QEnclave - A practical solution for secure quantum cloud computing

Quantum computing promises algorithmic speedups, and several organizations already provide cloud access to small-scale devices. Delegated quantum computation (DQC) via untrusted quantum hardware raises privacy challenges, especially for clients without quantum capabilities. The paper addresses privacy by introducing a quantum trusted execution environment (Quantum TEE) termed QEnclave, enabling privacy-preserving DQC for a fully-classical client. Classical TEEs isolate and protect computations from the rich execution environment; analogous protections are desirable in quantum settings. Existing blind DQC protocols provide security but require a quantum channel or client-side quantum capabilities, which are impractical for some platforms (e.g., superconducting, cold atoms). Fully-classical-client approaches based on post-quantum cryptography (e.g., LWE-based constructions) exist but incur huge server overheads. Motivated by these constraints and impossibility results for purely classical composable RSP, the authors propose QEnclave: a minimal hardware assumption providing tamper-proof, confidential single-qubit rotations, enabling classical-client blind DQC with optimal server overhead and without requiring client quantum state generation or measurement. Notably, blindness holds even if the server controls the qubit source.

Prior blind DQC protocols (e.g., UBQC) rely on a quantum channel and client capabilities to prepare or measure single-qubit states, ensuring blindness but limiting practicality on certain platforms. Fully classical-client protocols leveraging LWE-based cryptography (Mahadev, QFactory, etc.) demonstrate feasibility but require substantial server overhead (on the order of thousands of qubits to mask a single gate) and complex cryptographic subroutines, raising practicality concerns. Remote State Preparation (RSP) and its measurement-based variant (MRSP) were identified as composable building blocks enabling blind DQC with only classical communication to the client, but impossibility results show that composably secure RSP cannot be realized via classical channels alone without additional assumptions. Prior proposals incorporating a measurement buffer as an externalized measurement resource avoid quantum channels but remain non-classically realizable and impose large cryptographic overheads. These observations motivate a hardware-assisted approach: making the minimal quantum operation trusted (single-qubit rotation), while relying on classical TEE notions (attestation, confidentiality, integrity) to bridge the gap between practicality and composable security.

The work introduces Remote State Rotation (RSR) as an ideal functionality capturing a minimal trusted quantum operation: RSR receives a single-qubit input (from the server), applies a random Z(θ) rotation with θ uniformly sampled from a fixed set, outputs the rotated qubit back to the server, and reveals θ to the client. RSR removes all client quantum capabilities and eliminates the need for a quantum channel to the client. Within the Abstract Cryptography (AC) framework, the authors: (1) formalize RSR and the client/server interfaces; (2) define a protocol π in which the client only receives θ while the server supplies (possibly adversarial) input states that may be entangled with server-side ancillas; (3) prove Lemma 1 showing that outputs of RSR satisfy weak correlation conditions necessary and sufficient for UBQC blindness; (4) construct MRSP from RSR (Theorem 3) by providing an explicit simulator σθ so that πA RSRθ πB is indistinguishable from MRSPθ, achieving ε = 0; and (5) compose with known results that MRSP enables UBQC with perfect blindness (Theorem 4), thus establishing that RSR suffices for blind DQC. On the practical side, the authors propose QEnclave, a hardware design implementing RSR using a classical TEE to protect the secrecy of θ and control a minimal quantum device that performs single-qubit rotations. QEnclave relies on: anonymous remote attested execution (Gatt) to instantiate secure, authenticated channels between client and enclave; post-quantum secure digital signatures for attestation; and key establishment via post-quantum KEM to derive symmetric keys (e.g., AES) for confidential angle transmission. Protocol 1 specifies the workflow: client generates KEM keys, verifies attestation and enclave program identity, derives a session key, encrypts rotation angles, and sends them to the server; the enclave decrypts within the trusted area and commands the quantum rotation Z(θ) on incoming source qubits; the rotated qubits are returned to the server while the client holds θ. Security against a malicious server derives from TEE guarantees (code and data confidentiality/integrity inside the enclave, remote attestation), cryptographic confidentiality of θ in transit, and protected intra-enclave communication with the quantum device (assumed tamper-resistant). The AC-based proof establishes that this realization constructs the RSR resource under composition, thereby enabling UBQC with perfect blindness using only classical client-server communication. The paper also discusses engineering considerations (noise tolerances within UBQC’s blindness definition), the need for tamper-resistant packaging akin to FIPS-140 certified HSMs, and outlines integration pathways with various quantum platform technologies.

