Prepare-and-Send Quantum Fully Homomorphic Encryption: Difference between revisions

From Quantum Protocol Zoo
Jump to navigation Jump to search
No edit summary
 
(65 intermediate revisions by 3 users not shown)
Line 1: Line 1:


== Functionality Description==
This [https://arxiv.org/abs/1603.09717 example protocol] achieves the functionality of [[Secure Client- Server Delegated Computation]] by a method which involves quantum offline and classical offline communication, called Quantum Fully Homomorphic Encryption (QFHE). Offline communication means there is exchange of information is not required throughout the protocol but only once at the start or end of the protocol. It allows the Client to encrypt quantum data in such a way that Server can carry out any arbitrary quantum computations on the encrypted data without having to interact with the encrypting party. It hides the output and input of the computation while Server is allowed to choose the unitary operation for required computation. Thus, the circuit is known to the Server while efforts can be made to hide it from the encrypting party i.e. Client. Based on the existence of classical [https://en.wikipedia.org/wiki/Homomorphic_encryption Homomorphic Encryption] (HE) scheme, it comes with properties of [[Secure Client- Server Delegated Computation#Properties|correctness]], [[Secure Client- Server Delegated Computation#Properties|compactness]] and [[Secure Client- Server Delegated Computation#Properties|full homomorphism]]. QFHE can be used to keep the circuit private to the Server and hidden from the Client unlike UBQC where the circuit is private to the Client and hidden from the Server.</br></br>
Delegated Computation is the task of assigning quantum computation to an untrusted device while maintaining privacy of the computation. It can be done via classical online/offline and quantum online/offline communication. Following description deals with a method which involves quantum offline and classical offline communication, called Quantum Fully Homomorphic Encryption (QFHE). It allows the Client to encrypt quantum data in such a way that Server can carry out any arbitrary quantum computations on the encrypted data without having to interact with the encrypting party. It hides the output and input of the computation while Server is allowed to choose the unitary operation for required computation. Thus, the circuit is known to the Server while efforts can be made to hide it from the encrypting party i.e. Client. Based on the existence of classical Fully Homomorphic Encryption (FHE) scheme, it comes with properties of correctness, i.e. for any arbitrary circuit if both the parties follow the protocol, the final outcome is deemed to be correct and, compactness, i.e. decryption of data should be independent of the size of the quantum circuit used for computation. An additional requirement of the scheme is that after encryption of input data it should be impossible to decrypt it without performing any computation.
'''Tags:''' [[:Category:Two Party Protocols|Two Party]],[[:Category:Universal Task|Universal Task]], [[:Category:Quantum Functionality|Quantum Functionality]], [[Secure Delegated Quantum Computation|Secure Delegated Quantum Computation]], Quantum Offline Communication, Classical Offline Communication, [[Supplementary Information#Entanglement|Entanglement]], [[Quantum Gadgets]], Garden Hose Model, [[Prepare and Send Verifiable Quantum Fully Homomorphic Encryption]], [[Classical Fully Homomorphic Encryption for Quantum Circuits]].
'''Tags:''' [[Two Party Protocols|Two Party]],[[Universal Task|Universal Task]] [[Quantum Functionality|Quantum Functionality]], [[Secure Delegated Quantum Delegated computation|Delegated computation]]
[[Category:Two-Party Protocols]][[Category: Universal Task]][[Category:Quantum Functionality]]
 
==Assumptions==
== See Also ==
* This protocol is secure against malicious adversary setting
[[Secure Delegated Quantum Computation|Secure Delegated Quantum Computation]], [[Measurement Only Quantum Fully Homomorphic Encryption|Measurement Only QFHE]], [[Prepare and Send Verifiable Quantum Fully Homomorphic Encryption|Prepare and Send Verifiable Quantum Fully Homomorphic Encryption (VQFHE)]], [[Measurement Only Verifiable Quantum Fully Homomorphic Encryption|Measurement Only VQFHE]].
* One cannot decrypt the ciphertext without performing the Evaluation step
* A one-time quantum channel from Client to Server
* A one-time quantum channel from Server to Client
* The circuit has a polynomial number of T-Gates.


