Relating non-local quantum computation to information theoretic cryptography

Non-local quantum computation (NLQC) is a cheating strategy for position-verification schemes, and has appeared in the context of the AdS/CFT correspondence. Here, we connect NLQC to the wider context of information theoretic cryptography by relating it to a number of other cryptographic primitives. We show one special case of NLQC, known as $f$-routing, is equivalent to the quantum analogue of the conditional disclosure of secrets (CDS) primitive, where by equivalent we mean that a protocol for one task gives a protocol for the other with only small overhead in resource costs. We further consider another special case of position verification, which we call coherent function evaluation (CFE), and show CFE protocols induce similarly efficient protocols for the private simultaneous message passing (PSM) scenario. By relating position-verification to these cryptographic primitives, a number of results in the cryptography literature give new implications for NLQC, and vice versa. These include the first sub-exponential upper bounds on the worst case cost of $f$-routing of $2^{O(\sqrt{n\log n})}$ entanglement, the first example of an efficient $f$-routing strategy for a problem believed to be outside $P/poly$, linear lower bounds on entanglement for CDS in the quantum setting, linear lower bounds on communication cost of CFE, and efficient protocols for CDS in the quantum setting for functions that can be computed with quantum circuits of low $T$ depth.


Introduction
In a position-verification scenario, a verifier attempts to determine the location of a prover by communicating with them remotely [1][2][3].Position-verification may be of interest as a goal in itself, or may serve as an authentication mechanism for use towards further cryptographic goals.In the most widely studied setting, where the prover holds no secret key, an adversary may use a strategy known as non-local quantum computation to simulate the actions of the prover.A non-local quantum computation replaces local actions within a designated spacetime region with actions outside that region along with entanglement shared across it.The basic setting is shown in figure 1.
Non-local quantum computation has also been understood to arise naturally in the context of quantum gravity [4][5][6], in particular within the context of the AdS/CFT correspondence.There, a higher dimensional theory with gravity is given an equivalent description without gravity.In these two descriptions, processes that occur as local interactions in the higher dimensional theory are reproduced in the dual, lower dimensional description as non-local computations.This connection has lead to consequences for the gravitational theory [7,8], and discussion around consequences for non-local computation [9].
Because of the connections to position-verification and quantum gravity, positionverification and the related task of non-local computation have been studied by a number of authors, but basic questions remain open.In particular we have linear lower bounds on entanglement [10] in a non-local computation, and exponential upper bounds [11], with only a little known in between.For a special case of a non-local computation known as frouting, where each instance is defined by a classical Boolean function f , the entanglement cost has been upper bounded by the size of span program computing f [12], so that the class M od k L/poly1 can be achieved efficiently. 2For general unitaries, Clifford unitaries can be implemented with linear entanglement, and circuits with T depth of log n can be implemented with polynomial entanglement [14].
In this article we prove connections between two well studied cryptographic primitives, conditional disclosure of secrets (CDS) [15] and private simultaneous message passing (PSM) [16], and non-local quantum computation.These primitives are studied in the context of information theoretic cryptography, in particular in their relationship to secure multiparty computation [17,18], private information retrieval [15], secret sharing [19], and other cryptographic goals [20].We illustrate their functionality in figure 2. Both settings generally involve k parties along with a referee, but in this work we focus on the k = 2 case, which is the setting we relate to non-local computation.In CDS, two non-communicating parties, Alice and Bob, receive inputs x and y respectively.Alice additionally holds a secret s.Alice and Bob compute messages m 0 (x, s, r) and m 1 (y, r) based on their inputs and shared randomness, which are then sent to the referee.The referee should be able to recover the secret s if and only if f (x, y) = 1.PSM is a similar setting.There, Alice and Bob have inputs x and y along with shared randomness.They send messages m 0 (x, r) and m 1 (y, r) to the referee.The referee should be able to compute f (x, y) from the messages, but not learn anything else about the inputs (x, y) than is implied by the value of f (x, y).We give formal definitions of both primitives in section 2.2.
To relate these primitives to non-local computation, we first show that the natural quantum generalization of CDS, which we denote as conditional disclosure of quantum secrets (CDQS), is equivalent to the f -routing task.More specifically, protocols for CDQS induce similarly efficient protocols for f -routing, and vice versa.Further, we show that classical CDS protocols induce similarly efficient quantum protocols.We also introduce a special case of non-local quantum computation known as a coherent function evaluation (CFE), which we show is closely related to the PSM model: efficient CFE Figure 2: (a) A conditional disclosure of secrets (CDS) protocol.In the classical setting, Alice and Bob share randomness but do no communicate.They receive inputs x and y respectively.Alice additionally holds a secret s.
They send messages to the referee.The protocol is correct if the referee can recover s from the messages if and only if f (x, y) = 1.In the quantum setting, the randomness may be replaced by entanglement and the messages and secret can be quantum.(b) A private simultaneous message protocol (PSM).Again Alice and Bob do not communicate but share randomness.They hold inputs x and y respectively.The referee should be able to learn f (x, y) but nothing else about (x, y).In the quantum setting the randomness is replaced with entanglement, and the messages can be quantum.
protocols induce efficient PSM protocols using quantum resources (PSQM).We also give a weak converse that shows good PSQM protocols induce CFE protocols that succeed with constant (independent of the input size) probability. 3The status of the relationship among these primitives is shown in figure 3.
Our results relate position-verification to the wider setting of information-theoretic cryptography.This provides a partial explanation of the difficulty of finding better upper and lower bounds in non-local computation, since we now see that doing so would resolve other long-standing questions in cryptography 4 .In a positive direction, we use results in NLQC to give new results on CDS and PSM, and vice versa.Our key results are, • Sub-exponential upper bounds on entanglement cost in f -routing for an arbitrary function (corollary 68) • Efficient CDQS and f -routing protocols for the quadratic residuosity problem, the first problem not known to be in P/poly with an efficient non-local computation protocol (corollaries 57 and 58) These results represent significant changes in our understanding of the efficiency of frouting protocols.Previously the best upper bounds for arbitrary functions were exponential, and the highest complexity functions with known efficient schemes were in Mod k L/poly.From our connections between CDS, PSM, and NLQC, we also obtain a number of other implications, • Linear lower bounds on communication complexity in CFE (corollary 46) • Linear lower bounds on entanglement in CDQS and PSQM for random functions (corollaries 48 and 49), and logarithmic lower bounds on entanglement for the inner product function (corollary 51 and 52) Figure 3: Implications among primitives: an arrow from X to Y says that a protocol for X implies a protocol for Y with the same efficiencies (up to constant overheads).All implications shown in blue hold in the robust setting where we allow small errors and leakages.The dashed red line indicates that a perfect PSQM protocol that succeeds with high probability implies a CFE protocol that succeeds with constant probability.The subset symbol ⊂ indicates that f -routing and CFE are special cases of NLQC.Primitive abbreviations (DRE, PSM, ...) and theorem numbers link to relevant proofs or definitions.
• An entanglement efficient protocol for CDQS and PSQM when the target function f can be evaluated by a quantum circuit with low T -depth (corollaries 63 and 65) More broadly our results take position-verification from being an 'island' in the space of cryptographic primitives, with no known classical analogues or connections to other more standard notions, to being richly connected to a web of interrelated primitives, which themselves are related to central goals in information theoretic cryptography.We hope these results lead to new perspectives on position-verification, and new perspectives in the study of CDS, PSM and related primitives.In particular a number of classical results on CDS and PSM may find natural quantum extensions in the context of NLQC.In the discussion we comment on some cases where quantum analogues in the NLQC setting of classical cryptographic results are not yet known.

Outline of this article
In section 2, we present some relevant background.Section 2.1 gives a summary of the quantum information tools we exploit.Section 2.2 summarizes the various cryptographic primitives which we study and relate.Section 2.3 gives the already known relations among these primitives.
In section 3 we prove new relationships among our set of cryptographic primitives.The full set of connections is presented as figure 3. The relationships between CDS and CDQS, CDQS and f -routing, CFE and PSQM, and CDQS and PSQM are new to the best of our knowledge.
In section 4 we summarize the known results on the complexity of efficiently achievable functions in the PSQM, CDQS and f -routing settings.The status of the complexity of efficiently achievable functions in the general case is not too changed by our results: existing CDS protocols give f -routing protocols, but in the existing literature on both f -routing and CDS the most efficient protocols have a cost like (log p) • SP p (f ) where SP (f ) denotes the minimal size of a span program over Z p computing f [12,15].
Sections 5 and 6 spell out the implications for non-local computation and its special cases that follow from known results in CDS and PSM, and conversely the implications for CDS and PSM that follow from known results in non-local computation.In section 5 we give new lower bounds that follow in this way.In section 6 we give new upper bounds.Our new upper bounds include the most significant implications that follow from the connections we find, which are sub-exponential upper bounds on f -routing for arbitrary functions and an efficient scheme for a function believed to be outside of P/poly.Section 7 concludes with some discussion and open problems, in particular commenting on connections to quantum gravity and to some results in the classical cryptography literature that may have quantum analogues relevant to the NLQC setting.

Tools from quantum information theory
In this section we briefly recall some standard tools of quantum information theory.We follow the conventions of [21], where an overview of these tools and further references can also be found.

Probability distributions
Given a random variable X, we label a probability distribution of X by P X .For the distribution of X conditioned on Y , we use P X|Y .When the conditioning distribution Y takes the value y ∈ Y we denote the resulting distribution on X by P X|y=Y ≡ P X|y .

Quantum one-time pad
The quantum one-time pad [22] uses classical randomness to conceal quantum information.To understand this, suppose that Alice wishes to give Bob a quantum system B, but wants Bob to only obtain B if he also knows a classical key k.Supposing that B consists of qubits, Alice can do this by applying a random Pauli string P k B .If Bob does not know k, B is hidden to him since where the index k ranges over all choices of Pauli strings, and I represents the identity operator.On the other hand, if Bob knows k he can undo the Pauli string and recover the B system.

Distance measures and inequalities
Let D(H A ) be the set of density matrices on the Hilbert space H A .Given two density matrices ρ, σ ∈ D(H A ), define the fidelity, which is related to the one norm distance ||ρ − σ|| 1 by the Fuchs van de Graff inequalities, It will also be useful to define the diamond norm distance, which is a distance measure on the space of quantum channels. where The diamond norm distance has an operational interpretation in the terms of the maximal probability of distinguishing quantum channels [21,23].

