Unconditionally verifiable blind computation

Blind Quantum Computing (BQC) allows a client to have a server carry out a quantum computation for them such that the client's input, output and computation remain private. A desirable property for any BQC protocol is verification, whereby the client can verify with high probability whether the server has followed the instructions of the protocol, or if there has been some deviation resulting in a corrupted output state. A verifiable BQC protocol can be viewed as an interactive proof system leading to consequences for complexity theory. The authors, together with Broadbent, previously proposed a universal and unconditionally secure BQC scheme where the client only needs to be able to prepare single qubits in separable states randomly chosen from a finite set and send them to the server, who has the balance of the required quantum computational resources. In this paper we extend that protocol with new functionality allowing blind computational basis measurements, which we use to construct a new verifiable BQC protocol based on a new class of resource states. We rigorously prove that the probability of failing to detect an incorrect output is exponentially small in a security parameter, while resource overhead remains polynomial in this parameter. The new resource state allows entangling gates to be performed between arbitrary pairs of logical qubits with only constant overhead. This is a significant improvement on the original scheme, which required that all computations to be performed must first be put into a nearest neighbour form, incurring linear overhead in the number of qubits. Such an improvement has important consequences for efficiency and fault-tolerance thresholds.


Introduction
Scalable quantum computing has proven extremely difficult to achieve, and when the technology to build large scale quantum computers does become available it is likely that they will appear initially in small numbers at a handful of centres. How will a user interface with such a quantum computer? The solution is blind quantum computing (BQC) that enables a classical client (called Alice) with limited quantum technology to delegate a computation to the quantum server(s) (called Bob) in such a way that the privacy of the computation is preserved [1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16].
Blind classical computing (the notion of "computing with encrypted data") was proposed by Feigenbaum [17] and then extended by Abadi, Feigenbaum and Killian in a client server setting [18]. cases such as quantum simulation [29,30] or other problems in BQP [31]. The challenge is to mimic a similar construction where an efficiently testable witness can guarantee the correctness of the entire computation. The main contribution of the present paper is to present a new protocol that compared to the original UBQC protocol offers a more rigorous but intuitive proof of verification. Where the client can verify with high probability whether Bob has followed the instructions of the protocol and the output state is indeed in the correct form, or if there has been a deviation resulting in an incorrect output state. The central idea is based on the randomly prepared single qubits (called traps), blindly isolated from the actual computation, which can act as such a witness, where even the computation of the test (measurement of the qubits) can be performed blindly by an untrusted server.
The rest of this paper is organised as follows. Section 2 and 3 summarise various required concepts from measurement-based quantum computing and also the original UBQC scheme presented in [3]. In order to construct our new verifiable UBQC protocol we first introduce the concept of dummy qubits in Section 4, where we assume Alice now can prepare a qubit randomly chosen not only in the equatorial plain, as in the original UBQC scheme, but also from the set {|0 , |1 }. The latter qubits are called dummy qubits as they have no effect on the actual underlying computation. However, they permit the blind construction of isolated trap qubits in the state |+ θ as explained in Section 6 where the core concept of verification is introduced. In order to deal with universality, in Section 5 we introduce a new resource state called the dotted-complete graph states which allow us to adapt the topological fault-tolerant measurement-based quantum computation scheme due to Raussendorf, Harrington and Goyal [32] to our blind setting. The use of this scheme is expected to lead to substantially increased thresholds for fault tolerant computing in the blind setting. A threshold for fault-tolerant blind computation in the absence of verification based on this faulttolerance scheme was previously calculated as 4.3 × 10 −3 by Morimae and Fujii [8]. As shown in Section 6, introduction of a single blind isolated trap qubit leads to a verifiable blind quantum computing protocol with security polynomial in the total number of qubits. In order to boost the security while maintaining universality a new scheme has to be constructed. This is done in Section 7 where we put together various constructions of the previous sections to present the main result of this paper, a universal exponentially-secure verifiable blind quantum computing protocol.

Preliminaries
Measurement-based quantum computing (MBQC) [27,28] is a novel form of quantum information processing, where the key twin notions that distinguish quantum information processing from its classical counterpart, entanglement (creating non-local correlations between quantum elements) and measurement (observing a quantum system), are the explicit driving force of computation. More precisely, a measurement-based computation consists of a phase in which a collection of qubits are set up in a standard entangled state. Measurements are then made on individual qubits and the outcomes of the measurements may be used to determine further adaptive measurements. Finally, again depending on measurement outcomes, local adaptive unitary operators, called corrections, are applied to some qubits; this allows the elimination of the indeterminacy introduced by measurements. Conceptually MBQC separates the quantum and classical aspects of computation; thus it clarifies, in particular, the interplay between classical control and the quantum evolution process. The UBQC protocol explores this unique feature of MBQC as it has been proven to be conceptually enlightening to reason about distributed computing tasks using this approach [33]. We begin by describing all the required elements for an MBQC protocol and then move to the particular family of distributed MBQC protocols for hiding various aspects of a given computation.

Single party (undistributed) MBQC protocol
A formal language to describe in a compact way the operations needed for the MBQC model was proposed in [28]. In this framework every MBQC algorithm (usually referred to as an MBQC pattern) involves a sequence of operations such as entangling gates, measurements and feed-forwarding of outcome results to determine further measurement bases. A measurement pattern, or simply a pattern, is defined by a choice of a set of working qubits (V ), a subset of input qubits (I), another subset of output qubits (O), and a finite sequence of commands acting on qubits in V . Therefore, we consider patterns associated with the so-called open graphs. Following the terminology of [28], a single party MBQC protocol consists of three elements: 1. A uniform family of open graph states {(G n,m , I n , O n )} n over m vertices associated with individual qubits, where n is the size of the input/output space of the underlying computation. In this paper we deal only with those MBQC protocol that implements a unitary operator over their input space and hence the size of the output space is the same as the input space, but this is not a restriction and we can extend this treatment to any general completely positive trace preserving map by padding the input and output spaces. Further, for simplicity, we will assume that the input is always a pure state, though again this treatment can be extended to the general case. We usually assume that |I| = |O| = n, however sometime n is taken to be strictly larger than the dimension of the input/output Hilbert space due to the existence of auxiliary input or output qubits (as in later protocols which incorporate trap qubits). In order to have uniform notation, for the latter case, we will still use I/O to be the class of all nonprepared/non-measured qubits where it is strictly larger than the class of all input/output qubits. By the term "uniform family" we simply mean that for any protocol there exist a classical Turing machine that for a given input of the size n describes the required graph over m ≥ n vertices. If the underlying geometry of the graph is regular, for example being one-dimensional lines, two-dimensional regular lattices or brickwork graphs (as we describe later), then instead of referring to the Turing machine to define the uniform family we simply use fixed parameters such as the size of the line or lattice to specify the graphs. For any fixed input size n the graph G n,m describes the initial quantum state of the protocol. Given an arbitrary state of the input qubits corresponding to the input vertices of the graph, one prepares m − n qubits in the state |+ = 1 √ 2 (|0 + |1 ) corresponding to all non-input qubits (I c ) in the graph and then apply ctrl-Z operator between qubits i and j, if the corresponding vertices in G n,m are connected. Note that since the ctrl-Z gate is symmetric the direction of the edge is not important and hence we are working with undirected graphs. We will usually refer to the obtained quantum state based on the graph G n,m as the graph state G n,m , unless a different notation is more appropriate, also for simplicity we drop the sub-index m.
2. A set of angles φ i ∈ A where A ⊆ [0, 2π) for all non-output qubits, to describe a collection of single qubit (X, Y )-measurements, that is measurement in the bases 1 √ 2 (|0 ± e iφ i |1 ). For the specific class of MBQC protocols that we discuss in this paper we require the angles to specify a collection of measurement bases, such that individual measurements are unbiased with respect to the initial state. This is an essential ingredient for the blindness property that we define later. Without loss of generality, we can fix the set from which the angles are chosen to be A = {0, π/4, 2π/4, · · · , 7π/4}. We will discuss later how this combination of angles and particular families of graph states leads to approximate universality.
3. The last ingredient is the structure of the dependency among the measurements. It is known that despite the probabilistic nature of the measurements, an MBQC protocol can implement a unitary computation over the input space by introducing a casual structure over the measurements. This is done by allowing any measurement on qubit i to be dependent on the result of some (possibly none) previously measured qubits. Let s i ∈ {0, 1} be the classical result of the measurement at qubit i. There are two type of dependencies, called X and Z dependency. If a measurement at qubit i is X or Z dependent on the s j where qubit j has been already measured then the actual angle of the measurement of qubit i during the protocol run is (−1) s j φ i or φ i + s j π respectively. Naturally one needs a non-cyclic structure to be able to run such dependencies and for an arbitrary graph such construction (if it exists) is formalised by the notion of the flow of the graph [34,35]. A function (f : O c → I c ) from the measured qubits to non-input qubits and a partial order ( ) over the vertices of the graph such that ∀i : i f (i) and ∀j ∈ N G (i) : and Z dependent on all qubits l such that k ∈ N G (f (l)). Note that if the dependency set is empty, that is there is no qubit q such that q = f −1 (k) or q ∈ N G (f (l)) then we set the convention that the corresponding value of s q is zero and hence we can use the same formulas ((−1) s j φ i or φ i + s j π) to compute the dependent angles.
The above describes only a non-distributed (single party) MBQC protocol, that is a protocol where a party both prepares the graph state and performs the sequence of the dependent measurements according to the order given by the flow (see [27,28] for more details on MBQC computation). One can easily extend the above definition to the distributed setting where different elements of the protocol are accessible and known only to specific parties and through classical/quantum communication the parties collaborate to perform a specific computation. Consider a simple two-party example where Alice has the information about the angles and Bob has the information about the graph and hence he can calculate the flow. Then they can collaborate to perform the corresponding computation as follows: first Bob prepares the required graph state and asks Alice to send him the classical information about the angles of the measurement, Bob then computes the dependency and performs the measurement and so forth. The purpose of this paper is to describe a family of such distributed protocols where, despite the communication, Alice can keep the measurement angles hidden from Bob. We then show that, for certain carefully chosen graph families, hiding these angles is sufficient to hide the full underlying computation together with the input and outputs.

