一種新型基于密鑰循環的半量子多方認證盲量子計算方案

Abstract：In order to fulfill the requirements of the client with limited quantum capacity for a large number of quantum computing， blind quantum computing （BQC） emerged as the times require， which can realize the remote interaction between the client and the quantum computer and ensure the security of information transmission. In this paper， we propose a new multi-party authentication blind quantum computation， which can recycle the used pre-shared keys. And then we use the quantum key recycling function of BQC to improve the utilization efficiency of quantum resources. In our BQC protocol， there are four kinds of participants： client， server， Load_Balancer and semi-honest certificate authority （CA）， which consists of two stages： key distribution and blind quantum computing. In the first stage， the Load_Balancer completes identity authentication and secret key distribution with the help of the certificate authority， and recycles the secret keys that can be used again for next new instance of the protocol. In the second stage， blind quantum computing enables the client to complete the computing task only by measuring the quantum bits from the server without preparing the quantum bits. The client can use the server to measure the quantum to complete the computation. Compared with the traditional BQC protocol， our proposed quantum key recycling protocol can greatly improve the efficiency of key distribution and reuse， we prove it in the efficiency analysis part of the paper.

Key words：blind quantum computation; key recycling; key distribution

CLC number：TP319Document code：A

doi：10.3969/j.issn.16735862.2023.04.003

摘要：為了滿足量子容量有限的客戶端對大量量子計算的需求，盲量子計算應運而生，它可以實現客戶端與量子計算機之間的遠程交互，從而確保信息傳輸的安全。提出了一種新的多方認證盲量子計算，它可以回收使用預共享密鑰，進而使用BQC（blind quantum computing）的量子密鑰回收功能來提高量子資源的利用效率。在BQC協議中，有4種參與者：客戶端、服務器、負載平衡器和半誠實證書頒發機構（certificate authority， CA）。包括了2個階段：密鑰分發和盲量子計算。在第1階段，負載平衡器在證書頒發機構的幫助下完成身份驗證和密鑰分發，并回收可再次用于協議的下一個新實例的密鑰。在第2階段，盲量子計算使客戶端能夠僅通過測量來自服務器的量子比特來完成計算任務，而無須準備量子比特?？蛻舳丝梢允褂梅掌鱽頊y量以完成計算。與傳統的BQC協議相比，提出的量子密鑰回收協議可以大大提高密鑰分發和重用的效率，在論文的效率分析部分對此進行了證明。