==Outline==
==Outline==
Homomorphic Encryption [[Supplementary Information#Homomorphic schemes|(HE)]] schemes can be divided into four stages: Key Generation generates keys for encryption, decryption and evaluation of the circuit, Encryption encodes the input into a ciphertext using encryption key, Homomorphic Evauation performs operations (imlpements the circuit) on the encrypted input using evaluation key and Decryption transforms result of the ciphertext to actual outcome of the circuit using decryption key. This protocol requires Client to prepare and send the quantum states to Server, hence the name, ''Prepare and Send QFHE''. A QFHE scheme is fundamentally different from classical FHE in the aspect that evaluation key is allowed to be a quantum state in former case. Also, in the last step decryption for FHE is carried out subsystem by subsystem. This cannot be correct for QFHE as quantum states can be entangled, hence decryption should be carried out on the system as a whole. The QFHE version of encryption is based on quantum one time pad [[Supplementary Information#Quantum One Time Pad|(QOTP)]] i.e. randomly applying a Pauli Gate (X, Y, Z, I) in order to hide the input. A Fully Homomorphic Encryption can implement Universal Gates (a set of gates which can implement any quantum circuit). Most of the gates in this set work well with QOTP while for T gates one needs an additional gadget, in order to implement any arbitrary circuit and make the scheme Fully Homomorphic. This adds an additional step called ”Gadget Construction” during Key Generation Stage in this protocol
Homomorphic Encryption [[Glossary#Quantum Capable Homomorphic Encryption|(HE)]] schemes can be divided into four stages: Key Generation generates keys for encryption, decryption, and evaluation of the circuit, Encryption encodes the input into a ciphertext using encryption key, Homomorphic Evaluation performs operations (implements the circuit) on the encrypted input using evaluation key and Decryption transforms result of the ciphertext to actual outcome of the circuit using decryption key. This protocol requires Client to prepare and send the quantum states to Server, hence the name, ''Prepare and Send QFHE''. A QFHE scheme is fundamentally different from classical FHE in the aspect that an evaluation key is allowed to be a quantum state in the former case. Also, in the last step decryption for FHE is carried out subsystem by subsystem. This cannot be correct for QFHE as quantum states can be entangled, hence decryption should be carried out on the system as a whole. The QFHE version of encryption is based on [[quantum one-time pad]] i.e. randomly applying a Pauli Gate (X, Y, Z, I) in order to hide the input. A Fully Homomorphic Encryption can implement Universal Gates (a set of gates which can implement any quantum circuit). Most of the gates in this set work well with QOTP while for T gates one needs an additional gadget, in order to implement any arbitrary circuit and make the scheme Fully Homomorphic. This adds an additional step called ”Gadget Construction” during Key Generation Stage in this protocol
'''Key Generation'''  
*'''Key Generation (QFHE.KeyGen())'''  
This step generates homomorphic key sets consisting of classical public key for encryption, a classical private key for decryption and a quantum evaluation key for operation on the encrypted input state. If the circuit involves L T gates, Client needs L+1 such key sets for L gadgets and one input state. The Client uses classical HE Key Generation (HE.KeyGen) to get classical key sets. She stores all the public keys and secret keys in two separate sets (tuples). Quantum evaluation keys consist of the classical evaluation keys and the L gadgets. Once constructed, the gadget is also encrypted using all public keys except first one by the Client. As construction of gadgets take secret keys (first L) as inputs, the public key used for its encryption should not belong to the same homomorphic key set used to construct the gadget. A classical description of the gadget, useful for evaluation is also encrypted and included in the gadget. Construction and encryption of gadgets is described in the last step.<br/>
This step generates homomorphic key sets consisting of the classical public key for encryption, a classical private key for decryption and a quantum evaluation key for operation on the encrypted input state. If the circuit involves L T gates, Client needs L+1 such key sets for L gadgets and one input state. The Client uses the classical HE Key Generation (HE.KeyGen) to get classical key sets. She stores all the public keys and secret keys in two separate sets (tuples). Quantum evaluation keys consist of the classical evaluation keys and L gadgets. Once constructed, the gadget is also encrypted using all public keys except the first one by the Client. As construction of gadgets takes secret keys (first L) as inputs, the public key used for its encryption should not belong to the same homomorphic key set used to construct the gadget. A classical description of the gadget, useful for evaluation is also encrypted and included in the gadget. Construction and encryption of gadgets is described in the last step.<br/>
*'''Gadget Construction''' This step involves construction of gadgets to correct any additional phase gate error on the input due to T gates in the circuit. If there are L T gates in the Circuit, one needs L Gadgets constructed using L private keys and then encrypted using L public keys. The public key used for encryption should not belong to the same homomorphic key set of private key used for construction. A gadget consists of 2m EPR pairs (maximally entangled qubits). Client starts with 4m such pairs. Performs pairwise Bell measurement on one half of the EPR pairs. Pairs for Bell measurement are chosen according to the private decryption key used for the particular gadget. This leaves other half of the EPR pairs entangled in the same pairs as chosen by Client to perform bell measurement. E.g. if (a,b) and (c,d) denote two EPR pairs and one performs bell measurement on a and c, then b and d become maximally entangled with some extra Pauli X,Z corrections due to measurement (refer to one-pad key in supplementary draft). These corrections are determined by Client’s measurement outcomes. The resulting gadget thus has 2m EPR pairs, some of which have an inverse phase gate. Classical information of a gadget includes private key used, Client’s measurement outcomes and locations of inverse phase gates. This data is encrypted with the public key. Hence, L such gadgets consisting of encrypted classical information and 2m EPR pairs quantum one-time padded by the Pauli X,Z gates, are sent to the server.<br/>
**'''Gadget Construction''' This step involves the construction of gadgets to correct any additional phase gate error on the input due to T gates in the circuit. If there are L T gates in the Circuit, one needs L Gadgets constructed using L private keys and then encrypted using L public keys. The public key used for encryption should not belong to the same homomorphic key set of the private key used for construction. A gadget consists of 2m [[Glossary#EPR pairs|EPR pairs]] (maximally entangled qubits). The client starts with 4m such pairs. Performs pairwise [[Glosssary#Bell State Measurement|Bell measurement]] on one-half of the EPR pairs. Pairs for Bell measurement are chosen according to the private decryption key used for the particular gadget. This leaves the other half of the EPR pairs entangled in the same pairs as chosen by Client to perform bell measurement. E.g. if (a,b) and (c,d) denote two EPR pairs and one performs bell measurement on a and c, then b and d become maximally entangled with some extra [[Glossary#Unitary Operations|Pauli X, Z]] corrections due to measurement. These corrections are determined by Client’s measurement outcomes according to [[one pad key]]. The resulting gadget thus has 2m EPR pairs, some of which have an inverse phase gate. Classical information of a gadget includes private key used, Client’s measurement outcomes and locations of inverse phase gates. This data is encrypted with the public key. Hence, L such gadgets consisting of encrypted classical information and 2m EPR pairs quantum one-time padded by the Pauli X, Z gates, are sent to the server.<br/>
Finally, Client stores all the gadgets with the classical evaluation key of the corresponding secret key (generated from HE.KeyGen) used to construct the gadget, as the set of quantum evaluation keys. Note that, the gadgets are quantum states and classical evaluation keys are random numbers, the resulting quantum evaluation key is what we call a classical-quantum (CQ) state.
Finally, Client stores all the gadgets with the classical evaluation key of the corresponding secret key (generated from HE.KeyGen) used to construct the gadget, as the set of quantum evaluation keys. Note that, the gadgets are quantum states and classical evaluation keys are random numbers, the resulting quantum evaluation key is what we call a classical-quantum (CQ) state.
''' Encryption'''
*'''Encryption (QFHE.Enc())''' This step is used to encrypt the quantum input into a quantum cipher-text (secret text) using the first public key which has not been used for gadget construction. Every input qubit state is [[quantum one time padded]] by the Client, using two classical random bits, one of which decided the operation of Pauli-X and the other operation of Pauli-Z gate on the qubit state. She also encrypts the classical random bits (called pad key) with the same public key using classical HE (HE.Enc) and hence stores it with the corresponding encrypted qubit state as a classical-quantum state. She then sends this CQ state, encrypted pad key, public key tuple, and evaluation key tuple to Server.
This step is used to encrypt the quantum input into a quantum ciphertext using the first public key which has not been used for gadget construction. Every input qubit state is quantum one time padded by the Client, using two classical random bits, one of which decided the operation of Pauli-X and the other operation of Pauli-Z gate on the qubit state. She also encrypts the classical random bits (called pad key) with the same public key using classical HE (HE.Enc) and hence stores it with the corresponding encrypted qubit state as a classical-quantum state. She then sends this CQ state, encrypted pad key, public key tuple and evaluation key tuple to Server.
*'''Circuit Evaluation (QFHE.Eval())''' This step operates the circuit on the encrypted input state and updates the encrypted classical information using the evaluation key. As stated earlier, any circuit can be implemented using a set of Universal Gates. This set consists of Clifford Gates and T gates.
  ''' Circuit Evaluation'''
The Clifford group gates may affect a single qubit or multiple qubits but they follow a simple set of rules for updation of the encrypted classical information (pad key), given in the pseudocode. The server operates the circuit and with each gate in the circuit, it updates the encrypted classical description.<br/>
This step operates the circuit on the encrypted input state and updates the encrypted classical information using the evaluation key. As states earlier, any circuit can be implemented using a set of Universal Gates. This set consists of Clifford Gates and T gates.
On the other hand, T gates affect only single qubits but one needs to make use of the gadgets constructed during key generation. The issue with T gates is that it adds an additional [[Glossary#Unitary Operations|Phase gate (P)]] depending on the classical random bit used for QOTP in the previous step. As P gates do not commute like Pauli-X and Pauli-Z, so they need to be corrected before applying the next gate by the Server. This would reveal the pad key used for QOTP to the Server. Hence, to avoid this, the Client constructed gadgets, which apply an Inverse Phase operator or Identity on a qubit after every T-Gate, depending on the encrypted bit without leaking any information about the pad key. Thus, after applying a T gate on a qubit, P error is removed using a gadget as follows.
The Clifford group gates may affect a single qubit or multiple qubits but they follow a simple set of rules for for updation of the encrypted classical information (pad key), given in the pseudo code. Server operates the circuit and with each gate in the circuit it updates the encrypted classical description.<br/>
Out of 2m EPR pairs, some qubits are measured pairwise including the input qubit with/without error and excluding one qubit entangled with one of the measured qubits. Input qubit is thus, transferred to this last unmeasured qubit, according to one-bit teleportation. Following are the steps to get the correct output qubit.<br/>
On the other hand, T gates affects only single qubits but one needs to make use of the gadgets constructed during key generation. The issue with T gates is that it adds an additional Phase gate (P) depending on the classical random bit used for QOTP in the previous step. As P gates do not commute like Pauli-X and Pauli-Z, so they need to be corrected before applying the next gate by the Server. This would reveal the pad key used for QOTP to the Server. Hence, to avoid this, the Client constructed gadgets, which apply an Inverse Phase operator or Identity on a qubit after every T-Gate, depending on the encrypted bit without leaking any information about the pad key. Thus, after applying a T gate on a qubit, P error is removed using a gadget as follows.
*'''Generate Measurement (QFHE.GenMeasurement())''' The encrypted one pad key bit which determines phase gate error and the classical information of the gadget is used to determine a measurement order. Private key tells which qubits are entangled, thus, using the location of inverse phase gates, the qubits needed to be measured are decided. If one-pad key bit indicates a phase error then the measurement order of qubits includes an EPR pair with a phase gate else not.
Out of 2m EPR pairs, some qubits are measured pairwise including the input qubit with/without error and excluding one qubit entangled with one of the measured qubits. Input qubit is thus, transferred to this last unmeasured qubit, according to one bit teleportation. Following are the steps to get the correct output qubit.<br/>
*'''Generate Measurement (QFHE.GenMeasurement())''' The encrypted one pad key bit which determines phase gate error and the classical information of the gadget is used to determine a measurement order. Private key tells which qubits are entangled, thus, using location of inverse phase gates, the qubits needed to be measured are decided. If one-pad key bit indicates a phase error then the measurement order of qubits includes an EPR pair with a phase gate else not.
*'''Gadget Correction (QFHE.Measurement())''' Server performs the required measurements. The last unmeasured qubit is corrected input qubit. The qubit is one time padded with pad key determined by Client’s measurement outcomes, encrypted with the public key used for the gadget and Server’s measurement outcomes. Hence, it is still hidden from the Server.<br/>
*'''Gadget Correction (QFHE.Measurement())''' Server performs the required measurements. The last unmeasured qubit is corrected input qubit. The qubit is one time padded with pad key determined by Client’s measurement outcomes, encrypted with the public key used for the gadget and Server’s measurement outcomes. Hence, it is still hidden from the Server.<br/>
*'''Recryption (QFHE.Rec())''' Server recrypts pad key of the qubit with the same public key that encrypts the corrected output state i.e. the one used for the corresponding gadget. Then, he updates the encrypted pad key according to the T Gate (similar to what is done for the Clifford Gate), Client’s encrypted measurement outcomes and Server’s (his) measurement outcomes.
*'''Recryption (QFHE.Rec())''' Server recrypts pad key of the qubit with the same public key that encrypts the corrected output state i.e. the one used for the corresponding gadget. Then, he updates the encrypted pad key according to the T Gate (similar to what is done for the Clifford Gate), Client’s encrypted measurement outcomes and Server’s (his) measurement outcomes.
Server performs all the Clifford and T gates in the circuit following the respective procedure given above. Finally, he is left with the one time padded quantum output of the computation together with the required classical pad key encrypted with the public key of the gadget used for the last T gate, Lth public key. Server sends both the quantum state and classical encryptions to the Client.
The server performs all the Clifford and T gates in the circuit following the respective procedure given above. Finally, he is left with the one time padded quantum output of the computation together with the required classical pad key encrypted with the public key of the gadget used for the last T gate, the last public key in the set. The server sends both the quantum state and classical encryptions to the Client.
'''Decryption'''  
*'''Decryption (QFHE.Dec())''' The Client uses the last secret key in the set, which was not used to create any gadget (Gadgets used 0-(L-1) secret keys only) and decrypts sent encryptions to obtain the pad key. The pad key thus obtained determines the Pauli operations on the sent quantum state to obtain the final and correct outcome of the computation. The client performs the required operations on individual qubits of the quantum state and gets the output of his computation.
The Client uses skL, which was not used to create any gadget (Gadgets used 0-(L-1) secret keys only) and decrypts sent encryptions to obtain the pad key. The pad key thus obtained determines the Pauli operations on the sent quantum state to obtain final and correct outcome of the computation. Client performs the required operations on individual qubits of the quantum state and gets the output of his computation.
 
