Quantum Private Function Evaluation

Private function evaluation is a task that aims to obtain the output of a function while keeping the function secret. So far its quantum analogue has not yet been articulated. In this study, we initiate the study of quantum private function evaluation, the quantum analogue of classical private function evaluation. We give a formal definition of quantum private function evaluation and present two schemes together with their security proofs. We then give an experimental demonstration of the scheme. Finally we apply quantum private function evaluation to quantum copy protection to illustrate its usage.


I. INTRODUCTION
Consider the following scenario.A software company wishes to provide a charged quantum software service on the cloud to the customers, but it does not wish to reveal the code of the quantum software as the users will just download the code and not pay any money for the web service.The customer, on the other hand, wishes to apply the software on their quantum data for some information processing, but does not wish to reveal their private data to the software company as the data may contain sensitive information.For the classical version of the scenario, it can be dealt with by classical private function evaluation, which has been widely studied since 1990 [1,2].
Quantum private function evaluation (QPFE) is a quantum version of private function evaluation (PFE).While private function evaluation has been extensively studied in classical cryptography, somewhat surprisingly, up till now, QPFE has not yet been studied.The setting of QPFE is as follows.Party 1 has the quantum function E and part of the quantum state ρ 1 .Party 2 has the other part of the quantum state ρ 2 .(The case of N parties is similar.Here we explain the case of two parties for simplicity.) The goal of the two parties is to obtain without revealing each party's private quantum inputs.
The protocol needs to satisfy the following correctness and privacy properties: 1. Correctness: the malicious parties A cannot influence the results of the honest parties other than changing A's own inputs.
2. Privacy: The privacy contains two parts.For privacy against malicious party 2, we require party 2 to obtain no information on party 1's inputs and * Electronic address: caozhu@ecust.edu.cn functions beyond E (2) (ρ 1 , ρ 2 ).For party 1, since it can change the function, privacy against malicious party 1 can only be achieved when party 1 has no function output.Otherwise, we can only consider privacy against semi-honest party 1, namely party 1 that does exactly as the protocol dictates, but is curious about the other party's private input.
A formal formulation of the above statements will be presented later in the paper.
In this work, we initiate the study of QPFE.We first define QPFE.Then we present two QPFE schemes together with their security proofs.The first scheme is more modular in the sense that it uses multi-party quantum computation (MPQC) as a black box.Usually modularity makes schemes simpler and less error-prone in real implementations.This scheme only relies on the same assumption as MPQC.(Currently it is known that a quantum one-way function is sufficient for MPQC [3].)The second scheme does not use MPQC as a black box, and hence has the potential of being more efficient.We then give an experimental demonstration of QPFE based on the second scheme.To show the usefulness of QPFE, we also apply the QPFE scheme to the task of quantum copy protection.We hope our work would stimulate further research on developing alternative QPFE schemes and finding use of QPFE in other applications.
The organization of the rest of the paper is as follows.In Sec.II, we review some related works.In Sec.III, we fix the notation and restate some results from the literature that will be used later in the paper.In Sec.IV, we present the definition of QPFE.In Sec.V, we present two protocols of QPFE together with some extensions.In Sec.VI, we present the security proofs of the QPFE protocols.In Sec.VII, we give an experimental demonstration of QPFE.In Sec.VIII, we give an example application of QPFE to quantum copy protection.Finally, in Sec.IX, we conclude the paper and give a few outlooks.

II. RELATED WORK A. Classical private function evaluation
Classical PFE has been widely studied since 1990 [1].Currently there are roughly two classes of classical PFE.One class of classical PFE is based on universal circuits and multi-party computation (MPC) [4,5].This line of work focuses on optimizing the implementation of universal circuits to achieve higher efficiency of PFE.Once the universal circuit part is done, one puts the private function also as part of the input into the universal circuit and then applies ordinary MPC.The security proof for this type of PFE is almost trivial which is one of the benefits of such schemes.
The other class of classical PFE does not rely on universal circuits [2,6,7].Compared to the previous type of PFE, this type of PFE can achieve higher efficiency by opening the black box of MPC.We refer the reader to the related work section of Ref. [7] for a recent review of this line of PFE.We only add the remark here that these classical PFEs usually involve copying the output of a gate several times as the inputs of further gates.This makes it unclear how to transfer these classical PFE schemes to the quantum scenario.

B. Multi-party quantum computation
PFE is related to MPC.Both tasks consider the task of computing a joint function with multiple parties.Both tasks wish to protect the privacy of the participants' data.There are however also essential differences between PFE and MPC.The function to be computed is private information in PFE, while it is public in MPC.The quantum analogue of MPC, called MPQC, has been studied since 2002 [8].
Since MPQC is closely related to quantum PFE, we give a brief review of MPQC here.A more comprehensive review of the field of MPQC can be found in Ref. [9].In the first work of MPQC [8], Crepeau et al. present an information-theoretically secure MPQC protocol when the proportion of malicious parties is less than 1/6.Since then, the results have been strengthened in various directions.In 2006, Ben-Or et al. [10] showed that MPQC can be done information theoretically with a strict honest majority.This work is tight in the sense that, even with one more malicious party, MPQC will be completely impossible information theoretically.In 2020, Dulek et al. [11] showed that with computational assumptions, MPQC can be done with a dishonest majority (even if just one party is honest).The computation assumption needed for MPQC is that a quantum one-way function exists [3].There are also works concerning the efficiency of MPQC.For example, in 2021, a constantround MPQC is given for the case of a dishonest majority [9], reducing the round complexity of previous works.

