Prepare-and-Send Verifiable Quantum Fully Homomorphic Encryption: Difference between revisions

From Quantum Protocol Zoo
Jump to navigation Jump to search
No edit summary
 
(31 intermediate revisions by 2 users not shown)
Line 1: Line 1:
In this protocol, Quantum Fully Homomorphic Encryption (link) protocol is implemented with the additional property of verification, where it is checked if the final ciphertext produces by the server matches the results of a particular computation. QFHE is a protocol where any arbitrary computations can be carried out by the server on the client's encrypted data while hiding all inputs and outputs of the client. In the classical version of this protocol, the verification was carried by creating copies at every stage, which is not possible in the quantum version due to the no-cloning theorem. Hence in this protocol, verification is carried out by a technique where the server generates classical computational logs through which the underlying encryptions becomes authenticated. </br>
In this [https://arxiv.org/abs/1708.09156 example protocol], [[Prepare-and-Send Quantum Fully Homomorphic Encryption]] protocol is implemented with the additional property of verification, where it is checked if the final ciphertext produces by the server matches the results of a particular computation. QFHE is a protocol where any arbitrary computations can be carried out by the server on the client's encrypted data while hiding all inputs and outputs of the client. In the classical version of this protocol, verification was carried by creating copies at every stage, which is not possible in the quantum version due to the no-cloning theorem(link). Hence in this protocol, verification is carried out by a technique where the server generates classical computational logs through which the underlying encryptions becomes authenticated. These computational logs are used to certify to the client that a particular homomorphic quantum computation was performed on a classical computer. </br>


'''Tags:''' [[:Category: Two-Party Protocols|Two Party]],[[:Category:Universal Task|Universal Task]], [[Secure Delegated Quantum Computation|Secure Delegated Quantum Computation]], Quantum Offline Communication, Classical Offline Communication, [[Quantum Gadgets]], [[Prepare and Send Quantum Fully Homomorphic Encryption]], [[Classical Fully Homomorphic Encryption for Quantum Circuits]].
'''Tags:''' [[:Category: Two-Party Protocols|Two Party]],[[:Category:Universal Task|Universal Task]], [[Secure Delegated Quantum Computation|Secure Delegated Quantum Computation]], Quantum Offline Communication, Classical Offline Communication, [[Quantum Gadgets]], [[Prepare and Send Quantum Fully Homomorphic Encryption]], [[Classical Fully Homomorphic Encryption for Quantum Circuits]].
== Assumptions ==
* The classical fully homomorphic public-key encryption scheme HE is fixed has decryption in LOGSPACE.
* A message authentication code MAC is fixed which is existentially unforgeable under adaptive chosen message attacks from a quantum adversary.


==Outline==
==Outline==


This protocol consists mainly of four stages: Key Generation, Encryption, Homomorphic evaluation and Verified decryption. For verification, the major changes from the standard [[Prepare and Send Quantum Fully Homomorphic Encryption]] is in stage 2, evaluation where a computational log is provided as an extra output and in stage 4, Verified decryption which accepts computational log and performs the verification. The verification performed in this protocol is mainly classical in nature
This protocol consists mainly of four stages: Key Generation, Encryption, Homomorphic evaluation, and Verified decryption. To introduce verification, the major changes from the standard [[Prepare and Send Quantum Fully Homomorphic Encryption]] protocol take place in stage 2 (Evaluation) where a computational log is provided as an extra output and in stage 4 (Verified decryption) which accepts computational log and performs the verification. The verification performed in this protocol is mainly classical in nature.
 
*'''Key Generation and encryption''': This procedure requires the generation of single-qubit and two-qubit states from a small fixed set, performing Bell measurements and Pauli gates, and executing the encoding procedure of a quantum error-correcting code on which the trap code is based.
'''Key gen''':
** The classical fully homomorphic encryption scheme is used here to generate the public key, the secret keys and the evaluation function key for the encryption.
** A message authenticating system (MAC) is used to authenticate this process. Using [[MAC]], a key is also generated.
** A random global permutation is selected from <math>3*m</math> letters. A tuple is generated now using the global permutation and all the keys generated in the above steps. These are the non-evaluation keys which used to encrypt the auxiliary states.
 
'''Encryption''': We encrypt each qubit of the plaintext using the trap code, and encrypt the trap code
keys using the FHE scheme. This again requires the ability to perform Paulis, execute an error-correcting encoding, and the generation of basic single-qubit states.
 