==Requirements==
*'''Network Stage:''' [[:Category:Quantum Memory Network Stage|Quantum Memory]] [[Category:Quantum Memory Network Stage]]
*'''Required Network Parameters:'''
**'''<math>\epsilon_j</math>''', which measures the error due to noisy operations.
**Number of communication rounds
**Circuit depth
**Number of physical qubits used
*Client should be able to generate and store entanglement in order to make quantum gadgets, perform [[Glosssary#Bell State Measurement|Bell measurement]], perform [[quantum one time pad]], process and store classical quantum states.
*Quantum offline channel
*Classical offline channel
*A classical HE scheme is required
*Server should be able to store entangled states, perform all Clifford and T gates.
 
==Knowledge Graph==
 
{{graph}}


== Figure==
==Properties ==
* ''Indistinguishability under Chosen Plaintext Attacks by an adversary with quantum computational powers(q-IND-CPA).'' If FHE is q-IND-CPA secure then this protocol is q-IND-CPA secure. It means that an adversary cannot distinguish between ciphertext from a message and a ciphertext from an arbitrary quantum state such as <math>|0\rangle \langle 0|</math>
== Notations ==
* ''Correctness.'' This protocol is perfectly correct such that,<br/>
<math>Pr[QFHE.Dec_{s_k}(QFHE.Eval^C_{evk}(HE.Enc_{p_k}(x)))\neq C(x)] \le \eta(k)</math><br/>
, where <math>\eta_k</math> is a negligible function.Note that, negligible function $\eta(n)$ is a function such that for every positive integer d, <math>\eta(n) < 1/n^d</math>, for big enough n. This means that if the protocol is followed it results in the same output as when the circuit is operated on the input states directly with overwhelming probability.
* ''Compactness.'' If HE is compact then this protocol is compact. The complexity of applying QFHE.Dec on the results of QFHE.Eval is at most p(k), where p(k) is a polynomial dependent only on the security parameter k. This implies that decryption is independent of the size of the quantum circuit for evaluation.
* ''Circuit Privacy.'' This protocol is not circuit private as it does not guarantee that the client cannot gain information about the circuit evaluated i.e. the circuit is not private to one party and unknown to another. It can make the circuit private to the evaluator (Server) and hidden from the Client apart from the necessary leakage the output states gives if one uses circuit private HE for the protocol.
• ''Full Homomorphism.'' This scheme is fully homomorphic for circuits with polynomial sized T gates


