Secure multi-party quantum computation protocol for quantum circuits:
the exploitation of triply-even quantum error-correcting codes

In our MPQC protocol, we assume that all the quantum nodes have an access to the classical authenticated broadcast channel Canetti et al. (1999) (which is feasible if and only if $t<\frac{n}{3}$ Lamport et al. (1982); Pease et al. (1980)) and to the public source of randomness, the latter of which can be created with the help of the secure multi-party classical computation Ben-Or et al. (1988); Chaum et al. (1988) (which is also feasible if and only if $t<\frac{n}{3}$) ³³3We note that aforementioned constraints on the feasibility of the classical authenticated broadcast channel and the public source of randomness do not cause any additional problems since we assume that only $t<\frac{n}{4}\left(<\frac{n}{3}\right)$ quantum nodes are corrupted by the adversary, see Sec. III.2.. Also, each pair of quantum nodes is connected via the authenticated and private classical Canetti (2004) and quantum Barnum et al. (2002) channels. Finally, we assume that each quantum node can perfectly process and store classical and quantum information.

In our MPQC protocol, we make no assumptions about the computational power of the adversary. Our non-adaptive ⁴⁴4Non-adaptive is the adversary that chooses quantum nodes to corrupt before the MPQC protocol begins and remains with that choice., but active ⁵⁵5Active is the adversary that is able to perform arbitrary quantum operations on the shares in the possession of the corrupted quantum nodes. adversary is limited only by the number of quantum nodes $t<\frac{n}{4}$ it can corrupt. The quantum nodes which are corrupted by the adversary and therefore disobey the instructions of the MPQC protocol are called cheating quantum nodes. On the contrary, the quantum nodes which are not corrupted by the adversary and obey the instructions of the MPQC protocol are called honest quantum nodes.

Since in our MPQC protocol we consider a sub-class of general CSS QECCs Steane (1996); Calderbank and Shor (1996), i.e., triply-even CSS QECCs $\mathcal{C}_{\mathrm{TE}}$ Betsumiya and Munemasa (2012); Knill et al. (1996), we first define properties common to any type of CSS QECCs. Hereafter, $[n,k,d]$ stands for the distance $d$ binary classical linear code that encodes $k$ bits into $n$ bits. General CSS QECC is defined through the two binary classical linear codes denoted as $V$ and $W$, and these binary classical linear codes satisfy the following three conditions:

• •

  $V$ is an $[n,k_{V},d_{V}]$ binary classical linear code that can correct $t_{V}\leq\left\lfloor\frac{d_{V}-1}{2}\right\rfloor$ bit errors.

• •

  $W$ is an $[n,k_{W},d_{W}]$ binary classical linear code that can correct $t_{W}\leq\left\lfloor\frac{d_{W}-1}{2}\right\rfloor$ bit errors.

• •

  $V^{\perp}$ and $W$ satisfy $V^{\perp}\subseteq W$, where $V^{\perp}$ means the dual of the binary classical linear code $V$. Here, $V^{\perp}$ is an $[n,k_{V^{\perp}},d_{V^{\perp}}]$ classical linear code that satisfies $k_{V^{\perp}}=n-k_{V}$.

These two binary classical linear codes generate an $[[n,k,d]]$ CSS QECC encoding $k$-qubit quantum state into $n$-qubit logical quantum state, and where the constraint $k=k_{V}+k_{W}-n$ is satisfied. Such a CSS QECC can correct $t_{V}$ bit flip ($X$) errors and $t_{W}$ phase flip ($Z$) errors, which leads to a CSS QECC with distance $d\geq\min(d_{V},d_{W})$ tolerating $t\leq\left\lfloor\frac{d-1}{2}\right\rfloor$ arbitrary quantum errors and $p\leq d-1$ erasure quantum errors.

Since the VHSS protocol we employ in this paper works for any type of CSS QECCs encoding single-qubit quantum states into $n$-qubit logical quantum state, see Sec. IV.1, $k$ will always be equal to $1$, and therefore the encodings of the standard basis “zero” state and the Fourier basis “plus” state can be written as $\bar{\ket{0}}=\frac{1}{\sqrt{W^{\bot}}}\sum_{w\in W^{\bot}}\ket{w}$ and $\bar{\ket{+}}=\frac{1}{\sqrt{V}}\sum_{v\in V}\ket{v}$ correspondingly. Here individual codewords of the binary classical linear codes $V$ and $W$ are denoted as $v$ and $w$ respectively.

