 Hi, everyone. Welcome to this Contributed Talk for Eurocrypt 2020. My name is Yfka Dulek, and I will tell you about the protocol for secure multi-party quantum computation with a dishonest majority. So it's a good idea to start with the classical setting. So I will first briefly explain the task of classical multi-party computation before moving on to the quantum setting. With multiple players, indexed by i, each with their own input x sub i. In this example, I drew six players who each have an integer number as their input. Now, the players want to compute some function f jointly on all the inputs. For example, they may want to know what the highest number is that any player has as input. Or more generally, they may want to compute individualized functions f sub i so that each player learns some different piece of information. For example, they may want to know was my input the highest, in which case only the player with input 102 will get the output true and while all other players get false. And the goal in multi-party computation is to compute some such functions while keeping your own input a secret. If there is some trusted third party represented by this figure in the middle here, then this is of course easy. All the players can just tell their input to the trusted party and the trusted party can announce the output. Or in the case of individual outputs communicate with each player individually. So the functionality I describe here with the trusted third party is the ideal setting. But in reality, such a trusted third party is of course not generally available. So an MPC protocol tries to achieve this functionality without the trusted third party. We still have our six players, but now they only communicate with each other. I didn't draw all the arrows here, but everybody can talk to everybody. There are two main properties that we want to achieve. The first one, as I already mentioned, is input privacy. And this privacy should be guaranteed even if multiple corrupted players work together and actively deviate from the protocol to try to learn information about the other players. Importantly, what we can guarantee is that the corrupted player should not learn anything about your input, except what they can already infer from the output. So consider the example of computing the maximum. If you're the player with the input 11 and the other players learn that the maximum input is 102, then they also learn that your input is at most 102. So they necessarily learn some information about your input, but nothing more than what they would have already learned from an interaction with the trusted third party in the ideal setting. And the second property that we want to achieve is some kind of verifiability, namely that the players can be sure that their output is actually correct. For this top, we will consider NPC with a board, meaning that one of two things can happen from the point of view of an honest player. Either the honest player detects that some cheating is going on and he clears an abort, or if he doesn't detect any cheating, the honest player has the guarantee that their output is correct with very high probability. So in other words, the corrupted players cannot force the evaluation of a different function than f sub i without player i noticing. Now there are also a few inherent limitations to this setting. So first of all, we cannot prevent that the honest players lie about their input. That simply falls outside of the model of NPC, and you can also know that in the ideal setting, the players were also given the freedom to choose what they wanted to submit to the trusted third party. Another thing that we cannot prevent, if more than half of the players is corrupted, is something called unfairness. Informally, what this means is that it's possible that the corrupted players learn their outputs and then immediately just abandon the protocol so that the honest players never learn their outputs. And this is something that's impossible to prevent in the case of a dishonest majority, which is the setting that we will consider today. So now that we've reviewed the definition of classical NPC, I'm ready to talk about what we're really here for, which is quantum multi-party computation. The setup is very similar, except that now each player gets a quantum register holding an input and they want to compute some efficient quantum map by on the joint state of the players. Note that I do not make any assumptions on whether or not these inputs are entangled or whether or not they can even be efficiently prepared. During this talk, I'll present to you a protocol for multi-party quantum computation, or MPQC, that has as a subroutine a classical NPC protocol that will be called several times. This classical NPC protocol needs to satisfy the properties on the previous slide, even if all but one of the players are corrupted. And there are protocols that achieve this, although their security against quantum adversaries is still kind of under active investigation. Throughout this talk, I will assume that we will have it as a black box. So in essence, I assume that this ideal trusted third party actually exists as a separate trustworthy player in our protocol. The protocol I will present is secure against coalitions of up to K minus one corrupted players, where K is the total number of players. And it's computationally secure. So there is some underlying hard problem that we assume cannot be solved by quantum computer in all the time. And I want to stress here that this computational assumption only comes from the underlying classical NPC. Our protocol works gate by gate, so we assume that the map phi is given in terms of some quantum circuit. The amount of quantum communication necessary for computing this circuit is in the order of K times D, where K is the number of players, and D is the depth of the circuit in terms of some specific gates, C naught and T. There's also an extra factor