C. Quantum fully homomorphic encryption
Quantum fully homomorphic encryption (QFHE) considers the following scenario.One party, called the user, has private quantum data x and wishes to get the result of F (x) but it does not have the computational resource to do so.Instead, it asks the server to do the computation but does not wish to reveal x to the server.The user encrypts the data x as E(x) and sends it to the server.The server computes homomorphically on E(x) to obtain E(F (x)) which is sent back to the user.The user decrypts E(F (x)) as F (x).A notable distinction between QFHE and blind quantum computation is that QFHE does not allow interactions between the user and the server in the middle.The only interaction allowed is the message that the user sends to the server at the beginning, and the message that the server sends to the user at the end.
It has been shown that quantum FHE is not possible for general functions [12].Hence, the research on QFHE is mainly divided into two classes.The first class of research considers adding computational assumptions for achieving QFHE.For example, in 2015, Broadbent et al. [13] proposed a QFHE scheme with a constant number of T gates based on computational assumptions.Later, in 2016, the restriction on the number of T gates is removed by Dulek et al. [14].Several further improvements are made [15][16][17].The second class of research considers QFHE with special functions instead of general functions.For example, Ouyang et al. showed an informational-theoretically secure QFHE scheme with a constant number of T gates in 2018 [18].
QFHE [14] can be used to fulfill the goal of QPFE, but suffers from the problems of high complexity and strong assumptions.All known protocols of QFHE for general functions [14][15][16][17] rely on the assumption that learning with errors is quantum hard.Later in our paper, we will show that for QPFE with a dishonest majority, the existence of a quantum one-way function is enough, just as the case for MPQC [3].

III. PRELIMINARIES
In this section, we present some definitions and results from the literature which will be used later in the paper.In the first subsection, we review a security framework that will be later used to define the security of QPFE.The remaining three subsections describe three primitives that will be later used to construct QPFE protocols.

A. General secure protocol
We begin by reviewing how to define the security of a general secure protocol Π.Before presenting the security definition, we first define a few notations.Let λ be the security parameter.For two classes of binary random variables {X λ } λ and {Y λ } λ , we write X λ ≈ Y λ as a shorthand for where Pr stands for probability and µ is a negligible function of λ.Here, a negligible function of λ is defined as a positive function which tends to 0 faster than the inverse of any positive polynomial function as λ goes to infinity.An example of a negligible function of λ is 2 −λ , which satisfies this definition.We employ the simulation-based security proof framework [19] to define the security of a general protocol.In this framework, a protocol is considered secure if any environment with a bounded amount of computational resources cannot distinguish between the actual protocol execution (usually called the real world) and an ideal protocol execution (usually called the ideal world) with a high probability.In an ideal world, there is a trusted third-party that fulfills all security properties that the protocol should satisfy, which is usually called the ideal functionality.To ensure the environment cannot distinguish the two cases, one plausible way is to add a simulator wrapping the adversary such that the interaction of the environment with the simulator and the ideal functionality in the ideal world is identical to the interaction of the environment with the adversary and the protocol in the real world.
In more details, let Exec[Π, A, Z] be the output distribution of the environment Z for a protocol Π and an adversary A compatible with the protocol Π.The relations among Z, Π, and A are shown in Fig. 1  We say that a protocol Π realizes an ideal functionality F if for all adversary A, there exists a simulator S that may depend on A such that When the output distributions are non-binary, the notation ≈ can be naturally extended to imply that the total variational distance between the two distributions is a negligible function of the security parameter λ.With this security definition, we only need to specify the ideal functionality to define any secure protocol.

B. Two-party computation
The syntax of the two-party computation (2PC) functionality is as follows [20].Initially, Bob holds a private input x B and Alice holds a private input x A .They aim to compute the output (y A , y B ) = F (x A , x B ) without revealing their private inputs to each other.Here, y A is the output for Alice and y B is the output for Bob.
There are three rounds in the 2PC functionality with the following syntax.
A ).The simulator uses Sim A to generate m B and sends it to Alice.On receiving m A , the simulator calculates Sim A and sends x ′ A to the ideal functionality I[x B ](•).The ideal functionality calculates y = F (x ′ A , x B ) and sends it to the simulator.The simulator then sends y to Alice.The random variable IDEAL A consists of Alice's view in the ideal world, and the random variable REAL A consists of Alice's view in the real world.The security against malicious Alice holds if The simulator for Bob has the form Sim B = (Sim B ).
On receiving m B from Bob, Sim C. Quantum garbled circuit Here, we consider only the quantum garbled circuit for Clifford + Measurement (C + M ) circuits, which are circuits that only consist of Clifford gates and standardbasis measurements.
The syntax of the quantum garbled circuit consists of a triad of functions (QGarble, QGEval, QGSim).The C +M quantum circuit is denoted as Q.The quantum input of the circuit is denoted as x inp .The C+M quantum circuit consists of d layers and initially contains n 0 := n 1 + k 1 qubits.In layer i (1 ≤ i ≤ d), first a Clifford is operated on the n i−1 qubits and then the first k i qubits are measured.The number of remaining qubits is denoted as n i and satisfies n The three functions have the following syntax: Here, QGarble is the function that turns a quantum circuit into its garbled version, E 0 is the unitary operation to be applied to the quantum input, λ is the security parameter, and Q is the garbled version of the quantum circuit Q.

3.
x out ← QGEval( x inp , Q).Here, QGEval is the evaluation function of the garbled circuit, and x out is the output after evaluating the garbled circuit Q on the encrypted input x inp .

( x
Here, QGSim is the simulation function of the garbled circuit.
Correctness: Essentially, the correctness holds when the output of the evaluation of the garbled circuit is identical to the output when running the original circuit directly on the original inputs.This is equivalent to saying that where ≈ s denotes statistical indistinguishability. Here, two density matrices x λ and y λ with the security parameter λ are said to be statistically indistinguishable x λ ≈ s y λ if they satisfy where || • || 1 is the trace distance and µ(•) is a negligible function.
Security: Essentially, the security will be guaranteed if the garbled circuit and the garbled input can be reproduced by the output of the circuit, thus revealing no extra information on each party's private inputs.This is equivalent to saying that (8) where ≈ c denotes computational indistinguishability. Here, two density matrices x λ and y λ with the security parameter λ are said to be computionally indistinguishable x λ ≈ c y λ if for any probabilistic polynomial-time distinguisher D λ and any auxiliary quantum advice d λ , the inequality always holds for some negligible function µ(•).
The construction of a quantum garbled circuit first appears in Ref. [21], and is then rigorously proved in Ref. [9].

D. Two-party quantum computation
The syntax of two-party quantum computation (2PQC) is as follows.Initially, Bob holds a private quantum input x B and Alice holds a private quantum input x A .They aim to compute the quantum output (y A , y B ) = F (x A , x B ) without revealing their private quantum inputs to each other.
The 2PQC protocol consists of three functions 2PQC 1 , 2PQC 2 , 2PQC out and three rounds as follows: 1. Bob generates (m B , st) = 2PQC 1 (x B ) and sends a quantum message m B to Alice.Here st is a quantum state that Bob keeps for himself for later use.

Bob computes (y ′
A , y ′ B ) = 2PQC out (m A , st) and sends y ′ A to Alice.

Correctness:
The correctness means that the output of the protocol should be identical to the output of just computing the function F on x A and x B directly.This is equivalent to saying that Security: The security consists of two parts, security against malicious Alice, and security against malicious Bob.Let us start from Alice's side.The simulator for Alice has the form Sim A = (Sim A ).The simulator uses Sim  A to Alice.Here F A is almost identical to F except it only outputs the output for Alice.The random variable IDEAL A consists of Alice's view, and let REAL A be the transcript of Alice in the real execution.The security is satisfied if The simulator for Bob has the form Sim B = (Sim B ).
On receiving m B from Bob, Sim IV. DEFINITION OF QPFE One of our first contributions is to formally define the task of QPFE and the security properties it should satisfy.Let us start by describing its setup.In a QPFE, there are n (n ≥ 2) parties.Party 1 holds a private function E and a private quantum input ρ 1 .Party i (2 ≤ i ≤ n) holds a private quantum input ρ i .Note that ρ 1 , • • • , ρ n can be entangled.An illustration of QPFE is shown in Fig. 2(a).After a few communication and computation rounds, party i gets a quantum output σ i .Here, σ 1 , • • • , σ n can also be entangled.In the introduction, we have informally described the security properties that a QPFE should satisfy: correctness and privacy.To give a formal definition, we adopt the simulation-based security framework.For the convenience of the readers who are not familiar with this framework, we briefly review it here.In this framework, there is a real world and an ideal world.The real world is where the protocol actually takes place and there is an adversary that tries to attack the protocol.The ideal world, on the other hand, contains an ideal functionality that fulfills the task at hand (e.g., QPFE), and there is a simulator that interacts with the ideal functionality.Now say that the ideal functionality fulfills the security requirements of correctness and privacy against any adversary by its construction, and there is no way to tell the real world and the ideal world apart, then the adversary in the real world also cannot break the security of the protocol.
The above reasoning is quite high-level.We now give more details of this framework in the specific case of QPFE.As explained previously, the ideal functionality F QP F E should fulfill the conditions of correctness and privacy against any adversary.To model possible collusion between dishonest parties, we assume there is a single adversary controlling all dishonest parties.In other words, we can consider the collection of all dishonest parties as the adversary.After elucidating the adversary, we are now ready to provide further details of the ideal functionality.First of all, the ideal functionality F QP F E has the following input and output: 1. Input: The ideal functionality takes input from both honest parties and the adversary.Note that the adversary sends the inputs of dishonest parties on behalf of the dishonest parties.As said before, Party 1 provides inputs E and ρ 1 to the ideal functionality, and Party i provides inputs ρ i to the ideal functionality where 2 ≤ i ≤ n.

