultaneously, and party 푃푖 does not “wait” until it ⊗푣 circle (︁ (푖−1)↔푖)︁ has received the state from party 푃푖−1. Precisely, party 푃푖 applies 퐶푖 to the state e푅 , and then for each 푗 ∈ [푣], it measures positions (푗, 푗 + 푣) of

(︂ (︂ ⊗푣)︂ ⊗푣)︂ circle (︁ (푖−1)↔푖)︁ (︁ (푖↔(푖+1)))︁ 퐶푖 e푅 , e푆

circle circle in the Bell basis. The result of these measurements is two classical 푣-length bitstrings 푥푖 , 푧푖 . circle circle Finally, it sends input (푥푖 , 푧푖 ) to MPC.

Parties Receive Inputs. After the offline rounds, each party 푃푖 receives a 푚푖-qubit input x푖.

Online Round 1.

inp • Party 푃푖 for 푖 ∈ [푛]. Each party 푃푖 samples a random Clifford 퐶푖 ← C푚푖+휆 and applies it to their input x푖 along with 휆-many 0 qubits. They then teleport this state into registers held by party 푃1. That is, for each 푗 ∈ [푚푖 + 휆], it measures positions (푗, 푗 + 푚푖 + 휆) of

(︁ inp (︀ 휆)︀ (︁ (1↔푖))︁)︁ 퐶푖 x푖, 0 , e푆

inp inp in the Bell basis. The result is two classical (푚푖 + 휆)-length bitstrings 푥푖 , 푧푖 . inp inp inp Each party 푃푖 inputs (푥푖 , 푧푖 , 퐶푖 ) to MPC. 푃1 receives an output 푈test from MPC.

Online Round 2.

• Party 푃1. Party 푃1 first computes

(︁ )︁ (︂(︁ )︁⊗푣)︂ N,Zinp,Tinp Ztest Ttest,1 Ttest,n (푛↔1) y , y푍 , y푇,1 ,..., y푇,푛 := 푈test e푅 .

For each 푖 ∈ {2, . . . , 푛}, it sends y푇,푖 to party 푃푖. Then, measure y푍 in the computational basis to ′ ′ obtain a classical string 푟 of length 푘0 + 휆푛, and input 푟 to MPC.

푃1 receives output (푈garble, 퐷0, 푔˜1,..., 푔˜푑) from MPC.

푇 • Party 푃푖 for 푖 ∈ [푛]. Every party receives output 퐶푖 from MPC.

51 Online Round 3.

• Party 푃1. Compute garbled input yinp = 푈garble(y) and run the quantum garbled circuit (퐷0, 푔˜1,..., 푔˜푑) on the resulting (푚+푛휆+푘0 +푘푇 )-qubit state yinp. The result of running the quantum garbled circuit is an ℓ + 푛휆-state. Party 푃1 partitions this state into 푛 different encrypted output states yout,1,..., yout,푛 where each yout,푖 is an (ℓ푖 + 휆)-qubit state. For each 푖 ∈ {2, . . . , 푛}, party 푃1 sends yout,푖 to party 푃푖.

• Party 푃푖 for 푖 ∈ [푛]. After the conclusion of Online Round 2, every party 푃푖 for 푖 ∈ {1, 2, . . . , 푛} has 푇 a “푇 -check Clifford” 퐶푖 from MPC, as well as a 2휆-qubit state y푇,푖 from party 푃1. It computes 푇 † 휆 퐶푖 (y푇,푖), and then performs the binary projection that projects the first 휆 qubits onto T and the 휆 last 휆 qubits onto 0 . If this projection fails, party 푃푖 asks the MPC to abort. Otherwise, receive out output 퐶푖 from MPC.

Output Reconstruction.

• Party 푃푖 for 푖 ∈ [푛]. After the conclusion of Online Round 3, each party 푃푖 has obtained an output out decryption Clifford 퐶푖 from the classical MPC, along with an (ℓ푖 + 휆)-qubit state yout,푖. It computes out† 퐶푖 (yout,푖) and measures whether the last 휆 trap qubits are all 0. If not, it outputs ⊥. Otherwise, its output is the remaining ℓ푖 qubits.

8.2 Security Theorem 8.1. Assuming post-quantum maliciously-secure two-message oblivious transfer, there exists five- round maliciously-secure multi-party quantum computation.

We split the security proof into two cases based on the set of honest parties ℋ ⊂ [푛]. In the first case, 푃1 is corrupted and in the second case, the only honest party is 푃1.

8.2.1 Case 1: 푃1 is corrupted Simulator. Let ℋ ⊂ [푛] be the set of honest parties and 푘 ≠ 1 be arbitrary such that 푘 ∈ ℋ. Let ℳ = [푛] ∖ ℋ be the set of corrupted parties. The simulator will act as party 푘, altering its actions as described below. All actions of parties 푖 ∈ ℋ ∖ {푘} will be honest except for those explicitly mentioned in the simulation (essentially just switching out their inputs for 0). Also note that the simulator will be implementing the ideal functionality for the classical MPC, so we allow the simulator to intercept the adversary’s inputs to MPC and compute the outputs.

• Offline Round 1. – Following honest party 푘’s behavior, prepare 푣 EPR pairs

⊗푣 (︁ ((푘−1)↔푘) ((푘−1)↔푘))︁ e푅 , e푆

and send ⊗푣 (︁ ((푘−1)↔푘))︁ e푘 := e푆

to party 푃푘−1.

– Receive state e푘+1 of 푣 qubits from 푃푘+1.

– For each 푖 ∈ ℋ, receive a state einp,푖 of 푚푖 + 휆 qubits from 푃1. circle circle – Obtain {퐶푖 }푖∈ℳ from the adversary’s query to MPC, and let {퐶푖 }푖∈ℋ be the values sampled by honest parties. • Offline Round 2.

52 푘0+휆푛 푇 – Sample 푟, 푠 ← {0, 1} , {퐶푖 ← C2휆}푖∈[푛], 푀 ← GL(2(푘0 + 휆푛), F2), and a permutation 휋 on 푘푇 + 휆푛 elements. Use these values to compute 푈check as in the computation in Online Round 1 of Protocol6. (︁ )︁ † † N Zinp Tinp Ztest Ttest,1 Ttest,n circle circle – Compute n , z , t , ztest , ttest,1 ,..., ttest,푛 := (I ⊗ 푈check)퐶1 ··· 퐶푘−1 (e푘), and discard zZinp , tTinp .

– Sample 푈test ← C푣 and 푈garble ← C푚+푛휆+푘0+푘푇 . {︁(︁ (푖) (푖) )︁}︁ – Prepare 푚 + 휆푛 + 푘0 + 푘푇 EPR pairs eSim,1, eSim,2 , and let 푖∈[푚+휆푛+푘0+푘푇 ]

(︁ (1) (푚+휆푛+푘0+푘푇 ))︁ (︁ (1) (푚+휆푛+푘0+푘푇 ))︁ eSim,1 := eSim,1,..., eSim,1 , eSim,2 := eSim,2,..., eSim,2 .

– Compute

circle† circle† † † w := 퐶푘+1 (··· 퐶푛 (푈test(푈garble(eSim,2), ztest, ttest,1,..., ttest,푛)) ··· ).

circle circle circle circle – Teleport w into e푘+1, and let 푥푘 , 푧푘 be the teleportation errors. Let {푥푖 , 푧푖 }푖∈ℋ∖{푘} be the teleportation errors obtained by the other honest parties. circle circle – Send {푥푖 , 푧푖 }푖∈ℋ to the adversary. circle circle – Receive {푥푖 , 푧푖 }푖∈ℳ from the adversary. • Online Round 1.

– Let 푥̂︀1, 푧̂︀1 be such that † circle circle † circle circle † † circle 푥1 푧1 circle 푥푘−1 푧푘−1 푥1 푧1 circle circle (I ⊗ 푈check)퐶1 푋 푍 ··· 퐶푘−1 푋 푍 = 푋̂︀ 푍̂︀ (I ⊗ 푈check)퐶1 ··· 퐶푘−1 .

Write 푥̂︀1 as 푥̂︀inp,1,..., 푥̂︀inp,푛, 푥̂︀푍 , 푥̂︀푇 , 푥̂︀test,푍 , 푥̂︀test,푇,1,..., 푥̂︀test,푇,푛, and same for 푧̂︀1. Here, each 푚푖+휆 푘0 푘푇 푘0+휆푛 푥̂︀inp,푖 ∈ {0, 1} , 푥̂︀푍 ∈ {0, 1} , 푥̂︀푇 ∈ {0, 1} , 푥̂︀test,푍 ∈ {0, 1} , and each 푥̂︀test,푇,푖 ∈ {0, 1}2휆. – Let 푥̂︀2, 푧̂︀2 be such that circle circle † circle circle † circle circle † † 푥푘 푧푘 circle 푥푘+1 푧푘+1 circle 푥푛 푧푛 푥2 푧2 circle circle 푋 푍 퐶푘+1 푋 푍 . . . 퐶푛 푋 푍 = 푋̂︀ 푍̂︀ 퐶푘+1 . . . 퐶푛 .

푥2 푧2 – Let 푈̂︀test := 푈test푋̂︀ 푍̂︀ and use 푈̂︀test in place of 푈test.

푇 푇 푥test,푇,푖 푧test,푇,푖 푇 푇 – For each 푖 ∈ [푛], let 퐶̂︀푖 := 퐶푖 푋̂︀ 푍̂︀ , and use 퐶̂︀푖 in place of 퐶푖 (in Online Round 2). – Let 푟̂︀ := 푟 ⊕ 푥̂︀test,푧 and use 푟̂︀ in place of 푟 (in Online Round 3). inp inp 푚푖+휆 inp inp – Sample 퐶푖 ← C푚푖+휆. For 푖 ∈ ℋ, teleport 퐶푖 (0 ) into einp,푖. Let 푥푖 , 푧푖 be the teleportation errors. inp inp inp – Send {퐶푖 , 푥푖 , 푧푖 }푖∈ℋ and 푈̂︀test to the adversary. inp inp inp – Receive {퐶푖 , 푥푖 , 푧푖 }푖∈ℳ from the adversary. • Online Round 2.

† inp inp inp 푥 푧 푥inp,푖 푧inp,푖 – Parse n := (n1,..., n푛). For each 푖 ∈ [푛], compute (x푖, z푖) := 퐶푖 푋 푖 푍 푖 푋̂︀ 푍̂︀ (n푖) and measure z푖. If any measurements are not all 0, then set (y1,..., y푛) := (⊥, ··· , ⊥). Otherwise, ℓ푖 query the ideal functionality with {x푖}푖∈ℳ and let {y푖}푖∈ℳ be the output. Set y푖 := 0 for each 푖 ∈ ℋ. out – Sample {퐶푖 ← Cℓ푖+휆}푖∈[푛] and set

out 휆 out 휆 y := (퐶1 (y1, 0 ), ··· , 퐶푛 (y푛, 0 )).

53 – Compute N,Zinp,Tinp (︀ 휆lev )︀ (x̃︀ , 퐷0, 푔̃︀1,..., 푔̃︀푑) ← QGSim 1 , 푄dist, y . – Perform Bell measurements between x̃︀ and eSim,1 and let 푥Sim, 푧Sim be the teleportation errors.

푇 푥Sim 푧Sim – Send {퐶̂︀푖 }푖∈ℳ, 푋 푍 푈garble, 퐷0, 푔̃︀1,..., 푔̃︀푑 to the adversary. – Receive {y푇,푖}푖∈ℋ from the adversary. • Online Round 3.

푇 – For each 푖 ∈ ℋ, compute 퐶̂︀푖 (y푇,푖), and then perform the binary projection that projects the first 휆 qubits onto T휆 and the last 휆 qubits onto 0휆. If this projection fails, then send abort to the ideal functionality (i.e. send {abort푖}푖∈ℋ to the ideal functionality, and don’t send a final round message to the adversary). out – Send {퐶푖 }푖∈ℳ to the adversary.

– Receive {yout,푖}푖∈ℋ from the adversary.

out • Output Reconstruction. On behalf of each 푖 ∈ ℋ, compute 퐶푖 (yout,푖) and measure whether the last 휆 trap qubits are all 0. If not, then send abort푖 to the ideal functionality and otherwise send ok푖.

Lemma 8.2. Let Π be the protocol described in Section 8.1 computing some quantum circuit 푄. Then Π satisfies Definition 3.2 for any Adv corrupting parties 푀 ⊂ [푛] where 1 ∈ 푀.

Proof. Fix any collection 풟, Adv, {x푖}푖∈[푛], auxAdv, aux풟. We show the indistinguishability via a sequence of hybrids, where ℋ0 is the distribution REALΠ,Q(Adv휆, {x푖}푖∈[푛], auxAdv). In each hybrid, we describe the differences from the previous hybrid, and why each is indistinguishable.

circle • ℋ1: Re-define 퐶푘 .

During Offline Round 2,

– Sample 푈enc, 푈check honestly and sample 푈test ← C푣. Define

circle circle† circle† † circle† circle† 퐶푘 := 퐶푘+1 . . . 퐶푛 푈test(푈enc ⊗ I)(I ⊗ 푈check)퐶1 . . . 퐶푘−1 , ⊗푣 circle (︁ ((푘−1)↔푘))︁ and apply 퐶푘 to e푘 := e푆 .

During Online Round 1,

– Let 푥̂︀1, 푧̂︀1 be such that

† circle circle † circle circle † † circle 푥1 푧1 circle 푥푘−1 푧푘−1 푥1 푧1 circle circle (I ⊗ 푈check)퐶1 푋 푍 ··· 퐶푘−1 푋 푍 = 푋̂︀ 푍̂︀ (I ⊗ 푈check)퐶1 ··· 퐶푘−1 .

푚+휆푛+푘0+푘푇 Write 푥̂︀1 as 푥̂︀enc, 푥̂︀test,푍 , 푥̂︀test,푇,1,..., 푥̂︀test,푇,푛, and same for 푧̂︀1. Here, 푥̂︀enc ∈ {0, 1} , 푘0+휆푛 2휆 푥̂︀test,푍 ∈ {0, 1} , and each 푥̂︀test,푇,푖 ∈ {0, 1} . – Let 푥̂︀2, 푧̂︀2 be such that

circle circle † circle circle † circle circle † † 푥푘 푧푘 circle 푥푘+1 푧푘+1 circle 푥푛 푧푛 푥2 푧2 circle circle 푋 푍 퐶푘+1 푋 푍 . . . 퐶푛 푋 푍 = 푋̂︀ 푍̂︀ 퐶푘+1 . . . 퐶푛 .

푥2 푧2 – Let 푈̂︀test := 푈test푋̂︀ 푍̂︀ and use 푈̂︀test in place of 푈test (in Online Round 1).

푥enc 푧enc – Let 푈̂︀enc := 푈enc푋̂︀ 푍̂︀ and use 푈̂︀enc in place of 푈enc (in Online Round 2).