* {pki,ski,evki}, ith homomorphic key set generated from HE.KeyGen(). Public key for encryption, secret key for decryption, evaluation function key, respectively for given k, the security parameter.
== Notation ==
* Γpki+1(ski), Gadget using ith secret key (ski) and encrypted by (i + 1)th public key (pki+1)
* <math>\mathrm{k}</math>, security parameter
* σ, single qubit state
* <math>\mathrm{L}</math>, number of T gates in the evaluation circuit
* ρ = |ψihψ|, here ρ is the density matrix of quantum state |ψi
* <math>\mathrm{n}</math>, dimension of input qubit
* ρ, n-qubit input state, where n is determined by the Client
* <math>\mathrm{{pk_i,sk_i,evk_i}}</math>, <math>\mathrm{i_{th}}</math> homomorphic key set generated from HE.KeyGen(). Public key for encryption, secret key for decryption, evaluation function key, respectively for given k, the security parameter.
* ρ(HE.Encpk(a)), a is encrypted with public key pk and is represented by density matrix ρ
* <math>\Gamma_{pk_{i+1}}(\mathrm{sk_i})</math>, Gadget using <math>\mathrm{i_th}</math> secret key (<math>sk_i</math>) and encrypted by <math>\mathrm{(i + 1)_{th}}</math> public key (<math>\mathrm{pk_{i+1}}</math>)
* <math>\sigma</math>, single qubit state
* <math>\rho=|\psi\rangle\langle\psi|</math>, here <math>\rho</math> is the density matrix of quantum state <math>|\psi\rangle</math>
* <math>\rho</math>, n-qubit input state, where n is determined by the Client
* <math>\rho</math>(HE.Encpk(a)), a is encrypted with public key pk and is represented by density matrix ρ
* p, location of inverse phase gate
* p, location of inverse phase gate
* x,z measurement outcome sets of Client for her Bell Pair measurements.
* x,z measurement outcome sets of Client for her Bell Pair measurements.
* x’,z’ measurement outcome sets of Server for his Gadget measurement.
* <math>x',z'</math> measurement outcome sets of Server for his Gadget measurement.
* [i], resulting ciphertext one gets for an input ith element of array x or ith bit of key x after the Encrypting it with ith of public key string, pk.
* <math>\tilde{x}^{[i]}</math>, resulting ciphertext one gets for an input <math>i^{th}</math> element of array x or <math>i^{th}</math> bit of key x after the Encrypting it with <math>i^{th}</math> of public key string, pk.
 
== Properties ==
 
===Adversarial Assumption===
* This protocol is secure against honest but curious adversary setting
===Setup Assumptions===
* A one time quantum channel from Client to Server
* A one time quantum channel from Server to Client
*      The circuit has polynomial number of T-Gates.
===Parameters===
* k, security parameter
* L, number of T gates in the evaluation circuit
* n, dimension of input qubit
===Security Claim/ Theorems===
* Indistinguishability under Chosen Plaintext Attacks by adversary with quantum computational powers(q-IND-CPA) If FHE is q-IND-CPA secure then this protocol is q-IND-CPA secure. It means that an adversary cannot distinguish between ciphertext from a message and a ciphertext from an arbitrary quantum state such as |0ih0|
* Correctness This protocol is perfectly correct such that,<br/>
Pr[QFHE.Decsk(QFHE.EvalevkC (HE.Encpk(x))) 6= C(x)] ≤ η(k)<br/>
, where ηk is a negligible function . This means that if the protocol is followed it results the same output as when circuit is operated on the input states directly with overwhelming probability.
* Compactness If HE is compact then this protocol is compact. The complexity of applying QFHE.Dec on the results of QFHE.Eval is at most p(k), where p(k) is a polynomial dependent only on the security parameter k. This implies that decryption is independent of the size of quantum circuit for evaluation.
* Circuit Privacy This protocol does not guarantee that client cannot gain information about the circuit evaluated.


== Pseudo-Code==
==Protocol Description==
===Stage 1 Client’s Preparation===
===Stage 1 Client’s Preparation===
   
   
'''Key Generation (QFHE.KeyGen(1k,1L))'''
'''Key Generation (QFHE.KeyGen(1k,1L))'''
*Input: No. of T gates (L), Security Parameter (k),
*Input: No. of T gates (L), Security Parameter (k),
*Output: L+1 evaluation keys (encrypted Gadgets, classical HE evaluation key), L+1 public keys, L+1 secret keys
*Output: L+1 evaluation keys (encrypted Gadgets, classical HE evaluation key), L+1 public keys, L+1 secret keys
# For i = 0 to L
# For i = 0 to L
##Client executes (pki,ski,evki) HE.KeyGen() to obtain L + 1 independent classical homomorphic key sets.
## Client executes <math>(pk_i, sk_i, evk_i) \leftarrow \text{HE.KeyGen}(1^{\kappa})</math> to obtain <math>L+1</math> independent classical homomorphic key sets.
# She sets the public key to be the tuple ( .
# She sets the public key to be the tuple <math>(pk_i)_{i = 0}^{L}</math>.
# She sets the secret key to be the tuple ( .
# She sets the secret key to be the tuple <math>(sk_i)_{i = 0}^{L}</math>.
# For i = 0 to L 1
# For i = 0 to L-1
##Client runs the procedure QFHE.GenGadgetpki+1(ski) to create the gadget Γpki+1(ski).
## Client runs the procedure <math>\text{QFHE.GenGadget}_{pk_{i+1}}(sk_i)</math> to create the gadget <math>\Gamma_{pk_{i+1}}(sk_i)</math>.  
# Client sets the evaluation key to be the set of all gadgets created in the previous step (including their encrypted classical information), plus the tuple ( . The resulting evaluation key is the classical-quantum (CQ) state {missing math}
# Client sets the evaluation key to be the set of all gadgets created in the previous step (including their encrypted classical information), plus the tuple <math>(evk_i)_{i=0}^L</math>. The resulting evaluation key is the classical-quantum (CQ) state</br><math>\bigotimes_{i = 0}^{L-1}\Big(\Gamma _{pk_{i+1}}(sk_i)\otimes |evk_i\rangle \langle evk_i|)</math>
   
   
'''Encryption(QFHE.Enc())'''
'''Encryption(QFHE.Enc())'''
*Input: Quantum Input state density matrix (ρ) (say composed of n single qubit states, σ)
*Input: Quantum Input state density matrix (<math>\rho</math>) (say composed of n single qubit states, <math>\sigma</math>)
*Output: Encrypted pad keys: {[0]...[n], ˜b[i]...˜b[n]}; QOTP state: Xa[1]Zb[1].....⊗Xa[n]Zb[n]ρZb[1]Xa[1]..... ⊗ Xa[n]Zb[n]
*Output: Encrypted pad keys:<math>\{\tilde{a}^{[0]}...\tilde{a}^{[n]}</math>,<math>\tilde{b}^{[i]}...\tilde{b}^{[n]}\}</math>; QOTP state: <math>X^{a^{[1]}}Z^{b^{[1]}}\otimes.....\otimes X^{a^{[n]}}Z^{b^{[n]}}\rho Z^{b^{[1]}}X^{a^{[1]}}\otimes.....\otimes X^{a^{[n]}}Z^{b^{[n]}}</math>
 
