Classical Fully Homomorphic Encryption for Quantum Circuits: Difference between revisions

From Quantum Protocol Zoo
Jump to navigation Jump to search
No edit summary
 
(130 intermediate revisions by 3 users not shown)
Line 1: Line 1:
The example protocol [https://arxiv.org/abs/1708.02130 Mahadev (2017)] achieves the functionality of [[Secure Delegated Quantum Computation]] by a method which involves fully [[Secure Delegated Quantum Computation#Protocols#Classical Offline Communication-No Quantum Communication|classical offline]] and no [[Secure Delegated Quantum Computation#Protocols#Classical Offline Communication-No Quantum Communication|quantum communication]]. It uses only classical [[Supplementary Information#Quantum Cryptography Techniques#Quantum Capable Homomorphic Encryption|Homomorphic Encryption]] (HE) scheme to evaluate quantum circuits for classical input/input. It allows a fully classical Client to hide her data such that Server can carry out any arbitrary quantum computation on the encrypted data without having any knowledge about Client’s inputs. It hides the output and input of the computation while Server is allowed to choose the [[Supplementary Information#A General Introduction to Quantum Information#Unitary Operation|unitary operation]] (any quantum gate) for required computation. Quantum offline communication would be required if Client’s input and output is quantum.</br></br>
The [https://arxiv.org/abs/1708.02130 example protocol] achieves the functionality of [[Secure Client- Server Delegated Quantum Computation|Delegated Quantum Computation]] by a method which involves fully [[Secure Client- Server Delegated Quantum Computation#Protocols|classical offline]] and no [[Secure Client- Server Delegated Quantum Computation#Protocols|quantum communication]]. It uses only classical [[Glossary#Quantum Capable Homomorphic Encryption|Homomorphic Encryption]] (HE) scheme to evaluate quantum circuits for classical input/output. It allows a fully classical Client to hide her data such that Server can carry out any arbitrary quantum computation on the encrypted data without having any knowledge about Client’s inputs. It hides the output and input of the computation while Server is allowed to choose the [[Glossary#Unitary Operations|unitary operation]] (any quantum gate) for required computation. Quantum offline communication would be required if Client’s input and output is quantum.</br></br>
'''Tags:''' [[:Category:Two Party Protocols|Two Party]], [[:Category:Quantum Functionality|Quantum Functionality]], [[:Category:Universal Task|Universal Task]], [[Secure Delegated Quantum Computation|Secure Delegated Quantum Computation]], [[Prepare and Send Quantum Fully Homomorphic Encryption|Prepare and Send Quantum FHE]], Classical Offline Communication, [[Supplementary Information#Superposition|Superposition]], [[Supplementary Information#Trapdoor Claw-Free Functions|Trapdoor Claw-Free Functions (TCF)]], [[Supplementary Information#Learning With Errors|Learning With Errors]], [[Supplementary Information#Encrypted CNOT Operation|Encrypted CNOT Operation]].
'''Tags:''' [[:Category:Two Party Protocols|Two Party]], [[:Category:Quantum Functionality|Quantum Functionality]], [[:Category:Universal Task|Universal Task]], [[Secure Client- Server Delegated Quantum Computation]], [[Prepare and Send Quantum Fully Homomorphic Encryption|Prepare and Send Quantum FHE]], Classical Offline Communication, [[Glossary#Superposition|Superposition]], Trapdoor Claw-Free Functions, [https://en.wikipedia.org/wiki/Learning_with_errors Learning With Errors], Encrypted CNOT Operation.
[[Category:Two Party Protocols]][[Category:Quantum Functionality]][[Category:Universal Task]]
[[Category:Two Party Protocols]][[Category:Quantum Functionality]][[Category:Universal Task]]
==Assumptions==
==Assumptions==
* This protocol is secure against honest but curious adversary setting.
* This protocol is secure against honest but curious adversary setting.
* HE is a classical leveled fully homomorphic encryption scheme which is [[Supplementary Information#Quantum Cryptography Techniques#Quantum Capable Homomorphic Encryption|quantum capable]] for given depth of one layer of circuit, <math>L_c</math> (See Notations below).
* HE is a classical leveled fully homomorphic encryption scheme which is [[Glossary#Quantum Capable Homomorphic Encryption|quantum capable]] for given depth of one layer of circuit, <math>L_c</math> (See Notations below).
* A [[Supplementary Information#Complexity|BQP]] Server can generate a superposition of inputs for the encryption function over some distribution given the public key used for encryption. The protocol takes [[Supplementary Information#Security Definition|learning with errors]] assumption.
* A [https://complexityzoo.uwaterloo.ca/Complexity_Zoo:B#bqp BQP] Server (a quantum computer) can generate a superposition of inputs for the encryption function over some distribution given the public key used for encryption. The protocol takes [https://en.wikipedia.org/wiki/Learning_with_errors learning with errors] assumption.


