 Okay, so I'll be talking about the round complexity of secure quantum computation. This is joint work with Andrea dakshida and for me. So it turns out that quantum information is pretty useful for cryptography, and probably the most famous example of this is information theoretic key exchange, but there are many other examples, including quantum money so unclonable currency. Other types of uncolonable cryptography so like encryption or signature schemes with uncolonable keys, for example, provable deletion of information, copy protection of programs and the list goes on and I'm probably missing many citations but the point is that quantum information can be used to perform like various tasks that are completely impossible. With only classical information. Okay, so, you know, one could imagine a world in which quantum information is being leveraged to perform all of these interesting tasks. So the, you know, one prominent goal of classical crypto has been, you know, one goal has been to distribute trust among multiple parties right in order to avoid like single points of failure or corruption, things like this so a pretty natural question to ask is whether these cryptographic tasks that make inherent use of quantum information can be securely distributed among multiple parties. As a concrete example, maybe you have a quantum money scheme, and where of course the banknote generation procedures of course quantum but now you might want to distribute this generation procedure so there isn't a single entity that is just able to generate banknotes right. But, okay, so this is just one one way to motivate a more general task that is the focus of this work, which is secure multi party quantum computation. Okay. So, what is this it's, you know, same as the classical you know well studied classical NPC, except that we're going to allow parties to have quantum computers and quantum inputs, and their goal is now to compute some quantum functionality over their quantum inputs to produce some some quantum output. You know, in its most general form right and, and here actually we could consider like these inputs and outputs also being being entangled. Okay. So, you know to do this of course they'll communicate with each other now over quantum channels right and security is the same as as classically we're going to say that an adversary is corrupting some set of parties say say two and three. They shouldn't learn anything about the honest party inputs, except for what is already implied by their output. Okay. And so of course like classical NPC is extremely well studied and as you know dates all the way back almost to the beginning of modern crypto. The quantum computation has also been studied but of course not as much. So what is known is that you know there are these two works in the early 2000s that constructed information theoretically secure protocols and honest majority setting. Okay. So the dishonest majority setting was considered. And these works DNS DJ JMS. They present basically compilers showing that if you have secure classical computation, you can construct secure quantum computation, even, you know, against malicious adversaries corrupting and arbitrary subset of the parties. You know these, these works really are works establishing the feasibility of secure multi party quantum competition. Right. And so this is kind of the state of affairs prior to our work. So, you know, one, you know potential issue or drawback with these protocols really is they're extremely interactive highly interactive protocols right so particularly like the number of rounds of communication required and keep in mind this communication is in general going to be quantum communication so these parties, you know sending quantum states to each other right. In general, in these protocols it grows with the depth of the quantum circuit. Okay. And so, you know, round complexity is a notion that's been heavily studied in the classical setting. So the starting point of our work our focus is on round efficient secure quantum computation. Okay, so we know these these feasibility results exist. Okay, so now we want to study, you know, whether whether we can really obtain round efficiency in the quantum setting. Right. So what's clear about the particular setting that we are interested in is this dishonest majority setting where adversary can corrupt arbitrary subset of parties can act arbitrarily maliciously during the protocol. Okay, and we're also going to assume some minimal trusted setup so so pretty common model of assuming like a common random string that that the parties of access to. Okay. And so this is the focus of this work. We have various results both in the two party and more than two party or multi party setting and all kind of split this talk into into those two parts. I'll be able to like give all our results statements along with some a little bit about like the techniques we use to get them, but we'll we'll leave a lot of the details to the paper. Okay. So let's begin with the two party case will first look at what's known about classical two party competition. Okay, so these results, you know, debate date back to y'all in the 80s who show that if you assume a two message oblivious transfer oblivious transfers are extremely simple two party functionality right where we have a receiver with a bit be sender with two strings, and the receiver at the end of the protocol learns one of the two center strings. Right so it's very simple oblivious transfer functionality that if you can do this in just two messages, then kind of amazingly you can compute any arbitrary classical functionality over it over to seven inputs xA and xB delivering output to a right so basically OT the simple functionality implies the ability to do secure computation of arbitrary functionalities and even in a round preserving way. Okay, and so sometimes this is called NISC this protocol a non interactive secure computation protocol, and kind of the malicious version like NISC with malicious security was formalized by this work and IPS. Okay, so our first result is just going to be a quantum analog of this right we're going to show that how to construct a quantum NISC protocol. In other words, assuming just the same assumption so well of course now post quantum so assuming post quantum to message oblivious transfer. So we can construct a two message protocol for computing any functionality, any quantum functionality that delivers output to one party. Okay, so quantum NISC. And I can say a few words about how we construct this protocol. To do that we'll need a little bit of background on classical garbled circuits. Right, so a classical garbled circuit is basically consists of two procedures garble and a vowel. And garble takes us input a circuit or functionality f and an input x and produces a garbled circuit f tilde and a garbled input x tilde. Okay, and the evaluation functionality takes this garbled information and produces from it, the output f of x. Okay, and security intuitively states that like this garbled information kind of only contains information about f of x and this is formalized by saying there's a simulator that just just given f of x but not x right can can produce something that is indistinguishable from this garbled information. So this is, you know, it's, it's only non trivial and garble has some is simpler lower complexity in some sense than f otherwise garble could just evaluate f already right but when when garble is sufficiently simple or efficient than this. This object has many applications. Right so this is a classical garbled circuit. It's like for the same thing in the quantum setting right and there's, there's many, there's probably many ways to formalize or like kind of specify what sort of properties you'd want out of a quantum garbled circuit and I will discuss one particular set of properties. So, you know, here, like so let's say you have say a classical description of the unitary you, but in general maybe a more general kind of operation as well. Let's say you have a quantum input x. Right. So, what we want out of our garbled procedure is going to be. Well, the procedure that garbles you and produces you tilde, we're going to require is going to be completely classical. Okay, so, you know, takes a classical description of you and outputs a classical description of you tilde. So, the procedure that takes the input x and produces a garbled input x should be simple in some sense which I'll be more specific about later. But this particular set of properties out of a garbled circuit like was considered in this recent work over Kerski UN. They sketched how you might construct this and then we go and formalize and prove security of it in our work. And this should be clear about what I meant by simple basically the garbling, the input garbling procedure just basically takes your input x appends some zero states and some so called like magic T states. And then re randomizes everything with a random Clifford and this is simple because like basically this Clifford computation is in general simpler than arbitrary and arbitrary quantum operation. Okay. Right, so. We're going to take this object as a starting point, a quantum garbling procedure down here with with a classical unitary or classical circuit garbling sub routine right and we're going to use it to to build the risk. Okay, so recall we have a two quantum parties each with their quantum input. And we want to, we want a to recover that it's output why at the end of interaction. Okay, so. So first we're going to have a send over an encrypted version of its quantum input for this will use something called an in Clifford encoding. And those basically have be send back a garbled input. Okay, so it's going to append like its input xb to a is input x a, and it's going to garble that input by appending zero and two states re randomizing of the Clifford. Right. So this gives a the garbled input we also have to give a the garbled unitary. Right. And so we're going to enable this with a classical to BC or a classical in this protocol. Okay. And this is possible because this procedure that garbles you into utility is completely classical. Okay, so we can kind of run this under a classical to BC and this is very helpful because we're going to get some, you know, malicious security out of our, you know, malicious secure classical and BC so we're going to basically be able to ensure that you till the is is computed properly. Okay. So, right, so a gets this garbled input gets this properly computed you till then and from that is able to obtain its output. So this is the basic idea there's still kind of one big issue that needs to be taken care of like this classical to BC isn't sharing the that you till those correctly computed but what about this garbled input. So, you know, in particular, a malicious party be might send a malformed garbled input, right. In particular, they might not be lying about or they might not send like proper