Introduction
The field of quantum computing is rapidly advancing, with significant investments from governments and major companies in building programmable quantum devices. Cloud services offering access to these devices are emerging, allowing users to delegate quantum computations. However, delegating computations to untrusted hardware raises critical privacy concerns. This paper addresses this issue by introducing a quantum trusted execution environment (Quantum TEE) called QEnclave, demonstrating its use in privacy-preserving delegated quantum computation (DQC), even with a fully classical client. Classical TEEs, like Intel SGX and ARM TrustZone, isolate trusted execution from untrusted environments, employing hardware architecture and cryptography for protection. They've been applied to various areas, including blockchain, privacy-preserving machine learning, and cloud services. Delegated computation allows clients with limited computational resources to offload tasks to powerful but untrusted servers while maintaining data privacy—a crucial need for cloud-based high-performance computing. This need extends to quantum computing, where access to scalable quantum computers will likely remain limited and expensive for the foreseeable future. Existing secure (blind) delegated quantum computation protocols require quantum channels between client and server, which may be impractical for certain quantum hardware. The paper explores a different approach, based on hardware security assumptions, to achieve a practical secure DQC protocol with a fully classical client, building on the modular approach defining remote state preparation (RSP) as the main building block for the DQC protocol. 
While some proposals use a classical channel but assume a 'measurement buffer' resource (which is classically unrealizable), this work explores a different approach through a hardware security module that securely implements this function without the significant server overhead of protocols based on post-quantum secure trapdoor one-way functions. The research therefore proposes QEnclave as a practical solution for secure DQC with a classical client, requiring only one call to the hardware module to create a remote blind qubit, and the module only transforms single-qubit states.
Literature Review
Existing literature highlights significant advancements in quantum computing algorithms (Shor's algorithm, polynomial quantum algorithm for approximating the Jones polynomial) and the development of small-scale quantum computers and cloud services (IBM, Google, Amazon). Universal protocols for secure (blind) delegated quantum computation exist, but they typically assume a quantum channel between client and server, which may pose practical limitations. Attempts to build fully classical client protocols for quantum servers based on post-quantum secure trapdoor one-way functions face challenges due to huge server overhead. Previous work on remote state preparation (RSP) protocols, while using classical channels, relied on unachievable resources like a 'measurement buffer.' The impossibility of creating a composable secure RSP protocol using only a classical channel necessitates alternative approaches, such as hardware security assumptions, which is the motivation for this research. The paper's approach leverages the concept of remote state preparation as a building block for secure delegated quantum computation and contrasts with prior work that attempted to achieve security through computational assumptions, which led to significant server-side overheads. This paper proposes a new solution using a hardware security assumption that provides a more practical and less computationally intensive approach.
Methodology
The paper introduces the concept of a new ideal functionality called Remote State Rotation (RSR). RSR only performs single qubit rotations with angles chosen uniformly at random. It is weaker than RSP (which generates quantum states) as it only rotates states generated by the server. This functionality is formally defined with two interfaces, A (client) and B (server), where interface B receives a single qubit state, the RSR performs a rotation, and outputs the rotated state (ρout) at B and the rotation angle (θ) at A. A two-party protocol, π = (πA, πB), is defined using RSR, where πA receives θ and πB accepts either |+⟩⟨+| (honest server) or an arbitrary state ρ (dishonest server). The security of this functionality is proven within the abstract cryptography framework. The paper then introduces the QEnclave, a practical implementation of RSR using a classical TEE to protect the flow of information between the TEE and the quantum device performing single-qubit rotations. The QEnclave is depicted as having a trusted and an untrusted area, with classical communication with the client and return of a quantum state to the server. It is assumed that the client can choose input angles randomly; this simplifies the analysis without affecting security. The secure processor is abstracted as attested execution G_{att}^{Sec}, showing how it securely constructs the outsourcing computation protocol. The outsourcing computation is modeled as F_{outsrc}[C, S], representing the client C outsourcing function f and input x, obtaining the output y, while the server S only knows the input/output sizes. A G_{att}^{Sec}-hybrid protocol π_{outsrc} is utilized, proven UC-realized under the assumption that C is honest and S is a static adversary. The security relies on the decisional Diffie-Hellman (DDH) assumption for secure key exchange and authenticated encryption, and is shown to be equivalent under the AC framework. 
Post-quantum secure cryptography is crucial, employing quantum-safe digital signatures for remote attestation and symmetric key encapsulation for confidentiality. The paper presents a detailed protocol (Protocol 1) outlining QEnclave-based RSP, incorporating post-quantum secure digital signatures and key encapsulation mechanisms (e.g., AES). The communication between the secure processor and the quantum device is assumed to be protected against tampering. The security definition of UBQC allows for unrelated errors, which is relevant in this context. Potential attacks are discussed (correct fabrication, side-channel attacks, counterfeiting), highlighting assumptions made. The composability of RSR is rigorously proven in the AC framework by showing that it meets the conditions for blindness in UBQC. This involves showing how MRSP (measurement-based remote blind state preparation) can be constructed from RSR. A detailed mathematical proof is provided showing how the output of RSR satisfies the weak correlation conditions for blindness. The security of using RSR with UBQC is demonstrated by constructing MRSP from RSR and proving that a distinguisher cannot differentiate between them.
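The RSR interface described above can be simulated on density matrices. The following is an added illustration, not code from the paper or from this page; it assumes rotations about the Z axis with θ drawn from the eight angles kπ/4 used in UBQC (neither detail is stated on this page), and it shows only the θ-averaged state at interface B, not the paper's composable proof.

```python
import cmath
import math
import secrets

# Assumptions (not stated on this page): Z-axis rotations, theta in {k*pi/4}.
ANGLES = [k * math.pi / 4 for k in range(8)]
PLUS = [[0.5, 0.5], [0.5, 0.5]]   # |+><+|, the honest server's input
ZERO = [[1.0, 0.0], [0.0, 0.0]]   # |0><0|, one possible dishonest input

def rotate_z(rho, theta):
    """Return Rz(theta) rho Rz(theta)^dagger with Rz = diag(1, e^{i*theta})."""
    p = cmath.exp(1j * theta)
    return [[rho[0][0], rho[0][1] * p.conjugate()],
            [rho[1][0] * p, rho[1][1]]]

def rsr(rho_in, rng=secrets.SystemRandom()):
    """Ideal RSR: (theta for interface A, rotated state for interface B)."""
    theta = rng.choice(ANGLES)
    return theta, rotate_z(rho_in, theta)

def plus_theta(theta):
    """Client-side classical description of |+_theta><+_theta|."""
    p = cmath.exp(1j * theta)
    return [[0.5, 0.5 * p.conjugate()], [0.5 * p, 0.5]]

def server_view(rho_in):
    """State at interface B averaged over the theta the server never sees."""
    outs = [rotate_z(rho_in, t) for t in ANGLES]
    return [[sum(o[i][j] for o in outs) / len(ANGLES) for j in range(2)]
            for i in range(2)]

def close(a, b, eps=1e-12):
    """Entry-wise comparison of two 2x2 matrices."""
    return all(abs(a[i][j] - b[i][j]) < eps
               for i in range(2) for j in range(2))

if __name__ == "__main__":
    theta, rho_out = rsr(PLUS)
    print("client learns theta =", theta)
    print("matches |+_theta>:", close(rho_out, plus_theta(theta)))
    print("honest input, averaged view:", server_view(PLUS))
    print("|0> input unchanged by rotation:",
          all(close(rotate_z(ZERO, t), ZERO) for t in ANGLES))
```

With the honest input the averaged view is the maximally mixed state, and a computational-basis input is left unchanged by every rotation, so in both cases the single output state carries no information about θ.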
Key Findings
The paper's main contribution is the introduction of QEnclave, a practical solution for secure delegated quantum computing with a classical client. QEnclave relies on a hardware security assumption, namely the secure processor and secure communication between the secure processor and the quantum rotation device, achieving secure DQC using solely classical communication. This approach overcomes the limitations of previous methods requiring quantum channels or suffering from substantial server overhead. The core innovation lies in the proposed Remote State Rotation (RSR) functionality. RSR, unlike prior RSP functionalities, only requires the capability of performing single-qubit rotations, significantly lowering the client's quantum technology requirements. The security of RSR is rigorously proven in the Abstract Cryptography (AC) framework, demonstrating that it securely constructs the Blind Delegated Quantum Computing (DQC) functionality. The paper formally proves that the RSR functionality meets the weak correlation conditions necessary for achieving blindness in delegated quantum computation. This mathematical proof addresses the potential vulnerabilities of a malicious server having control over the qubit source, ensuring security even in this adversarial scenario. The proposed QEnclave architecture is designed using a standard classical Trusted Execution Environment (TEE) coupled with a protected quantum device. This architecture ensures that the rotation angles chosen by the client remain confidential until the rotation is performed within the trusted area of the QEnclave. The protocol outlined in the paper uses post-quantum secure cryptography (digital signatures and key encapsulation mechanisms) to guarantee security against quantum adversaries. 
The paper demonstrates the feasibility of integrating QEnclave with various quantum computing technologies, such as linear optics-based photonics, noting that specific interfaces may be needed for other technologies like ion traps or superconducting qubits. Future research directions, like integrating QEnclave with other quantum protocols (prepare-and-send UBQC with multiple clients, quantum homomorphic encryption, quantum money schemes), are discussed, though challenges and complexities are acknowledged.
Discussion
The results demonstrate the feasibility of secure delegated quantum computing using only classical communication from the client side, overcoming a significant hurdle in the field. The reduced requirements on the client's quantum capabilities, namely just the ability to perform single-qubit rotations, make QEnclave a more practical approach than prior methods. The rigorous security proofs in the AC framework provide strong assurance against various adversarial attacks, especially those related to a compromised qubit source. While the paper addresses many potential security concerns, it acknowledges some limitations, primarily related to the physical realization of the QEnclave and its susceptibility to hardware-dependent attacks (side-channel attacks, counterfeiting). The reliance on a correctly fabricated QEnclave and the assumption of secure communication between the secure processor and quantum device are key assumptions. The work opens up new avenues of research into verifiable quantum computation, potentially through techniques like self-testing, given the challenges in adapting existing techniques due to the possibility of correlated attacks. The paper’s exploration of integrating QEnclave with other protocols highlights its potential for broader impact in the secure quantum computing ecosystem.
Conclusion
The paper successfully introduces QEnclave, a practical and secure hardware solution for delegated quantum computing with a classical client. The key innovation is the use of the RSR functionality, which significantly lowers the client's quantum requirements while maintaining perfect blindness in DQC. The formal security analysis, the detailed architectural specification, and the discussion of practical implementation across different quantum computing platforms showcase the significance of QEnclave. Future work includes addressing open questions related to verifiability in the presence of a malicious server, exploring potential vulnerabilities arising from the physical implementation, and investigating the application of QEnclave in diverse quantum protocols.
Limitations
The paper acknowledges several limitations. First, it relies on the assumption that the QEnclave is correctly manufactured and that its internal communication channels are secure against tampering. This assumption, while common in hardware security, is still a significant one. Second, certain hardware-dependent attacks (side-channel attacks, counterfeiting) are not explicitly addressed. Third, the paper does not provide a detailed solution for verifiability beyond pointing out that adapting current approaches is non-trivial. Finally, the integration with quantum computing technologies other than photonics is discussed conceptually, but requires further investigation.