** Majority of the single-qubit and two-qubit quantum states are encrypted using the global permutation. A [[CSS]] concatenated Steane code is selected with specific requirements. The quantum state is first encoded using this CSS code which results in a state with <math>m</math> qubits. Then, <math>m</math> computational and <math>m</math> Hadamard traps (<math>|0\rangle</math> and <math>|+\rangle</math> states) are added to that state and the resulting state is permutated using the global permutation. Next, if <math>n</math> is the number of qubits that will be encrypted, two bits strings are picked of length <math>n</math> to encrypt the state with [[Quantum one time pad]]. After this, we obtain our magic state for that particular quantum state. Here it is important to note that the keys for [[Quantum one time pad]] are selected during Encryption rather than Key Generation.
** For the <math>T</math> gate, error correcting gadgets are prepared from [[garden-hose gadgets]].
** Then the evaluation key is formed by MAC which uses the auxiliary states, including the magic states.


*'''Key Generation and Encryption'''
** This procedure requires the generation of single-qubit and two-qubit states from a small fixed set, performing Bell measurements and Pauli gates, and executing the encoding procedure of a quantum error-correcting code on which the trap code is based.
** In this step, using the classical fully homomorphic encryption scheme, public key, the secret keys and the evaluation function key for the encryption are generated. A message authenticating system (MAC) is used to authenticate this process. Using [[MAC]], a key is also generated.
** Majority of the single-qubit and two qubit quantum states are encrypted using the global permutation <math>\pi</math>, but all the qubits in the error correcting gadget are encrypted using independent permutation. The encryption occurs through [[CSS]] where equal amounts of traps gates (<math>|0\rangle</math> and <math>|+\rangle</math>) are added and permuted using the global permutation, after which the overall state is encrypted by using [[Quantum one time pad]]. The final state formed of the single-qubit or two qubit quantum used initially is known as the magic state.
** The keys for the quantum one-time pad are selected during the encryption stage, For the <math>T</math> gate, error correcting gadgets are prepared from garden-hose gadgets(Link here).
** Then the evaluation key is formed, using the auxiliary states mentioned, which includes the magic states too.
</br>
</br>
* '''Evaluation''': Evaluation of a circuit is done gate by gate. Throughout this procedure, apart from the outputs, a complete computational log is made of all randomness used, all computation steps, all intermediate results and all the classical FHE computations. To measure a qubit, we measure all ciphertext qubits and place the outcomes in the log.
* '''Evaluation''': Evaluation of a circuit is done gate by gate. Throughout this procedure, apart from the outputs, a complete computational log is made of all randomness used, all computation steps, all intermediate results, and all the classical FHE computations. To measure a qubit, we measure all ciphertext qubits and place the outcomes in the log.
**  Measurements: In computational basis measurement, logical measurement is performed by measurement of all physical qubits of the ciphertext and also checks the traps. This is followed by using the encryption function of classical homomorphic encryption on the result. In Hadamard basis measurement, because of the Hadamard gate property of <math>H|0\rangle = |+\rangle</math> and <math>H|+\rangle = |0\rangle</math>, all computational traps are swapped with the Hadamard traps. . A transversal application of <math>H</math> to all relevant physical qubits precedes the evaluation procedure for the computational basis measurement.
**  Measurements: In computational basis measurement, logical measurement is performed by measurement of all physical qubits of the ciphertext and also checks the traps. This is followed by using the encryption function of classical homomorphic encryption on the result. In Hadamard basis measurement, because of the Hadamard gate property of <math>H|0\rangle = |+\rangle</math> and <math>H|+\rangle = |0\rangle</math>, all computational traps are swapped with the Hadamard traps. . A transversal application of <math>H</math> to all relevant physical qubits precedes the evaluation procedure for the computational basis measurement.
** Pauli gates: Applying a logical Pauli is done by applying the same Pauli to all physical qubits. The application of Pauli gates (<math>X</math> and/or <math>Z</math>) to a state encrypted with a quantum one-time pad can be achieved without touching the actual state, by updating the keys to QOTP in the appropriate way. The logical Pauli-X is performed by (homomorphically) flipping the X-key bits of the QOTP and Pauli-Y works in the same manner for Z-key bits. Hence, this is a classical task.
** Pauli gates: Applying a logical Pauli is done by applying the same Pauli to all physical qubits. The application of Pauli gates (<math>X</math> and/or <math>Z</math>) to a state encrypted with a quantum one-time pad can be achieved without touching the actual state, by updating the keys to QOTP in the appropriate way. The logical Pauli-X is performed by (homomorphically) flipping the X-key bits of the QOTP and Pauli-Y works in the same manner for Z-key bits. Hence, this is a classical task.
** CNOT gate: The effect of applying CNOT to the encrypted qubits, without the quantum one-time padding is that logical CNOT is applied to the physical data qubits in the permutation and the remaining traps are unchanged due to its action. Hence in the quantum one-time pad, the secret key bits are homomorphically updated during evaluation while applying CNOT.
** CNOT gate: The effect of applying CNOT to the encrypted qubits, without the quantum one-time padding is that logical CNOT is applied to the physical data qubits in the permutation and the remaining traps are unchanged due to its action. Hence in the quantum one-time pad, the secret key bits are homomorphically updated during evaluation while applying CNOT.
** Phase gates: Performing this gate requires homomorphic evaluation of all the above gates: (classically controlled) Paulis, CNOTs, and measurements. Here the corresponding encrypted magic state is also used. The below circuit is used to apply this gate
** Phase gates: Performing this gate requires homomorphic evaluation of all the above gates: (classically controlled) Paulis, CNOTs, and measurements. Here the corresponding encrypted magic state is also used.
** Hadamard gate: The Hadamard gate can be applied using the same method used in the Phase gate.
** Hadamard gate: The Hadamard gate can be applied using the same method used in the Phase gate.
** T gate: Applying T requires a magic state and an encrypted [[garden-hose gadget]] (because the T-gate magic state circuit applies a P-gate conditioned on a measurement outcome). The evaluation of that circuit is complicated and hence that specific error correcting gadget is used.
** T gate: Applying T requires a magic state and an encrypted [[garden-hose gadget]] (because the T-gate magic state circuit applies a P-gate conditioned on a measurement outcome). The evaluation of that circuit is complicated and hence that specific error correcting gadget is used.
Line 25: Line 36:
*'''Verified decryption'''
*'''Verified decryption'''
**Here the correctness and consistency of the classical FHE transcript,  the measurement outcomes, and the claimed circuit are checked. The result of this computation is a set of keys for the trap code, which are correct provided that Eval was performed honestly. In this step, decryption takes place using these keys and the output is either plaintext or reject. In terms of quantum capabilities, decryption requires executing the decoding procedure of the error-correcting code, computational-basis and Hadamard-basis measurements, and Paulis.
**Here the correctness and consistency of the classical FHE transcript,  the measurement outcomes, and the claimed circuit are checked. The result of this computation is a set of keys for the trap code, which are correct provided that Eval was performed honestly. In this step, decryption takes place using these keys and the output is either plaintext or reject. In terms of quantum capabilities, decryption requires executing the decoding procedure of the error-correcting code, computational-basis and Hadamard-basis measurements, and Paulis.
** This procedure consists of two parts. Several classical checks are performed at first, where MAC-verification of all classically authenticated messages takes places. It also includes checking if the gates listing in the computational log match the circuit description. The portion of the log which specifies the purely classical, FHE steps taking during classical homomorphic encryption are also checked. Next, all the unmeasured traps are checked and the remaining qubits are decoded. If the logs don't match or if any of the traps are triggered, then the entire process is rejected.
** This procedure consists of two parts. Several classical checks are performed at first, where MAC-verification of all classically authenticated messages takes places. It also includes checking if the gates listing in the computational log match the circuit description. The portion of the log which specifies the purely classical, FHE steps taking during classical homomorphic encryption are also checked.  
** Next, all the unmeasured traps are checked and the remaining qubits are decoded. If the logs don't match or if any of the traps are triggered, then the entire process is rejected.
 
==Hardware Requirements==
* Classical HE scheme is required here. The communication can be performed over a classical network with only one quantum node (in case of classical input and output).
 
==Knowledge Graph==
 
{{graph}}
 
==Properties==
* Compactness: This protocol is compact if verified decryption is divisible into a classical verification procedure Verification (outputting only an accept/reject flag), followed by a quantum decryption procedure Decryption. The running time of Verification is allowed to depend on the circuit size, but the running time of Decryption is not when it is compact.
* Semantic Security: A QPT adversary with access to the ciphertext can be simulated by a simulator that only has access to an ideal functionality that simply applies the claimed circuit. (Explain when this protocol is semantically secure)
* Indistinguishability: For a defined security game, if the success probability for an QPT adversary is at-most <math>\frac{1}{2} + negl(\kappa)</math>, then this protocol is indistinguishable. The security game is based on the QPT adversary determining the outcome of a hidden coin flip.
* Fully Homomorphic: This protocol is fully homomorphic i.e. Server can operate any quantum circuit using this protocol.
* Privacy: this scheme is private if its ciphertexts are indistinguishable under chosen plaintext attack.
* Computational logs are generally classical in nature.
* The chosen message authentication code MAC = (Tag, Ver) is existentially unforgeable under adaptive chosen message attack from a quantum adversary
 