log N, the venison security parameter, and that factor arises due to some research generation that the players have to do in an offline phase of the protocol in the beginning. So this is what we'll get to in this talk, but before I present to our protocol, I want to briefly discuss some previous approaches to this task. Essentially, in previous literature, there have been two main approaches to building mpqc protocols. The first approach is to use quantum secret sharing, and here the idea is that every player distributes their quantum input by dividing it up into multiple shares and sending one share to each other player. The secret sharing scheme has a guarantee that you need more than some threshold number of shares in order to learn the input. So these two corrupted players in the bottom will not know what the input of the talk player is as long as the threshold is higher than two. At the same time, if you do have that threshold number of shares, you can always recover the input. So in particular, even if these two corrupted players change their shares or even throw them out completely, the honest player will still have enough of the information to successfully continue the computation. This approach leads to some elegant protocols, but it also does have a limitation. So suppose that also a third player is corrupted. To make sure that the three corrupted players cannot corrupt the entire computation, the secret sharing scheme must have a threshold such that the input can be recovered only from the three remaining honest shares. However, this would pose a problem because the corrupted players would also be able to recover the input from their three shares. So not only does it violate the privacy of player one's input, it also violates the quantum of cloning theorem, because if you can recover from both the top three players and the bottom three players shares, if you can successfully recover the input from that, we would have essentially cloned player one's input. So NPC protocols based on secret sharing seem to run into a barrier where only a strict minority of players is allowed to be dishonest. There is a second different approach that does not have this limitation. It's based on quantum authentication codes. And the idea is that instead of distributing the input so that at most some fraction can be corrupted, the players encode their input into an authentication code. So that it can be sent freely around to the other players. And even if a corrupted player holds the entire authenticated state, it cannot access or alter its content without being detected. The hope is that with quantum authentication codes, we can break the barrier that we have with secret sharing and design protocol that secure up to K minus one out of K dishonest players. This idea was originally proposed in a two player setting where they could tolerate up to one out of two dishonest players. So for K plus two, at least that security seems to hold, but now the goal is to expand this to a protocol for a general K, which we do in this work. So now I've explained to you the setting of multiple quantum computation with a dishonest majority. I've explained how authentication codes seem more promising than secret sharing to achieve this for dishonest majority. Next I will explain in a bit more detail the quantum authentication code that we use, and I'll explain a key concept in our protocol. It will be a way for a player to publicly prove that he holds a publicly authenticated state, properly authenticated state. Later on, I'll give some more details on how the actual computation works, and I'll comment on how the players can jointly generate a resource that they will need called magic states. The specific code that we use is called the Clifford code, and the idea is fairly simple. The key is a random element C from the Clifford group on N plus one qubits, or N is the security parameter. It's not super important to know the exact definition of the Clifford group for this talk. It's efficient to know that it's a group of unitaries generated by a few single to two qubit gates. And that it looks random in the sense that if you apply a Clifford to a quantum state it acts as a kind of one time path to that state. The encoding of a single qubit state psi is done by simply apply, depending a number of zero qubit computation zero qubits to the state, and then applying the Clifford C to the entire state. We call these zero qubits traps to decode C inverse is applied and the traps are measured in the computational basis, if all the measurement between zero, then the authentication is accepted, I'm assuming the data hasn't changed. The guarantee that the Clifford code gives us is exactly this. For any attack a on an authenticated state of N plus one qubits, the probability that a changes the data psi, but is not detected that it still produces an all zero measurement is very inverse exponential in the security parameter. This is due to the structure of the Clifford group which actively randomly distributes an attack to all the qubits including the traps. As a bonus already hinted to it a little bit. The Clifford code also provides privacy. So it's also an encryption scheme and this is actually a property of all quantum authentication codes a quantum authentication code is necessarily also a quantum encryption scheme. So now the question becomes how can we use the Clifford code to achieve mpqc. As I already mentioned the basic idea is to have all players encode their inputs into the Clifford code. But immediately some questions arise with this. First of all, what can we say about the encoded inputs of a dishonest player, how can we trust that this state is actually a valid encoding. And secondly, an authentication code is used to guarantee that the data cannot be altered but in mpqc, we actually want to alter the data because we want to perform a computation. And the answer to both of these issues lies in the use of a classical