Output:
The ideal functionality gives outputs to both honest parties and dishonest parties.As said before, Party i receives To satisfy the correctness and privacy properties, the ideal functionality works as follows.
1.After receiving the inputs from all parties, compute 2. The ideal functionality receives a message "abort" or "continue" from the adversary.If "abort" is received, the process halts.If "continue" is received, the ideal functionality sends By the definition of this ideal functionality, it is clear that it always computes the outputs correctly and it does not leak any private information to any party.An illustration of this ideal functionality is shown in Fig. 2(b).Note that this ideal functionality does not provide guaranteed output delivery, as the honest parties will not get any output if the adversary sends the message "abort" in the second step.We can modify the ideal functionality into an ideal functionality with guaranteed output delivery by removing the ability of the adversary to halt the process.
Using this ideal functionality, we are now ready to define the security property of QPFE.We say that a protocol Π realizes QPFE if for all polynomial-time adversary A, there exists a polynomial-time simulator S that may depend on A such that More precisely, let λ be the security parameter.If for any probabilistic polynomial-time distinguisher D λ and any auxiliary quantum advice d λ , the inequality always holds for some negligible function µ(•), we say the protocol Π is a secure QPFE.

A. Comparison with the classical analogue
To understand the similarity and difference between QPFE and PFE, we compare their definitions in this section.Recall that PFE has the following ideal functionality [22].
Input: Party A: a circuit C f encoding the function f , its input x A ; Party B: its input x B .
1.If either party sends abort to the ideal functionality F, F broadcasts ⊥ and halts.
2. If the C f received from A satisfies the preagreement, the ideal functionality stores C f .
3. Check if x A and x B are received and C f is stored.
If not, the process halts.The adversary A sends a message continue or abort to F. If F receives continue, it computes C f (x A , x B ) and delivers C f (x A , x B ) to all parties, otherwise the process halts.
By comparing the ideal functionalities of PFE and QPFE, it is clear that these two tasks are almost the same, except that the inputs and function/algorithm in QPFE are quantum, while the inputs and function/algorithm in PFE are classical.Note however that the two tasks of QPFE and PFE are not directly comparable in terms of their performance as they consider different objects (classical objects for PFE and quantum objects for QPFE).While there might be quantum algorithms which are more advantageous than any classical algorithm, this is orthogonal to our work and outside the scope of our paper.

B. Variants
There are several variants of QPFE definitions that can be considered.Before explaining these variants, note however that these discussions of variants are not used in the rest of the paper.The reader may skip this section and directly go to the next section with no loss.
For the first variant, the private function might be distributed among several parties instead of just one.For this case, the ideal functionality should be modified as follows: it should first collect part of the private function E i from party i for all 1 ≤ i ≤ n.Then the ideal functionality use a combining mechanism Combine(•) to yield the complete quantum function The rest procedures of the ideal functionality is the same as the standard ideal functionality of QPFE.
For the second variant, some participants may go offline during the process.A good QPFE protocol should ideally address the security issue in this situation.For this case, the ideal functionality should be modified as follows: Instead of sending Party i the result E (i) (ρ 1 , • • • , ρ n ) directly, the ideal functionality first waits for a message from Party i which can either be "online" or "offline".Only if the message "online" is received, the ideal functionality sends For the third variant, both the function and the inputs in QPFE might be time-dependent instead of invariant with respect to time.For this case, the ideal functionality should be modified as follows: First of all, the inputs from all parties are sent to the ideal functionality simultaneously and instantly (or within a short time interval ∆ 1 ).Second, the ideal functionality performs the calculation instantly (or within a short time interval ∆ 2 ).Third, the ideal functionality sends the outputs to the parties simultaneously and instantly (or within a short time interval ∆ 3 ).The most important difference from the standard definition is that every step is timestamped in this scenario.

V. SCHEME OF QPFE
In this section, we present two schemes of QPFE.In Sec.V A, we present the first scheme of QPFE, which utilizes MPQC as a black box.In Sec.V B, we present the second scheme of QPFE, which builds directly on smaller primitives.In Sec.V C, we extend the schemes to the reusable scenario, where multiple runs of QPFE are executed.We show that the average communication cost can be lowered in this multiple-run scenario.

A. First protocol
In this section, we present the first QPFE scheme.In Sec.V A 1, we describe the procedures of the first QPFE scheme.In Sec.V A 2, we give the implementation of the first QPFE scheme on a quantum computer.In Sec.V A 3, we give an example of the first QPFE scheme for specific quantum functions and inputs.