푇 푇 푥test,푇,푖 푧test,푇,푖 푇 푇 – For each 푖 ∈ [푛], let 퐶̂︀푖 := 퐶푖 푋̂︀ 푍̂︀ , and use 퐶̂︀푖 in place of 퐶푖 (in Online Round 2).

54 – Let 푟̂︀ := 푟 ⊕ 푥̂︀test,푧 and use 푟̂︀ in place of 푟 (in Online Round 3). circle This switch is perfectly indistinguishable from ℋ0 due to the fact that in ℋ0, 퐶푘 is a uniformly 푇 random Clifford, and in ℋ1, 푈test is a uniformly random Clifford, and that 푈enc, {퐶푖 }푖∈[푛] and 푟 are uniformly random.

• ℋ2: Re-define 푈enc.

During Offline Round 2,

– 푈 ← 퐸 , 퐷 , 푔 ,..., 푔 ← QGarble 휆, 푄 {퐶inp, 퐶out} Sample garble C푚+휆푛+푘0+푘푇 , compute ( 0 0 ̃︀1 ̃︀푑) (1 dist[ 푖 푖 푖∈[푛]]), † and use 푈garble퐸0 in place of 푈enc. Thus, we now have

circle† circle† † † circle† circle† 퐶푘 := 퐶푘+1 . . . 퐶푛 푈test(푈garble ⊗ I)(퐸0 ⊗ I)(I ⊗ 푈check)퐶1 . . . 퐶푘−1 .

During Online Round 2,

– Let 푥̂︀inp, 푧̂︀inp be such that

(︁ inp inp inp inp )︁ 푥enc 푧enc 푥 푧 푥 푧 Zinp,Tinp 푥inp 푧inp 퐸0푋̂︀ 푍̂︀ 푋 1 푍 1 ⊗ · · · ⊗ 푋 푛 푍 푛 ⊗ I := 푋̂︀ 푍̂︀ 퐸0.

푥inp 푧inp – Let 푈̂︀garble := 푋̂︀ 푍̂︀ 푈garble, and use 푈̂︀garble in place of 푈garble.

This switch is perfectly indistinguishable from ℋ2 due to the fact that in ℋ1, 푈enc is a uniformly random Clifford, and in ℋ2, 푈garble is a uniformly random Clifford.

• ℋ3: Introduce new Pauli errors.

During Offline Round 2,

푚+휆푛+푘0+푘푇 – Sample 푥Sim, 푧Sim ← {0, 1} , and define

† † † † circle circle † † 푥Sim 푧Sim circle circle 퐶푘 := 퐶푘+1 . . . 퐶푛 푈test(푈garble ⊗ I)(푋 푍 ⊗ I)(퐸0 ⊗ I)(I ⊗ 푈check)퐶1 . . . 퐶푘−1 .

During Online Round 2,

푥 푧 푥inp 푧inp – Let 푈̂︀garble := 푋 Sim, 푍 Sim 푋̂︀ 푍̂︀ 푈garble.

This switch is perfectly indistinguishable since 푈garble is a uniformly random Clifford.

• ℋ4: Introduce new EPR pairs. {︁(︁ (푖) (푖) )︁}︁ During Offline Round 2, prepare 푚 + 휆푛 + 푘0 + 푘푇 EPR pairs eSim,1, eSim,2 , and 푖∈[푚+휆푛+푘0+푘푇 ] let (︁ (1) (푚+휆푛+푘0+푘푇 ))︁ (︁ (1) (푚+휆푛+푘0+푘푇 ))︁ eSim,1 := eSim,1,..., eSim,1 , eSim,2 := eSim,2,..., eSim,2 .

circle This hybrid will now compute 퐶푘 in three parts, as follows.

– First, compute

(︁ )︁ † † N Zinp Tinp Ztest Ttest,1 Ttest,n circle circle n , z , t , ztest , ttest,1 ,..., ttest,푛 := (I ⊗ 푈check)퐶1 . . . 퐶푘−1 (e푘).

55 – Second, compute (︀ N,Zinp,Tinp )︀ x := 퐸0 (n, z, t) . – Third, compute

circle† circle† † † 퐶푘+1 . . . 퐶푛 푈test(푈garble ⊗ I)(eSim,2, ztest, ttest,1,..., ttest,푛).

In addition, perform Bell measurements between x and eSim,1 to obtain teleportation errors, which will be defined to be 푥Sim, 푧Sim.

The second part of the computation (on registers N, Zinp, Tinp) will now be delayed until Online Round 2, since the teleportation errors are not used until the definition of 푈̂︀garble, which is given to the adversary in Online Round 2. Thus, this is identically distributed to ℋ3.

• ℋ5: Move around Pauli errors. During Online Round 2, – Change the computation to

(︁ inp inp inp inp )︁ (︁ )︁ 푥 푧 푥 푧 Zinp,Tinp 푥enc 푧enc x := 퐸0 푋 1 푍 1 ⊗ · · · ⊗ 푋 푛 푍 푛 ⊗ I 푋̂︀ 푍̂︀ (n, z, t).

푥 푧 – Let 푈̂︀garble := 푋 Sim 푍 Sim 푈garble.

This is again identically distributed to ℋ4 since 푈garble is a uniformly random Clifford.

• ℋ6: Simulate the quantum garbled circuit. During Online Round 2, rather than applying 퐸0, do the following. – Compute

(︁ inp inp inp inp )︁ (︁ )︁ 푥 푧 푥 푧 Zinp,Tinp 푥enc 푧enc (ninp, zinp, zinp) := 푋 1 푍 1 ⊗ · · · ⊗ 푋 푛 푍 푛 ⊗ I 푋̂︀ 푍̂︀ (n, z, t).

– Compute inp out y := 푄dist[{퐶푖 , 퐶푖 }푖∈[푛]](ninp, zinp, zinp). – Compute N,Zinp,Tinp (︀ 휆lev )︀ (x̃︀ , 퐷0, 푔̃︀1,..., 푔̃︀푑) ← QGSim 1 , 푄dist, y . – Perform Bell measurements between x̃︀ and eSim,1 as before.

This is indistinguishable from ℋ5 due to security of the quantum garbled circuit.

• ℋ7: Switch honest party inputs to 0.

inp 푚푖+휆 inp 휆 – During Online Round 1, for each 푖 ∈ ℋ, teleport 퐶푖 (0 ) to Party 1 rather than 퐶푖 (x푖, 0 ). inp out – During Online Round 2, instead of directly applying 푄dist[{퐶푖 , 퐶푖 }푖∈[푛]] to (ninp, zinp, tinp), do inp† inp† the following. First apply 퐶1 ⊗· · ·⊗퐶푛 to n. Then, swap out the honest party input registers inp out for {x푖}푖∈ℋ, and continue with the computation of 푄dist[{퐶푖 , 퐶푖 }푖∈[푛]].

ℋ7 is statistically indistinguishable from ℋ6 due to properties of the Clifford authentication code. In particular, since the code is perfectly hiding, the adversary cannot tell that the inputs where switched inp out to 0. Thus the adversary can only distinguish if the output of 푄dist[{퐶푖 , 퐶푖 }푖∈[푛]] differs between ℋ7 inp out and ℋ6. However, if any Clifford authentication test that happens within 푄dist[{퐶푖 , 퐶푖 }푖∈[푛]] fails, then the output is (⊥ ... ⊥). In both ℋ7 and ℋ6, conditioned on these tests passing, the honest party inputs to 푄dist are statistically close to {x푖}푖∈ℋ, due to the authentication property of the Clifford code.

56 inp out • ℋ8: Query ideal functionality. In Online Round 2, rather than computing 푄dist[{퐶푖 , 퐶푖 }푖∈[푛]] on (ninp, zinp, tinp), do the following.

inp – Parse ninp := (n1,..., n푛). For each 푖 ∈ [푛], compute (x푖, z푖) := 퐶푖 (n푖) and measure z푖. If any measurements are not all 0, then set (y1,..., y푛) := (⊥, ··· , ⊥).

– Otherwise, query the ideal functionality with {x푖}푖∈ℳ and let {y푖}푖∈ℳ be the output. Set ℓ푖 y푖 := 0 for each 푖 ∈ ℋ. out – Sample {퐶푖 ← Cℓ푖+휆}푖∈[푛] and set

out 휆 out 휆 y := (퐶1 (y1, 0 ), ··· , 퐶푛 (y푛, 0 )).

– Apply QGSim to y as before.

In the Output Reconstruction step, do the following.

out out – For each 푖 ∈ ℋ, compute 퐶푖 (y푖 ) and measure whether the last 휆 trap qubits are all 0. If not, then send abort푖 to the ideal functionality and otherwise send ok푖.

Observe that one difference between ℋ7 and ℋ8 is that zinp and tinp are not used in the computation of C + M circuit 푄dist. Instead, the ideal functionality directly computes 푄 on the inputs. This will result in statistically close outputs if i) the QGC satisfies statistical correctness, ii) zinp is statistically close ⊗푘0 ⊗푘푇 /휆 to 0 , and iii) the result of applying the distillation circuit to tinp is statistically close to T . Lemma 3.5 implies that the second requirement holds conditioned on the adversary submitting the correct 푟 to the classical MPC in Online Round 1 (and otherwise, all honest parties abort). Lemma 3.3 plus Clifford authentication implies that the third requirement holds conditioned on the honest party 푇 -state checks in Online Round 3 all passing (and if any one of them fails, the honest parties abort). The other difference is that honest party outputs are determined by the ideal functionality’s computation. First, the adversary cannot tell that {y푖}푖∈ℋ are switched to 0 within the quantum garbled out circuit, by perfect hiding of the Clifford authentication code (using Cliffords {퐶푖 }푖∈ℋ). Next, in ℋ7, the adversary cannot make an honest party accept a state noticeably far from their real output y푖, by authentication of the Clifford code. Thus, ℋ7 is statistically close to ℋ8. This completes the proof, as ℋ8 is the simulator described above.

8.2.2 Case 2: 푃1 is the only honest party Simulator. The simulator will act as party 1 and maintain the classical MPC oracle. It will compute MPC honestly throughout, and will compute honest party 1 actions throughout except for what is described below.

• Online Round 1. Rather than Clifford-encoding and teleporting in 푃1’s input x1, the simulator will inp ℓ1+휆 teleport 퐶1 (0 ).

• Online Round 3. Rather than evaluating the quantum garbled circuit (푈garble, 퐷0, 푔̃︀1,..., 푔̃︀푑) on y, the simulator will run the following computation on y. † – Compute (n1,..., n푛, z, t) := 퐸0푈garble(y), where (n1,..., n푛) are the parties’ Clifford-encoded inputs. inp† – For each 푖 ∈ [푛], compute (x푖, z푖) := 퐶푖 (n푖) and measure z푖. If any measurements are not all 0, then set (y1,..., y푛) := (⊥, ··· , ⊥). Otherwise, query the ideal functionality with {x푖}푖∈[2,...,푛] and let {y푖}푖∈[2,...,푛] be the output.

57 out out 휆 out out ℓ1+휆 – For each 푖 ∈ [2, . . . , 푛] set y푖 := 퐶푖 (y푖, 0 ), set y1 := 퐶1 (0 ), and continue as the honest party 1. Lemma 8.3. Let Π be the protocol described in Section 8.1 computing some quantum circuit 푄. Then Π satisfies Definition 3.2 for any Adv corrupting parties [2, . . . , 푛].

Proof. We consider a sequence of hybrid distributions, where ℋ0 is REALΠ,Q(Adv휆, {x푖}푖∈[푛], auxAdv), i.e. 휆 the real interaction between Adv휆({x푖}푖∈[2,...,푛], auxAdv) and an honest party 푃1(1 , x1). In each hybrid, we describe the differences from the previous hybrids.

inp out • ℋ1 : Directly compute 푄dist[{퐶푖 , 퐶푖 }] in place of garbled circuit evaluation During Online Round 3, † inp out this hybrid computes (n1,..., n푛, z, t) := 퐸0푈garble(y) and then applies 푄dist[{퐶푖 , 퐶푖 }] to produce out out outputs (y1 ,..., y푛 ). Statistical indistinguishability follows from the statistical correctness of the QGC.

inp 푚푖+휆 • ℋ2 : Replace 푃1’s input with 0 During Online Round 1, this hybrid teleports in 퐶1 (0 ). Then, during Online Round 2, this hybrid inserts 푃1’s input x1 before the computation of 푄. This switch is perfectly indistinguishable due to the perfect hiding of the Clifford code. inp out • ℋ3 : Query ideal functionality During Online Round 3, this hybrid computes 푄dist[{퐶푖 , 퐶푖 }] as described in the simulator, by using the ideal functionality to compute 푄. This switch is statistically indistinguishable as long as i) z is statistically close to 0⊗푘0 (which follows from Lemma 3.5), and ii) the result of applying the distillation circuit to t to statistically close to T⊗푘푇 /휆 (which follows from Lemma 3.3, as 푃1 checks its own subset of T states). This hybrid is the simulator, completing the proof.

9 Multi-Party Quantum Computation in Four Rounds

In this section, we show the existence of a four-round protocol for multi-party quantum computation, assuming the sub-exponential hardness of LWE. The protocol we present satisfies security with abort, and only requires two rounds of online communication (that is, two rounds of communication once the parties receive their inputs). Thus, this implies the existence of a two-round protocol for multi-party quantum computation given some input-independent quantum pre-processing. We also note that the protocol can be adjusted to give security with unanimous abort with three rounds of online communication (while keeping the total number of rounds at four), though we do not provide a formal description of this protocol. Roughly, this follows because if parties receive their inputs one round earlier, they will be able to receive and check the authenticity of their (encrypted) outputs at the end of round three, rather than checking the authenticity of their (unencrypted) outputs at the end of round four.

9.1 The Protocol Ingredients. Our protocol will make use of the following cryptographic primitives, which are all assumed 휖 to be sub-exponentially secure (i.e. there exists 휖 such that the primitive is (2−휆 )-secure). • Round-optimal quantum-secure multi-party computation for classical reactive functionalities in the CRS model, to be treated as an oracle called MPC (see Section 3.6). • A garbling scheme for C + M circuits (QGarble, QGEval, QGSim). • A quantum multi-key FHE scheme QMFHE = (KeyGen, CEnc, Enc, Eval, Rerand, Dec) with ciphertext rerandomization and classical encryption of classical messages. • A quantum-secure classical garbled circuit (Garble, GEval, GSim).

58 Notation. We use the same notation as described in Section 8.1.

Protocol7: Classical Functionality for Four-Round Quantum MPC

Public Parameters: Security parameter 휆, number of parties 푛, C + M circuit 푄, and parameters 푐 (푚, ℓ, 푘0, 푘푇 , 푣, 휖) defined above. Let 휆lev = (2푛푣 + 2푚) for some 푐 > 1/휖.

(︁ circle inp)︁ Offline Round 1: Obtain input 퐶푖 , 퐶푖 from each party 푖. (︀ circle circle)︀ Offline Round 2: Obtain input 푥푖 , 푧푖 from each party 푖.