== Outline==
== Outline==
FHE presents a classical protocol with the help of which a completely classical Client could assign Server a quantum computation for her encrypted (hidden) input/output. Similar to any classical HE this scheme is divided into four steps: Key Generation generates keys for encryption, decryption and evaluation of the circuit; Encryption encodes the input into a secret text using the encryption key generated during Key Generation; Evaluation performs operations (implements the circuit) on the encrypted input using evaluation key generated and Decryption transforms result of the evaluation step hidden in the secret text, to outcome of the circuit for Client's input using decryption key. Following the stages of [[Secure Delegated Quantum Computation]], in preparation stage, Client encrypts her input by performing [[one time pad]] to hide it from the Server, who, in the computation stage, performs quantum computation by a completely classical evaluation step. There are two kinds of gates in Quantum Computation (See Heirarchy of Quantum Gates in [[Supplementary Information]]) Clifford Gates, which consists of Hadamard gate, CNOT and Pauli gates (X, Y, Z) and Toffoli gates (any single qubit phase/rotation gate). A universal scheme can perform both these types of gates implying that it can perform any quantum operation. Now, applying [[Supplementary Information#A General Introduction to Quantum Information#Heirarchy of Quantum Gates|Clifford gates]] remains a simple step as it leaves the state with only Pauli corrections (X, Z) which are easy to handle as these gates commute with every quantum gate and hence can be shifted and cancelled out by applying corresponding inverse gate later by the Client, but when applying [[Supplementary Information#A General Introduction to Quantum Information#Heirarchy of Quantum Gates|Toffoli Gates]], it leaves the state with some Pauli corrections and Clifford gate corrections depending on the one pad key used for encryption key used by Client. Decryption key cannot deal with Clifford gate errors as they do not commute with all quantum operations and hence it needs to be corrected by applying corresponding inverse gate before the operation of next gate for computation by the Server. These Clifford gate corrections are a combination of CNOT corrections dependent on encryption key and a Hadamard correction independent of encryption key. Thus, applying Hadamard requires no extra information but CNOT gate errors require revelation of the encryption key. FHE deals with this problem via [[Supplementary Information#Quantum Cryptography Techniques#Encrypted CNOT operation|Encrypted CNOT operation]] using [[Supplementary Information#Quantum Cryptography Techniques#Trapdoor Claw-Free Function (TCF)|Trapdoor Claw-Free Function (TCF)]] without revelation of encryption key to the Server. Finally, in the Output Correction stage, Client gets her inputs and updated encryption keys to get the correct final outcome from the secret text using her decryption key. Following is an outline of the steps to illustrate the above mentioned scheme, assuming depth of circuit (see notations used) equal to L.</br>
FHE presents a classical protocol with the help of which a completely classical Client could assign Server a quantum computation for her encrypted (hidden) input/output. Similar to any classical HE this scheme is divided into four steps: Key Generation generates keys for encryption, decryption and evaluation of the circuit; Encryption encodes the input into a secret text using the encryption key generated during Key Generation; Evaluation performs operations (implements the circuit) on the encrypted input using evaluation key generated and Decryption transforms result of the evaluation step hidden in the secret text, to outcome of the circuit for Client's input using decryption key. Following the stages of [[Secure Delegated Quantum Computation]], in preparation stage, Client encrypts her input by performing [[one time pad]] to hide it from the Server, who, in the computation stage, performs quantum computation by a completely classical evaluation step. There are two kinds of gates in Quantum Computation (See [[Glossary#Hierarchy of Quantum Gates|Glossary]]) Clifford Gates, which consists of [[Glossary#Unitary Operations|Hadamard gate]], [[Glossary#Unitary Operations|CNOT]] and [[Glossary#Unitary Operations|Pauli gates (X, Y, Z)]] and Toffoli gates (any single qubit phase/rotation gate). A universal scheme can perform both these types of gates implying that it can perform any quantum operation. Now, applying [[Glossary#Hierarchy of Quantum Gates|Clifford gates]] remains a simple step as it leaves the state with only Pauli corrections (X, Z) which are easy to handle as these gates commute with every quantum gate and hence can be shifted and cancelled out by applying corresponding inverse gate later by the Client, but when applying [[Glossary#Heirarchy of Quantum Gates|Toffoli Gates]], it leaves the state with some Pauli corrections and Clifford gate corrections depending on the one pad key used for encryption key used by Client. Decryption key cannot deal with Clifford gate errors as they do not commute with all quantum operations and hence it needs to be corrected by applying corresponding inverse gate before the operation of next gate for computation by the Server. These Clifford gate corrections are a combination of CNOT corrections dependent on encryption key and a Hadamard correction independent of encryption key. Thus, applying Hadamard requires no extra information but CNOT gate errors require revelation of the encryption key. FHE deals with this problem via Encrypted CNOT operation using Trapdoor Claw-Free Function (TCF) without revelation of encryption key to the Server. Finally, in the Output Correction stage, Client gets her inputs and updated encryption keys to get the correct final outcome from the secret text using her decryption key. Following is an outline of the steps to illustrate the above mentioned scheme, assuming depth of circuit (see notations used) equal to L.</br>
The preparation stage incorporates,
The preparation stage incorporates,
* '''Key Generation:''' Client generates L+1 classical homomorphic key sets consisting of public key, evaluation key, secret key, trapdoor information (a piece of information required to invert the function used for encrypted CNOT operation, as explained in Circuit Evaluation) using HE.KeyGen() (classical HE step). Evaluation key consists of first L pairs of secret key-trapdoor information encrypted with last L public keys such that secret key-trapdoor key pair and public key do not belong to the same key set. Evaluation key also contains this public key used to encrypt the pair.
* '''Key Generation:''' Client generates <math>L+1</math> classical homomorphic key sets consisting of public key, evaluation key, secret key, trapdoor information (a piece of information required to invert the function used for encrypted CNOT operation, as explained in Circuit Evaluation) using HE.KeyGen() (classical HE step). Evaluation key consists of first L pairs of secret key-trapdoor information encrypted with last L public keys such that secret key-trapdoor key pair and public key do not belong to the same key set. Evaluation key also contains this public key used to encrypt the pair.
* '''Encryption:''' Client uses classical one time pad to hide her input and encrypts the pad key with the first public key (not used to encrypt any trapdoor-secret key pair) using HE.Enc() (classical HE step). She then sends the hidden classical input with encrypted pad key and classical evaluation key to the Server over classical channel. This step marks the end of preparation stage.</br>
* '''Encryption:''' Client uses classical one time pad to hide her input and encrypts the pad key with the first public key (not used to encrypt any trapdoor-secret key pair) using HE.Enc() (classical HE step). She then sends the hidden classical input with encrypted pad key and classical evaluation key to the Server over classical channel. This step marks the end of preparation stage.</br>
Further, the computation stage incorporates,
Further, the computation stage incorporates,
* '''Circuit Evaluation:''' Server starts with the classical one time padded states from the Client and generates the required quantum states. For each gate of the circuit that Server applies, he updates the encrypted Pauli encryption according to rules given in Pseudo code below. In case of Toffoli gate operation, an additional step is incorporated where he corrects the extra Clifford gate error performing encrypted CNOT operation and then Hadamard operation on the target qubit. This step uses evaluation key and can be explained as follows.</br>
* '''Circuit Evaluation:''' Server starts with the classical one time padded states from the Client and generates the required quantum states. For each gate of the circuit that Server applies, he updates the encrypted Pauli encryption according to rules given in Pseudo code below. In case of Toffoli gate operation, an additional step is incorporated where he corrects the extra Clifford gate error performing encrypted CNOT operation and then Hadamard operation on the target qubit. This step uses evaluation key and can be explained as follows.</br>
'''Encrypted CNOT operation''' All errors imposed by Toffoli gates can be represented using encrypted CNOT operation, a Hadamard operation and a set of Pauli gates (X, Z). All errors imposed by Clifford gates can be represented by a combination of Pauli gates. A mathematical representation of this step can be found in the [[Supplementary Information]].  
'''Encrypted CNOT operation''' All errors imposed by Toffoli gates can be represented using encrypted CNOT operation, a Hadamard operation and a set of Pauli gates (X, Z). All errors imposed by Clifford gates can be represented by a combination of Pauli gates. A mathematical representation of this step can be found in the [[Classical Fully Homomorphic Encryption for Quantum Circuits #Pseudo Code|Pseudo Code]] below.  
#'''TCF:''' This operation uses Trapdoor Claw Free function pairs which have the same image (output) for different pre-images(inputs) called 'random claw pair'. Given the image, it is rendered a hard problem to find this corresponding random claw without its trapdoor information (example, a piece of information required to invert the function). For this protocol, the HE Encryption function (HE.Enc()) is taken as one of the functions. A second function whose distribution is shifted from the previous function by a natural (homomorphic) XOR operation (a requirement for the [[Supplementary Information#Quantum cryptography Techniques#Quantum Capable Homomorphic Encryption|classical HE]] scheme used) of encrypted key bit used for that encryption function. This means, the functions have a common range such that for every image (output), the pre-images (input) for each of the functions stated above would also differ by a XOR operation of actual (not encrypted) key bit. Thus, any element in the said range set would have one pre-image in the domain set of each function, together called random claw pair. If one performs a XOR operation on the pair, the result is pad key bit. This is implied from the properties of homomorphic XOR. Thus, any pre-image pair (random claw) thus, obtained, hides the pad key (to be used later for Encrypted CNOT operation). In simple words, the above paragraph implies that if two functions are separated by encrypted pad key via a homomorphic XOR operation, their inputs for a common output (random claw pair) would be separated by the (not encrypted) pad key bit.
#'''TCF:''' This operation uses Trapdoor Claw Free function pairs which have the same image (output) for different pre-images(inputs) called 'random claw pair'. Given the image, it is rendered a hard problem to find this corresponding random claw without its trapdoor information (example, a piece of information required to invert the function). For this protocol, the HE Encryption function (HE.Enc()) is taken as one of the functions. A second function whose distribution is shifted from the previous function by a natural (homomorphic) XOR operation (a requirement for the [[Glossary#Quantum Capable Homomorphic Encryption|classical HE]] scheme used) of encrypted key bit used for that encryption function. This means, the functions have a common range such that for every image (output), the pre-images (input) for each of the functions stated above would also differ by a XOR operation of actual (not encrypted) key bit. Thus, any element in the said range set would have one pre-image in the domain set of each function, together called random claw pair. If one performs a XOR operation on the pair, the result is pad key bit. This is implied from the properties of homomorphic XOR. In simple words, the above paragraph implies that if two functions are separated by encrypted pad key via a homomorphic XOR operation, their inputs for a common output (random claw pair) would be separated by the (not encrypted) pad key bit. Thus, any pre-image pair (random claw) thus, obtained, hides the pad key (to be used later for Encrypted CNOT operation).
#'''Server's preparation''' Thus, Server creates a superposition of inputs for the functions over some distribution. Next, he creates a superposition of quantum states generated from Client's input. After applying the gates on qubits, for correction of CNOT errors, Server creates three registers. First has the superposition of single qubit states, second has the superposition of quantum states generated from Client's input while third register has the output of one of the two functions illustrated above, where the function (one of the two) is chosen according to the first register and its quantum input is taken from the second register. Hence, these registers are entangled. Server, now measures the third register which reduces second register to a random claw pair as discussed before, hiding the pad key. It is still hidden from the Server as he does not know trapdoor information to be able to know the random claw pair and he cannot compute it from the measured output as it is a hard problem.  
#'''Server's preparation''' Thus, Server creates a superposition of inputs for the functions over some distribution. Next, he creates a superposition of quantum states generated from Client's input. After applying the gates on qubits, for correction of CNOT errors, Server creates three registers. First has the superposition of quantum states generated from Client's input, second has the superposition on a distribution chosen for inputs of the function while third register has the output of one of the two functions illustrated above, where the function (one of the two) is chosen according to the first qubit of the first register and its quantum input is taken from the second register. Hence, these registers are entangled. Server, now measures the third register which reduces second register to a random claw pair as discussed before, hiding the pad key. It is still hidden from the Server as he does not know trapdoor information to be able to know the random claw pair and he cannot compute it from the measured output as it is a hard problem.  
#'''Server's Toffoli gate operation''' After some calculations it can be shown that if Server performs Hadamard operation on the second register and then measures it, the first register is reduced to corrected quantum state with some extra Pauli corrections. These final Pauli corrections require trapdoor information and measurement outcome of the second register. To perform the above operation one needs the secret text to be same throughtout the protocol and existence of a natural XOR operation. This is not known to have been achieved by a single HE together. Hence, this protocol uses AltHE (an alternate HE) which can operate XOR for encrypted CNOT operation while he uses HE for updation of Pauli keys. In order to do this, HE provides a conversion of secret text under HE to secret text under AltHE and vice versa. Thus, after encrypted CNOT operation, encrypted pad key bit and other measurement outcomes are recrypted using public key provided in the evaluation key for that step, under HE. Thus, the trapdoor information and pad key bit are encrypted under same public key. Now, using the measurement outcome and the encrypted trapdoor information with recrypted pad key, Server obtains Pauli corrections. The Server encrypts Pauli corrections under public key for corresponding layer and hence updates the recrypted pad key<br/>
#'''Server's Toffoli gate operation''' After some calculations it can be shown that if Server performs [[Glossary#Unitary Operations|Hadamard operation]] on the second register and then measures it, the first register is reduced to corrected quantum state with some extra [[Glossary#Unitary Operations|Pauli corrections]]. These final Pauli corrections require trapdoor information and measurement outcome of the second register. To perform the above operation one needs the secret text to be same throughtout the protocol and existence of a natural XOR operation. This is not known to have been achieved by a single HE together. Hence, this protocol uses AltHE (an alternate HE) which can operate XOR for encrypted CNOT operation while he uses HE for updation of Pauli keys. In order to do this, HE provides a conversion of secret text under HE to secret text under AltHE and vice versa. Thus, after encrypted CNOT operation, encrypted pad key bit and other measurement outcomes are recrypted using public key provided in the evaluation key for that step, under HE. Thus, the trapdoor information and pad key bit are encrypted under same public key. Now, using the measurement outcome and the encrypted trapdoor information with recrypted pad key, Server obtains Pauli corrections. The Server encrypts Pauli corrections under public key for corresponding layer and hence updates the recrypted pad key<br/>
#'''Server's Clifford gate operation''' Server obtains with Pauli corrections according to rules described in the Pseudo code and updates the recrypted pad key as before.</br>
#'''Server's Clifford gate operation''' Server obtains with Pauli corrections according to rules described in the Pseudo code and updates the recrypted pad key as before.</br>
* '''Decryption''' Server repeats the same procedure for each layer and at the end of last layer, sends the updated recryption of pad key and classical measurement output of the first register (containing the corrected quantum state encrypted by pad key) to Client. Client converts the pad key to another secret text using AltHE. The sent pad key is recrypted with public key of the last (<math>L_{th}</math>) evaluation key used. This is the <math>(L + 1)_{th}</math> public key. Hence, Client uses <math>(L + 1)_{th}</math> secret key (which was not included in the evaluation keys) to decrypt the updated encryption of pad key sent by the Server. She (Client) uses the resulting pad key to undo the one time pad on the sent output.
* '''Decryption''' Server repeats the same procedure for each layer and at the end of last layer, sends the updated recryption of pad key and classical measurement output of the first register (containing the corrected quantum state encrypted by pad key) to Client. Client converts the pad key to another secret text using AltHE. The sent pad key is recrypted with public key of the last (<math>L_{th}</math>) evaluation key used. This is the <math>(L + 1)_{th}</math> public key. Hence, Client uses <math>(L + 1)_{th}</math> secret key (which was not included in the evaluation keys) to decrypt the updated encryption of pad key sent by the Server. She (Client) uses the resulting pad key to undo the one time pad on the sent output.


== Notations ==
== Properties ==
*''Quantum Capable'' A classical HE is quantum capable i.e. can perform quantum computation efficiently if there exists AltHE which can execute natural XOR operations.
*''Indistinguishability under Chosen Plaintext Attacks by adversary(IND-CPA)'' The presented classical FHE scheme is CPA secure i.e. it is not possible for any polynomial time adversary to distinguish between the encrypted classical message bits 0 and 1, by learning with errors.
*''Compactness'' This protocol is compact i.e. decryption does not depend on the complexity of the quantum circuit.
*''Correctness'' Correctness is implied from the correctness of encrypted CNOT operation.
*''Circuit Privacy'' This protocol is not circuit private as both Client and Server know the quantum circuit used for performing the computation.
*''Full Homomorphism'' This protocol is fully homomorphic i.e. Server can operate any quantum circuit using this protocol.
*''Circular Security'' This protocol has a stronger notion of circular security where not only the secret key but also the trapdoor functions are encrypted when provided to the Server.
== Notation ==
*<math>m</math>: classical data of client's required quantum input states
*<math>\lambda</math>: security parameter
* <math>k</math>: security parameter
* <math>k</math>: security parameter
* <math>\tilde{x}</math>: encryption of x
* <math>\tilde{x}</math>: encrypted pad key
*<math>s</math>: concatenated pad key elements
*<math>c=HE.Enc_{pk}(s)</math> Encryption of s using public key <math>pk</math> via classical HE encryption step.
*<math>\hat{c}</math>: converted c using classical HE in order to use it with <math>AltHE</math>
* <math>\tilde{x}^{[l]}</math>: <math>l^{th}</math> bit of encrypted pad key
* <math>L_c</math>: depth of a layer of circuit where each layer contains Clifford gates and Toffoli gates
* <math>L_c</math>: depth of a layer of circuit where each layer contains Clifford gates and Toffoli gates
* <math>L</math>: depth of the circuit (no. of layers in the circuit)
* <math>L</math>: depth of the circuit (no. of layers in the circuit)
Line 31: Line 45:
* <math>d</math>: measurement outcome of the second register
* <math>d</math>: measurement outcome of the second register


== Hardware Requirements ==
== Requirements ==
*The concerned protocol requires classical HE scheme. The communication can be performed over a classical network with only one quantum node (in case of classical input and output).  
*'''Network Stage:''' [[:Category:Quantum Memory Network Stage|Quantum Memory]] [[Category:Quantum Memory Network Stage]]
*One of the nodes require quantum memory, hence, this protocol belongs to Quantum Memory Network Stage.
*'''Required Network Parameters:'''
**'''<math>\epsilon_j</math>''', which measures the error due to noisy operations.
**Number of communication rounds
**Circuit depth
**Number of physical qubits used
*The concerned protocol requires classical HE scheme.  
*Classical offline communication links
*Communication can be performed over a classical network with only one quantum node (in case of classical input and output).  
*The functions <math>f_0, f_1</math> used must be trapdoor claw-free(TCF) such that one it is not possible to find a triple <math>(\mu_0,\mu_1,y)</math> such that <math>f_0(\mu_0)=f_1(\mu_1)=y</math>


== Properties ==
==Knowledge Graph==
*''Quantum Capable'' A classical HE is quantum capable i.e. can perform quantum computation efficiently if there exists AltHE which can execute natural XOR operations.
 
*''Indistinguishability under Chosen Plaintext Attacks by adversary(IND-CPA)'' The presented classical FHE scheme is CPA secure i.e. it is not possible for any polynomial time adversary to distinguish between the encrypted classical message bits 0 and 1, by learning with errors.
{{graph}}
*''Compactness'' This protocol is compact i.e. decryption does not depend on the complexity of the quantum circuit.
*''Correctness'' Correctness is implied from the correctness of encrypted CNOT operation.
*''Circuit Privacy'' This protocol is not circuit private as both Client and Server know the quantum circuit used for performing the computation.
*''Full Homomorphism'' This protocol is fully homomorphic i.e. Server can operate any quantum circuit using this protocol.
*''Circular Security'' This protocol has a stronger notion of circular security where not only the secret key but also the trapdoor functions are encrypted when provided to the Server.


== Pseudo-Code==  
==Protocol Description==  
*Boxed texts are not part of the code but contain proofs used in various steps, illustrated for a better understanding of the protocol.
==='''Stage 1''' Client’s Preparation===
==='''Stage 1''' Client’s Preparation===
   
   
*Input: <math>k, L, L_c</math>, classical message <math>m</math>, ( and Quantum Input <math>|\psi\rangle</math> in case of quantum inputs)
*Input: <math>k, L, L_c</math>, classical message <math>m</math>
*Output: Homomorphic key sets <math>(pk_i,evk_i,sk_i, t_{sk_i})</math>, encrypted pad key <math>\tilde{a}, \tilde{b}</math> (and Quantum One time Padded Output State <math>X^aZ^b|\psi\rangle</math> in case of quantum output)
*Output: Homomorphic key sets <math>(pk_i,evk_i,sk_i, t_{sk_i})</math>, encrypted pad key <math>\tilde{z}, \tilde{x}</math>, One time Padded message (<math>l</math>)
**'''Key Generation (FHE.KeyGen(<math>1^{\lambda}, 1^L</math>))'''
**'''Key Generation (FHE.KeyGen(<math>1^{\lambda}, 1^L</math>))'''
# For <math>1\leq i\leq L + 1</math>,  
# For <math>1\leq i\leq L + 1</math>,  
# Client generates homomorphic key set, <math>(pk_i,evk_i,sk_i, t_{sk_i}) = </math>HE.Keygen(<math>1^{\lambda}, 1^{L_c}</math>).</br>The public key <math>pk</math> is <math>pk_1</math> and the secret key <math>sk</math> is <math>sk_{L+1}</math>. </br>The evaluation key <math>evk</math> consists of <math>(evk_1,\ldots,evk_{L+1})</math> as well as <math>(pk_{i+1},</math>HE.Enc<math>_{pk_{i+1}}(sk_{i})</math>, HE.Enc<math>_{pk_{i+1}}(t_{sk_i})</math>) for <math>1\leq i\leq L</math>.
# Client generates homomorphic key set, <math>(pk_i,evk_i,sk_i, t_{sk_i}) = </math>HE.Keygen(<math>1^{\lambda}, 1^{L_c}</math>).</br>The public key <math>pk</math> is <math>pk_1</math> and the secret key <math>sk</math> is <math>sk_{L+1}</math>. </br>The evaluation key <math>evk_i</math> consists of <math>(pk_{i+1},</math>HE.Enc<math>_{pk_{i+1}}(sk_{i})</math>, HE.Enc<math>_{pk_{i+1}}(t_{sk_i})</math>) for <math>1\leq i\leq L</math>.
**'''Encryption (FHE.Enc<math>_{pk}(m)</math>))'''
**'''Encryption (FHE.Enc<math>_{pk}(m)</math>))'''
# Client chooses pad key for each message bit <math>a,b\in\{0,1\}^{\lambda}</math>.
#Client chooses pad key for each message bit <math>z,x\in\{0,1\}^{\lambda}</math>.
# She then encrypts this pad key and sends it to the Server with the evaluation keys.</br>HE.Enc<math>_{pk_1}(a,b))</math>,
#She one time pads the message m, <math>l= x\oplus m</math> <div class="floatright">//z is used for quantum input <math>Z^zX^x|\psi\rangle</math> where <math>|\psi\rangle</math> is quantum input.</div>
# She sends encrypted classical message <math>X^aZ^b|l\rangle</math> which can be represented as the classical string <math>a\oplus m</math>. In case of quantum output Client uses pad key to hide her quantum state using QOTP (<math>X^aZ^b|\psi\rangle</math>) and then sends this hidden state to the Server along with the encrypted pad key.
#She then encrypts the pad key. HE.Enc<math>_{pk_1}(z,x)</math>
# She sends the encrypted message and pad key to the Server with the evaluation keys.