Important to note that a CSS QECC generated by the two binary classical linear codes $V$ and $W$ may be denoted as a set $V\cap\mathcal{F}W$ (where $\mathcal{F}$ stands for the Fourier transform), which means that a CSS QECC is a set of $n$-qubit logical quantum states, which yield a codeword $v$ in $V$ when measured in the standard basis (also called $Z$ basis in the literature) and a codeword $w$ in $W$ when measured in the Fourier basis (also called $X$ basis in the literature) Nielsen and Chuang (2011).

Also, we emphasize that any type of CSS QECC allows transversal implementation of the $\mathrm{C}\text{-}X$ gate, while not any type of CSS QECC allows transversal implementation of the other well-known quantum gates such as $H$ gate, $P$ gate, or $T$ gate. For example, a sub-class of general CSS QECCs constructed from the two binary classical linear codes satisfying $V=W$ and called self-dual CSS QECCs Preskill (1999), allows transversal implementation of $H$ gate, $P$ gate, and $\mathrm{C}\text{-}X$ gate, while does not allow transversal implementation of the $T$ gate. Besides, we should note that in case of CSS QECCs, logical measurement can be implemented transversally by local measurements of all the single-qubit quantum states comprising the $n$-qubit logical quantum state and the classical communication.

Finally, let us mention the important property of CSS QECCs. The set of stabilizer generators $S$ of any CSS QECC can be divided into the set of stabilizer generators consisting of only $X$ and $I$ (in this case, each stabilizer generator is denoted as $S^{X}_{g}$ and the entire set is denoted as $S^{X}$) or only $Z$ and $I$ (in this case, each stabilizer generator is denoted as $S^{Z}_{g}$ and the entire set is denoted as $S^{Z}$) operators in the tensor product representation, which permits independent correction of the bit flip ($X$) and the phase flip ($Z$) errors. As it happens, the Steane-type quantum error correction method Steane (1997) on the basis of which the VHSS protocol is built, takes advantage of this fact Lipinska et al. (2020b), see Sec. IV.1 for details. Furthermore, the encoding of the standard basis “zero” state and the Fourier basis “plus” state in terms of the stabilizer generators can be written as $\bar{\ket{0}}=\frac{1}{\sqrt{2^{|}S^{X}|}}\prod_{g\in S^{X}}(I+S^{X}_{g})\ket{0}^{\otimes n}$ and $\bar{\ket{+}}=\frac{1}{\sqrt{2^{|}S^{Z}|}}\prod_{g\in S^{Z}}(I+S^{Z}_{g})\ket{+}^{\otimes n}$ correspondingly.

To be comprehensive, we briefly describe a method of constructing the triply-even CSS QECCs $\mathcal{C}_{\mathrm{TE}}$ Betsumiya and Munemasa (2012); Knill et al. (1996), which constitute a sub-class of general CSS QECCs Steane (1996); Calderbank and Shor (1996) and allow transversal implementation of the $T$ gate without any Clifford corrections Rengaswamy et al. (2020). This is in contrast to the so called triorthogonal CSS QECCs, which constitute an another sub-class of general CSS QECCs as well as comprise a super-class for the triply-even CSS QECCs $\mathcal{C}_{\mathrm{TE}}$, and for which the transversal implementation of the $T$ gate requires additional Clifford corrections Bravyi and Haah (2012). We begin with the definition of the triply-even binary matrices Betsumiya and Munemasa (2012) from which the triply-even CSS QECCs $\mathcal{C}_{\mathrm{TE}}$ can be constructed Paetznick (2014). Suppose the existence of two binary vectors $f$, $g\in\{0,1\}^{n}$ with the Hamming weights $|f|$ and $|g|$ respectively, and for which the entry-wise product $f\cdot g\in\{0,1\}^{n}$ is defined. In this case, we call an $m\times n$ binary matrix $G$ triorthogonal if for its rows $f_{1},\ldots f_{m}\in\{0,1\}^{n}$ following two conditions are satisfied:

$\displaystyle|f_{i}\cdot f_{j}\cdot f_{k}|=0\pmod{2}$

(1)

for all triples of rows $1\leq i<j<k\leq m$,

$\displaystyle|f_{i}\cdot f_{j}|=0\pmod{2}$

(2)

for all pairs of rows $1\leq i<j\leq m$. If in addition to the above two conditions the more restrictive constraint

$\displaystyle|f_{i}\cdot f_{j}|=0\pmod{4}$

(3)

is satisfied for all pairs of even weight rows $1\leq i<j\leq l$, we call the binary matrix $G$ triply-even. The latter constraint implies that $|f_{i}|=0\pmod{8}$ is satisfied for all the even weight rows of the binary matrix $G$ Paetznick (2014). Important to note that we assume the $m\times n$ binary matrix $G$ consisting of two submatrices: the one comprised of $l$ even weight rows and denoted as $G_{e}$ (an $l\times n$ matrix) and the one comprised of $m-l$ odd weight rows and denoted as $G_{o}$ (an $l-m\times n$ matrix).

With the above triply-even binary matrix $G$ at hand, one can construct corresponding triply-even CSS QECC $\mathcal{C}_{\mathrm{TE}}$ as follows Bravyi and Haah (2012); Paetznick (2014). For each row of the binary matrix $G_{e}$, one defines an $X$ stabilizer generator by mapping non-zero entries of the row to the $X$ operators (and zero entries of the row to the $I$ operators). Next, for each row of the orthogonal complement of the triply-even binary matrix $G$, i.e., $G^{\bot}$, one defines a $Z$ stabilizer generator by mapping non-zero entries of the row to the $Z$ operators (and zero entries of the row to the $I$ operators). Finally, each row of the binary matrix $G_{o}$ corresponds to both the $\bar{X}$ and $\bar{Z}$ operators, if non-zero entries of the rows are mapped to the $X$ and $Z$ operators respectively (and zero entries of the rows to the $I$ operators in both cases).

Let us also mention about the minimum distance of the triply-even CSS QECCs $\mathcal{C}_{\mathrm{TE}}$ constructed above. If we denote the linear span of all the rows of the binary matrices $G_{e}$ ($G_{e}^{\bot}$) and $G^{\bot}$ as $\mathcal{G}_{e}$ ($\mathcal{G}_{e}^{\bot}$) and $\mathcal{G}^{\bot}$ respectively, in case of the triorthogonal CSS QECCs, and consequently the triply-even CSS QECCs $\mathcal{C}_{\mathrm{TE}}$, the condition $\mathcal{G}_{e}\subseteq\mathcal{G}^{\bot}$ is satisfied and this fact will automatically imply the relation $d_{Z}\leq d_{X}$, where $d_{Z}$ and $d_{X}$ mean the distances against the phase flip $Z$ and bit flip $X$ errors respectively Bravyi and Haah (2012); Paetznick (2014). Therefore, the minimum distance of the triply-even CSS QECC $\mathcal{C}_{\mathrm{TE}}$ can be defined as the minimum weight of any non-trivial $\bar{Z}$ operator: $\displaystyle d=\min_{f\in\mathcal{G}_{e}^{\bot}\setminus\mathcal{G}^{\bot}}|f|$ Bravyi and Haah (2012); Nezami and Haah (2022).

Eventually, to introduce an essential property of the triply-even CSS QECCs $\mathcal{C}_{\mathrm{TE}}$, i.e., a transversal implementation of the $T$ gate without any Clifford corrections, we define the weight $|S|$ of a stabilizer generator $S$ as the number of terms not-equal to $I$ in the tensor product representation. Actually, according to the Ref. Rengaswamy et al. (2020), a CSS QECC allows transversal implementation of the $T$ gate without any Clifford corrections if and only if the binary matrix $G$ is triorthogonal, i.e., Eqs. 1 and 2 are satisfied, and the weight of all the stabilizer generators $S^{X}$ is multiple of eight: $|S^{X}|=0\pmod{8}$ ⁶⁶6This statement is indeed consistent with the claim that the condition $|f_{i}|=0\pmod{8}$ is satisfied for all the even weight rows $1\leq i\leq l$ of the triply-even binary matrix $G$.. An example of such a CSS QECC is $[[15,1,3]]$ CSS QECC Knill et al. (1996), as well as $[[49,1,5]]$ CSS QECC Bravyi and Haah (2012).