關鍵詞：盲量子計算;密鑰回收;密鑰分配

Quantum computing has flourished in recent years. The overwhelming computing power and security of quantum computers provide an effective guarantee for the security of information in the era of big data. In 1984， Bennett et al［1］ proposed the first quantum key distribution （QKD） protocol to help the involved participants share an unconditionally secure key. Over the next few decades， researchers have proposed a large number of quantum cryptographic protocols and quantum communication protocols， such as multiparty quantum secret sharing protocol （QSS）［24］ and quantum secure direct communication protocol （QSDC） for direct communication between two parties without relay equipment［56］. Quantum key distribution makes full use of the advantages of the non-cloning theorem and the uncertainty principle of quantum mechanics signals， which make it impossible for eavesdroppers to save the copied version of quantum signals sent in the process of quantum key distribution. The combination of quantum key distribution and one time pad（OTP） encryption improves the security of the protocol and realizes absolutely dependable communication in theory without estimating the computing power of potential eavesdroppers. Boyer et al［7］first proposed a new concept of semi-quantum， which means that not all users must have quantum capabilities in quantum cryptographic protocols. This protocol is a semi-quantum key distribution （SQKD） protocol with measurement retransmission characteristics. Li and his team［8］ proposed two semi-quantum secret sharing （SQSS） protocols based on GHZ-like states. The idea of quantum key recycling （QKR） was proposed in 1982［9］， in a QKD-equipped world， QKR has an important role to play." Fehr and Salvail［10］，" koriAc＇G and vries［11］ returned to qubit-based schemes that do not require a quantum computer.However， quantum computing is often limited by equipment conditions and quantum resources， making its cost too expensive. Therefore， many customers entrust the task of information computing and storage to cloud services， which have achieved the purpose of economic security. The emergence of blind quantum computing theory （BQC）［12］ can well solve the problem that users want to ensure the safe transmission of information. Although many different kinds of BQC protocols have been proposed， most of these protocols only support classic clients. Clients need to have measurement capabilities rather than higher-level capabilities， such as the ability to prepare quantum， so quantum computing is proposed and widely used in the cloud. Although using only classical communications between classical clients and a single quantum server may not be applicable to secure BQC［13］， classical communications between classical clients and multiple quantum servers can be achieved［14］. The two main features of BQC are blindness and verifiability. It can be seen as a combination of quantum computation and quantum cryptography. In 2005， Childs［15］ proposed the first BQC protocol model based on quantum circuits. The protocol requires the client to have the ability of quantum storage and transmission. Arrighi and Salvail［16］ then proposed a BQC protocol for calculating a certain function， which requires customers to have the ability to prepare and measure entangled states. Then， in 2009， Broadbent et al［17］proposed the bricklaying state， and proposed the first general blind algorithm quantum computing protocol via the measurement-based quantum computation （MBQC） model. Morimae et al［18］ implemented fault-tolerant blind quantum computing， a blind topological quantum computing protocol based on quantum measurement. In order to solve the problem that two servers cannot communicate in the BFK protocol， Li et al［19］ proposed an almost classical client-side three-server BQC protocol based on entanglement switching. In 2016， Kong et al［20］ proposed a flexible multiple-server blind algorithm quantum computing protocol based on the network environment. In order to deal with various side-channel attacks， Lo et al［21］ proposed a measurement-device independent （MDI）-QKD protocol in 2012， which solves the security risk caused by equipment conditions. The MDI system has two senders， Alice and Bob， and an untrusted receiver， Charlie. According to Charlies position， the MDI system can be divided into symmetric MDI （SMDI） and asymmetric MDI （AMDI）. In symmetric MDI， Charlie is at the midpoint of two senders， and in the latter， it is not the midpoint. SMDI appears more in theoretical research than AMDI. In 2016， by combining with decoy technology， MDI-QKD has good robustness， which greatly increases the efficiency of key distribution. MDI-QKD protocol has been studied and selected by more people because of its good scalability and security. Its application is more and more widespread. At present， the BB84 and MDI theory and experimental systems generally use the decoy particle scheme. In addition， in order to improve the performance of the QKD system， the biased-basis method is usually used［2223］. Multi-party protocols are a basic and important model of communication in any system， practical or theoretical， where there is shared information. In 1996， Just and vaudenay［24］ proposed the Authenticated Multi-Party Key Agreement. In the latest research， there are quantum private comparisons［25］ and quantum private queries［26］ in the field of quantum secure multiparty computing. This paper adds multi-party identity authentication to BQC.

To further address efficiency and privacy security issues， this paper proposes a new multi-party authentication blind quantum computation， which can recycle the used pre-shared keys in a convenient way. There are four legitimate participants in our scheme： client， server， Load_Balancer， and semi-honest certificate authority （CA）. Load_Balancer has quantum capabilities and can perform quantum operations， and the rest of the participants only have classical abilities. The purpose of combining QKD and BQC protocol is to make use of the advantages of MDI-QKD， to enable users to share the initial key securely during the registration phase， thus improving the overall efficiency of the protocol. Secondly， with the help of a semi-honest certification authority， mutual identity authentication can be achieved quickly by sharing the key in the mutual identity authentication phase.

In section 1， the theoretical preparation， which introduces the quantum-related knowledge used in this paper， the theoretical introduction of brick state， and MDI-QKD protocol. In section 2， the multi-party blind quantum computing protocol is described in detail， and the flow chart is attached. In section 3， we will analyze the security of the protocol. Section 4 and section 5 of the paper are efficiency analysis and conclusion.

1preliminaries

1.1BB84 protocol［1］

BB84 protocol is one of the most famous unconditional secure QKD protocols， and its security has been proved by many researchers. Two polarization bases are used in the protocol， namely， the linear basis （Z-basis{|0〉，|1〉}） and the diagonal basis （X-basis{|+〉，|-〉}）. Participants must agree on how to encode each polarization state {|1〉，|0〉，|+〉，|-〉} in binary representation. BB84 is a classical quantum key distribution （QKD） protocol because one party can independently decide and generate a key， and then distribute it to the other party. Although the sender cannot know which transmitted quantum bits will be used as the key and which will be used for random sampling discussion， in extreme cases， she can set the key to all “1” bits （or all “0” bits）， and then polarize the photon to |1〉 or |+〉 （|0〉 or |-〉）. Therefore， the shared key will be determined by the sender. In this paper， all participants need to handle four BB84 states.

1.2Brickwork state［27］

The brickworkstate Ga×b. Each circle represents a |+〉 state and each line denotes a controlled-Z （CZ） operation. Each particle cluster with different rotation angles is replaced by seven physical qubits with fixed rotation angles. Changes in the overall angle are encoded as different measurements［28］. Qubits |ψab〉（a=1，…，n，b=1，…，m） are arranged according to layer a and row b， corresponding to the vertices in Fig.1， and are originally in the |+〉=12|0〉+12|1〉state.

1.3The principle of MDI-QKD［29］

In reality applications， QKD will encounter many problems that do not conform to the ideal environment assumption. For example， by taking advantage of the security vulnerabilities in reality， especially the defects in the detector， you can successfully launch attacks against the commercial QKD system， and the security problems are highlighted. Therefore， in order to solve this problem， researchers have proposed three solutions. The first solution is to try to fully describe the characteristics of the real equipment and consider all side channels， which is difficult to achieve. The second method is the remote transmission technique［30］. The third solution is to apply device independent QKD （DI-QKD）. Unfortunately， the implementation of DI-QKD is too difficult， because it requires a detection efficiency close to the unit and quantum bit amplifier or quantum non-destructive （QND） measurement of the number of photons in the pulse， and may even greatly reduce the key transmission rate （about 10-10 bits per pulse）［31］. In this paper， we propose the idea of using MDI-QKD， which can remove all （existing and undiscovered） detector side channels to improve the overall security of the protocol. Therefore， it provides greater security advantages than the standard security certificate Gottesman Lo-Lütkenhaus-Preskill （GLLP）［32］. In addition， it has the ability to double the transmission distance covered by the QKD scheme using traditional laser diodes， and its key generation rate is equivalent to the standard security proof using entangled pairs. MBQC model plays an important role in the universal BQC protocol. Brickwork state ［27］is one of the common resource states. Brick status is used to implement the proposed protocol. MDI-QKD is actually a quantum key distribution process， but the distribution involves three parties， including Alice， Bob， and the third party （TP） responsible for Bell basis measurement. Alice and Bob will randomly prepare a series of single photon sequences |γ〉A，|γ〉B∈{|0〉，|1〉，|+〉{-}} under X or Z basis firstly. Then TP will make joint Bell measurement on the photons |γ〉A|γ〉B received from Alice and Bob. TP sends the measurement result RAB∈{00，01，10，11} to Alice and Bob across the classical channel. The corresponding values of RAB and BMR are shown in the following Table 1.Then Alice and Bob publish the base of the particle and take the measurement result BMR=|φ+〉AB，|ψ-〉AB as the initial original key. A truly secure shared secret key can be obtained after eavesdropping detection. Any two-qubit can be expressed via four Bell basis， for example， |0〉A|1〉B=12（|ψ+〉AB+|ψ-〉AB）［33］.

1.4Blind quantum computing theory （BQC）［15］

Blind quantum computing is a new secure quantum computing protocol， which enables clients （Alice） of classical computers or original quantum devices that are not sufficient for general quantum computing to delegate their computing tasks to a server （Bob） with a fully mature quantum computer［34］. Therefore， the requirements of her own device are reduced without disclosing any of Alices privacy （that is， which algorithm Alice wants to run or input， and the calculated output results）. Childs ［15］ proposed the first example of blind quantum computing， which uses a quantum circuit model to complete blind quantum computing. The register state is encrypted with a quantum one-time pad. Therefore， Bob， who executes the quantum gate， knows nothing about the information in the quantum register. Nowadays， blind quantum computing has more abundant research. In 2009， Broadbent et al［17］ proposed a new blind quantum computing protocol， which uses a one-way model. All Alice needs is a classical computer and a raw quantum device， which emits a randomly rotating single qubit state. Alice does not need any quantum memory， and the protocol realizes unconditional security.

1.5Background of key recycling［7］

Paper ［35］ pointed out that there is a maximal probability of 85.4% to obtain the correct value of the four single photons {|0〉，|1〉，|+〉{-}}. That is， for a single photon sequence S={s1，s2，…，sn}， where each photon is randomly chosen from {|0〉，|1〉，|+〉{-}}， the maximal probability of obtaining the correct value of si is 85.4%. According to Shannons entropy H（X）=-∑xp（x）log2p（x）， where is the probability of possible values x， the maximal information leakage of the value of si is 0.41 bit. Moreover， if the value of si is known， the maximal information leakage of s′is basis is 0.40 bit. For a pre-shared key K， the key recycling rate is defined as follows：

rate（K）=bit（K）-leakage（K）bit（K）（1）

The bit（K） is the number of bits of the whole and the leakage（K） is the maximal leakage bits in the protocol.

2Multi-party authentication blind quantum computation protocol with key recycling

In our scheme， there are four kinds of participants： client， server， Load_Balancer and semi-honest certificate authority （CA）. The protocol consists of two parts： key distribution part and blind quantum computing part. Except that the quantum center is semi-honest， the client， server and Load_Balancer_A and Load_Balancer_B are honest parties. Load_Balancer， client and server already have the shared key KAL={k1AL， k2AL， k3AL}， KBL={k1BL， k2BL， k3BL} in advance， where k1AL， k2AL， k3AL， k1BL， k2BL， k3BL∈{0，1} denotes ith bit of the key. The role of CA in the protocol is different from that of CA in the common key distribution protocol. It only needs to carry out Bell measurement in phase 2.1， and encode each non-orthogonal state as a classical bit. The appearance of client and server as the third party enables the protocol to complete identity authentication and key distribution. In phase 22， only the interaction between the client and the server is required. In essence， phase 2.2 is the classic BQC protocol. The steps of our protocol can be described as follows. The symbol description of this scheme is summarized in Table 2.

2.1Quantum key distribution phase

Step 1Load_Balancer_A and Load_Balancer_B randomly prepare a series of single photon sequences with X-basis or Z-basis， which are represented by SA and SB respectively. Both SA and SB are 4k in length. Load_Balancer_A and Load_Balancer_B also prepare decoy particles with fixed length of 2k. Randomly select the particles in {|0〉，|1〉，|+〉，|-〉}insert them into SA， SB to get a new sequence SdASdB， and send them to Ai and Bi mod n respectively.

Step 2Where Ai is the client and Bi mod n is the server. Ai and Bi mod nuse KAL to separate the decoy particles， knows the measurement method through KBL， and informs Load_Balancer_A and Load_Balancer_B of the result after measurement.If the error rate is higher than the allowable limit， the agreement will be terminated， otherwise proceed to the next step.

Step 3Ai and Bi mod nsend their SA and SB to CA. CA receives both sequences from Load_Balancer and performs a Bell measurement to get （a， b） of the sequences. CA encodes and records the measurement results as MAB， refer to Table 3 for coding rules. Then CA sends MAB to Ai and Bi mod n.

Step 4Once Ai and Bi mod n receive MAB successfully， Load_Balancer_A and Load_Balancer_B would announce the basis of each states in SA， SB. And then Ai and Bi mod n keep the bits under the same basis as the raw key when MAB=00，11. In this way， both Ai and Bi mod n obtain the shared key KA，KB at the same time. Where KA，KB are in {0，1}， bit 0 represents Z-basis， and bit 1 represents X-basis. Similarly， after MAiMBi mod n=K′AB calculation of the remaining particles at the corresponding position of MAB=01，10， another pair of shared key K′A， K′B is obtained.

Step 5When the client wants to request the server to perform computing tasks， Ai needs to first send a request i to Load_Balancer_A through the classic channel. After receiving request i， Load_Balancer_A puts it into the request queue and transmits the request to CA according to FIFO principle. CA prepares randomly non-orthogonal states |φ〉AB∈{|-〉AB，|ψ+〉AB，|Φ-〉AB，|Ψ+〉AB} length of 4k according to formula 2.

