Blind Oracular Quantum Computation

In the standard oracle model, an oracle efficiently evaluates an unknown classical function independent of the quantum algorithm itself. Quantum algorithms have a complex interrelationship to their oracles; for example the possibility of quantum speedup is affected by the manner by which oracles are implemented. Therefore, it is physically meaningful to separate oracles from their quantum algorithms, and we introduce one such separation here. We define the Blind Oracular Quantum Computation (BOQC) scheme, in which the oracle is a distinct node in a quantum network. Our work augments the client-server setting of quantum computing, in which a powerful quantum computer server is available on the network for discreet use by clients on the network with low quantum power. In BOQC, an oracle is another client that cooperates with the main client so that an oracular quantum algorithm is run on the server. The cooperation between the main client and the oracle takes place (almost) without communication. We prove BOQC to be blind: the server cannot learn anything about the clients' computation. This proof is performed within the composable security definitions provided by the formalism of Abstract Cryptography. We enhance the BOQC scheme to be runnable with minimal physical qubits when run on a solid-state quantum network; we prove that this scheme, which we refer to as BOQCo (BOQC-optimized), possesses the same security as BOQC.


Introduction
Oracle constructions in quantum algorithms provide an essential conceptual framework for understanding quantum speedups.The detailed interrelationship between oracle properties and algorithmic efficiency is complex: an interesting example arises in the Grover algorithm, where the quantum speedup becomes impossible if the oracle has a small probability of failing on every call [1].Moreover, for some quantum algorithms, adding internal dice to an oracle introduces a strong separation.For example, Simon's algorithm, when Figure 1: [5] Alice (left) wants to run a private oracular quantum algorithm, but she has neither a powerful quantum computer nor the knowledge needed to construct her oracle function.Oscar (right) is equipped with a device that evaluates the oracle functions, e.g., it computes stocks' prediction, gives access to a database, or performs massive classical computations.Bob (top), who owns a powerful quantum computer, offers a quantum computing service.However, Alice and Oscar do not trust Bob's quantum computer, and they do not risk revealing information about their computation while running it.Therefore, they execute the computation within the BOQC scheme in which Bob is blinded to the computation.All players are connected to an insecure classical channel (the wireless).Alice and Oscar still need a small quantum power -the small boxes in the bottom, making their computation power "almost classical."Such power is necessary because blindness is impossible for a purely classical client [6].
the oracle has internal dice, is unsolvable on classical computers while it is solvable in a linear time on quantum computers [2].In the standard model, a quantum oracle is specified as a unitary map |x, y → |x, y ⊕ f (x) , where f : {0, 1} n → {0, 1} indicates a subroutine whose code we cannot usefully examine or a "black box" whose properties we would like to estimate. 1 While oracle constructions have been considered artificial, we aim to introduce and analyze a multiparty setting for which the oracle paradigm is physically meaningful.
Our view of the near-term situation in the development of quantum processing is that there will be quantum computers of some moderate power (the servers of the discussion below) owned by particular organizations which offer their service on a quantum internet to clients with small quantum power.We will further assume that there will be nodes on the quantum internet, also with modest quantum processing power, but in possession of some special information or data -the oracles.Consider Figure 1 for an illustration.
We introduce a protocol where a client (Alice), who is aware of these oracle resources on the network, needs to delegate her oracular quantum algorithm to an untrustworthy server.We refer to our scheme as Blind Oracular Quantum Computation (BOQC).The BOQC protocol views the oracle as a trustworthy third party. 2 We will consider the server quantum computer (Bob) to be an untrustworthy party, therefore we adopt the concept of blindness [7][8][9][10], where the server can learn nothing about the algorithm that is running and nothing about the measurement outcomes.Our protocol is set to run any of the family of quantum oracular algorithms, an extensive catalog of which can be found in [11].
BOQC is an extension of Universal Blind Quantum Computation (UBQC) [8], enabling computation controlled by two cooperating clients (the main client and the oracle) that are not interacting during the execution of the computation.We will show that BOQC is composably blind using the Abstract Cryptography (AC) framework [12]; references closely related to our work are [13,14].UBQC allows the desired delegation of computation by a client to an untrustworthy server, where the algorithms are implemented within a measurement-based computation model, that is the One-way Quantum Computer (1WQC) [15,16].The essential resource of 1WQC is a highly entangled qubit state, i.e., a graph state or a cluster state.
The idea of our choice to use the 1WQC model for our protocol stems from an important property of quantum maps over a graph state: combining two quantum operators (graphs) is performed by simply connecting the graphs.Thus, outsourcing a quantum operation to another party means outsourcing the corresponding graph.This outsourcing is not so straightforward in the conventional gate-based quantum computation model.
Initially, the 1WQC paradigm was tailored to perform quantum computations on ultracold atoms in optical lattice systems on which the resource state (cluster states) can be generated efficiently [17].In the 1WQC paradigm, the computation is done by systematically "consuming" the resource via measurements -thus, it is called a "one-way computer."It turns out that the 1WQC paradigm can also be efficiently performed on linear optics systems, whose qubits are memoryless.Several small-scale 1WQC computations have been experimentally conducted on linear optical systems [18][19][20][21][22][23].
However, performing adaptive measurement using memoryless qubits remains challenging.In our companion paper [24], we have sought possibilities beyond memoryless qubits by considering solid-state qubits, since here performing adaptive measurements can be more feasible.However, producing graph states is very demanding, e.g., running an exact quantum search algorithm within a BOQC scheme needs more than 90 qubits for searching one item within five [24].Those motivate us to push forward the implementations of 1WQC using solid-state qubits and to diminish the massive requirement for physical qubits: we propose to prepare a graph state by parts, in a "just-in-time" fashion in which qubits are prepared only when needed. 3 We call our scheme lazy 1WQC, for which we require qubits that possess permanence and can be rapidly re-initialized.
Note that, the reusing-qubits scheme has been analyzed in in [25], which obtains bounds on the number of physical qubits needed.However, here, we provide lazy 1WQC as a clear-cut and explicit scheme that is provably correct.Then, we integrate lazy 1WQC into the BOQC scheme, producing BOQCo (BOQC-optimized).BOQCo is BOQC in which the number of physical qubits is minimal, given that Bob's quantum computer is a solid-state system whose qubits possess permanence and can be rapidly re-initialized.In the BOQCo scheme, the exact search of one item within five exactly requires 4 physical qubits [24].