2-Party (distributed) Hiding Protocols
We define a specific family of two-party (Alice and Bob) MBQC protocols (which we term hiding protocols) that can be shown to be "blind" in the sense that Alice can hide information from Bob. For simplicity, instead of working with a family of graphs representing the computation over an arbitrary size input, we fix the input size to be n and we denote by m ≥ n the total number of vertices in the graph and hence the total number of qubits in the equivalent single-party protocol. Note that if we desire to have an efficient protocol, then we restrict the computation of the protocol to be of the polynomial size by requiring that m = Poly(n). However blindness is independent of any complexity assumptions so we do not, in general, restrict the size of m.
The protocol will be interactive having m − n steps if the output is quantum or m steps if the output is classical, where at each step a single qubit is measured. In practice we can parallelise the protocol to D steps, where D is the depth of the partial order of the flow of the graph [36,37]. This is due to the special structure of the partial order of the qubits defined by the flow function whereby all the qubit in the same class of the partial order are independent of each other and hence can be measured in parallel, i.e. at the same time. However this parallelisation will make no difference to the concept of blindness that we are concerned with, so we keep the simple convention that at each step only one qubit is measured. Furthermore we assume for the case of classical output that all of the output qubits are measured in the final step with a Pauli X measurement. Again this is simply a convention for the discussion in our paper and in general the output qubits could be measured with any angles and in different steps depending on the flow construction. Such a convention does not affect universality, as the circuit being implemented can simply by modified to replace measurements in arbitrary bases with measurements in fixed bases preceded by an appropriate local rotation.
We will denote by s a sequence of length m − n with value in {0, 1} describing the result of the non-output measurements performed so far. In the case of classical output, where output qubits are measured as the last n steps, s is a sequence of length m. The value associated with a qubit that is not yet measured are set to 0, and hence at the beginning of the protocol before any measurement being performed we set s = 0, 0, · · · , 0. We will denote by s ≤i the prefix of length i of s and elements of s are denoted by s i . Whenever adding the values of s i and s j we define their sum modulo 2. All the qubits in the protocol are enumerated in such a way that at position i all qubits with label less than i are measured before measuring qubit i. Any total ordering of the qubits consistent with partial ordering of the flow will work and as a result the measurement at qubit i will depends only on the string s <i .
We describe first a generic hiding protocol with quantum input and output (Protocol 1) and one with classical input and output (Protocol 2) and then formalise various derivatives of them to obtain universal, blind and verifiable protocols. Protocol 2 is exactly the same as Protocol 1 except that the steps for encoding input are removed and all the output qubits are measured in the Pauli X basis. Note that the reason we chose the measurement of the output qubits to be in the Pauli X basis is purely for simplicity of presentation, so that the same evaluation function C of the non-output measurements, in Protocol 1, can be used for the output qubits. However one could add separate evaluation function for the output qubit measurement to perform Pauli Z measurement over them.
The outline of the main protocol is as follows. Alice has in mind a unitary operator U that is implemented with a measurement pattern on some graph state G with its unique flow function f , and measurements angles in A. This pattern could have been designed either directly within the MBQC framework or from a circuit construction. The pattern assigns a measurement angle φ i to each qubit in G, however during the execution of the pattern, the actual measurement angle φ i is a modification of φ i that depends on previous measurement outcomes instructed by f in the following way [34,35]: As said before, in a standard MBQC pattern all the non-input qubits are prepared in the state |+ and all the input qubits in the desired input state |I . Considering such quantum input allows for the possibility of Alice having additional capabilities allowing her to produce arbitrary input states, or for the possibility that the input state is supplied on Alice's behalf by a third party. In our protocols, in order to hide the information about the angles some randomness has to be added to the preparation and consequently the measurements have to be adjusted to compensate for this initial randomness to obtain the correct outcome. Hence, Alice prepares all the non-input qubits in |+ θ i for some randomly chosen θ i ∈ A and also applies a modified version of a full quantum one-time pad encryption over the input qubits using random keys x i ∈ {0, 1} and θ i ∈ A in the following way: before sending all qubits to Bob. After that, Bob entangles qubits according to G. Note that this unavoidably reveals upper bounds on the dimensions of the underlying quantum computation, corresponding to the length of the input and depth of the computation. The computation stage involves interaction: for each qubit, Alice sends Bob a classical message δ i ∈ A to tell him in which basis (in the (X, Y ) plane) he should measure the qubit. This angle is computed in such a way as to correct for the one-time padding of the input qubits and the random rotation of the non-input qubits, as follows: where the last term r i π, with a randomly chosen r i ∈ {0, 1}, is added to hide the correct classical outcome of the measurement from Bob without effecting the overall computation (see correctness proof below). Bob then performs the measurement and communicates the outcome b i to Alice. Alice's choice of angles in future rounds will depend on these values, hence she will correct the obtained outcome by setting s i := b i ⊕ r i . If Alice is computing a classical function, the protocol finishes when all qubits are measured (Protocol 2), as the classical outputs are encoded in the measurement outcomes sent to Alice. If she is computing a quantum function, Bob returns to her the final qubits (Protocol 1), and it is taken that the quantum output is encoded in these qubits. Note that in Protocol 2 we take the input to be |+ ⊗ · · · ⊗ |+ , an encoding of the fixed classical input 0 · · · 0, any other arbitrary classical input i 1 · · · i n is prepared by applying appropriate Z on the corresponding qubit to create For classical input there is no need for a full one-time padding of the input hence no need for the x i random variables as θ i rotation completely hides the input. The above explanation is the basis for the correctness of all of the protocols presented in this paper.

Definition 2.
A hiding protocol with quantum input is correct if the quantum output state is U |I or if the classical outputs are the result of Pauli X measurements on the state U |I , where U is the unitary operator corresponding to the implementation of the measurement pattern of the hiding protocol. Similarly one could define correctness for protocols with classical input.
Theorem 1 (Correctness). Assume Alice and Bob follow the steps of Protocols 1 and 2. Then the outcome is correct.
Proof. Here we explicitly give a proof only for the case of quantum input and output, as the remaining cases have virtually identical proofs. The protocol deviates in three ways from the standard implementation of the desired measurement pattern defined by a graph state G with measurement angles φ i : a random Z(θ i ) rotation over all qubits; a random X x i rotation over the input qubits; measuring with angles δ i . However, since ctrl-Z commutes with Z-rotations, Alice's preparation does not change the underlying graph state; only the phase of each qubit is locally changed, and it is as if Bob had done the Z-rotation after the ctrl-Z. Let φ i be the adapted angles of the measurement φ i according to the flow structure of the desired measurement pattern defined by G. Note that a measurement in the + φ i , − φ i basis on a state |ψ is the same as a measurement in the + φ i +θ i , − φ i +θ i basis on Z(θ i ) |ψ . Also a measurement in the + φ i , − φ i basis on a state |ψ is the same as a measurement in the Bob's measurement has the same effect as Alice's target measurement; if r i = 1, all Alice needs to do is to flip the outcome. Therefore all the deviation from the actual implementation of the measurement patter are corrected and the quantum output is the desired state corresponding to the action of the unitary operator implemented by the graph state G over the input state.

Blindness
We say a hiding protocol is blind if Bob cannot tell anything relating to the angles of measurements.
In considering this it is worth noting that Bob can run the protocol only once with fixed values for Alice's parameters φ i , θ i , r i , x i . Later we will show how for generic graphs this will lead to hiding the output of the computation as well. Following the convention of [18], we use the notation of a leakage function, denoted as L(X), to formalise what Bob learns during the interaction.
Definition 3. A hiding protocol P with input X is blind while leaking at most L(X) if: 1. The distribution of the classical information obtained by Bob in P is dependent only on L(X).

2.
Given the distribution of classical information described in 1 and L(X), the state of the quantum system obtained by Bob in P is fixed.
Theorem 2 (Blindness). Protocols 1 and 2 are blind while leaking at most G.
Proof. Necessarily Bob learns G as he is instructed to entangle all the received qubits according to G. We show now that for a fixed G every possible set δ = {δ i } occurs with equal probability (satisfying the first condition). We then prove that for a fixed set of angles δ the state of the quantum system obtained by Bob is the maximally mixed state, and hence independent of both φ = {φ i } and ρ I (the quantum input state), thereby satisfying the second condition. For simplicity, we first prove the blindness for Protocol 2 with no quantum input or output. Alice's secret angles consist of φ = {φ i }, with the actual measurement angles φ = {φ i } being a modification of φ that depends on previous measurement outcomes. Let the classical angles that Bob receives during the protocol be δ = {δ i }, and let ρ be the quantum system initially sent from Alice to Bob.
To show independence of Bob's classical information, let θ i = θ i + πr i (for a uniformly random chosen θ i ) and θ = {θ i }. We then have δ = φ + θ , with θ being uniformly random. Thus the distribution of δ is also the uniformly random distribution, and is hence independent of φ and/or φ (satisfying the first condition).
In Protocol 2, there is no quantum input, and so the quantum system Bob receives from Alice is composed only of the qubits prepared in states |ψ i = |+ θ i . For each qubit i, we fix δ i . Because r i is uniformly random, one of the following two has occurred:

Protocol 1 Generic Hiding Protocol with Quantum Input and Output
• Alice's resources -Graph G over m vertices where labelling of vertices are in such a way that the first n qubits are input and the last n qubits are output.
-An n-qubit input state |I .
-A sequence of non-output measurement angles, -m random variables θ i with values taken uniformly at random from A.
-n random variables x i and m−n random variables r i with values taken uniformly at random from {0, 1}.
-A fixed function C G that for each non-output qubit i (1 ≤ i ≤ m − n) computes the angle of the measurement of qubit i to be sent to Bob. This function depends on φ i , θ i , r i , x i and the result of the measurements that have been performed so far (s <i ). The function C G also depends on the flow (f, ) of the graph G. However, since the flow of the graph G is unique (if it exists), we need not take flow as a parameter of the function C G . We have where x k for n + 1 ≤ k ≤ m and also s k for any non-defined value of k is set to zero.
• Initial Step -Alice's move: Alice sends Bob the graph G and sets all the values in s to be 0. Next she sends m qubits in the order of the labelling of the vertices of the graph, as follows: first, Alice encodes the n-qubit input state as and sends them as the first n qubits to Bob. She then prepares m − n single qubits in the state |+ θ i (n + 1 ≤ i ≤ m) and sends them to Bob as the remaining qubits.
-Bob's move: Bob receives m single qubits and entangles them according to G.
-Alice's move: Alice computes the angle -Alice's move: Alice applies X s f −1 (i) Z j: i∈N G (f (j)) s j Z(θ i ) over qubit i.