=== '''Stage 2''' Server’s Computation ===
=== '''Stage 2''' Server’s Computation ===
   
   
*Input: evaluation key (<math>evk_i</math>), encrypted pad key <math>\tilde{a}, \tilde{b}</math> concatenation (c), one time padded message l (and Quantum One time Padded Output State in case of quantum output)
*Input: <math>\mathrm{evk}_i</math>, pad key elements concatenation (<math>s</math>), encryption of s under HE (<math>c=\mathrm{HE.Enc}_{pk}(s)</math>), one time padded message (<math>l</math>)
*Output:  updated encryption of pad key <math>\tilde{a},\tilde{b}</math> (and Quantum One time Padded Output State <math>X^{\tilde {a}}Z^{\tilde{b}}C|\psi\rangle</math> in case of quantum output, where C is the quantum circuit)
*Output:  Updated encryption of pad key <math>\tilde{z},\tilde{x}</math> and final classical outcome after performing the circuit.
**'''Circuit Evaluation (FHE.Eval())'''
**'''Circuit Evaluation (FHE.Eval())'''
#Server creates a superposition state for the encrypted classical message and Pauli one time pads it using encrypted pad key. He applies the circuit on it as follows:</br>Let the Circuit be denoted by C and the gates be <math>c_i</math>
#Server creates a quantum superposition state for encrypted input <math>l</math>: <math>Z^zX^x|\psi\rangle</math>, where </br><math>|\psi\rangle=\sum_{a,b\epsilon\{0,1\}}\alpha_{ab}|a,b\rangle</math> represents the two qubits superposition state for classical message m,</br> <math>Z^zX^x</math> represents quantum one time pad. </br>
# For all i, <math>c_i</math> gate is applied on qubit l and the <math>l_{th}</math> bits of pad key <math>(\tilde {a}^{[l]},\tilde{b}^{[l]})</math> are updated to <math>(\tilde {a}'^{[l]},\tilde{b}'^{[l]})</math> as follows.
# For all i, Server applies gate <math>c_i</math> on qubit l and the <math>l_{th}</math> bits of pad key <math>(\tilde {x}^{[l]},\tilde{z}^{[l]})</math> are updated to <math>(\tilde {x}'^{[l]},\tilde{z}'^{[l]})</math> as follows.
## If <math>c_i=\{P,H,CNOT\}</math>, a Clifford gate then <div class="floatright">//(<math>c_iX^{a^{[l]}}Z^{b^{[l]}}|\psi\rangle=X^{a'^{[l]}}Z^{b'^{[l]}}c_i|\psi\rangle</math>)</div>
## If <math>c_i=\{P,H,CNOT\}</math>, a Clifford gate then <div class="floatright">//(<math>c_iZ^{z^{[l]}}X^{x^{[l]}}|\psi\rangle=Z^{z'^{[l]}}X^{x'^{[l]}}c_i|\psi\rangle</math>)</div>
### if <math>c_i=</math>H then<div class="floatright">//Hadamard Gate</div></br><math>(\tilde {a}^{[l]},\tilde{b}^{[l]})\rightarrow (\tilde{b}^{[l]},\tilde{a}^{[l]})</math><div class="floatright">//Hadamard tranforms X gate into Z and Z into X</div>
### if <math>c_i=</math>H then<div class="floatright">//Hadamard Gate</div></br><math>(\tilde {x}^{[l]},\tilde{z}^{[l]})\rightarrow (\tilde{z}^{[l]},\tilde{x}^{[l]})</math><div class="floatright">//Hadamard tranforms X gate into Z and Z into X</div>
### if <math>c_i=</math>P then <div class="floatright">//Pauli Gate</div></br><math>(\tilde {a}^{[l]},\tilde{b}^{[l]})\rightarrow (\tilde{a}^{[l]},\tilde{a}^{[l]}\oplus\tilde{b}^{[l]})</math>
### if <math>c_i=</math>P then <div class="floatright">//Pauli Gate</div></br><math>(\tilde {x}^{[l]},\tilde{z}^{[l]})\rightarrow (\tilde{x}^{[l]},\tilde{x}^{[l]}\oplus\tilde{z}^{[l]})</math>
### if <math>c_i=</math>CNOT with m as target bit and n as control bit then (CNOT)</br>(\tilde {a}^{[l]},\tilde{b}^{[l]};\tilde {a}^{[n]},\tilde{b}^{[n]})\rightarrow (\tilde {a}^{[l]},\tilde{b}^{[l]}\oplus \tilde {b}^{[n]};\tilde{a}^{[l]}\oplus \tilde {a}^{[n]},\tilde{b}^{[n]})</math>
### if <math>c_i=CNOT_{l,n}</math> with m as target bit and n as control bit then <div class="floatright">//CNOT</div></br>(<math>\tilde {x}^{[l]},\tilde{z}^{[l]};\tilde {x}^{[n]},\tilde{z}^{[n]})\rightarrow (\tilde {x}^{[l]},\tilde{z}^{[l]}\oplus \tilde {z}^{[n]};\tilde{x}^{[l]}\oplus \tilde {x}^{[n]},\tilde{z}^{[n]})</math>
## If ci = T gate then //Toffoli Gate on lth,nth,oth key bits
## If <math>c_i=T</math> gate then <div class="floatright">//Toffoli Gate on <math>l_{th}, n_{th}, o_{th}</math> key bits</br>
### The Toffoli gate is applied to the Pauli one time padded state and the state is reduced to combination of Clifford C and Pauli P corrections as follows:<br/>TXa[l]Zb[l]Xa[n]Zb[n]Xa[o]Zb[o] |ψi<br/>=TXa[l]Zb[l]Xa[n]Zb[n]Xa[o]Zb[o]T T |ψi<br/>= CNOTl,oa[n]CNOTn,oa[l]CZl,nb[o]Xa[l]Zb[l]T |ψi<br/>= CNOTl,oa[n]CNOTn,oa[l]HnCNOTl,nb[o]HnXa[l]Zb[l]T |ψi<br/>= CabPabT |ψi, where C{CNOT,H} and<br/>
<div style="background-color: gray; border: solid thin black;title=Functionality Description;">The Toffoli gate application can be deduced as follows:</br><math>TZ^{z^{[l]}}X^{x^{[l]}}Z^{z^{[n]}}X^{x^{[n]}}Z^{z^{[o]}}X^{x^{[o]}}|\psi\rangle</math></br><math>=TZ^{z^{[l]}}X^{x^{[l]}}Z^{z^{[n]}}X^{x^{[n]}}Z^{z^{[o]}}X^{x^{[o]}}T\dagger T|\psi\rangle</math></br><math>=CNOT_{l,o}^{x^{[n]}}CNOT_{n,o}^{x^{[l]}}CZ_{l,n}^{z^{[o]}}Z^{z^{[l]}}X^{x^{[l]}}T|\psi\rangle</math></br><math>=CNOT_{l,o}^{x^{[n]}}CNOT_{n,o}^{x^{[l]}}H_nCNOT_{l,n}^{z^{[o]}}H_{n}Z^{z^{[l]}}X^{x^{[l]}}T|\psi\rangle</math></br><math>=C_{zx}P_{zx}T|\psi\rangle</math>, where <math>C\epsilon \{\text{CNOT,H}\}</math> and <math>P\epsilon\{X,Z\}</math>
### The Pauli key encryptions are homomorphically updated according to P_ab
</div>
### Three encrypted CNOTs are used to correct Cab as follows.
:::#The Pauli key encryptions are homomorphically updated according to <math>P_{zx}</math>.</br> (<math>\tilde {x}^{[l]},\tilde{z}^{[l]};\tilde {x}^{[n]},\tilde{z}^{[n]};\tilde {x}^{[o]},\tilde{z}^{[o]})\rightarrow (\tilde {x}^{[l]},\tilde{z}^{[l]};0,0;0,0)</math>
#### The server applies encrypted CNOT operation to the two qubit state ZzXx |ψi using the ciphertext ˆc =HE.Convert(c).
:::# Three encrypted CNOTs are used to correct <math>C^{zx}</math> as follows under <math>\mathrm{AltHE}</math>.</br></br>
#### Server generates following superposition sampled over random distribution D for the TCF function pairs (f0 =AltHE.Encpk(),f1) based on the condition f0 ⊕H f1 = cˆ{euqation missing}
***'''Server's Preparation:'''
#### Servers generates three register for quantum input, function input, function output and entangles them as follows{equation missing}  
::::#Server converts <math>\hat{c} = \mathrm{HE.Convert(c)}</math>.
#### Server measures the last register to get a ciphertext y =AltHE.Encpk(µ0,r0), where µ0 ⊕ µ1 = s.
::::#Server generates superposition on distribution D: <math>\sum_{\mu\in\{0,1\},r}\sqrt{D(\mu,r)}|\mu,r\rangle</math>