Decoupling and recovery
The basic idea underlying the connection between CDS and f -routing that we will give is the notion of decoupling and complementary recovery.To develop this, consider a quantum channel N B→C : L(H B ) → L(H C ).We would like to understand when this channel has an (approximate) inverse.Consider any unitary extension of the channel, call it V BE ′ →CE , which satisfies A classic result [24,25] says if we input a maximally entangled state |Ψ + ⟩ AB and find that I(A : E) N (Ψ + ) is small, say less than ϵ, then there exists an inverse channel N −1 B→C which works well in the sense that the fidelity The inverse channel is succeeding when acting on the maximally entangled state, which can also be understood as acting correctly in an averaged (over input states) sense.We will make use of a stronger notion of decoupling, which shows that a worst case notion of decoupling implies the existence of an inverse channel that always succeeds.The theorem was proved in [26].
Theorem 2 Let N A→B : L(H A ) → L(H B ) be a quantum channel, and let N c A→E be the complimentary channel.Let S A→E be a completely depolarizing channel, which traces out the input and replaces it with a fixed state σ E .Then we have that where the infimum is over all quantum channels D B→A .
The above should be understood as saying that if there is a good inverse to the channel N A→B , then the complementary channel is close to depolarizing, and vice versa.Intuitively, the depolarizing channel reveals no information about A, so this is saying the existence of an inverse is equivalent to not leaking information to the environment.

Definitions of the primitives
In this section we give the definitions of each of the primitives that we discuss in this article.Note that we focus on information theoretic definitions of security.In all cases there are meaningful versions of these primitives with computational security, but we have not explored their connections to non-local computation.

Conditional disclosure of secrets
We first define the classical CDS setting, which we also illustrate in figure 2a.
Definition 3 A conditional disclosure of secrets (CDS) task is defined by a choice of function f : {0, 1} 2n → {0, 1}.The scheme involves inputs x ∈ {0, 1} n given to Alice, and input y ∈ {0, 1} n given to Bob.Alice and Bob share a random string r ∈ R. Additionally, Alice holds a string s drawn from distribution S, which we call the secret.Alice sends message m 0 (x, s, r) ∈ M 0 to the referee, and Bob sends message m 1 (y, r) ∈ M 1 .We require the following two conditions on a CDS protocol.
• ϵ-correct: There exists a decoding function D(m 0 , x, m 1 , y) such that • δ-secure: There exists a simulator producing a distribution Sim on the random variable Notice that in our definition of CDS we have imposed that the secret be held only by Alice.We can easily transform protocols that succeed with the secret held on both sides to one where the secret is held only on one side.This is a standard remark about CDS, though we don't know a reference where this is shown in the imperfect setting, so we give the simple proof of this fact here.
Remark 4 A CDS task where s is initially held by Alice and Bob can be turned into one where only Alice holds s at the cost of |s| shared random bits, and |s| bits of communication.If the CDS protocol is ϵ-correct and δ-secure, the one-sided protocol will be ϵ-correct and O(δ) secure.
Proof.To see this, suppose we have a perfectly correct and secure CDS protocol which works when s is held on both sides.Then run this protocol on a randomly chosen s ′ , and have Alice send s ′ ⊕ s to the referee.Only Alice needs to know s to run this protocol.
Suppose our initial CDS protocol is ϵ-correct and δ-secure.Then the new CDS will also be ϵ-correct, since s can be computed deterministically from s ′ and the bit s = s ⊕ s ′ .To understand security, note that δ-security of the original protocol implies Using this, P S S = P S P S (from the properties of the one-time pad), and that S and M are independent conditioned on S, we have which is exactly δ security of the one sided CDS protocol.Finally, we remark that a CDS for secret s 1 and a CDS for secret s 2 can be run in parallel using fresh randomness while maintaining security and correctness of each CDS scheme.To see this, call the message for the first CDS M 1 and the message for the second CDS M 2 .If we consider how much the referee can learn about the secret s 1 , message M 2 doesn't reveal anything, because it depends only on the randomness r 2 , the inputs (which the referee knows already as part of the CDS for s 1 ), and s 2 .All of these variables are already known by the referee as part of the CDS for s 1 , or are uncorrelated with s 1 .More succinctly, the distribution on s 1 is independent of M 2 when conditioning on XY , so revealing M 2 doesn't help the referee learn s 1 , given that they already know XY , or in notation A similar statement establishes security of the CDS hiding s 2 in the presence of message M 1 .As a consequence of the above comments, the CDS hiding secret s = (s 1 , s 2 ) given by running the CDS for each secret in parallel has good security and correctness, as we capture in the next lemma. 5emma 5 Suppose we have a CDS for function f which is ϵ-correct and δ-secure, and hides k bits, and uses r bits of randomness and c bits of communication.Then we can build a CDS for function f that hides mk bits, is mϵ correct and mδ secure and which uses mr bits of randomness and mc bits of communication.
Proof.The strategy is to repeat the CDS protocol that hides k bits m times in parallel.To understand correctness of the new protocol, notice that on 1 instances the probability of the referee guessing s i correctly is at least 1 − ϵ, so their probability of guessing all m strings s i correctly is at least (1 − ϵ) m ≥ (1 − mk).To understand security, we define a simulator for the composed protocol by taking the product of the distributions for a single instance of the protocol, We also note that, using fresh randomness for each instance of the CDS, we can extend equation 11 to Figure 4: (a) Illustration of a CDQS protocol.Alice and Bob share an entangled resource state, illustrated as the solid curved line.Alice receives the classical string x ∈ {0, 1} n as input, and a quantum system Q, which we take to be maximally entangled with a reference R. Bob receives input y ∈ {0, 1} n .Alice and Bob prepare quantum systems M 0 and M 1 , which they pass to the referee.The protocol is correct if when f (x, y) = 1 the map from Q to M 0 M 1 can be reversed, and secure when for f (x, y) = 0 the M = M 0 M 1 system is independent of the input state on Q. See definition

Conditional disclosure of quantum secrets
To the best of our knowledge the quantum analogue of the CDS model has not been studied explicitly in the literature. 6We give a definition here which features quantum resources and a quantum secret.The CDQS primitive is illustrated in figure 4a.
Definition 6 A conditional disclosure of quantum secrets (CDQS) task is defined by a choice of function f : {0, 1} 2n → {0, 1}, and a d Q dimensional Hilbert space H Q which holds the secret.The task involves inputs x ∈ {0, 1} n and system Q given to Alice, and input y ∈ {0, 1} n given to Bob.Alice sends message system M 0 to the referee, and Bob sends message system M 1 .Label the combined message systems as M = M 0 M 1 .Label the quantum channel defined by Alice and Bob's combined actions N xy Q→M .We put the following two conditions on a CDQS protocol.
• ϵ-correct: There exists a channel D x,y M →Q , called the decoder, such that • δ-secure: There exists a quantum channel S x,y ∅→M , called the simulator, such that The notions of ϵ-correctness and δ-security given here mimic the classical ones closely.In words, the correctness condition is saying that when f (x, y) = 1 the referee can reverse the effect of Alice and Bob's actions on the Q system.The security condition is saying that when f (x, y) = 0 the system M seen by the referee is close to one that they could have prepared with no access to Q.
In our definition of CDQS, we require a quantum system Q be taken as the secret, and allow the use of quantum resources.Another quantum variant of CDS we could have defined would allow quantum resources but restrict to a classical secret.We could call this CDQS'.This variant is in fact equivalent to the above definition.This follows from our proof below that classical CDS protocols gives quantum CDS protocols, which is easily modified to show a CDQS' gives CDQS with similar resources.Then one can observe that a CDQS protocol can be modified to a CDQS' protocol by choosing the secret to be a state in a chosen basis.Taken together these observations give that CDQS' and CDQS are equivalent.

Private simultaneous message passing
Next we move on to discuss another basic cryptographic primitive of interest in this article, which is private simultaneous message passing.This primitive is illustrated in figure 2b.
Definition 7 A private simultaneous message (PSM) task is defined by a choice of function f : X × Y → Z.The inputs to the task are n bit strings x and y given to Alice and Bob, respectively.Alice then sends a message m 0 (x, r) to the referee, and Bob sends message m 1 (y, r).From these inputs, the referee prepares an output bit z.We require the task be completed in a way that satisfies the following two properties.
• ϵ-correctness: There exists a decoder Dec such that • δ-security: There exists a simulator producing a distribution Sim on the random variable M = M 0 M 1 such that Stated differently, the distribution of the message systems is δ-close to one that depends only on the function value, for every choice of x, y.
In PSM we can allow the function f to take Boolean or other values.For instance we can take f to be natural number valued and defined by a counting problem.Another comment is that PSM protocols can be run in parallel, in the sense that ϵ-correct and δ-secure protocols for f 1 (x, y) and f 2 (x, y) can be run together to give a 2ϵ-correct and 2δ-secure protocol for the function f (x, y) = (f 1 (x, y), f 2 (x, y)).This is straightforward to show from the security definition.

Private simultaneous quantum message passing (PSQM)
As with CDS, there is a natural quantum version of PSM.In this case the functionality of the protocol is unchanged, but the allowed resources are now quantum mechanical.A PSQM protocol is shown in figure 6a.
Definition 8 A private simultaneous quantum message (PSQM) task is defined by a choice of function f : X ×Y → Z.The inputs to the task are n bit strings x and y given to Alice and Bob, respectively, each of which are chosen independently and at random.Alice then sends a quantum message system M 0 to the referee, and Bob sends quantum message system M 1 .From the combined message system M = M 0 M 1 , the referee prepares an output bit z.We require the task be completed in a way that satisfies the following two properties.
• ϵ-correctness: There exists a decoding map V M →Z M such that where ρ M (x, y) is the density matrix on M produced on inputs x, y.
• δ-security: There exists a simulator, which is a quantum channel S Z→M (•), such that Stated differently, the state of the message systems is δ-close to one that depends only on the function value, for every choice of input.
Just like in the classical case, PSQM protocols can be run in parallel with only small relaxations in security and correctness.

Decomposable randomized encodings
A related primitive, which we will make briefer use of, is the notion of a decomposable randomized encoding.We recall some definitions given in [28].
Definition 9 Let X, Y, Ŷ , R be finite sets and let f : • ϵ-correctness: There exists a function Dec called a decoder such that for every x ∈ X we have where the probability is over R and any randomness in the decoder Dec.
• δ-privacy: There exists a randomized function, called a simulator, producing the random variable Sim such that Definition 10 A decomposable randomized encoding (DRE) for a function f : A DRE is ϵ-correct and δ-secure under the same conditions as a randomized encoding, given above.
We will in fact only use that certain randomized encodings are decomposable across a single splitting of the inputs.That is we are interested in functions f : X × Y → Z and need the randomized encoding to take the form f (x, y; r) = ( f1 (x, r), f2 (y, r)) (23) In this setting we will say f (x, y) has a randomized encoding decomposable across X × Y .