Protocol 2 Generic Hiding Protocol with Classical Input and Output
• Alice's resources -Graph G over m vertices where labelling of vertices are in such a way that the first n qubits are input and the last n qubits are output.
-A sequence of non-output measurement angles, -m random variables θ i with values taken uniformly at random from A.
-m random variables r i with values taken uniformly at random from {0, 1}.
-A fixed function C G that for each non output qubit i (1 ≤ i ≤ m) computes the angle of the measurement of qubit i to be sent to Bob: where s k for any non-defined value of k is set to zero, also φ i = 0 for m − n + 1 ≤ i ≤ m.

• Initial
Step -Alice's move: Alice sends Bob the graph G and sets all the value in s to be 0. Next she sends m qubits in the order of the labelling of the vertices of the graph, as follows: first, Alice encodes the n-bit string classical input i 1 · · · i n as state and sends them as the first n qubits to Bob. She then prepares m − n single qubits in the state |+ θ i (n + 1 ≤ i ≤ m) and sends them to Bob as the remaining qubits.
-Bob's move: Bob receives m single qubits and entangles them according to G.
. For any given r i there is a unique value of θ i such that δ i takes any given value. Thus δ i is independent of r i . Tracing over all r i we see that for any fixed value of δ i each qubit of ρ is left in the maximally mixed state, and so ρ = I/2 m , where m is the total number of qubits sent by Alice to Bob. Hence the state of the quantum system obtained by Bob in Protocol 2 is fixed and independent of the angles {φ i } (satisfying the second condition).
Similarly we can prove the blindness of Protocol 1. The only difference is that Alice has performed a full one-time pad over the input qubits and the first layer of the measurements are adapted to undo these if required. However the quantum system initially sent from Alice to Bob is again the maximally mixed state. This is due to the fact that for each qubit i in the input state tracing over r i and x i leaves the system in the maximally mixed state.
We note that recently other definitions of blindness have been proposed in the context of composable security, however the protocols presented herein also satisfy those definitions [13].

Dummy Qubits
In order to obtain an intuitive method for achieving verification, we construct an extension of Protocol 1 and 2 (see Protocol 3) where Alice can also prepare qubits in the state |z where z is chosen uniformly at random from {0, 1}. These qubits are called dummy qubits, as they will not be part of actual computation. A dummy qubit remains disentangled from the rest of the qubits of the graph state and, as we prove later, the addition of these dummy qubits does not affect the correctness or blindness of the hiding protocol. These dummy qubits are measured with random angles which again will not affect the actual computation due to the fact that they are disentangled from the rest of the qubits. However, as we prove in the next section, these dummy qubits allow Alice to easily add isolated trap qubits to the computation and achieve verification. Note that Alice must keep the position of the dummy qubits hidden from Bob (i.e. part of the secret) in order to keep the position of any trap qubits hidden. The addition of the dummy qubits can also be viewed as a method for the blind implementation of the Pauli Z basis measurements. This is due to the fact that their position is hidden from Bob and from his point of view they are measured in the (X, Y ) plane as well. However due to their preparation state (|0 or |1 ) through the entangling step, they have the same effect of measuring the corresponding qubit in the Pauli Z basis. Therefore, we use the term blind Pauli Z measurement interchangeably with dummy qubits in the rest of the paper. Due to the addition of dummy qubits, we will assume from now on that n is an upper bound over the number of the input or output qubits. This is required to allow the possibility of having trap or dummy qubits as part of the input or output system. Therefore in the design of the measurement pattern, auxiliary qubits are added to the input and output space in such a way that the actual computation remains intact. Proof. The proof is similar to the proof of Theorem 1, the only new element is the effect of the dummy qubits. If a dummy qubit is in the state |0 then in the entangling step this qubit does not affect the state of the other qubits. However, if the dummy qubit is in the state |1 then the

Protocol 3 Generic Hiding Protocol with Quantum Input and Output and Dummy Qubits
• Alice's resources -Graph G over m vertices where labelling of vertices are in such a way that all the l input qubits are located among the first n ≥ l qubits and all the l output qubits are located among the last n qubits.
-An l-qubit input state |I .
-The dummy qubits positions, set D, chosen among all possible vertices except the l input and l output qubits.
-m random variables θ i with value taken uniformly at random from A.
-l random variables x i , m − n random variable r i and |D| random variable d i with values taken uniformly at random from {0, 1}.
-A fixed function C G that for each non output qubit i (1 ≤ i ≤ m − n) computes the angle of the measurement of qubit i to be sent to Bob: where x k for n + 1 ≤ k ≤ m and s k for any non-defined value of k are set to zero.
• Initial Step -Alice's move: Alice sends Bob the graph G and sets all the value in s to be 0. Alice encodes the l-qubit input state as and positions them among the first n qubits. She then prepares the remaining qubits in the following form Then Alice sends Bob all m qubits in the order of the labelling of the vertices of the graph.
-Bob's move: Bob receives m single qubits and entangles them according to G.
entangling operation will introduce a Pauli Z rotation on all the neighbouring qubits in G. Hence a qubit i ∈ D will be affected by the operator j∈N G (i)∩D Z d j . However, in the initial step, Alice already applied the operation j∈N G (i)∩D Z d j over the prepared qubits and therefore all qubits i ∈ D are in the desired state |+ θ i , since Z operator is self-inverse. Moreover all the dummy qubits are unentangled with the rest of qubits and are measured in a random basis with no consequences for the part of the computation taking place over the graph G after removing vertices D.
Theorem 4. The generic hiding protocol with dummy qubits, Protocol 3, is blind while leaking at most G.
Proof. Proof follows along similar lines of Theorem 2. We define Alice's total communication to Bob consists of the initial quantum states, which we can rewrite as + θ i −πr i if the qubit is not a dummy qubit or ∈ R {|0 , |1 } if it is a dummy qubit, and the measurement angles which are set to be As before, the values of δ i are uniformly random since θ i are uniformly random, and for any fixed values of δ i tracing over all r i , we obtain the initial quantum state for each qubit as either the qubit was not dummy, and the qubit was a dummy. Hence the qubits obtained by Bob are always in the maximally mixed state and are not correlated with each other.

Generic Graph
During a hiding protocol Bob learns the graph of entanglement, G, however it was shown in [3] that it is possible for Alice to choose a family of graphs corresponding to what were termed brickwork states such that blindness of the angles, as defined before, will permit Alice to hide the unitary operator that the protocol is implementing, revealing only an upper bound on the dimensions of the circuit required to implement it. The key element to achieve this is the use of those universal resources for MBQC [38] that are generic, hence revealing no information about the structure of the underlying computation, except the bounds on the size of input and the depth of the computation. Moreover to make the protocol practical from Alice's point, it is desirable to restrict the class of measurement angles, so that the required class of random qubits prepared by Alice is also restricted. Hence we are restricted to achieving only approximate universality, however this is still equivalent to the quantum circuit model with a finite but universal set of gates. Note that exact universal blind quantum computing could be achieved similarly if Alice could prepare separable single qubit states |+ θ with θ chosen randomly in [0, 2π) and if Bob could make any measurement with angles in [0, 2π). However, such a model requires Alice to communicate random real angles to Bob, and hence such a setting is unattractive from a communications resources point of view. However, similar to the quantum circuit scenario, by the Solovay-Kitaev theorem, a finite set of angles (for instance a set that corresponds to Hadamard and π 8 -Phase gates) can be used to efficiently approximate any single qubit unitary operator. 5 For the rest of this paper we will restrict our attention to approximate universality and we use the fact that a large family of graph states are approximately universal if one restricts the set of angles to be in the set {0, ±π/4, ±π/2} [39]. We give two such examples below.
Definition 4. A brickwork state G n×m , where m ≡ 5 (mod 8), is an entangled state of n×m qubits constructed as follows: 1. Prepare all qubits in state |+ and assign to each qubit an index (i, j), i being a row (i ∈ [n]) and j being a column (j ∈ [m]).
2. For each row, apply the operator ctrl-Z on qubits (i, j) and 3. For each column j ≡ 3 (mod 8) and each odd row i, apply the operator ctrl-Z on qubits (i, j) and (i + 1, j) and also on qubits (i, j + 2) and (i + 1, j + 2).
We will refer to the underlying graph of a brickwork state as the brickwork graph and denote it with the same notation as G n×m , see Figure 1.  Theorem 5 (Universality [3]). The brickwork state G n×m is universal for quantum computation. Furthermore, we only require single-qubit measurements under the angles {0, ±π/4, ±π/2} to achieve approximate universality, and measurements can be done layer-by-layer.
Let us denote vertices of a brickwork graph G n×m by (i, j) (where 1 ≤ i ≤ n, 1 ≤ j ≤ m), then it is easy to verify that the unique flow function of G is defined by: That is to say, the flow of each vertex in the graph is from its immediate left neighbour in the same row. The corresponding partial order ≺ G is defined as the collection of sets L j of all vertices in the jth column of the brickwork graph Now suppose Alice has in mind a unitary operator U of size 2 n × 2 n and the n-qubit input state |I . Due to Theorem 5 there exist an integer m and angles {φ i,j } 1≤i≤n,1≤j≤m ∈ A such that the measurement pattern with angles {φ i,j } over the brickwork state G n×m , where the first n qubit are set to be in the state |I , approximates U |I . Therefore the last n qubits after the measurements of the first m − n qubits and application of the corresponding corrections induced by flow are in a state which can be made arbitrarily close to U |I . We can simply adapt the generic hiding protocol to implement this measurement pattern blindly.