#### Server performs Hadamard on second register and measures it to get a string d such that first register of input quantum state is reduced to: the following ideal state:<br/> (Zd·((µ0,r0)⊕(µ1,r1)) ⊗ Xµ0)CNOT (1)<br/>where AltHE.Encpk(µ0;r0) = AltHE.Encpk(µ1;r1) ⊕H cˆ and ⊕H is the homomorphic XOR operation.
::::#Server entangles above superposition and <math>|\psi\rangle</math> with a third register:<math>\sum_{a,b,\mu\in\{0,1\},r}\alpha_{ab}\sqrt{D(\mu,r)}|a,b\rangle|\mu,r\rangle|f_a(r)\rangle</math>, such that </br><math>f_0=\mathrm{AltHE.Enc}_{pk}()</math>;</br><math>f_1(\mu_1,r_1)=f_0 (\mu_0,r_0)\oplus_H \hat{c}=\mathrm{AltHE.Enc}_{pk}(\mu_0,r_0)\oplus_H \mathrm{AltHE.Enc}_{pk}(s)</math> </br><math>\therefore \mu_0\oplus\mu_1=s</math>
#### The server uses pki+1 to compute HE.Encpki+1(ca,b,pki) and HE.Encpki+1(c,y,dˆ ).
::::#Server measures the last register to get <math>y =\mathrm{AltHE.Enc}(\mu_0,r_0)=\mathrm{AltHE.Enc}_{pk}(\mu_1,r_1)\oplus_H AltHE.Enc_{pk}(s)</math>.</br> The resulting superposition state is:<math>\sum_{a,b\in\{0,1\}}\alpha_{ab}\sqrt{D(\mu_0,r_0)}|a,b\rangle|\mu_a,r_a\rangle|\mathrm{AltHE.Enc}(\mu_0,r_0)\rangle=\sum_{a,b\in\{0,1\}}\alpha_{ab}\sqrt{D(\mu_0,r_0)}|a,b\rangle|\mu_a,r_a\rangle|y\rangle</math>
#### The server computes the encryption of a,b under pki+1 by homomorphically running the decryption circuit on inputs HE.Encpki+1(ski) and HE.Encpki+1(ca,b,pki) .
***'''Encrypted CNOT operation:'''<div style="background-color: gray; border: solid thin black;title=Functionality Description;"><math>\sum_{a,b\in\{0,1\}}\alpha_{ab}CNOT_{a,b}^s|a,b\rangle</math></br><math>=\sum_{a,b\in\{0,1\}}\alpha_{ab}|a,b\oplus a\cdot s\rangle</math></br><math>=\sum_{a,b\in\{0,1\}}\alpha_{ab}|a,b\oplus a\cdot(\mu_0\oplus\mu_1)\rangle</math></br><math>=\sum_{b\in\{0,1\}}\alpha_{0b}|0,b\oplus \mu_0\oplus\mu_0\rangle+\alpha_{1b}|1,b\oplus \mu_0\oplus\mu_1\rangle</math>,  <math>\because q\oplus q=0</math></br><math>=\sum_{b\in\{0,1\}}\alpha_{0b}|0\rangle\otimes X^{\mu_0}|b\oplus \mu_0\rangle+\alpha_{1b}|1\rangle \otimes X^{\mu_0}|b\oplus \mu_1\rangle</math>, <math>\because |q\oplus y\rangle=X^y|q\rangle</math></br><math>=\sum_{a,b\in\{0,1\}}\alpha_{ab}|a\rangle\otimes X^{\mu_0}|b\oplus \mu_a\rangle</math></br><math>=\sum_{a,b\in\{0,1\}}\alpha_{ab}(I\otimes X^{\mu_0})|a,b\oplus \mu_a\rangle</math></br> </div>
#### The server homomorphically computes (µ0,r0) and (µ1,r1), using the ciphertexts encrypting tski,ski,c,y,(all encrypted with HE under public key pki+1). The server then uses this result, along with the ciphertexts encrypting a,b,d, to homomorphically compute ˜b = b + (d · ((µ0,r0) (µ1,r1)),0) and ˜a = a + (0,µ0).
::::#Server XORs the second qubit of first register with <math>\mu_a</math> to get:</br><math>\sum_{a,b\in\{0,1\}}\alpha_{ab}\sqrt{D(\mu_0,r_0)}(I\otimes X^{\mu_0})CNOT_{a,b}^s|a,b\rangle\otimes|\mu_a,r_a\rangle|y\rangle</math>
# Server sends updated encryptions of Pauli corrections ˜a,˜b and the classical outcome after measurement of the output state (or Quantum one time padded state in case of quantum output) to Client.
::::#Server performs Hadamard on second register. The resulting superposition state is:</br><math>\sum_{a,b\in\{0,1\}}\alpha_{ab}\sqrt{D(\mu_0,r_0)}(I\otimes X^{\mu_0})CNOT_{ab}^s|a,b\rangle\otimes H^k|\mu_a,r_a\rangle|y\rangle</math></br><math>=\sum_{a,b\in\{0,1\}}\alpha_{ab}\sqrt{D(\mu_0,r_0)}(I\otimes X^{\mu_0})CNOT_{ab}^s|a,b\rangle\otimes\bigg(\sum_{e\in\{0,1\}^k}(-1)^{e\cdot(\mu_a,r_a) }|e\rangle\bigg)|y\rangle</math>, <math>\because H^k|q\rangle=\sum_{e\in\{0,1\}^k}(-1)^{e\cdot q}|e\rangle</math>, where q has k qubits</br>
::::#Server measures the second register to get d. The resulting superposition is:</br><math>=\sum_{a,b\in\{0,1\}}\alpha_{ab}\sqrt{D(\mu_0,r_0)}(I\otimes X^{\mu_0})CNOT_{ab}^s|a,b\rangle\otimes(-1)^{d\cdot(\mu_a,r_a)}|d\rangle|y\rangle</math></br>
<div style="background-color: gray; border: solid thin black;title=Functionality Description;">
The first register could be equivalently written as:</br><math>(-1)^{d\cdot(\mu_0,r_0)}|0,b\rangle+(-1)^{d\cdot(\mu_1,r_1)}|1,b\rangle</math></br><math>=(-1)^{d\cdot (\mu_0,r_0)}((-1)^{d\cdot((\mu_0,r_0)\oplus(\mu_0,r_0))}|0,b\rangle+(-1)^{d\cdot((\mu_0,r_0)\oplus(\mu_1,r_1))}|1,b\rangle)</math></br><math>=(-1)^{d\cdot (\mu_0,r_0)}((-1)^{0\cdot(d\cdot((\mu_0,r_0)\oplus(\mu_1,r_1))})|0,b\rangle+(-1)^{1\cdot(d\cdot((\mu_0,r_0)\oplus(\mu_1,r_1)))}|1,b\rangle)</math></br><math>=(-1)^{d\cdot (\mu_0,r_0)}((-1)^{a\cdot(d\cdot((\mu_0,r_0)\oplus(\mu_1,r_1))})|a,b\rangle</math></br><math>=(-1)^{d\cdot (\mu_0,r_0)}(Z^{d\cdot((\mu_0,r_0)\oplus(\mu_1,r_1))}|a,b\rangle)</math>, <math>\because Z|q\rangle=(-1)^q|q\rangle</math></br>Thus, the resulting state (upto a global phase) is: </br><math>\approx(Z^{d\cdot((\mu_0,r_0)\oplus(\mu_1,r_1))}\otimes X^{\mu_0})CNOT_{12}^s\sum_{a,b\in\{0,1\}}\alpha_{ab}|a,b\rangle</math></br>
Final superposition at the end of encrypted CNOT operation is:</br> <math>(Z^{d\cdot ((\mu_0,r_0)\oplus (\mu_1,r_1))}\otimes X^{\mu_0})\mathrm{CNOT}_{1,2}^s|\psi_{12}\rangle</math> </br>where <math>(\mu_0,r_0)=(\mu_1,r_1)\oplus_H s</math>, as <math>\oplus_H</math> is the homomorphic XOR operation.
</div>
::::#The server uses <math>pk_{i+1}</math> to recrypt 'c' (previously encrypted using <math>pk_{i}</math>) and encrypt other variables under HE: <math>\mathrm{HE.Enc}_{pk_{i+1}}(c)</math>, <math>\mathrm{HE.Enc}_{pk_{i+1}}(\hat{c},y,d)</math>.
::::#The server computes the encryption of <math>z,x</math> (stored in <math>\tilde{z},\tilde{x}</math>) under <math>pk_{i+1}</math> by performing decryption circuit on <math>\mathrm{HE.Enc}_{pk_{i+1}}(c)</math> using <math>\mathrm{HE.Enc}_{pk_{i+1}}(sk_i)</math> (provided by the evaluation key). Here, c, as stated before is the concatenation of encryption of x, z under <math>pk_{i}</math>, provided by the Client.
::::#The server (homomorphically) computes <math>(\mu_0,r_0)</math> and <math>(\mu_1,r_1)</math>, using <math>\mathrm{HE.Enc}_{pk_{i+1}}(t_{sk_i},sk_i)</math>, provided by the evaluation key <math>\mathrm{evk}_i</math> encrypted under <math>pk_{i+1}</math>, and <math>\mathrm{HE.Enc}_{pk_{i+1}}(\hat{c},y,d)</math>, from the previous step.
::::#The server then uses this results of the last three steps, to (homomorphically) update Pauli encryptions for encrypted <math>CNOT^s_{l,n}</math>: </br>(<math>\tilde {x}^{[l]},\tilde{z}^{[l]};\tilde {x}^{[n]},\tilde{z}^{[n]})\rightarrow (\tilde {x}^{[l]},\tilde{z}^{[l]}+d\cdot ((\mu_0,r_0)\oplus (\mu_1,r_1);\tilde {x}^{[n]}+\mu_0,\tilde{z}^{[n]})</math></br>
3. Server sends updated encryptions of Pauli corrections <math>\tilde{x},\tilde{z}</math> and the classical outcome after measurement of the output state to Client.