- Conceptual contribution: Definition of Remote State Rotation (RSR), a weaker ideal functionality than Remote State Preparation, in which the trusted component only applies single-qubit rotations Z(θ) to server-provided states and reveals θ to the client. - Security results in AC framework: (i) Lemma 1 shows RSR outputs meet weak correlation conditions required for UBQC blindness; (ii) Theorem 3 constructs MRSP from RSR with perfect indistinguishability (ε = 0) by providing a simulator; (iii) Theorem 4, by composition with known results for MRSP, yields that UBQC with access to RSR achieves DQC with perfect blindness. - Practical realization: QEnclave, a TEE-controlled module implementing single-qubit rotations with classical-only client interaction. The design uses post-quantum-secure attestation, signatures, KEM-derived symmetric keys (e.g., AES) to protect rotation angles and program integrity. Only one QEnclave call is needed to create one remote blind qubit. - System-level impact: Enables fully classical clients to delegate quantum computations with optimal server overhead and perfect blindness, even when the server controls the qubit source. Avoids the large overheads of LWE-based classical-client approaches (which may require ~1000 server qubits per masked gate). - Applicability: The approach is compatible with measurement-based protocols like UBQC and suggests integrations with photonic platforms and potential extensions to verifiable computation and other quantum protocols.

The findings demonstrate that trusting the minimal operation of single-qubit rotation, formalized via RSR, suffices to achieve perfectly blind delegated computation under composable security definitions. This reframes the hardware requirements for secure quantum cloud services: instead of trusting sources or measurements (as in RSP/MRSP), trusting a rotation device controlled by a TEE reduces client quantum requirements to zero while preserving optimal server overhead. The AC-based reductions show that security guarantees are robust to arbitrary server-provided inputs, including states entangled with server ancillas, addressing adversarial source control. Practically, QEnclave leverages mature TEE primitives (remote attestation, sealing, isolated execution) and post-quantum cryptography to form secure classical control channels to the quantum rotation hardware, aligning with real-world deployment constraints. The authors also discuss the path toward verifiability: direct adaptation of trap-based verifiable UBQC faces challenges under adversarial control of the source and correlated attacks; alternative self-testing-based methods may be more suitable. Integration opportunities are highlighted across platforms: photonics (natural support for single-qubit rotations and quantum communication) appears ideal, whereas ion traps and superconducting platforms may require teleportation-based or other interfaces. Beyond UBQC, RSR/QEnclave can benefit multi-client blind computation scenarios and may influence designs for quantum money and homomorphic encryption under stronger enclave assumptions.

This work introduces RSR as a minimal, composable ideal functionality enabling perfectly blind DQC and presents QEnclave, a practical TEE-based implementation that performs only single-qubit rotations under classical control. By proving that RSR constructs MRSP and thus UBQC with perfect blindness, the authors lower client-side quantum requirements and avoid the heavy server overheads of LWE-based approaches, all while tolerating adversarially controlled sources. The QEnclave blueprint pairs post-quantum attestation and key establishment with protected quantum control, offering a path toward deployable secure quantum cloud services. Future directions include achieving verifiability compatible with adversarial sources (e.g., via self-testing), engineering secure and tamper-resistant quantum-TEE interfaces across diverse hardware platforms, mitigating side-channel vectors and device counterfeiting risks, and exploring broader applications such as multi-client blind computation, quantum money, and carefully scoped quantum homomorphic encryption within minimal enclave functionality.

- Physical realization assumptions: QEnclave must be correctly fabricated by a trusted manufacturer; device counterfeiting is not addressed. The design assumes tamper-resistant packaging and protected intra-enclave links to the quantum device (akin to FIPS-140 HSM protections). - Side-channel scope: Hardware-dependent side-channel attacks on specific enclave products are out of scope; the work assumes confidentiality/integrity within the TEE and secure communication to the quantum device. - Noise and verification: While UBQC blindness tolerates certain errors, the noise within RSR composed with UBQC is not verifiably tracked; verifiability under adversarial source control remains open, and correlated attacks could evade trap-based checks. - Cryptographic assumptions: Practical security depends on post-quantum-secure attestation, digital signatures, and KEM schemes, and on the availability of secure authenticated channels. - Platform integration: For non-photonic platforms (e.g., ion traps, superconducting), additional interface mechanisms (e.g., teleportation) are required; detailed designs are left for future work.