• Sample a random linear map 푀 ← GL(2(푘0 + 휆푛), F2), and a random permutation 휋 on 푘푇 + circle 푇 휆푛 elements. Let 푓test[{퐶푖 }푖∈[푛], 푟, 푠, 푈enc, {퐶푖 }푖∈[푛], 푀, 휋] be the classical circuit that takes circle circle as input {푥푖 , 푧푖 }푖∈[푛] and outputs 푈test, following the computation in Online Round 1 of Protocol6.

test 휆lev circle 푇 • Compute ({lab푖,푏 }푖∈[2푛푣],푏∈{0,1}, 푓̃︀test) ← Garble(1 , 푓test[{퐶푖 }푖∈[푛], 푟, 푠, 푈enc, {퐶푖 }푖∈[푛], 푀, 휋]).

test test 휆lev test • For each 푖 ∈ [2푛푣], 푏 ∈ {0, 1}, compute (pk푖,푏 , sk푖,푏 ) ← QMFHE.Gen(1 ) and ct푖,푏 ← test test QMFHE.CEnc(pk푖,푏 , lab푖,푏 ).

(︁ test test )︁ • Output {pk푖,푏 , ct푖,푏 }푖∈[2푛푣],푏∈{0,1}, 푓̃︀test to party 1.

(︁ inp inp)︁ Online Round 1: Obtain input 푥푖 , 푧푖 from each party 푖 and additional input ct푟 from party 1.

inp out inp inp • Let 푓QGC[푈enc, {퐶푖 , 퐶푖 }푖∈[푛]] be the circuit that takes as input {푥푖 , 푧푖 }푖∈[푛] and outputs (푈garble, 퐷0, 푔̃︀1,..., 푔̃︀푑), following the computation in Online Round 2 of Protocol6.

QGC 휆lev inp out • Compute ({lab푖,푏 }푖∈[2푚],푏∈{0,1}, 푓̃︀QGC]) ← Garble(1 , 푓QGC[푈enc, {퐶푖 , 퐶푖 }푖∈[푛]]).

QGC QGC 휆lev QGC • For each 푖 ∈ [2푚], 푏 ∈ {0, 1}, compute (pk푖,푏 , sk푖,푏 ) ← QMFHE.Gen(1 ) and ct푖,푏 ← QGC QGC QMFHE.CEnc(pk푖,푏 , lab푖,푏 ).

circle circle circle circle circle test • Let 푡 := (푥1 , 푧1 , . . . , 푥푛 , 푧푛 ), and let sktest = {sk circle }푖∈[2푛푣]. 푖,푡푖

(︁ QGC QGC )︁ 푇 • Output {pk푖,푏 , ct푖,푏 }푖∈[2푚],푏∈{0,1}, 푓̃︀QGC to party 1 and (퐶푖 , sktest) to party 푖 for each 푖 ∈ [푛].

Online Round 2:

inp inp inp inp inp QGC • Let 푡 := (푥1 , 푧푖 , . . . , 푥푛 , 푧푛 ), and let skQGC = {sk inp }푖∈2푚. 푖,푡푖 ′ ′ out • Decrypt ct푟 with sktest to obtain a value 푟 . If 푟 = 푟 then output (퐶푖 , skQGC) to party 푖 for each 푖 ∈ [푛], and otherwise output ⊥ to each party.

Figure 7: Classical Functionality for Four-Round Quantum MPC.

59 Offline Round 1. The parties send EPR halves to each other exactly as described in Offline Round 1of circle inp the five-round protocol from Section8. In addition, each party 푖 samples 퐶푖 ← C푣 and 퐶푖 ← C푚푖+휆 circle inp and inputs (퐶푖 , 퐶푖 ) to the classical MPC.

Offline Round 2.

circle • Party 푃푖 for 푖 ∈ [푛]. The parties apply 퐶푖 to their registers and teleport the results around the circle, exactly as described in Offline Round 2 of the five-round protocol from Section8. This results circle circle in teleportation errors 푥푖 , 푧푖 , which party 푖 broadcasts to all parties. (︂ )︂ {︁ test test}︁ • Party 푃1. 푃1 receives output pk푖,푏 , ct푖,푏 , 푓̃︀test from MPC. 푖∈[2푛푣],푏∈{0,1}

Parties Receive Inputs. After the offline rounds, each party 푃푖 receives an 푚푖-qubit input x푖.

Online Round 1.

• Party 푃푖 for 푖 ∈ [푛]. The parties Clifford encode their inputs and teleport the encodings exactly as described in Online Round 1 of the five-round protocol from Section8. This results in teleportation inp inp (︀ 푇 )︀ errors 푥푖 , 푧푖 , which party 푖 broadcasts to all parties. Each party 푖 receives output 퐶푖 , sktest from MPC.

• Party 푃1. 푃1 first homomorphically evaluates 푓̃︀test using encryptions of the labels corresponding to {︀ circle circle}︀ the 푥푖 , 푧푖 푖∈[푛] that were broadcast last round. This results in QMFHE.Enc(sktest, 푈test), where recall from Protocol7 that sktest is a set of 2푛푣 secret keys. Now, 푃1 homomorphically evaluates 푈test on its registers, exactly as in Online Round 2 of the five-round protocol from Section8 (except here the computation is performed homormophically under sktest). This results in the following encryptions:

′ QMFHE.Enc(sktest, y), QMFHE.Enc(sktest, 푟 ), QMFHE.Enc (sktest, y푇,1) ,..., QMFHE.Enc (sktest, y푇,푛) .

′ 푃1 sends QMFHE.Enc (sktest, y푇,푖) to party 푃푖 and inputs QMFHE.Enc(sktest, 푟 ) to MPC. Finally, it (︂ )︂ {︁ QGC QGC}︁ receives pk푖,푏 , ct푖,푏 , 푓̃︀QGC from MPC. 푖∈[2푚],푏∈{0,1}

Online Round 2.

• Party 푃푖 for 푖 ∈ [푛]. Each party 푃푖 decrypts the state QMFHE.Enc (sktest, y푇,푖) received from 푃1 using 푇 sktest received from MPC. It computes 퐶푖 (y푇,푖), and then performs the binary projective measurement that projects the first 휆 qubits onto T휆 and the last 휆 qubits onto 0휆. If this measurement returns 0, out party 푃푖 sends abort to MPC. If no parties send abort, then they each receive (퐶푖 , skQGC) from MPC.

• Party 푃1. 푃1 first decrypts QMFHE.Enc(sktest, y) using sktest. Then, it homomorphically evaluates 푓̃︀QGC {︁ inp inp}︁ using encryption of the labels corresponding to the 푥푖 , 푧푖 that were broadcast last round. 푖∈[푛] This results in QMFHE.Enc(skQGC, (푈garble, 퐷0, 푔̃︀1,..., 푔̃︀푑)), where recall from Protocol7 that skQGC is a set of 2푚 secret keys. Now, 푃1 homomorphically evaluates the quantum garbled circuit on y to obtain encryptions QMFHE.Enc(skQGC, yout,1),..., QMFHE.Enc(skQGC, yout,푛). For each 푖 ∈ [2, . . . , 푛], apply QMFHE.Rerand to QMFHE.Enc(skQGC, yout,푖) and send the resulting ciphertext to 푃푖.

Output Reconstruction

• Party 푃푖 for 푖 ∈ [푛]. Each party 푃푖 decrypts their state QMFHE.Enc(skQGC, yout,푖) using skQGC. Then, out it computes 퐶푖 (yout,푖) and measures whether the last 휆 trap qubits are all 0. If not, it outputs ⊥. Otherwise, its output is the remaining ℓ푖 qubits.

60 9.2 Security Theorem 9.1. Assuming post-quantum maliciously-secure two-message oblivious transfer and (levelled) multi-key quantum fully-homomorphic encryption with sub-exponential security, there exists four-round multi- party quantum computation. Both of the above assumptions are known from the sub-exponential hardness of QLWE. We split the security proof into two cases based on the set of honest parties ℋ ⊂ [푛]. In the first case, 푃1 is corrupted and in the second case, the only honest party is 푃1.

9.2.1 Case 1: 푃1 is corrupted Simulator. Let ℋ ⊂ [푛] be the set of honest parties and 푘 ≠ 1 be arbitrary such that 푘 ∈ ℋ. The simulator will act as party 푘, altering its actions as described below. All actions of parties 푖 ∈ ℋ ∖ {푘} will be honest except for those explicitly mentioned in the simulation (essentially just switching out their inputs for 0).

• Offline Round 1. {︁(︁ (푖) (푖))︁}︁ – Following honest party 푘’s behavior, prepare 푣 EPR pairs e푅 , e푆 , let 푖∈[푣]

(︁ (1) (푣))︁ (︁ (1) (푣))︁ e푅 := e푅 ,..., e푅 , e푆 := e푆 ,..., e푆 ,

and send e푆 to party 푘 − 1. Receive a state e푘+1 of 푣 qubits from 푃푘+1

– For each 푖 ∈ ℋ, receive a state einp,푖 of 푚푖 + 휆 qubits from 푃1. circle inp circle inp – Obtain {퐶푖 , 퐶푖 }푖∈[푛]∖ℋ from the adversary’s query to MPC, and let {퐶푖 , 퐶푖 }푖∈ℋ be the values sampled by honest parties. • Offline Round 2.

푘0+휆푛 푇 – Sample 푟, 푠 ← {0, 1} , {퐶푖 ← C2휆}푖∈[푛], 푀 ← GL(2(푘0 + 휆푛), F2), and a permutation 휋 on 푘푇 + 휆푛 elements. Use these values to compute 푈check as in the computation in Online Round 1 of Protocol6. (︁ )︁ † † N Zinp Tinp Ztest Ttest,1 Ttest,n circle circle – Compute n , z , t , ztest , ttest,1 ,..., ttest,푛 := (I ⊗ 푈check)퐶1 ··· 퐶푘−1 (e푆), and discard zZinp , tTinp . {︁(︁ (푖) (푖) )︁}︁ – Prepare ℓ + 휆푛 EPR pairs eSim,1, eSim,2 , and let 푖∈[ℓ+휆푛]

(︁ (1) (ℓ+휆푛))︁ (︁ (1) (ℓ+휆푛))︁ eSim,1 := eSim,1,..., eSim,1 , eSim,2 := eSim,2,..., eSim,2 .

– Sample 푈test ← C푣 and 푈garble ← C푚+푛휆+푘0+푘푇 .

(︀ 휆lev )︀ – Compute (x̃︀inp, 퐷0, 푔̃︀1,..., 푔̃︀푑) ← QGSim 1 , 푄dist, eSim,2 , and let

circle† circle† † † w := 퐶푘+1 (··· 퐶푛 (푈test(푈garble(x̃︀inp), ztest, ttest,1,..., ttest,푛)) ··· ). (︂ )︂ test (︀ 휆lev 2푛푣 |푓test| )︀ – Compute {lab^푖 }푖∈[2푛푣], 푓̃︀test ← GSim 1 , 1 , 1 , 푈test .

– For 푖 ∈ [2푛푣], 푏 ∈ {0, 1}, sample

test test 휆lev test test test (pk푖,푏 , sk푖,푏 ) ← QMFHE.Gen(1 ), ct푖,푏 ← QMFHE.CEnc(pk푖,푏 , lab^푖 ).

61 circle circle test test – Send {푥푖 , 푧푖 }푖∈ℋ, {pk푖,푏 , ct푖,푏 }푖∈[2푛푣],푏∈{0,1}, 푓̃︀test to the adversary. circle circle – Receive {푥푖 , 푧푖 }푖∈[푛]∖ℋ from the adversary. • Online Round 1.

– Let 푥̂︀1, 푧̂︀1 be such that

푚푖+휆 Write 푥̂︀1 as 푥̂︀inp,1,..., 푥̂︀inp,푛, 푥̂︀푧, 푥̂︀푡, 푥̂︀test, and same for 푧̂︀1. Here, each 푥̂︀inp,푖 ∈ {0, 1} , 푥̂︀푧 ∈ 푘0 푘푇 푘0+3휆푛 {0, 1} , 푥̂︀푡 ∈ {0, 1} , and 푥̂︀test ∈ {0, 1} . – Let 푥̂︀2, 푧̂︀2 be such that

(︁ )︁ circle circle circle circle circle circle 푥test 푧test 푥푛 푧푛 circle 푥푘+1 푧푘+1 circle 푥푘 푧푘 푥2 푧2 circle circle I ⊗ 푋̂︀ 푍̂︀ 푈test푋 푍 퐶푛 ··· 푋 푍 퐶푘+1 푋 푍 = 푋̂︀ 푍̂︀ 푈test퐶푛 ··· 퐶푘+1 .

푚+휆푛+푘0+푘푇 Write 푥̂︀2 as 푥̂︀garble, 푥̂︀test,푧, 푥̂︀test,푇,1,..., 푥̂︀test,푇,푛, and same for 푧̂︀2. Here, 푥̂︀garble ∈ {0, 1} , 푘0+휆푛 2휆 푥̂︀test,푍 ∈ {0, 1} , and each 푥̂︀test,푇,푖 ∈ {0, 1} . – Let 푟̂︀ := 푟 ⊕ 푥̂︀test,푍 .

푇 푇 푥test,푇,푖 푧test,푇,푖 – For each 푖 ∈ [푛], let 퐶̂︀푖 := 퐶푖 푋̂︀ 푍̂︀ .

^QGC 휆lev 2푚 |푓QGC| 푥garble 푧garble – Compute ({lab푖 }푖∈[2푛푣], 푓̃︀QGC) ← GSim(1 , 1 , 1 , (푈garble푋̂︀ 푍̂︀ , 퐷0, 푔̃︀1,..., 푔̃︀푑)). – For 푖 ∈ [2푚], 푏 ∈ {0, 1}, sample

QGC QGC 휆lev QGC QGC ^QGC (pk푖,푏 , sk푖,푏 ) ← QMFHE.Gen(1 ), ct푖,푏 ← QMFHE.CEnc(pk푖,푏 , lab푖 ).

inp 푚푖+휆 inp inp – For 푖 ∈ ℋ, teleport 퐶푖 (0 ) into einp,푖. Let 푥푖 , 푧푖 be the teleportation errors. inp inp 푇 QGC QGC – Send {푥푖 , 푧푖 }푖∈ℋ, {퐶̂︀푖 }푖∈[푛]∖ℋ, sktest, {pk푖,푏 , ct푖,푏 }푖∈[2푚],푏∈{0,1}, 푓̃︀QGC to the adversary (where circle circle sktest, defined in Protocol7, is the set of secret keys corresponding to {푥푖 , 푧푖 }푖∈[푛]). inp inp – Receive ct푍 , {ct푇,푖}푖∈ℋ, {푥푖 , 푧푖 }푖∈[푛]∖ℋ from the adversary (where skQGC, defined in Protocol7, inp inp is the set of secret keys corresponding to {푥푖 , 푧푖 }푖∈[푛]). • Online Round 2.