=== '''Stage 3''' Client’s Output Correction ===
=== '''Stage 3''' Client’s Output Correction ===
   
   
*'''Input:''' Classical output state, l {0,1}λ (or Quantum One time padded state in case of Quantum output), encrypted Pauli corrections ˜a,˜b
*Input: Classical output state (<math>l\in\{0,1\}^{\lambda}</math>), encrypted Pauli corrections (<math>\tilde{z},\tilde{x}</math>)
*'''Output:''' Decrypted classical message x ⊕ m (or final quantum output of computation ZzXx |ψi)
*Output: Decrypted classical message (<math>l\oplus x</math>)
''Decryption (FHE.Decsk)''
**'''Decryption (FHE.Dec<math>_{sk}</math>)'''
# Client decrypts ˜a,˜b using skL+1 to obtain a,b.
# Client decrypts <math>\tilde{z},\tilde{x}</math> using <math>sk_{L+1}</math> to obtain <math>z,x</math>.  
# She then uses the decrypted Pauli corrections to get the output XaZb |li, which can be represented as a ⊕ l.<br/>She operates XaZb on quantum output to get C|ψi, in case of quantum output.
# She then uses the decrypted Pauli corrections to get the correct output <math>l\oplus x</math>.</br>
 
==Further Information==
In case of Quantum Input, the client additionally sends quantum one tie padded input state. In case of quantum output the Server instead of classical outcome sends the final quantum one time padded output state (operated by the required circuit). Client gets the output by using the updated encryption sent by the server to perform Pauli corrections on the output state. This protocol is first and only protocol currently, to use a classical functionality to solve a quantum task. It provides computationally security. Verification of this protocol is still an open question.
 
<div style='text-align: right;'>''*contributed by Shraddha Singh''</div>

Latest revision as of 15:35, 16 October 2019

The example protocol achieves the functionality of Delegated Quantum Computation by a method which involves fully classical offline and no quantum communication. It uses only classical Homomorphic Encryption (HE) scheme to evaluate quantum circuits for classical input/output. It allows a fully classical Client to hide her data such that Server can carry out any arbitrary quantum computation on the encrypted data without having any knowledge about Client’s inputs. It hides the output and input of the computation while Server is allowed to choose the unitary operation (any quantum gate) for required computation. Quantum offline communication would be required if Client’s input and output is quantum.

Tags: Two Party, Quantum Functionality, Universal Task, Secure Client- Server Delegated Quantum Computation, Prepare and Send Quantum FHE, Classical Offline Communication, Superposition, Trapdoor Claw-Free Functions, Learning With Errors, Encrypted CNOT Operation.

Assumptions[edit]

  • This protocol is secure against honest but curious adversary setting.
  • HE is a classical leveled fully homomorphic encryption scheme which is quantum capable for given depth of one layer of circuit, Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle L_c} (See Notations below).
  • A BQP Server (a quantum computer) can generate a superposition of inputs for the encryption function over some distribution given the public key used for encryption. The protocol takes learning with errors assumption.

Outline[edit]

FHE presents a classical protocol with the help of which a completely classical Client could assign Server a quantum computation for her encrypted (hidden) input/output. Similar to any classical HE this scheme is divided into four steps: Key Generation generates keys for encryption, decryption and evaluation of the circuit; Encryption encodes the input into a secret text using the encryption key generated during Key Generation; Evaluation performs operations (implements the circuit) on the encrypted input using evaluation key generated and Decryption transforms result of the evaluation step hidden in the secret text, to outcome of the circuit for Client's input using decryption key. Following the stages of Secure Delegated Quantum Computation, in preparation stage, Client encrypts her input by performing one time pad to hide it from the Server, who, in the computation stage, performs quantum computation by a completely classical evaluation step. There are two kinds of gates in Quantum Computation (See Glossary) Clifford Gates, which consists of Hadamard gate, CNOT and Pauli gates (X, Y, Z) and Toffoli gates (any single qubit phase/rotation gate). A universal scheme can perform both these types of gates implying that it can perform any quantum operation. Now, applying Clifford gates remains a simple step as it leaves the state with only Pauli corrections (X, Z) which are easy to handle as these gates commute with every quantum gate and hence can be shifted and cancelled out by applying corresponding inverse gate later by the Client, but when applying Toffoli Gates, it leaves the state with some Pauli corrections and Clifford gate corrections depending on the one pad key used for encryption key used by Client. Decryption key cannot deal with Clifford gate errors as they do not commute with all quantum operations and hence it needs to be corrected by applying corresponding inverse gate before the operation of next gate for computation by the Server. These Clifford gate corrections are a combination of CNOT corrections dependent on encryption key and a Hadamard correction independent of encryption key. Thus, applying Hadamard requires no extra information but CNOT gate errors require revelation of the encryption key. FHE deals with this problem via Encrypted CNOT operation using Trapdoor Claw-Free Function (TCF) without revelation of encryption key to the Server. Finally, in the Output Correction stage, Client gets her inputs and updated encryption keys to get the correct final outcome from the secret text using her decryption key. Following is an outline of the steps to illustrate the above mentioned scheme, assuming depth of circuit (see notations used) equal to L.
The preparation stage incorporates,

  • Key Generation: Client generates classical homomorphic key sets consisting of public key, evaluation key, secret key, trapdoor information (a piece of information required to invert the function used for encrypted CNOT operation, as explained in Circuit Evaluation) using HE.KeyGen() (classical HE step). Evaluation key consists of first L pairs of secret key-trapdoor information encrypted with last L public keys such that secret key-trapdoor key pair and public key do not belong to the same key set. Evaluation key also contains this public key used to encrypt the pair.
  • Encryption: Client uses classical one time pad to hide her input and encrypts the pad key with the first public key (not used to encrypt any trapdoor-secret key pair) using HE.Enc() (classical HE step). She then sends the hidden classical input with encrypted pad key and classical evaluation key to the Server over classical channel. This step marks the end of preparation stage.

Further, the computation stage incorporates,

  • Circuit Evaluation: Server starts with the classical one time padded states from the Client and generates the required quantum states. For each gate of the circuit that Server applies, he updates the encrypted Pauli encryption according to rules given in Pseudo code below. In case of Toffoli gate operation, an additional step is incorporated where he corrects the extra Clifford gate error performing encrypted CNOT operation and then Hadamard operation on the target qubit. This step uses evaluation key and can be explained as follows.

Encrypted CNOT operation All errors imposed by Toffoli gates can be represented using encrypted CNOT operation, a Hadamard operation and a set of Pauli gates (X, Z). All errors imposed by Clifford gates can be represented by a combination of Pauli gates. A mathematical representation of this step can be found in the Pseudo Code below.

  1. TCF: This operation uses Trapdoor Claw Free function pairs which have the same image (output) for different pre-images(inputs) called 'random claw pair'. Given the image, it is rendered a hard problem to find this corresponding random claw without its trapdoor information (example, a piece of information required to invert the function). For this protocol, the HE Encryption function (HE.Enc()) is taken as one of the functions. A second function whose distribution is shifted from the previous function by a natural (homomorphic) XOR operation (a requirement for the classical HE scheme used) of encrypted key bit used for that encryption function. This means, the functions have a common range such that for every image (output), the pre-images (input) for each of the functions stated above would also differ by a XOR operation of actual (not encrypted) key bit. Thus, any element in the said range set would have one pre-image in the domain set of each function, together called random claw pair. If one performs a XOR operation on the pair, the result is pad key bit. This is implied from the properties of homomorphic XOR. In simple words, the above paragraph implies that if two functions are separated by encrypted pad key via a homomorphic XOR operation, their inputs for a common output (random claw pair) would be separated by the (not encrypted) pad key bit. Thus, any pre-image pair (random claw) thus, obtained, hides the pad key (to be used later for Encrypted CNOT operation).
  2. Server's preparation Thus, Server creates a superposition of inputs for the functions over some distribution. Next, he creates a superposition of quantum states generated from Client's input. After applying the gates on qubits, for correction of CNOT errors, Server creates three registers. First has the superposition of quantum states generated from Client's input, second has the superposition on a distribution chosen for inputs of the function while third register has the output of one of the two functions illustrated above, where the function (one of the two) is chosen according to the first qubit of the first register and its quantum input is taken from the second register. Hence, these registers are entangled. Server, now measures the third register which reduces second register to a random claw pair as discussed before, hiding the pad key. It is still hidden from the Server as he does not know trapdoor information to be able to know the random claw pair and he cannot compute it from the measured output as it is a hard problem.
  3. Server's Toffoli gate operation After some calculations it can be shown that if Server performs Hadamard operation on the second register and then measures it, the first register is reduced to corrected quantum state with some extra Pauli corrections. These final Pauli corrections require trapdoor information and measurement outcome of the second register. To perform the above operation one needs the secret text to be same throughtout the protocol and existence of a natural XOR operation. This is not known to have been achieved by a single HE together. Hence, this protocol uses AltHE (an alternate HE) which can operate XOR for encrypted CNOT operation while he uses HE for updation of Pauli keys. In order to do this, HE provides a conversion of secret text under HE to secret text under AltHE and vice versa. Thus, after encrypted CNOT operation, encrypted pad key bit and other measurement outcomes are recrypted using public key provided in the evaluation key for that step, under HE. Thus, the trapdoor information and pad key bit are encrypted under same public key. Now, using the measurement outcome and the encrypted trapdoor information with recrypted pad key, Server obtains Pauli corrections. The Server encrypts Pauli corrections under public key for corresponding layer and hence updates the recrypted pad key
  4. Server's Clifford gate operation Server obtains with Pauli corrections according to rules described in the Pseudo code and updates the recrypted pad key as before.
  • Decryption Server repeats the same procedure for each layer and at the end of last layer, sends the updated recryption of pad key and classical measurement output of the first register (containing the corrected quantum state encrypted by pad key) to Client. Client converts the pad key to another secret text using AltHE. The sent pad key is recrypted with public key of the last (Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle L_{th}} ) evaluation key used. This is the Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle (L + 1)_{th}} public key. Hence, Client uses Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle (L + 1)_{th}} secret key (which was not included in the evaluation keys) to decrypt the updated encryption of pad key sent by the Server. She (Client) uses the resulting pad key to undo the one time pad on the sent output.