# For i=1 to n
# For i=1 to n
## Client chooses pad keys a,b  
## Client chooses pad keys a,b <math>\epsilon_R\{0,1\}</math>
## She quantum one time pads the single qubit by applying XaZb on the single qubit state. XaZbσZbXa ← σ
## She quantum one time pads the single qubit by applying $X^aZ^b$ on the single qubit state. <math>X^aZ^b\sigma Z^bX^a\leftarrow\sigma</math>
## She encrypts the pad keys using one bit for each of a and b from the public key string pk0 using HE.Enc. (˜  )=(HE.Enc ),HE.Enc  
## She encrypts the pad keys using one bit for each of a and b from the public key string <math>pk_0</math> using HE.Enc. (<math>\tilde{a}^{[i]},\tilde{b}^{[i]}</math>)=(HE.Enc<math>_{pk_0^{[i]}}(a^{[i]}</math>),HE.Enc<math>_{pk_0^{[i]}}(b^{[i]}))\leftarrow</math> (a,b)
## She apprehends encrypted pad keys to the one time padded quantum state to obtain CQ state,
## She apprehends encrypted pad keys to the one time padded quantum state to obtain CQ state,  
# Client sends encryptions (˜a[i],˜b[i]) and the quantum one time padded (QOTP) state Xa[1]Zb[1] ..... ⊗ Xa[n]Zb[n]ρZb[1]Xa[1] ..... ⊗ Xa[n]Zb[n], for all i to the Server with the evaluation keys and public keys.
<math>\sum_{a,b\epsilon\{0,1\}}\frac{1}{4}\rho(HE.Enc_{pk_0^{[i]}}(a^{[i]}),HE.Enc_{pk_0^{[i]}}(b^{[i]}))\otimes X^aZ^b\sigma Z^bX^a</math>
'''Gadget Construction (QFHE.GenGadgetpki+1(ski))'''
#Client sends encryptions (<math>\tilde{a}^{[i]},\tilde{b}^{[i]}</math>) and the quantum one time padded (QOTP) state<math> X^{a^{[1]}}Z^{b^{[1]}}\otimes.....\otimes X^{a^{[n]}}Z^{b^{[n]}}\rho Z^{b^{[1]}}X^{a^{[1]}}\otimes.....\otimes X^{a^{[n]}}Z^{b^{[n]}} \forall i</math>, to the Server with the evaluation keys and public keys.
# Generate 4m EPR pairs (  
'''Gadget Construction (<math>\text{QFHE.GenGadget}_{pk_{i+1}}(sk_i)</math>)'''
# Choose 2m pairs using sk
# Generate <math>4m</math> EPR pairs (<math>|\phi\rangle=\frac{1}{\sqrt{2}}(00+11))</math>, <math>\{(a_1,b_1),...,(a_{4m},b_{4m})\}</math>
## If (sk = 0) then {(a1,a2),(a2,a3),...,(a4m−1,a4m)} ii. If (sk = 1) then {(a1,a3),(a2,a4),...,(a4m−2,a4m)}
# Choose <math>2m</math> pairs <math>\epsilon \{a_1, a_2,....,a_{4m}\}</math> using sk
# For j=1 to 2m,
## If <math>(sk=0)</math> then <math>\{(a_1,a_2),(a_2,a_3),...,(a_{4m-1},a_{4m})\}</math>
## Choose p[j]  
## If <math>(sk=1)</math> then <math>\{(a_1,a_3),(a_2,a_4),...,(a_{4m-2},a_{4m})\}</math>
## Perform Bell Measurement on jth pair with an extra (P†)p operation, get outcomes (x[j],z[j])
# For j=1 to 2m,  
## Thus, new EPR pairs are{missing math}<br/>If (sk = 0) then {(b1,b2),(b2,b3),...,(b4m−1,b4m)}<br/>If (sk = 1) then {(b1,b3),(b2,b4),...,(b4m−2,b4m)}<br/>Denote the 2m entangled pairs be denoted by {(s1,t1),(s2,t2),...,(s2m,t2m)}, such that<br/>
## Choose p[j] <math>\epsilon_R \{0,1\}</math>
###The classical information of gadget be g(sk)= ({(s1,t1),(s2,t2),...,(s2m,t2m),p,sk}.<br/>
## Perform Bell Measurement on <math>j^{th}</math> pair with an extra <math>(P^\dagger)^p</math> operation, get outcomes (x[j],z[j])
###The quantum state of gadget can be written as {missing math}
## Thus, new EPR pairs are
# Encrypt (x[j],z[j]), p[j] for all j and sk using pki+1. Resulting Gadget is the classical-quantum (CQ) state,{missing math}
### If <math>(sk=0)</math> then <math>\{(b_1,b_2),(b_2,b_3),...,(b_{4m-1},b_{4m})\}</math>
### If <math>(sk=1)</math> then <math>\{(b_1,b_3),(b_2,b_4),...,(b_{4m-2},b_{4m})\}</math>
## Denote the <math>2m</math> entangled pairs be denoted by <math>\{(s_1,t_1),(s_2,t_2),...,(s_{2m},t_{2m})\}</math>, such that
## The classical information of gadget be g(sk)<math>=(\{(s_1,t_1),(s_2,t_2),...,(s_{2m},t_{2m}),p,sk\}</math>.
## The quantum state of gadget can be written as <math>\gamma_{x,z}(g(sk))=\pi_{j=1}^mX^{x[i]}Z^{z[i]}(P^\dagger){p[i]}|\phi\rangle\langle\phi|_{s_jt_j}(P^\dagger){p[i]}Z^{z[i]}X^{x[i]}</math>
# Encrypt (x[j],z[j]), p[j] for all j and sk using <math>pk_{i+1}</math>. Resulting Gadget is the classical-quantum (CQ) state,
<math>\Gamma_{pk_{i+1}}(sk_i)=\rho(HE.Enc_{pk_{i+1}}(g(sk))\otimes \frac{1}{2^{2m}}\sum_{x,z\epsilon\{0,1\}^m}\rho(HE.Enc_{pk_{i+1}}(x,z)\otimes \gamma_{x,z}(g(sk))</math>


=== Stage 2 Server’s Computation===
=== Stage 2 Server’s Computation===
'''Circuit Evaluation (QFHE.Eval())'''
'''Circuit's Evaluation (QFHE.Eval())'''
*Input: public key tuple ( , Evaluation key tuple, Encrypted Pad key ({[0]...[n], ˜b[i]...˜b[n]}), QOTP Input State (Xa[1]Zb[1] ..... ⊗ Xa[n]Zb[n]ρZb[1]Xa[1] ..... ⊗ Xa[n]Zb[n])
*'''Input:''' public key tuple <math>(pk_i)_{i = 0}^{L}</math>, Evaluation key tuple, Encrypted Pad key (<math>\{\tilde{a}^{[0]}...\tilde{a}^{[n]}</math>, <math>\tilde{b}^{[i]}...\tilde{b}^{[n]}\}</math>), QOTP Input State (<math> X^{a^{[1]}}Z^{b^{[1]}}\otimes.....\otimes X^{a^{[n]}}Z^{b^{[n]}}\rho Z^{b^{[1]}}X^{a^{[1]}}\otimes.....\otimes X^{a^{[n]}}Z^{b^{[n]}}</math>)</br>
*Output: QOTP Circuit Output State (Xa0[1]Zb0[1].....⊗Xa0[k]Zb0[k]ρ0Zb0[1]Xa0[1].....⊗Xa0[k]Zb0[k]), Corresponding Encrypted Pad key (a˜0,b˜0)=(HE.EvalCevkL(),HE.EvalCevkL(˜b))
*'''Output:''' QOTP Circuit Output State (<math> X^{a'^{[1]}}Z^{b'^{[1]}}\otimes.....\otimes X^{a'^{[k]}}Z^{b'^{[k]}}\rho' Z^{b'^{[1]}}X^{a'^{[1]}}\otimes.....\otimes X^{a'^{[k]}}Z^{b'^{[k]}}</math>), Corresponding Encrypted Pad key (<math>\tilde{a'},\tilde{b'}</math>)=(HE.Eval<math>_{evk_L}^\text{C}(\tilde{a}</math>),HE.Eval<math>_{evk_L}^\text{C}(\tilde{b}</math>))</br></br>
Let the Circuit be denoted by C and the gates be ci
Let the Circuit be denoted by C and the gates be <math>c_i</math>
# For all i, ci gate is applied on qubit m and the mth bits of pad key (˜a[m],˜b[m]) are updated to
# For all i, <math>c_i</math> gate is applied on qubit m and the <math>m_{th}</math> bits of pad key <math>(\tilde {a}^{[m]},\tilde{b}^{[m]})</math> are updated to <math>(\tilde {a}'^{[m]},\tilde{b}'^{[m]})</math> as follows.  
(a˜0[m],˜b0[m]) as follows.
## If <math>c_i=\{P,H,CNOT\}</math>, a Clifford gate then <math>c_iX^{a^{[m]}}Z^{b^{[m]}}\psi=X^{a'^{[m]}}Z^{b'^{[m]}}c_i\psi</math>)
## If ci = {P,H,CNOT}, a Clifford gate then (ciXa[m]Zb[m]ψ = Xa0[m]Zb0[m]ciψ)
### if <math>c_i=</math>H then: <math>(\tilde {a}^{[m]},\tilde{b}^{[m]})\rightarrow (\tilde{b}^{[m]},\tilde{a}^{[m]})</math> (Hadamard tranforms X gate into Z and Z into X)
### if ci =H then{missing math} (Hadamard tranforms X gate into Z and Z into X)
### if <math>c_i=</math>P then: <math>(\tilde {a}^{[m]},\tilde{b}^{[m]})\rightarrow (\tilde{a}^{[m]},\tilde{a}^{[m]}\oplus\tilde{b}^{[m]})</math>
### if ci =P then<br/>{missing math}
### if <math>c_i=</math>CNOT with m as target bit and n as control bit then: <math>(\tilde {a}^{[m]},\tilde{b}^{[m]};\tilde {a}^{[n]},\tilde{b}^{[n]})\rightarrow (\tilde {a}^{[m]},\tilde{b}^{[m]}\oplus \tilde {b}^{[n]};\tilde{a}^{[m]}\oplus \tilde {a}^{[n]},\tilde{b}^{[n]})</math>
###if ci =CNOT with m as target bit and n as control bit then (CNOT)<br/>([m],˜b[m];˜a[n],˜b[n]) ([m],˜b[m] ⊕˜b[n];˜a[m] ⊕a˜[n],˜b[n])
## If <math>c_i=T_j</math> gate then: <math> (T_jX^{a^{[m]}}Z^{b^{[m]}}\psi=P^{a^{[m]}}X^{a^{[m]}}Z^{b^{[m]}}T_j\psi)</math>
## If ci = Tj gate then (TjXa[m]Zb[m]ψ = Pa[m]Xa[m]Zb[m]Tjψ)
###'''Generate Measurement''' M<math>\leftarrow</math> QFHE.GenMeasurement(<math>\tilde {a}^{[m]},\Gamma_{pk_{j+1}}(sk_j),evk_j)</math>
### Generate Measurement<br/>M← QFHE.GenMeasurement(˜a[m],Γpkj+1(skj),evkj)<br/>
###'''Gadget Correction'''<math>(X^{a'^{[m]}}Z^{b'^{[m]}}T_j)\psi\leftarrow</math> QFHE.Measurement(M, <math>P^{a^{[m]}}X^{a^{[m]}}Z^{b^{[m]}}T_j\psi)</math>
### Gadget Correction<br/>(Xa0[m]Zb0[m]Tj)ψ ← QFHE.Measurement(M, Pa[m]Xa[m]Zb[m]Tjψ);<br/> Server gets measurement outcome x’,z’
### Server gets measurement outcome x',z'
### Recryption Server recrypts one-pad key using pkk+1<br/>QFHE.Recpkk+1([m],˜b[m]).<br/>
###'''Recryption''' Server recrypts one-pad key using pk<math>_{k+1}</math> (<math>\tilde {a''}^{[m]},\tilde{b''}^{[m]})\leftarrow</math> QFHE.Rec<math>_{pk_{k+1}}(\tilde {a}^{[m]},\tilde{b}^{[m]})</math>
##Server updates the recrypted key using x,z and x’,z’.
### Server updates the recrypted key using x,z and x',z'. (<math>\tilde {a'}^{[m]},\tilde{b'}^{[m]})\leftarrow (\tilde {a''}^{[m]},\tilde{b''}^{[m]}</math>)
## Server sends the updated encryption and QOTP output state to Client.
## Server sends the updated encryption and QOTP output state to Client.
 
===Stage 3 Client’s Correction===
===Stage 3 Client’s Correction===
'''Decryption (QFHE.Dec())
'''Decryption (QFHE.Dec())
*Input: QOTP Circuit Output State (Xa0[1]Zb0[1] ..... ⊗ Xa0[k]Zb0[k]ρ0Zb0[1]Xa0[1] ..... ⊗Xa0[k]Zb0[k]), Corresponding Encrypted Pad key (a˜0,b˜0)
*'''Input:''' QOTP Circuit Output State (<math> X^{a'^{[1]}}Z^{b'^{[1]}}\otimes.....\otimes X^{a'^{[k]}}Z^{b'^{[k]}}\rho' Z^{b'^{[1]}}X^{a'^{[1]}}\otimes.....\otimes X^{a'^{[k]}}Z^{b'^{[k]}}</math>), Corresponding Encrypted Pad key (<math>\tilde{a'},\tilde{b'}</math>)
*Output: Final outcome of the computation CρC† = ρ0 (a) Client uses skL to restore the pad key from sent encryption. (a0[i],b0[i])=(HE.Dec [i](a0[i]),HE.Dec [i](b0[i]))
*'''Output:''' Final outcome of the computation C<math>\rho</math>C<math>^\dagger=\rho'</math>
# Client uses skL to restore the pad key from sen encryption
# Client uses <math>sk_L</math> to restore the pad key from sent encryption: (<math>{a'}^{[i]},{b'}^{[i]}</math>)=(HE.Dec<math>_{sk_L^{[i]}}(a'^{[i]}</math>),HE.Dec<math>_{pk_L^{[i]}}(b'^{[i]}))</math>
# Client uses pad key and operates Xa Zb on single qubits i separately just like encryption.<br/>Let single qubit representation of the output state be Xa0[i]Zb0[i]σ0Zb0[i]Xa0[i], then operation of Pauli X,Z gates as above yields σ0
# Client uses pad key and operates <math>X^{a'^{[i]}}Z^{b'^{[i]}}</math> on single qubits i separately just like encryption.  
# Client repeats this for all single qubits and hence gets the quantum state ρ0, final outcome of the computation.
##Let single qubit representation of the output state be <math>X^{a'^{[i]}}Z^{b'^{[i]}}\sigma' Z^{b'^{[i]}}X^{a'^{[i]}}</math>, then operation of Pauli X,Z gates as above yields <math>\sigma'</math>
 
# Client repeats this for all single qubits and hence gets the quantum state <math>\rho'</math>, final outcome of the computation.
== References ==


==Further Information==


== Requirements ==
<div style='text-align: right;'>''*contributed by Shraddha Singh''</div>

Latest revision as of 15:37, 16 October 2019

This example protocol achieves the functionality of Secure Client- Server Delegated Computation by a method which involves quantum offline and classical offline communication, called Quantum Fully Homomorphic Encryption (QFHE). Offline communication means there is exchange of information is not required throughout the protocol but only once at the start or end of the protocol. It allows the Client to encrypt quantum data in such a way that Server can carry out any arbitrary quantum computations on the encrypted data without having to interact with the encrypting party. It hides the output and input of the computation while Server is allowed to choose the unitary operation for required computation. Thus, the circuit is known to the Server while efforts can be made to hide it from the encrypting party i.e. Client. Based on the existence of classical Homomorphic Encryption (HE) scheme, it comes with properties of correctness, compactness and full homomorphism. QFHE can be used to keep the circuit private to the Server and hidden from the Client unlike UBQC where the circuit is private to the Client and hidden from the Server.