==Notation==
 
* <math>\kappa</math>: Security parameter.
* <math>t</math>: Upper bound on T gate.
* <math>p</math>: Upper bound on P gate.
* <math>h</math>: Upper bound on H gate.
* <math>k</math>: All keys
* <math>\pi</math>: Global permutation which are used to encrypt the states, this is a random permutation of 3m bits<math>\pi \in S_{3m}</math>
* <math>S_{3m}</math>: Permutation group.
* MAC: Message authentication code, MAC = (Tag, Ver)
* HE: Classical fully homomorphic public-key encryption scheme
* TC: Trap Code scheme which is a building block for FHE scheme.
* <math>pk_i, sk_i, evk_i</math>: <math>i_{th}</math> homomorphic key set generated from HE.KeyGen(). Public key for encryption, secret key for decryption, evaluation function key, respectively for given k, the security parameter.
* <math>\tilde{\sigma}</math>: ciphertext
* <math>x, z</math>: Randomly picked bit strings to encrypt with Quantum one time pad. <math>x[i] \in \{0, 1\}^{3m}, z[i] \in \{0, 1\}^{3m}</math>
* <math>\tilde{x}, \tilde{z}</math>: Classical encryptions of the x, z
* <math>\rho_{evk}</math>: evaluation key
* <math>b</math>: Output of the measurement, <math>b \in \{0, 1\}</math>