Protocol 4 Brickwork State Universal Hiding Protocol with Quantum/Classical Input/Output
Replace G with G n×m and follow the steps of Protocols 1 or 2.
Theorem 6. Protocol 4 is blind while leaking at most m and n.
Proof. The proof is exactly the same as the proof of Theorem 2 and therefore the angles of measurement φ i remain secret from Bob. Moreover, the universality of the brickwork state guarantees that Bob's knowledge of G n×m does not reveal anything about the underlying computation except n and m.
Note that at every step of protocol, the state of Bob's system remains independent of Alice's input. During the execution of the protocol the true value of s i are unknown to Bob since they have been one-time padded using the random keys r i at each step. Due to the flow construction [34], each qubit (starting at the third column of the brickwork state) receives independent Pauli operators, which act as a full quantum one-time pad over Bob's state. In the case of quantum input they are all already one-time padded using secret keys x i and θ i , and since the first layer performs a hidden Z-rotation, it follows that the qubits in the second layer are also completely encrypted during the computation. Similarly, the classical input are one-time padded using only θ i keys. Finally for the classical output, random keys r i are enough to classically one-time pad the outcome measurements of the final Pauli X measurements over the last n qubits containing the classical outputs.
Note that in practice if Alice has the description of a unitary V such that V (⊗ i |+ ) = |I then trivially a hiding protocol that blindly computes U V over the input states ⊗ i |+ will prepare the desired output state of the form U |I . Therefore for such a scenario Alice can follow the step of the Protocol 1 with classical input without having to prepare the encoded state X x 1 Z(θ 1 ) ⊗ . . . ⊗ X xn Z(θ n ) |I herself. However, we have presented the full protocol for an arbitrary, possibly unknown, quantum input state, since the general scheme proved useful for dealing with input supplied by a third party [40].
Next we introduce another generic family called dotted-complete graph states which will be necessary for our new method of verification. The basic idea behind this new universal resource state is that it can be partitioned blindly into smaller universal resource states, one of which will be used for the computation, while the others will be used as traps for verification purposes (see later). To begin with, we need to introduce the graphs which we will use, and prove that they have some special properties.
Definition 5. We define the operator ∼ (G) on graph G to be the operator which transforms a graph G to a new graph denoted asG by replacing every edge in G with a new vertex connected to the two vertices originally joined by that edge. Let K N denote the complete graph of N vertices, we call the quantum state corresponding to the graphK N the dotted-complete graph state denoted withK N . We denote the set of vertices ofK N previously inherited from K N as P (K N ), and denote the vertices added by the ∼ () operation by A(K N ). The number of the vertices in theK N graph is then equal to N (N + 1)/2. The next definition and lemmas will be used in manipulation of dotted-complete graph states.
Definition 6. We define the bridge operator on a vertex v of degree 2 on graph G to be the operator which connects the two neighbours of v and then removes vertex v and any associated edges from G.
We define the break operator on a vertex v of graph G to be the operator which removes vertex v and any associated edges from G. Let G be a graph on m vertices. Then we say that G is n-universal, for n ≤ m, if and only if any graph of n vertices can be obtained from G through a sequence of bridges and breaks. Lemma 2. Given a partitioning of the vertices P (K N ) into n sets {P i } containing N i vertices respectively, by applying a sequence of break operations only, it is possible to transformK N into n disconnected graphsk i such that each one of them are of the formK N i and P (k i ) = P i .
Proof. As the vertices P (K N ) are associated with a corresponding vertex in K N , the vertices of K N can by partitioned into the sets {P i }. As K N is the complete graph the vertices within each partition P i form a clique. Thus by removing edges between the partitions the resulting graph is composed of n disconnected graphs {k i = K N i } such that the vertices in k i are the vertices in P i . As removing an edge before applying the ∼ () operator is equivalent to applying a break operation after the ∼ () operator there exists a corresponding sequence of break operations, such that the resulting graph is ∼ ( Lemma 3. Given a graphK N , by applying break operators to every vertex in P (K N ) or A(K N ) the resulting graph is composed of the vertices of A(K N ) or P (K N ) respectively and contains no edges.
Proof. As the ∼ () operation only introduces vertices connected to vertices in P (K N ), every vertex in A(K N ) shares edges only with vertices in P (K N ). Thus when the vertices in P (K N ) and their associated edges are removed by the break operators, the vertices in A(K N ) become disconnected. Similarly, since ∼ () removes all edges between vertices in P (K N ), hence every vertex in P (K N ) shares edges only with vertices in A(K N ). Thus when the vertices in A(K N ) and their associated edges are removed by the break operators, the vertices in P (K N ) become disconnected.
We now extend these results to graph states.
Lemma 4. Given two graph states |ψ G 1 and |ψ G 2 corresponding to graphs G 1 and G 2 respectively, if it is possible to obtain G 2 from G 1 through a sequence of bridge and break operations, then it is possible to obtain |ψ G 2 from |ψ G 1 through a sequence of Pauli measurements and local rotations about the Z axis through angles from the set {0, π 2 , π, 3π 2 }. Proof. By measuring any qubit in a graph state with Pauli Z operator, we obtain a state equivalent up to local Pauli Z corrections to the graph state obtained from the graph when that vertex and its associated edges are removed. To see this, we consider the operations this qubit undergoes: It is first prepared in a state |+ , then interacted with its neighbours via ctrl-Z gates, and then measured in the Z basis. As the measurement commutes with the entangling operation, this result is identical to the case where the ctrl-Z gates are applied to the measured eigenstate of Z. Thus when the complete sequence of events is taken into account, this operation is equivalent to the identity when the measurement outcome is 0, and equivalent to local Pauli Z operators applied to the neighbours of the measured site when the measurement outcome is 1. This is then the graph state equivalent of the break operation defined on the associated graph.
If a vertex is of degree 2, then measuring the associated qubit with the Pauli Y operator yields the graph state corresponding to the graph obtained by applying a bridge operation to that vertex, up to local Z-rotations through an angle ± π 2 . To see this, we again consider the sequence of operations the qubit undergoes: It is prepared in the state |+ , interacted with its neighbours and then measured in the Y basis. Immediately prior to measurement, the net operator applied is where the subscripts 1 and 2 denote the neighbours of the measured qubit. Thus if the measurement result is 0 then this is equivalent to directly applying the operator e i π 4 Z 1 ⊗Z 2 to the neighbouring qubits, whereas if the measurement result is 1 this is equivalent to applying the operator e −i π 4 Z 1 ⊗Z 2 to these qubits. Since the ctrl-Z gate can be written either as e i π 4 (I−Z⊗I−I⊗Z+Z⊗Z) or e −i π 4 (I−Z⊗I−I⊗Z+Z⊗Z) , the effect on the neighbouring qubits is equivalent to a ctrl-Z, up to local Z-rotations by π 2 (for a measurement result of 0) or − π 2 (for a measurement result of 1).
For a more detailed discussion of the effect of Pauli measurements in the measurement based model, the reader is referred to [41].
Theorem 7 (Universality). The dotted-complete graph stateK N is universal for quantum computation. Furthermore, we only require single-qubit measurements under the angles {0, ±π/4, ±π/2} and in the Pauli Z basis to achieve approximate universality, and measurements can be done layerby-layer.
Proof. Due to lemmas 1 and 4, by choosing N big enough, we could construct the brickwork state G n×m fromK N using only Pauli measurements. Hence from Theorem 5 we obtain the universality of dotted-complete graph states and approximate universality with only single qubits measurements under the angles {0, ±π/4, ±π/2} (which includes the Pauli Y measurements required to implement bridge operations), and the Pauli Z basis measurements required to implement break operations.
From this result we can construct a new universal hiding protocol based on dotted-complete graph states, as given in Protocol 5. Interestingly, in the case of classical input and output this new protocol does not even reveal the circuit dimensions, but instead a single integer which is an upper bound on the number of qubits required to implement the computation in the measurement-based model.

Protocol 5 Dotted-Complete Graph State Universal Hiding Protocol with Quantum Input/Output
• Alice's resources -Parameter N such that the desired computation could be obtained from the stateK N after a sequence of break and bridge operators (Theorem 7). The labelling of vertices are in such a way that the first n qubits are input and the last n qubits are output.
-The dummy qubits position, set D, is set to be the position of all the qubits that are required to be Pauli Z measured for performing the break operators.
-A sequence of non-output measurement angles, for all i ∈ D and also for all the qubits that are required to be Pauli Y measured to perform the bridge operators.
-The rest of the resources are the same as Protocol 3.
Follow the steps of Protocol 3 where G is replaced withK N .
Theorem 8. Protocol 5 is blind, while leaking at most n and N .
Proof. As Bob entangles according toK N , clearly the parameter N is leaked. Additionally, in the case of quantum output, Bob must be instructed how many qubits to return to Alice, and hence knows n. However, fixing these parameters, due to Theorem 2 all the measurement angles including the measurements for the bridge operators are blind to Bob. Similarly, from Theorem 4 we have blindness for the measurement corresponding to the break operators. Together these guarantee the blindness of the operations required to prepare a brickwork state fromK N . Finally Theorem 6 proved the blindness of the remaining measurements performed on the prepared brickwork state.