Tags: Two Party,Universal Task, Quantum Functionality, Secure Delegated Quantum Computation, Quantum Offline Communication, Classical Offline Communication, Entanglement, Quantum Gadgets, Garden Hose Model, Prepare and Send Verifiable Quantum Fully Homomorphic Encryption, Classical Fully Homomorphic Encryption for Quantum Circuits.

Assumptions[edit]

  • This protocol is secure against malicious adversary setting
  • One cannot decrypt the ciphertext without performing the Evaluation step
  • A one-time quantum channel from Client to Server
  • A one-time quantum channel from Server to Client
  • The circuit has a polynomial number of T-Gates.

Outline[edit]

Homomorphic Encryption (HE) schemes can be divided into four stages: Key Generation generates keys for encryption, decryption, and evaluation of the circuit, Encryption encodes the input into a ciphertext using encryption key, Homomorphic Evaluation performs operations (implements the circuit) on the encrypted input using evaluation key and Decryption transforms result of the ciphertext to actual outcome of the circuit using decryption key. This protocol requires Client to prepare and send the quantum states to Server, hence the name, Prepare and Send QFHE. A QFHE scheme is fundamentally different from classical FHE in the aspect that an evaluation key is allowed to be a quantum state in the former case. Also, in the last step decryption for FHE is carried out subsystem by subsystem. This cannot be correct for QFHE as quantum states can be entangled, hence decryption should be carried out on the system as a whole. The QFHE version of encryption is based on quantum one-time pad i.e. randomly applying a Pauli Gate (X, Y, Z, I) in order to hide the input. A Fully Homomorphic Encryption can implement Universal Gates (a set of gates which can implement any quantum circuit). Most of the gates in this set work well with QOTP while for T gates one needs an additional gadget, in order to implement any arbitrary circuit and make the scheme Fully Homomorphic. This adds an additional step called ”Gadget Construction” during Key Generation Stage in this protocol

  • Key Generation (QFHE.KeyGen())

This step generates homomorphic key sets consisting of the classical public key for encryption, a classical private key for decryption and a quantum evaluation key for operation on the encrypted input state. If the circuit involves L T gates, Client needs L+1 such key sets for L gadgets and one input state. The Client uses the classical HE Key Generation (HE.KeyGen) to get classical key sets. She stores all the public keys and secret keys in two separate sets (tuples). Quantum evaluation keys consist of the classical evaluation keys and L gadgets. Once constructed, the gadget is also encrypted using all public keys except the first one by the Client. As construction of gadgets takes secret keys (first L) as inputs, the public key used for its encryption should not belong to the same homomorphic key set used to construct the gadget. A classical description of the gadget, useful for evaluation is also encrypted and included in the gadget. Construction and encryption of gadgets is described in the last step.

    • Gadget Construction This step involves the construction of gadgets to correct any additional phase gate error on the input due to T gates in the circuit. If there are L T gates in the Circuit, one needs L Gadgets constructed using L private keys and then encrypted using L public keys. The public key used for encryption should not belong to the same homomorphic key set of the private key used for construction. A gadget consists of 2m EPR pairs (maximally entangled qubits). The client starts with 4m such pairs. Performs pairwise Bell measurement on one-half of the EPR pairs. Pairs for Bell measurement are chosen according to the private decryption key used for the particular gadget. This leaves the other half of the EPR pairs entangled in the same pairs as chosen by Client to perform bell measurement. E.g. if (a,b) and (c,d) denote two EPR pairs and one performs bell measurement on a and c, then b and d become maximally entangled with some extra Pauli X, Z corrections due to measurement. These corrections are determined by Client’s measurement outcomes according to one pad key. The resulting gadget thus has 2m EPR pairs, some of which have an inverse phase gate. Classical information of a gadget includes private key used, Client’s measurement outcomes and locations of inverse phase gates. This data is encrypted with the public key. Hence, L such gadgets consisting of encrypted classical information and 2m EPR pairs quantum one-time padded by the Pauli X, Z gates, are sent to the server.

Finally, Client stores all the gadgets with the classical evaluation key of the corresponding secret key (generated from HE.KeyGen) used to construct the gadget, as the set of quantum evaluation keys. Note that, the gadgets are quantum states and classical evaluation keys are random numbers, the resulting quantum evaluation key is what we call a classical-quantum (CQ) state.

  • Encryption (QFHE.Enc()) This step is used to encrypt the quantum input into a quantum cipher-text (secret text) using the first public key which has not been used for gadget construction. Every input qubit state is quantum one time padded by the Client, using two classical random bits, one of which decided the operation of Pauli-X and the other operation of Pauli-Z gate on the qubit state. She also encrypts the classical random bits (called pad key) with the same public key using classical HE (HE.Enc) and hence stores it with the corresponding encrypted qubit state as a classical-quantum state. She then sends this CQ state, encrypted pad key, public key tuple, and evaluation key tuple to Server.
  • Circuit Evaluation (QFHE.Eval()) This step operates the circuit on the encrypted input state and updates the encrypted classical information using the evaluation key. As stated earlier, any circuit can be implemented using a set of Universal Gates. This set consists of Clifford Gates and T gates.

The Clifford group gates may affect a single qubit or multiple qubits but they follow a simple set of rules for updation of the encrypted classical information (pad key), given in the pseudocode. The server operates the circuit and with each gate in the circuit, it updates the encrypted classical description.
On the other hand, T gates affect only single qubits but one needs to make use of the gadgets constructed during key generation. The issue with T gates is that it adds an additional Phase gate (P) depending on the classical random bit used for QOTP in the previous step. As P gates do not commute like Pauli-X and Pauli-Z, so they need to be corrected before applying the next gate by the Server. This would reveal the pad key used for QOTP to the Server. Hence, to avoid this, the Client constructed gadgets, which apply an Inverse Phase operator or Identity on a qubit after every T-Gate, depending on the encrypted bit without leaking any information about the pad key. Thus, after applying a T gate on a qubit, P error is removed using a gadget as follows. Out of 2m EPR pairs, some qubits are measured pairwise including the input qubit with/without error and excluding one qubit entangled with one of the measured qubits. Input qubit is thus, transferred to this last unmeasured qubit, according to one-bit teleportation. Following are the steps to get the correct output qubit.

  • Generate Measurement (QFHE.GenMeasurement()) The encrypted one pad key bit which determines phase gate error and the classical information of the gadget is used to determine a measurement order. Private key tells which qubits are entangled, thus, using the location of inverse phase gates, the qubits needed to be measured are decided. If one-pad key bit indicates a phase error then the measurement order of qubits includes an EPR pair with a phase gate else not.
  • Gadget Correction (QFHE.Measurement()) Server performs the required measurements. The last unmeasured qubit is corrected input qubit. The qubit is one time padded with pad key determined by Client’s measurement outcomes, encrypted with the public key used for the gadget and Server’s measurement outcomes. Hence, it is still hidden from the Server.
  • Recryption (QFHE.Rec()) Server recrypts pad key of the qubit with the same public key that encrypts the corrected output state i.e. the one used for the corresponding gadget. Then, he updates the encrypted pad key according to the T Gate (similar to what is done for the Clifford Gate), Client’s encrypted measurement outcomes and Server’s (his) measurement outcomes.