푇 – For each 푖 ∈ ℋ, decrypt ct푇,푖 with sktest to obtain y푇,푖. Compute 퐶̂︀푖 (y푇,푖), and then perform the binary projection that projects the first 휆 qubits onto T휆 and the last 휆 qubits onto 0휆. If this projection fails, then abort (i.e. send {abort푖}푖∈ℋ to the ideal functionality, and don’t send a final round message to the adversary). ′ ′ – Decrypt ct푍 with sktest to obtain 푟 . Check if 푟 = 푟̂︀. If not, then send ⊥ to the adversary, send {abort푖}푖∈ℋ to the ideal functionality, and exit. Otherwise, continue. inp inp inp 푥 푧 푥inp,푖 푧inp,푖 – Parse n := (n1,..., n푛). For each 푖 ∈ [푛], compute (x푖, z푖) := 퐶푖 푋 푖 푍 푖 푋̂︀ 푍̂︀ (n푖) and measure z푖. If any measurements are not all 0, then set (y1,..., y푛) := (⊥, ··· , ⊥). Otherwise, ℓ푖 query the ideal functionality with {x푖}푖∈[푛]∖{ℋ} and let {y푖}푖∈[푛]∖{ℋ} be the output. Set y푖 := 0 for each 푖 ∈ ℋ. out – Sample {퐶푖 ← Cℓ푖+휆}푖∈[푛]. out 휆 out 휆 out out out out – Teleport (퐶1 (y1, 0 ), ··· , 퐶푛 (y푛, 0 )) into eSim,1, and let (푥1 , 푧1 , ··· , 푥푛 , 푧푛 ) be the tele- out out out out 푥푖 푧푖 portation errors. For each 푖 ∈ [푛], let 퐶̂︀푖 := 퐶푖 푋 푍 . out – Send skQGC, {퐶̂︀푖 }푖∈[푛]∖ℋ to the adversary.

62 • Output Reconstruction

– Receive {ct푦,푖}푖∈ℋ from the adversary. out – For each 푖 ∈ ℋ, decrypt ct푦,푖 using skQGC to obtain yout,푖. Then, compute 퐶̂︀푖 (yout,푖) and measure whether the last 휆 trap qubits are all 0. If not, then send abort푖 to the ideal functionality and otherwise send ok푖.

Notation. For any adversary {Adv휆}휆∈N and inputs (x1,..., x푛, auxAdv, aux풟), we partition the distributions REALΠ,Q(Adv휆, {x푖}푖∈[푛], auxAdv) and IDEALΠ,Q(Sim, {x푖}푖∈[푛], auxAdv) by the set of teleportation circle circle inp inp errors {푥푖 , 푧푖 , 푥푖 , 푧푖 }푖∈[푛] broadcast by all parties throughout the protocol. That is, we define the circle circle inp inp {푥푖 ,푧푖 ,푥푖 ,푧푖 }푖∈[푛] distribution REALΠ,Q (Adv휆, {x푖}푖∈[푛], auxAdv) to be REALΠ,Q(Adv휆, {x푖}푖∈[푛], auxAdv) except that the output of the distribution (which is a state z) is replaced with ⊥ if the set of teleportation circle circle inp inp errors broadcast during execution of the protocol were not exactly {푥푖 , 푧푖 , 푥푖 , 푧푖 }푖∈[푛]. We define circle circle inp inp {푥푖 ,푧푖 ,푥푖 ,푧푖 }푖∈[푛] the distribution IDEALΠ,Q (Sim, {x푖}푖∈[푛], auxAdv) analogously. We now prove the following lemma, which is the main part of the proof of security for this case. For notational convenience, we drop the indexing of inputs and teleportation errors by 휆.

Lemma 9.2. For any QPT Adv = {Adv휆}휆∈N, QPT distinguisher 풟 = {풟휆}휆∈N, inputs (x1,..., x푛, auxAdv, aux풟), circle circle inp inp and teleportation errors {푥푖 , 푧푖 , 푥푖 , 푧푖 }푖∈[푛], there exists a negligible function 휇 such that

⃒ [︂ (︂ circle circle inp inp )︂ ]︂ ⃒ {푥푖 ,푧푖 ,푥푖 ,푧푖 }푖∈[푛] (︀ )︀ ⃒ Pr 풟휆 aux풟, REAL Adv휆, {x푖}푖∈[푛], auxAdv = 1 ⃒ Π,Q [︂ (︂ circle circle inp inp )︂ ]︂ ⃒ 휇 휆 {푥푖 ,푧푖 ,푥푖 ,푧푖 }푖∈[푛] (︀ )︀ ⃒ ( ) − Pr 풟휆 aux풟, IDEAL Sim휆, {x푖}푖∈[푛], auxAdv = 1 ⃒ ≤ . Π,Q ⃒ 22푛푣+2푚

Proof. First note that by the definition of 휆lev, a 풟 violating the lemma distinguishes with probability at (︁ )︁ (1/푐) 1 −휆lev ) 1 ≥ 휖 . least poly(휆) 2 2휆lev circle circle inp inp Now fix any collection 풟, Adv, {x푖}푖∈[푛], auxAdv, aux풟, {푥푖 , 푧푖 , 푥푖 , 푧푖 }푖∈[푛]. We show the indistin- circle circle inp inp {푥푖 ,푧푖 ,푥푖 ,푧푖 }푖∈[푛] guishability via a sequence of hybrids, where ℋ0 is the distribution REALΠ,Q (Adv휆, {x푖}푖∈[푛], auxAdv). In each hybrid, we describe the differences from the previous hybrid, and why each is indistinguishable.

circle circle circle circle circle • ℋ1: Switch half of QMFHE ciphertexts to encryptions of 0. Let 푡 := (푥1 , 푧1 , . . . , 푥푛 , 푧푛 ) inp inp inp inp inp and let 푡 := (푥1 , 푧푖 , . . . , 푥푛 , 푧푛 ). For each 푖 ∈ [2푛푣], compute circle circle ct circle ← QMFHE.CEnc(pk circle , 0), 푖,1−푡푖 푖,1−푡푖 and for each 푖 ∈ [2푚], compute inp inp ct inp ← QMFHE.CEnc(pk inp , 0). 푖,1−푡푖 푖,1−푡푖 Note that the corresponding secret keys are not needed to produce the distribution conditioned on circle circle inp inp the set of teleportation errors being {푥푖 , 푧푖 , 푥푖 , 푧푖 }푖∈[푛], so indistinguishability of ℋ0 and ℋ1 reduces to semantic security of QMFHE.

• ℋ2: Simulate the two classical garbled circuits. – During Offline Round 2, the classical functionality computes circle 푇 circle circle 푈test := 푓test[{퐶푖 }푖∈[푛], 푟, 푈enc, {퐶푖 }푖∈[푛], 푀, 휋]({푥푖 , 푧푖 }푖∈[푛]) and then (︂ )︂ (︁ )︁ test 휆lev 2푛푣 |푓test| {lab^푖 }푖∈[2푛푣], 푓̃︀test ← GSim 1 , 1 , 1 , 푈test .

63 – During Online Round 1, the classical functionality computes

inp out inp inp (푈garble, 퐷0, 푔̃︀1,..., 푔̃︀푑) := 푓QGC[푈enc, {퐶푖 , 퐶푖 }푖∈[푛]]({푥푖 , 푧푖 }푖∈[푛]) and then

^QGC 휆lev 2푚 |푓QGC| ({lab푖 }푖∈[2푛푣], 푓̃︀QGC) ← GSim(1 , 1 , 1 , (푈garble, 퐷0, 푔̃︀1,..., 푔̃︀푑)).

Indistinguishability of ℋ1 and ℋ2 reduces to the security of the garbling scheme.

• ℋ3: Switch half of QMFHE ciphertexts to encryptions of simulated labels. For each 푖 ∈ [2푛푣], compute circle circle test ct circle ← QMFHE.CEnc(pk circle , lab^푖 ), 푖,1−푡푖 푖,1−푡푖 and for each 푖 ∈ [2푚], compute

inp inp ^QGC ct inp ← QMFHE.CEnc(pk inp , lab푖 ). 푖,1−푡푖 푖,1−푡푖

Indistinguishability of ℋ2 and ℋ3 reduces to semantic security of QMFHE.

circle • ℋ4: Re-define 퐶푘 . First, sample 푈test ← C푣 and then define

(︁ circle circle circle circle circle circle )︁† circle 푥푛 푧푛 circle 푥푘+1 푧푘+1 circle 푥푘 푧푘 † 퐶푘 := 푋 푍 퐶푛 . . . 푋 푍 퐶푘+1 푋 푍 푈test(푈enc ⊗ I)(I ⊗ 푈check)

(︁ circle circle circle circle )︁† 푥푘−1 푧푘−1 circle 푥1 푧1 circle 푋 푍 퐶푘−1 . . . 푋 푍 퐶1 .

circle Note that when 퐶푘 is plugged into 푈dec (see Online Round 1 of Protocol6), we have that

(푈enc ⊗ I)(I ⊗ 푈check) 푈dec := 푈test.

circle This switch is perfectly indistinguishable given the fact that in ℋ3, 퐶푘 is a uniformly random Clifford, and in ℋ4, 푈test is a uniformly random Clifford. ℋ 푈 푈 ← 퐸 , 퐷 , 푔 ,..., 푔 ← • 5: Re-define enc. First, sample garble C푚+휆푛+푘0+푘푇 , then compute ( 0 0 ̃︀1 ̃︀푑) inp † (︁ inp inp inp inp )︁ 휆 out 푥1 푧1 푥푛 푧푛 QGarble(1 , 푄[dist, {퐶푖 , 퐶푖 }푖∈[푛]]), and set 푈enc := 푈garble퐸0 푋 푍 ⊗ · · · ⊗ 푋 푍 ⊗ I . Note (︁ 푥inp 푧inp 푥inp 푧inp )︁ † that (see Online Round 2 of Protocol6) 퐸0 푋 1 푍 1 ⊗ · · · ⊗ 푋 푛 푍 푛 ⊗ I 푈enc := 푈garble. Moreover, circle we can now write 퐶푘 as

(︁ circle circle † circle circle † circle circle )︁ (︁ )︁ circle 푥푘 푧푘 circle 푥푘+1 푧푘+1 circle 푥푛 푧푛 † † 퐶푘 := 푋 푍 퐶푘+1 푋 푍 . . . 퐶푛 푋 푍 푈test 푈garble ⊗ I (퐸0 ⊗ I)

(︁ inp inp inp inp )︁ (︁ † circle circle † circle circle )︁ 푥1 푧1 푥푛 푧푛 circle 푥1 푧1 circle 푥푘−1 푧푘−1 푋 푍 ⊗ · · · ⊗ 푋 푍 ⊗ I (I ⊗ 푈check) 퐶1 푋 푍 . . . 퐶푘−1 푋 푍 .

This switch is perfectly indistinguishable given the fact that in ℋ4, 푈enc is a uniformly random Clifford and in ℋ5, 푈garble is a uniformly random Clifford.

circle • ℋ6: Simulate the quantum garbled circuit. Rather than directly apply 퐶푘 as described above during Offline Round 2, the simulator will do the following. – Apply the first part

(︁ inp inp inp inp )︁ (︁ † circle circle † circle circle )︁ 푥1 푧1 푥푛 푧푛 circle 푥1 푧1 circle 푥푘−1 푧푘−1 푋 푍 ⊗ · · · ⊗ 푋 푍 ⊗ I (I ⊗ 푈check) 퐶1 푋 푍 . . . 퐶푘−1 푋 푍

(︀ N,Z ,T Z ,T ,...,T )︀ to obtain state x inp inp , z test test,1 test,n .

64 inp out – Compute the circuit 푄dist[{퐶푖 , 퐶푖 }푖∈[푛]] on x to obtain output y.

N,Zinp,Tinp (︀ 휆lev )︀ – Compute (x̃︀ , 퐷0, 푔̃︀1,..., 푔̃︀푑) ← QGSim 1 , 푄dist, y . – Apply the final part

(︁ circle circle † circle circle † circle circle )︁ (︁ )︁ 푥푘 푧푘 circle 푥푘+1 푧푘+1 circle 푥푛 푧푛 † † 푋 푍 퐶푘+1 푋 푍 . . . 퐶푛 푋 푍 푈test 푈garble ⊗ I

to state (x̃︀, z).

Note that (퐷0, 푔̃︀1,..., 푔̃︀푑) are later used to simulate 푓̃︀QGC. Indistinguishability of ℋ5 and ℋ6 follows from the security of the quantum garbled circuit.

circle circle • ℋ7: Move the teleportation errors {푥푖 , 푧푖 }푖∈[푛]. Let 푥̂︀1, 푧̂︀1 be such that

푚푖+휆 푘0 Write 푥̂︀1 as 푥̂︀inp,1,..., 푥̂︀inp,푛, 푥̂︀푧, 푥̂︀푡, 푥̂︀test, and same for 푧̂︀1. Here, each 푥̂︀inp,푖 ∈ {0, 1} , 푥̂︀푧 ∈ {0, 1} , 푘푇 푘0+3휆푛 푥̂︀푡 ∈ {0, 1} , and 푥̂︀test ∈ {0, 1} . Let 푥̂︀2, 푧̂︀2 be such that

(︁ inp inp inp inp )︁ † † 푥1 푧1 푥inp,1 푧inp,1 푥푛 푧푛 푥inp,푛 푧inp,푛 푥푡 푧푡 푥푧 푧푧 circle circle 푋 푍 푋̂︀ 푍̂︀ ⊗ · · · ⊗ 푋 푍 푋̂︀ 푍̂︀ ⊗ 푋̂︀ 푍̂︀ ⊗ 푋̂︀ 푍̂︀ ⊗ I (I ⊗ 푈check)퐶1 ··· 퐶푘−1 ,

and the final part of 퐶푘 will be computed as

circle† circle† † (︁ † )︁ 퐶푘+1 . . . 퐶푛 푈test 푈garble ⊗ I .

Moreover, define

푥 푧 – 푈̂︀garble := 푈garble푋̂︀garble 푍̂︀garble , and use 푈̂︀garble in place of 푈garble when simulating 푓̃︀QGC, – 푟̂︀ := 푟 ⊕ 푥̂︀test,푧, and use 푟̂︀ in place of 푟 in Online Round 2,

푇 푇 푥test,푇,푖 푧test,푇,푖 푇 푇 – for each 푖 ∈ [푛], 퐶̂︀푖 := 퐶푖 푋̂︀ 푍̂︀ and use 퐶̂︀푖 in place of 퐶푖 in Online Round 1. 푇 This switch is perfectly indistinguishable. In particular, 푈garble and the 퐶푖 are uniformly random 푇 Cliffords, so adversary will not notice the switch to 푈̂︀garble and 퐶̂︀푖 . Also the 푍-test positions are 푟 푠 randomized with 푋 푍 during computation of 푈check, where 푟 and 푠 are uniformly random, so adversary will not notice the switch to 푟̂︀.

out out ℓ푖+휆 • ℋ8: Introduce new Pauli errors. For each 푖 ∈ [푛], sample 푥푖 , 푧푖 ← {0, 1} . Now, rather than 푥out 푧out 푥out 푧out running QGSim directly on y, run it on 푋 1 푍 1 . . . 푋 푛 푍 푛 (y). Then, for each 푖 ∈ [푛], define out out out out 푥푖 푧푖 out out 퐶̂︀푖 := 퐶푖 푋 푍 , and use 퐶̂︀푖 in place of 퐶푖 in Online Round 2. This switch is perfectly out indistinguishable given that {퐶푖 }푖∈[푛] are uniformly random.