Non-local computation
Finally we come to the notion of a non-local computation, which was first studied in the context of cheating strategies for position-verification tasks.The general setting is shown in figure 1.A non-local computation takes the form shown in figure 1b, with the goal being to simulate the action of a local unitary (figure 1a).
We will not give a formal definition of a fully general NLQC here, but instead focus on two special cases.The first, f -routing, was introduced in [2] and studied further in [13].It has been especially well studied in the non-local computation literature because it is of interest in developing practical position-verification schemes.We will also see that it is closely related to the CDQS primitive. 7efinition 11 A f -routing task is defined by a choice of Boolean function f : {0, 1} 2n → {0, 1}, and a d dimensional Hilbert space H Q .Inputs x ∈ {0, 1} n and system Q are given to Alice, and input y ∈ {0, 1} n is given to Bob.Alice and Bob exchange one round of communication, with the combined systems received or kept by Bob labelled M and the systems received or kept by Alice labelled M ′ .Label the combined actions of Alice and Bob in the first round as N x,y Q→M M ′ .The f -routing task is completed ϵ-correctly if there exists a channel D x,y M →Q such that, and there exists a channel D x,y M ′ →Q such that In words, Bob can recover The second special case we study is coherent function evaluation.We introduce this as the special case of NLQC that implies the PSQM primitive, as we show below.As well, it is similar to non-local computations studied in [30], which used Banach space techniques to study lower bounds on quantum resources in these non-local computations.
Definition 12 A coherent function evaluation (CFE) task is defined by a choice of Boolean function f : {0, 1} 2n → {0, 1}.The task is to implement the isometry in the non-local form of figure 1b.We say a CFE protocol is ϵ-correct if the diamond norm distance between V f and the implemented channel is not larger than ϵ.

Secret sharing
An important tool throughout cryptography, and in particular in our context, is the notion of a secret sharing scheme.We introduce this next.
Definition 13 A secret sharing scheme S is a map from a domain K and randomness R to variables S 1 , ..., S n , here called shares.Let A be a subset of the S i , S A the distribution on the shares A, and A a set of subsets of the S i .Then a scheme S realizes access structure A with ϵ-correctness if, for each subset of shares A ∈ A there exists a decoding map A scheme S is δ-secure if, whenever U / ∈ A, there exists a map producing a distribution Sim on U such that If ϵ = δ = 0 we say that the scheme S is perfect.
The access structure of a secret scheme can be specified as a set of subsets of shares, as in the above definition, or equivalently in terms of an indicator function.The indicator function is defined by We can observe that if A ∈ A then necessarily A ∪ S i ∈ A. This follows because if we can reconstruct the secret from A, we can also reconstruct it from a larger set.This means that valid indicator functions will always be monotone.

The garden hose game
The garden hose game [13] is a model of communication complexity defined, informally, as follows.Alice and Bob are neighbours, and wish to compute a function f (x, y), where Alice holds the input x and Bob the input y.They have a set of m pipes that run through their fence and connect the two yards.Alice has a tap, which she can connect to any of the pipe openings on her side of the fence.Alice and Bob additionally have hoses, which they can use to connect ends of pipes on the same side of the fence.Their strategy is to choose how to connect the tap to the pipes, and connect pipes to each other with hoses, in a way that depends on their respective inputs.Then, Alice turns on the tap.Alice and Bob win the garden hose game if the water spills on Alice's side of the fence when f (x, y) = 0, and on Bob's side of the fence when f (x, y) = 1.For a formal definition of the garden-hose game, we refer the reader to [13].
The garden hose game gives an interesting notion of the communication complexity of a function, which we formalize next.

Definition 14
The garden hose complexity of a function f : {0, 1} n × {0, 1} n → {0, 1} is the minimal number of pipes needed to complete the garden hose game for the function f (x, y) deterministically.
All functions can be computed in the garden hose game.To see why, observe that for any f (x, y) Alice and Bob can carry out the following strategy.They prepare 2 n+1 pipes, which we label as {p i , p ′ i } n i=1 .Upon receiving input x, Alice connects her tap to pipe p x .Bob connects pipe p i to p ′ i whenever f (i, y) = 0, and leaves it open otherwise.Upon turning on the tap then, water flows through pipe p x , then back to Alice if f (x, y) = 0 and spills on the right otherwise, as needed.A sightly smarter strategy lowers the worst case garden hose complexity to 2 n + 1. See [13].

Other related primitives
Each of the primitives discussed above is in turn related to others in various ways.Reviewing these further connections is outside the scope of this article.Instead, we have included in our discussion only new connections among primitives, or primitives for which we have found the connection to NLQC gives a new result on NLQC, or for which NLQC implies a new result on the primitive.We briefly mention however some settings with natural relationships to the ones discussed here; our list and references are not exhaustive.CDS and PSM are related to zero-knowledge proofs [31], secret sharing [32], communication complexity [33], private information retrieval [16], and secure multiparty computation [16].A useful review of these primitives and the broader context of information theoretic cryptography is given in [34].Quantum secret sharing was related to f -routing in [12].All of these connections may be interesting to revisit in the quantum setting, and in light of the connection to non-local computation and position-verification.

SS gives CDS
In [15], the authors upper bound the randomness complexity of a CDS scheme in terms of the size of a secret sharing scheme whose access structure is related to f .We recall their result next, narrowing their result to the two player case for simplicity.
Let S be a perfect secret sharing scheme realizing the access structure f M , in which the total share size is c, and let s denote a secret (from the domain of S) which is known to all players.Then there exists a CDS protocol for disclosing s subject to the condition f with randomness c, and a (perhaps different) protocol with communication complexity bounded above by c.
The protocol which establishes this theorem is, heuristically, the following.We start by illustrating the case where f = f M is already a monotone function, and so can be realized as the indicator function of some secret sharing scheme S. Then the protocol is as follows.Without loss of generality take Alice and Bob to both hold the secret s (see Remark 4).To carry out the protocol, both parties prepare a secret sharing scheme S which has indicator function f M , using their shared randomness as the randomness R needed to prepare the scheme.Then, Alice sends those shares S i to the referee for which x i = 1, and Bob sends those shares S i+n for which y i = 1.Then if f M (x, y) = 1, following this local rule they will have collectively sent an authorized set of shares and the referee can reconstruct the secret s.If f M (x, y) = 0, they will have sent an unauthorized set of shares and the referee cannot learn the secret.To extend this to non-monotone functions, Alice and Bob first locally compute g 1 and g 2 respectively, and then perform the same secret sharing protocol now with bits of g 1 (x) or g 2 (y) controlling which shares are sent to the referee.Notice that the communication complexity is at most the total size of the shares of the secret sharing scheme.
To see the protocol that gives an upper bound for the randomness complexity 8 , we now have only Alice prepare the shares of the secret sharing scheme.For shares i ≤ n, she sends share S i if x i = 1 as before.For shares i > n, she sends S i ⊕ r i , where the XOR is taken bitwise with a random string r i of length |S i |. Bob then sends r i iff y i = 1.Notice that the randomness complexity is now at most i r i ≤ i |S i |, which is just the size of the scheme.The communication complexity is now somewhat larger, but is bounded by twice the size.
We can also generalize the above theorem to the case of approximate secret sharing schemes.In particular, if we use an approximate secret sharing scheme in the second of the protocols above we find that an ϵ-correct and δ-secure secret sharing scheme of size c for an indicator function f I leads to an ϵ-correct and δ-secure CDS for the same function, using randomness complexity c.A similar observation holds for the protocol bounding the communication complexity.We collect these observations as the following remark.
Let S be an ϵ-correct and δ-secure secret sharing scheme realizing the access structure f M , in which the total share size is c, and let s denote a secret (from the domain of S) which is known to all players.Then there exists an ϵ-correct and δ-secure CDS protocol disclosing s subject to the condition f with randomness c, and a (perhaps different) ϵ-correct and δ-secure protocol with communication complexity bounded above by c.

DRE gives PSM
See for example [28] for the connection between DRE and PSM.We give a robust version of this connection as the next theorem.
Theorem 17 Suppose that f : X × Y → Z has an ϵ-correct and δ-secure decomposable randomized encoding using n R bits of randomness, and n M message bits.Then there is an ϵ-correct and δ-secure PSM protocol for f that uses the same amount of randomness and message bits.
Proof.Let the DRE for f be f (x, y; r) = ( fX (x, r), fY (y, r)) (30) To implement the PSM protocol, Alice prepares fX (x, r) and sends this to the referee, while Bob prepares fY (y, r) and sends this to the referee.The referee then uses the decoder for the DRE to determine f (x).Noticing that the conditions on the DRE and PSM are in fact exactly the same under these identifications, we have that the PSM is also ϵ-correct and δ-secure.
Notice that a PSM for f also gives a randomized encoding for the function f , albeit one that is decomposable across a particular splitting of the input bits into X × Y , and not necessarily decomposable bitwise, as required in the definition of a DRE.

PSM gives CDS
Next, we relate the PSM and CDS primitives.See for example [15,31].
Theorem 18 Suppose that an ϵ-correct and δ-private PSM protocol exists for f (x, y) using messages of at most n M bits and no more than n E shared random bits.Then a CDS protocol using n M + 1 bits of message and n E random bits exists which is ϵ-correct and O(δ log d R ) private, and hides one bit.
Proof.We wish to carry out the CDS task using the given PSM protocol.First, we note that by adding one bit of randomness we can assume s is held by both Alice and Bob.This is because of remark 4.
Next, we show that given the PSM protocol for f there is a similarly efficient PSM for the function f (x, y) ∧ s, with s held on both sides.To show this, first consider the case where f (x, y) is a constant function.Then Alice and Bob can follow a fixed strategy (reveal s or not) and we are done.Thus we assume f (x, y) is non-constant, and choose any input values for which it is 0 and label them (x * , y * ).Run the PSM on inputs To see ϵ-correctness, we have the referee output the outcome of the modified PSM protocol as their guess for the secret s.Then their success probability conditioned on Next consider security.Let the distribution of values of f (x, y) be F , the distribution of values of f (x ′ , y ′ ) be F ′ , and the distribution of x ′ and y ′ be X ′ and Y ′ respectively.Security of the original PSM protocol implies Then notice that because X ′ Y ′ are determined by XY S, we have Next, restrict to the distributions where f (x, y) = 0, leading to which is δ security of the CDS.