Verification
This section deals with another property of the hiding protocol called verification. This property requires that Alice can verify with high probability whether Bob has followed the instructions of the protocol and hence if the quantum or classical output state is indeed in the correct form, or whether there has been a deviation and she should therefore reject the output state. The main idea is to exploit blindness so that Alice can expand the protocol to include trap qubits where Alice knows in advance the classical outcome of these specific measurements (i.e. the correct message from Bob for these measurements), where the blindness ensures that the position of these traps remains hidden to Bob. At the end Alice will accept the quantum or classical output only if Bob has produced all of the expected outcomes for these trap qubits measurements. The subtlety in verification is to prove that the accepted quantum or classical output is indeed correct. It is essential that Alice keeps the position of these trap qubits unknown to Bob, so that he cannot attempt to interfere with the actual computation of U while keeping the trap qubits untouched. We will present a protocol where every qubit of the underlying graph could potentially be an isolated (unentangled) trap qubit in an unknown state |+ θ for θ ∈ A. In order to do so, it is enough to prepare all the neighbouring vertices of the trap qubit as a dummy qubits, hence these dummy qubits together with the trap qubits remain disentangled from the rest of the graph during the preparation stage. Building on this simple construction, by adding more traps and adding error detection elements, we will present a final protocol in which the probability of not detecting an incorrect outcome is exponentially small.
In order to first demonstrate the main idea of this method of verification, we ignore the universality property and only later will we present a concrete universal blind quantum computing protocol with the verification property. Hence to obtain a generic hiding protocol with a random unknown trap it is sufficient to use Protocol 3, where Alice chooses a random position t to be an isolated trap qubit (Protocol 6). • Follow the steps of Protocol 3.
• Accept/Reject -After obtaining all the output qubits from Bob, if the trap qubit, t, is an output qubit, Alice measures it with angle δ t = θ t + r t π to obtain b t .
-Alice accepts if b t = r t .
Theorem 4 directly implies that Protocol 6 is blind and the position of the trap qubits t remains unknown to Bob. Recall that at each stage i only qubit i is measured. We present some intermediate definitions before formalising the definition of verification. All the protocols presented so far describe the expected behaviour of Alice and Bob in a hiding protocol. Since we are concerned with the secrecy of Alice's resources we can assume that Alice always follows the steps of the protocol. In fact after the initial step when Alice draws all the random variables θ i and r i her behaviour, for a fixed run of the protocol, is deterministic. This means that at each step the next move of Alice is determined completely by the past, however a malicious Bob might deviate in any way he desires. We will define a run of protocol to be honest (Bob has behaved as expected) or correct (the output is correct despite Bob's deviations) based on the outcome of all measurements and the quantum output state if it exists.
Recall that in a generic hiding protocol with quantum input and output the messages sent by Bob to Alice depend on a collection of outcome measurements, s i ∈ {0, 1}. In fact Bob will send the outcome value b i and then Alice, depending on r i , will reset them to their corrected values s i . In what follows we will deal with the corrected outcome measurement that is s i . Similarly at the end of the protocol Bob will send Alice some quantum output state in the output Hilbert space H O that needs to be corrected depending on all the measurements outcomes. In what follows we consider the corrected quantum output state ρ. Note that the values of s i and ρ depends on Alice's specific random choices and also Bob's general strategy of deviation. We treat this information as a single density operator to deal uniformly with both classical and quantum output. Finally in order to consider the most general deviation that Bob can perform during a run of protocol we consider a collection of unitary operators acting each at a stage of the protocol on the private qubits of Bob and all the other qubits and classical bits sent by Alice to Bob. Definition 7. Consider a particular run of a generic hiding protocol, where all the following parameters are fixed: Alice's angles of measurements φ = (φ i ) 1≤i≤(m−n) ; Alice's random variables x = (x i ) 1≤i≤n , r = (r i ) 1≤i≤(m−n) , θ = (θ i ) 1≤i≤m and d = (d i ) i∈D ; Alice's input state |I ; The number of Bob's private qubits B; Bob's deviation unitaries at each stage of the protocol U = {U i } 0≤i≤m+1 acting on all quantum and classical messages. We denote the outcome density operator (of all classical and quantum messages sent by Bob to Alice) as follows: where ν collectively denotes Alice's choice of variables t, x, r, θ, d; j ranges over Bob's choices: B and U; s ranges over all possible values of the corrected values {s i } of the measurement outcomes {b i } sent by Bob to Alice; and ρ s ν,j is the reduced density operator for the non-measured qubits with the corresponding correction operators for the measurement outcomes s has been applied. We call the outcome density operator B 0 (ν), obtained from a run of the protocol where all U i are set to be the identity operator, the exact outcome density operator. That is the outcome density operator obtained from a run where Bob exactly follows the step of the protocol.
Note that if we were dealing only with deterministic pattern over a connected graph state then the outcome density operator could have been simplified to a fixed pure state of the output qubits, independent of the measurement outcomes. Moreover in such a scenario the probability of each branch of the computation would have been the same. However the above definition aims to capture any general deviation by Bob, that could effect the determinism and probability of the branches. Also since we will have dummy and trap qubits then not all the possible branches will be equally probable. The outcome density operator, depending on all the random choices of Alice and Bob, can be classified as follows below. Although not all mentioned categories will be used in the remainder of the paper, we give them here for completeness and to highlight the subtle differences between possible outcomes. Definition 8. We say the outcome density operator B j (ν) is honest if it is indistinguishable from the exact outcome density operator: where · tr denotes the trace norm. It is called correct if the quantum output state and the trap outcome measurement is indistinguishable from the corresponding value of the exact outcome density operator: It is called lucky if b t = r t and finally it is called incorrect if it is lucky but the quantum output state, T r i ∈{O\{t}} (B j (ν)), is orthogonal to the corresponding subsystem of the exact outcome density operator. Note that for the classical output scenario, any bit-flip implies orthogonality.
Alice should not care if Bob's deviation leads to a correct outcome density operator, as the final quantum or classical output is in the correct state. Therefore, in the definition of a verifiable blind quantum computation we aim to bound the probability of Alice being fooled, i.e the probability of Alice accepting an incorrect outcome density operator. Any outcome density operator either results in s t = r t or is contained within the subspace of correct and incorrect outcome states, which could be then probabilistically projected onto a correct or an incorrect state. Hence intuitively, a protocol is defined to be verifiable if the corresponding outcome state is far from any incorrect outcome states. Following the approach of [42], we first define the notion of correctness. Recall that for simplicity we have assumed that the computation is deterministic and the input is in a pure state, and hence the ideal output will necessarily be a pure state. This restriction to pure states mirrors the approach of [42].
Definition 9. Let P ν incorrect be the projection onto the subspace of all the possible incorrect outcome density operator for the fixed choice of Alice's random variables ν. It will be convenient to divide ν into two subsets depending on whether the secret variables correspond to the trap setting or the remainder of the computation. Thus we define ν T = {t, r t , θ t } and ν C = ν/ν T . When the output state is a pure state, P ν incorrect is given by where |Ψ ideal Ψ ideal | = T r i ∈{O\{t}} (B 0 (ν)), and where |η ν T t = |+ θt when t ∈ O and |η ν T t = |r t otherwise. Let p(ν) be the probability of Alice choosing random variables parameterized by ν, that is the probability of choosing a particular vertex, among all possible vertices of the graph, to be the trap position (denoted as a random variable t) and the probability of choosing random variables r, x, θ and d (as defined in Definition 7). Given 0 ≤ < 1, we define a protocol to be -verifiable, if for any choice of Bob's strategy (defined as in Definition 7 and denoted by index j) the probability of Alice accepting an incorrect outcome density operator is bounded by : Recall that B 0 (ν) is the output density operator of an honest run after the corrections have been performed. Hence, in the above definition |Ψ ideal is independent of ν, since for an honest run of the protocol, the output state is independent of Alice's secret parameters, via the correctness theorem.
Theorem 9. Protocol 6 is (1 − 1 2m )-verifiable in general, and in the special case of purely classical output the protocol is also (1 − 1 m )-verifiable, where m is the total number of qubits in the protocol.
Proof. At the beginning of the protocol, Alice chooses the independent and uniform random variables for ν. Next Alice prepares the input qubits in the following form: and positions them among the first n qubits. Recall that n > |I| and hence the trap qubit might be among this set of qubits. She then prepares the remaining qubits in the following form (where D is the index of the dummy qubits) and sends all m qubits in the order of the labelling of the vertices of the graph, we represent the whole m qubit state as |M ν . We can treat all the measurement angles δ i as orthogonal quantum states |δ i . For a fixed choice of Alice's random variables (ν) and Bob's strategy (j), Bob's output from the computation can be written in the form of the output of a circuit computation as depicted Figure 3: A run of protocol together with Bob's deviation represented as U i operators. The entangling operator, E G , is the collection of all the required ctrl-Z operators corresponding to the graph edges. Note that in Definition 7 we also considered an operator U 0 representing Bob's initial deviation. In the figure, for simplicity, we have commuted U 0 and combined it with U 1 . Trivially, if all the U i operators are set to be identity the above circuit converges to the exact run of the protocol, where a measurement in the basis |± δ i is implemented using the controlled Z-rotation followed by a Hadamard gate and finally a Pauli Z basis (computation basis) measurement on the corresponding qubits.
in Figure 3. Note this is the state of the system before the relevant corrections for Alice's secret key have been applied to yield the outcome density operator B j (ν). While in the actual protocol, at step i, Alice computes δ i as a function of s <i which in turn is calculated from b <i and r <i , we can rewrite the circuit from Figure 3 in such a way that the values δ i are part of the initial state, without affecting causality as they do not interact with anything until after the corresponding b i has been generated. This will allow us to reorder all the operators U i to the end to obtain the new circuit shown in Figure 4. Note that Figure 4 is not an actual run of the protocol, it is a mathematical equivalent of Figure 3 where the values of b i have been fixed to permit us to commute the operators as depicted. However in the following proof we have considered any general deviation performed by Bob, that is to say we consider any arbitrary U i operators.
In the rest of this proof we will use t to represent both the random variable and also the position of the trap qubit. We denote by Ω = U m−n U m−n−1 ...U 1 the overall action of Bob's deviation and by P = 1≤i≤m−n H i Z i (δ i ) E G the action of the exact protocol prior to measurement. Here, and in Figure 4, we have taken the joint state of the initial (input, dummy and prepared) qubits sent by Alice to Bob and the Figure 4: The fact that any U j in Figure 3 is independent of all δ i<j , allows us to reposition the deviation to the end of the circuit as shown above. Hence we can rewrite Bob's deviation as classical angles δ b i , where b represents a possible branch of the computation as parameterized by the measurement results {b i } sent by Bob to Alice. Finally, in line with Definition 9, we define C ν C ,b to be the Pauli operator which maps the final quantum output state to the correct one depending on the random variable ν C and computation branch b. Hence we have where (c r ) i = r i for all i = t and (c r ) t = 0, and the subscript B denotes that the partial trace is taken over Bob's private register. Here c r is used to compactly deal with the fact that in the protocol all measured qubits are decrypted by XORing them with r, except for the trap qubit which remains uncorrected. Note that in the above the operator b| · · · |b acts upon the subspace of all measured qubits and |b + c r · · · b + c r | store the corrected outcome of the measurement. We take P ⊥ to be the projection onto the subspace of incorrect states for the non-trap qubits, after Alice's final corrections have been applied to any quantum output. Hence Here we use the subscript on the ket to identify the relevant qubit. Thus we have As Bob's private register is traced out, the net result of Ω is to apply a completely positive trace preserving map of the other qubits. Taking the Kraus operators associated with this operator to be {χ k }, with k χ k χ † k = I, we have Since any Kraus operator can be written as a linear combination of Pauli operators with complex coefficients, we have χ k = i α ki σ i , where k i α ki α * ki = 1 and σ i is a Pauli operator acting on the joint quantum state of the system. Therefore the above equation can be written as In order to determine which σ i terms have a non-zero contribution in the above sum after the projection operator is taken into account, it will be necessary to look at the structure of each such Pauli operator. To this end, we will denote by σ i|γ the action of σ i on qubit γ, and hence σ i|γ ∈ {I, X, Y, Z}. For simplicity we assume each δ i is encoded across 3 qubits (since there are only 8 possible angles). Thus, we have 1 ≤ γ ≤ (m + 3(m − n)), where 1 ≤ γ ≤ m identifies qubits received from Alice and the remaining γ values identify the qubits containing δ i . Without loss of generality, we can assume that the qubits representing the values of δ remain unchanged by Bob's deviation, and hence we can take σ i|γ ∈ {I, Z} for all m < γ.
The probability of Alice accepting an incorrect outcome density operator is given by ) . This can be calculated via the expression for Tr(P ν incorrect B j (ν)) obtained earlier In order to obtain an upper bound for the above expression we make use of sets of indices γ of qubits such that the action of σ i at that position, σ i|γ , is a particular Pauli operator, which we denote as follows: Note that in the above we restrict attention to the set of qubits originally sent from Alice to Bob (which is why 1 ≤ γ ≤ m), and disregard the action on Bob's private qubits. Additionally, we will make use of a superscript O to denote subsets of the above sets subject to the constraint that γ is an output qubit (m − n < γ). Thus, for example, D O i = {γ s.t. σ i|γ = Z and m − n + 1 ≤ γ ≤ m}. We note that only σ i and σ j operators for which Tr(P ⊥ σ i P Ψ ν,b Ψ ν,b P † σ j ) = 0 contribute to p incorrect . With the above definitions in place, we can express succinctly a necessary condition for this to hold as . That is to say, one or both of the following has happened: σ i (σ j ) has produced an incorrect outcome for one or more of the measurement results and hence