Measurement-based computation and formalism
Here we review one-way quantum computing (1WQC) [15,16], the measurement calculus [26], and deterministic computations made possible by the existence of flow [27].A computation within 1WQC is executed by consecutively measuring qubits in a cluster state: a highly entangled quantum state, which can be efficiently parameterized by mathematical graphs [28].A cluster state corresponds to the space-time layout of the quantum computer, and consecutive measurements define quantum operations.In this study, we use measurement calculus to describe processes within a 1WQC computation, and we use flow to specify measurement-dependency structure.
A graph is used to represent the resource (cluster state) of a 1WQC computation.The graph's vertices represent qubits whose states are initially in the xy-plane of Bloch sphere, and its edges represent CPHASE gates applied to the corresponding nodes.We will interchangeably use graph and graph state.In particular, open graph is used as a 1WQC resource, that is a triplet (G, I, O), with a set of quantum input nodes I and quantum output nodes O that may intersect, where G = (V, E) is a simple graph4 with a set of vertices V and edges E, I ⊂ V and O ⊂ V , where I = ∅, and O = ∅.For a subset K ⊂ V , G[K] denotes the induced subgraph whose vertex set is K and whose edge set is those from E whose endpoints are both in K -denoted as E(K).Given a node k, we define the following notations: Another formalism that we use here is measurement calculus on measurement patterns (or patterns) [26] in order to describe processes within the 1WQC scheme.A pattern comprises commands: (i) N θ j := prepare qubit j in state |+ θ , (ii) E ij := apply CPHASE between qubits i, j. (iii) M θ j := measure j in the basis |± θ .Finally (iv) X s i , Z s i are Pauli corrections on qubit i for signal s; that is, if s = 1, the corrections X 1 i = X i , Z 1 i = Z i are done, and if s = 0 no corrections are done since In addition, we denote N θ Q := i∈Q N θ i i as preparing a set of qubits Q accordingly.
Apart from those commands, we introduce the following extra notations.First, Z i (θ) signifies rotation about z-axis on qubit i with angle θ; in particular Second, given a graph G = (V, E) with an ordering > on the nodes, for any subgraph where E ij is the entangling command (ii) in measurement calculus; E ij are all mutually commuting.
Note that Pauli corrections can be absorbed into measurement angles [26]: where −θ and θ + π are understood to be evaluated modulo 2π.
A set of angles θ = {θ j } j∈N specifies quantum operations; angle θ j can denote the parameter of a projective measurement performed on node j with projectors where θ j ∈ [0, 2π).The two projectors in (Equation ( 6)) will be reported as outcomes 0 and 1 respectively.We also refer to such a measurement as "measure in basis |± θ j ".An angle θ j may be dependent on signals s <j , that is, measurement outcomes obtained previous to measuring qubit j.It is inevitable that measurements introduce indeterminacies.Thus, adaptive measurements -measurements which are depending on some prior signals -are performed.The adaptive measurement in θ j may be X i -or Z i -dependent on a signal i.If it is X i -dependent, θ j is replaced by (−1) s i θ j ; if it is Z i -dependent, θ j is replaced by θ j + s i π; these replacements are indicated in Equation ( 5).This dependency structure is captured within the notion of flow.It is worth mentioning that it is possible in 1WQC to perform measurements other than those in the xy-plane, such as those in the xz-or yz-plane [29].However, we consider only xy-plane measurements here.
A flow f is a map from the measured qubit to the prepared qubit.f : O c → I c , where A c denotes the complement of set A. More specifically for cluster states, f (j) indicates the X correction and N G (f (j)) indicate Z corrections for the measured node j.By its definition, we will see that a flow induces a partial order that covers V .The state of an open graph (G, I, O) has flow if there exists a map f : O c → I c together with a partial order over nodes V such that for all j ∈ O c [27,29]: Hence, a 1WQC computation can be described with a set where (G, I, O) denotes an open graph with flow f , φ signifies a set of measurement angles, and ρ in is a quantum state assigned to nodes I.
Reference [27] also characterizes an interesting family of patterns as follows.
Theorem 1. [27] Suppose the open graph state (G, I, O) has flow (f, ), then the pattern: is runnable and deterministic for all θ and s.It realizes the isometry A pattern is said to be runnable [27] if it satisfies the following conditions: (R0) no command depends on an outcome not yet measured, (R1) no command acts on a qubit already measured or not yet prepared (except preparation commands), and (R2) a qubit i is measured (prepared) if and only if i is not an output (input).
Theorem 1 provides a sufficient condition in which the existence of flow guarantees a deterministic computation.Notice that in Equation ( 9) we introduce the notation −→ −→ , signifying an ordered product with respect to any given ordering .

Abstract cryptography
Abstract Cryptography (AC) [12] is a mathematical framework that we use to model the security of our protocols.The AC framework ensures composability: a secure protocol in AC is guaranteed to be secure when composing a larger cryptographic system.AC is a constructive cryptography [30], i.e., we are constructing a resource from other weaker resources.To assess the security in such a construction, AC implements an "ideal-world real-world" paradigm in which the distance of resources is used as the security metric.Simply put, we want to construct an ideal resource (resources with desired security in the ideal world) from a real resource (resources found in the real world), while minimizing the distance between the two worlds (or systems).Perfect (or unconditional) security is achieved when both systems are completely indistinguishable.
AC uses a top-down approach: it starts from the highest-level possible of abstraction, then proceeds downwards, introducing in each level the minimum necessary specializations.The framework defines a system as an abstract object with interfaces.There are two types of systems: resources and converters.A resource is a system with a set of interfaces I = {A, B, C, . . .}; each element i ∈ I is associated with a player, which models how party i can access the resource.A converter is a system with two interfaces: an inside interface that is connected to a resource and the outside interface that receives inputs and gives outputs.
A (cryptographic) protocol is a set of converters possessed by honest parties {π i }.Converters π i , π j can be appended to a resource R via their inside interfaces,5 forming a new resource π i π j R with the same set of interfaces. 6Resources and converters can be instantiated with any mathematical object that follows the AC composition defined in [12]; in our case, we can instantiate them with quantum combs [31].The quantum comb generalizes quantum channels, mapping quantum circuits to quantum circuits rather than quantum states to quantum states.Thus, here the compositions may be defined as the operations of quantum combs as well.
A practical view of a protocol is seeing it as an effort to obtain the ideal-world functionalities from the real-world functionalities.Note that this framework does not capture the kind of failure, the severity of failure, nor the cheating strategy.Instead, we ask if the defined ideal resource captures all the security features that we need; otherwise, we define it differently.
Consider a three-party protocol π with players Alice(A), Oscar(O), and Bob(B), where Bob can be dishonest.There are two security requirements that we want to achieve with the protocol π: correctness (or completeness) and security (or soundness).Correctness is a property that can be present only when all parties are honest (no adversary present), defined in Definition 1. Security is a property involving the presence of an adversary (or adversaries), defined in Definition 2 for a cheating Bob.Definition 1. [12] Let π = (π A , π O , π B ) be a protocol with no adversary and R, S be resources.Protocol π is ε-correct if it constructs an ideal resource within ε, viz., R Definition 2. [12] Let π = (π A , π O ) be a protocol with an adversary B and R, S be resources.Protocol π is ε-secure, that is, it constructs an ideal resource within ε, viz., R π,ε − − → S , if there exists a converter σ B (called simulator), such that Here, d signifies a pseudo-metric such that: d(R, R) = 0, d(R, S) = d(S, R), and d(R, S) ≤ d(R, T) + d(T, S).If both definitions above are fulfilled, we say protocol π is ε-secure in producing tasks defined in S, using resources R, and ε is the probability of failing.For ε = 0, we call the protocol π unconditionally secure.
In Definition 2, with Bob being dishonest, an arbitrary system (simulator σ B ) is appended to S at the B-interface in order to make both systems (S and π A π O R) comparable.
The system S σ B is also called a relaxation of S [32], where the definition of simulator σ B is independent of Bob's cheating strategies.A simulator assures that none of these relaxations can be more useful to Bob than the ideal resource.As all relaxations are defined in the ideal world, a real-world system is secure when it is indistinguishable from at least one relaxation of the ideal system.
It now remains for us to practically specify "distinguishing two resources"; here, we use the notion of advantage. 7Two resources R and S are indistinguishable if the rest of the world cannot tell whether it is interacting with R or S; a distinguisher captures the rest of the world.One can think of a distinguisher as a referee who has some access to and can freely interact with an unknown system (R or S).A distinguisher can read outputs, give inputs, take the role of an adversary, generate an arbitrary joint system, measure a joint system, and measure a purification. 8The distinguisher is then asked whether it is interacting with R (B = 0) or S (B = 1).In this setting, the distance metric is called distinguishing advantage.Given D as a random variable that signifies the distinguisher's guess, the distinguishing advantage is defined as 7 Advantage here defined as the probability of guessing correctly minus guessing erroneously. 8Involvement of purification systems is related to hiding information explained in [33].
which is the difference between guessing correctly and erroneously.Perfect security is accomplished when the distinguishing advantage is zero.