65 out out • ℋ9: Introduce new EPR pairs. Prepare eSim,1, eSim,2 as described in the simulator. Let {푥푖 , 푧푖 }푖∈[푛] now be the result of teleportation errors obtained across these EPR pairs, as described in the simulator. Now, we can delay the computation of

(︁ 푥inp 푧inp 푥 푧 푥inp 푧inp 푥 푧 푥 푧 푥 푧 )︁ 푋 1 푍 1 푋̂︀inp,1 푍̂︀inp,1 ⊗ · · · ⊗ 푋 푛 푍 푛 푋̂︀inp,푛 푍̂︀inp,푛 ⊗ 푋̂︀푡 푍̂︀푡 ⊗ 푋̂︀푧 푍̂︀푧 ⊗ I

inp out N Zinp Tinp and 푄dist[{퐶푖 , 퐶푖 }푖∈[푛]] on state (n , z , t ) to Online Round 2. This distribution is identical to the previous one.

inp 푚푖+휆 • ℋ10: Switch honest party inputs to 0. For each 푖 ∈ ℋ, in Online Round 1, teleport 퐶푖 (0 ) inp 휆 to Party 1, rather than 퐶푖 (x푖, 0 ). Now, during Online Round 2, instead of directly applying inp out inp† inp† 푄dist[{퐶푖 , 퐶푖 }푖∈[푛]] to (n, z, t), this hybrid will do the following. First apply 퐶1 ⊗ · · · ⊗ 퐶푛 to n. Then, swap out the honest party input registers for {x푖}푖∈ℋ, and continue with the computation inp out of 푄dist[{퐶푖 , 퐶푖 }푖∈[푛]] on (n, z, t). ℋ9 is statistically indistinguishable from ℋ10 due to properties of the Clifford authentication code. In particular, since the code is perfectly hiding, the adversary cannot tell that the inputs where switched to 0. Thus the adversary can only distinguish if the output of inp out 푄dist[{퐶푖 , 퐶푖 }푖∈[푛]] differs between ℋ9 and ℋ10. However, if any Clifford authentication test that inp out happens within 푄dist[{퐶푖 , 퐶푖 }푖∈[푛]] fails, then the output is (⊥ ... ⊥). In both ℋ9 and ℋ10, conditioned on these tests passing, the honest party inputs to 푄dist are statistically close to {x푖}푖∈ℋ, due to the authentication property of the Clifford code.

• ℋ11: Query ideal functionality. Consider the EPR pairs halves e푆 sent from party 푘 to party 푘 − 1 in Offline Round 1. In this hybrid, we alter the computation that is performedon e푆 in Offline Round 2 and Online Round 2. First, in Offline Round 2, this hybrid computes

circle† circle† (n, z, t, ztest, ttest,2,..., ttest,푛) := (I ⊗ 푈check)퐶1 ··· 퐶푘−1 (e푆).

Then, z, t are discarded, and ztest, ttest,2,..., ttest,푛 are operated on as in ℋ10. Then, in Online Round 2, this hybrid does the following.

inp inp inp 푥inp,푖 푧inp,푖 – Parse n := (n1,..., n푛). For each 푖 ∈ [푛], compute (x푖, z푖) := 퐶푖 푋푖 푍푖 푋̂︀ 푍̂︀ (n푖) and measure z푖. If any measurements are not all 0, then set (y1,..., y푛) := (⊥, ··· , ⊥). Otherwise, ℓ푖 query the ideal functionality with {x푖}푖∈[푛]∖{ℋ} and let {y푖}푖∈[푛]∖{ℋ} be the output. Set y푖 := 0 for each 푖 ∈ ℋ. out – Sample {퐶푖 ← Cℓ푖+휆}푖∈[푛]. out 휆 out 휆 – Teleport (퐶1 (y1, 0 ), ··· , 퐶푛 (y푛, 0 )) into eSim,1. We also add the following behavior to Output Reconstruction.

out out out – For each 푖 ∈ ℋ, decrypt ct푦,푖 using skQGC to obtain y푖 . Then, compute 퐶̂︀푖 (y푖 ) and measure whether the last 휆 trap qubits are all 0. If not, then send abort푖 to the ideal functionality and otherwise send ok푖.

Observe that one difference between ℋ10 and ℋ11 is that z and t are not used in the computation of C + M circuit 푄dist. Instead, the ideal functionality directly computes 푄 on the inputs. This will result in statistically close outputs if i) the QGC satisfies statistical correctness, ii) z is statistically close to 0⊗푘0 , and iii) the result of applying the distillation circuit to t is statistically close to T⊗푘푇 /휆. Lemma 3.5 implies that the second requirement holds conditioned on the adversary submitting the correct 푟 to the classical MPC in Online Round 1 (and otherwise, all honest parties abort). Lemma 3.3 plus Clifford authentication implies that the third requirement holds conditioned on the honest party 푇 -state checks in Online Round 2 all passing (and if any one of them fails, all honest parties abort). The other difference is that honest party outputs are determined by the ideal functionality’s computation. First, the adversary cannot tell that the honest party outputs are switched to 0 within

66 the quantum garbled circuit, by perfect hiding of the Clifford authentication code (using Cliffords out {퐶푖 }푖∈ℋ). Next, in ℋ10, the adversary cannot make an honest party accept a state noticeably far from their real output y푖, by authentication of the Clifford code. Thus, ℋ11 is statistically close to ℋ10. This completes the proof, as ℋ11 is the simulator described above.

Lemma 9.3. Let Π be the protocol described in Section 9.1 computing some quantum circuit 푄. Then Π satisfies Definition 3.2 for any Adv corrupting parties 푀 ⊂ [푛] where 1 ∈ 푀.

Proof. Assume towards contradiction the existence of a QPT 풟 = {풟휆}휆∈N, a QPT Adv = {Adv휆}휆∈N, and (x1,..., x푛, auxAdv, aux풟) such that ⃒ ⃒ [︀ (︀ (︀ )︀)︀ ]︀ ⃒ Pr 풟휆 aux풟, REALΠ,Q Adv휆, {x푖}푖∈[푛], auxAdv = 1 ⃒ ⃒ [︀ (︀ (︀ )︀)︀ ]︀ ⃒ − Pr 풟휆 aux풟, IDEALΠ,Q Sim휆, {x푖}푖∈[푛], auxAdv = 1 ⃒ ≥ 1/poly(휆). ⃒

Define REAL := REALΠ,Q(Adv휆, {x푖}푖∈[푛], auxAdv) and IDEAL := IDEALΠ,Q(Sim휆, {x푖}푖∈[푛], auxAdv). Fur- circle circle inp inp {푥푖 ,푧푖 ,푥푖 ,푧푖 }푖∈[푛] circle circle inp inp thermore, let EREAL be the event that the parties report teleportation errors {푥푖 , 푧푖 , 푥푖 , 푧푖 }푖∈[푛] circle circle inp inp {푥푖 ,푧푖 ,푥푖 ,푧푖 }푖∈[푛] (abort) (abort) in REAL and define EIDEAL analogously. Let EREAL and EIDEAL be the event that the adversary fails to report some of its teleporation errors, causing the honest parties to abort. The above implies circle circle inp inp that either there exists some {푥푖 , 푧푖 , 푥푖 , 푧푖 }푖∈[푛] such that

⃒ [︂ circle circle inp inp ]︂ [︁ ]︁ ⃒ ⃒ {푥푖 ,푧푖 ,푥푖 ,푧푖 }푖∈[푛] (푥inp,푧inp) ⃒ Pr 풟휆(aux풟, REAL) = 1⃒E Pr E ⃒ REAL REAL [︂ circle circle inp inp ]︂ [︁ ]︁ ⃒ ⃒ {푥푖 ,푧푖 ,푥푖 ,푧푖 }푖∈[푛] (푥inp,푧inp) ⃒ 1 − Pr 풟휆(aux풟, IDEAL) = 1⃒E Pr E ⃒ ≥ IDEAL IDEAL ⃒ poly(휆)(22푛푣+2푚 + 1) or that ⃒ ⃒ [︁ ⃒ (abort)]︁ [︁ (abort)]︁ ⃒ Pr 풟휆(aux풟, REAL) = 1⃒E Pr E ⃒ REAL REAL ⃒ [︁ ⃒ (abort)]︁ [︁ (abort)]︁ ⃒ 1 − Pr 풟휆(aux풟, IDEAL) = 1⃒E Pr E ⃒ ≥ . IDEAL IDEAL ⃒ poly(휆)(22푛푣+2푚 + 1)

Simulating the distribution conditioned on an abort is trivial, so the second case cannot occur, and the first case immediately contradicts Lemma 9.2, completing the proof.

9.2.2 Case 2: 푃1 is the only honest party Simulator. The simulator will act as party 1 and maintain the classical MPC oracle. It will compute MPC honestly throughout, and will compute honest party 1 actions throughout except for what is described below.

• Online Round 1. Rather than Clifford-encoding and teleporting in 푃1’s input x1, the simulator will inp ℓ1+휆 teleport 퐶1 (0 ).

• Online Round 2. Rather than homomorphically evaluating the quantum garbled circuit (푈garble, 퐷0, 푔̃︀1,..., 푔̃︀푑) on its encrypted state y, the simulator will run the following computation (homomorphically) on y.

† – Compute (n1,..., n푛, z, t) := 퐸0푈garble(y), where (n1,..., n푛) are the parties’ Clifford-encoded inputs.

67 inp† – For each 푖 ∈ [푛], compute (x푖, z푖) := 퐶푖 (n푖) and measure z푖. If any measurements are not all 0, then set (y1,..., y푛) := (⊥, ··· , ⊥). Otherwise, query the ideal functionality with {x푖}푖∈[2,...,푛] and let {y푖}푖∈[2,...,푛] be the output.

out out 휆 out out ℓ1+휆 – For each 푖 ∈ [2, . . . , 푛] set y푖 := 퐶푖 (y푖, 0 ), set y1 := 퐶1 (0 ), and continue as the honest party 1.

Lemma 9.4. Let Π be the protocol described in Section 9.1 computing some quantum circuit 푄. Then Π satisfies Definition 3.2 for any Adv corrupting parties [2, . . . , 푛].

inp out • ℋ1 : Directly compute 푄dist[{퐶푖 , 퐶푖 }] in place of garbled circuit evaluation During Online Round 2, † inp out this hybrid computes (n1,..., n푛, z, t) := 퐸0푈garble(y) and then applies 푄dist[{퐶푖 , 퐶푖 }] to produce out out outputs (y1 ,..., y푛 ). Statistical indistinguishability follows from the statistical correctness of the QGC, and statistical ciphertext re-randomization of QMFHE.

inp out • ℋ3 : Query ideal functionality During Online Round 2, this hybrid computes 푄dist[{퐶푖 , 퐶푖 }] as described in the simulator, by using the ideal functionality to compute 푄. This switch is statistically indistinguishable as long as i) z is statistically close to 0⊗푘0 (which follows from Lemma 3.5), and ii) the result of applying the distillation circuit to t to statistically close to T⊗푘푇 /휆 (which follows from Lemma 3.3, as 푃1 checks its own subset of T state). This hybrid is the simulator, completing the proof.

10 Two Rounds Without Pre-Processing: Challenges and Possi- bilities 10.1 An Oblivious Simulation Barrier for Two Round Protocols We begin with our negative result showing that any two-round 2PQC protocol with an oblivious simulator supporting general quantum functionalities would imply new protocols for the setting of instantaneous non- local quantum computation [Vai03, BK11, Spe16, GC20].

Instantaneous Non-local Quantum Computation. Instantaneous non-local quantum computation of a unitary 푈 on 푛퐴 + 푛퐵 qubits is an information-theoretic task where parties 퐴 and 퐵, who may share some initial entangled quantum state, receive as input quantum states x퐴, x퐵 and wish to compute the functionality 푈(x퐴, x퐵) = (y퐴, y퐵) with only one round of simultaneous communication. For a family of

unitaries {푈휆}휆∈N on {푛퐴,휆 +푛퐵,휆}휆∈N qubits, we say that an instantaneous non-local quantum computation protocol must satisfy the following properties:

′ ′ • Correctness. For all input states (x퐴,휆, x퐵,휆), the joint outputs (y퐴,휆, y퐵,휆) obtained by 퐴 and ′ ′ 퐵 after engaging in the protocol are such that (y퐴,휆, y퐵,휆) ≈푠 (y퐴,휆, y퐵,휆), where (y퐴,휆, y퐵,휆) := 푈휆(x퐴,휆, x퐵,휆). • Efficiency. The size of the entangled quantum state initially shared by 퐴 and 퐵 in the protocol for computing 푈휆 is bounded by some polynomial in 휆 (note that the running time of 퐴 or 퐵 in the protocol does not need to be polynomial).

68 Conjecture 1. There exists a family of efficiently-computable unitaries {푈휆}휆∈N for which no correct and efficient instantaneous non-local quantum computation protocol exists. As noted in the introduction, the best known instantaneous non-local quantum computation protocols for general functionalities on 푛-qubit inputs for 푛 > 2 require exponentially many EPR pairs in both 푛 and in log(1/휖), where 휖 is the desired correctness error [BK11]. Moreover, there has been recent progress on proving lower bounds for particular classes of unitaries [GC20]. While current lower bounds on the size of input-independent pre-processing are linear in the number of input qubits, the current state of the art leaves open the possibility that exponentially-many EPR pairs are necessary for general functionalities. To the best of the authors’ knowledge, known results give no indication as to whether Conjecture1 is more likely to be true or false. Nevertheless, the fact that it remains unresolved provides some indication that positive progress on two-round 2PQC with oblivious simulation will require new ideas.

Two-Round 2PQC in the CRS Model. Consider a generic two-round two-party protocol for computing an arbitrary functionality 푈 in the (classical) CRS model assuming simultaneous messages. Such a protocol is described by the algorithms (퐴1, 퐴2, 퐴3, 퐵1, 퐵2, 퐵3) where 퐴1, 퐴2, 퐴3 are (respectively) Alice’s first message algorithm, second message algorithm, and output reconstruction algorithm (and likewise for Bob with 퐵1, 퐵2, 퐵3). As usual, Alice’s input is x퐴 and Bob’s input is x퐵. They compute a unitary 푈 and obtain 푈(x퐴, x퐵) = (y퐴, y퐵) where y퐴 and y퐵 are their respective outputs. We stress that since this model does not allow pre-processing, Alice and Bob may not share entanglement before receiving their inputs. An execution of such a two-round protocol proceeds as follows:

1. Setup. Run crs ← Gen.

(퐴) (퐴) 2. Round 1. Alice and Bob generate their first round messages and leftover states as (m1 , st1 ) ← (퐵) (퐵) 퐴1(crs, x퐴) and (m1 , st1 ) ← 퐵1(crs, x퐵). They send their messages to each other, which has the (퐴) (퐵) effect of interchanging/swapping m1 and m1 .