PSM gives PSQM
Next, we prove that a protocol for PSM also gives a protocol for PSQM.This might seem trivial, since the quantum resources available in the PSQM can simulate the classical resources used in the PSM, but establishing security requires we show the classical security definition is strong enough to enforce the quantum security definition.As far as we are aware this is not written in the literature (but see [35] for the introduction of PSQM), but is straightforward enough we include it in this section.
Theorem 19 Suppose we have a PSM protocol which is ϵ-correct and δ-secure.Then we can construct a PSQM protocol which is 2 √ ϵ correct and δ-secure.
Proof.Correctness of the PSM protocol implies that there exists a decoder Dec(m 0 , m 1 ) such that where the probability is over choices of the random string r.In quantum notation, we have that the message system is described by the density matrix and can write the output of the decoder as Then notice that where the last line follows because we see the fidelity is exactly the guessing probability, which is bounded from below by the classical correctness definition.Using the Fuchs van de Graff inequalities, we get that as needed.
Next recall security of the PSM means that there exists a simulator which takes in f (x, y) and produces output distribution Sim on the message system such that To get security of the PSQM, we need to upgrade this simulator to a quantum channel.In particular if the simulator is defined by the conditional probability distribution p(m|f ), define the Kraus operators Calling the corresponding simulator channel S, we have that so we have exactly δ security of the PSQM.

GH gives f -routing
In [13], the following statement is shown.

Theorem 20
The number of EPR pairs needed to implement a f -routing protocol for a function f is upper bounded by the garden hose complexity of f .
We won't reproduce a careful proof of this, but it is easy to see: each pipe in the garden hose protocol is replaced with an EPR pair in the f-routing strategy.Connecting pipes corresponds to measuring pairs of systems in the Bell basis.Doing so, the input system Q will end up recorded into the Hilbert space corresponding to spilling end of one of the pipes.Pauli corrections appear on this state, but the one round of communication in the f -routing strategy can be used to communicate all the measurement outcomes and then undo the corresponding corrections.

New relations among primitives
This section begins our study of the relationships among the cryptographic primitives introduced in section 2.2.

Garden hose strategies give CDS
We point out that the garden hose game defines strategies for CDS.

Theorem 21
The garden hose complexity of a function f (x, y) upper bounds the CDS cost, Proof.To show this, we construct a CDS protocol given a garden-hose protocol that uses a number of shared random bits equal to the number of pipes in the garden hose protocol.
Label the set of pipes used in the garden hose game p i with the tap labelled p 0 , the connections on Alice's side by C x = {(p i , p j )}, and the connections on Bob's side by C y = {(p i , p j )}.Note that because no pipe can be connected to two hoses, each p i appears in C x at most once, and in C y at most once.Correctness of the garden hose protocol means that for all (x, y), there is a path from the tap to the side labelled by f (x, y).
To turn this into a CDS protocol, we proceed as follows.Each pipe p i , i > 0, becomes a shared random bit held by Alice and Bob.The secret s corresponds to the tap p 0 .For each connection in C x , say (p i , p j ), Alice computes c ij = p i ⊕ p j and sends this to the referee.Bob does the same for each connection in C y .Finally, Bob sends each shared random bit p k not appearing in any connection in C y to the referee.In contrast, Alice's unused random bits are kept hidden from the referee.
To see why this is correct and secure, consider the chain of connection bits c i k i k+1 = p i k ⊕ p i k+1 , where p i 0 = s is the secret.If the chain is of length 0, this corresponds to an unconnected tap in the garden hose picture, so that f (x, y) = 0 and the water spills on the left.In the CDS protocol, the secret, being an un-XOR'd bit, is not sent to the referee, so that the referee cannot learn the secret, as needed.Now suppose the chain has length > 1.Then c i 0 i 1 = s ⊕ p i 1 is sent to the referee, and no other bits which are computed from s are sent, so that the referee learns s if and only if they learn p i 1 .Continuing in this way down the chain of connection bits, we see that the referee learns s if and only if they learn p im , the final random bit (corresponding to the final pipe in the waters path).But then p im is not used to compute any other bits (by virtue of being at the end of the chain), and is sent if and only if it is unused on the right.But it is unused on the right if and only if the corresponding pipe spills on the right, which by our assumption of correctness of the garden hose strategy is if and only if f (x, y) = 1

Classical CDS gives quantum CDS
In this section we observe that a classical CDS scheme immediately gives a quantum CDS scheme, via a use of the one-time pad.
Theorem 22 An ϵ-correct and δ-secure CDS protocol hiding 2n bits and using n M bits of message and n E bits of randomness gives a CDQS protocol which hides n qubits, is 2 √ ϵ correct and δ-secure using n M classical bits of message plus n qubits of message, and n E classical bits of randomness.
Proof.Let the quantum system to be hidden in the CDQS be labelled Q.The basic idea is to use the CDS protocol to hide the key of a one-time pad applied to the system Q.The encoded system Q is sent to the referee.The one-time pad key, call it s, consists of 2 log d Q bits, which we choose independently and at random and hide in the CDS.The channel applied by Alice and Bob's combined actions is then We first study correctness.To do this, we recall that correctness of the classical CDS guarantees the existence of a decoder which produces an outcome which is equal to the secret value with probability 1 − ϵ.In quantum notation, we can describe this channel as The correctness condition for CDS states that, for (x, y) ∈ f −1 (1) this produces a guess s ′ which agrees with the secret s, or more precisely, Relating this to the trace distance via the Fuchs van de Graff inequalities, this becomes, where δ s|s ′ = 1 if s = s ′ and is zero otherwise.We will use this statement in establishing correctness of the CDQS.Define the decoding channel for the CDQS by combining the classical decoder with a conditional application of P s ′ Q , then a trace over the register S holding the secret, so that our decoder is We need to bound the diamond norm From the definition of the diamond norm and the channels where we used equation 45 in the last line, which recall held for all (x, y) ∈ f −1 (1).
To establish security of the CDQS, we define the simulator channel as9 We need to show S xy ∅→M Q • tr Q is close to the channel 42 in diamond norm for all (x, y) ∈ f −1 (0).This follows from security of the CDQS and a simple calculation.Start with the definition of the diamond norm, where we used that To bound our remaining expression, we take the sum over s out of the trace distance and find where the last inequality is coming from security of the classical CDS.

Equivalence of f -routing and CDQS
Our main claim of this section is that the CDQS and f -routing scenarios are equivalent, in that a protocol for one induces a protocol for the other using similar resources.The basic idea underlying the equivalence, and labelling of the various subsystems used in the proof, is illustrated in figure 5.
Theorem 23 an ϵ-correct f -routing protocol that routes n qubits implies the existence of an ϵ-correct and δ = 2 √ ϵ-secure CDQS protocol that hides n qubits using the same entangled resource state and the same message size.An ϵ-correct and δ-secure CDQS protocol hiding secret Q using a n E qubit resource state n M qubit messages implies the existence of a max{ϵ, 2 √ δ}-correct f -routing protocol that routes system Q using n E qubits of resource state and 4(n M + n E ) qubits of message.
Figure 5: Corresponding CDQS (left) and f -routing (right) protocols.To define the CDQS protocol from the f -routing protocol, we have Alice and Bob trace out systems M ′ 0 and M ′ 1 .Systems M 0 and M 1 are sent to the referee rather than to Bob.To define the f -routing protocol from the CDQS, purify the local channels N L and N R to isometries V L and V R .Send the original outputs of the channel to Bob on the right, and the purifying systems to Alice on the left.We adopt the notation Proof.Begin by considering an f -routing protocol.Figure 5 establishes the subsystem labels we will use here.We will first show that an f -routing protocol is easily modified to construct a CDQS protocol.To do so, we send systems M 0 and M 1 that Bob would receive in the second round of the f -routing protocol to the referee of the CDQS protocol.Then, if f (x, y) = 1, ϵ-correctness of the f -routing scheme is immediately ϵ-correctness of the CDQS.
To show secrecy of the CDQS protocol, we first establish some notation.We label the channel realized by the first round operations of Alice and Bob N Q→M M ′ , and let V Q→M M ′ E be a isometric extension of this channel.By correctness in 0 instances of the f -routing scheme, we have that there exists a channel D xy M ′ →Q such that Then the decoupling theorem 2 tells us that there exists a completely depolarizing channel Adding a trace over part of the outputs of channels can only make the channels less distinguishable, and hence the diamond norm smaller, so that but this is just which is exactly 2 √ ϵ-security of the CDQS.Note that the CDQS protocol defined by the f -routing protocol uses the same entangled resource state and no more communication.Now suppose we have a CDQS protocol which is ϵ-correct and δ-secure.Then to build the f -routing protocol, purify the channels Alice and Bob perform to isometries, and send the original message systems of the CDQS to Bob and their purifications to Alice.Then by ϵ-correctness of the CDQS protocol, we immediately have ϵ-correctness of the f -routing protocol when f (x, y) = 1.
Next consider the case where f (x, y) = 0. Then security of the CDQS implies that there exists a simulator channel S xy ∅→M such that We will again apply the decoupling theorem.Notice that now, because of how we have defined the f -routing protocol, the map from Q to M M ′ is isometric, so (N xy ) c Q→M = (N xy ) Q→M ′ .Then the decoupling theorem implies the existence of a decoding channel which gives 2 √ δ correctness on 0 instances.The protocol is then max{2 √ δ, ϵ}-correct.To see how the communication in the resulting f -routing protocol is related to the communication in the original CDQS protocol, we can use that a channel N A→B can always be purified by an isometry V A→BC where d C ≤ d A d B .Let CDQS have messages that each consist of at most n M qubits, and use an n E qubit resource system on systems LR.Then the most general possible protocol is defined by families of channels applied on the left and right respectively.We define purifications of these, We see that the message sizes are now at most n M + n E qubits, so the total size of the communication is at most 4(n M + n E ).The entangled resource system used in the f -routing protocol is identical to the one used in the CDQS.

Explicit reconstruction procedure:
It is perhaps counter-intuitive that the f -routing protocol built from the CDQS protocol succeeds in the case when f (x, y) = 0.This is implied by the general physics of decoupling as captured by theorem 2, but for intuition we give a more explicit description in a special case here.
Let's suppose the CDQS protocol is perfectly correct, and works in the following way.Assume the quantum secret is a single qubit and is stored in system Q.To hide the quantum state on Q, Alice applies the one-time pad using a classical string s = (s 1 , s 2 ) as key.Explicitly she has applied A message system M is sent to Bob, which reveals the key if and only if f (x, y) = 1.The system A must be sent to Alice on the left.The full state of the message systems then has the form Suppose we are in the case where f (x, y) = 0. Then by security, the state on M is independent of s.We can trace it out and the M ′ system out and obtain the pure state The claim is that Alice can recover the state on Q from the A system.To do this, she maps |s 1 , s 2 ⟩ to the Bell basis, obtaining Then notice that so that mapping A 1 A 2 into the Bell basis actually swaps the state on Q into A 2 , so that Alice recovers the state on Q.

PSQM gives CDQS
Analogous to the observation that PSM gives CDS, we can also show that PSQM gives CDQS.
Theorem 24 Suppose that an ϵ-correct and δ-private PSQM protocol exists for f (x, y) ∈ {0, 1} using messages of at most n M bits and an entangled state of no more than n E qubits.Then there exists a CDQS protocol hiding one qubit using n M + 1 bits of message and n E qubits of entangled state which is 2ϵ correct and δ private.
Proof.If the function f (x, y) is constant then the CDQS protocol is trivial, so we assume without loss of generality that f (x, y) is non-constant.
Given the PSQM protocol, we build a CDQS protocol as follows.We introduce two random shared bits which we call s = (s 1 , s 2 ), which are held by Alice and Bob.Alice and Bob also pre-agree on a pair of inputs (x, y) where f (x, y) = 0, call them (x * , y * ), which exist because f is non-constant by assumption.Upon receiving inputs x, y Alice and Bob compute for i = 1, 2. They run the PSQM protocol for f on inputs (x 1 , y 1 ) and (x 2 , y 2 ) in parallel.Note that following the remark made after definition 8, the PSQM for F (x, y, s) = (f (x 1 , y 1 ), f (x 2 , y 2 )) is 2ϵ correct and 2δ secure.Notice that This means that by running the PSM for f (x ′ i , y ′ i ), the referee will learn s i when f (x, y) = 1.In the CDQS protocol, we have Alice act on the quantum secret Q with the one time pad using the key s = (s 1 , s 2 ).Then the referee will be able to undo the one time pad when f (x, y) = 1 (and so they know s), but not otherwise.
Next we establish correctness more carefully.First note that the encoding channel for the CDQS defined by the above protocol is where ρ M is the state of the message systems prepared by the PSQM.Correctness of the CDQS requires we establish the existence of a channel which approximately inverts this.Note that by 2ϵ correctness of the PSQM, we have that there exists a channel V M →Z such that where we defined ).We define our decoding channel to apply V M →Z , measure the Z system, then apply a Pauli conditioned on the outcome, We claim this is an approximate inverse to N xy Q→M Q .Using the definitions of N xy Q→M Q , D M Q→Q and the diamond norm, we obtain where we replaced the V M → M Z (ρ M (x, y)) with |F ′ ⟩⟨F ′ | at the expense of the added 2ϵ, which is justified by equation 67.Continuing, we can see that the second term is actually zero, since (from equation 65) F ′ is just s when f (x 1 , y 1 ) = f (x 2 , y 2 ) = 1, which removes the Pauli's and so the full diamond norm is bounded by 2ϵ.
Next we study security of the CDQS protocol.Recall that security of the PSQM implies that there exists a channel S Z→M such that In the definition of security for CDQS, we need to show the existence of a channel S ′ x,y ∅→M such that S ′ x,y ∅→M • tr Q is close to the action of the protocol N xy Q→M Q .We define then consider, where we used 69 in the inequality.This is δ security of the CDQS.

CFE gives PSQM and weak converse
Finally, we relate coherent function evaluation to PSQM.Note that the relationship is only that good CFE protocols give good PSQM protocols, although a weak converse also exists, as we describe.
Theorem 25 An ϵ-correct CFE protocol for the function f using n E EPR pairs and messages of n M qubits implies the existence of an ϵ-correct and √ ϵ-secure PSQM protocol for the same function, using n E EPR pairs and no more than n M message qubits.Proof.We define the PSQM protocol from the CFE protocol as follows.The PSQM protocol uses the same resource state as the CFE, Alice applies the bottom left operation of the CFE, Bob applies the bottom right operation of the CFE, and they send the systems that would reach the top right of the CFE protocol to the referee, which we call the M systems.To produce their output, the referee applies the top right operation from the CFE.See figure 6 for labels of the relevant subsystems.Correctness of the CFE protocol means that we have where N is the channel applied by our CFE protocol and F denotes the CFE isometry to be implemented.Applying these channels to the input |x⟩ X |y⟩ Y and using the definition of the diamond norm distance, we obtain Tracing out the Z ′ system and using that the one norm distance decreases under the partial trace, we obtain ϵ-correctness of the PSQM.
Next we study security of the PSQM.We start again from the correctness of the CFE protocol.To simplify our notation, we define the channels (see also figure 6) † Then we note that the CFE protocol can be decomposed into two steps, and rewrite the statement of correctness, Next, we will use that Stinespring dilations of channels can be chosen to be close if the initial channels are close [36].In particular we have where the infimum is over all dilations V i of T i .Noting that F is already isometric, we have that its dilations must consist of adding a state preparation channel, which we label P ∅→E .Further, all dilations are related by a partial isometry on the auxiliary space, so the dilations of the tr M M ′ W • V channel can be written in the form Then using the upper bound in 73, we have Next, we will exploit the lower bound in 73 to translate this to an upper bound on the diamond norm of these isometries.To do this, notice that from 73 we have Using this in equation 75, we obtain Next, apply I † M M ′ →E to both terms, which cannot increase the diamond norm, and obtain Then, apply these channels to the input |xy⟩ XY and call the output of the protocol on the M system ρ M (x, y), and trace out the M ′ system, Simplifying the state on the left using we obtain which is 2 √ ϵ security of the PSQM protocol, where W R † M → M Z along with the state preparation of σ M defines the simulator channel.
Next, we give a weak converse to the above theorem, which shows that a good PSQM protocol implies the existence of CFE protocol that succeeds with constant probability when acted on the maximally entangled state.Note that this falls short of bounding the diamond norm.We show this only in the exact setting though a robust version might also exist.We are also limited to the case where the function outputs a single bit.
Theorem 26 Suppose there exists a perfectly correct and perfectly secure PSQM protocol for the function f : X × Y → Z with Z ∈ {0, 1} using n M bits of communication and n E qubits of entangled resource system.Then there is a CFE protocol that implements a channel Ṽf XY →Z ′ Z such that and which uses n E qubits of entangled resource state and n M + n E + 2n qubits of communication, where n is the input size.
Proof.By security of the PSQM protocol, we have that when given input |xy⟩ the protocol produces a reduced state ρ M (x, y) with the form As part of the CFE protocol we are defining, we make a copy of the inputs |x⟩ X |y⟩ Y and send this copy in a system labelled Z ′ to the left.The overall state of the message system then is, Now consider purifying the channels used in the PSQM protocol, and sending the purifying systems (call them M ′ ) to the left.Then the message system becomes where we used that the reduced density matrix on M depends only on f xy to enforce that the Schmidt coefficients and Schmidt vectors on M can depend only on f xy .Next, we consider adding to the protocol a unitary where the α fxy are phases, |α fxy | 2 = 1.We will determine later how to choose these phases.This means we produce the state We'd like to exploit the correctness of the PSQM protocol to show this state can be made, using an operation on M , to have large overlap with the correct output for the CFE protocol, which here is |xy⟩ Z ′ |f xy ⟩ Z .Looking at the reduced state on M again, we have From correctness we have that there exists a map which is only solved if, for all k, with β k fxy being pure phases, |β k fxy | 2 = 1.Returning to the form 87, we can now add an application of V M →Z M as the top right element of our CFE protocol and we see that we produce the state By linearity, if we perform the same protocol on the state |Ψ + ⟩ RXY we produce the output We would like to compute the fidelity of the state produced by our protocol on RZ ′ Z with the correct one when acted on the maximally entangled state.Note that the correct output state would be Computing the fidelity of this with the partial state of Ψ ′ f on RZ ′ Z, we find Now, we can see how we should choose the phases α fxy that enter through our choice of the unitary U. We should choose the phases such that this sum is lower bounded, which we can achieve by setting This ensures that the terms in the sum where f xy ̸ = f x ′ y ′ are positive, so we bound them below by zero and obtain where N m is the number of inputs that lead to f xy = m.This gives the needed lower bound.
To understand the resource consumption of the protocol constructed above, notice that it uses the same resource state, and so still n E qubits of entangled resource system.Considering the message sizes, notice that in purifying the channels used in the PSQM protocol we need no more than n E + n M qubits in the auxiliary system, and then we added an additional copy of the input sent to the left, so we use at most Recently a robust version of this theorem was proven, see [37].Note that we do not expect that a good PSQM protocol implies a CFE protocol that succeeds with fidelity near 1, even in the perfect case, and the above is likely the best implication from PSQM to CFE that is possible.To understand why, consider why the fidelity of 1/2 appears in the above.The security requirement of the PSQM implies that the density matrix on Bob's side in the CFE depends only on f (x, y), and not further on (x, y).In the proof above, this restricts the entanglement between ZZ ′ and M , which can be exploited to make the CFE protocol mostly coherent.However, since the system on the right can still depend on f (x, y), there can be one qubit worth of entanglement between ZZ ′ and M , which leads to the fidelity of 1/2.We do not believe there is any way to remove this last qubit of entanglement, since it seems consistent with the security of the PSQM, and hence no way to achieve fidelity 1 in the CFE.For this reason we should understand CFE as likely a stronger primitive than PSQM.It would be interesting to understand if there is some other special case of NLQC, aside from CFE, which is equivalent to PSQM.

Complexity of efficiently achievable functions
The set of implications summarized in figure 3 imply efficient protocols for one primitive imply efficient protocols for many others.In this section we briefly summarize what is known about the efficiently achievable functions in various settings, and how they compare across various primitives.

Relevant complexity measures
An important model of computation we will discuss is the modulo-p branching program.These are computational models with close relationships to various non-uniform complexity classes sitting inside of NC.
Definition 27 A branching program is a tuple BP = (G, ϕ, s, t 0 , t 1 ) where, • ϕ is a function from edges in E to either a value "yes" or a tuple (b, i) for b a bit and i ∈ {1, ..., n}, • s, t 0 , t 1 are vertices from V .
Given a n bit string x as input, the branching program specifies a subgraph of G labelled G x according to the following rule.If for e ∈ E we have ϕ(e) = (b, j) with x j = b, or if ϕ(e) ="yes", then e is included in G x .We define a function acc(x) as the number of paths s → t 1 in the graph G x , and a function rej(x) as the number of paths from s to t 0 in G x .