acts non-trivially on the quantum output and hence
. By taking the trace over the subspace of the measurement results except for the trap qubit we obtain where we take |b t to have have unit dimension if t ∈ O. Taking b = {b i } i =t , the above equation can be written as where the inequality follows from the fact that the projector, P ⊥ , acts on a positive semi-definite matrix, and the last equality follows from the fact that both remaining projectors act as the identity on qubits in O.
Next, we attempt to show that a necessary requirement for a term in the above summation over i and j to be non-zero is that i = j. Let the output state for an honest run of the protocol to be denoted by |ψ I . As per the proof of blindness, summing over ν C yields the maximally mixed state of the system received from Alice. Hence we have This can be further simplified, since for the general case. However, for the specific case of only classical output, this bound can be made tighter by performing the simplification in a different way, since

Probability Amplification for Universal Verifiable Blind QC
In the previous section we presented a very simple verifiable protocol where the probability of Bob succeeding in making Alice accept an incorrect outcome density operator was strictly less than 1.
Building upon that simple construction, by adding more traps and making the computation fault tolerant, we can make the probability of Alice accepting an incorrect outcome density operator as small as required. The central idea is to design a protocol with O(N ) many traps in essentially random locations, where N is the number of qubits in the protocol, to increase the probability of any local error being detected. The fault-tolerance is added to increase the minimum weight of any operator which leads to an incorrect outcome, and hence further increase the probability of detection. Here, and in what follows, the weight of a Pauli operator is defined to be the number of qubits upon which it acts non-trivially. First, given such a protocol we show how it amplifies the verification parameter. We then present the central contribution of this paper, a new universal verifiable blind quantum computing protocol that achieves the probability amplification without any such assumptions.
Theorem 10. Let P be a blind quantum computing protocol on N qubits with N T isolated traps in the states |+ θt at a set of positions T chosen uniformly at random. Assume N T /N is a constant fraction c. Moreover assume that the computation is encoded in such a way that any Pauli error with weight less than d will be corrected or an error will be detected. Then the protocol is (1 − c 2 ) dverifiable in general, and (1 − c) d -verifiable in the case of purely classical output.
Proof. In order to exploit Theorem 9, we notionally partition the qubits into independent sets with one single trap qubit in each set. These partitions amount to extra information about the location of the trap qubits, and hence their inclusion can only serve to increase the probability of Bob convincing Alice to accept an incorrect state. Thus the bound we obtain with this additional information is still an upper bound on the probability of Alice accepting an incorrect output when these partitions are unknown. There are N T many such sets S γ with 1/c many qubits in each set. We adopt a similar proof strategy to that used to prove Theorem 9, taking as the projection onto the subspace of incorrect outcomes. Similar to the proof of Theorem 9, only those Pauli operators contribute to p incorrect where one or both of the following has happened: σ i has produced an incorrect outcome some of the measurement results b i or σ i acts non-trivially on the quantum output. Now due to the error-detection property of the encoding assumed in the statement of the theorem we need to consider only those σ i where |B i | + |C i | + |D O i | ≥ d. Following the steps of the proof of Theorem 9 we obtain Here we can exploit the structure we have introduced through the sets S γ where t γ is taken to be the location of the trap qubit in set S γ . Rearranging the above and substi-tuting in the values of p(t γ ), p(θ tγ ), and p(r tγ ) we obtain Note that within each set the position of the trap is chosen uniformly at random and so the probability of detection by that trap corresponds to the bound obtained for Theorem 9. Going through the steps of the proof of Theorem 9 we obtain where we use the additional γ subscript on sets |A iγ |, ..., |D iγ | to indicate subsets of the respective sets, subject to the restriction that the elements are also in S γ . For convenience we define We now make use of the fact that, for any positive a, 1 − ac 2 ≤ (1 − (a − 1) c 2 )(1 − c 2 ). As w iγ is a non-negative integer, we can recursively apply this identity to obtain In the case of purely classical output this bound can be improved, since Going through the same steps with this additional constraint gives We can now present the final contribution of this paper, a new scheme for blind quantum computing which has all the previously described properties: correctness, universality, blindness of angles, input, output and computation and more importantly verifiability with exponentially small probability of error. Roughly speaking, universality and correctness will be obtained by using dotted-complete graph states (similar to Protocol 5). In order to achieve verification we exploit the idea of dummy qubits (similar to Protocol 3) to create, blindly, out of a dotted-complete graph statẽ K 3N three disconnected smaller dotted-complete graph statesK N . Then we use two of these graph states to create O(N ) isolated trap qubits at random positions (similar to Protocol 6). The final step is to perform the actual computation over the remaining dotted-complete graph state in such a way that the stated property in Theorem 10 is also satisfied. That is, to have the measurement pattern encoded in such a way that any Pauli error with weight less than d, will be either corrected or detected. Such an encoding exists through the fault tolerant one-way quantum computing scheme of [32]. All that is needed is to create a three dimensional cluster state from the dotted-complete graph state and proceed with the fault tolerant computation scheme of Raussendorf, Harrington and Goyal [43,32] We first give a concrete protocol for choosing the required parameters for the Raussendorf, Harrington and Goyal scheme, given the desired security threshold for the verification, see Protocol 7. This will fix the size of the dotted-graph state, N , required for the actual computation. However as stated above, we will start with a dotted-complete graph state of size 3N and will break it into three smaller dotted-complete graph states of size N each, see Figure 5. We will refer to these graphs as the white trap graph, the black trap graph and the computation graph. In the white trap graph all the vertices in P (K N ) will become isolated traps (called white traps) by choosing all the vertices in A(K N ) to be dummy qubits. Similarly in the black trap graph all the vertices in A(K N ) will become isolated traps (called black traps) by choosing all the vertices in P (K N ) to be dummy qubits. We have to choose both type of vertices (A(K 3N ) and P (K 3N )) to be potentially isolated traps otherwise Bob could choose to cheat on one type rather than the other one. In order to make the position of traps random, Alice will choose a random partition of P (K 3N ) into three equal size sets, and will choose appropriate dummy qubits (similar to Lemma 2) to obtain the three disconnected graphs. Note that this will lead to random positions for trap qubits, however the positions of trap qubits will be also correlated with each other and we will take care of this issue when we present the proof of the verification. The above procedure is formalised in Protocol 7 and finally Protocol 8 presents a hiding protocol that is universal, verifiable and blind.
As a high level overview of the fault-tolerance scheme, qubits are encoded topologically as chains of defects (qubits to be measured in the Z basis) of finite thickness and separation (referred to as the scale parameter) which trace out a path through the three dimensional structure of the resource state. The encoding forces non-detectable errors to be topologically non-trivial chains, either connecting or encircling defect chains. Certain Clifford group operations are implemented directly by braiding these defect chains. For the remaining operations required for universality it is necessary to implement the gate by first distilling a suitable resource state which is then used to implement the gate via teleportation (all within the topologically encoded computation). While the teleportation can be done with Clifford group operations, the distillation is implemented on a concatenated encoding where at each level of concatenation the corresponding distillation step 6 In its original form, this scheme requires Z-basis measurements to be made adaptively, which is not easily implementable using dummy qubits. However, the location of the dummy qubits can be fixed by always including a correction step for each gate teleportation in the logical circuit, where the angle of the correction is adapted based on the outcome of the teleportation. An alternative option is to use a slightly modified version of the scheme due to Morimae and Fujii [8], which requires only measurements in the X-Y plane. Although we assume the first scenario here, an almost identical proof applies to the second scenario.
is topologically encoded with progressively higher defect thicknesses and scale parameters. At the lowest level, however, the operations are performed directly on physical qubits, and so the defect chains are only a single qubit in diameter.