(퐴) (퐴) 3. Round 2. Alice and Bob generate their second round message and leftover states as (m2 , st2 ) ← (퐴) (퐵) (퐵) (퐵) (퐵) (퐴) 퐴2(st1 , m1 ) and (m2 , st2 ) ← 퐵2(st1 , m1 ). They send their messages to each other, which (퐴) (퐵) swaps m2 and m2 .

(퐴) (퐵) (퐵) (퐴) 4. Output. y퐴 ← 퐴3(st2 , m2 ) and y퐵 ← 퐵3(st2 , m2 ).

Oblivious Simulation. We now define a natural class of black-box, straight-line simulators that wecall oblivious simulators. Recall that a simulator is black-box if it only makes query access to the attacker (and does not need the code/state of the attacker), and is straight-line if it only runs a single time in the forward direction. The defining property of an oblivious simulator is that it learns which player (outof 퐴 or 퐵) is corrupted only after it has generated (and committed to) a simulated CRS. No matter which party is corrupted, such a simulator must use its committed CRS to generate a view for the corrupt party that is computationally indistinguishable from the party’s view in the real world. As discussed in Section 2.9, a negative result for oblivious simulation demonstrates that a natural strategy for constructing two-round two-party computation in the classical setting does not extend to the quantum setting. The following definition specifies the additional requirements for a simulator to be “oblivious”; an oblivious simulator must still satisfy the standard real/ideal indistinguishability notion in Definition 3.2, which we will not repeat here. Definition 10.1 (Syntactic Requirements for Oblivious Simulation). A simulator for a two-round two-party quantum computation protocol in the classical CRS model is oblivious if it can be described by a tuple of algo- (퐴) (퐵) (퐴) (퐴) (퐴) (퐴) (퐵) (퐵) (퐵) (퐵) rithms (Sim0, Sim , Sim ) where Sim = (Sim1 , Sim2 , Sim3 ) and Sim = (Sim1 , Sim2 , Sim3 ), simulation proceeds as follows.

69 (Sim) (Sim) 1. The simulator runs (crs, st0 ) ← Sim0 to generate the CRS and leftover simulator state st0 . Next, the simulator “learns” whether it should simulate the view of party 퐴 or party 퐵. If the simulator is (퐴) (퐴) (퐴) (퐴) simulating the view of party 퐴, it proceeds using Sim = (Sim1 , Sim2 , Sim3 ), and if it is simulating (퐵) (퐵) (퐵) (퐵) the view of party 퐵, it proceeds with Sim = (Sim1 , Sim2 , Sim3 ). We write out the case for simulating the view of party 퐴 below (the case for party 퐵 is identical).

(퐵) (Sim) (퐴) (Sim) 2. (m1 , st1 ) ← Sim1 (st0 ) (퐵) (퐴) Then query 퐴1 on (crs, m1 ) and receive m1 .

(Sim) (퐴) (Sim) (퐴) 3. (x퐴, st2 ) ← Sim2 (st1 , m1 ) Then query the ideal functionality on x퐴 and receive y퐴

(퐵) (퐴) (Sim) 4. m2 ← Sim3 (st2 , y퐴) (퐵) Then query 퐴2 on m2 . In short, for an oblivious simulator, the distribution of the simulated CRS is completely independent of whether 퐴 is corrupt or 퐵 is corrupt. Moreover, because the simulator is straight-line, it is possible to (︁ (Sim,퐴) (Sim,퐵))︁ define a (possibly inefficient) algorithm Simcomb that computes crs, st1 , st1 , where each of the two simulator states computed is with respect to the same classical crs. This can be done for example by running many iterations of Sim0 until two of them output the same classical crs. Thus, one would obtain a “first-round-only” simulator with the following syntax for the first round:

(︁ (Sim,퐴) (Sim,퐵))︁ 1. crs, st1 , st1 ← Simcomb. (퐴) (퐵) (send crs to 퐴1 and receive m1 and send crs to 퐵1 and receive m1 )

(Sim,퐴) (퐴) (Sim,퐴) (퐴) 2. (x퐴, st2 ) ← Sim2 (st1 , m1 ). Then send x퐴 to the ideal functionality and receive y퐴

(Sim,퐵) (퐵) (Sim,퐵) (퐵) 3. (x퐵, st2 ) ← Sim2 (st1 , m1 ). Then send x퐵 to the ideal functionality and receive y퐵

Non-Local Computation from Two-Round 2PQC with Oblivious Simulation. We now describe how to turn two-round 2PQC for general functionalities with oblivious simulation (in the CRS model) into an instantaneous non-local quantum communication protocol. In the following theorem, we will only make use of the “first-round-only” simulator discussed above. Theorem 10.2. Assuming Conjecture1, there does not exist a two-round two-party quantum computation protocol for general functionalities in the classical CRS model, with an oblivious simulator.11

Proof. Given any family of unitaries 푈 = {푈휆}휆∈N on {푛퐴,휆 +푛퐵,휆}휆∈N qubits promised by Conjecture1, we define the functionality C-SWAP-U = {C-Swap-U휆}휆∈N as follows. C-SWAP-U휆 takes a (푛퐴,휆 + 푛퐵,휆)-qubit state (x퐴, x퐵) as input along with an additional two classical bits of input 푧퐴, 푧퐵. If 푧퐴 ⊕ 푧퐵 = 0, it applies 푈휆 to (x퐴, x퐵) to produce (y퐴, y퐵), and then swaps the output states, outputting (y퐵, y퐴). If 푧퐴 ⊕ 푧퐵 = 1, it simply swaps the input states, outputting (x퐵, x퐴). In what follows, we will show that any two-round two- party quantum computation protocol for C-SWAP-U implies a correct and efficient instantaneous non-local quantum computation protocol for 푈, violating Conjecture1. Consider the oblivious simulator for the protocol computing C-SWAP-U. We will only be interested in the simulated first round and subsequent input extraction. We will not be concerned with simulating the second round at all. Furthermore, we will only care about simulating the view of a specific type of adversary:

11A previous version of this work incorrectly claimed an unconditional version of this theorem. We thank Mi-Ying Huang as well as anonymous reviewers for pointing this issue out to us.

70 one that simply runs the honest 퐴 (resp. 퐵) algorithm. Such an “adversary” does not rush, i.e. the first (퐵) message algorithm of the (honestly behaving) adversary is independent of 퐵’s first round message m1 . Therefore for simplicity we will suppress mention of this message being generated by the simulator (since we are also not concerned with simulation of the second round). Now, we will combine the “first-round-only” simulator discussed above with the first-message algorithms of parties 퐴 and 퐵 to produce the following algorithm 푈extract (which can be written as a unitary), which will * be applied to (x퐴, x퐵) (tensored with sufficiently many 0 states, which we write as 0 ). Technically, 푈extract is a family of unitaries parameterized by the security parameter 휆, and the inputs (x퐴, x퐵) are families of input states, though for simplicity we will drop the explicit indexing by 휆. * 푈extract, on input (x퐴, x퐵, 0 ) works as follows:

(︁ (Sim,퐴) (Sim,퐵))︁ 1. Compute crs, st1 , st1 ← Simcomb.

(퐴) (퐴) 2. Compute (m1 , st1 ) ← 퐴1(x퐴, crs).

(퐵) (퐵) 3. Compute (m1 , st1 ) ← 퐵1(x퐵, crs).

′ (Sim,퐴) (퐴) (Sim,퐴) (퐴) 4. Compute (x퐴, st2 ) ← Sim2 (st1 , m1 ).

′ (Sim,퐵) (퐵) (Sim,퐵) (퐵) 5. Compute (x퐵, st2 ) ← Sim2 (st1 , m1 ).

′ ′ (퐴) (퐵) (Sim,퐴) (Sim,퐵) 6. Output (x퐴, x퐵, st1 , st1 , st2 , st2 ).

Now, we show that for any pair of pure states (x퐴, x퐵) that can be deterministically efficiently generated (i.e. can be generated by applying an efficient unitary to 0 states), the (traced out) portion of * ′ ′ ′ 푈extract(x퐴, x퐵, 0 ) consisting of (x퐴, x퐵) is statistically close to (x퐴, x퐵). First, we argue that x퐴 ≈푠 x퐴. Recall that regardless of 퐴’s classical input bit 푧퐴, there is always a possibility that, depending on 퐵’s classical input bit 푧퐵, the functionality computed will simply be swapping x퐴 and x퐵 (from the definition ′ of our C-SWAP-U unitary). In this case, the value x퐴 queried by Sim to the ideal functionality will be ′ forwarded to 퐵 as its output in the simulated world. 퐵’s output in the real world is x퐴, and thus x퐴 ≈푠 x퐴, since otherwise the real and ideal worlds would be distinguishable by the measurement {x퐴, I − x퐴}; note that projecting onto x퐴 can be performed efficiently since x퐴 is a (deterministically) efficiently generated ′ pure state. An identical argument shows that x퐵 ≈푠 x퐵. Now, we can apply Lemma 10.3 below to 푈extract; since the above argument applies to the case where x퐴, x퐵 are deterministically efficiently generated pure states, it in particular applies to the states required by Lemma 10.3 (i.e. all computational basis states and all uniform superpositions of two computational basis states). Lemma 10.3 applied to 푈extract allows us to conclude that for any input state (x퐴, x퐵), the states (퐴) (퐵) (Sim,퐴) (Sim,퐵) (st1 , st1 , st2 , st2 ) are (statistically) independent of (x퐴, x퐵). This fact can be used to design a correct and efficient instantaneous non-local quantum computation protocol for 푈, as described below.

′ ′ (퐴) (퐵) (Sim,퐴) (Sim,퐵) ′ • Setup: Execute 푈extract on all 0 states to produce (0 , 0 , st1 , st1 , st2 , st2 ), where 0 ′ ′ (퐵) (Sim,퐴) denotes a state that is statistically indistinguishable from 0. Discard (0 , 0 ), send (st1 , st2 ) to (퐴) (Sim,퐵) party 퐴, and send (st1 , st2 ) to party 퐵.

• Party 퐴, on input x퐴, does the following.

(Sim,퐴) (퐴) (퐴)† (Sim,퐴) 1. Compute (st1 , m1 ) := Sim2 (x퐴, st2 ). (퐵) (퐵) (퐵) (퐴) 2. Compute (m2 , st2 ) ← 퐵2(st1 , m1 ). (퐵) 3. Send m2 .

• Party 퐵, on input x퐵, does the following.

71 (Sim,퐵) (퐵) (퐵)† (Sim,퐵) 1. Compute (st1 , m1 ) := Sim2 (x퐴, st2 ). (퐴) (퐴) (퐴) (퐵) 2. Compute (m2 , st2 ) ← 퐴2(st1 , m1 ). (퐴) 3. Send m2 . (퐵) (퐴) • Party 퐴 computes and outputs y퐵 ← 퐵3(st2 , m2 ). (퐴) (퐵) • Party 퐵 computes and outputs y퐴 ← 퐴3(st2 , m2 ). Observe that the above protocol produces a transcript that is statistically close to the transcript between an honest 퐴 and 퐵. Fix 퐴 and 퐵’s classical inputs 푧퐴, 푧퐵 to be such that 푧퐴 ⊕ 푧퐵 = 0. Since 퐴 is receiving 퐵’s output and 퐵 is receiving 퐴’s output, the parties are then computing a statistically close approximation to 푈(x퐴, x퐵) in one round of online communication. The size of the initial entangled state held by 퐴 and 퐵 is bounded by the size of the honest 퐴 and 퐵 algorithms and the size of the simulator algorithms, which are all polynomial-size. Thus, the above is a correct and efficient instantaneous non-local quantum computation protocol for computing 푈.

Lemma 10.3. Let 푈 AB be a unitary over registers A, B, and suppose that there exists 휖 between 0 and 1 such that for any |푥⟩A that is (the density matrix of) either a computational basis state |푖⟩, or a uniform superposition of two computational basis states √1 | ⟩ |푖⟩ , 2 ( 0 + )

⃒ AB A B A⃒ ⃒TrB(푈 (|푥⟩ ⊗ |0⟩ )) − |푥⟩ ⃒ ≤ 휖. ⃒ ⃒1 B A Then there exists a constant 훿 > 0 and a pure state |푦⟩ such that for every state |푥⟩ ,

⃒ A B A B ⃒ ⃒푈 AB(|푥⟩ ⊗ |0⟩ ) − (|푥⟩ ⊗ |푦⟩ )⃒ ≤ 휖훿. ⃒ ⃒1 A Proof. If 푈 AB satisfies the conditions of the lemma statement, then for any computational basis state |푖⟩ B on the A registers, there exists a pure state |푦푖⟩ and a polynomial poly(·) such that

⃒ AB A B A B ⃒ ⃒푈 (|푖⟩ ⊗ |0⟩ ) − (|푖⟩ ⊗ |푦푖⟩ )⃒ ≤ poly(휖). ⃒ ⃒1 B Moreover, for each 푖 there must exist a state |푦0,푖⟩ such that ⃒ (︂ )︂ (︂ )︂⃒ ⃒ AB 1 A A B 1 A A B ⃒ ⃒푈 √ (|0⟩ + |푖⟩ ) ⊗ |0⟩ − √ (|0⟩ + |푖⟩ ) ⊗ |푦0,푖⟩ ⃒ ≤ poly(휖). ⃒ 2 2 ⃒1 By linearity, we also have that ⃒ (︂ )︂ (︂ )︂⃒ ⃒ AB 1 A A B 1 A B 1 A B ⃒ ⃒푈 √ (|0⟩ + |푖⟩ ) ⊗ |0⟩ − √ (|0⟩ ⊗ |푦0⟩ ) + √ (|푖⟩ ⊗ |푦푖⟩ ) ⃒ ≤ poly(휖). ⃒ 2 2 2 ⃒1 B B B This implies that for each 푖, |푦0,푖⟩ is within poly(휖) trace distance of both |푦0⟩ and |푦푖⟩ , which means B B B that |푦0⟩ is within poly(휖) trace distance of |푦푖⟩ . Thus, |푦0⟩ satisfies the condition in the lemma statement, A ∑︀ A since for an arbitrary state |푥⟩ = 푖 훼푖 |푖⟩ , we have that ⃒ (︃ )︃ ⃒ ⃒ ⃒ ⃒ AB ∑︁ A B ∑︁ A B ⃒ ⃒푈 훼푖 |푖⟩ ⊗ |0⟩ − 훼푖(|푖⟩ ⊗ |푦푖⟩ )⃒ ≤ poly(휖), ⃒ 푖 푖 ⃒1 which implies that ⃒ (︃ )︃ ⃒ ⃒ ⃒ ⃒ AB ∑︁ A B A B ⃒ ⃒푈 훼푖 |푖⟩ ⊗ |0⟩ − (|푥⟩ ⊗ |푦0⟩ )⃒ ≤ poly(휖). ⃒ 푖 ⃒1

72 10.2 A Two-Round Protocol from Quantum VBB Obfuscation In what follows, we describe a two-round two-party protocol in the common reference string model, assuming the existence of a (strong form of) VBB obfuscation of quantum circuits. We note that it is straightforward to adapt this protocol to the multi-party setting. However, the main idea is already present in the two-party case, so for simplicity we describe only this case.