Protocol description
The critical idea is to convert the quantum function E into a quantum state ρ E .Then we can apply MPQC to obtain a secure protocol of QPFE.This can indeed be done by the Choi-Jamiolkowski (C-J) transform [23,24].
Let us review the C-J transform.To describe the C-J transform, we need to first define the Choi matrix Υ E corresponding to a quantum channel E, which has the form |k⟩⟨l| ⊗ E(|k⟩⟨l|), (16) where |ψ⟩ = k |kk⟩ is an unnormalized Bell state and Υ E is positive definite as E is a completely positive map.Note that Υ E is not necessarily a quantum state as its trace may not be 1.We are now ready to present the C-J transform.It can be expressed as are the Hilbert space over the systems A and B respectively, and Tr A is the partial trace over the A system.The C-J transform establishes an equivalence between the channel E and its corresponding Choi matrix Υ E .
Based on the C-J transform, we can define the following G functionality where According to the property of MPQC, the function E of party 1 is kept secret, as well as the private quantum states of the two parties.
Note that since the transpose operation (ρ → ρ T ) is not completely positive, it cannot be realized as a quantum map.Hence, we assume the classical description of ρ is known.Compared with the protocol that utilizes classical PFE solely, the cost of the online phase of this protocol becomes polynomial instead of exponential.This is because the preparation of ρ T A and ρ T B involves no communication and can all be done offline by the parties themselves.
For ease of notation, let us define ρ = ρ A ⊗ ρ B .For proving the correctness of the protocol, let us show that G(ρ 1 , ρ 2 , ρ 3 ) = E(ρ)/Tr(Υ E ) as follows, In the second equality, we have utilized the identity (A ⊗ B) This protocol can be easily extended to the multi-party case.We only need to change the G functionality to Here, ρ i (3 ≤ i ≤ n + 1) belongs to party i. ρ 1 and ρ 2 belong to party 1.

Implementation on a quantum computer
Now, we consider how to implement the functionality G. First we make a decomposition on the state ρ = ρ 1 ⊗ ρ 3 .It can be decomposed as which can be viewed as a part of a positive operatorvalued measure (POVM).The reason is as follows.For each i, we can expand |ψ i ⟩ into a basis of H AB as , where d is the dimension of H AB .By the definition of a basis, we have Hence, This expression is positive definite as each summand is positive definite.Hence, {ρ, I − ρ} forms a POVM.By preparing ρ 2 and measuring the subsystem H AB with the POVM {(I AB − ρ), ρ}, which corresponds to the outcomes 0 and 1 respectively.We post-select the outcome of the remaining quantum system when we get the measurement result ρ ⊗ I C .Then we obtain the quantum state E(ρ).The procedure is illustrated in Fig. 3.Note that this procedure is probabilistic.The success probability is given by 1/Tr(Υ E ).

Example
Let us now give an example of the first QPFE scheme.
In the example, we consider the depolarizing channel, which has the form Here party A does not have any input, party B has input ρ B = ρ.We decompose ρ as Apparently, (ρ, 1−ρ) form a complete set of POVM when ρ is a qubit.This is because we can write 1 − ρ as This matrix is a mixture of pure states.In addition, it has trace 1 as all ψ ⊥ i ψ ⊥ i have trace 1 and p i = 1.This phenomenon can easily be extended to n qubits.The difference is that, while 1 qubit corresponds to 2 bases, n qubits correspond to 2 n bases.For concreteness, let us take We have the following claim: Theorem 1.For ρ defined in Eq. ( 27) and E defined in Eq. ( 24), the identity holds.
Proof.First, the right-hand side (RHS) of Eq. ( 28) equals We are left to show that the left-hand side (LHS) also equals this value.Before calculating the LHS, we first compute Υ E explicitly.By Eq. ( 24) and Eq. ( 16), we have More precisely, the depolarizing channel E satisfies Hence we get With the expression of Υ E at hand, we are now ready to calculate the LHS of Eq. ( 28).It equals )) )).
(35) The first term amounts to measure |+⟩ on the first qubit of the Bell state |Φ + ⟩ and then to take the second qubit.
Apparently, the second qubit should be |+⟩ and the probability that the first qubit has measurement outcome |+⟩ is 1/2, so the first term becomes p|+⟩⟨+|.For the second term, it amounts to measure |+⟩ on the first qubit of I/4 and then take the second qubit.The second qubit should be I/2 and the probability that the first qubit has measurement outcome |+⟩ is 1/2 too, so the first term becomes (1 − p)I/2.Overall, the LHS of Eq. ( 28) becomes which equals the RHS of Eq. ( 28).

B. Second protocol
Without loss of generality, we restrict the private circuit of Bob to be a Clifford + Measurement (C+M) circuit Q acting on two parties' private inputs and some ancillary zero states, |0⟩, and T states, (|0⟩ + e iπ/4 |1⟩)/ √ 2. We first describe the classical functionality used in the second protocol.Before the classical functionality, Alice randomly selects two Cliffords C A,in and C A,out and Bob randomly selects a Clifford C B,in .Let be the circuit that performs C A,out on Alice's output after applying the circuit Q.Let (E 0 , Q B ) be the garbled circuit of Q B .Bob and Alice calculate the garbled circuit through a classical 2PC with syntax (2PC 1 , 2PC 2 ), as detailed in Protocol 1.Here C A,in , C A,out are only known to Alice, and Q, C B,in are only known to Bob.