6.
7. Figure 5: A graphical depiction of Protocol 8. In this figure we replace the Raussendorf-Harrington-Goyal encoding in the first step with a simpler computation, as to include a full encoding yields graphs too large to reasonably draw.
Theorem 11. Assume Alice and Bob follow the steps of Protocol 8, then Alice always accepts the output and the outcome density operator is correct.
Proof. First we note that it is always possible to choose measurement patterns M P by Lemma 2 and M Reduce by Lemma 1. Further, by the universality of the Raussendorf-Harrington-Goyal encoding, it is always possible to choose M Comp . As the measurements composing M P , M Reduce , M P and M A are composed entirely of Pauli basis measurements, there is no partial time ordering imposed on the sequence of measurements, and so the times at which these measurements are made have no effect on the outcome of the protocol. Thus for any honest run of the protocol, the result will be the same as if the measurements from M P were made first. By construction this measurement pattern splits the graph state into three separate graph statesK N .
The dummy qubits in M P and M A correspond to break operations in their respective graphs by Lemma 4 and hence after the initial step all the trap qubits remain unentangled from the rest.

Protocol 7 Measurement Pattern Choice
In what follows choosing a measurement pattern means fixing the underlying graph state together with the appropriate angles of computation such that the resulting pattern implements the desired computation due to universality. Similarly choosing a partial measurement pattern means fixing the underlying graph state together with a partial set of angles of computation corresponding to a partial computation, where the rest of angles will be fixed in Protocol 8 where this protocol is called as a subroutine. Here, we assume that a standard labelling of the vertices of each dotted-complete graph state is known to both Alice and Bob.
1. Alice chooses security parameter d, then transforms the quantum circuit C corresponding to her desired computation into (or directly designs) a measurement pattern M Comp on a graph state G L which implements her computation using the encoding for topological fault-tolerant measurement-based quantum computation due to Raussendorf, Harrington and Goyal [32], where G L is taken to correspond to the graph state of the 3D lattice L introduced in [32] with sufficient dimensions D x , D y and D z to implement her computation using an encoding with parameters as follows: • Defect thickness d • Lattice scale parameter λ = 5d • Distillation of resource states |A and |Y using L = log 3 (d) levels • For each concatenation level 1 < < L the thickness parameter and scale parameter for that level are chosen as d = 3d −1 and λ = λ −1 , with d 1 = 1, λ 1 = 5, d L = d and λ L = λ.
2. Alice chooses a partial measurement pattern M Reduce which reduces the graph stateK N to the graph state G L through Pauli measurements (Theorem 7), where N is the total number of qubits in L.
3. Alice chooses a partial measurement pattern M P on the graph stateK N such that every qubit corresponding to a vertex in A(K N ) are set to be dummy qubits. Hence all vertices in P (K N ) are isolated traps.
4. Alice chooses a partial measurement pattern M A on the graph stateK N such that every qubit corresponding to a vertex in P (K N ) is set to be dummy qubits. Hence all vertices in A(K N ) are isolated traps.
5. For the graphK 3N , Alice chooses uniformly at random a partitioning P of the vertices into three equal sized sets of vertices P 1 , P 2 and P 3 .
6. Alice takes M P to be the partial measurement pattern where the required vertices in A(K 3N ) are set to be dummy qubits such that the resulting state is the tensor product of three graph states of the three disconnected graphsk 1 =K N ,k 2 =K N andk 3 =K N , such that P (k i ) = P i .
7. Alice calculates M, her overall measurement pattern on a graph state corresponding toK 3N by combining the partial pattern M P with M Comp and M Reduce applied to subgraphk 1 and M P and M A applied to subgraphsk 2 andk 3 respectively, to obtain a full measurement pattern.

Protocol 8 Verifiable Universal Blind Quantum Computation
• Alice's resources -Alice chooses the pattern M and random partitioning P according to Protocol 7.
-The dummy qubits position, set D chosen according to Protocol 7.
-A sequence of measurement angles, φ = (φ i ) 1≤i≤3N (3N +1)/2 with φ i ∈ A, according to the description of Protocol 7, where φ i = 0 for all the trap and dummy qubits. The ordering of the measurements on P (K 3N ) is chosen uniformly at random subject to the constraint that the partial ordering of measurements from M Comp determined by flow is preserved. Such a random ordering is required to hide the position of the trap qubits. The qubits in A(K 3N ) are measured first in the order that the relevant edge entry appears in the adjacency matrix of K 3N once this random ordering has been taken into account. That is, the site in A(K 3N ) which is joined by edges to i and j in P (K 3N ), with i < j in the random ordering imposed on P (K 3N ), is measured in position 3N (i − 1) + j − i(i+1) 2 . Note that the measurement order of the vertices in A should be independent of the computation (and traps), so in the above we prescribe one such suitable sequence. This is followed by the measurements of P (K 3N ) in the randomly chosen order. -3N (3N + 1)/2 random variables θ i with value taken uniformly at random from A. -3N (3N + 1)/2 random variables r i and |D| random variable d i with values taken uniformly at random from {0, 1}. -A fixed function C(i, φ i , θ i , r i , s) that for each non output qubit i computes the angle of the measurement of qubit i to be sent to Bob.

• Initial
Step -Alice's move: Alice sets all the value in s to be 0 and prepares the qubits in the following form ∀i ∈ D |d i ∀i ∈ D j∈N G (i)∩D Z d j |+ θ i and sends Bob all the 3N (3N + 1)/2 qubits in the order of the labelling of the vertices of the graph.