10.2.1 VBB Obfuscation of Quantum Circuits We consider virtual black-box obfuscation of quantum circuits, which was defined (and shown to be impossible in general) by [AF16]. In fact, we consider a potentially stronger version than that given by [AF16], who only consider VBB obfuscation of unitaries. We consider quantum functionalities 푄 from 푛 qubits to 푛 qubits that include not just unitary gates, but also measurement gates, and unitary gates that may be classically controlled on the outcome of the measurement gates. While one can always push any measurement to the end of the computation so that the circuit becomes unitary, doing so would not necessarily preserve the security of obfuscation, as it would introduce new auxiliary input registers that a malicious evaluator may initialize in a non-zero state. Thus, obfuscation for unitary + measurement circuits is potentially stronger than obfuscation for unitaries. We model black-box access to a unitary+measurement circuit as an oracle that accepts a quantum state on 푛 registers, manipulates it according to 푄, and returns those same 푛 registers. We allow the obfuscation itself to be either a quantum circuit with a purely classical description, or a quantum circuit along with some quantum state. We refer to this obfuscation as 풪(푄), and write 풪(푄)(x) to indicate evaluation of the obfuscation on an 푛-qubit input x, with the understanding that this operation may either be directly applying a quantum circuit to x, or first augmenting x with additional registers, applying a circuit to the expanded system, and then discarding the extra registers.

Definition 10.4 (Quantum VBB Obfuscation). Let {풬푛}푛∈N be a family of polynomial-size quantum circuits, where each 푄 ∈ 풬푛 maps 푛 qubits to 푛 qubits. A quantum black-box obfuscator 풪 is a quantum algorithm that takes as input an input length 푛 ∈ N, a security parameter 휆 ∈ N, and a quantum circuit 푄, and outputs an obfuscated quantum circuit. 풪 should satisfy the following properties.

푛 휆 • Polynomial expansion: for every 푛, 휆 ∈ N and 푄 ∈ 풬푛, the size of 풪(1 , 1 , 푄) is at most poly(푛, 휆). 푛 휆 • Functional equivalence: for every 푛, 휆 ∈ N, 푄 ∈ 풬푛, and x on 푛 qubits, 풪(1 , 1 , 푄)(x) ≈푠 푄(x). • Virtual black-box: for every (non-uniform) QPT Adv, there exists a (non-uniform) QPT 풮 such that for each 푛 ∈ N and 푄 ∈ 풬푛, ⃒ 푛 휆 푄 푛 휆 ⃒ ⃒Pr[Adv(풪(1 , 1 , 푄)) = 1] − Pr[풮 (1 , 1 ) = 1]⃒ = negl(휆).

We now make a few remarks on the definition that will allow us to simplify the constructions givenin the next section.

• We will consider functionalities that discard, or trace out, some subset of registers. In order to implement this with a circuit from 푛 qubits to 푛 qubits, we can have the functionality measure the subset of qubits to be traced out and then “randomize” the outcomes (since we don’t want the evaluator to know these measurement results) by applying Hadamard to each register and measuring again. Thus, we will consider obfuscation of functionalities from 푛 qubits to 푚 ≤ 푛 qubits. • We will consider functionalities represented by quantum circuits that require the use of auxiliary 0 states. We do not want the evaluator to be able to run such a functionality using non-zero auxiliary states, so we’ll have the functionality first measure any auxiliary states input by the evaluator. Ifall measurements are 0, then the circuit will be run on the all registers, otherwise the functionality can “abort” by discarding all registers as explained above. Thus, we will suppress mention of auxiliary input registers, and assume the functionality has access to any auxiliary 0 states that it needs.

73 • We will consider functionalities that can sample classical bits uniformly at random. This can be accomplished by applying Hadamard to a 0 state and measuring. Note that this is a uniquely quantum phenomenon - one cannot obfuscate classical circuits that produce their own randomness.

10.2.2 The Protocol We present a two-round protocol for two-party quantum computation in the common reference string model. Let 푄 be the two-party quantum functionality to be computed, and assume for simplicity that it takes 푛 qubits from each party and outputs 푛 qubits to each party. The common reference string will consist of obfuscations of six quantum functionalities

(푏) (푏) (푏) (푏) ℱ퐴,inp, ℱ퐵,inp, ℱ퐴,cmp, ℱ퐵,cmp, ℱ퐴,out, ℱ퐵,out, three to be used by each party. Each functionality has hard-coded some subset of 8 PRF keys

(퐴,퐴) (퐴,퐵) (퐵,퐴) (퐵,퐵) (퐴,퐴) (퐴,퐵) (퐵,퐴) (퐵,퐵) 푘inp , 푘inp , 푘inp , 푘inp , 푘out , 푘out , 푘out , 푘out .

(·,·) We take each PRF(푘inp , ·) to be a mapping from a 휆-bit string to a classical description of a Clifford 퐶 ∈ C푛+휆. Each PRF key is used in two of the six obfuscated circuits, and the pair of letters in the superscript refers to the identity of the party associated with the first obfuscation it is used in, followed by the identify ofthe party associated with the second obfuscation it is used in. (푏) (푏) (푏) (푏) Below we describe only ℱ퐴,inp, ℱ퐴,cmp, and ℱ퐴,out since ℱ퐵,inp, ℱ퐵,cmp, and ℱ퐵,out are defined exactly the same with 퐴 and 퐵 switched.

(푏) [︁ (퐴,퐴) (퐴,퐵)]︁ • ℱ퐴,inp 푘inp , 푘inp :

1. Take as input (x퐴, d퐴) which consists of 퐴’s input x퐴 on 푛 qubits and a “dummy” input d퐴 on 푛 qubits. (퐴,퐴) (퐴,퐵) 휆 2. Sample classical strings 푟inp , 푟inp ← {0, 1} . (퐴,퐴) (퐴,퐴) (퐴,퐴) (퐴,퐵) (퐴,퐵) (퐴,퐵) 3. Compute 퐶inp := PRF(푘inp , 푟inp ), 퐶inp := PRF(푘inp , 푟inp ). 4. Output ⎧(︁ (퐴,퐴) (퐴,퐴) 휆 (퐴,퐵) (퐴,퐵) 휆 )︁ ⎨ 푟inp , 퐶inp (x퐴, 0 ), 푟inp , 퐶inp (d퐴, 0 ) if 푏 = 0 . (︁ (퐴,퐴) (퐴,퐴) 휆 (퐴,퐵) (퐴,퐵) 휆 )︁ ⎩ 푟inp , 퐶inp (d퐴, 0 ), 푟inp , 퐶inp (x퐴, 0 ) if 푏 = 1

[︁ (퐴,퐴) (퐵,퐴) (퐴,퐴) (퐴,퐵)]︁ • ℱ퐴,cmp 푄, 푘inp , 푘inp , 푘out , 푘out :

(︁ (퐴,퐴) (퐵,퐴) )︁ 1. Take as input 푟inp , x̂︀퐴, 푟inp , x̂︀퐵 , where x̂︀퐴 and x̂︀퐵 are (푛 + 휆)-qubit states. (퐴,퐴) (퐴,퐴) (퐴,퐴) (퐵,퐴) (퐵,퐴) (퐵,퐴) 2. Compute 퐶inp := PRF(푘inp , 푟inp ), 퐶inp := PRF(푘inp , 푟inp ). (퐴,퐴) 3. Compute 퐶inp (x̂︀퐴) and measure the final 휆 qubits. If each is zero, let x퐴 be the remaining 푛-qubit state. Otherwise, abort. (퐵,퐴) 4. Compute 퐶inp (x̂︀퐵) and measure the final 휆 qubits. If each is zero, let x퐵 be the remaining 푛-qubit state. Otherwise, abort.

5. Compute (y퐴, y퐵) := 푄(x퐴, x퐵). (퐴,퐴) (퐴,퐵) 휆 6. Sample classical strings 푟out , 푟out ← {0, 1} . (퐴,퐴) (퐴,퐴) (퐴,퐴) (퐴,퐵) (퐴,퐵) (퐴,퐵) 7. Compute 퐶out := PRF(푘out , 푟out ), 퐶out := PRF(푘out , 푟out ). 8. Output (︁ (퐴,퐴) (퐴,퐴) 휆 (퐴,퐵) (퐴,퐵) 휆 )︁ 푟out , 퐶out (y퐴, 0 ), 푟out , 퐶out (y퐵, 0 ) .

74 (푏) [︁ (퐴,퐴) (퐵,퐴)]︁ • ℱ퐴,out 푘out , 푘out :

(︁ (퐴,퐴) (0) (퐵,퐴) (1))︁ (0) (1) 1. Take as input 푟out , ŷ︀퐴 , 푟out , ŷ︀퐴 , where ŷ︀퐴 and ŷ︀퐴 are (푛 + 휆)-qubit states. (퐴,퐴) (퐴,퐴) (퐴,퐴) (퐵,퐴) (퐵,퐴) (퐵,퐴) 2. Compute 퐶out := PRF(푘out , 푟out ), 퐶out := PRF(푘out , 푟out ). (퐴,퐴) (0) (0) 3. Compute 퐶out (ŷ︀퐴 ) and measure the final 휆 qubits. If each is zero, let y퐴 be the remaining 푛-qubit state. Otherwise, abort. (퐵,퐴) (1) (1) 4. Compute 퐶out (ŷ︀퐴 ) and measure the final 휆 qubits. If each is zero, let y퐴 be the remaining 푛-qubit state. Otherwise, abort. (푏) 5. Output y퐴 .

Now we are ready to describe the protocol.

75 Protocol8

Common Information: Quantum circuit 푄 to be computed with 2푛 input qubits and 2푛 output qubits.

Party A Input: x퐴 Party B Input: x퐵

The Protocol: Setup.

(퐴,퐴) (퐴,퐵) (퐵,퐴) (퐵,퐵) (퐴,퐴) (퐴,퐵) (퐵,퐴) (퐵,퐵) 1. Sample 8 PRF keys 푘inp , 푘inp , 푘inp , 푘inp , 푘out , 푘out , 푘out , 푘out . 2. Publish the following obfuscations:

(︁ (1) [︁ (퐴,퐴) (퐴,퐵)]︁)︁ (︁ (0) [︁ (퐵,퐵) (퐵,퐴)]︁)︁ 풪퐴,inp := 풪 ℱ퐴,inp 푘inp , 푘inp , 풪퐵,inp := 풪 ℱ퐵,inp 푘inp , 푘inp (︁ [︁ (퐴,퐴) (퐵,퐴) (퐴,퐴) (퐴,퐵)]︁)︁ 풪퐴,cmp := 풪 ℱ퐴,cmp 푄, 푘inp , 푘inp , 푘out , 푘out ,

(︁ [︁ (퐵,퐵) (퐴,퐵) (퐵,퐵) (퐵,퐴)]︁)︁ 풪퐵,cmp := 풪 ℱ퐵,cmp 푄, 푘inp , 푘inp , 푘out , 푘out ,

(︁ (1) [︁ (퐴,퐴) (퐵,퐴)]︁)︁ (︁ (0) [︁ (퐵,퐵) (퐴,퐵)]︁)︁ 풪퐴,out := 풪 ℱ퐴,out 푘out , 푘out , 풪퐵,out := 풪 ℱ퐵,out 푘out , 푘out .

Round 1. Party 퐴:

푛 푛 1. Compute (푠푡퐴,1, st퐴,1, 푚퐴,1, m퐴,1) ← 풪퐴,inp(x퐴, 0 ), where 0 is the “dummy input”.

2. Send to Party 퐵: (푚퐴,1, m퐴,1). Party 퐵:

푛 푛 1. Compute (푠푡퐵,1, st퐵,1, 푚퐵,1, m퐵,1) ← 풪퐵,inp(x퐵, 0 ), where 0 is the “dummy input”.

2. Send to Party 퐴: (푚퐵,1, m퐵,1). Round 2. Party 퐴:

1. Compute (푠푡퐴,2, st퐴,2, 푚퐴,2, m퐴,2) ← 풪퐴,cmp(푠푡퐴,1, st퐴,1, 푚퐵,1, m퐵,1).

2. Send to Party 퐵: (푚퐴,2, m퐴,2). Party 퐵:

1. Compute (푠푡퐵,2, st퐵,2, 푚퐵,2, m퐵,2) ← 풪퐵,cmp(푠푡퐵,1, st퐵,1, 푚퐴,1, m퐴,1).

2. Send to Party 퐴: (푚퐵,2, m퐵,2). Output Reconstruction.

• Party 퐴: Compute y퐴 ← 풪퐴,out(푠푡퐴,2, st퐴,2, 푚퐵,2, m퐵,2).

• Party 퐵: Compute y퐵 ← 풪퐵,out(푠푡퐵,2, st퐵,2, 푚퐴,2, m퐴,2).

Figure 8: Two-round two-party quantum computation.

76 Theorem 10.5. Assuming quantum VBB obfuscation (Definition 10.4), the protocol described in Protocol8 satisfies security against a malicious 퐴 and malicious 퐵.

Proof. (Sketch) First observe where the computation is taking place in an honest execution of the protocol. In the first round, 퐴 executes 풪퐴,inp and sends a Clifford encoding of its input x퐴 to 퐵, while 퐵 executes 푛 풪퐵,inp and sends a Clifford encoding of its dummy input 0 to 퐴 while keeping a Clifford encoding of its input x퐵 in its state. In the second round, 퐵 executes 풪퐵,cmp to produce a Clifford encoding of the output (y퐴, y퐵), while 퐴 executes 풪퐴,cmp to produce a Clifford encoding of a dummy output. 퐵 sends the encoding of y퐴, which is decrypted by 퐴 using 풪퐴,out and 퐵 decrypts its output y퐵 using 풪퐵,out. Now note that it is straightforward to perfectly simulate a malicious 퐴. The simulator can sample the CRS (so in particular it knows all the PRF keys) and then emulate an honest 퐵, receiving 퐴’s encoded input, decrypting it, evaluating the circuit, and finally encoding 퐴’s output and sending it back. Now consider sampling the CRS to be obfuscations of the functionalities

(0) (1) (0) (1) ℱ퐴,inp, ℱ퐵,inp, ℱ퐴,cmp, ℱ퐵,cmp, ℱ퐴,out, ℱ퐵,out.