As we can see from the above discussions, triply-even CSS QECCs $\mathcal{C}_{\mathrm{TE}}$ allow transversal implementation of $X$ gate, $Z$ gate, $\mathrm{C}\text{-}X$ gate (since any type of CSS QECC allows transversal implementation of these quantum gates), and $T$ gate. Therefore, only the $H$ gate in the chosen universal set of quantum gates ($X$ gate, $Z$ gate, $\mathrm{C}\text{-}X$ gate, $T$ gate, and $H$ gate) is not transversal and needs to be implemented by the gate teleportation technique, see Sec. IV.2, since in case of the triply-even CSS QECCs $\mathcal{C}_{\mathrm{TE}}$ binary classical linear codes $V$ and $W$ do not satisfy $V=W$.

An important ingredient required for the construction of our MPQC protocol based on a technique of quantum error correction is the VHSS protocol, which was recently introduced in Ref. Lipinska et al. (2020b). First of all, quantum nodes participating in the MPQC protocol use the VHSS protocol to encode and share a single-qubit input quantum state $\rho^{i}$ among all the $n$ quantum nodes in a verifiable way. We note that the VHSS protocol in Ref. Lipinska et al. (2020b) is applicable to any type of CSS QECC and that if the minimum distance of the underlying CSS QECC is $d$, the VHSS protocol tolerates $t\leq\left\lfloor\frac{d-1}{2}\right\rfloor$ cheating quantum nodes corrupted by the adversary described in Sec. III.2. As it was already mentioned in Sec. II, this constraint indeed allows honest quantum nodes to correct all the arbitrary quantum errors introduced by the $t<\frac{n}{4}$ cheating quantum nodes. To be more specific, the VHSS protocol is information-theoretically secure and satisfies the security requirements, i.e., soundness, completeness, and secrecy, which hold with the probability exponentially close to $1$ in the security parameter $r$. Namely, the verification performed by using the VHSS protocol has the probability of error $2^{-\Omega(r)}$. The detailed security proof can be found in Ref. Lipinska et al. (2020b).

First, let us describe the VHSS protocol itself. In the sharing phase of the VHSS protocol, some quantum node $i$ acting as a dealer $D^{i}$ encodes his input $\rho^{i}$ into the $n$-qubit logical quantum state by using some CSS QECC (some triply-even CSS QECC $\mathcal{C}_{\mathrm{TE}}$ in our case) on which all the quantum nodes have an agreement and shares it among all the quantum nodes (including himself). We call this procedure the first level encoding. Then, each quantum node $i$ one more time encodes a single-qubit quantum state obtained from the dealer $D^{i}$ into the $n$-qubit logical quantum state by using the same CSS QECC (the same triply-even CSS QECC $\mathcal{C}_{\mathrm{TE}}$ in our case) and one more time shares it among all the quantum nodes (including himself). We call this procedure the second level encoding. Eventually, quantum nodes jointly possess logical quantum state $\bar{\bar{\mathcal{P}}}^{i}$ (or global logical quantum state $\bar{\bar{\mathcal{P}}}$ if all the $n$ quantum nodes participating in the MPQC protocol have finished the sharing phase of the VHSS protocol), see Fig. 2.