multiparty computation through a classical mpc the honest players can kind of put a leash on the quantum actions of all the other players. They can pose classical challenges to check that the encoding is performed honestly, and they can use classical key updates to allow very specific alterations to the data, namely only those that are prescribed by the quantum circuit. In the next few slides, I'll tell you a little bit more about the first bullet point, how to test if an encoding encoding was applied honestly. We call this test the public authentication test and actually consists of two phases. The first is the encoding itself which becomes slightly more involved. And the second is the testing which is executed with the help of a classical mpc. Okay, so suppose the player one wants to encode his inputs. What he does is he prepares the Clifford code of this input as normal, except that he prepares double the amount of traps to and instead of them. Then he sends the quantum state to the next player who applies their own random Clifford C2 on top and it continues that way until every player has applied a random Clifford and sends it back to player one. So the state held by player one is now a Clifford encoding with twice the amount of traps and the key is C6 times C5, etc, up to C1. And this product which we'll call C is unknown to all the players as long as at least one player keeps their, their key C supply secrets. Okay, so now let's move on to the actual testing. Note that the traps these two n zeros were created only by player one. So we will ask player one to provide a proof that they were created in the whole zero state by having him sacrifice half of them and to a measurement. Using classical multi-party computation, we select a random linear map G on two n elements. But any such G as the property that G of Y is zero if and only if Y is zero. So on honestly generated traps applying G doesn't do anything. However, on this dishonestly generated traps, which have at least a one in there a random G maps them to a random non zero string. So then it suffices to only check half of that string, because if it's a random non zero string then with high probability, you will see already a one somewhere in the first half. So we're able to show a lemma that says roughly the following, applying a random G and then measuring half of the traps to check that they are zero gives you roughly the same guarantee as having measured all of the traps to check that they are zero. And concretely what we do is through a class. See, we ask player one to apply a Clifford consisting of three steps and do the quoting Clifford C, apply the random linear map G on the traps and the identity of the data. And then apply a fresh Clifford C prime on the data plus and of the traps. And the other end traps will get random bit flips indicated by random string bar. And player one is then asked to measure those last and bits in the computational basis and report the outcome to the classical PC. If you acted honestly then preparing the traps in the zero state applying Clifford instructed his measurement outcome will be are we can show that if he didn't act honestly. Then he cannot come up with this string are except if he guesses correctly, which is a very small probability. Okay, so after the public authentication test is passed. We have the guarantee that with high probability player one is now holding an authenticated state of the form C prime which is a new incoming key applied to the data and the n zero traps. The classical PC knows this key is C prime. Important to note that in second step, this product of CG and C prime is given as a group element of the Clifford group. So particular player one doesn't learn C or G or C prime in the clear and one has to show of course that the product of these three elements does not reveal any relevant information about the individual components, which is the case but I won't go into that today. So to step back a bit from the technical details, the public authentication test achieves the following one player performs the actual test in that he holds the quantum state applies the Clifford measures etc. Well, the, at the same time, all players can verify the test through the classical multi party competition. So even with only a single honest player in the group any cheating will be detected. The authentication test is used in various protocols. So for example, at the start to test whether everybody encode honestly like I described in the previous slide. But also we use a variant of this test during computations where the players can show that they executed a computation step honestly. That brings me to the next section of this talk. I'm going to outline how the classical PC can be used to compute on authenticated quantum data. Essentially computation will have a step by step or gate by gate. We define a collection of sub protocols one for each gated G that will update the encoding of side to an encoding of G applied to psi, possibly under a different key. So we define protocols for single cubit Clifford, which will be easy for the CNOT gate, which is a two cubit Clifford, and for the T gate, which is a non Clifford gate. Together, these three types of gates can be used to construct circuits for general quantum unitaries. We also give a protocol for computational basis measurements so that we can build general CPTP maps. We discussed the last one in this talk, but it's based on some very similar ideas to the public authentication test where one player measures and the rest can verify the measurement. All right, so let's start with the easiest case the single cubit Clifford. This one will feel a bit like cheating because of how simple it is. But let's say we want to apply single cubit Clifford G to an encoded state held by the first player, which is a form C applied to psi and some traps. So if the query computation knows the key C through classical NPC, the players can update their