Private Product Computation using Quantum Entanglement

In this work, we show that a pair of entangled qubits can be used to compute a product privately. More precisely, two participants with a private input from a finite field can perform local operations on a shared, Bell-like quantum state, and when these qubits are later sent to a third participant, the third participant can determine the product of the inputs, but without learning more about the individual inputs. We give a concrete way to realize this product computation for arbitrary finite fields of prime order.


I. INTRODUCTION
Having access to quantum bits, or qubits, opens up new methods that would be impossible in the classical realm. An example of this is superdense coding [1], where two participants sharing an entangled pair can send a single qubit to transmit two classical bits, see e.g., [2, pp. 97-98].
In this article, we explore how entangled pairs may be used to compute private products over finite fields. Namely, if two participants each hold an element of a finite field, and they wish to reveal the product of their elements to a third party without revealing their individual inputs, then this can in certain cases be achieved using pairs of entangled qubits. One may argue that it is also possible to achieve this using Shamir's secret sharing scheme [3], [4, Ch. 3]; this is true, in the same sense that one may similarly argue that superdense coding can be obviated by classical transmission of two bits using a single symbol, as in quadrature phase shift keying, rather than using entanglement. As such, our motivation for studying this problem is not so much the application to a specific real-world problem, but should be seen more as an exploration of the possibilities opened up by using quantum information processing.
The rest of this article is organized as follows. Section II describes our model assumptions and recalls the basic quantum properties that will be used throughout. After that, Section III provides a sketch of the problem in the case of products over $\mathbb{F}_2$. This is meant to provide a better intuition about the challenges and requirements in the general case. In Section IV, we then define properties necessary to compute a private product over general finite fields of prime size, and use this to formulate a general protocol. Section V provides an explicit construction of a private product family that can be applied in the general protocol, and in Section VI we show how this encoding can be realized systematically by Alice and Bob. Finally, Section VII indicates how the developed methods can be applied to (small) private set intersections (PSI) and to dot products, both in the binary case. Finally, Section VIII concludes this article and lists a few open problems for future research.

II. PRELIMINARIES
Throughout this article, we assume that $p$ is a prime and let $\mathbb{F}_p$ denote the finite field of order $p$.

A. MODEL ASSUMPTIONS
Keeping with cryptographic tradition, we will call the three participants Alice, Bob, and Charlie. Alice and Bob each hold an input $a \in \mathbb{F}_p$ and $b \in \mathbb{F}_p$, respectively, and their goal is for Charlie to learn $ab$. In addition, they need to achieve this in such a way that the following holds. We assume only a limited number of communication channels between the participants. Namely, we assume the existence of a classical channel (see footnote 1) from Alice to Bob, and quantum channels from Alice to Charlie and from Bob to Charlie. For simplicity, we assume that all channels are perfectly private and error-free. Note that if the participants do not have access to other channels than the three above-mentioned, the classical solution provided by Shamir's secret sharing is no longer possible.
Footnote 1: As noted by one of the reviewers, one may replace this classical channel by shared randomness between Alice and Bob that is independent of $(a, b)$.
Throughout, we assume participants are "honest-but-curious." That is, they will follow protocols as specified, but they may try to use anything received during the protocol in an attempt to extract information about the other participants' inputs.

B. QUANTUM ENTANGLEMENT
A $p$-ary quantum bit can be described by a state in $\mathbb{C}^p$, and we will fix an orthonormal basis $\{|i\rangle\}_{i \in \mathbb{F}_p}$ of $\mathbb{C}^p$. Here, $i$ does not refer to the imaginary unit, and throughout, we will simply use it as an index. Now, let $\omega \in \mathbb{C}$ be a primitive $p$'th root of unity. As defined in [5], the $p$-ary bit flip and phase shift operators applied to the basis states are $X(a)$ : where $a, b \in \mathbb{F}_p$, and images of arbitrary states are defined by linearity of the operators. Consider the Bell-like states given by With this definition, we have $|\phi_{00}\rangle = \sum_{i=0}^{p-1} |i\rangle|i\rangle$, and $|\phi_{ab}\rangle = (X(a) \otimes Z(b))|\phi_{00}\rangle$. Note that in the literature, $|\phi^{\pm}\rangle$ and $|\psi^{\pm}\rangle$ are commonly used to denote the four Bell states in the binary case, but we use the notation in (1) as it eases notation in our setting.
The mathematical representation of a quantum state can be multiplied by a complex scalar of modulus 1, which is called a global phase.The significance of this global phase does not carry over to the physical qubit, however, as a global phase does not influence the outcomes when measuring a qubit [2].For this reason, we will ignore global phase factors throughout most of this work.

III. BINARY CASE
In order to illustrate the ideas in this work, we give a detailed overview in the case $p = 2$. Here, $\omega = -1$, and the states in (1) are given by where we use the notation $|ii\rangle = |i\rangle|i\rangle$. Assume that Alice and Bob have already prepared the Bell state $|\phi_{00}\rangle$ and split the qubits between them such that Alice holds the first qubit and Bob holds the second. Alice and Bob now do the following. If $a = 1$, Alice will apply $X$ to her qubit, and if $b = 1$, Bob will apply $Z$. The reader may check that this maps $|\phi_{00}\rangle$ to $|\phi_{ab}\rangle$. If Alice and Bob send their individual qubits to Charlie, he can measure the received system in the Bell basis to recover $|\phi_{ab}\rangle$. The problem with this approach, however, is that Charlie not only learns the product $ab$. He also learns the individual inputs $a$ and $b$ since $|\phi_{ab}\rangle$ is the output if and only if Alice has input $a$ and Bob has input $b$.
In order to fix this, Alice and Bob will choose uniformly at random between three different encodings that all encode $(a, b) = (1, 1)$ to the same state $|\phi_{11}\rangle$ (up to a global phase factor). That is, they choose one of the encodings in Table 1 uniformly at random. Note that in each row, the same operator is applied to the first qubit regardless of the column index. Similarly for the second qubit in each column. This means that Alice and Bob can perform the encoding of their own input independently of the input of the other participant. By translating these operators into the resulting state when applied to $|\phi_{00}\rangle$, we get the states in Table 2, where one should note that, ignoring global phase factors, each of the "zero states" $|\phi_{00}\rangle$, $|\phi_{10}\rangle$, and $|\phi_{01}\rangle$ corresponds to inputs $(0,0)$, $(1,0)$, and $(0,1)$ with equal probability when the encodings are chosen uniformly. The end effect is that Charlie receives the state $|\phi_{11}\rangle$ if and only if $a = 1$ and $b = 1$, which is equivalent to $ab = 1$. If $(a, b) \neq (1, 1)$, Charlie will receive $|\phi_{00}\rangle$, $|\phi_{01}\rangle$, or $|\phi_{10}\rangle$ with equal probability. That is, the specific encoding of zero received by Charlie reveals nothing about the individual inputs of Alice and Bob. Actually, the encodings that we have presented in this section do not quite match those that we propose in the general setting. More precisely, the three encodings in Table 1 are a subset of the encodings in the general procedure. The binary case has some extra symmetry compared to larger fields, and this allows a smaller family of encodings (three instead of six).

IEEE Transactions on Quantum Engineering
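The leak in the fixed encoding of Section III can be reproduced with a small state-vector simulation. This is an added example, not code from the paper; it goes beyond the binary case by accepting any prime $p$, and it assumes the standard operator definitions $X(a)|i\rangle = |i + a\rangle$ and $Z(b)|i\rangle = \omega^{bi}|i\rangle$ together with a $1/\sqrt{p}$ normalisation of $|\phi_{00}\rangle$. All function names are chosen here for illustration.

```python
import cmath
import math


def phi00(p):
    """Normalised |phi_00>; the amplitude of |u>|v> is stored at index u*p + v."""
    state = [0j] * (p * p)
    for i in range(p):
        state[i * p + i] = 1 / math.sqrt(p)
    return state


def apply_x_first(state, a, p):
    """Alice's local operation X(a) on the first qudit: |u>|v> -> |u+a mod p>|v>."""
    out = [0j] * (p * p)
    for u in range(p):
        for v in range(p):
            out[((u + a) % p) * p + v] = state[u * p + v]
    return out


def apply_z_second(state, b, p):
    """Bob's local operation Z(b) on the second qudit: |u>|v> -> w^(b*v) |u>|v>."""
    w = cmath.exp(2j * math.pi / p)  # primitive p-th root of unity; -1 for p = 2
    return [w ** (b * (k % p)) * amp for k, amp in enumerate(state)]


def bell_state(a, b, p):
    """|phi_ab> = (X(a) (x) Z(b)) |phi_00> (assumed standard definitions)."""
    return apply_z_second(apply_x_first(phi00(p), a, p), b, p)


def bell_measurement(state, p):
    """Outcome probabilities of Charlie's Bell-basis measurement, keyed by (a, b)."""
    def prob(basis):
        return abs(sum(x.conjugate() * y for x, y in zip(basis, state))) ** 2
    return {(a, b): prob(bell_state(a, b, p)) for a in range(p) for b in range(p)}


def naive_protocol(a, b, p):
    """Fixed encoding: returns Charlie's most likely outcome and its probability."""
    dist = bell_measurement(bell_state(a, b, p), p)
    outcome = max(dist, key=dist.get)
    return outcome, dist[outcome]


def leaks_both_inputs(p):
    """True if Charlie recovers every input pair (a, b) with certainty."""
    for a in range(p):
        for b in range(p):
            outcome, prob = naive_protocol(a, b, p)
            if outcome != (a, b) or abs(prob - 1) > 1e-9:
                return False
    return True


if __name__ == "__main__":
    # Inputs (1, 0) and (0, 1) both have product 0, yet Charlie tells them apart.
    print(naive_protocol(1, 0, 2), naive_protocol(0, 1, 2))
    print(leaks_both_inputs(2), leaks_both_inputs(3))
```

Because the measurement probabilities are squared overlaps, multiplying a state by a global phase leaves Charlie's outcome unchanged, which is why the encodings only need to agree up to such a factor.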

IV. GENERAL CASE
In order to analyze products in $\mathbb{F}_p$ for general primes $p$, we will have a closer look at the operators applied by Alice and Bob. We will assume that Alice and Bob both use operators of the form $X(i)Z(j)$ where $i, j \in \mathbb{F}_p$. More precisely, for each input $a \in \mathbb{F}_p$ Alice will have values $x^A_a$ and $z^A_a$, both in $\mathbb{F}_p$, defining the operator $X(x^A_a)Z(z^A_a)$ that she will apply to her qubit. Note here that the superscript indicates that these values belong to Alice, and the subscript denotes the specific input. For instance, if $p = 2$ Alice's operators will be defined by values $x^A_0, z^A_0$ corresponding to $a = 0$ and $x^A_1, z^A_1$ corresponding to $a = 1$. In a similar way, we can define values $x^B_b$ and $z^B_b$ for Bob. With this notation in place, the input $(a, b)$ will result in the quantum state There are, however, many different choices of $x^A_a$, $z^A_a$, $x^B_b$, and $z^B_b$ that lead to the same state. To handle this, we will make extensive use of the equivalence given in the following lemma.
Lemma 1: For any
Proof: Direct calculations reveal that where the last equality follows from appropriate substitution of the summing variable.
Lemma 1 not only gives us an equivalence between different operators, it also allows us to describe the Bell states using elements of $\mathbb{F}_p^2$. Namely, the state (3) can be uniquely represented by the pair ( We use this to describe the different encodings as was done in Section III. Our strategy is to use this insight to describe "multiplication tables," i.e., to define $p \times p$ tables such that the Bell-like state in entry $(i, j)$ represents the product $ij$. Notationally, such a table corresponds to a bijection, and we will refer to this as an encoding.
Definition 1: An encoding is a bijection ε : The set of all encodings is denoted by E.
Not all encodings match the properties needed to compute products, however, so we derive necessary and sufficient conditions for an encoding to be valid. First of all, the encoded Bell state must correspond to the correct product. In other words, if Alice and Bob have inputs $(a, b)$, and this is encoded to a Bell state $|\phi_{ij}\rangle$, then it must be the case that Charlie recognizes this as representing the product $ab$. That is, $ab = ij$ (where computations are done in $\mathbb{F}_p$).
A second condition comes from the way Alice and Bob apply the encodings to their qubits. More precisely, an encoding can only be used if there exist local operations represented by for every $i, i', j, j'$. The analysis leading to this is somewhat involved, so we give it in Appendix A.
Summarizing this in a single definition, we get the encodings that we need. Here, we use $\pi$ : as a shorthand notation for products, which will make the exposition less cumbersome.
Definition 2: An encoding $\varepsilon \in E$ is called product-compatible if it satisfies the following.
2) For every $i, j, i', j' \in \mathbb{F}_p$ it holds that for every $(i, j) \in \mathbb{F}_p^2$ satisfying $ij = ab$.
A few comments about the intuition behind Definition 3 are in order. The first condition is related to correctness, meaning that the state that Charlie receives will actually correspond to the correct product. The second requirement ensures privacy. It guarantees that when Charlie receives a state $|\phi_{ab}\rangle$, then it will have come from any input pair $(i, j)$ satisfying $ij = ab$ with equal probability as long as Alice and Bob choose $\varepsilon \in E$ uniformly at random.
The proposed method for computing private products using entangled pairs can be found in Fig. 1.

V. CONSTRUCTING A PRIVATE PRODUCT FAMILY
In the following, we describe an explicit way to produce a private product family over arbitrary finite fields. In greater detail, we focus on a subset of $E$ and obtain the private product family as orbits under group actions defined later. Our starting point will be two "canonical" product-compatible encodings given by $\varepsilon_0(i, j) = (i, j)$ and $\varepsilon_0^T(i, j) = (j, i)$. Intuitively, the idea is that these are "good" encodings in the sense that they possess the properties we want. By choosing the group actions appropriately (i.e., in a way that preserves the desired properties) we obtain additional "good" encodings by considering the orbits of $\varepsilon_0$ and $\varepsilon_0^T$. In our proofs, we will rely on an additional property of $\varepsilon_0$ and $\varepsilon_0^T$ that is also preserved by the group action. Namely, we define $E_1 \subseteq E$ by (5)
Proposition 1: We have $\varepsilon_0 \in E_1$ and $\varepsilon_0^T \in E_1$.
Proof: From the definition of $\varepsilon_0$ and $\varepsilon_0^T$, it is clear that they are product-compatible. In addition, we see that for any $(i, j) \in \mathbb{F}_p^2$ and $\delta \in \mathbb{F}_p$, $\varepsilon_0$ satisfies as required. The proof for $\varepsilon_0^T$ is similar.
Now, fix a primitive element $\alpha$ of $\mathbb{F}_p$ (i.e., $\alpha$ has multiplicative order $p - 1$), and consider the additive group
Proposition 2: For every $n \in \mathbb{Z}_{p-1}$ and $\beta \in \mathbb{F}_p$, the map $\phi_{n,\beta} : E_1 \to E_1$ is well-defined.
Proof: Let $n \in \mathbb{Z}_{p-1}$, and assume $\varepsilon \in E_1$. We first show that $\phi_{n,\beta}(\varepsilon)$ is product-compatible. Indeed, for $j = 0$ it is easy to check that $\pi(\phi_{n,\beta}(\varepsilon)(i, j)) = 0 = ij$, and for $j \neq 0$ we have To see that condition 2 in Definition 2 is satisfied, notice that for j = 0, j = 0, we have where the second equality stems from $\varepsilon$ being product-compatible. Otherwise, we can by symmetry assume j = 0 and j = 0, which implies where the first and second conditions in (5) give the second and third equalities, respectively.
For the remaining condition in (5), observe that for every $(i, j) \in \mathbb{F}_p^2$, and every $\delta \in \mathbb{F}_p$, we have where the second equality once again stems from $\varepsilon \in E_1$. Thus, $\phi_{n,\beta}(\varepsilon) \in E_1$, and $\phi_{n,\beta}$ is well-defined.
Consider the additive group $\mathbb{Z}_{p-1}$ and $\mathbb{F}_p$ as a group with addition as well. By defining the composition we obtain the semidirect product $G_1 = \mathbb{Z}_{p-1} \ltimes \mathbb{F}_p$. In more detail, the map $\beta \mapsto \alpha^n \beta$ is an automorphism of $\mathbb{F}_p$ for any $n \in \mathbb{Z}_{p-1}$, and the construction above yields the outer semidirect product as described in [6, p. 76].
Proposition 3: Let $G_1 = \mathbb{Z}_{p-1} \ltimes \mathbb{F}_p$ with composition as in (6). The map given by
Proof: By Proposition 2, the map is well-defined. The following observations imply that it defines a group action. First, for every $\varepsilon \in E_1$, we have $\phi_{0,0}(\varepsilon) = \varepsilon$. Second, we see

Having established that $G_1$ does indeed act on $E_1$, we verify that $\varepsilon_0$ and $\varepsilon_0^T$ are in different orbits and hence give rise to different encodings.
The second group action that we are going to use is very similar to $G_1$ acting on $E_1$. In fact, the group will be the same, but the action is different. Hence, we will denote the group by $G_2$ in connection to this new group action to ease the notation. This group $G_2$ will act on a second subset of $E$ given by One can then prove that this is indeed a group action as was done in Propositions 2 and 3 for $G_1$, and analyze the orbits as in Proposition 4. For $G_2$ we simply state the results and omit the proofs, as they are completely analogous to the previous ones for $G_1$.
Proposition 5: Let $G_2 = \mathbb{Z}_{p-1} \ltimes \mathbb{F}_p$ with composition as in (6). The map given by
Proposition 6: The orbits $G_2 \varepsilon_0$ and $G_2 \varepsilon_0^T$ are disjoint. In addition, they satisfy which are all subsets of $E$. The set $E$ is, we claim, a private product family as desired, and the following lemma and proposition prove this claim.
Lemma 2: Writing $E$ as a disjoint union we have and In addition, So for $\phi_{n,\beta}(\varepsilon) = \psi_{n',\beta'}(\varepsilon')$ to hold, it must be the case that either β = β = 0, or β = β = 0 and ε = ε . The latter case is impossible, however, as and regardless of the choices of ε = ε , this implies α n = 0, which is a contradiction. Hence, β = β = 0. For these mappings, observe that they satisfy regardless of the choice of $\varepsilon$ and the values of $i$ and $j$, so they constitute the elements of $H_1 \cap H_2$ as claimed.
What remains is to prove that , as the cardinalities of $H_1 \setminus H_2$ and $H_2 \setminus H_1$ then follow from Propositions 4 and 6, respectively. From Proposition 4, we know that $G_1$ acts injectively on $E_1$, meaning that each of the $\phi_{n,0}(\varepsilon)$ appearing in the statement of the Lemma are
The set $E$ defined in (7) is a private product family.
Proof: Since all the orbits making up $E$ consist of product-compatible encodings, we only need to prove item 2 in Definition 3. Fix $(a, b), (i, j) \in \mathbb{F}_p^2$ such that $ab = ij$, and assume first that $ab \neq 0$. Consider $\phi_{n,\beta}(\varepsilon_0) \in (H_1 \setminus H_2)$ as given in Lemma 2. If $\phi_{n,\beta}(\varepsilon_0)(i, j) = (a, b)$, then $\varepsilon_0(\alpha^n i, \alpha^{-n} j) = (a, b)$, which again implies $\alpha^n = a i^{-1}$. Here, we use that $i$ is a nonzero element of $\mathbb{F}_p$. Note also that the assumption $ab = ij$ means that $a = \alpha^n i$ automatically implies $b = \alpha^{-n} j$ as needed. Since $\alpha$ is primitive, there is exactly one $n$ that satisfies $\alpha^n = a i^{-1}$, and $\beta \in \mathbb{F}_p^*$ can be chosen freely. Thus, this gives $p - 1$ encodings $\varepsilon \in H_1 \setminus H_2$ such that $\varepsilon(i, j) = (a, b)$, and similar arguments applied to $\varepsilon_0^T$ yield another $p - 1$ encodings. Completely analogously, there are $2(p - 1)$ such encodings in $H_2 \setminus H_1$. In the case of $H_1 \cap H_2$, there is only a single choice for $\alpha$ as above, and in addition $\beta = 0$ in this case. Hence, one would find 2 encodings in $H_1 \cap H_2$. In total, this amounts to $4(p - 1) + 2$ encodings regardless of the choice of $(i, j)$.
Moving on, assume ab = 0 with a = 0 (the case b = 0 is analogous). Considering (i, 0) ∈ F p with i = 0, the possible encodings are For the first equality, each choice of $n \in \mathbb{Z}_{p-1}$ gives a unique choice of $\beta$. In the second, there is one possible $n$, but $\beta \in \mathbb{F}_p$ can be chosen freely. Note, however, that there is an encoding $\phi_{n,\beta}(\varepsilon_0) = \psi_{n,\beta}(\varepsilon_0)$ (as shown in Lemma 2) that is counted twice in this way. Hence, the total number of encodings ε ∈ The same strategy can be used to show that there are also $2(p - 1)$ encodings such that $\varepsilon(0, j) = (a, 0)$ by considering $\phi_{n,\beta}(\varepsilon_0^T)$ and $\psi_{n,\beta}(\varepsilon_0^T)$. Thus, regardless of the choice of $(i, j)$ with $ij = ab = 0$, there are exactly $2(p - 1)$ For each, any $n$ is possible, giving $2(p - 1)$ encodings. For (i, j) = (i, 0) with i = 0, we use a similar strategy and consider For each $n \in \mathbb{Z}_{p-1}$ there is a unique choice of $\beta$, and all of these encodings are distinct by Proposition 4. Thus, we have $2(p - 1)$ encodings like previously. If $(i, j) = (0, j)$, similar arguments can be applied to $\psi_{n,\beta}(\varepsilon_0)$ and $\psi_{n,\beta}(\varepsilon_0^T)$.

VI. SYSTEMATIC CHOICES
The analysis in Section IV provides a way to permute the Bell states similarly to what was done in Section III. But by considering these encodings carefully, it also gives us a systematic way to choose $x^A_a$, $z^A_a$, $x^B_b$, $z^B_b$ such that the operators applied by Alice and Bob correspond to using a specific encoding from $E$. Namely, to perform the encoding according to $\phi_{n,\beta}(\varepsilon_0)$ Alice will set $x^A_a = \alpha^n a$ and $z^A_a = 0$. Bob will use $z^B_b = \alpha^{-n} b$ and Using Lemma 1, this implies that Alice and Bob will end up in state otherwise. In any case, this corresponds exactly to the encoding $\phi_{n,\beta}(\varepsilon_0)$, as Similar considerations can be done for the remaining encodings in $E$, leading to the systematic choices presented in Table 3. We note that when applying this private product family in Fig. 1, one way to sample $\varepsilon \in E$ uniformly is to first sample a trit $T \in \{1, 2, 3\}$ with probabilities $\Pr[T = 1] = \Pr[T = 2] = (p - 1)/(2p - 1)$ and $\Pr[T = 3] = 1/(2p - 1)$. Each outcome then corresponds to one of the cases in Lemma 2 with probabilities matching the proportion of $\varepsilon$ contained in each case. After that, Alice can simply sample $(n, \beta)$ according to the requirements in the case determined by $T$.
To illustrate the use of the protocol in Fig. 1, we provide two examples.
Example 1: Let $p = 5$, $\alpha = 2$, and assume that Alice and Bob have inputs $a = 2$ and $b = 4$, respectively. Alice samples an encoding $\varepsilon$ from $E$ uniformly at random, and for concreteness we use $\varepsilon = \psi_{3,2}(\varepsilon_0)$ in this example. She sends this outcome to Bob.

VII. EXTENSION TO DOT PRODUCTS
In the binary case, the protocol in Fig. 1 can be easily extended to compute a PSI or a private dot product. Extending it to PSI is the easiest, as each possible set element $e_i$ receives an index $i$, and Alice and Bob then set $a_i = 1$ and $b_i = 1$, respectively, if $e_i$ is contained in their individual sets. Applying the protocol in a component-wise fashion then reveals exactly the set intersection to Charlie. Note, however, that this is not a scalable approach, as the required number of products is given by the size of the set domain. Thus, this approach is only feasible for smaller examples and more advanced techniques must be used in general, see e.g., [7], [8], [9], [10].
Altering this to a private dot product only requires Alice to sample a uniformly random permutation of the indices, inform Bob of the outcome, and then have them both apply this permutation to the ordering of the Bell states before sending them to Charlie. In this way, Charlie only learns the number of indices $i$ such that $a_i = 1$ and $b_i = 1$. But this is exactly the same as the dot product.

VIII. CONCLUSION AND OPEN PROBLEMS
In this article, we showed that private products over finite fields can be computed by sacrificing a pair of entangled qubits. Moreover, the set defined in (7) provides an explicit description of encodings that allow this computation to happen over fields $\mathbb{F}_p$ for arbitrary choice of prime $p$.
The idea presented here could be extended in several ways. First, one could analyze if a similar approach is possible for general finite fields, $\mathbb{F}_q$ with $q = p^r$ a power of a prime. Another direction is to consider more than two inputting parties, thus aiming to compute the product of $n$ inputs while still giving the output to a participant with no input (like Charlie in the current article).

APPENDIX A CONDITION FOR PRODUCT COMPATIBILITY
Let $\varepsilon \in E$ be an encoding, and let $\varepsilon(i, j) = (\alpha_{ij}, \beta_{ij})$, meaning that we fix $\alpha_{ij}$ and $\beta_{ij}$ and want to find $(x^A_i, z^A_i)$ and $(x^B_j, z^B_j)$. In order for Alice and Bob to arrive at this state using local operations, it must by Lemma 1 be the case that their $(x^A_i, z^A_i)$ and $(x^B_j, z^B_j)$ are solutions to the linear system One would find such a system for every possible pair $(i, j)$. The $x^A_a$, $z^A_a$, $x^B_b$, and $z^B_b$ must be solutions to all of these systems simultaneously, meaning that we obtain $2p^2$ equations in $4p$ unknowns. One may note, however, that the $x$-part can be solved separately from the $z$-part, which instead gives two systems of $p^2$ equations in $2p$ unknowns. Considering the system concerning the $z$'s, it can be represented in matrix form as given in (10), where the horizontal lines separate $p \times 2p$-matrices.
The system describing the $x$'s is similar, but with the $p$ last columns of the coefficient matrix multiplied by $p - 1$ [caused by the change of sign in (8)]. Rather than working with this system as the linear combination of $p^2$-dimensional column vectors, we will consider equivalent $p \times p$-matrices. Namely, we define for each $i \in \{0, 1, \ldots, p - 1\}$ the $p \times p$ matrices $R_i$ and $C_i$ with entries where row and column indexing start from 0. With this definition, the system in (10) can be represented as where $M_\beta$ has entries $(M_\beta)_{ij} = \beta_{ij}$. Using this representation will simplify our arguments below, but before stating the result, we illustrate the notation in an example.
Example 3: If $p = 3$, the system in (10), shown at the top of this page, is
$$\begin{pmatrix}
1 & 0 & 0 & 1 & 0 & 0 \\
1 & 0 & 0 & 0 & 1 & 0 \\
1 & 0 & 0 & 0 & 0 & 1 \\
0 & 1 & 0 & 1 & 0 & 0 \\
0 & 1 & 0 & 0 & 1 & 0 \\
0 & 1 & 0 & 0 & 0 & 1 \\
0 & 0 & 1 & 1 & 0 & 0 \\
0 & 0 & 1 & 0 & 1 & 0 \\
0 & 0 & 1 & 0 & 0 & 1
\end{pmatrix}$$
Let $M$ be a $p \times p$-matrix over $\mathbb{F}_p$. We say that $M$ has property P if for every $(i, j) \in \mathbb{F}_p^2$ and $(i', j') \in \mathbb{F}_p^2$ it holds that $m_{ij} + m_{i'j'} = m_{ij'} + m_{i'j}$ where computations are done in $\mathbb{F}_p$.
Proposition 8: Let $M_\beta$ be a $p \times p$-matrix over $\mathbb{F}_p$. Then, (9) has a solution if and only if $M_\beta$ has property P as defined in Definition 4.
Proof: Note first that if two matrices $A$ and $B$ satisfy P, then $A + B$ satisfies P as well. In addition, it is easily checked that $R_i$ and $C_i$ satisfy P for every $i \in \{0, 1, \ldots, p - 1\}$. This shows the "only if" part.
For the other direction, note that the number of $p \times p$ matrices satisfying P is $p^{2p-1}$. Namely, choosing the entries in the first row and column fixes all other entries. We show that this is exactly the number of matrices in the span of the $R_i$ and $C_i$ on the left-hand side of (9). The result then follows by the first part of the proof.
We claim that $B = \{R_i\}_{i=0}^{p-1} \cup \{C_i\}_{i=1}^{p-1}$ is a basis for $\mathrm{Span}(\{R_i\}_{i=0}^{p-1} \cup \{C_i\}_{i=0}^{p-1})$. To see this, note that all elements of $\{C_i\}_{i=1}^{p-1}$ have only zeros in column 0. Thus, the equation where $O_{p \times p}$ denotes the $p \times p$-dimensional zero matrix, implies that $s_i = 0$ for all $i$, and hence also $t_i = 0$ for all $i$. As such, $B$ is linearly independent, and shows that $\mathrm{Span}\, B = \mathrm{Span}(\{R_i\}_{i=0}^{p-1} \cup \{C_i\}_{i=0}^{p-1})$, meaning that $B$ is a basis. Thus, there are $p^{2p-1}$ matrices in the span of $\{R_i\}_{i=0}^{p-1} \cup \{C_i\}_{i=0}^{p-1}$, concluding the proof.
Remark 1: The same result holds for the system describing the $x$-values. In particular, the only difference is a scalar on the $C_i$, but this does not change their span.
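Proposition 8 can be checked by brute force for small primes and turned into a constructive solver. This is an added example, not code from the paper; it assumes, as the coefficient matrix in Example 3 indicates, that $R_i$ is the indicator matrix of row $i$ and $C_j$ that of column $j$, so a matrix lies in their span exactly when its entries have the form $s_i + t_j$. The function names and the two sample tables are constructed here for illustration.

```python
from itertools import product


def has_property_p(m, p):
    """Definition 4: m[i][j] + m[k][l] == m[i][l] + m[k][j] (mod p) for all i, j, k, l."""
    return all((m[i][j] + m[k][l] - m[i][l] - m[k][j]) % p == 0
               for i, j, k, l in product(range(p), repeat=4))


def solve_local(m, p):
    """Return (s, t) with s[i] + t[j] == m[i][j] (mod p), or None if no split exists.

    Reading s as Alice's values and t as Bob's is an assumption taken from the
    column layout of the coefficient matrix in Example 3.
    """
    if not has_property_p(m, p):
        return None
    # Property P with (k, l) = (0, 0) gives m[i][j] = m[i][0] + m[0][j] - m[0][0].
    s = [m[i][0] % p for i in range(p)]
    t = [(m[0][j] - m[0][0]) % p for j in range(p)]
    return s, t


def span_of_rows_and_columns(p):
    """All matrices sum_i s_i R_i + sum_j t_j C_j, as tuples of row tuples."""
    return {tuple(tuple((s_i + t_j) % p for t_j in st[p:]) for s_i in st[:p])
            for st in product(range(p), repeat=2 * p)}


def matrices_with_property_p(p):
    """Brute-force set of all p x p matrices over F_p that satisfy property P."""
    found = set()
    for flat in product(range(p), repeat=p * p):
        m = tuple(flat[r * p:(r + 1) * p] for r in range(p))
        if has_property_p(m, p):
            found.add(m)
    return found


# Constructed sample inputs for p = 3.
P = 3
SECOND_COORD = [[j for j in range(P)] for _ in range(P)]             # entry (i, j) is j
PRODUCT_TABLE = [[(i * j) % P for j in range(P)] for i in range(P)]  # entry (i, j) is i*j

if __name__ == "__main__":
    print(solve_local(SECOND_COORD, P))    # splits into per-party values
    print(solve_local(PRODUCT_TABLE, P))   # fails property P, so no local split
    print(len(matrices_with_property_p(P)), P ** (2 * P - 1))
```

The raw product table fails property P, so it cannot serve directly as one coordinate of an encoding, while the second coordinate of $\varepsilon_0$ splits with all of Alice's values equal to zero.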

1) Alice does not learn anything about $b$.
2) Bob does not learn anything about $a$.
3) Charlie does not learn anything about $(a, b)$ except what is implied by $ab$.

In addition, columns 0 and 4 in the coefficient matrix correspond exactly to the $3 \times 3$-matrices entries in a row-wise fashion. Definition 4: