Delegated and Distributed Quantum Computation Yfke Dulek Abstract: This dissertation explores the possibilities and impossibilities of securely delegating and distributing quantum computations. We construct explicit protocols for several quantum-cryptographic primitives (quantum message authentication, multi-party quantum computation, and verifiable quantum homomorphic encryption), but show that one other primitive is impossible to achieve in general (quantum virtual black-box obfuscation). For the primitives that we do realize, we often need to make assumptions on the computational power of the adversary’s quantum computer. Such computational assumptions are necessary because the variants of the primitives that we wish to achieve are impossible information-theoretically. Nonetheless, our protocols are information-theoretic upgrades from their classical variants: the only computational assumptions are those that are already required to achieve the classical primitives. The advantage of this approach is that advances in classical and post-quantum cryptography directly influence our protocols as well. In all of the cryptographic primitives studied in this dissertation, verification plays a crucial role. Whether a client wants to check the outcome of a computation he delegated to an untrustworthy server, or whether a player in a multi-party protocol wants to monitor the honesty of the other players in the protocol, an honest party always needs some kind of mechanism to ensure that the dishonest parties are not deviating from the protocol without being noticed. In Chapter 3, we consider an important building block for verifiable quantum computation: the quantum authentication code. Although traditionally used to ensure that a message cannot be altered after it is sent, authentication codes can also be used to enforce a specific operation to be applied to the message: this is known as (quantum) computing on authenticated data, or (Q)CAD. We study the relation between a property called (strong) purity testing and the ability of a code to preserve the integrity of a ciphertext rather than just the plaintext, and furthermore characterize in which cases the encryption key can be recycled. We give an overview of existing quantum authentication codes, and construct two new variations on the so-called "trap code", an authentication code that is especially suited for QCAD. One of these new variations is strong purity testing, achieving ciphertext authentication with key recycling. The other variation only achieves inverse polynomial security, but encoding can be done using only a constant-size quantum memory. The constructions in this chapter are information-theoretically secure. In Chapter 4, we give a protocol for multi-party quantum computation, where a number of players perform a joint quantum computation, but want to keep their inputs private from the other players. Previously, protocols were only known if strictly less than half of the players was dishonest, or if there were only two players in total. We generalize the two-player protocol to devise a secure protocol for multi-party quantum computation for any number of players k, and prove it secure against up to k-1 actively colluding adversaries. To achieve efficiency, we develop a novel public verification protocol for the Clifford authentication code, and a testing protocol for magic-state inputs. Our protocol relies on classical multi-party computation and the computational assumptions that come with it. In Chapter 5, we study quantum homomorphic encryption, which allows a less powerful client to outsource a Clifford circuit to a more powerful server. A simple scheme, based on classical homomorphic encryption, already exists for this task; we show that it has circuit privacy. In theoretical applications of classical (fully) homomorphic encryption, it is often necessary for the client to verify the correctness of the computation at decoding time. We define a new primitive of "verifiable quantum homomorphic encryption", carefully consider what kind of compactness should be expected in this context, and give two equivalent definitions of security: a semantic one, and a game-based one. We construct a protocol for verifiable quantum homomorphic encryption, enabling Clifford computations to be delegated and verified in a noninteractive manner. Verification is almost entirely classical; for computations that start and end with classical states, it is completely classical. In Chapter 6, we extend the results from Chapter 5 to quantum fully homomorphic encryption by devising a procedure to evaluate the non-Clifford gate T. Using techniques from instantaneous nonlocal quantum computation, we construct “T-gate gadgets”, quantum states that do not reveal the secret encryption key, but at the same time allow the server to correct errors that depend on that secret key during the evaluation. The size of the gadget depends on the space complexity of the decryption function of the underlying classical homomorphic-encryption scheme. The resulting scheme provides privacy against quantum chosen-plaintext attacks. We show how to extend it to provide verifiability, in the sense defined in the previous chapter, as well. As a first application of the verifiable scheme, we describe how to construct quantum one-time programs from classical one-time programs and verifiable quantum fully homomorphic encryption. In Chapter 7, we show that, under a variant of the learning-with-errors assumption, it is impossible to obfuscate classical circuits into quantum states. Virtual black-box obfuscation is a strong cryptographic primitive: it encrypts a circuit while maintaining its full input/output functionality. A remarkable result by Barak et al. [BGI+01] shows that a general obfuscator that obfuscates classical circuits into classical circuits cannot exist. A promising direction that circumvents this impossibility result was to obfuscate classical circuits into quantum states, which would potentially be better capable of hiding information about the obfuscated circuit. We show that this quantum variant of virtual black-box obfuscation of classical circuits is generally impossible. On the way, we show that under the presence of dependent classical auxiliary input, even the small class of classical point functions cannot be quantum virtual black-box obfuscated.