Definition 28
The size of a branching program is defined as the number of vertices in V .We label the minimal sized branching program computing f as BP (f ).
We say a branching program is deterministic if the out degree of every vertex in every G x is at most 1, and non-deterministic otherwise.The function f (x) computed by a deterministic or non-deterministic branching program is defined such that f (x) = 1 iff acc(x) > 0. A Boolean modulo-p branching program computes the function f (x) defined such that f (x) = 1 iff acc(x) ̸ = 0 mod p.We label the minimal size of a mod p branching program computing f by BP p (f ).
The class of functions with polynomial sized modulo-p branching programs is defined below.

Definition 29
The complexity class Mod p L/poly is defined as those Boolean function families {f n } which have polynomial (in n) sized modulo-p branching programs.
The uniform complexity class Mod p L can be defined similarly in terms of log-space uniform branching programs, or given an equivalent definition in terms of Turing machines [38].Another relevant complexity class, also based on branching programs, is the following.

Definition 30
The class C = L/poly (read as "equality L") is defined as those Boolean function families {f n } which can be decided in the following way.We consider a branching program of polynomial (in n) size.If acc(x) = rej(x), output 1 and otherwise output 0.
A related notion of complexity that we will need is that of a span program, defined initially in [39].
Definition 31 A span program over a field Z p consists of a triple S = (M, ϕ, t), where M is a d × e matrix with entries in Z p , ϕ is a map from rows of M , labelled r i , to pairs (k, ε i ), with k ∈ {1, ..., n} and ε i ∈ {0, 1}, and t is a non-zero vector of length e with entries in Z p .A span program S computes a function f : {0, 1} n → {0, 1} as follows.Given an input string z of n bits, if the vector t is in span({r i : ∃j, ϕ(r i ) = (j, z j )}), then output 1.Otherwise, output 0.

Definition 32
The size of a span program is defined to be d, the number of rows in M .We denote the minimal size of a span program over Z p that computes f by SP p (f ).
The size of a span program computing {f n } and of a branching program computing the same function family are related by the following theorem, noted in [39] to follow from techniques in [38].
Theorem 33 For every prime p, Mod p L consists of those function families with polynomial sized span programs over Z p .
Thus the size of span programs and of arithmetic branching programs are related polynomially, and in fact [40] 10 We will never be interested in constant factor differences, so we can take that span programs are always smaller than modulo-p branching programs.An important notion for us will be that of pre-processing.We will consider functions f : {0, 1} n × {0, 1} n → {0, 1}, and are interested in the complexity of computing f (x, y) after allowing for arbitrary functions to be applied to x and y separately.We make the following definition.
We say that the complexity after pre-processing (with respect to some measure of complexity) of a function f (x, y) is the minimal complexity of any interaction part of f (x, y).More concretely, for span and branching program size we define the following pre-processed complexity measures.

Definition 35
The pre-processed branching program complexity is defined as Definition 36 The pre-processed span program complexity is defined as The pre-processed branching and span program complexities are related polynomially, because the non pre-processed complexities are.We define the following pre-processed complexity classes.

Definition 37
The complexity class M od k L (2) is defined as those functions f : {0, 1} n × {0, 1} n → {0, 1} with an interaction part that can be computed with a polynomial size (in n) modulo-p branching program.

Definition 38
The complexity class C = L (2) is defined as those functions f : {0, 1} n × {0, 1} n → {0, 1} with an interaction part that can be computed according to the following procedure.We consider a branching program of polynomial (in n) size.If acc(x) = rej(x), output 1 and otherwise output 0.
We can analogously define the complexity class P (2) as those families of function families which have a poly-time computable interaction part.
4.2 Efficiency of protocols for PSM, CDS, and related primitives

PSM and PSQM protocols
The largest class of functions for which efficient PSM protocols have been constructed are those with polynomial sized modulo-p branching programs.The following theorem was proven in [16].
Theorem 39 [IK '97] Let p be a prime, and let BP = (G, ϕ, s, t 0 , t 1 ) be a Boolean modulo-p branching program of size a(n) computing an interaction part of f .Then there exists a PSM protocol for f with randomness complexity and communication complexity both O(a(n) 2 log p).
Note that the original statement of this theorem considers f rather than its interaction part, but the extension is trivial.An immediate consequence of this theorem, along with the implications summarized in figure 3, is that CDS, PSQM, CDQS, and f -routing can all be achieved with the randomness and communication complexity given in the same way, up to constant factor overheads.
To better understand the implications of this theorem, it is helpful to understand which complexity classes can be efficiently achieved.Fixing p, those functions with polynomial sized branching programs are exactly the class M od p L. Running the PSM protocol on the interaction part, we can therefore achieve the class Mod p L (2) efficiently as a PSM.We can also choose p adaptively, and doing so achieve the class C = L (2) .This is shown in [16].It is also interesting to find a complexity class that contains all of those functions where (log p)BP p (f ) can be made polynomial.The smallest class which we can show contains all such functions is L #L , which we state as the following remark.
Remark 40 Every function family {f n } for which (log p) • BP p (f n ) is polynomial in n for some choice of p is contained in the class L #L /poly.Proof.By assumption, there is a polynomial sized branching program, call it BP and denote its size by s, whose number of accepting paths counted mod p is non-zero if f (x) = 1, and 0 otherwise.Further, the choice of p needed must have log p be polynomial.Our algorithm to compute f in L #L is as follows.We take our advice string to be a description of the branching program BP.We give BP along with the input x to the #L oracle, and it will return the number of accepting paths of this program, call it N .Notice that N < 2 s , since there must be no more accepting paths then there are subsets of vertices in BP.This means the output of the oracle consists of at most a polynomial sized string.We then subtract p from N repeatedly until it obtains a number less than p.Since p also consists of a polynomial number of bits, this can be done in log space.
To relate L #L to more familiar classes, we can note that it is contained inside of DET which is in turn contained inside of NC, where NC is the class of functions computed by poly-logarithmic depth circuits.
Notice that from theorem 19 the result of theorem 39 carries over immediately to the setting of PSQM.We move on to understand the implications of theorem 39 for the CDS, CDQS, and f -routing primitives below.

CDS protocols
From theorem 39 and because PSM protocols give CDS protocols (see theorem 18), we obtain the following corollary.
Theorem 41 Let p be a prime, and let BP = (G, ϕ, s, t 0 , t 1 ) be a Boolean modulo-p branching program of size a(n) computing f .Then there exists a CDS protocol for f with randomness complexity and communication complexity both O(a(n) 2 log p).
Note that the implication from PSM to CDS was known already, so that this implication was already clear.Recently, this scaling was improved to linear in the branching program size [41].
We can compare this to the most efficient CDS constructions in the literature.A CDS protocol based on secret sharing schemes was given in [15].They prove the following theorem 11 .
Theorem 42 [GIKM '98] Let h M : {0, 1} n → {0, 1} be a monotone Boolean function, and let h : {0, 1} n → {0, 1} be a projection of h M ; that is, h(y 1 , ..., y n ) = h M (g 1 , ..., g M ), where each g i is a function of a single variable y i .Let S be a secret sharing scheme realizing the access structure h M , in which the total share size is c, and let s be a secret that can be hidden in S. Then there exists a protocol P for disclosing s subject to the condition h whose communication and randomness complexity are bounded by c + |s|.
Using the span program based constructions of secret sharing schemes [39], this upper bounds the CDS cost of f by the minimal size of a monotone span program computing any projection of f , call it f M .If the span program is over the field Z p , the cost is (log p) • mSP (f M ).In [12] (see lemma 5) it is shown that the size of a span program computing the projection f M is the same as the size of a (non-monotone) span program computing f , up to a constant additive term.This leads to the following corollary.

Corollary 43
The randomness and communication complexity to perform CDS on the function f is at most O(log p • SP p (f )), where SP p (f ) is the size of any span program over Z p computing f .Notice that this is quite similar to corollary 41.Because the span program size and branching program size are related by equation 97, the secret sharing based construction for CDS is always more efficient than the branching program based approach inherited from PSM.
Another protocol based on dependency programs [42] was given in [31].Because dependency programs are always larger than span programs (see [42], Lemma 3.6) 12 , the span program based construction remain the most efficient.

CDQS and f -routing protocols
Notice that efficient CDQS protocols are given by both efficient CDS protocols (theorem 22) and by PSQM protocols (theorem 24).Further, from theorem 23 we have that efficient CDQS leads to efficient f -routing.These implications lead to the following theorem.

Theorem 44
The randomness and communication complexity to perform CDQS or frouting on the function f is at most O(log p • SP p (f )).
Since it had not previously been studied in the literature, this gives the largest known class of functions that can be implemented efficiently for CDQS.
We can compare theorem 44 to the most efficient protocols known for f -routing.In [12], the authors proved an upper bound of O(log p • SP p (f )) on communication and entanglement complexity of f -routing, exactly matching the result inherited from classical CDS.It is also interesting to note that the protocol given in [12] that achieves this bound is a close quantum analogue of the CDS protocol devised in the classical setting in [15]: both protocols are based on storing the secret in a secret sharing scheme and sending or not sending shares based on the value of bits of the input.
5 New lower bounds

Linear lower bounds on CFE
We have the following theorem from [35].In theorem 25, which shows CFE→PSQM, we could replace shared entanglement in the CFE protocol and obtain a PSQM protocol that only uses shared randomness.In fact, the theorem gives that the resulting PSQM uses the same distributed resource state as the CFE.From this, theorem 45 above gives the following.
Note that we would expect no amount of shared random bits to suffice for a CFE, and instead for entangled states to be required.Thus the consequence of this theorem is very weak in the CFE context.

Linear lower bounds on CDQS
We have the following theorem from [43].
Theorem 47 [BCS 2022, random function].Let n ≥ 10.Assume inputs x, y ∈ {0, 1} n are chosen at random.Then there exists a function f : X × Y → Z with X, Y ∈ {0, 1} n , Z ∈ {0, 1} such that, if the number q of qubits each of the attackers controls satisfies q ≤ n/2 − 5 (100) then the attackers are caught with probability at least 2 × 10 −2 .Moreover, a uniformly random function will have this property, except with exponentially small probability.
Combining this result with theorem 23, we find the following result for CDQS.
Corollary 48 There exists a function f : X ×Y → Z with X, Y ∈ {0, 1} n , Z ∈ {0, 1} such that a CDQS protocol which is ϵ-correct and δ-secure for f with max{ϵ, √ δ} < 2 × 10 −2 requires Alice and Bob have a quantum resource system consisting of at least n/2−5 qubits.Moreover, a uniformly random function will have this property, except with exponentially small probability.Now applying theorem 24 we obtain the following linear lower bound on the dimension of the resource system in PSQM.Note that previously a 2n − O(log n) linear lower bound on communication complexity was known, but no bound on shared entanglement was previously known.
Corollary 49 There exists a function f : X × Y → Z with X, Y ∈ {0, 1} n , Z ∈ {0, 1} such that an ϵ-correct and δ-secure PSQM protocol for f with max{2ϵ, √ 2δ} < 2 × 10 −2 requires Alice and Bob have a quantum resource system consisting of at least n/2−5 qubits.Moreover, a uniformly random function will have this property, except with exponentially small probability.connection from secret sharing to CDS to CDQS and f -routing reproduces the known class of functions that can be efficiently implemented in the f -routing setting.
Beyond linear schemes, [44] constructed secret sharing schemes with indicator functions that have complexity outside of P .Their scheme realizes the following access structure.
Definition 54 NQR n is an access structure on n = 4m parties for m an integer.We label the 4m shares by W b i and U b j with b ∈ {0, 1} and j ∈ {1, ..., m}.Given two bit strings13 w, u each of length m, we associate a subset B w,u of size 2m according to The access structure NQR n is then defined by its minimal authorized sets, which are for w, u such that u ̸ = 0, 1 and QR(w, u) = 0, so that w is not a quadratic residue modulo u.
Evaluating the indicator function for this access structure is at least as hard as solving the quadratic residuosity problem.To see this, notice that we can reduce computing QR(u, w) to evaluating f I as follows.From the string w of length m, define the two strings w, w′ according to We similarly define ũ and ũ′ , and then notice that Since computing w, w′ , ũ, ũ′ from (w, u) can be done efficiently, computing f I is not harder than computing QR(w, u).Despite the indicator function being of high complexity, there exists an efficient secret sharing scheme for the access structure NQR n .This is given in the following theorem.

Theorem 55 [BI 2005]
There exists an ϵ secure and δ private secret sharing scheme for the access structure NQR n storing a single bit secret with security parameter k, and We refer the reader to [44] for the construction of this scheme.
In the context of these distributed cryptographic tasks, we are interested in functions which remain of high complexity even when allowing for pre-processing.Thus we would like to construct functions outside of P (2) , perhaps starting with NQR.For a function to be a likely candidate to be outside P (2) , we need to ensure pre-processing is as unhelpful as possible.We suggest the following function Then, since Alice see's only x and Bob see's only y, pre-processing seems no better than advice, so we expect that NQR 4m,( 2) is outside P (2) if we have that N QR 4m is outside P/poly, as we commented above is believed.We state this as the following assumption.
Next, we claim that there is an efficient CDS scheme for NQR 4m,(2) (x, y).To see this, we have Alice, following remark 16, prepare the scheme in theorem 55 with access structure NQR 4m (z).Then she takes share S i to be the secret which will be conditionally disclosed in a scheme on the XOR function with inputs x i and y i .Correctly implementing each of these CDS schemes for the shares S i is easily seen to now correctly implement the larger scheme with access structure NQR (2),4m .This CDS can be performed using O(|S i |) randomness, so the total needed randomness is still given by the size of the secret sharing scheme.
From this construction for CDS and theorem 22 we obtain the following.
Corollary 57 Assuming conjecture 56, there exists a function outside of P (2) with n input bits and hiding one (qu)bit for which CDS and CDQS can be performed ϵ = 2 −k correctly and δ = k2 −k securely with O(k 2 + kn) shared bits of randomness.
From theorem 23, we then obtain the following consequence for f -routing.
Corollary 58 Assuming conjecture 56, there exists a function outside of P (2) with n input bits and hiding one (qu)bit for which f-routing can be performed ϵ = O(k2 −k ) correctly with O(k 2 + kn) shared entangled pairs.f -routing for a problem outside NC from DRE Next, we construct a CDS scheme for a lower complexity function, albeit one that is still outside of N C, via a second route that begins with a decomposable randomized encoding. 15The computational problem that will interest us is again quadratic residuosity, but this time where the modulus is taken over a prime.

Definition 59
The quadratic residuosity problem over Z p is defined as follows.
• Input: An integer a of n bits and prime p, also of n bits.
• Output: 1 if a = b 2 mod p for some b, and 0 otherwise.
While this problem is not known to be inside of NC, but is easily placed inside of P by recalling the Euler criterion, which states that if and only if a is a square.Given this, modular exponentiation can be used to determine if a is a square in polynomial time.Note that if we pose the same problem but with the prime p replaced by a composite number the resulting problem is thought to be outside of P [48].We focus on the prime case here.See [44] for a related discussion of the complexity of the quadratic residuosity functions considered over a field Z p for p prime.The quadratic residuosity problem over primes admits a simple randomized encoding scheme.In particular take a → r 2 a (108) for r a randomly chosen integer in Z p .To understand why this is a randomized encoding, notice that QR(a) = QR(r 2 a), so we can compute the result of the function defined by the residuosity problem from the encoded output correctly, by (in this particular case) simply computing the original function, since r 2 a is a quadratic residue if a is.Next, to show security one needs to show that if a is a quadratic residue then r 2 a is randomly distributed over all those integers ã in Z p which also are, and if a is not a quadratic residue then r 2 is uniformly distributed over all those ã which are also not.This amounts to showing that if a and ã both are (or both are not) quadratic residues then there is a unique r such that r 2 a = ã.This follows because the product of two residues is a residue, and the product of two non-residues is a residue.We can further extend this to a decomposable randomized encoding as follows [49].Use the encoding for s i , r drawn independently and at random from Z p for all but the last s i , which we set so that i s i = 0. Then to decode use To see security, we assume that a, ã are two integers with the same quadratic residue, and then show there is a choice of r, s i which make the bits of a look like the bits of ã.This means we need to solve subject also to i s i = 0.It is easy to see we can do this taking as an assumption the same thing we used in the earlier case, that if a, ã have the same quadratic residue then there is a r such that a = r 2 ã.
Given the existence of a decomposable randomized encoding scheme for the quadratic residue problem, we immediately obtain a PSM for this problem as noted above: Alice and Bob simply send the randomized encodings of their input bits to the referee, who runs the decoding procedure.This was observed already in [16].This in turn implies an efficient CDS, CDQS, and f -routing scheme for f (x) = QR(x).We collect these observations as the following remark.
Remark 60 Consider an n bit string z and split its bits into arbitrary subsets S and S c .Let the bits from S define a string z S and a bit from S c define a string z S c .Then the function f (z S , z S c ) = QR(z) has perfectly correct PSM and CDS schemes that uses poly(n) bits of randomness.
We can also use theorems 22 and 23 to upgrade these to quantum schemes, giving the following corollary.The circuit implementing the unitary U ′ .The unitary U computes f (x, y) on its last wire with high fidelity.System A 0 is initially maximally entangled with reference R. At the end of the circuit, R with be highly entangled with system A f (x,y) .
Corollary 61 Consider an n bit string z and split its bits into arbitrary subsets S and S c .Let the bits from S define a string z S and a bit from S c define a string z S c .Then the function f (z S , z S c ) = QR(z) have perfectly correct PSQM and CDQS schemes that uses poly(n) EPR pairs as a resource state.
Ideally, one would show that, assuming QR(z) is outside of NC implies f (z S , z S c ) is outside of NC (2) but we are unable to do so.Nonetheless, this constructs a second problem not known to be in NC (2) with an efficient f -routing scheme, although this one is inside of P. Another comment is that this problem has an exact scheme, while the construction in the previous section that is outside of P is approximate.

Efficient PSQM and CDQS for low T-depth circuits
In [14], a protocol is given that performs a unitary U AB non-locally with entanglement cost that depends on the circuit decomposition of U AB .In particular we write U AB in terms of a Clifford + T gate set, and obtain the following two upper bounds on entanglement cost.
Theorem 62 Any n qubit Clifford + T quantum circuit C which has at most k T -gates can be implemented non-locally using O(n2 k ) EPR pairs.Further, if C has T -depth d then there is a protocol to implement C non-locally using O((68n) d ) EPR pairs.From theorems 44 and 25, these results lead to upper bounds on entanglement cost in implementing CDQS, f -routing, and PSQM.These upper bounds depend on the number of T gates needed to compute f (x, y) with a quantum circuit.We discuss the CDQS setting first.
Corollary 63 Suppose that a function f (x, y) can be evaluated with probability 1 − ϵ by a Clifford + T circuit with T-count k and T-depth d.Then there is a 2ϵ-correct frouting protocol for the function f (x, y) that uses at most O(n2 k ) EPR pairs, or at most O((68n) d+5 ) EPR pairs, whichever is smaller.
Proof.Let U be the unitary that computes f .Recall that this means a measurement in the computational basis on the first qubit of the output of U returns f (x, y) with probability 1 − ϵ.Writing the state we have that |α f (x,y) | 2 ≥ 1 − ϵ.Now consider modifying the circuit that implements U by adding two ancilla qubits A 0 A 1 and a controlled SWAP gate, where we control on the first output qubit of U. We show this as a quantum circuit in figure 7. The controlled SWAP gate can be implemented with 7 T -gates arranged in 5 layers (see e.g.[50]).Thus our new circuit has T -depth at most d + 5 and T -count at most k + 7. We call the unitary U composed with the controlled swap gate U ′ .
To implement the f -routing protocol, we implement U ′ non-locally with A 0 X held on the left and A 1 Y held on the right.Initially A 0 is in the maximally entangled state with the reference system R.Because U ′ can be implemented with k + 7 T -gates and T -depth of d + 5, theorem 62 gives that this takes no more than O(n2 k ) EPR pairs, or at most O((68n) d+5 ) EPR pairs, whichever is smaller.Then we claim that at the end of the protocol that the A f (x,y) system is nearly maximally entangled with R.
To see this, notice that the state of the RA 0 A 1 XY after the unitary plus controlled swap have been applied is where ψ 0 and ψ 1 are orthogonal states as a consequence of unitarity of U. We take the decoding channel to be the trace over the A 1−f (x,y) XY system, followed by a relabelling of A f (x,y) as Q.This produces the state Then we can calculate the fidelity so that the f -routing protocol is 2ϵ correct, as needed.
From theorem 44, this also leads to a similar upper bound for CDQS.
Corollary 64 Suppose that a function f (x, y) can be evaluated with probability Proof.Follows immediately from theorems 25 and 62 taken together.

Sub-exponential protocols for f -routing on arbitrary functions
In a surprising breakthrough, [51] showed that CDS can be performed for any function using sub-exponential communication and randomness.We summarize their result as the following theorem.Combining this with theorem 22 we obtain the following corollary.
Corollary 67 There exist CDQS protocols with perfect correctness and secrecy for every function bits of communication, along with a single qubit of communication.
Proof.Recall that CDS protocols for secrets s 1 , s 2 can be run in parallel if using fresh randomness for each instance (see the paragraph after remark 4).Thus we can create a CDS hiding two bits of secret while still using 2 O( √ n log n) randomness and communication, and then apply theorem 22 to see that we can perform CDQS on a single qubit.
From here, theorem 23 leads to the following.
Corollary 68 There exists a perfectly correct f -routing protocol for every function f : Proof.Immediate from corollary 67 and theorem 23.
Before moving on, we give some brief context for the construction in [51] that leads to sub-exponential CDS protocols.The reader interested in the construction may refer to the original reference [51] or to the lectures [34].
The construction begins with a reduction from a CDS protocol for a general function f This means in particular that a good CDS protocol for the index function will lead to a good CDS protocol for all functions.The construction of a CDS for INDEX begins with a connection to the cryptographic task of private information retrieval (PIR).In a PIR task, a client interacts with several non-communicating servers to retrieve an item with label x from a database D, call the item D[x].Security of the PIR requires that the databases not be able to determine the label x.This primitive has long been noted to be related to CDS, and in fact CDS was first defined in the context of studying PIR schemes [15].While it is not known if all PIR schemes induce CDS schemes, techniques used in PIR constructions have led to CDS schemes.Theorem 66 was proven by applying tools from a sub-exponential PIR scheme presented in [52] to construct a CDS.
The PIR scheme developed in [52] relies on the existence of large matching vector families.A set of pairs of vectors {(u i , v i )} N i=1 is said to be a S-matching vector family if ⟨u i , v i ⟩ = 0 (118) ⟨u i , v j ⟩ ∈ S, when i ̸ = j. (119) Matching vector families find other applications as well, for instance in the construction of locally decodable codes.An outstanding question is how large N can be taken for vectors chosen in a given vector space.In [53], the authors constructed large matching vector families over Z ℓ 6 , which lead to efficient PIR schemes.Using similar techniques, the same matching vector families lead to the efficient CDS scheme of [51].

Collapse of CDQS and PSQM complexity with PR boxes
A Popescu-Rohrlich box is a hypothetical device, shared by distant parties Alice and Bob, which allows them to satsify the CHSH game with probability one.More concretely, given input x on Alice's side and input y on Bob's side, the device returns a to Alice and b to Bob such that a ⊕ b = x ∧ y.Broadbent [54] showed that if Alice and Bob share PR boxes, they can implement any unitary as a non-local computation using only linear entanglement and a linear number of uses of a PR box.This can be seen as a quantum analogue of a similar collapse that occurs in the setting of classical communication complexity [55].Because efficient non-local computation protocols lead, via theorems 23 and 25, to efficient CDQS and PSQM protocols, Broadbent's result similarly leads to a collapse to linear cost for PSQM and CDQS.
In fact, an even stronger collapse follows for CDQS, PSQM and f -routing by applying the result of [55] showing the collapse of classical communication complexity in the presence of PR boxes.In particular, PR boxes can be used to reduce computing f (x, y) with x held by Alice and y held by Bob to computing α + β, with α computed from x plus the output of PR box uses, and β computed from y along with PR box uses. 16In the CDS or PSM settings then, we need only execute CDS or PSM on the function g(α, β) = α + β with the inputs being single bits.This can be done with O(1) randomness.Via theorems 22 and 19 then, CDQS can be done with O(1) EPR pairs and PSQM with O(1) shared random bits.We can further note that from theorem 23 this means f -routing can be performed for arbitrary functions using only O(1) EPR pairs when given access to PR boxes.

Connections to quantum gravity and holography
In the study of quantum gravity the holographic principle [57,58] asserts that gravity in d dimensions should have an alternative quantum mechanical description in just d − 1 dimensions.This principle is realized manifestly in the context of the AdS/CFT correspondence [59,60].In [4], holography and the AdS/CFT correspondence was related to non-local quantum computation.In particular, they argued local interactions in the higher dimensional gravity picture are reproduced as non-local quantum computations in the lower dimensional quantum mechanical picture.As a consequence, computations in the presence of gravity may be constrained by limits on entanglement in the dual quantum mechanical picture [9], or interactions in the gravity picture may imply more computations can be performed non-locally than we have so far found protocols for.
In this work, we see that as a consequence of their connections to NLQC, CDQS and PSQM are also related to holography.One can also realize CDQS and PSQM protocols directly in holography, using connections similar to the one in [4] or the more recent [6].This implies that, as with NLQC, constraints on CDQS and PSQM correspond to constraints on bulk interactions.Conversely, the holographic picture has been argued [7,9] to suggest that a larger class of unitaries than is currently known should have efficient non-local implementations.Importantly, the connection between CDQS and PSQM is so far limited to the 2 input player case, which is also the case that ties to NLQC.It may be possible to explore a connection between CDQS and PSQM to holography that is realized more directly, not via NLQC, which could extend the connection to settings with many input players.
Recalling [9], it was argued that the holographic connection suggests that at least unitaries in BQP should be implementable non-locally.From this perspective it is in-teresting that, from the connection to secret sharing, we now have at least one function outside of P but inside of BQP with an efficient non-local implementation.

Quantum analogues of recent classical results
Non-local quantum computation was previously thought to have no (non-trivial) classical analogue: taking the inputs and outputs of a computation to be classical, one can immediately perform the computation in the non-local form of figure 1b without use of shared randomness. 17The connections pointed out in this article give non-trivial classical analogues of non-local computation: CDQS is equivalent to a special case of NLQC, and has a non-trivial classical version (CDS), and similarly to PSM.
Traditionally, classical analogues are a source of techniques and conjectures in the quantum setting.Taking this perspective on CDS and CDQS, two recent results in the CDS literature are natural candidates to revisit in the quantum setting.
First, in [33], the authors relate CDS to various communication complexity scenarios.In particular they consider the communication complexity class AM cc , defined as follows.Alice and Bob hold inputs x and y and share randomness r, while a referee holds (x, y).The referee will send Alice and Bob a proof p = p(x, y, r) that both Alice and Bob should accept when f (x, y) = 1, and both should reject if f (x, y) = 0. AM cc (f ) is the minimal length of the needed proof, and AM cc is the class of functions for which the proof can be taken to be of polylogarithmic length.Relating this to CDS, they show that for some constant c > 0, where CDS(f ) is the communication complexity of a CDS protocol for f (allowing for imperfect correctness and imperfect security), and a similar bound differing only by constant factors exists for randomness complexity.Unfortunately, there are no explicit functions known to be outside AM cc ∩coAM cc , but nonetheless equation 120 is an intriguing result.A natural question is if a similar inequality holds when considering CDQS and quantum communication complexity classes.Second, the related work [31] studied the relationship between zero-knowledge proofs and both CDS and PSM.The starting point is a zero-knowledge variant of the class AM cc discussed above, where an additional requirement that the proof p not reveal anything about (x, y) is imposed.This is refereed to as the class ZAM cc .The authors of [31] found that a PSM protocol with perfect correctness and privacy leads to a similarly efficient ZAM protocol, and that a ZAM protocol (which may be approximate) leads to a similarly efficient CDS protocol.Again, it is natural to ask for a quantum analogue of these results.

Classical analogues of further non-local computations
In this paper we relate two special cases of non-local quantum computationfrouting and coherent function evaluation -to other cryptographic tasks, CDQS and PSQM.One aspect of these relationships we have emphasized is that while non-local computation naively becomes trivial when considered classically 18 , PSQM and CDQS have natural classical variants.This raises the question as to whether NLQC generally has a good classical analogue, perhaps one exploiting the same communication pattern as CDS and PSM, and employing an appropriate secrecy condition.Less ambitiously, we can also ask about classical analogues of other commonly studied non-local quantum computation schemes.One commonly studied non-local computation which we have not considered here is the BB84 task [3,10], and its extension to f -BB84 [29,61].It would be interesting to understand if f -BB84 is related to a classical primitive.

Figure 1 :
Figure 1: (a) Circuit diagram showing the local implementation of a unitary in terms of a unitary U.In positionverification, an honest prover implements the required unitary in this form.(b) Circuit diagram showing the non-local implementation of a unitary U. V L , V R , W L , and W R are quantum channels.The lower, bent wire represents an entangled state.In position-verification, a dishonest prover must use a circuit of this form to implement a required unitary.

Figure 7 :
Figure7: The circuit implementing the unitary U ′ .The unitary U computes f (x, y) on its last wire with high fidelity.System A 0 is initially maximally entangled with reference R. At the end of the circuit, R with be highly entangled with system A f (x,y) .
(x, y) to a particular function we denote as IN DEX(x, D y ), which takes as input Alice's input x and the string D y = f (00...00, y)f (00...01, y)...f (11...11, y) of length 2 n .Notice that f (x, y) = IN DEX(x, D y ) = D y [x](117) ||P S SM − P S P S P M || 1 = ||P S| SM P SM − P S P S P M || 1 = ||P S| S P SM − P S P S P M || 1 ≤ ||P S| S P S P M − P S P S P M || 1 + δ = ||P S S P M − P S P S 6. (b) A PSQM protocol.Again Alice and Bob share an entangled resource state.Alice receives input x ∈ {0, 1} n , Bob receives input y ∈ {0, 1} n .Alice and Bob prepare quantum systems M 0 and M 1 , which they pass to the referee.The protocol succeeds if the referee can determine f (x, y), but the system M = M 0 M 1 otherwise reveals nothing about the inputs x, y.See definition 8.Then by repeated application of the triangle inequality, and using security of each instance of the CDS, we have that on 0 instances ||Sim M 1 ...Mm|xy − P M 1 ...Mm|xys || 1 = ||Sim M 1 |xy ...Sim Mm|xy − P M 1 |xys 1 ...P Mm|xys || 1 ≤ mδ EPR pairs, or at most O((68n) d n 5 ) EPR pairs, whichever is smaller.′ |f xy ⟩ Z ⟨x| X ⟨y| 1 − ϵ by a Clifford + T circuit with T-count k and T-depth d.Then there is a 2ϵ-correct and ϵ log d Q secure CDQS protocol for the function f (x, y) that uses at most O(n2 k ) xy |xy⟩ Z Y (116) can be implemented with closeness ϵ (according to the diamond norm distance) with a Clifford + T circuit with T-count k and T-depth d.Then there exists a PSQM protocol for f (x, y) which is ϵ-correct and √ ϵ-secure that uses at most O(n2 k ) EPR pairs, or at most O((68n) d n 5 ) EPR pairs, whichever is smaller.