The server performs all the Clifford and T gates in the circuit following the respective procedure given above. Finally, he is left with the one time padded quantum output of the computation together with the required classical pad key encrypted with the public key of the gadget used for the last T gate, the last public key in the set. The server sends both the quantum state and classical encryptions to the Client.

  • Decryption (QFHE.Dec()) The Client uses the last secret key in the set, which was not used to create any gadget (Gadgets used 0-(L-1) secret keys only) and decrypts sent encryptions to obtain the pad key. The pad key thus obtained determines the Pauli operations on the sent quantum state to obtain the final and correct outcome of the computation. The client performs the required operations on individual qubits of the quantum state and gets the output of his computation.

Requirements[edit]

  • Network Stage: Quantum Memory
  • Required Network Parameters:
    • , which measures the error due to noisy operations.
    • Number of communication rounds
    • Circuit depth
    • Number of physical qubits used
  • Client should be able to generate and store entanglement in order to make quantum gadgets, perform Bell measurement, perform quantum one time pad, process and store classical quantum states.
  • Quantum offline channel
  • Classical offline channel
  • A classical HE scheme is required
  • Server should be able to store entangled states, perform all Clifford and T gates.

Knowledge Graph[edit]

Properties[edit]

  • Indistinguishability under Chosen Plaintext Attacks by an adversary with quantum computational powers(q-IND-CPA). If FHE is q-IND-CPA secure then this protocol is q-IND-CPA secure. It means that an adversary cannot distinguish between ciphertext from a message and a ciphertext from an arbitrary quantum state such as
  • Correctness. This protocol is perfectly correct such that,


, where is a negligible function.Note that, negligible function $\eta(n)$ is a function such that for every positive integer d, , for big enough n. This means that if the protocol is followed it results in the same output as when the circuit is operated on the input states directly with overwhelming probability.

  • Compactness. If HE is compact then this protocol is compact. The complexity of applying QFHE.Dec on the results of QFHE.Eval is at most p(k), where p(k) is a polynomial dependent only on the security parameter k. This implies that decryption is independent of the size of the quantum circuit for evaluation.
  • Circuit Privacy. This protocol is not circuit private as it does not guarantee that the client cannot gain information about the circuit evaluated i.e. the circuit is not private to one party and unknown to another. It can make the circuit private to the evaluator (Server) and hidden from the Client apart from the necessary leakage the output states gives if one uses circuit private HE for the protocol.

Full Homomorphism. This scheme is fully homomorphic for circuits with polynomial sized T gates

Notation[edit]

  • , security parameter
  • , number of T gates in the evaluation circuit
  • , dimension of input qubit
  • , homomorphic key set generated from HE.KeyGen(). Public key for encryption, secret key for decryption, evaluation function key, respectively for given k, the security parameter.
  • , Gadget using secret key () and encrypted by public key ()
  • , single qubit state
  • , here is the density matrix of quantum state
  • , n-qubit input state, where n is determined by the Client
  • (HE.Encpk(a)), a is encrypted with public key pk and is represented by density matrix ρ
  • p, location of inverse phase gate
  • x,z measurement outcome sets of Client for her Bell Pair measurements.
  • measurement outcome sets of Server for his Gadget measurement.
  • , resulting ciphertext one gets for an input element of array x or bit of key x after the Encrypting it with of public key string, pk.

Protocol Description[edit]

Stage 1 Client’s Preparation[edit]

Key Generation (QFHE.KeyGen(1k,1L))

  • Input: No. of T gates (L), Security Parameter (k),
  • Output: L+1 evaluation keys (encrypted Gadgets, classical HE evaluation key), L+1 public keys, L+1 secret keys
  1. For i = 0 to L
    1. Client executes to obtain independent classical homomorphic key sets.
  2. She sets the public key to be the tuple .
  3. She sets the secret key to be the tuple .
  4. For i = 0 to L-1
    1. Client runs the procedure to create the gadget .
  5. Client sets the evaluation key to be the set of all gadgets created in the previous step (including their encrypted classical information), plus the tuple . The resulting evaluation key is the classical-quantum (CQ) state

Encryption(QFHE.Enc())

  • Input: Quantum Input state density matrix () (say composed of n single qubit states, )
  • Output: Encrypted pad keys:,; QOTP state:
  1. For i=1 to n
    1. Client chooses pad keys a,b
    2. She quantum one time pads the single qubit by applying $X^aZ^b$ on the single qubit state.
    3. She encrypts the pad keys using one bit for each of a and b from the public key string using HE.Enc. ()=(HE.Enc),HE.Enc (a,b)
    4. She apprehends encrypted pad keys to the one time padded quantum state to obtain CQ state,

  1. Client sends encryptions () and the quantum one time padded (QOTP) state, to the Server with the evaluation keys and public keys.

Gadget Construction ()

  1. Generate EPR pairs (,
  2. Choose pairs using sk
    1. If then
    2. If then
  3. For j=1 to 2m,
    1. Choose p[j]
    2. Perform Bell Measurement on pair with an extra operation, get outcomes (x[j],z[j])
    3. Thus, new EPR pairs are
      1. If then
      2. If then
    4. Denote the entangled pairs be denoted by , such that
    5. The classical information of gadget be g(sk).
    6. The quantum state of gadget can be written as
  4. Encrypt (x[j],z[j]), p[j] for all j and sk using . Resulting Gadget is the classical-quantum (CQ) state,

Stage 2 Server’s Computation[edit]

Circuit's Evaluation (QFHE.Eval())

  • Input: public key tuple , Evaluation key tuple, Encrypted Pad key (, ), QOTP Input State ()
  • Output: QOTP Circuit Output State (), Corresponding Encrypted Pad key ()=(HE.Eval),HE.Eval))

Let the Circuit be denoted by C and the gates be

  1. For all i, gate is applied on qubit m and the bits of pad key are updated to as follows.
    1. If , a Clifford gate then )
      1. if H then: (Hadamard tranforms X gate into Z and Z into X)
      2. if P then:
      3. if CNOT with m as target bit and n as control bit then:
    2. If gate then:
      1. Generate Measurement M QFHE.GenMeasurement(
      2. Gadget Correction QFHE.Measurement(M,
      3. Server gets measurement outcome x',z'
      4. Recryption Server recrypts one-pad key using pk ( QFHE.Rec
      5. Server updates the recrypted key using x,z and x',z'. ()
    3. Server sends the updated encryption and QOTP output state to Client.

Stage 3 Client’s Correction[edit]

Decryption (QFHE.Dec())

  • Input: QOTP Circuit Output State (), Corresponding Encrypted Pad key ()
  • Output: Final outcome of the computation CC
  1. Client uses to restore the pad key from sent encryption: ()=(HE.Dec),HE.Dec
  2. Client uses pad key and operates on single qubits i separately just like encryption.
    1. Let single qubit representation of the output state be , then operation of Pauli X,Z gates as above yields
  3. Client repeats this for all single qubits and hence gets the quantum state , final outcome of the computation.

Further Information[edit]

*contributed by Shraddha Singh