Pre-protocol
This paper aims to provide a mechanism for a client to privately delegate her oracular computation with the cooperation of a separate oracle client.For this we propose our scheme, which we call Blind Oracular Quantum Computation (BOQC).There are several BOQC protocols provided here, which vary based on the used resources, e.g., solid-state qubits, photonic qubits, classical or quantum inputs, and based on whether the outputs are classical or quantum.
Consider the following illustration to give a picture of a situation in which a BOQC will be used.Alice wants to run a private oracular quantum algorithm,9 but she has neither a powerful quantum computer nor the resources needed to construct her oracle function.On the other hand, Oscar has the information necessary to generate an oracle quantum circuit.Also, Bob has a quantum computer, offered to clients as a service.While building a reliable quantum computer is very hard, in our idealized setting Alice and Oscar will be motivated to use Bob's quantum computer.However, they do not wish to risk revealing information about their computation while running it on Bob's quantum computer.Hence, they run the computation using the BOQC scheme.Consider Figure 1 that pictures this situation.
We assume that Alice and Oscar (the clients) possess the same level of quantum power, and are always honest.The client-cooperation scheme is implemented with minimal shared information, where Alice and Oscar are not communicating during the protocol run; this is possible by the nature of an oracle in an algorithm, which is a computation independent of the algorithm itself.Since the algorithm is run within the 1WQC scheme, Alice and Oscar represent their algorithms as graphs and measurement angles.In particular, their preparations are captured in Definition 3, the pre-protocol steps, which are performed before the protocol runs.

Definition 3.
[5] Pre-protocol steps.Given that Oscar agreed to provide oracle information for a quantum computation that Alice wishes to run, the following steps are done via an authentic channel before starting a BOQC protocol: (B3) Alice determines a total ordering > that is consistent with the partial ordering .This step is optional for the BOQC protocols (Protocols 1 and 3), but it is necessary for optimized protocols such as BOQCo protocols (Protocols 2 and 4).
(B4) Alice publicly informs Bob of {(G, Ĩ, Õ), V A , V O , , >, b}, where Ĩ ⊆ I is a set of nodes assigned with quantum input ρ in , Õ ⊆ O is a set unmeasured nodes that will be sent to Alice, V A ≡ V (A), and , respectively; simply put, Oscar does not give quantum input and does not receive quantum output.The total order > is given if step (B3) is executed.
Notice that we introduce Ĩ and Õ in addition to I and O.While variables I and O are required to define a 1WQC computation (Equation ( 8)) such that one can describe the resulting computation per Theorem 1, variables Ĩ and Õ signify nodes whose quantum information is associated with Alice.Set Ĩ comprises nodes assigned with Alice's quantum input and Õ is a set of nodes whose state is received by Alice as the final output.For a classical input c = c n . . .c 2 c 1 , where c i ∈ {0, 1}, we can consider it as quantum input with state n i=1 |c i c i | in the formalism used in Theorem 1. Also, a classical output can be considered as quantum output -in the formalism used in Theorem 1 -with a density of states whose matrix is diagonal.
Example 1. Alice wants to run a 2-qubit Grover algorithm and Oscar has the 4-element database.The algorithm comprises one oracle call and is implementable with circuit where A , O f (π) and D(π) indicate preparation, oracle, and diffusion operators respectively.The following steps show the steps in Definition 3 to run a 2-qubit Grover algorithm; the algorithm (the graph state) is taken from [5].

G,
, 10 See Example 1 that shows the process of this step explicitly.
{4}, and a total ordering, e.g., 5 In this example, neither Alice nor Oscar provide classical or quantum input, and I ⊂ V O ; this is consistent with Definition 3 since Ĩ = ∅.Instead, here the input is implicit, i.e., two zeros |00 00|.

The protocol
The BOQC protocol involves three players: Alice, Bob, and Oscar, indicated with A, B, and O, respectively.In the language of AC, we denote the protocol as π boqc = (π A , π B , π O ) -with an honest Bob -which uses a real-world resource R. The resource R comprises three channels: a secure key channel between Alice and Oscar, a two-way insecure classical channel between each client and Bob, and one-way quantum channels between each client and Bob.If Alice expects quantum outputs, a two-way quantum channel between Alice and Bob is needed.
The BOQC protocol is provided in Protocol 1, in a clear-cut style with explicit adaptive measurements.For generality, Protocol 1 admits the case in which Alice requires quantum input and quantum output; integrating classical inputs and outputs to the protocol is straightforward, and it is also discussed.Note that symbol ⊕ is defined as modulo 2 addition.
Every usage of a resource in R -interactions with communication channels -is depicted in Figure 2, where a circled number corresponds to the indicated part in Protocol 1. Figure 2 shows that Alice and Oscar alternately take over the computation (transmitting qubits and giving commands with measurement angles) without communicating with each other, apart from sharing a key in the beginning.In Protocol 1 Bob receives input from Alice as {(G, I, O), f, φ, ρ in A } and input from Oscar as {ψ}, where G is the total graph with flow f , I is a set of input nodes that will be  Alice computes φ i = (−1) s invf (i) φi + z(i)π.

25:
end if 26: Bob measures qubit i in |± δ i basis, then sends Alice and Oscar the outcome si.

27:
Alice and Oscar set si = si ⊕ ri.28: end for 4 Output transmission and correction 29: Bob sends Alice output qubits ρ out B (all qubits i ∈ O). 30: Alice corrects the final output P (ρ out B ) =: ρ out A , where P ≡ i∈O X .
assigned with input state ρ in A , O is a set of output nodes, φ is a set of measurement angles of Alice's nodes, and ψ is a set of measurement angles of Oscar's nodes.Prior to the protocol, we assume pre-protocol steps in Definition 3 have been successfully done.
Protocol 1 comprises five steps: 0 pre-preparation, 1 state preparation, 2 graph state formation, 3 classical interaction and measurements, and 4 output transmission and correction.The interactions of players via a channel at each step are depicted in Figure 2. The protocol is initiated by establishing a symmetric key between Alice and Oscar via a secure key channel -step 0 .This step allows them to privately delegate their joint computation: in particular, it allows them to know the actual measurement outcomes so that their adaptive measurements can be computed independently.Step 1 -4 comprises the delegated computation process: 1 the clients send Bob the encrypted qubits, 2 Bob entangles the received qubits, 3 the clients communicate to Bob the measurement angles, and 4 Bob sends the output qubits if necessary, i.e., quantum outputs.
The following lemma (Lemma 1) shows that, for any computation, the obtained pattern in Protocol 1 without randomness is identical to the obtained pattern in the 1WQC scheme.The proof of Lemma 1 is available in Appendix A. Lemma 1. [5] Suppose the open graph state (G, I, O) has flow (f, ), then the following patterns P 1 , P 2 are identical ∀φ i : where z(i , and invf (i) = 0 for all i ∈ I.
Patterns P 1 and P 2 give different points of view in writing the corrections: Pattern P 1 shows the obtained correction from measuring i, while pattern P 2 shows the corrections that can be done before measuring i. 11 Those points of view were first introduced in [34].
See Table 1 for an illustration.

G,
Table 1: Correction terms in Lemma 1 with graph (G, I, O) from Example 1.In pattern P 1 , upon measuring i, X-correction goes to node f (i) and Z-corrections go to nodes N G (f (i)) \ {i}.In pattern P 2 , before measuring i, X-correction is performed based on measurement invf (i) and Z-correction based on measurements z(i).
Using Lemma 1, we obtain Theorem 1, which states that an algorithm run within the BOQC implements the same map as when the algorithm is run directly within the 1WQC, without requiring Alice and Oscar to share any of their secrets.The proof of Theorem 2 is available in Appendix A. Theorem 2. [5] The BOQC protocol π boqc defined in Protocol 1 delegates a computation with the isometry defined in Theorem 1 for the same computation, without requiring Alice and Oscar to communicate their computations to each other.

The quantum power
Like UBQC, BOQC is a protocol that involves a clear separation of quantum power between client and server, where a client is only capable of producing and transmitting quantum states of the form |+ θ , while the server is presumed to posses unlimited quantum power.While this formulation is exactly true for classical input and output ( Ĩ = Õ = ∅), a client needs higher quantum power for quantum input and output, i.e., Ĩ = ∅ or Õ = ∅.Table 2 summarizes the minimal quantum power requirement of running BOQC protocols with various input-output types.recall that Z |+ = |+ π .Since the quantum one-time pad is unnecessary, the random string t is omitted (or setting t i = 0, ∀i).Thus, requirements (C3) and (S3) vanish.Now, when Õ = ∅ (entirely classical output), measurements will be performed on all qubits i ∈ V and Bob does not need to prepare state |+ himself nor to send Alice the final outcome ρ out B .The first removes requirement (C2), which replaces the loop in line 18 with "for i ∈ V which follows partial ordering ." The latter eliminates requirement (S2), which removes line 16 and removes step 4 entirely.
Therefore, the lowest quantum power demand occurs for the entirely classical input and output case, i.e., Ĩ = Õ = ∅, requiring only (C1) and (S1).We provide an explicit BOQC protocol for entirely classical input and output in Protocol 3, Appendix B.

BOQC optimized: BOQC on solid-state qubits
The 1WQC -as well as BOQC -can efficiently perform computations on memoryless quantum computers, such as photonic qubits, which is shown by successful experimental demonstrations on linear optics quantum computers: 1-and 2-qubit gates [18], 2-qubit Grover's algorithm [20], Deutsch's algorithm [21], blind quantum computing [22], and verification of quantum computations [35].However, extending the experiments to perform more complex computations is very hard since the individual qubit control is tricky in memoryless qubit systems.Individual-qubit control on solid-state systems are more promising, but scalability remains challenging.This problem motivates us to come up with an "optimized" version of the BOQC, which we will call BOQCo (Blind Oracular Quantum Computation-Optimized ).
BOQCo allows us to perform BOQC algorithms with a minimal number of physical (solidstate) qubits.BOQCo is runnable on an appropriate platform 12 whose qubits possess permanence and can be rapidly re-initialized.
We prepare the graph in parts to minimize the number of physical qubits; the qubits are initialized only when needed.We call such a strategy lazy 1WQC in which the server only needs to prepare the closed neighborhood of the qubit about to be measured. 13Note that such a graph preparation has been introduced in [37] but restricted to graphs with the same number of inputs and outputs (|I| = |O|); here, we extend it to arbitrary graphs with flow.

Lazy 1WQC computation
The lazy 1WQC is a 1WQC-computation scheme that allows one to prepare parts of the graph state as needed such that the number of physical qubits is minimal.The lazy 1WQC scheme is shown in Algorithm 1 with input where (G > , I, O) is an open graph with total ordering > that follows the flow f , φ is the set of measurement angles, and ρ in is the state assigned to I. Note that to describe a lazy 1WQC, one needs an additional parameter, total ordering >, compared with the description of a 1WQC computation in Equation (8).That is, the user must settle on a total ordering > beforehand. 14Any two valid total orderings will result in the same computation and have same requirement on the number of physical qubits, but they might require different coherence time for the qubits, as we have illustrated on our work on the Grover algorithm [24].
Algorithm 1 shows the general case, where the input and output are quantum. 15If the input is classical, one can trivially encode as a quantum state ρ in implemented as the following.Given the input state as a bit string c, one can implement by setting the input Algorithm 1 Lazy 1WQC computation (III) s invf (i) = 0 for all i ∈ I.
1: Assign ρ in to the input nodes I.
2: for i ∈ V with ordering > do 3: assign state |+ to node k 5: end for 6: Apply entangling operations E > iN G (i) .7: Measure i in basis |± φ and obtain measurement outcome si.10: else 11: Correct output i applying X . 12: end if 13: end for nodes as |+ c i π for all i ∈ I.If the output is classical, all nodes in O will be measured, i.e., the loop in line 2 is replaced with   The allocation of fresh physical qubits, which corresponds to grey nodes in Example 2, occurs in Algorithm 1 in lines 3-5; these qubits are then initialized with state |+ .We denote such a set of nodes as which is a closed neighborhood, excluding the ones that have been assigned before.We assume that the input nodes i ∈ I are assigned with the desired quantum input ρ in before the scheme starts.As it is obvious that A(i) ⊆ V , the lazy 1WQC scheme does not construct the whole graph state at once. 16n the following, we establish the correctness of the lazy 1WQC.That is, we show that it results in the same computation as the standard 1WQC scheme.Then we derive bounds on the number of physical qubits needed.
First, note that we can write the resulting pattern of Algorithm 1 by consecutively placing the initialization, entanglement, Pauli-correction, and measurement commands: where z(i) := k<i,i∈N G (f (k)) s k and invf (i) = 0 for all i ∈ I.Note that the specification of Pauli operators before measurement follows Equation ( 5).
Theorem 3 formally states the correctness of the lazy 1WQC, with the help of Lemmas 1 to 3. The proof of each lemma is available in Appendix A.
Lemma 2 shows that in every time-step, one must assign at least one fresh qubit.Followed by Lemma 3 which shows that every non-input qubit is assigned once.Lemma 4 proves that we recover the whole graph.Note that, these lemmas (Lemmas 2 and 3) consider the general case -quantum input and output -in which the input nodes are initialized beforehand.Finally, we prove the correctness of lazy 1WQC in the following theorem.
[5] The lazy 1WQC scheme and the 1WQC scheme implement the same map, they produce the same output for the same input.
Proof.The following proof is similar to the one in [5].Let {(G > , I, O), f, φ, ρ in } := I be the input of the lazy scheme (Algorithm 1), where > is consistent with the flow (f, ), i.e., the flow of the open graph (G, I, O).Since > is consistent with , I is a valid input of the 1WQC scheme.
One can prove the map equality by comparing the patterns, e.g., we will show that P 1wqc in Equation ( 9) can be reduced to pattern P lazy in Equation (15).Using previous results, we have Lem. 1 Note that in the third equality, the partial ordering is replaced with the total ordering >; this is valid since > is consistent with .Now we need to commute the entangling and preparation operators such that they are distributed according to the lazy scheme.First, consider any two nodes i and k, where i, k ∈ O c and i < k.The preparation and entangling operators are commuting, i.e., However, we need to check if the condition of causality holds: there is no entanglement operation involving qubits that are already measured or not yet created.Denote the set of edges e(i) , edges that correspond to entangling operations E > iN G (i) .By definition, set e(i) does not contain any node that has already been measured, namely any k < i.The nodes that correspond to edges e(i) are By definition, A(i) contains all nodes in N G [i] minus the ones that have already been created I ∪ k<i N G [k], thus ∀x ∈ e(i), x ∈ {(i, j) | j ∈ ∪ j≤i A(j)}, which means every qubit connected by an edge in e(i) is already initialized.Thus, there is no entanglement involving a qubit that has not yet been created.Therefore, Equation ( 20) is causal.
Considering the measurement operator and the Pauli corrections, we need to commute the entangling operation through them, namely which is true if and only if i ∈ n(k).By definition of n(k) (see Equation ( 21)), i < k, thus, i ∈ n(k).Thus, we can distribute the entangling and preparation operators in Equation ( 16) with respect to the ordering > and obtain j∈O (X Since the minimal number of physical qubits is the pivot in the lazy 1WQC, it is natural to ask for a bound on the number of physical qubits for an arbitrary 1WQC computation.We provide Conjecture 1 to immediately suggest an answer.The intuition behind Conjecture 1 stems from a property of a graph with flow; namely, the number of nodes per layer cannot shrink.It is due to non-colliding correction nodes: two distinct nodes i, j can not have the same X-correction node, f (i) = f (j); otherwise, it violates the flow criteria (Equation ( 7)).
Conjecture 1.The number of physical qubits required to run lazy 1WQC in Algorithm 1, regardless the input and output type -whether classical or quantum -is bounded by |O| + 1.

The BOQCo protocol
Executing a 1WQC computation within the lazy scheme reduces the number of physical qubits vastly, bounded to |O| + 1 per Conjecture 1.Here we integrate the lazy 1WQC paradigm into BOQC, producing a protocol that we call BOQCo (BOQC-optimized).BOQCo allows the server to prepare the graph state as needed, employing the minimal number of physical qubits while maintaining the blindness of the multi-party scheme.17 The BOQCo protocol is shown in Protocol 2; in AC language, we address it as π boqco = {π A , π B , π O }.The scheme employs a strategy identical to BOQC to provide blindness; it is apparent from the introduced randomness: r, t, α, β.The distinguishing feature of BOQCo lies in the distribution of the computation, which follows the lazy 1WQC.Alice computes φ i = (−1) s invf (i) φi + z(i)π.

23:
Bob measures i in |± δ i basis, sends Alice and Oscar the outcome si.

28:
end if 29: else output qubit transmissions and corrections 30: Bob sends Alice qubit i.

31:
Alice corrects qubit i by applying X .

32:
end if 33: end for In the BOQCo, we divide the process into three main steps: 0 pre-preparation that is identical to BOQC, 1 computation part by part, which is BOQC (excluding prepreparation) done one part at a time, and 2 output transmission and correction that is also identical to BOQC.The input and output of the BOQCo protocol is identical to the BOQC, i.e., it receives input from Alice as {(G, I, O), f, φ, ρ in A } and input from Oscar as ψ.
We define the correctness of a BOQCo computation as if it is run in the 1WQC scheme.Formally, we state the correctness in Theorem 4, where the proof is provided in Appendix A. Theorem 4. [5] The BOQCo protocol π boqco defined in Protocol 2 delegates a computation with the isometry defined in Theorem 1 for the same computation, without requiring Alice and Oscar to communicate their computation to each other.
In terms of quantum power between clients and servers, BOQCo has requirements identical to those of BOQC as discussed in Section 3.3.This is because BOQC and BOQCo differ only in the ordering among qubit transmissions, entanglements, and measurements.

Security analysis
This section elaborates on the security of BOQC and BOQCo using the AC framework.We promise composable blindness for our protocols.For that, we need to achieve two statements: correctness and security (blindness).We separately discuss each statement: Section 5.1 for correctness and Section 5.2 for blindness.In the end, we investigate the consequences of our security definition; the issue of leaked information in the ideal resource puts limits on the permitted graph states of oracles.

Correctness
We use Definition 1 to state the correctness -also know as completeness -of BOQC and BOQCo protocols.Here, we prove that both protocols are perfectly correct (ε = 0) and realize an ideal resource S, denoted as R π boqc ,0 where R is the real-world resource connected to the protocols and S is defined in Figure 4.In both protocols, resource R comprises a secure key channel, quantum channels, and insecure classical channels.
, where E is the resulting superoperator of the algorithm, i.e., E is the isometry described in Theorem 1.Some classical information AO = {(G, Ĩ, Õ), f, V A , V O , , >, b} leaks on Bob's interface, which corresponds to public information in Definition 3, and is necessary to set up the protocol.
The ideal resource S describes the BOQC system in the ideal world when Bob is honest.Resource S has an identical description of inputs and outputs with the BOQC protocol in Protocol 1. Resource S also describes the BOQCo system in the ideal world.It also has an identical configuration of inputs and outputs with Protocol 2. The leaked information AO is not apparent in the protocols (Protocol 1 and Protocol 2); however this leakage is revealed in the proofs of the correctness theorems: Theorem 5 for the BOQC and Theorem 6 for the BOQCo.Theorem 5. [5] The BOQC protocol π boqc = (π A , π O , π B ) defined in Protocol 1 is perfectly correct and emulates the ideal resource S defined in Figure 4.
Proof.The following proof is similar to the one in [5].Protocol π boqc is correct if it satisfies Definition 1: d(π A π O Rπ B , S) = 0, i.e., resources π A π O Rπ B and S must be perfectly indistinguishable, where d is a pseudo-metric with properties discussed in Section 2.2.Which means, we show that the distinguishing advantage (defined in Equation ( 10)) is zero.For that, we show that both resources have the same -or statistically the sameinputs and outputs.
First, we show that π boqc and S have an identical description of inputs.As shown in Protocol 1, the protocol receives inputs {(G, I, O), f, φ, ρ in A } from Alice, ψ from Oscar, and no honest input from Bob.These inputs are identical to the inputs of S.
Second, S sends an output , where E is the superoperator with an isometry given in Theorem 1; using Theorem 2, BOQC also implements that isometry.
Finally we show that BOQC leaks the same information as S, which is AO .Bob receives information {(G, Ĩ, Õ), V A , V O , , >, b} in the protocol, which is public information obtained from the pre-protocol steps defined in Definition 3 before the protocol starts.The public information is identical to leak AO .Bob is not curious in this setting, thus there is no additional information obtained beyond AO .
We note here that Bob does not erase the received information, as it is required to run the protocol and to provide the bill for his clients. 18he resource S models a general case in which Alice expects quantum input and quantum output, i.e., Ĩ = I and Õ = O.If Alice needs only classical outputs, Bob will measure all output nodes O and her output density matrix ρ out A has diagonal form in the security model S. The same applies to the classical input, e.g., for a bit string c = c n . . ., c 2 c 1 , we set ρ in A = n i=1 |c i c i | in the security model.Note that, per Definition 3, Bob knows beforehand the input-output type, which is captured in the leaked information Ĩ and Õ.For instance, Bob knows the input is entirely classical if Ĩ = ∅.Such information is necessary for Bob to prepare his channel.
As the counterpart of Theorem 5, we prove the correctness of BOQCo protocol in Theorem 6: Theorem 6. [5] The BOQCo protocol π boqco = (π A , π O , π B ), defined in Protocol 2 is perfectly correct, and emulates ideal resource S defined in Figure 4.
Proof.The following proof is similar to the one in [5].Using Definition 1, correctness is achieved when d(π A π O Rπ B , S) = 0. We prove this condition by reducing BOQCo to BOQC.
First, Protocol 2 (BOQCo) has the same inputs as Protocol 1 (BOQC).Applying Theorem 4, BOQCo also results in the same computation as BOQC, thus, the same output.Secondly, BOQCo and BOQC differ only in the ordering among transmissions, entanglements, and measurements; thus, there is no additional leak introduced beyond AO (Figure 4).In terms of correctness, BOQCo is reducible to BOQC.Finally, since BOQC is perfectly correct within the composable definitions, BOQCo is also perfectly correct within the composable definitions.