-〉=12（00〉-11〉）

ψ+〉=12（01〉+10〉）

Φ-〉=12（-〉-ψ+〉）=12（0-〉-1+〉）=12（+1〉--0〉）

Ψ+〉=12（-〉+ψ+〉）=12（0+〉+1-〉）=12（+0〉+-1〉）（2）

CA divides them into two parts and transmits sequences S1A， S1B with length of 4k to Load_Balancer respectively. After Load_Balancer_A and Load_Balancer_B receive S1A， S1B， Load_Balancer_A and Load_Balancer_B also prepare decoy particles with fixed length of 2k. Randomly select the particles in {|0〉，|1〉，|+〉，|-〉} insert them into S1A， S1B to get a new sequence S1dAS1dB， and send them to Ai and Bi mod n separately with request i. Ai and Bi mod n removes the decoy particles and informs the measurement results. If the error rate is higher than the allowable limit， the agreement will be terminated， otherwise proceed to the next step.

Step 6After Ai and Bi mod n obtain the original sequences S1A， S1B， they measure S1A， S1B with the initial keys KA， KB generated in step 3， and obtain the measurement results MA， MB with length of 4k. MA， MB with length of 2k are selected randomly and transmitted to Bi mod n and Ai across the classical channel， together with the corresponding particle positions. CA encodes each of non-orthogonal states into classical bit sequence SAB and broadcasts it unjammably to Ai and Bi mod n. The encoding rule refer to Table 3.

Step 7According to Table 4， Ai and Bi mod n check independently whether the other sides measurement results are correct. For example， assume that |〉AB=|ψ+〉AB， when the measurement result from Ai is bit 1， the measurment result from Bi mod n should be bit 0， otherwise the agreement will be terminated. After successfully completing the identity authentication， Ai and Bi mod n retains the distributed key KA， KB， K′A， K′B to complete key recycling， that is， if the protocol is successfully completed， Ai and Bi mod n generated true random number R and calculates the value of RK and sends it to key pool， this can improve the security of the whole process. If an error occurs during the agreement process， the operation of the agreement will be terminated， keys KA， KB， K′A， K′B will be discarded and the key KAL， KBL will be extracted from the key pool again.

2.2Multi-party blind quantum computation phase

Step 8After Ai and Bi mod n authenticate each other successfully， Bi mod n should generate a quantum resource state， for example brickwork state Ga×b， where b≡5（mod 8）.

Step 9Bi mod n sends a qubit （x， y） of brickwork state to Ai via quantum channel， and keeps the rest of qubits in the quantum memory.

Step 10Ai computes the real measurement angle θ′x，y=（-1）sXx，yθx，y+sXx，yπ， where θx，y∈-π4， 0， π4， π2 is the desired measurement angle， sXx，y is summation （module 2） of all previous measurement results in Zx，y，sX0，y=sZ0，y=0. Then Ai needs to measure the received qubit （x， y） in basis {|±θ′x，y〉}=12（|0〉±e-iθ′x，y|1〉）. The measurement result is recorded as sx，y∈{0，1}.

The specific protocol steps are shown in Fig.2.

3Efficiency analysis

Efficiency analysis can effectively show the scientific degree of resource utilization of an agreement. In quantum protocols， efficiency analysis usually analyzes the utilization of quantum. According to formula 2， we can calculate that the maximal information leakage of KAL， KBL is 0.41×2k×0.4≈0.33k. The key recycling rate is rate（KAL，KBL）=2k-0.33k2k=0.84. Similarly， the recycling rate of KA，KB，K′A，K′B" can be calculated as rate（KA，KB，K′A，K′B）=3i-0.49i3i=0.84. The recycling rate of the scheme is high， which greatly saves quantum resources. The formula for efficiency analysis is usually η=cb+q×100%， where q represents the total number of generated qubits， b stands for the total number of classic interaction information of both sides of communication and c represents the total number of shared classical bits （the classical bits used for checking of eavesdropping are not counted）. In our multi-party blind quantum computation protocol with key recycling， we divide the protocol into two parts. For better comparison， here we only calculate the efficiency of the first stage， and the number of bits of classical information is 2k bits. So， c = 2k （because particles with length of 2k are selected randomly and transmitted to Bi mod n and Ai）. Due to the total number of particles and decoy particles prepared by CA and Load_Balancer_A and Load_Balancer_B is 12k， the value of q is 12k. In this paper， because there are shared keys between quantum centers and participants or between participants and participants， the total number of classic interaction information generated by the whole protocol is 0.Furthermore， the qubit efficiency of related protocol can be expressed as：

η=cb+q×100%=2k0+12k×100%=16

Table 5 shows the efficiency comparison between the protocol in the first phase of this literature and other similar protocols. And we can see that compared with similar literatures， our literature has obvious efficiency advantages. At the same time， the recovery of key will also improve the utilization of quantum in the protocol and greatly save quantum resources.

4Security analysis

4.1Man-in-the-middle attack

Man-in-the-middle attack means Eve intercepts the sequence sent by the sender，then she forges another group of particles similar to Bell state and sends them to the receiver to realize the attack. In the protocol we designed， the client and server do not exchange information directly with the certificate distributor， but use the Load_Balancer_A and Load_Balancer_B for the secondary transmission of messages. Suppose that the eavesdropper Eve steals the Sd sent by the Load_Balancer_A and Load_Balancer_B to the client and server in the first phase of the protocol， but she cannot accurately eliminate the decoy particles. When she sends the fake particles she prepared to Ai and Bi mod n， the eavesdropping behavior will be found when Ai， Bi mod n and CA feedback the measurement results to the Load_Balancer_A and Load_Balancer_B in the subsequent steps. If the eavesdropper Eve wants to steal SA，SB in the key distribution phase and replace them with two groups of particles prepared in advance， Eve does not know the coding rules and corresponding basis of the Load_Balancer_A and Load_Balancer_B in the MAB comparison phase， so it cannot successfully steal the key pair， and Eves action will be declared failed.

4.2Forward security

Forward security or forward secrecy is an important security attribute of communication protocols in cryptography， sometimes called complete forward security. Simply put， if the master key used for a long time is leaked， other session keys will not be leaked. That is， forward security can protect the communication information transmitted in the past and prevent the password or key from being leaked in the future. In the protocol we designed， the pre shared key is KAL，KBL， which is used to eliminate the decoy particle Sd. Suppose that eavesdropper Eve stole the shared key KAL，KBL， but because of the MDI-QKD protocol［29］， she cannot know the base corresponding to the coding rule. Once an error occurs， it will be detected by the Load_Balancer when the measurement results are published later. Even if Eve guesses the encoding method correctly， she will be detected in step 4. The reason is that she does not know which basis corresponds to when the Load_Balancer_A and Load_Balancer_B generates SA，SB， nor the measurement result MAB. Once an erroroccurs in the protocol or an eavesdropper is detected， the key KAL，KBL will be recovered and re extracted from the key pool. Therefore， the disclosure of the long-term key KAL，KBLwill not threaten the security of the entire protocol.

4.3Correctness analysis

Correctness means that if the client runs the correct mode in phase 2.2， the protocol can execute and output correctly. In the protocol we designed， phase 2.1 has nothing to do with the correctness of the customers output.Assume that both the client and the server follow the steps in phase 2.2， and then get the normal output. The bricklaying status we used in phase 2.2 is the same as the resource status in［17］. In this paper， we use the brickwork state. Brickwork state is a general quantum state， and any unitary operation， they show how the brickwork state can be used to compute any gate in U. Recall the rotation transformations： X（θ）=eiθX2and Z（θ）=eiθZ2. Brickwork state can be realized through the general gate set CNOT， H， π8. At the end of the paper， it also explains the stacking mode of three cell gates when the input is four qubits. We can extend the unitary gate to a larger brick state， so that the clients in the protocol can measure layer by layer to successfully execute the protocol. If the output is the information of the classical channel， the customer can directly obtain the results from the customers previous measurement results. If the output is quantum channel information， the server needs to send the last layer to the client after the client measures it. Therefore， the protocol we designed is correct and feasible.

4.4Overall safety

In the protocol we designed， a single server BQC scheme is proposed. The scheme shows stronger security， that is， combined security［39］， which is based on the principle of no-signaling. The no-signaling principle is the basic theory prior to quantum mechanics， so the security of the BQC scheme is inherent， and it meets the equipment independent security. No matter how many quanta the server sends to the client， the server Bi mod n cannot obtain the information about A′i" is measurement of the received qubits， that is， it cannot know the measurement results. Among the BQC protocols that Ai needs to measure， only one-way communication （only one-way information flow） is required， which is different from most BQC protocols. This greatly saves the resources and time required for the completion of the protocol， and makes the protocol less demanding on customer equipment， thus improving its security. Therefore， the protocol provides simpler and stronger security. Therefore， internal attacks such as identity counterfeiting attacks on the server will fail. External attacks also fail to obtain any useful information for the client.

5Conclusion

The emergence of blind quantum computing theory can well solve the problem that customers want to ensure the safe transmission of information. The two main features of BQC are blindness and verifiability， it can be seen as a combination of quantum computation and quantum cryptography. BQC can ensure a client with limited quantum capability safely delegates computing tasks to a remote quantum server. In our multi-party authentication blind quantum computation with key recycling protocol， it is divided into key distribution part and blind quantum computation part. In the first stage， Load_Balancer prepares quantum， completes authentication and key distribution with the help of the certificate authority and the key， and reclaims the key that can be used again for the next time， saving limited quantum resources. In the second stage， blind quantum computation is used， and the client can use the server to measure the quantum to complete the computation. We introduce the MBQC model in the paper， which enables the protocol to execute blind quantum computation requests of multiple clients， greatly improving the computational efficiency. CAs semi-integrity identity is also conducive to improving the security of the protocol. Compared with the traditional BQC protocol， the proposed quantum key circulation protocol can greatly improve the efficiency of key distribution and reuse， it can also greatly save costs and improve the availability of the scheme.

The protocol we designed is proposed under the ideal premise of no noise.but there will always be noise interference in reality. Therefore， the future protocols for noise tolerance characteristics will be the focus of our research. We will also study the improvement of the protocol in the actual environment and the specific application of multi-party authentication in blind quantum computing.

References

［1］BENNETT C H，BRASSARD G. Quantum cryptography： Public-key distribution and coin tossing［C］∥Proc of IEEE International Conference on Computers， System and Signal Processing. Piscataway， NJ： IEEE Press， 1984：175-179.

［2］QIN H W，DAI Y W. Verifiable （t， n） threshold quantum secret sharing using d-dimensional bell state［J］. Inform Process Lett， 2016，116（5）：351-355 .

［3］MISHRA S，SHUKLA C，PATHAK A，et al. An integrated hierarchical dynamic quantum secret sharing protocol［J］. Int J Theor Phys， 2015，54（9）：1-12.

［4］HILLERY M，BUZEK V，BERTHIAUME A. Quantum secret sharing［J］. Phys Rev A， 1999，59（3）：1829-1834.

［5］LI X H. Quantum secure direct communication［J］. Acta Phys Sin， 2015，64（16）：160307-160312.

［6］DENG F G，REN B C，LI X H. Quantum hyperentanglement and its applications in quantum information processing［J］. Sci Bull， 2017，62（1）：46-48.

［7］BOYER M，KENIGSBERG D，MOR T. Quantum key distribution with classical bob［J］. Phys Rev Lett， 2007，99（14）：140501-140509.

［8］LI L Z，QIU D W，MATEUS P. Quantum secret sharing with classical bobs［J］. J Phys A： Math Theor， 2013，46（4）：045-304.

［9］BENNETT C H，BRASSARD G，BREIDBART S. Quantum cryptography Ⅱ： How to reuse a one-time pad safely even if P=NP［J］. Nat Comput， 2014，13（4）：453-458.

［10］FEHR S，SALVAIL L. Quantum authentication and encryption with key recycling［C］∥Advances in Cryptology-Eurocrypt. Pairs： EUROCRYPT， 2017：311-338.

［11］KORIAC＇G B，VRIECS M D. Quantum key recycling with eight-state encoding［J/OL］. ［20230218］. https：∥doi.org/10.1142/S0219749917500162.

［12］ARRIGHI P，SALVAIL L. Blind quantum computation［J］. Int J Quantum Inf， 2006，4（5）：883-898.

［13］AARONSON S，COJOCARU A，GHEORGHIU A，et al. Complexity-theoretic limitations on blind delegated quantum computation［J/OL］. ［20230116］. https：∥doi.org/10.48550/arXiv.1704.08482.

［14］REICHARDT B W，UNGER F，VAZIRANI U. Classical command of quantum systems［J］. Nature （London）， 2013，496：456-460.

［15］CHILDS A M. Secure assisted quantum computation［J］. Quantum Inf amp; Comput， 2005，5（6）：456-466.

［16］ARRIGHI P，SALVAIL L. Blind quantum computation［J］. Int J Quantum Inf， 2006，4（5）：883-898.