zero and two states. So without going into details, we're going to need to include some extra two message protocols that basically allow a to check for these properly two zero and two states. Okay. And these, these checks are inspired by similar checks that were used in DG JMS in a more interactive setting, and we basically show like two message versions of these, these, these checks. Okay. So yeah, this gives this gives a picture of basically how our quantum this protocol is constructed. So before moving on I will mention a, we have a corollary of this is that we can use this to build a particular type of a designated verifier, a non attractive zero knowledge protocol for q amp a. And it has interesting properties like reasonable malicious security. And like the, you know, the actual statement we get is that like if we combine two message ability is transfer with MDV and is it for MP then we get this protocol for q amp a. Okay. And this is the same. This MDV is it for q amp a is the same object is also constructed by Schmeli also appearing at this crypto conference. So one difference, kind of the advantage of our protocols that the prover and our protocol only requires one copy of the quantum witness state. Okay. Whereas in this other protocol from Schmeli there's the proven needed multiple copies. Okay, so that but this is. Yeah, so this is just one application we have a very, very quantum this. So, good now. I'd like to move on and, and say, well we've so far we've just considered protocols where one party obtains an output. Right. So what if we want, you know, the more general setting where both parties are obtaining some output. And what if we, you know, for the more we want to maintain that the optimal round complexity of two. Right. So there's a pretty natural classical approach to doing this. So if you have some, you know, classical functionality. Now that has two outputs, you can basically consider writing it as two separate functionalities, one that just outputs like a is part of the output, and the other just outputs B is part of the output. And then you could consider running to NISC protocols in parallel. Okay, so you could have, you know, the blue NISC that's delivering a is output and the orange NISC that is delivering these output. This is a natural approach and it can be made to work on the classical setting. However, there are some significant barriers to making this work in the quantum setting. Okay. The reason what one reason is that this seems to require cloning inputs right you need to run these two parallel protocols on the same set of inputs, but if your inputs are quantum you can't in general clone them. Right. And kind of even worse. Like say that this functionality is is randomized. Well what what you're actually doing when you write it as two functionalities is is kind of fixing a particular random string. R, and then using that same random string in both of these like FA and FB, right, because if you didn't do this than these outputs why a YB wouldn't be properly jointly distributed. Okay. So this relies on the fact that you can really take a randomized protocol and make it deterministic by fixing the random string. And this is something also that you just cannot do in the quantum setting right because maybe randomness is coming from measurement. Okay. And so this, this issue, the fact that you can't kind of like fix the randomness and split up the protocol like this is, you know, it even comes up even if these, even if these inputs XA and XB are classical. And then the parties want to compute a quantum functionality over them. Okay, so these are kind of, you know, no cloning and not being able to fix the randomness or two, two issues that kind of prevent this natural approach from from working. Okay. So this is just to highlight, maybe some difficulties in getting a two round protocol. And now I'll basically, I won't be able to go into details about like our technical contributions here, but I'll be able to give results statements. So basically, the first thing we do is we relax the problem a little bit and we, we construct a two round protocol where pre processing is allowed, meaning that the parties can exchange some, you know, messages beforehand before they before they obtain their inputs. Okay. And then once they obtain their inputs is just a two round protocol. And so we construct this object from seven exponentially secure LWE. Okay. So two round two party quantum computation with free processing. Of course, we are also interested in, you know, what's actually happening in in the setting without pre processing like a, like can we actually obtain a truly two round protocol, right. And here it's still like pretty open. Okay, we only have like a partial negative result and a partial positive result. Okay, so our partial negative result is really an attempt to formalize this intuition I was I was mentioning before about what makes this problem possible. And this formalization is takes the form of saying, well, there is a particular like class of simulators, right. That is impossible in the sense that you can't construct a two round protocol with what we call an oblivious simulator and oblivious simulator is basically one that kind of programs the CRS independently of, of which the two parties is corrupt. This is kind of interesting and, or I should say, well we only obtain this results under a, a, a con an information that a conjecture. Okay. But this is interesting because this type of oblivious