Blindness: when Bob is malicious
It remains to provide the security -also known as soundness -statement for BOQC and BOQCo protocols to achieve a composable secure definition.The security that is aimed for is perfect blindness, meaning the adversary (Bob) can learn nothing about the computation or the measurement outcomes.The same principles used for proving correctness apply also to prove blindness.We set the security model in the ideal world Figure 5: [5] Ideal resource S , the ideal-world resource when Bob is malicious.The input and output setting on the clients' interfaces is identical to S -Figure 4. Resource S does not take any honest input from Bob, but he may entangle Alice's input with his state (ρ in AB ) and apply a superoperator of his choice (E), obtaining Ẽ(ρ in AB ).Variable B captures all Bob's dishonest inputs, which determines the final output ρ out A .Input B is used to send the extension ρ in B to S , and to determine map Ẽ.
that captures the desired blindness, and then prove that our protocols that live in the real world are indistinguishable to the ideal-world model.However, while the correctness captures the system when everyone is honest, the blindness captures the situation when in the presence of an adversary, i.e., when Bob cheats.
In the presence of an adversary, our protocols realize the ideal resource S that is defined in Figure 5. Resource S models the ideal system in the ideal world when Bob is malicious.On the clients' side, S has the same input and output configuration as S; however, in resource S , Bob provides dishonest inputs as he wishes, which is captured in B. Nevertheless, both resources S and S leak the same information AO .
Given that R is the real-world resource used in our protocols, we need to achieve statements R π boqc ,0 − −−−− → S where ε = 0 signifies perfect blindness.To prove that, we must satisfy Definition 2, i.e., there exists a simulator σ B , such that d(π A π O R, S σ B ) = 0. Recall that a simulator σ B is needed to make S and π A π O R become comparable, i.e., π A π O R has more inputs and outputs than S .See the proof of Theorem 7 for explicit details.Theorem 7 provides the security statement of the BOQC protocol, whose relaxation S σ B is defined in Protocol 5 and in Appendix B. Theorem 7. [5] The BOQC protocol with dishonest Bob π boqc = {π A , π O }, defined in Protocol 1, is perfectly blind and realizes the ideal resource S defined in Figure 5.
Proof.The following proof is similar to the one in [5].Applying Definition 2, R π boqc ,0 − −−− → S if there exists a simulator σ B such that d(π A π O R, S σ B ) = 0; thus, we must find a relaxation S σ B that is perfectly indistinguishable from π A π O R. Suppose the relaxation S σ B is defined in Protocol 5, then we proceed to prove that it is indistinguishable from π A π O R.
To simplify the problem, we first reduce the protocol to a one-client protocol as follows.Consider a pictorial representation of π boqc (in the absence of Bob) in Figure 6; it clearly shows that the common information between Alice and Oscar is the keys s, t, shared via a secure key channel.Since it is known that a secure key channel guarantees secrecy and authenticity, Alice and Oscar obtain their keys without leaking any information to Bob.
Each variable corresponds to the one in Protocol 1.We distinguish measurement outcomes on Alice's interface (s i ) and on Oscar's interface (s i ), because Bob is allowed to be dishonest, thus si and si may be different.The left-hand side denotes the outside interface of the converters.The righthand side indicates the inside interface connected to resources: secure key channel (dashed double arrow), classical channel (single arrow), and quantum channel (double arrow).The strike-through line indicates multiple qubits.
Therefore, we may think that Alice and Oscar have already shared the keys before the protocol starts.Thus, protocol π A π O is reducible to a one-client protocol π AO , shown in Figure 7, where the alternating part between Alice and Oscar is captured within functions θ(i), s(i), and δ(i).
Relaxation S σ B defined in Protocol 5 is pictured in Figure 8.Thus, we now can prove the statement d(π A π O R, S σ B ) = 0 by showing that Figure 7 and Figure 8 are indistinguishable.
Notice that Figures 6 and 7 clearly show identical inputs and outputs, indicated by the same configuration of arrows.Thus, it now remains for us to prove that the arrows with a circled letter are (statistically) the same.
Remark that we focus only on blindness without verifiability.Since verification is not involved, Alice does not care whether her computation is correct or not.That is, some information related to the computation can be arbitrary, such as ρ out B , si , si , and δ i .Consider the information sent by Bob: c ρ out B , e si , and f si .First, in both figures, ρ out B is an arbitrary state chosen by Bob (simulator).Second, in Figure 7, si and si signify measurement outcomes seen by Bob, which is random information independent of the actual measurement outcomes: s i = si ⊕ r i and s i = si ⊕ r i .The same is true in Figure 8; si , si are arbitrary information inputted to Bob's interface in S .
We now analyze the information received by Bob: a , b , and d δ i .First, in both figures, δ i are uniformly distributed random angles, independent of the actual measurement angles, φ i , ψ i .Second, consider the information at a , namely at input node i ∈ I.In Figure 7, a is an encrypted input state X t i Z i (α i )(ρ i ), where ρ i := tr I\i [ρ in A ].In Figure 8, a is an uncorrected teleported state which is identical to a in Figure 7. Third, for b , consider i ∈ V A .In Figure 7, b is |+ α i .In Figure 8, b is a remote state preparation [38] Finally, since both figures have the same inputs and outputs, it remains to show that the leak is given by AO .The leak of information AO is inputted to the simulator from Bob's interface.The simulator does not use the leak to create any useful information.Now we need to prove that the simulator does not learn anything beyond AO .For that, the information received by the simulator must be independent of the computation.First, δ i is an arbitrary angle, thus independent of the computation.Second, a and b are completely mixed states because of the randomness α i , β i ; thus, the simulator cannot guess α i or β i with complete certainty.A curious Bob might correctly guess other information such as the flow f , however it gives him no advantage.Therefore, there is no more leak than AO throughout the protocol.This concludes the proof.
Note that our strategy for constructing the simulator σ B in Protocol 5 comes to us from the work on composable security of delegated quantum computation by Dunjko et al. in Ref. [13].However, its usefulness in our case is only guaranteed by Theorem 2.
Here we consider the general case when Alice's input and output are quantum, i.e., Ĩ = I and Õ = O.The security is maintained as long as the input-output configuration admits the security model S .Thus, the security is maintained for Ĩ ⊂ I and Õ ⊂ O for the following reasons: Such a relaxation can be straightforwardly derived from Protocol 5 by rearranging the process order, viz., qubit transmissions, entanglements, and measurements according to the lazy computation in Algorithm 1 (the relaxation is shown explicitly in Protocol 6, Appendix B).
Since BOQCo and BOQC differ only by the process order, they have the same configuration of inputs and outputs.Therefore, π A π O R and S σ B have pictorial representations as Figure 7 and Figure 8, respectively, where the figures are proven to be indistinguishable in Theorem 7. The difference in the process order will not reveal any information about the computation because the ordering is determined before the protocol starts, arranged in pre-protocol steps (Definition 3).
Since we obtain an indistinguishable relaxation to π A π O R that has the same leak as BOQC, this concludes the proof.

The BOQC-compatible graph states
The BOQC and the BOQCo protocols provide simple cooperation between Alice and Oscar to delegate their blind computations, allowing the malicious Bob to learn no more that public information AO := {(G, Ĩ, Õ), V A , V O , , >, b}.The leaking information AO is insufficient to infer the computation, but there is a catch: Consider an example of a real-life situation in which Oscar's company is well-known for storing massive confidential databases.Thus, Bob might reasonably make an priori assumption that they are running a quantum search algorithm.If the oracle's graph varies according to the request being made, Bob might infer some information about Alice's request, such as, a simple graph marks a zeros state in the Grover algorithm.Thus, Oscar's oracle graphs must remain the same for all requests; he is only allowed to vary only the measurement angles for different queries.We call such graphs, i.e., a class of graphs that runs a set of different requests, "BOQC-compatible" graphs.
A BOQC-compatible graph is a standard oracle graph, determined by Oscar, for a class of requests.One can use a universal graph, e.g., a fixed-size brickwork state as introduced in Ref. [8]; however, the number of qubits increases rapidly with the circuit depth of the gate model representation.Another strategy is to optimize the graphs, constrained to the set of requests as done in Ref. [24], for 2-and 3-qubits exact Grover algorithms.The resulting graph is significantly more compact than the brickwork graph.