In the verification phase of the VHSS protocol, quantum nodes jointly verify that the quantum state $\bar{\bar{\mathcal{P}}}^{i}$ in their possession is for sure a valid logical quantum state encoded by the aforementioned triply-even CSS QECC $\mathcal{C}_{\mathrm{TE}}$. To be more specific, quantum nodes publicly check that there are $t\leq\left\lfloor\frac{d-1}{2}\right\rfloor$ arbitrary quantum errors introduced by the dealer $D^{i}$ during the procedure of the first level encoding, which will also mean that the dealer $D^{i}$ is honest. For that purpose, first, quantum nodes jointly prepare ancillary logical quantum states $\bar{\bar{\ket{0}}}^{i}$ (to detect the phase flip $Z$ errors) or $\bar{\bar{\ket{+}}}^{i}$ (to detect the bit flip $X$ errors), which are generated in the same way as the logical quantum state $\bar{\bar{\mathcal{P}}}^{i}$ but from the single-qubit input quantum states $\ket{0}^{i}$ or $\ket{+}^{i}$ respectively. Then, quantum nodes propagate arbitrary quantum errors in the logical quantum state $\bar{\bar{\mathcal{P}}}^{i}$ (if any) to these ancillary logical quantum states by means of the transversal application of the $\mkern 1.5mu\overline{\mkern-1.5mu\mkern 1.5mu\overline{\mkern-1.5mu\mathrm{C}\text{-}X\mkern-1.5mu}\mkern 1.5mu\mkern-1.5mu}\mkern 1.5mu^{i}$ gate (superscript $i$ means that the logical quantum gate is applied between the logical quantum states initially created from the single-qubit input quantum states $\rho^{i}$, $\ket{0}^{i}$, or $\ket{+}^{i}$) to their shares. Next, quantum nodes logically measure the ancillary logical quantum states in the appropriate basis, and finally, by decoding the results of these logical measurements find arbitrary quantum errors in the logical quantum state $\bar{\bar{\mathcal{P}}}^{i}$ (if any). The detailed procedure of the bit flip $X$ errors detection is shown in Fig. 3.

Actually, the above procedure is an extension of the Steane-type quantum error correction method introduced in Ref. Steane (1997) and stands for a single iteration in the verification phase of the VHSS protocol which contains $r^{2}+2r$ of such iterations. To be more specific, there are $r$ iterations to check the bit flip $X$ errors (where each iteration spends single ancillary logical quantum state $\bar{\bar{\ket{+}}}^{i}$), $r$ iterations to check the phase flip $Z$ errors (where each iteration spends single ancillary logical quantum state $\bar{\bar{\ket{0}}}^{i}$), and $r$ additional iterations for each ancillary logical quantum state $\bar{\bar{\ket{0}}}^{i}$ to check it for the bit flip $X$ errors (where each iteration indeed spends single ancillary logical quantum state $\bar{\bar{\ket{+}}}^{i}$). Obviously, this procedure requires a workspace of $3n$ qubits per quantum node, i.e., a workspace of $n$ qubits per quantum node for each of the logical quantum states $\bar{\bar{\mathcal{P}}}^{i}$, $\bar{\bar{\ket{0}}}^{i}$, and $\bar{\bar{\ket{+}}}^{i}$, which need to be stored simultaneously during the verification phase of the VHSS protocol, see Ref. Lipinska et al. (2020b) for the details.

Throughout the verification phase of the VHSS protocol, quantum nodes jointly construct a public set of apparent cheaters $B$, which records all the arbitrary quantum errors introduced by the dealer $D^{i}$ during the procedure of the first level encoding and by the cheating quantum nodes during the procedure of the second level encoding. This allows identification of the cheating quantum nodes with probability exponentially close to $1$ in the security parameter $r$, i.e., the probability of error is $2^{-\Omega(r)}$. Note that it is impossible to distinguish arbitrary quantum errors introduced by the dealer $D^{i}$ from those introduced by the cheating quantum nodes. Anyway, if at the end of the verification phase $|B|\leq t$ is satisfied, then the dealer $D^{i}$ passes the verification phase of the VHSS protocol. In this case, a logical quantum state $\bar{\bar{\mathcal{P}}}^{i}$ in the possession of the quantum nodes can always be reconstructed into the original input $\rho^{i}$ because arbitrary quantum errors introduced during the first level encoding and the second level encoding can always be corrected by the triply-even CSS QECC $\mathcal{C}_{\mathrm{TE}}$, since we assume that there are $t<\frac{n}{4}$ cheating quantum nodes and therefore $t\leq\left\lfloor\frac{d-1}{2}\right\rfloor$ arbitrary quantum errors at each level of encoding. On the other hand, if $|B|>t$ is satisfied the VHSS protocol aborts.