［17］BROADBENT A，FITZSIMONS J，KASHEF E. Universal blind quantum computation［C］∥Annual IEEE Symposium on Foundations of Computer Science. Atlanta： GA， 2009：517-526.

［18］MORIMAE T，FUJII K. Secure entanglement distillation for double-server blind quantum computation［J/OL］. ［20230203］. https：∥doi.org/10.1103/PhysRevLett.111.020502.

［19］LI Q，CHAN W H，WU C H，et al. Triple-server blind quantum computation using entanglement swapping［J/OL］. ［20230124］. https：∥doi.org/10.1103/PhysRevA.89.040302.

［20］KONG X，QIN L，WU C，et al. Multiple-server fexible blind quantum computation in networks［J］. Int J Theor Phys， 2016，55（6）：3001-3007.

［21］LO H K，CURTY M，QI B. Measurement-device-independent quantum key distribution［J］. Phys Rev Lett， 2012，108：130-503.

［22］LO H K，CHAU H F，ARDEHALI M. Efficient quantum key distribution scheme and proof of its unconditional security［J］. J Cryptol， 2005，18（2）：133-165.

［23］MA Y，YI L，WEI G，et al. Performance optimization of decoy-state BB84-and MDI-QKD protocol and their key integrating application strategy for power dispatching［J］. Opt Fiber Technol， 2019，52：101944.

［24］JUST M，VAUDENAY S. Authenticated multi-party key agreement［C］∥International Conference on the Theory and Application of Cryptology and Information Security. Berlin：Springer， 1996，1163：36-49.

［25］TSENG H Y，LIN J，HWANG T. New quantum private comparison protocol using EPR pairs［J］. Quantum Inf Process 2012，11（2）：373-384 .

［26］WEI C Y，CAI X Q，LIU B，et al. A generic construction of quantum-oblivious-key-transfer-based private query with ideal database security and zero failure［J］. IEEE Trans Comput， 2018，67（1）：2-8.

［27］YANG Z，BAI M Q，MO Z W . The brickwork state with fewer qubits in blind quantum computation［J］. Quantum Inf Process， 2022，21（4）：125-140.

［28］GAO X，WANG S T，DUAN L M. Quantum supremacy for simulating a translation-invariant ising spin model［J/OL］. ［20230126］. https：∥doi.org/10.48550/arXiv.1607.04947.

［29］SHENG Y B，ZHOU L. Deterministic entanglement distillation for secure double-server blind quantum computation［J/OL］. ［20230126］. https：∥doi.org/10.1038/srep07815.

［30］LO H K，CHAU H F. Unconditional security of quantum key distribution over arbitrarily long distances［J］. Science， 1999，283：2050-2056.

［31］GISIN N，PIRONIO S，SANGOUARD N. Proposal for implementing device-independent quantum key distribution based on a heralded qubit amplifier［J/OL］. ［20230222］. https：∥doi.org/10.1103/PhysRevLett.105.070-501.

［32］GOTTESMAN D，LO H K，LUTKENHAUS N，et al. Security of quantum key distribution with imperfect devices［J］Quantum Inf Process， 2022，21（4）：125-140.

［33］SHAN R T，CHEN X B，YUAN K G. Multi-party blind quantum computation protocol with mutual authentication in network［J］. Sci China Inf Sci， 2021，64：1-14.

［34］MORIMAE T，FUJII K. Blind quantum computation protocol in which alice only makes measurements［J］. Phys Rev A， 2013，87（5）：3393-3402.

［35］MERMIN N D. Quantum theory： Concepts and methods［J］. Stud Hist Philos Sci， 1997，28（1）：131-135.

［36］SUN Y H，YAN L L，CHANG Y，et al. Two semi-quantum secure direct communication protocols based on bell states［J/OL］. ［20230213］. https：∥doi.org/10.1142/S0217732319500044.

［37］TSAI C L，HWANG T. Semi-quantum key distribution robust against combined collective noise［J］. Int J Theor Phys， 2018，57：3410-3418.

［38］ZHOU N R，ZHU K N，ZOU X F. Multi-party semi-quantum key distribution protocol with four-particle cluster states［J］. Annalen der Physik， 2019，531（8）：1970031.

［39］MORIMAE T，KOSHIBA T. Composable security of measuring-alice blind quantum computation［J/OL］. ［20230209］. https：∥arxiv.org/abs/1306.2113.