Conclusion
Here, we have introduced BOQC, a secure client-server oracle computation scheme with three parties, that is an extension of the UBQC.Our scheme provides a means for a client, without a quantum computer and without the capability of performing the oracle evaluation, to securely cooperate with an oracle client to delegate the oracular quantum algorithm to a malicious quantum server.We formally prove that BOQC is blind within composable definitions using the Abstract Cryptography framework.A drawback of our security definition is that it requires BOQC-compatible graphs as graph states.We extend BOQC to BOQCo (BOQC-optimized), which adapts the protocol for efficient use on a solid-state quantum network, which has the attributes that the server's qubits possess permanence and can be rapidly re-initialized.We provide explicit BOQC and BOQCo protocols that deal with both quantum and classical input and output.The BOQCo scheme allows the server to employ a minimal number of physical qubits; in separate work we show how the scheme enables the implementation of Grover and Simon algorithms in a realistic NV-center network.While our protocols promise blindness, we cannot tell whether the server is being malicious; thus, integrating verifiability into our protocol would be a desirable next step in this work.
Consider the X-corrections.After measuring i with output s i , the X-correction propagates to qubit f (i), that is, X s i f (i) will appear before measuring f (i), as seen in P 1 .Equivalently, 19 qubit f (i) receives X-correction from measurement outcome of qubit i, where i is the preimage of f (i).Thus, before measuring f (i), the correction from measuring i must be present, namely , which is the corresponding operator in P 2 .
The same treatment applies to the Z-corrections; however, the corrections propagate to a subset of nodes instead of a single node.From pattern P 1 , measuring i produces Zcorrections on nodes {N G (f (i)) \ {i}} =: K, which are the neighbors of f (i).From the perspective of k ∈ K, qubit k receives corrections from all measurement outcomes of i, where the set of neighbors of f (i) contains k.From the flow condition, we know that i ≺ k, meaning that i has already been measured.Thus, the Z-correction of qubit k must include all measurement outcomes from qubits {i Since every node is corrected by one Pauli operation, the correction of the output can be represented as an operator acting on the output qubits.Note that the output qubits lie in the last layer of the graph: for all k ∈ O, for all i ∈ O, we have k ≺ i; thus, the corrections can appear at the very end of the pattern.Theorem 2. [5] The BOQC protocol π boqc defined in Protocol 1 delegates a computation with the isometry defined in Theorem 1 for the same computation, without requiring Alice and Oscar to communicate their computations to each other.
Proof of Theorem 2. Given are Alice's input {(G, I, O), φ} together with a flow f , and Oscar's input ψ.We can write the total computation as {(G, I, O), θ}, where θ = φ ∪ ψ contains measurement angles for all nodes i ∈ O c .We need to show that Protocol 1 results in pattern First, we consider Alice and Oscar as one client called super-Alice.Omitting the randomness r i = α i = β i = 0,20 running a computation with Protocol 1 results in the pattern where z(i) := k≺i,i∈N G (f (k)) s k .Thus, with the absence of randomness, P R = P S .
Second, consider γ, a random variable that contains α and β, thus γ = α ∪ β.Including γ and r in the computation, 21 we obtain pattern Thus, using Equation (5) and commutation 22 The random angle πr i is canceled out by flipping the measurement outcome, s i = s i ⊕ r i , which is expressed in the superscript of Z-corrections.Thus, equality P R = P S is maintained.
Third, we show that encryption of the quantum inputs X t i i Z i (α i )(ρ in ) is perfectly decrypted during the process.Random variable α i is cancelled out in the same manner as removing γ above.The random variable t i is canceled out by flipping the sign of the measurement angle23 M θ i X i ρ in = M −θ i ρ in .Thus, we conclude that ρ in is intact.Finally, we divide super-Alice into Alice and Oscar.Calculating corrected angles is separately done, since they know the real measurement outcomes s i = si ⊕ r i .Canceling out the z-rotations R z i (α i ) or R z i (β i ) is also done separately, see lines 21 and 24 of the Protocol.Thus, Alice and Oscar keep their measurement angles and the random variables to themselves.Lemma 2. [5]Suppose the open graph state (G > , I, O) has flow (f, ) and a proper total order >, then A(i) contains at least f (i) for all i ∈ O c and A(i) ∪ A(j) = ∅ for all i = j.
Proof of Lemma 2. We need to prove that f (i) ∈ A(i) and A(i) ∩ A(k) = ∅, k = i, for all i, k ∈ O c .Proof of the first part: Using the existence of flow f : O c → I c , thus f (i) =: j exists (where j ∈ I c ), and Equation ( 7) applies.It follows that j ∈ N G (i), and also j ∈ N G [i], where j i.But j ∈ ∪ k<i N G [k], because the flow condition k ∈ N G (j) \ {i}, k i (it is also true that k > i);24 then clearly j ∈ I. Thus, A(i) contains at least f (i).For i ∈ O c , by using Lemma 2, A(i) contains at least f (i).Note that f : O c → I c ; thus, invf (k) =: j exists, where j ∈ O c .Therefore, k ∈ A(j).Moreover, from Lemma 2 we know that S = ∅.
For i ∈ O, we have A(i) ⊂ O because if A(i) contains an element in O c , it is covered in the case i ∈ O c above.As output nodes also have a total ordering, ∪ i∈O A(i) covers all output nodes that are disjoint to O c nodes.
We arrive at a contradiction, so the assumption is incorrect, and we conclude that I c \S = ∅ or I c ⊆ S. Proof of Lemma 4. Note that we are employing the notation of Equation ( 4).Denote (i, j) as an edge in E(G) with end nodes i and j.If we represent i∈V E > iN G (i) as a collection of edges, we obtain i∈V {(i, k) | k ∈ N G (i), k > i} =: S. On the other hand, the Handshaking lemma [39] implies that, i∈V {(i, k) | k ∈ N G (i)} will result in a multiset that contains double copies of edges -∀a ∈ E(G) the multiplicity of a is 2, where signifies the union of multisets [40].Thus restricting to edges (i, k) where i < k eliminates the double counting; therefore S = E(G).Theorem 4. [5] The BOQCo protocol π boqco defined in Protocol 2 delegates a computation with the isometry defined in Theorem 1 for the same computation, without requiring Alice and Oscar to communicate their computation to each other.
Proof of Theorem 4. We use the same reasoning as in the proof of Theorem 2 by showing that the resulting pattern from Protocol 2 can be reduced to the pattern in Theorem 1.Note that, in this context, converters π A , π O , and π B correspond to procedures of the BOQCo protocol defined in Protocol 2; real resource R comprises the same elements as the BOQC viz. a secure key, two-way classical channels, and two-way quantum channels.
Consider Alice and Oscar as one party, which we call super-Alice, who has all information about the angles φ, ψ and the random variables α, β, r, t.We denote γ := α ∪ β and θ := φ ∪ ψ.
First, we omit randomness, so that r i = t i = α i = β i = 0 for all i; the resulting BOQCo pattern (P boqco ) can be written as where z(i) := k<i,i∈N G (f (k)) s k , invf (i) ≡ f −1 (i), P lazy is the resulting pattern of lazy 1WQC (Equation ( 15)), and P 1wqc is the resulting pattern of 1WQC (Equation ( 9)), where Thus, P boqco = P 1wqc holds in the absence of randomness.Note that total ordering > is consistent with partial ordering (partial ordering induced by the flow); thus we can interchangeably use both.Recall that operator allows for concurrency, whereas , −→ −→ , and which is identical to Equation (24).Thus, from this point, the proof proceeds identically to that of Theorem 2 from Equation (24).