key to a key C prime, which is the product of C with the inverse of G. And if one would now decode the same quantum state using this new key C prime, you can verify that it would actually decode to the pre measurement state of G of psi tensor the zeros. You can measure the zeros to check that they're still in the correct state, and you would end up with G of psi. So that's all. The protocol for single cubit gate is really only a classical key update. And the simplicity is of course due to the fact that we're using the Clifford code so the keys themselves are already single cubit Cliffords. So next let's look at slightly more complicated case a two cubit Clifford the C not we still want to apply it to a state of this form. We have two data cubits psi one psi two each with their own traps and their own liver keys. And the same strategy as before with the classical key update does not work because the new key would not be in product form. In fact, we need to actually do some quantum action. This time and simplified version of the protocols the following. Both cubits get sent to a single player let's say one again, who applies a product of three Cliffords and decoding a C not on the relevant data cubits and encoding with fresh keys C one prime C two prime. And then executes a public authentication test to show that nothing happens to the trap cubit that wasn't supposed to happen. Now if you would spend some time staring at this you may see that this product here. We just told to player one in the first step doesn't necessarily perfectly hide all the information with the old keys C one C two or the new keys C one prime C two prime. In reality, our protocol is slightly more complicated and involves applying a big random Clifford of two and was too cubit on the entire state. And for this the quantum state needs to be sent around so that all players can apply a part of that big Clifford very much like what we did in the beginning of the encoding protocol. So in reality we do need some quantum communication to execute a C not. Finally, I'll show you the sub protocol for a non cliff okay this is the tea gate. This is actually the idea of magic state computation which is depicted by this circuit here. You start with some quantum side and some fixed state T of plus, which is called a magic state for the tea gate, and you execute the circuit consisting of a C not measurement and some classically controlled Clifford control measurement outcome. So what you will end up with on the other side is a state T applied to psi proof this not very involved you can verify for yourself just by computing the evolution of the state through the circuits. But for all these operations C not measurement Clifford, we actually already have protocols. So if we have an encoding of our input psi and an encoding of the magic state. Then, we can produce an encoding of T applied to psi simply by changing together the sub protocols for these gates and measurement. There's just one issue with this approach and that is that nobody can be trusted to honestly create encoded magic states. That brings me to the final part of this talk. How do we generate Clifford code encodings of magic states. I'm going to be pretty brief just giving you the high level overview with some intuitive notions. The generation precedes in two phases. One player creates a whole bunch of encoded magic states in the order of K times and more case number of players and it's the security parameter. Each magic state has their key and these entrusted magic states are in these two phases purified to a single trusted magic state. The first phase is a cutting cheese. The states are also into the next player who selects and random states and asks through the classical NPC for the key so that they can do crypt and test whether they're in the right state. And this continues around the table with every player testing and random states until they're on the left at the end. And in the end there's n states left. And these remaining n copies are pretty good in the sense that with very high probability only a small constant fraction is not in the correct state. And this promise is sufficient for the second phase, where we apply magic state distillation. This is a Clifford circuit that takes n pretty good states as input. And the players can execute the circuits through a multiple computation using the sub protocols for Clifford gates, because those don't require magic states. And in the end, this circuit produces a single magic state that is promised to me very good and with very good I mean that with very high probability the state is exponentially close to the correct state. So this is how to create a single magic state for a single ticket can be done way at the beginning of the protocol and it's known beforehand how many tickets will be executed. All these magic states can be generated in parallel. Okay, to summarize, I have presented the first protocol for multi party quantum computation that is secure, even if all but one of the players is dishonest, the security is computational based on the security of the underlying classical scheme. And the ideas of the protocol are based on a two party computation protocol to bring us and survive. But in contrast to a naive extension of the protocol are ciphertext or encoded states only require two and plus one qubits for security parameter and computation is done gate by gate where Clifford operations are relatively simple, although two qubit gates such as the CNOT, we do require some quantum communication and a public authentication test. A team gate requires more work. In particular, it needs an encoded magic state which we generate from K times and untrusted magic states. This is a big improvement over the end to the power K magic states that were needed in the naive extension of the two party computation protocol. And with that, I thank you for your attention, and I wish you a very rewarding virtual Europe experience.