Properties[edit]

  • Quantum Capable A classical HE is quantum capable i.e. can perform quantum computation efficiently if there exists AltHE which can execute natural XOR operations.
  • Indistinguishability under Chosen Plaintext Attacks by adversary(IND-CPA) The presented classical FHE scheme is CPA secure i.e. it is not possible for any polynomial time adversary to distinguish between the encrypted classical message bits 0 and 1, by learning with errors.
  • Compactness This protocol is compact i.e. decryption does not depend on the complexity of the quantum circuit.
  • Correctness Correctness is implied from the correctness of encrypted CNOT operation.
  • Circuit Privacy This protocol is not circuit private as both Client and Server know the quantum circuit used for performing the computation.
  • Full Homomorphism This protocol is fully homomorphic i.e. Server can operate any quantum circuit using this protocol.
  • Circular Security This protocol has a stronger notion of circular security where not only the secret key but also the trapdoor functions are encrypted when provided to the Server.

Notation[edit]

  • Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle m} : classical data of client's required quantum input states
  • Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle \lambda} : security parameter
  • Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle k} : security parameter
  • : encrypted pad key
  • Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle s} : concatenated pad key elements
  • Encryption of s using public key via classical HE encryption step.
  • Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle \hat{c}} : converted c using classical HE in order to use it with
  • Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle \tilde{x}^{[l]}} : Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle l^{th}} bit of encrypted pad key
  • Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle L_c} : depth of a layer of circuit where each layer contains Clifford gates and Toffoli gates
  • Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle L} : depth of the circuit (no. of layers in the circuit)
  • : Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle i_{th}} homomorphic key set generated from HE.KeyGen(). Public key for encryption, secret key for decryption, evaluation function key, trapdoor information required for randomness recovery from secret texts.
  • Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle y} : measurement outcome of third register
  • : random claw for pair, for given y
  • Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle d} : measurement outcome of the second register

Requirements[edit]

  • Network Stage: Quantum Memory
  • Required Network Parameters:
    • Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle \epsilon_j} , which measures the error due to noisy operations.
    • Number of communication rounds
    • Circuit depth
    • Number of physical qubits used
  • The concerned protocol requires classical HE scheme.
  • Classical offline communication links
  • Communication can be performed over a classical network with only one quantum node (in case of classical input and output).
  • The functions Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle f_0, f_1} used must be trapdoor claw-free(TCF) such that one it is not possible to find a triple such that Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle f_0(\mu_0)=f_1(\mu_1)=y}

Knowledge Graph[edit]

Protocol Description[edit]

  • Boxed texts are not part of the code but contain proofs used in various steps, illustrated for a better understanding of the protocol.

Stage 1 Client’s Preparation[edit]

  • Input: Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle k, L, L_c} , classical message Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle m}
  • Output: Homomorphic key sets Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle (pk_i,evk_i,sk_i, t_{sk_i})} , encrypted pad key Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle \tilde{z}, \tilde{x}} , One time Padded message (Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle l} )
    • Key Generation (FHE.KeyGen(Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle 1^{\lambda}, 1^L} ))
  1. For Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle 1\leq i\leq L + 1} ,
  2. Client generates homomorphic key set, Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle (pk_i,evk_i,sk_i, t_{sk_i}) = } HE.Keygen(Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle 1^{\lambda}, 1^{L_c}} ).
    The public key Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle pk} is Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle pk_1} and the secret key Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle sk} is .
    The evaluation key Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle evk_i} consists of Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle (pk_{i+1},} HE.EncFailed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle _{pk_{i+1}}(sk_{i})} , HE.EncFailed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle _{pk_{i+1}}(t_{sk_i})} ) for Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle 1\leq i\leq L} .
    • Encryption (FHE.EncFailed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle _{pk}(m)} ))
  1. Client chooses pad key for each message bit Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle z,x\in\{0,1\}^{\lambda}} .
  2. She one time pads the message m, Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle l= x\oplus m}
    //z is used for quantum input Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle Z^zX^x|\psi\rangle} where Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle |\psi\rangle} is quantum input.
  3. She then encrypts the pad key. HE.EncFailed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle _{pk_1}(z,x)}
  4. She sends the encrypted message and pad key to the Server with the evaluation keys.

Stage 2 Server’s Computation[edit]

  • Input: , pad key elements concatenation (Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle s} ), encryption of s under HE (Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle c=\mathrm{HE.Enc}_{pk}(s)} ), one time padded message (Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle l} )
  • Output: Updated encryption of pad key Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle \tilde{z},\tilde{x}} and final classical outcome after performing the circuit.
    • Circuit Evaluation (FHE.Eval())
  1. Server creates a quantum superposition state for encrypted input Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle l} : Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle Z^zX^x|\psi\rangle} , where
    Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle |\psi\rangle=\sum_{a,b\epsilon\{0,1\}}\alpha_{ab}|a,b\rangle} represents the two qubits superposition state for classical message m,
    Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle Z^zX^x} represents quantum one time pad.
  2. For all i, Server applies gate Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle c_i} on qubit l and the Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle l_{th}} bits of pad key Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle (\tilde {x}^{[l]},\tilde{z}^{[l]})} are updated to Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle (\tilde {x}'^{[l]},\tilde{z}'^{[l]})} as follows.
    1. If Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle c_i=\{P,H,CNOT\}} , a Clifford gate then
      //(Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle c_iZ^{z^{[l]}}X^{x^{[l]}}|\psi\rangle=Z^{z'^{[l]}}X^{x'^{[l]}}c_i|\psi\rangle} )
      1. if Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle c_i=} H then
        //Hadamard Gate

        Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle (\tilde {x}^{[l]},\tilde{z}^{[l]})\rightarrow (\tilde{z}^{[l]},\tilde{x}^{[l]})}
        //Hadamard tranforms X gate into Z and Z into X
      2. if Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle c_i=} P then
        //Pauli Gate

        Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle (\tilde {x}^{[l]},\tilde{z}^{[l]})\rightarrow (\tilde{x}^{[l]},\tilde{x}^{[l]}\oplus\tilde{z}^{[l]})}
      3. if Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle c_i=CNOT_{l,n}} with m as target bit and n as control bit then
        //CNOT

        (Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle \tilde {x}^{[l]},\tilde{z}^{[l]};\tilde {x}^{[n]},\tilde{z}^{[n]})\rightarrow (\tilde {x}^{[l]},\tilde{z}^{[l]}\oplus \tilde {z}^{[n]};\tilde{x}^{[l]}\oplus \tilde {x}^{[n]},\tilde{z}^{[n]})}
    2. If Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle c_i=T} gate then
      //Toffoli Gate on Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle l_{th}, n_{th}, o_{th}} key bits
The Toffoli gate application can be deduced as follows:
Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle TZ^{z^{[l]}}X^{x^{[l]}}Z^{z^{[n]}}X^{x^{[n]}}Z^{z^{[o]}}X^{x^{[o]}}|\psi\rangle}
Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle =TZ^{z^{[l]}}X^{x^{[l]}}Z^{z^{[n]}}X^{x^{[n]}}Z^{z^{[o]}}X^{x^{[o]}}T\dagger T|\psi\rangle}
Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle =CNOT_{l,o}^{x^{[n]}}CNOT_{n,o}^{x^{[l]}}CZ_{l,n}^{z^{[o]}}Z^{z^{[l]}}X^{x^{[l]}}T|\psi\rangle}
Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle =CNOT_{l,o}^{x^{[n]}}CNOT_{n,o}^{x^{[l]}}H_nCNOT_{l,n}^{z^{[o]}}H_{n}Z^{z^{[l]}}X^{x^{[l]}}T|\psi\rangle}
Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle =C_{zx}P_{zx}T|\psi\rangle} , where Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle C\epsilon \{\text{CNOT,H}\}} and Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle P\epsilon\{X,Z\}}
  1. The Pauli key encryptions are homomorphically updated according to Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle P_{zx}} .
    (Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle \tilde {x}^{[l]},\tilde{z}^{[l]};\tilde {x}^{[n]},\tilde{z}^{[n]};\tilde {x}^{[o]},\tilde{z}^{[o]})\rightarrow (\tilde {x}^{[l]},\tilde{z}^{[l]};0,0;0,0)}
  2. Three encrypted CNOTs are used to correct Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle C^{zx}} as follows under Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle \mathrm{AltHE}} .