This only differs from the real protocol in the superscript 푏 values of the inp and out functionality. However, this completely reverses the flow of computation in an honest execution of the protocol. Now, 퐴 is computing the functionality on the actual inputs, while 퐵 is computing on the dummy inputs. Thus with this sampling of the CRS, it is straightforward to perfectly simulate a malicious 퐵. It remains to show that these two methods of sampling the CRS are computationally indistinguishable. Consider an adversary that can distinguish obfuscations of

(1) (0) (1) (0) ℱ퐴,inp, ℱ퐵,inp, ℱ퐴,cmp, ℱ퐵,cmp, ℱ퐴,out, ℱ퐵,out from obfuscations of (0) (1) (0) (1) ℱ퐴,inp, ℱ퐵,inp, ℱ퐴,cmp, ℱ퐵,cmp, ℱ퐴,out, ℱ퐵,out. By the security of (our strong form of) VBB obfuscation, such an adversary implies a distinguisher that is only given oracle access to these functionalities. Now, since this distinguisher only has oracle access to the PRFs, one can replace them with truly random functions. At this point, due to the perfect hiding of the Clif- (0) (1) ford code, an adversary cannot obtain any information from the outputs of (ℱ퐴,inp, ℱ퐵,inp, ℱ퐴,cmp, ℱ퐵,cmp), except with negligible probability (this non-zero probability is due to the possibility of collision in sampling the 푟 values used as inputs to the PRFs / random functions). Furthermore, due to the statistical authenti- (푏) (1−푏) cation of the Clifford code, an adversary can only obtain an output from (ℱ퐴,out, ℱ퐵,out ) with non-negligible probability if it emulates an honest execution of the protocol, starting with arbitrary inputs (x퐴, d퐴) to (푏) (1−푏) (푏) (1−푏) ℱ퐴,inp and (x퐵, d퐵) to ℱ퐵,inp . But regardless of the value of 푏, the outputs of (ℱ퐴,out, ℱ퐵,out ) will be (y퐴, y퐵) := 푄(x퐴, x퐵). Thus switching the value of 푏 at this point will be statistically indistinguishable, completing the proof.

Acknowledgements

We thank anonymous reviewers for pointing out an issue with Theorem 10.2 in an earlier draft of this work. This material is based on work supported in part by DARPA under Contract No. HR001120C0024 (for DK). Any opinions, findings and conclusions or recommendations expressed in this material are thoseof the author(s) and do not necessarily reflect the views of the United States Government or DARPA. A.C. is supported by DoE under grant DOD ONR Federal. Part of this work was done while the authors were visiting the Simons Institute for the Theory of Computing in Spring 2020.

77 References

[ABDS20] Gorjan Alagic, Zvika Brakerski, Yfke Dulek, and Christian Schaffner. Impossibility of quantum virtual black-box obfuscation of classical circuits. arXiv preprint arXiv:2005.06432, 2020. [ABG+20] Amit Agarwal, James Bartusek, Vipul Goyal, Dakshita Khurana, and Giulio Malavolta. Post- quantum multi-party computation in constant rounds. To Appear in Eurocrypt, 2020. [ACC+20] Bar Alon, Hao Chung, Kai-Min Chung, Mi-Ying Huang, Yi Lee, and Yu-Ching Shen. Round efficient secure multiparty quantum computation with identifiable abort. Cryptology ePrint Archive, Report 2020/1464, 2020. https://eprint.iacr.org/2020/1464. [ACJ17] Prabhanjan Ananth, Arka Rai Choudhuri, and Abhishek Jain. A new approach to round-optimal secure multiparty computation. In Jonathan Katz and Hovav Shacham, editors, CRYPTO 2017, Part I, volume 10401 of LNCS, pages 468–499. Springer, Heidelberg, August 2017. [AF16] Gorjan Alagic and Bill Fefferman. On quantum obfuscation. ArXiv, abs/1602.01771, 2016. [ALP20] Prabhanjan Ananth and Rolando L La Placa. Secure software leasing. arXiv preprint arXiv:2005.05289, 2020. [BCG+06] Michael Ben-Or, Claude Crépeau, Daniel Gottesman, Avinatan Hassidim, and Adam Smith. Secure multiparty quantum computation with (only) a strict honest majority. In 47th FOCS, pages 249–260. IEEE Computer Society Press, October 2006. [BCKM20] James Bartusek, Andrea Coladangelo, Dakshita Khurana, and Fermi Ma. On the round complexity of two-party quantum computation. Cryptology ePrint Archive, Report 2020/1471, 2020. https://eprint.iacr.org/2020/1471. [BGI+01] Boaz Barak, Oded Goldreich, Russell Impagliazzo, Steven Rudich, Amit Sahai, Salil P. Vad- han, and Ke Yang. On the (im)possibility of obfuscating programs. In Joe Kilian, editor, CRYPTO 2001, volume 2139 of LNCS, pages 1–18. Springer, Heidelberg, August 2001. [BGJ+18] Saikrishna Badrinarayanan, Vipul Goyal, Abhishek Jain, Yael Tauman Kalai, Dakshita Khurana, and Amit Sahai. Promise zero knowledge and its applications to round optimal MPC. In Hovav Shacham and Alexandra Boldyreva, editors, CRYPTO 2018, Part II, volume 10992 of LNCS, pages 459–487. Springer, Heidelberg, August 2018. [BGW88] Michael Ben-Or, Shafi Goldwasser, and Avi Wigderson. Completeness theorems for non- cryptographic fault-tolerant distributed computation (extended abstract). In 20th ACM STOC, pages 1–10. ACM Press, May 1988. [BHP17] Zvika Brakerski, Shai Halevi, and Antigoni Polychroniadou. Four round secure computation without setup. In Yael Kalai and Leonid Reyzin, editors, TCC 2017, Part I, volume 10677 of LNCS, pages 645–677. Springer, Heidelberg, November 2017. [BK05] Sergey Bravyi and Alexei Kitaev. Universal quantum computation with ideal clifford gates and noisy ancillas. Physical Review A, 71(2):022316, 2005. [BK11] Salman Beigi and Robert Koenig. Simplified instantaneous non-local quantum computation with applications to position-based cryptography. New Journal of Physics, 13(9):093036, sep 2011. [BMR90] Donald Beaver, Silvio Micali, and Phillip Rogaway. The round complexity of secure protocols (extended abstract). In 22nd ACM STOC, pages 503–513. ACM Press, May 1990. [Bra18] Zvika Brakerski. Quantum FHE (almost) as secure as classical. In Hovav Shacham and Alexandra Boldyreva, editors, CRYPTO 2018, Part III, volume 10993 of LNCS, pages 67–95. Springer, Heidelberg, August 2018.

78 [BY20] Zvika Brakerski and Henry Yuen. Quantum garbled circuits. arXiv preprint arXiv:2006.01085, 2020. [CCD88] David Chaum, Claude Crépeau, and Ivan Damgård. Multiparty unconditionally secure protocols (abstract) (informal contribution). In Carl Pomerance, editor, CRYPTO’87, volume 293 of LNCS, page 462. Springer, Heidelberg, August 1988. [CCG+20] Arka Rai Choudhuri, Michele Ciampi, Vipul Goyal, Abhishek Jain, and Rafail Ostrovsky. Round optimal secure multiparty computation from minimal assumptions. In Theory of Cryptography - 18th International Conference, TCC 2020, Durham, NC, USA, November 16-19, 2020, Proceed- ings, Part II, pages 291–319, 2020. [CDI+19] Melissa Chase, Yevgeniy Dodis, Yuval Ishai, Daniel Kraschewski, Tianren Liu, Rafail Ostro- vsky, and Vinod Vaikuntanathan. Reusable non-interactive secure computation. In Alexandra Boldyreva and Daniele Micciancio, editors, CRYPTO 2019, Part III, volume 11694 of LNCS, pages 462–488. Springer, Heidelberg, August 2019. [CGS02] Claude Crépeau, Daniel Gottesman, and Adam Smith. Secure multi-party quantum computation. In 34th ACM STOC, pages 643–652. ACM Press, May 2002. [CvT95] Claude Crépeau, Jeroen van de Graaf, and Alain Tapp. Committed oblivious transfer and private multi-party computation. In Don Coppersmith, editor, CRYPTO’95, volume 963 of LNCS, pages 110–123. Springer, Heidelberg, August 1995. [DGJ+20] Yfke Dulek, Alex B. Grilo, Stacey Jeffery, Christian Majenz, and Christian Schaffner. Secure multi-party quantum computation with a dishonest majority. In Anne Canteaut and Yuval Ishai, editors, EUROCRYPT 2020, Part III, volume 12107 of LNCS, pages 729–758. Springer, Heidelberg, May 2020. [DNS10] Frédéric Dupuis, Jesper Buus Nielsen, and Louis Salvail. Secure two-party quantum evaluation of unitaries against specious adversaries. In Tal Rabin, editor, CRYPTO 2010, volume 6223 of LNCS, pages 685–706. Springer, Heidelberg, August 2010. [DNS12] Frédéric Dupuis, Jesper Buus Nielsen, and Louis Salvail. Actively secure two-party evaluation of any quantum operation. In Reihaneh Safavi-Naini and Ran Canetti, editors, Advances in Cryptology - CRYPTO 2012. Proceedings, volume 7417 of LNCS, pages 794–811. Springer, 2012. [DSWK06] Giacomo Mauro D’Ariano, D Schlingemann, RF Werner, and D Kretschmann. Quantum bit commitment revisited: the possible and the impossible. Technical report, 2006. [GC20] Alvin Gonzales and Eric Chitambar. Bounds on instantaneous nonlocal quantum computation. IEEE Trans. Inf. Theory, 66(5):2951–2963, 2020. [GMPP16] Sanjam Garg, Pratyay Mukherjee, Omkant Pandey, and Antigoni Polychroniadou. The exact round complexity of secure computation. In Marc Fischlin and Jean-Sébastien Coron, editors, EUROCRYPT 2016, Part II, volume 9666 of LNCS, pages 448–476. Springer, Heidelberg, May 2016. [GMW87] Oded Goldreich, Silvio Micali, and Avi Wigderson. How to play any mental game or A completeness theorem for protocols with honest majority. In Alfred Aho, editor, 19th ACM STOC, pages 218–229. ACM Press, May 1987. [Gol04] Oded Goldreich. The Foundations of Cryptography - Volume 2, Basic Applications. Cambridge University Press, 2004. [Goy18] Rishab Goyal. Quantum multi-key homomorphic encryption for polynomial-sized circuits. Cryp- tology ePrint Archive, Report 2018/443, 2018. https://eprint.iacr.org/2018/443.

79 [GS18] Sanjam Garg and Akshayaram Srinivasan. Two-round multiparty secure computation from minimal assumptions. In Jesper Buus Nielsen and Vincent Rijmen, editors, EUROCRYPT 2018, Part II, volume 10821 of LNCS, pages 468–499. Springer, Heidelberg, April / May 2018. [GSW13] Craig Gentry, Amit Sahai, and Brent Waters. Homomorphic encryption from learning with errors: Conceptually-simpler, asymptotically-faster, attribute-based. In Ran Canetti and Juan A. Garay, editors, CRYPTO 2013, Part I, volume 8042 of LNCS, pages 75–92. Springer, Heidelberg, August 2013. [IKO+11] Yuval Ishai, Eyal Kushilevitz, Rafail Ostrovsky, Manoj Prabhakaran, and Amit Sahai. Effi- cient non-interactive secure computation. In Kenneth G. Paterson, editor, EUROCRYPT 2011, volume 6632 of LNCS, pages 406–425. Springer, Heidelberg, May 2011.

[IPS08] Yuval Ishai, Manoj Prabhakaran, and Amit Sahai. Founding cryptography on oblivious transfer - efficiently. In David Wagner, editor, CRYPTO 2008, volume 5157 of LNCS, pages 572–591. Springer, Heidelberg, August 2008. [KO04] Jonathan Katz and Rafail Ostrovsky. Round-optimal secure two-party computation. In Matthew Franklin, editor, CRYPTO 2004, volume 3152 of LNCS, pages 335–354. Springer, Heidelberg, August 2004. [LC98] Hoi-Kwong Lo and Hoi Fung Chau. Why quantum bit commitment and ideal quantum coin tossing are impossible. Physica D: Nonlinear Phenomena, 120(1-2):177–187, 1998. [LQR+19] Alex Lombardi, Willy Quach, Ron D. Rothblum, Daniel Wichs, and David J. Wu. New constructions of reusable designated-verifier NIZKs. In Alexandra Boldyreva and Daniele Micciancio, editors, CRYPTO 2019, Part III, volume 11694 of LNCS, pages 670–700. Springer, Heidelberg, August 2019. [LTV12] Adriana López-Alt, Eran Tromer, and Vinod Vaikuntanathan. On-the-fly multiparty computation on the cloud via multikey fully homomorphic encryption. In Howard J. Karloff and Toniann Pitassi, editors, 44th ACM STOC, pages 1219–1234. ACM Press, May 2012. [Mah18] Urmila Mahadev. Classical homomorphic encryption for quantum circuits. In Mikkel Thorup, editor, 59th FOCS, pages 332–338. IEEE Computer Society Press, October 2018. [May97] Dominic Mayers. Unconditionally secure quantum bit commitment is impossible. Physical review letters, 78(17):3414, 1997.

[MW16] Pratyay Mukherjee and Daniel Wichs. Two round multiparty computation via multi-key FHE. In Marc Fischlin and Jean-Sébastien Coron, editors, EUROCRYPT 2016, Part II, volume 9666 of LNCS, pages 735–763. Springer, Heidelberg, May 2016. [Nao91] Moni Naor. Bit commitment using pseudorandomness. Journal of Cryptology, 4(2):151–158, January 1991. [PVW08] Chris Peikert, Vinod Vaikuntanathan, and Brent Waters. A framework for efficient and compos- able oblivious transfer. In David Wagner, editor, CRYPTO 2008, volume 5157 of LNCS, pages 554–571. Springer, Heidelberg, August 2008. [Shm20] Omri Shmueli. Multi-theorem (malicious) designated-verifier nizk for qma, 2020.

[Spe16] Florian Speelman. Instantaneous non-local computation of low t-depth quantum circuits. In Anne Broadbent, editor, 11th Conference on the Theory of Quantum Computation, Communication and Cryptography, TQC 2016, September 27-29, 2016, Berlin, Germany, volume 61 of LIPIcs, pages 9:1–9:24. Schloss Dagstuhl - Leibniz-Zentrum für Informatik, 2016.

80 [Vai03] Lev Vaidman. Instantaneous measurement of nonlocal variables. Phys. Rev. Lett., 90:010402, Jan 2003. [Yao86] Andrew Chi-Chih Yao. How to generate and exchange secrets (extended abstract). In 27th FOCS, pages 162–167. IEEE Computer Society Press, October 1986.