Complete Insecurity of Quantum Protocols for Classical Two-Party Computation

A fundamental task in modern cryptography is the joint computation of a function which has two inputs, one from Alice and one from Bob, such that neither of the two can learn more about the other's input than what is implied by the value of the function. In this Letter, we show that any quantum protocol for the computation of a classical deterministic function that outputs the result to both parties (two-sided computation) and that is secure against a cheating Bob can be completely broken by a cheating Alice. Whereas it is known that quantum protocols for this task cannot be completely secure, our result implies that security for one party implies complete insecurity for the other. Our findings stand in stark contrast to recent protocols for weak coin tossing, and highlight the limits of cryptography within quantum mechanics. We remark that our conclusions remain valid, even if security is only required to be approximate and if the function that is computed for Bob is different from that of Alice.

Traditionally, cryptography has been understood as the art of "secret writing", i.e., of sending messages securely from one party to another. Today, the research field of cryptography comprises much more than encryption and studies all aspects of secure communication and computation among players that do not trust each other, including tasks such as electronic voting and auctioning. Following the excitement that the exchange of quantum particles may allow for the distribution of a key that is unconditionally secure [BB84, Eke91], a level of security unattainable by classical means, the question arose whether other fundamental cryptographic tasks could be implemented with the same level of security using quantum mechanical effects. For oblivious transfer and bit commitment, it was shown that the answer is negative [LC97, May97]. Interestingly, however, a weak version of a coin toss can be implemented by quantum mechanical means [Moc07].
In this Letter we study the task of secure two-party computation. Here, two mistrustful players, Alice and Bob, wish to compute the value of a classical deterministic function f, which takes an input u from Alice and v from Bob, in such a way that both learn the result of the computation and that none of the parties can learn more about the other's input, even by deviating from the protocol. As our main result we show that any quantum protocol which is secure against a cheating Bob can be completely broken by a cheating Alice. Formally, we design an attack by Alice which allows her to compute the value of the function f for all of her inputs (rather than only a single one, which would be required from a secure protocol).
Our result strengthens the impossibility result for two-sided secure two-party computation by Colbeck, where he showed that Alice can always obtain more information about Bob's input than what is implied by the value of the function [Col07]. In a similar way, we complement a result by Salvail, Schaffner and Sotáková [SSS09] showing that any quantum protocol for a non-trivial primitive necessarily leaks information to a dishonest player. Our result is motivated by Lo's impossibility result for the case where only Alice obtains the result of the function (one-sided computation) [Lo97]. Lo's approach is based on the idea that Bob does not have any output; hence, his quantum state cannot depend on Alice's input. Then, Bob has learned nothing about Alice's input and a cheating Alice can therefore still change her input value (by purifying the protocol) and thus cheat.
In the two-sided case, this approach to proving the insecurity of two-party computation fails, as Bob knows the value of the function and thus has some information about Alice's input. In order to overcome this problem we develop a new approach. We start with a formal definition of security based on the standard real/ideal-world paradigm from modern cryptography. In our case of a classical functionality, this definition guarantees the existence of a classical input for Bob in the ideal world, even if he is, in the real world, dishonestly purifying his steps of the protocol. Since real and ideal are indistinguishable for a secure protocol and since a purification of the classical input cannot be part of Bob's systems, Alice can now obtain a copy of this input by applying a unitary, constructed with the help of Uhlmann's theorem, to her output registers and, henceforth, break the protocol.
We wish to emphasize that the above conclusion remains valid if the protocol is not required to be perfectly secure (nor perfectly correct). More precisely, if the protocol is secure up to a small error against cheating Bob, then Alice is able to compute the value of the function for all of her inputs with only a small error. Since the error is independent of the number of inputs that both Alice and Bob have, our analysis improves over Lo's result in the one-sided case. In fact, our results apply to this case since, more generally, they remain true should Bob receive the output of a function g, different from Alice's f, as a careful look at our argument reveals.
Security Definition. Alice and Bob, at distant locations and only connected with a quantum channel, wish to execute a protocol that takes an input u from Alice and an input v from Bob and that outputs the value f(u, v) of a classical deterministic function f to both of them. Since Alice does not trust Bob, she wants to be sure that the protocol does not allow him to extract more information about her input than what is implied by the output value of the function. The same should be true if Alice is cheating and Bob is honest. Whereas for simple functions this intuitive notion of security can be made precise by stating a list of security requirements for certain quantum states of Alice and Bob, such an approach seems very complicated and prone to pitfalls for general functions f, in particular, if we want to consider protocols that are only approximately secure. We therefore follow the modern literature on cryptography where such situations have been in the center of attention for many years (cf. zero-knowledge, composability) and where a suitable notion of security, known as the real/ideal-world paradigm, has been firmly established.
In this paradigm we first define an ideal situation in which everything is computed perfectly and securely and call this the ideal functionality. Informally, a two-party protocol is secure if it looks to the outside world just like the ideal functionality it is supposed to implement. More concretely, a protocol is deemed secure if for every adversarial strategy, or real adversary, there exists an ideal adversary interacting only with the ideal functionality such that the execution of the protocol in the real world is indistinguishable from this ideal world. If such a security guarantee holds, it is clear that a secure protocol can be treated as a call to the ideal functionality and hence, it is possible to construct and prove secure more complicated protocols in a modular fashion. See [Can00, Can96, Gol04] and [Unr04, Unr10, BM04, FS09] for further information about this concept of security in the context of classical and quantum protocols, respectively.
There exist different meaningful ways to make the above informal notion of the real/ideal-world paradigm precise. All these notions have in common that the execution of the protocol by the honest and dishonest players is modeled by a completely positive trace-preserving (CPTP) map. Likewise, every ideal adversary interacting with the ideal functionality is composed out of CPTP maps modeling the pre- and postprocessing of the in- and outputs to the ideal functionality (which is a CPTP map itself). A desirable notion of security is the following: for every real adversary there exists an ideal adversary, such that the corresponding CPTP maps are (approximately) indistinguishable. The natural measure of distinguishability of CPTP maps in this context is the diamond norm, since it can be viewed as the maximal bias of distinguishing real and ideal world by supplying inputs to the CPTP maps and attempting to distinguish the outputs by measurements (i.e. by interacting with an environment). This rather strong notion of security naturally embeds into a composable framework for security in which also quantum key distribution can be proven secure (see, e.g., [CKR09]). Since our goal is the establishment of a no-go theorem, we consider a notion of security which is weaker than the above in two respects. First, we do not allow the environment to supply an arbitrary input state but only the purification of a classical input (see the definition of $\rho_{UVR}$ below), and second, we consider a different order of quantifiers: instead of "∀ real adversary ∃ ideal adversary ∀ input, the output states are indistinguishable" as a security requirement we only require "∀ real adversary ∀ input ∃ ideal adversary, the output states are indistinguishable." This notion of security is closely related to notions of security considered in [FS09, Unr10] and is further discussed in the appendix.

FIG. 1: Illustration of the security definition. A protocol is secure against Bob if the real protocol (left) can be simulated as an interaction with the ideal functionality F (right).
We will now give a formal definition of security. Following the notation of [FS09], we denote by A and B the real honest Alice and Bob and add a prime to denote dishonest players A′, B′ and a hat for the ideal versions Â, B̂. The CPTP map corresponding to the protocol for honest Alice and dishonest Bob is denoted by $\pi_{A,B'}$. Both honest and dishonest players obtain an input, in Alice's case u (in register U) and in Bob's case v (in register V), drawn from the joint distribution p(u, v). The output state of the protocol, augmented by the reference R, takes the
Since we are faced with the task of the secure evaluation of a classical deterministic function, we consider an ideal functionality F which measures the inputs in registers Ũ and Ṽ and outputs orthogonal states in registers X and Ỹ that correspond to the function values. Formally,
where δ denotes the Kronecker delta function. When an ideal honest Â and an ideal adversary B̂′ interact with the ideal functionality, we denote the joint map by $F_{\hat A,\hat B'}: UV \to XY$ (see Figure 1). Â just forwards the in- and outputs to and from the functionality, whereas B̂′ pre- and postprocesses them with CPTP maps $\Lambda_1$, where • denotes sequential application of CPTP maps.
Definition. A (two-party quantum) protocol π for f is ε-correct if for any distribution p(u, v) of the inputs it holds that
The protocol is ε-secure against dishonest Bob if for any p(u, v) and for any real adversary B′, there exists an ideal adversary B̂′ such that
ε-security against dishonest Alice is defined analogously.
Since F is classical, we can augment it so that it outputs ṽ in addition. More precisely, we define
if the protocol is secure against cheating Bob. We call $\sigma_{RX\tilde V Y'}$ a secure state for input distribution p(u, v).
Main Results. The proofs of our main results build upon the following lemma, which constructs a cheating strategy for Alice that works on average over the input distribution p(u, v). Subsequently we will show how this result can be used to devise a cheating strategy that works for all distributions at the same time.
Proof. We first construct a "cheating unitary" T for Alice and then show how Alice can use it to cheat successfully.
Let Alice and Bob play honestly but let them purify their protocol with purifying registers $X_1$ and $Y_1$ respectively. We assume without loss of generality that honest parties measure their classical input and hence, $X_1$ and $Y_1$ contain copies of u and v, respectively. We denote by $|\Phi\rangle_{RXX_1Y_1Y}$ the state of all registers at the end of the protocol. Notice that tracing out
which is exactly the final state when Alice played honestly and Bob played dishonestly with the following strategy: he plays the honest but purified strategy and outputs the purification of the protocol (register $Y_1$) and the output values f(u, v) (register Y). His combined dishonest register is $Y' = Y_1 Y$. Since the protocol is ε-secure against Bob by assumption, there exists a secure state $\sigma_{RX\tilde V Y'}$ satisfying
$$\sigma_{RXY'} \approx_\varepsilon \rho_{RXY'}. \quad (1)$$
Let $|\Psi\rangle_{RXP\tilde V Y'}$ be a purification of $\sigma_{RX\tilde V Y'}$ with purifying register P. Note that $|\Psi\rangle_{RXP\tilde V Y'}$ is also a purification of $\sigma_{RXY'}$, this time with purifying registers $P\tilde V$.
We will now show how Alice can use the isometry T to cheat. Notice that tracing out $Y_1$ from $|\Phi\rangle_{RXX_1YY_1}$ results exactly in the final state when Bob played honestly and Alice played dishonestly with the following strategy: she plays the honest but purified strategy and outputs the purification of the protocol (register $X_1$) and the output values f(u, v) (register X). She then applies $T_{X_1 \to P\tilde V}$, measures register Ṽ in the computational basis and obtains a value ṽ. It remains to argue that Alice can compute f(u, v) with good probability based on the value ṽ that she has obtained from measuring register Ṽ.
Let $M_{R\tilde V X}$ be the CPTP map that measures registers R, X and Ṽ in the computational basis. Tracing over $PY'$ and applying $M_{R\tilde V X}$ on both sides of Equation (2), we find
by the monotonicity of the purified distance under CPTP maps. The right-hand side of Equation (3) equals
for some probability distribution q(ṽ|v) that is conditioned only on Bob's input v, since $|\Psi\rangle_{RXP\tilde V Y'}$ is a purification of the secure state $\sigma_{RX\tilde V Y'}$. The left-hand side of Equation (3) equals
for some conditional probability distributions q(ṽ|u, v) and r(x|u, v, ṽ). Because of the correctness of the protocol, term (4)
(5)
for some conditional probability distribution q(ṽ|u, v). Noting that the ε-closeness of (4) and (5) implies that p(•, )
increasing the purified distance to the left-hand side of Equation (3) only to 2ε. Putting things together, Equation (3) implies

Sandwiching both sides with tr[Z •], where
$$Z = \sum_{u,v,\tilde v} |uv\rangle\langle uv|_R \otimes |\tilde v\rangle\langle \tilde v|_{\tilde V} \otimes |f(u,\tilde v)\rangle\langle f(u,\tilde v)|_X,$$
we find the first claim, since the purified distance of two distributions upper bounds their total variation distance and since the latter does not increase under tr[Z •]. The second claim follows similarly by tracing out register X from Equation (6).
Applying the lemma to the uniform distribution we immediately obtain our impossibility result for perfectly secure protocols.
Theorem 1. Let π be a protocol for the evaluation of f which is perfectly correct and perfectly secure (ε = 0) against Bob. Then, if Bob has input v, Alice can compute f(u, v) for all u.
We note that this implies that Alice can completely break the security for any non-trivial function f .
|U||V| and ε = 0 in the lemma results in the statement that if Alice has input $u_0$, then she will obtain ṽ from the distribution $q(\tilde v|u_0, v)$, which equals q(ṽ|v). But since also q(ṽ|u, v) = q(ṽ|v) for all u, we have 1
The impossibility result for the case of imperfect protocols is also based on the lemma, but requires a subtle swap in the order of quantifiers (from "∀ input ∃ ideal adversary" to "∃ ideal adversary ∀ input") which we achieve by use of von Neumann's minimax theorem.
Theorem 2. If a protocol π for the evaluation of f is ε-correct and ε-secure against Bob, then there is a cheating strategy for Alice (where she uses input $u_0$ while Bob has input v) which gives her ṽ distributed according to some distribution $Q(\tilde v|u_0, v)$ such that for all u:
Proof. The argument is inspired by [DKSW07]. For a finite set S, we denote by ∆(S) the simplex of probability distributions over S. Denote by W the set of pairs (u, v). Consider a finite ε-net D of ∆(W) in total variation distance, and to each distribution in D the corresponding cheating unitary T constructed in the proof of the lemma. We collect all these unitaries in the (finite) set E and assume that T determines p uniquely, as we could include the value p into T. For each such T, let q(ṽ|u, v, T) and q(ṽ|v, T) be the distributions from the lemma. Define the payoff function
$$g(u, v, T) := \sum_{\tilde v} q(\tilde v|u, v, T)\,\delta_{f(u,v),\,f(u,\tilde v)} \;-\; \sum_{\tilde v} \bigl|q(\tilde v|u, v, T) - q(\tilde v|v, T)\bigr|.$$
The lemma then yields
$$1 - 12\varepsilon \;\le\; \min_{p \in D}\, \max_{T \in E}\, \sum_{u,v} p(u, v)\, g(u, v, T),$$
which is at most
$$2\varepsilon + \min_{p' \in \Delta(W)}\, \max_{T \in E}\, \sum_{u,v} p'(u, v)\, g(u, v, T),$$
since replacing p′ by p incurs only an overall change in the value by 2ε (as −1 ≤ g(u, v, T) ≤ 1). By von Neumann's minimax theorem, this last term equals
$$2\varepsilon + \max_{p'' \in \Delta(E)}\, \min_{(u,v) \in W}\, \sum_{T} g(u, v, T)\, p''(T)$$
[20].
Hence, we have shown that there is a strategy for Alice, where she chooses her cheating unitary T with probability $p''(T)$, such that (for some
where $Q(\tilde v|u, v) := \sum_T p''(T)\, q(\tilde v|u, v, T)$ and $Q(\tilde v|v) := \sum_T p''(T)\, q(\tilde v|v, T)$. This implies that for all u, v,
$$\sum_{\tilde v} \bigl|Q(\tilde v|u_0, v) - Q(\tilde v|u, v)\bigr| \le 2\varepsilon_2.$$
Combining this inequality with Equation (7), we find for all u, v,
One might wonder whether Theorem 2 can be strengthened to obtain, with probability 1 − O(ε), a ṽ such that for all u: f(u, v) = f(u, ṽ). It turns out that this depends on the function f: when f is equality [EQ(u, v) = 1 iff u = v] or inner product modulo 2 [$IP(u, v) = \sum_i u_i \cdot v_i \bmod 2$], the stronger conclusion is possible. However, for disjointness [DISJ(u, v) = 0 iff ∃i : $u_i = v_i = 1$] such a strengthening is not possible, showing that our result is tight in general.
For EQ, we reason as follows. Set u = v in Theorem 2. Alice is able to sample a ṽ such that
$$\sum_{\tilde v} Q(\tilde v|u_0, v)\,\delta_{EQ(v,v),\,EQ(v,\tilde v)} \;\ge\; 1 - 28\varepsilon.$$
Since $\delta_{EQ(v,v),EQ(v,\tilde v)} = 1$ iff v = ṽ, we get $Q(v|u_0, v) \ge 1 - 28\varepsilon$. When f is IP, we pick u uniformly at random and obtain
Interestingly, for DISJ such an argument is not possible. Assume that we have a protocol that is ε-secure against Bob. Bob could now run the protocol normally on strings v with Hamming weight |v| ≤ n/2, but on inputs v with |v| > n/2 he could flip, at random, √n of v's bits that are 1. It is not hard to see that this new protocol is still ε-secure and ε + O(1/√n)-correct. The loss in correctness is due to the fact that, on high-Hamming-weight strings, the protocol may, with a small probability, not be correct. On the other hand, on high-Hamming-weight inputs, the protocol cannot transmit or leak the complete input v to Alice, simply because Bob does not use it.
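The DISJ construction above, as an added illustration that is not part of the Letter: Python code for EQ, IP and DISJ as defined in the text, Bob's bit-flipping modification (assuming he flips exactly floor(√n) of the 1-bits), and the exact probability, over his random choice of flipped bits, that the flips change the value of DISJ; the closed-form hypergeometric expression and its worst case over (u, v) are our own computation and make the O(1/√n) correctness loss concrete.

```python
import math
import random

def EQ(u, v):
    """Equality: 1 iff u = v (bit strings are tuples of 0/1)."""
    return int(tuple(u) == tuple(v))

def IP(u, v):
    """Inner product modulo 2."""
    return sum(a & b for a, b in zip(u, v)) % 2

def DISJ(u, v):
    """Disjointness: 0 iff some i has u_i = v_i = 1, else 1."""
    return int(not any(a & b for a, b in zip(u, v)))

def flip_count(n):
    """How many 1-bits Bob flips on high-weight inputs; the text says
    sqrt(n), rounding down is our assumption."""
    return math.isqrt(n)

def bob_modified_input(v, rng):
    """Modified Bob from the text: for |v| <= n/2 he uses v unchanged; for
    |v| > n/2 he flips flip_count(n) random 1-bits of v to 0 and runs the
    honest protocol on the result (rng: a random.Random instance)."""
    n, w = len(v), sum(v)
    if 2 * w <= n:
        return tuple(v)
    ones = [i for i, b in enumerate(v) if b]
    dropped = set(rng.sample(ones, flip_count(n)))
    return tuple(0 if i in dropped else b for i, b in enumerate(v))

def disj_error_probability(u, v):
    """Exact probability, over Bob's random flips, that DISJ(u, v') differs
    from DISJ(u, v). Flips only turn 1s into 0s, so a disjoint pair stays
    disjoint; an intersecting pair becomes disjoint only if all k common
    1-positions are among the m flipped ones, i.e. with hypergeometric
    probability prod_{i<k} (m - i)/(w - i) <= (m/w)^k."""
    n, w = len(v), sum(v)
    if 2 * w <= n or DISJ(u, v) == 1:
        return 0.0
    m, k = flip_count(n), sum(a & b for a, b in zip(u, v))
    if k > m:
        return 0.0
    p = 1.0
    for i in range(k):
        p *= (m - i) / (w - i)
    return p

def worst_case_correctness_loss(n):
    """Maximum of disj_error_probability over all (u, v): k = 1 and the
    smallest high weight w = n//2 + 1 give floor(sqrt(n)) / (n//2 + 1),
    which is O(1/sqrt(n)) as the text claims."""
    return flip_count(n) / (n // 2 + 1)

def weights_after_flip(v, seed=0):
    """(|v|, |v'|, v' <= v bitwise) for one run of bob_modified_input."""
    v2 = bob_modified_input(v, random.Random(seed))
    return sum(v), sum(v2), all(b2 <= b for b, b2 in zip(v, v2))
```

For n = 100 the worst case is a single common 1-position against a v of weight 51, where the flips erase it with probability 10/51; for inputs of weight at most n/2 the modified Bob is exactly the honest one.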
the following real adversary A′ who measures the first n qubits of U in the computational basis in case b = 0 or performs the measurement in the Hadamard basis if b = 1 and returns the measurement outcome as $s_b$. Due to the entanglement, the first n qubits of R collapse to the measured state. Notice that for this adversary A′, the argument above is no longer applicable, because Â cannot simulate two independent copies of A′ as the U register is only available once. In fact, for this adversarial strategy A′, only one of the two strings $s_0, s_1$ is well-defined, as the other string corresponds to the measurement outcome in a complementary basis of the same quantum state. This highlights the intuitive security problem of the suggested protocol, namely that it is not guaranteed that both $s_0$ and $s_1$ classically exist for a cheating Alice. This shows that the protocol is not secure against cheating Alice and that it therefore does not stand in contradiction with our results.

[20] In order to apply von Neumann's theorem, note that the initial term equals
$$\min_{p' \in \Delta(W)}\, \max_{p'' \in \Delta(E)}\, \sum_{u,v,T} p'(u, v)\, g(u, v, T)\, p''(T),$$
since the maximal value of the latter is attained at an extreme point. Von Neumann's minimax theorem [vN28] allows us to swap minimization and maximization, leading to
$$\max_{p'' \in \Delta(E)}\, \min_{p' \in \Delta(W)}\, \sum_{u,v,T} p'(u, v)\, g(u, v, T)\, p''(T)$$
without changing the value. This expression corresponds to the final term since the minimization can without loss of generality be restricted to its extreme points.