( B1 )
Alice and Oscar determine the size of bit string b; the string must be long enough to indicate all possible measurement angles φ i , ψ i ∈ Ω.The allowed set of angles is Ω = {πk/2 b−1 } 0≤k<2 b .(B2) Alice and Oscar join their graphs in the following way.Given that Alice's oracular quantum algorithm needs k oracle queries, she marks each query as a black box on her graph A. Given that Oscar's graph O is a graph with k components, he sends Alice {O, f O }. Alice joins their graphs with a connection C by replacing each black box in A with a component of O according to C; she obtains G = A ∪ C O, and computes the total flow (f, ) for the entire graph G.The connection C is valid when the resulting graph G has flow. 10

First
Alice and Oscar agree upon the bit string size, e.g., b = 4.As Alice does not need any quantum input and output, so she sets Ĩ = Õ = ∅.Alice's graph state A contains a black box indicating the oracle.Then, Oscar tells Alice his graph and flow {O, f O }, where O is a graph with one component.The following shows graphs of Alice and Oscar whose flows are indicated with arrows.

Figure 2 :
Figure 2: Interactions within BOQC scheme; these also describe the access to the inside interface of resource R. Initials A, B, and O indicate the interface of Alice, Bob, and Oscar respectively.The double dashed line indicates a secure key channel; the double lines indicate classical channels, with arrow indicating direction of transmission; the wavy lines indicate quantum channels.The circled numbers 0 -4 correspond to the steps shown in Protocol 1.

Figure 3 :
Figure 3: Running Algorithm 1 with an open graph (G > , I, O).The arrows indicate the flow of G, the node number indicates total order >, T i indicates the time step when measuring i, s i signifies the measurement outcome of measuring i, the grey nodes are fresh qubits initialized with state |+ before measuring i, and the Pauli correction is shown on the corresponding node.The highest number of physical qubits requirements is 4, occurring at time-steps T 3 and T 4 .

Lemma 2 . [ 5 ]Lemma 3 . [ 5 ]Lemma 4 . [ 5 ]
Suppose the open graph state (G > , I, O) has flow (f, ) and a proper total order >, then A(i) contains at least f (i) for all i ∈ O c and A(i) ∪ A(j) = ∅ for all i = j.Suppose the open graph state (G > , I, O) has flow (f, ) and a proper total order >, then ∪ i∈V A(i) = I c .Suppose an open graph state (G > , I, O) has flow (f, ) and a proper total order >,

Figure 4 :
Figure 4: [5]The ideal BOQC resource S in the absence of an adversary.The left side is the interface of clients, and the top side is the server interface.Single-and doubleline arrows indicate quantum and classical information, respectively.The resource receives inputs from Alice: an open graph (G, I, O) with flow f , a quantum input ρ in A , and a set of measurement angles φ i ∈ Ω, where Ω = { kπ 2 b−1 } 0≤k<2 b for an integer b.Also, it receives input ψ i ∈ Ω from Oscar, and it does not take any inputs from Bob. Alice receives the final output ρ out A= E(ρ in A ), where E is the resulting superoperator of the algorithm, i.e., E is the isometry described in Theorem 1.Some classical information AO = {(G, Ĩ, Õ), f, V A , V O , , >, b} leaks on Bob's interface, which corresponds to public information in Definition 3, and is necessary to set up the protocol.

Figure 8 :
Figure 8: Pictorial representation of S σ B (Protocol 5).The variables correspond to those defined in Protocol 5. See Figure 6 for the notation; additionally, θ(i) = δ i − φ i , if i ∈ V A δ i − ψ i , if i ∈ V O .
Proof of the second part: Denotea i := N G [i], b i := I ∪ j<i N G [j], thus A(i) ≡ a i \ b i .Given that every node has an ordering, consider the case i < k:A(i) ∩ A(k) ≡ (a i \ b i ) ∩ (a k \ b k ) = [(a i \ b i ) \ b k ] ∩ a k b i ⊂b k = (a i \ b k ) ∩ a k a i ⊂b k = ∅.It is clear that b i ⊂ b k and a i ⊂ b k , since i < k.Lemma 3. [5]Suppose the open graph state (G > , I, O) has flow (f, ) and a proper total order >, then ∪ i∈V A(i) = I c .Proof of Lemma 3. Let G = (V, E).Recall that ∪ i∈V A(i) = I c ⇐⇒ ∪ i∈V A(i) ⊆ I c and ∪ i∈V A(i) ⊇ I c ; we assume the contrary, that is, let ∪ i∈V A(i) = S, thus S = I c , i.e., either S I c or S I c is true.Consider the first case, where S I c .Here, there exists k ∈ I c , such that k ∈ A(i) for all i ∈ I c .We split this first case proof into two parts: for i ∈ O c and for i ∈ O.
Consider the second case, where S I c .Here, there exists a k ∈ I c , such that A(k) contains m where m ∈ I c .By definition, A(k) contains at most its closed neighborhood excluding the inputs, viz.N G (k) \ I. Thus, A(k) must be in the graph, since G[N G (k)] is a subgraph of G; also, any element of I cannot be in A(k).We again arrive at a contradiction, and must conclude that S \ I c = ∅ or S ⊆ I c .Since S ⊆ I c and I c ⊆ S, it follows that S = I c .Lemma 4. [5]Suppose an open graph state (G > , I, O) has flow (f, ) and a proper total order >, then i∈V E > iN G (i) = E G , where E > iN G (i) := k∈N G (i),k>i E ik .

Table 2 :
[5]Minimal quantum power requirements of Alice and Bob to run a BOQC protocol.Oscar's requirement remains (C1) for all cases.Initial "c" indicates "entirely classical" and initial "q" indicates "entirely quantum".Resources K, C, Q, and Q2 are respectively signifying a secure key channel between Alice and Oscar, an insecure classical channel between each client and server, a one-way quantum channel (each client to server), and a two-way quantum channel between Alice and Bob.Other notations follow the notations in Protocol 1.Protocol 1 admits the general case, i.e., Ĩ = I and Õ = O.As shown in Table2, it has the highest requirement among all the cases.A few adjustments from Protocol 1 are needed if Ĩ ⊂ I or Õ ⊂ O.Given an entirely classical input case Ĩ = ∅, e.g., Alice's input is a binary string c = c 1 c 2 . . .c n , where c i ∈ {0, 1}, lines 6-8 in Protocol 1 turns into a single line: "Alice prepares |+ α i +πc i "; and t(i) := k∈I,i∈N G (k) t k .Alice and Oscar receive keys r, t via a secure key channel, where ri ∈ {0, 1}, i ∈ O c and tj ∈ {0, 1}, j ∈ I. Oscar prepares |+ β k k and send it to Bob, β k ∈ Ω is chosen at random.
First, letting Ĩ ⊂ I, we denote Alice's quantum input ρ in ∈ H Ĩ and quantum input of the security model ρ in A ∈ H I .Since H I ⊂ H Ĩ , she has another classical input in the form of a bit string c with length |I \ Ĩ| .As one may always encode classical information into qubits as we choose, we can set ρ in A = ρ in i∈I\I |c i c i |, where c i ∈ {0, 1}.Therefore, ρ in A is now entirely quantum as modeled by S .Finally, the same applies for Õ ⊂ O in which classical output can be represented as a diagonal density matrix.Now it remains to prove the blindness of BOQCo.The proof is rather straightforward because BOQC and BOQCo differ only in the ordering among qubit transmissions, entanglements, and measurements.Theorem 8 provides the security statement of BOQCo, whose relaxation S σ B is provided in Protocol 6, in Appendix B. Theorem 8.The BOQCo protocol with dishonest Bob π boqco = (π A , π O ), defined in Protocol 2 is perfectly blind, and realizes ideal resource S defined in Figure 5.