Protocol 1 Classical functionality
Alice Input: CA,in, CA,out.Bob Input: CB,in, Q.
We are now ready to present the second protocol.Let the quantum input of Alice be x A and that of Bob be x B .Denote k zero states as 0 k and k T states as T k .The complete protocol has three rounds which are as follows: where λ is the security parameter and C B,in is a unitary that acts on the joint quantum state of x B and 0 λ .

Alice sends Bob the messages m
where k is the number of ancilliary T states.
3. Bob first gets (W, Q B ) = 2PC out (m A ) with the first two rounds.Bob then calculates Note an important change compared to 2PQC is that in the classical functionality of QPFE, Q is Bob's private information, while in that of 2PQC, Q is common information of both parties.

C. Reuseable extensions
In this section, we consider the scenario where multiple runs of QPFE are executed.In this case, Bob's first message can be reused.This reduces subsequent executions to two rounds and reduces the average communication and computational consumption.In the initial executions, either Bob sends multiple quantum messages m for use in later executions, or sends only classical messages, which can be easily copied for use in later executions.

VI. SECURITY PROOFS OF QPFE A. Security proof of the first scheme
Since party 1 can change his private function E to E ′ (ρ A , ρ B ) = ρ B which completely undermines party 2's security, we only consider security against malicious party 2 and security against semi-honest party 1.
Let I 2P QC [G, ρ A , E, ρ B ] denote the ideal functionality of 2PQC for the function G(ρ 1 , ρ 2 , ρ 3 ), where the inputs are (ρ 1 , ρ 2 , ρ 3 ) = (ρ T A , Υ E /tr(Υ E ), ρ T B ).In the following proof, we will write Security Proof.First, we give the simulator that interacts with a malicious party 2. The simulator gives ρ B to the ideal functionality I[ρ A , E](•) and receives τ B .The simulator then sends τ B to party 2. Since the simulator is ignorant of party 1's private inputs, the simulator is secure.We denote the real execution as H 0 and the simulated execution as H 1 .
H 0 ≈ c H 1 : This results from the security of 2PQC.Next, we give the simulator that interacts with a semihonest party 1.The simulator gives ρ A , E to the ideal functionality The adversary has no extra information in this simulated world other than the circuit output and its inputs.We are left to show the real world is indistinguishable from the ideal world.This again results from the security of 2PQC.
B. Security proof of the second scheme Security against malicious Alice: Let the simulator of the classical 2PC be (Sim  A (1 λ ).The simulator sends Alice (m B,1 , m B,1 ).

Alice sends Sim (m
A (m A ).

By (C A,in , C
A,out , C B,in ), the simulator computes where Here Q is the description of the circuit known only to Bob), gets y A back, computes y A = C A,out (y A , 0 λ ), sends y A to Alice and outputs whatever Alice outputs.
The simulator is secure as it is completely ignorant of Bob's private inputs.We now define a series of hybrid executions: • H 0 : The real execution.
• H 1 : This hybrid is the same as the real execution, except that m B,1 is obtained through 2P C.Sim  A (m 2 ).Bob performs the garble procedure using this information and continues as in the real execution.
• H 2 : This hybrid is the same as H 1 except that, instead of the garbling procedure, Bob directly evaluates Q[C A,out ] on the input (x A , x B ).
• H 3 : This hybrid is the same as • H 4 : This hybrid is the same as H 3 except that instead of evaluating the circuit directly, send x ′ A to I[x B , Q](•) to receive y A and then compute y A = C A,out (y A , 0 λ ).This is exactly the simulated execution.
We now show the equivalences between these hybrids: • H 0 ≈ c H 1 : This results from the security of 2PC.
• H 1 ≈ s H 2 : This results from the correctness of the quantum garbled circuit.
• H 2 ≈ s H 3 : This results from the security of the Clifford authentication code.• P 2 is not certain whether P 1 is |0⟩ or |1⟩.
• The third party P 3 is ignorant of the quantum states of P 1 and P 2 .
For example, a wrong protocol that does not satisfy these three properties can be that P 2 directly outputs 1 2 {0}, 1 2 {1}.In that case, the third party P 3 would know that the quantum state of P 2 is 1 √ 2 (|0⟩ + e iϕ |1⟩) or their combinations.This is in conflict with the third property.Now we turn to the design of the correct protocol.For ease of implementation, we set the security parameter to be λ = 0.The protocol design consists of four steps.In the first step, we add a randomized Z s gate as a substitute of P 2 's measurement, as illustrated in Fig. 5(a).Here, s is randomly chosen from {0, 1}.Call the resulting circuit F 1 .In the second step, we apply a randomized Pauli rotations X a1 Z b1 and X a2 Z b2 to both P 1 and P 2 's private inputs, and then apply F 1 to these two qubits and obtain the outcome ρ 3 , as illustrated in Fig. 5