simulation is optimized for classical to round TPC. Okay, so it kind of shows under this conjecture, a separation between the classical and quantum cases. But we have a partial positive result as well that says that well, if you, you know, assume access to a quantum Oracle, in other words like basically assuming like ideal obfuscation of particular quantum functionality. We have constructed two round two party computation protocol on this necessarily uses not oblivious simulation. But I call it. I'd say this is a proof of concept because we don't even know any heuristic approaches to constructing, you know, obfuscation of quantum circuits right so this is kind of at this point it's not even a heuristic construction it's just a proof of concept and how, you know, maybe suggesting how one might construct such a protocol. Okay, so, again, yeah we have these partial positive and negative results but this question is, is remaining open. So I think that's all I wanted to say about the two party case, I can quickly say something about what we do in the multi party case, and really I'm just going to be focusing on one particular issue that comes up in the multi party case, which is that now we have to be worried about the number of rounds like in the end we want a constant round protocol right so we, we do not want this number of rounds to depend on the number of parties partaking. Right. And to see why this might be difficult. Generally in a PC, you know you have to each party is going to first commit to some input that's going to be used in the computation. Okay. So in a classical setting, you know, every party can like, you know, classically commit to their classical inputs and then broadcast their commitment to other parties, right, in a single round. But broadcasting quantum information is not possible. Again, due to digital cloning. Okay, so let's look at basically how prior work so dg jms how this this work approaches this input commitment commitment phase. So here you have, you know, you have your quantum parties and say you want your first party to commit to their input excellent. What's going to happen is each of the parties chooses their own uniform randomness in the form of a Clifford. And Party one is going to send a Clifford encoding to Party two of their input and then Party two is going to kind of re randomize this with their own Clifford and this is going to continue all the way around the circle of parties. And what we end up with is like Party one holds this encoded quantum state, but the parties all share the encoding key. Okay, so running key is kind of secret shared among all the parties, and this is a good enough commitment to allow a PC. So the issue with this is that like the number of rounds like really grows with a number of parties right you're sending this quantum state around in a circle. And the approach to round to collapse this step is to use teleportation. Okay, so, in the first round we'll have parties like set up API API pairs with each other. Okay. And then what we're going to do is have the parties, you know, teleport and apply their random Clifford's like simultaneously in a single round, right. So this basically leads to the same result as before except that there are teleportation errors now inserted between all of these cliffords. But this is okay because we can then use classical MPC again and like around efficient way to correct these teleportation errors. So this whole input commitment phase can be done in a constant number of rounds. And so this is kind of the one issue I wanted to highlight and I, you know, in the paper we, you know, leverage this and combine with other techniques to eventually arrive at a full fledged constant round multi party quantum computation protocol, in particular, assuming two message OT we get a five round and PCC protocol. And then we also have the same, you know, same sort of result as in the two party case we can do even just two rounds, as long as we allow some input independent pre processing to be able to again follows from sub exponential secure LWE. So this is our result statements in the multi party setting. So now yeah I just wanted to quickly recap. So basically, you know what this work is is an initiation of the study of round efficiency and multi party quantum computation. And there's another, you know, there's a concurrent work also appearing at the script a conference that also studies round efficiency. And I want to also remind you have like, there's basically a few interesting challenges that are that arise that are specific to the quantum setting, when you want to, you know, attempt to kind of come up with round efficient protocols. You know, things like functionalities can not be made deterministic which is quite useful in the classical setting inputs can't be cloned in for quantum information can't be broadcast and so like these are useful things in the classical setting and we need different techniques. In the quantum setting to obtain kind of similar results, right. And finally, this open question that I think is pretty interesting is like does does two round or like round optimal secure computation exist, right we have these, these two kind of partial results. And like kind of this partial negative result that I hope is kind of just eventually going to point to basically new methods for obtaining eventually a positive result but this question is is is remaining open. So, yeah, that's all I wanted to say so so thank you for listening.