      • Server's Preparation:
  1. Server converts Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle \hat{c} = \mathrm{HE.Convert(c)}} .
  2. Server generates superposition on distribution D: Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle \sum_{\mu\in\{0,1\},r}\sqrt{D(\mu,r)}|\mu,r\rangle}
  3. Server entangles above superposition and Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle |\psi\rangle} with a third register:Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle \sum_{a,b,\mu\in\{0,1\},r}\alpha_{ab}\sqrt{D(\mu,r)}|a,b\rangle|\mu,r\rangle|f_a(r)\rangle} , such that
    Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle f_0=\mathrm{AltHE.Enc}_{pk}()} ;
    Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle f_1(\mu_1,r_1)=f_0 (\mu_0,r_0)\oplus_H \hat{c}=\mathrm{AltHE.Enc}_{pk}(\mu_0,r_0)\oplus_H \mathrm{AltHE.Enc}_{pk}(s)}
    Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle \therefore \mu_0\oplus\mu_1=s}
  4. Server measures the last register to get Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle y =\mathrm{AltHE.Enc}(\mu_0,r_0)=\mathrm{AltHE.Enc}_{pk}(\mu_1,r_1)\oplus_H AltHE.Enc_{pk}(s)} .
    The resulting superposition state is:Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle \sum_{a,b\in\{0,1\}}\alpha_{ab}\sqrt{D(\mu_0,r_0)}|a,b\rangle|\mu_a,r_a\rangle|\mathrm{AltHE.Enc}(\mu_0,r_0)\rangle=\sum_{a,b\in\{0,1\}}\alpha_{ab}\sqrt{D(\mu_0,r_0)}|a,b\rangle|\mu_a,r_a\rangle|y\rangle}
      • Encrypted CNOT operation:
        Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle \sum_{a,b\in\{0,1\}}\alpha_{ab}CNOT_{a,b}^s|a,b\rangle}
        Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle =\sum_{a,b\in\{0,1\}}\alpha_{ab}|a,b\oplus a\cdot s\rangle}
        Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle =\sum_{a,b\in\{0,1\}}\alpha_{ab}|a,b\oplus a\cdot(\mu_0\oplus\mu_1)\rangle}
        Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle =\sum_{b\in\{0,1\}}\alpha_{0b}|0,b\oplus \mu_0\oplus\mu_0\rangle+\alpha_{1b}|1,b\oplus \mu_0\oplus\mu_1\rangle} , Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle \because q\oplus q=0}
        Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle =\sum_{b\in\{0,1\}}\alpha_{0b}|0\rangle\otimes X^{\mu_0}|b\oplus \mu_0\rangle+\alpha_{1b}|1\rangle \otimes X^{\mu_0}|b\oplus \mu_1\rangle} , Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle \because |q\oplus y\rangle=X^y|q\rangle}
        Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle =\sum_{a,b\in\{0,1\}}\alpha_{ab}|a\rangle\otimes X^{\mu_0}|b\oplus \mu_a\rangle}
        Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle =\sum_{a,b\in\{0,1\}}\alpha_{ab}(I\otimes X^{\mu_0})|a,b\oplus \mu_a\rangle}
  1. Server XORs the second qubit of first register with Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle \mu_a} to get:
    Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle \sum_{a,b\in\{0,1\}}\alpha_{ab}\sqrt{D(\mu_0,r_0)}(I\otimes X^{\mu_0})CNOT_{a,b}^s|a,b\rangle\otimes|\mu_a,r_a\rangle|y\rangle}
  2. Server performs Hadamard on second register. The resulting superposition state is:
    Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle \sum_{a,b\in\{0,1\}}\alpha_{ab}\sqrt{D(\mu_0,r_0)}(I\otimes X^{\mu_0})CNOT_{ab}^s|a,b\rangle\otimes H^k|\mu_a,r_a\rangle|y\rangle}
    Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle =\sum_{a,b\in\{0,1\}}\alpha_{ab}\sqrt{D(\mu_0,r_0)}(I\otimes X^{\mu_0})CNOT_{ab}^s|a,b\rangle\otimes\bigg(\sum_{e\in\{0,1\}^k}(-1)^{e\cdot(\mu_a,r_a) }|e\rangle\bigg)|y\rangle} , Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle \because H^k|q\rangle=\sum_{e\in\{0,1\}^k}(-1)^{e\cdot q}|e\rangle} , where q has k qubits
  3. Server measures the second register to get d. The resulting superposition is:
    Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle =\sum_{a,b\in\{0,1\}}\alpha_{ab}\sqrt{D(\mu_0,r_0)}(I\otimes X^{\mu_0})CNOT_{ab}^s|a,b\rangle\otimes(-1)^{d\cdot(\mu_a,r_a)}|d\rangle|y\rangle}

The first register could be equivalently written as:
Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle (-1)^{d\cdot(\mu_0,r_0)}|0,b\rangle+(-1)^{d\cdot(\mu_1,r_1)}|1,b\rangle}
Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle =(-1)^{d\cdot (\mu_0,r_0)}((-1)^{d\cdot((\mu_0,r_0)\oplus(\mu_0,r_0))}|0,b\rangle+(-1)^{d\cdot((\mu_0,r_0)\oplus(\mu_1,r_1))}|1,b\rangle)}
Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle =(-1)^{d\cdot (\mu_0,r_0)}((-1)^{0\cdot(d\cdot((\mu_0,r_0)\oplus(\mu_1,r_1))})|0,b\rangle+(-1)^{1\cdot(d\cdot((\mu_0,r_0)\oplus(\mu_1,r_1)))}|1,b\rangle)}
Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle =(-1)^{d\cdot (\mu_0,r_0)}((-1)^{a\cdot(d\cdot((\mu_0,r_0)\oplus(\mu_1,r_1))})|a,b\rangle}
Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle =(-1)^{d\cdot (\mu_0,r_0)}(Z^{d\cdot((\mu_0,r_0)\oplus(\mu_1,r_1))}|a,b\rangle)} , Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle \because Z|q\rangle=(-1)^q|q\rangle}
Thus, the resulting state (upto a global phase) is:
Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle \approx(Z^{d\cdot((\mu_0,r_0)\oplus(\mu_1,r_1))}\otimes X^{\mu_0})CNOT_{12}^s\sum_{a,b\in\{0,1\}}\alpha_{ab}|a,b\rangle}
Final superposition at the end of encrypted CNOT operation is:
Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle (Z^{d\cdot ((\mu_0,r_0)\oplus (\mu_1,r_1))}\otimes X^{\mu_0})\mathrm{CNOT}_{1,2}^s|\psi_{12}\rangle}
where Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle (\mu_0,r_0)=(\mu_1,r_1)\oplus_H s} , as Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle \oplus_H} is the homomorphic XOR operation.

  1. The server uses Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle pk_{i+1}} to recrypt 'c' (previously encrypted using Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle pk_{i}} ) and encrypt other variables under HE: Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle \mathrm{HE.Enc}_{pk_{i+1}}(c)} , Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle \mathrm{HE.Enc}_{pk_{i+1}}(\hat{c},y,d)} .
  2. The server computes the encryption of Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle z,x} (stored in Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle \tilde{z},\tilde{x}} ) under Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle pk_{i+1}} by performing decryption circuit on Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle \mathrm{HE.Enc}_{pk_{i+1}}(c)} using Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle \mathrm{HE.Enc}_{pk_{i+1}}(sk_i)} (provided by the evaluation key). Here, c, as stated before is the concatenation of encryption of x, z under Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle pk_{i}} , provided by the Client.
  3. The server (homomorphically) computes Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle (\mu_0,r_0)} and Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle (\mu_1,r_1)} , using Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle \mathrm{HE.Enc}_{pk_{i+1}}(t_{sk_i},sk_i)} , provided by the evaluation key Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle \mathrm{evk}_i} encrypted under Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle pk_{i+1}} , and Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle \mathrm{HE.Enc}_{pk_{i+1}}(\hat{c},y,d)} , from the previous step.
  4. The server then uses this results of the last three steps, to (homomorphically) update Pauli encryptions for encrypted Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle CNOT^s_{l,n}} :
    (Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle \tilde {x}^{[l]},\tilde{z}^{[l]};\tilde {x}^{[n]},\tilde{z}^{[n]})\rightarrow (\tilde {x}^{[l]},\tilde{z}^{[l]}+d\cdot ((\mu_0,r_0)\oplus (\mu_1,r_1);\tilde {x}^{[n]}+\mu_0,\tilde{z}^{[n]})}

3. Server sends updated encryptions of Pauli corrections and the classical outcome after measurement of the output state to Client.

Stage 3 Client’s Output Correction[edit]

  • Input: Classical output state (Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle l\in\{0,1\}^{\lambda}} ), encrypted Pauli corrections (Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle \tilde{z},\tilde{x}} )
  • Output: Decrypted classical message (Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle l\oplus x} )
    • Decryption (FHE.DecFailed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle _{sk}} )
  1. Client decrypts Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle \tilde{z},\tilde{x}} using Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle sk_{L+1}} to obtain Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle z,x} .
  2. She then uses the decrypted Pauli corrections to get the correct output Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle l\oplus x} .

Further Information[edit]

In case of Quantum Input, the client additionally sends quantum one tie padded input state. In case of quantum output the Server instead of classical outcome sends the final quantum one time padded output state (operated by the required circuit). Client gets the output by using the updated encryption sent by the server to perform Pauli corrections on the output state. This protocol is first and only protocol currently, to use a classical functionality to solve a quantum task. It provides computationally security. Verification of this protocol is still an open question.

*contributed by Shraddha Singh