(b).
Here P 2 is ignorant of a 1 and b 1 , and P 1 is ignorant of a 2 and b 2 .By the QPFE scheme, we can apply an X a3 operation on ρ 3 and then perform computational-basis measurements to get the correct circuit output F (ρ 1 , ρ 2 ), as illustrated in Fig. 5(c).This is the fourth step.In the third step, we use classical PFE to calculate a 3 , as illustrated in Fig. 5(d).Here, we are not using classical MPC as that will leak sensitive information on Bob's private circuit.The classical PFE takes as inputs a 1 , b 1 , a 2 , b 2 , s and outputs a 3 .The combined protocol is summarized in Fig. 5(e).Here, ρ1 and ρ2 are locally processed by P 1 and P 2 respectively.Importantly, to keep Bob's private circuit secret, the encrypted circuit F is held by Bob.
In our experiment, we set P 1 's input to be either |0⟩ or |1⟩ and P 2 's input to be either |+⟩ or |−⟩.For this specific setting, we notice that the encoding turns the input qubit of the first party into either |0⟩ or |1⟩ and the input qubit of the second party into either |+⟩ or |−⟩.The additional Z s on the second qubit also leaves the second qubit as either |+⟩ or |−⟩.Hence, for this specific setup, the outcome result ρ 3 is already correct without any correction of X a3 , namely ρ 3 = F (ρ 1 , ρ 2 ).
After explaining the protocol and the experiment setup, we now perform the experiment on the IBM quantum experience.The quantum computer we use is ibmq lima.The connectivity of its qubits is shown in Fig. 6(a).We will use two of the five qubits in the computer for our experimental demonstration.We first run the plain circuit F , which is depicted in Fig. 6(b).The result is shown in Fig. 6(c).It can be seen that the outcomes of 0 and 1 have approximately the same probability.We then run the encrypted circuit depicted in Fig. 6 where y is short for F (ρ 1 , ρ 2 ).Since the experiment is repeated N = 1024 times, the standard deviation of the probability is 1/ √ N ≈ 0.03.Hence, the outcome distribution of the encrypted circuit is within the standard deviation of the true distribution 1 2 {0}, 1 2 {1}.A more faithful experimental demonstration of the QPFE scheme should set Alice and Bob at a distance, and consequently would involve quantum communication between the distant parties in addition to the quantum computation part.We leave this more faithful experimental demonstration of QPFE as future work.

VIII. APPLICATION: QUANTUM COPY PROTECTION
We now apply the QPFE scheme to the quantum copy protection (QCP) problem.A quantum copy protection problem considers the following scenario.A quantum software provider issues a quantum program F to the user.The user may query the quantum program F for many inputs x i and get the corresponding outputs F (x i ).Here, the goal of the provider is that their software F cannot be copied by the user so that other users will not be able to use the software unless they buy another copy of the software from the provider.
The quantum copy protection problem is conceived in Ref. [26].There, the author shows that the quantum copy protection is not possible for learnable programs.Indeed, if a program F is learnable, namely it can be recovered from input-output pairs {x i , F (x i )} 1≤i≤N , the user can simply reproduce the program by learning the inputoutput pairs and then create arbitrary number copies of the program.Later, it has been shown that even some unlearnable programs also intrinsically do not allow any quantum copy protection schemes [27].
On the positive side, Aaronson [26] has shown a quantum copy protection scheme based on the quantum random oracle model for unlearnable functions.Later, Aaronson et al. [28] the assumption and has provided a quantum copy protection scheme based on the classical random oracle model for unlearnable functions.Given the negative result above, the classical random oracle assumption is not always satisfied for unlearnable functions.Currently it is unknown for which class of functions the classical random oracle assumption is satisfied.
Before we turn to the formal discussion of QCP, let us first review its definition in the literature [28].A standard QCP consists of three procedures: • Setup(1 λ ) → (sk): Given a security parameter λ, the setup procedure generates a secret key sk for the vendor.
• Generate(sk, F ) → (ρ F , {U F,x } x∈[N ] ): Using the secret key sk, the vendor encrypts the program F into a quantum state and a series of quantum unitaries (ρ F , {U F,x } x ) and issue them to the user.
• Compute(ρ F , {U F,x } x∈[N ] , x) → F (x): To compute the program F on a specific input x, the user applies U F,x on the quantum state ρ F and measures the first qubit.
In this work, we relax this definition by only keeping its essentials, namely for any input x that the user wishes to compute, the vendor should return the result F (x).We however do not restrict how the vendor achieves this goal, e.g., the vendor does not have to release (ρ F , {U F,x } x ) before user's query.Next we define the security of QCP.The ideal functionality F QCP of QCP takes input x i from the user and input F from the vendor in the ith round.It then outputs F (x i ) to the user.A QCP protocol Π QCP is secure if for any independent and identically distributed (iid) adversary A, there exists a simulator S that fulfills We now turn to our construction of the quantum copy protection scheme, which is based on multi-runs of the QPFE scheme.In the ith run, Bob holds the private function F and gets no output.Alice provides a private quantum input x i and gets back a quantum output F (x i ).After N runs, Alice gets N pairs {x i , F (x i )} 1≤i≤N .The detailed process of this scheme is shown in Protocol 2.  Now let us examine the security of this QCP scheme.According to the security property of QPFE, in the ith run, we have where Π i is the QPFE protocol at the i-th run, F i is the corresponding ideal functionality, and S i is the corresponding simulator.Since any iid adversary A of QCP is a concatenation of A i , the simulator S of QCP can be constructed as a concatenation of S i , which results in This finishes the proof of the security of the QCP scheme.Note that this scheme fails for learnable functions, as one can still infer a function from multiple pairs of inputs and outputs if the function is learnable.However, for all unlearnable functions, it can well protect the function unlike previous schemes.This helps us enlarge the class of function that can be copy-protected.Note that this scheme does not contradict with the no-go theorem for some unlearnable functions [27].In the no-go theorem, it is assumed that the software provider has no interaction with the user beyond the initial software release stage, while there are interactions between the software provider and the user in our construction of the quantum copy protection scheme based on QPFE.Hence, there is a tradeoff between the number of interactions and the class of functions that can be copy protected.We leave the detailed investigation of this tradeoff as an interesting research problem.

