Quantum function secret sharing

Alex B. Grilo, Ramis Movassagh

TL;DR

The paper defines quantum function secret sharing (QFSS) with a classical dealer and quantum parties, aiming to compute $f_C(|\psi\rangle,\Pi)=\|\Pi C|\psi\rangle\|^2$ using only classical communication. It introduces a Cayley-path–based protocol where shares are randomized circuit interpolants $C_i=C(1-i\Delta)$ and the final value is reconstructed by extrapolating measured probabilities, achieving correctness and information-theoretic security against a single adversary. However, the work proves two inherent limitations: security does not hold against colluding parties (two or more adversaries) and the evaluation requires exponential time in the number of gates, driven by the need for exponential precision in reconstruction. The results connect quantum function secret sharing to interpolation-based approaches used in quantum supremacy, offering a stepping stone toward fully classical verification of quantum computation while highlighting fundamental barriers to broader security and efficiency.

Abstract

We propose a quantum function secret sharing scheme in which the communication is exclusively classical. In this primitive, a classical dealer distributes a secret quantum circuit $C$ by providing shares to $p$ quantum parties. The parties, on an input state $|\psi\rangle$ and a projection $\Pi$, compute values $y_i$ that they then classically communicate back to the dealer, who can then compute $\lVert \Pi C|\psi\rangle\rVert^2$ using only classical resources. Moreover, the shares do not leak much information about the secret circuit $C$. Our protocol for quantum secret sharing uses the Cayley path, a tool that has been extensively used to support quantum primacy claims. More concretely, the shares of $C$ correspond to randomized versions of $C$ which are delegated to the quantum parties, and the reconstruction can be done by extrapolation. Our scheme has two limitations, which we prove to be inherent to our techniques: First, our scheme is only secure against single adversaries, and we show that if two parties collude, then they can break its security. Second, the evaluation done by the parties requires exponential time in the number of gates.

Paper Structure

This paper contains 17 sections, 12 theorems, 41 equations, 2 figures, 4 algorithms.

Key Result

Proposition 1

Suppose $e(\theta)$ is a degree $d$ polynomial in $\theta$. Assume $e(\theta_i)\le \epsilon$ where $|1-\theta_i|\in [0,\Delta]$. Then $|e(0)| \leq \epsilon \frac{\exp[d(1+\log\Delta^{-1})]}{\sqrt{2\pi d}}$.
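
An added numerical illustration (not code from the paper) of why reconstruction by extrapolation needs exponentially precise share values: it extrapolates from points $\theta_i = 1 - i\Delta$ to $\theta = 0$ in exact rational arithmetic and measures how per-share error is amplified. The stand-in polynomial, the use of $d+1$ shares, Lagrange interpolation as the extrapolation method, and all function names are assumptions.

```python
from fractions import Fraction
from math import exp, log, pi, sqrt

def share_points(d, delta):
    """theta_i = 1 - i*delta for i = 1..d+1 (assumed: d+1 shares for degree d)."""
    return [1 - i * Fraction(delta) for i in range(1, d + 2)]

def weights_at_zero(nodes):
    """Lagrange weights w_i such that q(0) = sum_i w_i * q(theta_i)
    for every polynomial q of degree < len(nodes)."""
    ws = []
    for i, ti in enumerate(nodes):
        w = Fraction(1)
        for j, tj in enumerate(nodes):
            if j != i:
                w *= -tj / (ti - tj)
        ws.append(w)
    return ws

def amplification(nodes):
    """Worst-case |error at theta=0| per unit of error on each share value."""
    return sum(abs(w) for w in weights_at_zero(nodes))

def prop1_factor(d, delta):
    """The factor multiplying epsilon in Proposition 1."""
    return exp(d * (1 + log(1 / delta))) / sqrt(2 * pi * d)

def demo(d=6, delta=Fraction(1, 100), eps=Fraction(1, 10**6)):
    # Constructed stand-in for theta -> output probability (degree d).
    coeffs = [Fraction(k + 1, 10 * (d + 1)) for k in range(d + 1)]
    p = lambda t: sum(c * t**k for k, c in enumerate(coeffs))
    nodes = share_points(d, delta)
    ws = weights_at_zero(nodes)
    exact = [p(t) for t in nodes]
    # Worst-case signed noise of size eps on every reported y_i.
    noisy = [y + (eps if w > 0 else -eps) for y, w in zip(exact, ws)]
    rec = lambda ys: sum(w * y for w, y in zip(ws, ys))
    return {"true": p(Fraction(0)), "clean": rec(exact), "eps": eps,
            "noisy_error": abs(rec(noisy) - p(Fraction(0))),
            "amplification": amplification(nodes),
            "prop1": prop1_factor(d, float(delta))}

if __name__ == "__main__":
    for d in (2, 4, 6):
        r = demo(d)
        print(d, float(r["noisy_error"]), float(r["amplification"]), r["prop1"])
```

With exact share values the extrapolation recovers the value at $\theta = 0$ exactly; with the constructed $d=6$, $\Delta=10^{-2}$ and per-share error $10^{-6}$, the worst-case reconstructed error exceeds 1, so the result carries no information about a probability.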

Figures (2)

  • Figure 1: A function $f_C$ is computed in a distributed way, where $f_C(\psi,\Pi):=\lVert\Pi C|\psi\rangle\rVert^2$ is the output of a quantum circuit that the dealer (e.g., client) wants to compute. The dealer may wish to provide a classical description of $\psi$ but the protocol allows for a pre-agreed state $\psi$ whose $p$ copies are used by the quantum parties as inputs. The latter allows for inputs whose preparation may require deep quantum circuits. The quantum parties compute $y_i\approx\lVert\Pi C(\theta_i)|\psi\rangle\rVert^2$ and classically communicate them back to the dealer. The reconstruction by the dealer is performed classically and efficiently through an extrapolation.
  • Figure 2: The center of the ball denotes the Haar measure $\mathcal{H}$ and the circuits $B(\theta_i)$ and $C(\theta_j)$ are instances of small pullbacks of the Haar measure towards the fixed circuits $B:=B(0)$ and $C:=C(0)$.

Theorems & Definitions (22)

  • Remark 1
  • Proposition 1: Lemma 4 via Eq. 13 in kondo2022quantum
  • Proposition 2: Lemma 2 in movassagh2023hardness
  • Definition 1
  • Theorem 1
  • Lemma 1
  • proof
  • Lemma 2
  • proof
  • Remark 2
  • ...and 12 more