In the reconstruction phase of the VHSS protocol, some quantum node $j$ acting as a reconstructor $R^{j}$ collects all the single-qubit quantum states from all the quantum nodes. Then, to correct arbitrary quantum errors introduced to the logical quantum state $\bar{\bar{\mathcal{P}}}^{i}$ by the cheating quantum nodes after the verification phase and before the reconstruction phase, i.e., at the second level encoding, the reconstructor $R^{j}$ identifies arbitrary quantum errors in the $n$-qubit logical quantum states coming from the quantum nodes not in the public set of apparent cheaters $B$ by using the triply-even CSS QECC $\mathcal{C}_{\mathrm{TE}}$ and subsequently updates a public set of apparent cheaters $B$. Next, the reconstructor $R^{j}$ decodes all the $n$-qubit logical quantum states in his possession that may contain $t\leq\left\lfloor\frac{d-1}{2}\right\rfloor$ arbitrary quantum errors. We call this procedure the second level decoding. After that, from the single-qubit quantum states obtained during the second level decoding, the reconstructor $R^{j}$ randomly chooses $n-2t$ single-qubit quantum states originally encoded and shared by the quantum nodes which are not in the public set of apparent cheaters $B$, performs erasure recovery by using the triply-even CSS QECC $\mathcal{C}_{\mathrm{TE}}$, and finally obtains single-qubit output quantum state $\omega^{j}=\rho^{i}$. We note that the communication complexity of the VHSS protocol per quantum node becomes $\mathcal{O}(nr^{2})$ qubits, which is obvious considering that the quantum nodes send $n^{2}-1$ single qubit quantum states $(r+1)^{2}$ times in the process of the VHSS protocol execution Lipinska et al. (2020b).

Actually, the VHSS protocol in Ref. Lipinska et al. (2020b) is also able to confirm that the single-qubit input quantum state from the dealer $D^{i}$ is exactly $\ket{0}^{i}$ (or $\ket{+}^{i}$), i.e., that the quantum state ${}_{v}\!\bar{\bar{\ket{0}}}^{i}$ (${}_{v}\!\bar{\bar{\ket{+}}}^{i}$) (left subscript $v$ denotes the logical quantum state which the quantum nodes want to verify and confirm, and is used to distinguish it from the ancillary logical quantum states $\bar{\bar{\ket{0}}}^{i}$ or $\bar{\bar{\ket{+}}}^{i}$ which are spent in the verification phase of the VHSS protocol) in the possession of the quantum nodes is for sure a valid logical quantum state created from the input $\ket{0}^{i}$ (or $\ket{+}^{i}$) and is definitely encoded by the triply-even CSS QECC $\mathcal{C}_{\mathrm{TE}}$, see Refs. Crépeau et al. (2002); Lipinska et al. (2020b); Smith (2001) for the details. To achieve that, all the $r^{2}+2r$ iterations in the verification phase of the VHSS protocol are performed with the ancillary logical quantum states $\bar{\bar{\ket{0}}}^{i}$ (or $\bar{\bar{\ket{+}}}^{i}$), which are indeed generated from the single-qubit input quantum states $\ket{0}^{i}$ (or $\ket{+}^{i}$) ⁷⁷7This is different from the VHSS protocol employed to check whether the quantum node $i$ is honest or not by simply verifying the encoding of the input $\rho^{i}$.. Also, after the logical measurements of these ancillary logical quantum states in the standard (or Fourier) basis, quantum nodes publicly check that the twice decoded outcomes of the logical measurements correspond to the $\ket{0}^{i}$ (or $\ket{+}^{i}$).

Here we describe the gate teleportation technique which was first suggested in Ref. Gottesman and Chuang (1999). The key idea of the technique is to use a specially created ancillary quantum state as a control quantum state, measure it with respect to the appropriate basis, and apply necessary quantum correction to the target quantum state depending on the measurement outcome. Gate teleportation technique is frequently used for the fault-tolerant realization of the quantum gate that cannot be implemented transversally once a particular QECC is chosen Gottesman (2009). Since our MPQC protocol is constructed on the basis of the triply-even CSS QECCs $\mathcal{C}_{\mathrm{TE}}$ Betsumiya and Munemasa (2012); Knill et al. (1996), the only quantum gate which cannot be implemented transversally in the chosen universal set of quantum gates, i.e., $X$ gate, $Z$ gate, $T$ gate, $\mathrm{C}\text{-}X$ gate, and $H$ gate, will be the $H$ gate Knill et al. (1996). Therefore, in our MPQC protocol, a non-transversal $H$ gate needs to be implemented by the gate teleportation technique Knill et al. (1996).