• Verification
Alice accepts if s i = r i for all the white and black trap qubits i.
Recall that for these trap qubits φ i = 0, and since the qubit is prepared in the state |+ θ i and measured in basis {|+ θ i , |− θ i }, the measurement result communicated to Alice is s i = r i for all such qubits. Thus, Alice always accepts, satisfying the first criterion. By definition M Reduce transforms the graph state corresponding toK N to the resource state necessary to implement M Comp . Lastly, measuring according to M Comp yields the correct output of C by the correctness of the Raussendorf-Harrington-Goyal protocol.
Theorem 12. Protocol 8 is blind while leaking at most N .
Proof. The proof is directly obtained from Theorem 5.
In order to prove the verification property, as stated in Theorem 10, we require that the measurement pattern is encoded in such a way that any Pauli error of weight less than d will be either corrected or detected. We now show that this is true for the Raussendorf-Harrington-Goyal scheme although this is already implicit in their paper [32], we make it explicit here for completeness. In what follows, we take L to be the 3D lattice corresponding to the resource state used in [32]. Proof. In the Raussendorf-Harrington-Goyal scheme, logical qubits are topologically protected against errors. The two lowest weight topological errors are error cycles around defects and error chains running between defects. As defects have thickness d, any cross-section forms a rectangle of dimension at least d × d and thus perimeter at least 4(d + 1). As an error cycle must fit around the remaining defect, the minimum error cycle is at least 4d. As the centres of defects are separated by distance λ, the minimum distance between defects is λ − d and hence for our parameters we have λ − d = 4d.
The only region where this topological protection breaks down is within the regions used to distill the resource states |A and |Y . This distillation is performed using a concatenation of L levels of the Reed-Muller (|A ) or Steane (|Y ) codes. Each level of distillation is topologically protected with parameters d and λ . As the Reed-Muller and Steane codes are both distance 3, an error at level can be caused either by a topological error at that level or not less than 3 errors at the previous level. However, since at each level < L we have λ − d = 4d and d = 3d −1 , the minimum weight w to create an error at level is min(4d , 8d −1 , 4d −1 + w −1 , 3w −1 ). The four terms in this last expression account, respectively, for the minimum weight errors in each of the four possible cases: 1) The error is entirely topological at level , 2) The error is entirely topological at level − 1, 3) the error includes both topological errors at level − 1 (which in the worst case affects two qubits with a single weight 4d error chain) and inherited errors from level − 2, and 4) the case where all errors are inherited from level − 2.
We then prove that w > 2d by induction, as follows. Assume that at level i we have w i > 2d i . In that case we have w i+1 = min(4d i+1 , 6d i ), since by assumption 4d i + w i > 6d i and 3w i > 6d i , and clearly 8d i > 6d i . However, we have d i+1 = 3d i for all levels except the top level, where d L ≤ 3d L−1 . Thus, in general, 2d i+1 ≤ 6d i , and hence w i+1 > 2d i+1 . At the lowest level the error distillation uses unencoded qubits measured in non-Pauli bases, and so w 0 = 1, so w 1 = 3 > 2d 1 = 2 and thus by induction on i we obtain the result that w L > 2d as required.
Note, however, that any operation on a measured qubit which is diagonal in the computational basis (σ i ∈ {I, Z}) does not alter the computation. Hence an undetectable logical error is not created unless the total number of measured sites for which σ i ∈ {X, Y } plus the total number of output qubits for which σ i ∈ {X, Y, Z} is equal to or greater than 2d. Thus the outcome is either correct or when decoded results in a detected error, unless |B L | + |C L | + |D O L | ≥ 2d.
Now we link the above general property of the Raussendorf-Harrington-Goyal scheme to our specific protocol. To do so, we first introduce the notion of independently detectable errors.
Definition 10. Given a dotted-complete graph stateK N , a set of output qubits O, a measurement pattern M target containing only X-Y plane measurements and Z basis measurements, and a set of single qubit Pauli operators σ = {σ i } N i=1 with σ i ∈ {I, X, Y, Z} which represent errors which modify each measurement result or unmeasured output qubit i by the application of σ i , for each location i we define the set i = {i} for i ∈ P (K N ), and i = NK N (i) for i ∈ A(K N ). We say that σ contains k independently detectable errors if and only if there exists a set E of k locations such that The intuition behind this definition is that in Protocol 8 the qubits in P (K 3N ) are independently randomly distributed between the two trap graphs and the computation graph, and whether or not a qubit in A(K 3N ) coincides with a trap or not depends only on the placement of the neighbouring qubits (which are both in P (K 3N )). The first condition ensures that the error anticommutes with some possible measurement of the system, and is hence truly an error, while the second condition ensures that we are considering only qubits associated with unique subsets of P (K 3N ), and hence whether or not they coincide with a trap is uncorrelated. With this definition in place, we can proceed with proving a corollary to Lemma 5 which links that result with Protocol 8. Further, let M Reduce be a partial measurement pattern consisting of Pauli Z and Pauli Y measurements on qubits corresponding to the vertices in A(K N ) which reducesK N to G L up to local Z-rotations. Let M be the measurement pattern for graph stateK N produced by applying the partial pattern M Reduce to the qubits corresponding to vertices in A(K N ) and M C (with appropriate local Z-rotations applied) to the qubits corresponding to vertices in P (K N ). Take σ = {σ i } to be a set of single qubit Pauli operators, such that each σ i ∈ {I, X, Y, Z} acts on qubit i. Then for any σ, if M C is implemented on stateK N , but the output of each measurement result or unmeasured qubit is modified by applying σ i , then either the computation is correct (corresponding to a run where all σ i = I) or an error is detected when the output is decoded, unless σ contains at least 2d 5 independently detectable errors.
Proof. First we note that only qubits in P (K 3N ) are contained in O, since all qubits in A(K 3N ) will be measured to make the required resource states. All measurements on qubits associated with vertices A(K N ) are in either the Y or Z basis, allowing any error in the measurement outcome to be associated with an X error on the underlying qubit. As the generators for the stabiliser ofK N are simply the operators X i j∈NK N (i) Z j , and each vertex in A(K N ) has only two neighbours, both of which lie in P (K N ), an X error on a qubit associated with a vertex in A(K N ) is equivalent to a local error on each of two qubits in P (K N ). Thus any local Pauli operator in σ i associated with a vertex in A(K N ) can be either replaced by at most two local operators acting on qubits associated with vertices in P (K N ) without altering the outcome of the computation, or has no effect on the computation. Note that since Pauli Z operators always commute with Z basis measurements, and anticommute with any measurement in the X − Y plane, these local operators are always Pauli operators due to the corresponding restriction on M target .
The only Pauli terms which can affect the outcome of the computation are those which either flip a measurement outcome (X or Y ) or those which act non-trivially upon an unmeasured qubit (as either X, Y or Z). By Lemma 5, the outcome of the computation is unaltered unless σ produces such errors on at least 2d sites. To show that this implies the existence of at least 2d 5 independently detectable errors we will consider the effects of errors on A(K N ) and P (K N ) in relation to the resource state for the Raussendorf-Harrington-Goyal scheme, G L . Errors on A(K N ) only occur when the qubit in question is measured in the Y basis, since for Z basis measurements dummy qubits are used and the outcome of Bob's measurement is ignored. Thus, as we have shown above, such errors correspond to local Pauli errors at either end of an edge in the G L . Errors in P (K N ), however, correspond simply to errors on single vertices in G L . Therefore, we can consider any error introduced by σ as corresponding to a subgraph g σ of G L , where i ∈ A(K N ) introduces the vertices in NK N (i) together with a connecting edge, while i ∈ P (K N ) simply introduces the vertex i. Such a subgraph contains all of the qubits in G L which can possibly be affected by local errors after the measurement of qubits according to M Reduce are taken into account (propagating errors from A(K N ) to P (K N )).
We note that any connected subgraph g γ σ of g σ containing n γ vertices necessarily contains at least n γ − 1 edges. Note also that G L is 4-edge-colourable (see Figure 6). Thus, by the pigeonhole principle, there is at least one colour for that subgraph which corresponds to at least nγ − 1 4 edges. As the various subgraphs g γ σ are disconnected, we are free to choose the colouring independently for each, and hence can choose a single 4-edge-colouring for g σ such that it includes at least nγ −1 4 edges from each subgraph. We then take the set E to correspond to qubits in A(K N ) corresponding to edges of this colour, as well as to the single vertex in any g γ σ for which n γ = 1, hence i ∩ j = 0. By Lemma 5, this insures that the outcome of the computation is either correct or an error is detected upon decoding, or σ contains at least γ:nγ ≥2 nγ −1 4 + γ:nγ =1 1 independently detectable errors, where γ n γ ≥ 2d. Note that γ:nγ ≥2 and hence the computation is either correct or an error is detected upon decoding, or σ contains at least 2d 5 independently detectable errors.
The above corollary guarantees that one of the condition of Theorem 10 for the verification with the amplified security is satisfied. However we cannot yet directly use that theorem since, as stated before, the position of the traps are not completely random as the position of the black traps are fixed once we choose the random position assignment of qubits in P (K 3N ) to each of the three subgraphs. This is why we have introduced the notion of independently detectable errors. Here we give a direct proof of verification for Protocol 8 following the same steps as the proof of Theorem 10.
Theorem 13. Protocol 8 is in general (5/6)  Proof. The proof of this theorem follows the same strategy as Theorem 9, first taking the most general strategy for Bob, expanding this in terms of Pauli operators, and lastly showing that any Pauli term which leads to an incorrect outcome is detected with high-probability. We note that any deviation by Bob from Protocol 8 can be rewritten in the form shown in Figure 4. The proof of this is identical to the corresponding step in the proof of Theorem 9: Without loss of generality any deviation by Bob from the protocol can be written in the form of Figure 3. We can treat {δ i } as inputs to the circuit without violating causality, as they do not interact with any other part of the computation until after b j has been measured, for all j < i. Then simply by reordering the operators via their commutation relations we obtain the form in Figure 4 as required. As a result, any deviation by Bob can be written as a single deviation operator Ω which acts upon the quantum states Bob receives from Alice as well as δ i and some private register held by Bob. Similar to the proof of Theorem 9 the probability of Alice accepting an incorrect outcome density operator is then where as in previous proofs, we take the Kraus operators associated with the Ω, once Bob's private system has been removed, to be χ k = i α ki σ i , with k i α ki α * ki = 1. By Corollary 1, P ⊥ projects out the terms in the above sum where σ i does not contain at least 2d 5 independently detectable errors on the computation graph. This is a somewhat stronger condition than we actually need, and so we will consider terms corresponding to any σ i which produces at least 2d 5 independently detectable errors in total across all three subgraphs (the computation graph and the two trap graphs). We will denote by I the set of all i for which σ i does not satisfy this condition. Similar to the proof of Theorem 9, all terms for which i = j average to zero. Thus, as in the proof of Theorem 10, we obtain As before, we introduce notional sets S γ of three qubits each such that exactly one qubit from each set is on each of the three subgraphs (the two trap graphs and the computation graph), and where either all of the qubits are in P (K 3N ) or all of the qubits are in A(K 3N ) (ensuring exactly one trap and at least one dummy qubit per set). As every σ i in the above sum corresponds to at least 2d 5 independently detectable (and hence uncorrelated) errors across these sets S γ , we have where as before t γ denotes the location of the trap qubit in set S γ . Averaging over all values of t γ , r tγ and θ tγ , we obtain suggests a novel approach to questions such as the open problem of finding an interactive proof for any problem in BQP with a BQP prover, but with a purely classical verifier. The conceptual link between blindness and interactive proof systems is the key ingredient for verifying the "high complexity" quantum-theoretical models with "low complexity" classical ones.