IX. DISCUSSION
In conclusion, we have initiated the study of QPFE.We have formally defined the notion of QPFE as a quantum analogue of its classical counterpart.Then we presented two QPFE schemes together with their security proofs.The first scheme makes black-box use of MPQC, while the second one builds on smaller primitives.The schemes presented can be applied to various quantum tasks where the quantum function needs to be kept secret, such as quantum copy protection.An experimental demonstration of the scheme is also presented to facilitate its practical usage.
There are a few interesting avenues for future investigation.First, it is an interesting direction to improve the computation and communication cost of the QPFE schemes that we present in this work.Second, it is interesting to explore what is the minimum computational assumption that needs to be made to ensure the existence of a QPFE scheme against a dishonest majority.Recently, there have been some works that aim to build quantum schemes with even weaker assumptions than the existence of a quantum one-way function [29].Third, it is interesting to give a more faithful experimental demonstration of the schemes presented here.
(a).They are capable of communicating with each other in the real world.Let Exec[F, S, Z] be the output distribution of the environment Z for an ideal functionality F and a simulator S. The relations among Z, F, and S are shown in Fig. 1(b).They are capable of communicating with each other in the ideal world.

( 1 )
B (m B ) generates x ′ B and sends it to the ideal functionality I[x A ](•).The ideal functionality generates y ← I[x A ](x ′ B ) and gives it to the simulator.On receiving y, Sim

( 2 )
B (y) generates m A and gives it to Bob.The random variable IDEAL B consists of Bob's view in the ideal world, and the random variable REAL B consists of Bob's view in the real world.The security against malicious Bob holds if

( 1 )
A to generate m B and sends it to Alice.On receiving m A , the simulator calculates Sim

( 2 )
A (m A ) = x ′ A and sends x ′ A to the ideal functionality I[x B ](•).The ideal functionality calculates y ′ A = F A (x ′ A , x B ) and sends it to the simulator.The simulator then sends y ′

( 1 )
B (m B ) generates x ′ B and sends it to the ideal functionalityI[x A ](•).The ideal functionality generates y ← I[x A ](x ′B ) and gives it to the simulator.On receiving y, Sim

( 2 )
B (y) generates m A and gives it to Bob.The random variable IDEAL B consists of Bob's view.Let the random variable REAL B be the view of Bob in the real execution of the protocol.The security against malicious Bob holds if and only if

FIG. 2 :
FIG. 2: (a) The real scenario where mutually untrusted parties communicate with each other.(b) The ideal scenario where each party interacts with a trusted third-party.
and ρ 2 ∈ H ABC .To utilizes the G functionality, party 1 prepares his inputs as (ρ 1 , ρ 2 ) = (ρ T A , Υ E /tr(Υ E )) and party 2 prepares his input as ρ 3 = ρ T B .The two parties then perform an MPQC with the G functionality on their private inputs.

FIG. 3 :
FIG. 3: An illustration of the implementation of the first QPFE scheme.

and
Bob gets (C A,in , C A,out , E 0 ) through 2P C.Sim

FIG. 5 :
FIG. 5: (a)-(e) The design of the QPFE protocol for the example functionality.Details are explained in the main text.
Fig.6(a).We will use two of the five qubits in the computer for our experimental demonstration.We first run the plain circuit F , which is depicted in Fig.6(b).The result is shown in Fig.6(c).It can be seen that the outcomes of 0 and 1 have approximately the same probability.We then run the encrypted circuit depicted in Fig.6(d) on the encoded input.The resulting probability distribution is shown in Fig. 6(e).It can be seen that the outcomes of 0 and 1 are also approximately the same.More precisely, |Pr(y = 0) − Pr(y = 1)| ≤ 0.012, (45)

FIG. 6 :
FIG. 6: The experimental setups and results.(a) The connectivity diagram of the quantum computer ibmq lima.(b) The plain circuit.(c) The outcome distribution of the plain circuit.(d) The encrypted circuit.(e) The outcome distribution of the encrypted circuit.