The gate teleportation protocol implementing the non-transversal $H^{i}$ gate takes logical quantum state $\bar{\bar{\mathcal{P}}}^{i}$ and ancillary logical quantum state ${}_{v}\!\bar{\bar{\ket{+}}}^{i}$ as an input, see Fig. 4. At this point, both of these logical quantum states are already verified by using the VHSS protocol. In addition, quantum nodes has already jointly confirmed that the ancillary logical quantum state ${}_{v}\!\bar{\bar{\ket{+}}}^{i}$ in their possession is definitely a logical version of the single-qubit quantum state $\ket{+}^{i}$. Important to note that this can be achieved by using the VHSS protocol only, see Sec. IV.1. Here lies the main difference from the previous suggestion in Ref. Lipinska et al. (2020a) as well as its reconsidered version in Ref. Lipinska et al. (2022), where the logical version of the ancillary “magic” state $\frac{1}{\sqrt{2}}(\ket{0}+e^{i\pi/4}\ket{1})$, which is required for the implementation of the non-transversal $T$ gate with the gate teleportation technique, cannot be verified by using the VHSS protocol only, and therefore an additional verification of the ancillary logical “magic” state becomes vital Lipinska et al. (2020a, 2022), see Appendix C for the details ⁸⁸8For the details of the protocol called “verification of the Clifford stabilizer states” (VCSS) which was employed in the original version of the MPQC protocol for the verification of the ancillary logical “magic” state see Appendix A and Appendix B.

To perform the gate teleportation technique and apply a non-transversal $\bar{\bar{H}}^{i}$ gate to the logical quantum state $\bar{\bar{\mathcal{P}}}^{i}$, in addition to the $n^{2}$ qubits required for holding a share $\bar{\bar{\mathcal{P}}}_{i}$, each quantum node requires $3n$ qubits to verify and confirm the input ancillary logical quantum state ${}_{v}\!\bar{\bar{\ket{+}}}^{i}$ by using the VHSS protocol, see Sec. IV.1, and afterwards $n$ qubits to actually perform the gate teleportation technique. Therefore, the communication complexity of the gate teleportation protocol is the same as of the VHSS protocol, i.e., $\mathcal{O}(nr^{2})$ qubits per quantum node.

The detailed procedure of the gate teleportation technique is shown in Fig. 4. To apply a non-transversal $\bar{\bar{H}}^{i}$ gate to the logical quantum state $\bar{\bar{\mathcal{P}}}^{i}$, quantum nodes transversally apply $\bar{\bar{P}}^{i}=\bar{\bar{T}}^{i}\circ\bar{\bar{T}}^{i}$ gate to their shares of both input logical quantum states $\bar{\bar{\mathcal{P}}}^{i}$ and ${}_{v}\!\bar{\bar{\ket{+}}}^{i}$, then transversally apply $\mkern 1.5mu\overline{\mkern-1.5mu\mkern 1.5mu\overline{\mkern-1.5mu\mathrm{C}\text{-}X\mkern-1.5mu}\mkern 1.5mu\mkern-1.5mu}\mkern 1.5mu^{i}$ gate to their shares, taking shares of the ancillary logical quantum state ${}_{v}\!\bar{\bar{\ket{+}}}^{i}$ as the control shares and shares of the logical quantum state $\bar{\bar{\mathcal{P}}}^{i}$ as the target shares. Then, quantum nodes transversally apply $\bar{\bar{P}}^{i}$ gate to the target shares and logically measure the control shares in the Fourier basis. Next, quantum nodes decode the result of the logical measurement twice and publicly check whether this twice-decoded result corresponds to the $\ket{+}^{i}$ or $\ket{-}^{i}$. Finally, if the result corresponds to the $\ket{-}^{i}$, then quantum nodes do nothing to their target shares, but if the result corresponds to the $\ket{+}^{i}$, then quantum nodes transversally apply the $-i\bar{\bar{Y}}^{i}=-i\bar{\bar{P}}^{i}\circ\bar{\bar{X}}^{i}\circ\mkern 1.5mu\overline{\mkern-1.5mu\mkern 1.5mu\overline{\mkern-1.5muP^{\dagger}\mkern-1.5mu}\mkern 1.5mu\mkern-1.5mu}\mkern 1.5mu^{i}$ gate to their target shares, see Appendix E for the detailed calculations. At the same time, quantum nodes update the public set of apparent cheaters $B$, and if $|B|>t$ is satisfied, quantum nodes assume that the twice-decoded result of the logical measurement corresponds to the $\ket{-}^{i}$, and do nothing to their target shares. For the detailed procedure of the gate teleportation protocol see Table 3.

Here we state the security framework and the security definition following Refs. Beaver (1992); Micali and Rogaway (1992); Canetti (2001); Unruh (2010); Lipinska et al. (2020a). To prove that our MPQC protocol is secure we employ the simulator-based security definition, which automatically satisfies requirements of correctness, soundness, and privacy mentioned in Sec. I. The simulator-based security definition uses two models: the “real” model corresponding to the execution of the actual MPQC protocol and the “ideal” model where quantum nodes interact with an oracle that performs the MPQC protocol perfectly and cannot be corrupted by the adversary. In this security framework, the MPQC protocol is said to be secure if one cannot distinguish a “real” execution from an “ideal” execution of the MPQC protocol.

In the “ideal” model the honest quantum nodes solely send their input quantum states to the oracle and merely output whatever they receive from the oracle as their results. On the other hand, cheating quantum nodes are allowed to perform any joint quantum operation on their input quantum states before sending them to the oracle and also allowed to perform any joint quantum operation on whatever they receive from the oracle before they output their results. We assume that the cheating quantum nodes are non-adaptively corrupted by an active adversary $\mathcal{A}$, which can corrupt $t<\frac{n}{4}$ quantum nodes, but otherwise has unlimited computational power, see Sec. III.2. Hereafter, an adversary in the “real” model will be denoted as $\mathcal{A}_{\mathrm{real}}$ and an adversary in the “ideal” model will be denoted as $\mathcal{A}_{\mathrm{ideal}}$.

By using the definition of the $\epsilon$-security we can state the security of our MPQC protocol as follows, see Refs. Lipinska et al. (2020a, 2022) for details.

Proof of the security of our MPQC protocol will be almost the same as the security proof of the previously suggested MPQC protocol in Refs. Lipinska et al. (2020a, 2022) ⁹⁹9In the Ref. Lipinska et al. (2022) it was shown that the security proofs of the original version of the MPQC protocol in Ref. Lipinska et al. (2020a) and the reconsidered version of the MPQC protocol in Ref. Lipinska et al. (2022) are identical., and the only essential difference lies in the type of the non-transversal quantum gate, namely the $T$ gate is substituted for the $H$ gate, and in the basis of the logical measurement, namely the normal basis is substituted for the Fourier basis. In particular, in the security proof of the previously suggested MPQC protocol the “ideal” protocol is constructed by using a simulation technique, i.e., for any “real” adversary $\mathcal{A}_{\mathrm{real}}$ an “ideal” adversary $\mathcal{A}_{\mathrm{ideal}}$ is constructed by saying that an “ideal” adversary $\mathcal{A}_{\mathrm{ideal}}$ internally simulates the execution of the “real” protocol with “real” adversary $\mathcal{A}_{\mathrm{real}}$. Specifically, one writes the execution of the “real” protocol and the “ideal” protocol and shows that the outputs of both protocols are equivalent in case of success of the VHSS protocol. Finally, we note that the security definition employed in this paper follows the paradigm of sequential composability, see Refs. Lipinska et al. (2020a, 2022) for details.

Here we show that the security proof of our MPQC protocol can be reduced to the security proof of the previously suggested MPQC protocol presented in Refs. Lipinska et al. (2020a, 2022). To achieve that, we borrow statements from the previous suggestion and restate the lemma with the corresponding proof as will be given below, and in such a way show that there is no difference between our MPQC protocol and the MPQC protocol in Refs. Lipinska et al. (2020a, 2022) when the security proof is the concern. The lemma shows that preparing, sharing, and verifying the input quantum state, then performing logical quantum circuit $\bar{\bar{\mathcal{U}}}$, and finally reconstructing and measuring the output quantum state is equivalent to preparing the input quantum state, performing quantum circuit $\mathcal{U}$, and measuring the output quantum state without any encoding. After restating the lemma, we also restate the property that extends the applicability of the lemma from individual quantum operations to the entire quantum circuit.