==Protocol Description==
'''Stage 1''': Key generation and encryption </br>
Main function: TrapTP.KeyGen
'''Function 1''': TrapTP.KeyGen(<math>1^\kappa, 1^t, 1^p, 1^h</math>)</br>
* <math>k \xleftarrow[]{}</math> MAC.KeyGen<math>(1^\kappa)</math>
* <math>\pi \xleftarrow[r]{} S_{3m}</math>
* for <math>i = 0, ..., t:</math>
** <math>(sk_i, pk_i, ev_i) \xleftarrow[]{}</math> HE.KeyGen<math>(1^\kappa)</math>
* <math>sk \xleftarrow[]{} (\pi, k, sk_0, ..., sk_t, pk_0)</math>
* for <math>i = 0, ..., p:</math>
** <math>\mu_i^{P} \xleftarrow[]{}</math>  TrapTP.ENC<math>(sk, P|+\rangle)</math>
* for <math>i = 0, ..., t:</math>
** <math>\mu_i^{T} \xleftarrow[]{}</math>  TrapTP.ENC<math>(sk, T|+\rangle)</math>
* for <math>i = 0, ..., h:</math>
** <math>\mu_i^{H} \xleftarrow[]{}</math>  TrapTP.ENC<math>(sk, \frac{1}{\sqrt{2}}(H\otimes I)(|00\rangle + |11\rangle))</math>
* for <math>i = 0, ..., t:</math>
** <math>\pi_i \xleftarrow[r]{r} S_{3m}</math>
** <math>(g_i, \gamma_i^{in}, \gamma_i^{mid}, \gamma_i^{out}) \xleftarrow[]{}</math> TrapTP.GadgetGen<math>(sk_{i-1})</math>
** <math>\Gamma_i \xleftarrow[]{}</math> MAC.Sign(HE.ENC<math>_{pk_i}(g_i, \pi_i)) \otimes</math> TrapTP.ENC<math>((\pi_i, k, sk_0, ..., sk_t, pk_i), \gamma^{mid}_i \otimes</math> TrapTP.Enc<math>(sk, \gamma^{in}_i, \gamma^{out}_i)</math>
* <math>keys \xleftarrow[]{}</math> MAC.Sign<math>(evk_0, ..., evk_t, pk_0, ..., pk_t,</math> HE.Enc<math>_{pk_0}(\pi))</math>
* <math>\rho_{evk} \xleftarrow[]{} (keys, \mu^{P}_0, ..., \mu^{P}_p, \mu^{T}_0, ..., \mu^{T}_t, \mu^{H}_0, ..., \mu^{H}_h, \Gamma_1, ..., \Gamma_t)</math>
* return <math>(sk, \rho_{evk})</math>
</br>
'''Function 2''': TrapTP.GadgetGen(<math>sk_i</math>)
* <math>g_i \xleftarrow[]{} g(sk_i)</math>
* <math>(\gamma^{in}, \gamma^{mid}, \gamma^{out}) \xleftarrow[]{}</math> generate <math>|\Phi^+\rangle</math> states depending on <math>g_i</math>
* return (<math>g_i, \gamma^{in}, \gamma^{mid}, \gamma^{out}</math>)
</br>
'''Function 3''': TrapTP.Enc((<math>\pi, k, sk_0, ..., sk_t, pk</math>), <math>\sigma</math>)
* <math>\tilde{\sigma} \xleftarrow[]{} \Sigma_{x, z \in \{0,1\}^{3m}} </math> (TC.Enc<math>((\pi, x, z), \sigma) \otimes</math> MAC.Sign<math>_k(HE.Enc_{pk}(x,z)))</math>
* return <math>\tilde{\sigma}</math>
</br>
'''Stage 2''': Evalutation </br>
</br>
'''Function 4''': TrapTP.EvalMeasure(<math>\tilde{\sigma}, \tilde{x}, \tilde{z}, \tilde{\pi}, pk, evk</math>)
* <math>a = (a_1, ..., a_{3m}) \xleftarrow[]{}</math> measure qubits of <math>\tilde{\sigma}</math> in the computational basis
* <math>(\tilde{a}, log_1) \xleftarrow[]{}</math> HE.Enc<math>_{pk}(a)</math>
* <math>(\tilde{b}, \tilde{flag}, log_2 \xleftarrow[]{} </math>HE.Eval<math>^{TC.VerDecMeasurement}_{evk}((\tilde{\pi}, \tilde{x}, \tilde{z}), \tilde{a}, HE.Enc_{pk}(+))</math>
* return (<math>\tilde{b}, \tilde{flag}, log_1, log_2</math>)
</br>
'''Function 5''': TrapTP.EvalX(<math>\tilde{\sigma}, \tilde{x}, \tilde{\pi}, pk, evk</math>)
* <math>(\tilde{x}, log_1) \xleftarrow[]{}</math> HE.Eval<math>_{evk}^{unpermute}(\tilde{\pi}, \tilde{x})</math>
* <math>(\tilde{x}, log_2) \xleftarrow[]{}</math> HE.Eval<math>_{evk}^{\otimes}(\tilde{x},</math> HE.Enc<math>_{pk}(1^m0^{2m}))</math>
* <math>(\tilde{x}, log_3) \xleftarrow[]{}</math> HE.Eval<math>^{permute}_{evk}(\tilde{\pi}, \tilde{x})</math>
* return (<math>\tilde{\sigma}, \tilde{x}, log_1, log_2, log_3</math>)
</br>
'''Function 6''': TrapTP.EvalCondX(<math>\tilde{b}, \tilde{\sigma}, \tilde{x}, \tilde{z}, \tilde{\pi}, pk, evk</math>)
* <math>(\tilde{x}, log_1) \xleftarrow[]{}</math> HE.Eval<math>_{evk}^{unpermute}(\tilde{\pi}, \tilde{x})</math>
* <math>\tilde{s} \xleftarrow[]{}</math> HE.Eval<math>^{y\xrightarrow[]{} y^m0^{2m}}_{evk}(\tilde{b})</math>
* <math>(\tilde{x}, log_2) \xleftarrow[]{}</math> HE.Eval<math>_{evk}^{\otimes}(\tilde{x}, \tilde{s})</math>
* <math>(\tilde{x}, log_3) \xleftarrow[]{}</math> HE.Eval<math>^{permute}_{evk}(\tilde{\pi}, \tilde{x})</math>
* return (<math>\tilde{\sigma}, \tilde{x}, \tilde{z}, log_1, log_2, log_3</math>)
</br>
'''Function 7''': TrapTP.EvalCNOT(<math>\tilde{\sigma}_1, \tilde{\sigma}_2, \tilde{x}_1, \tilde{x}_2, \tilde{z}_1, \tilde{z}_2, \tilde{\pi}, pk, evk</math>)
* <math>(\tilde{\sigma}_1, \tilde{\sigma}_2) \xleftarrow[]{}</math> apply <math>CNOT</math> on all physical qubit pairs of <math>\tilde{\sigma}_1, \tilde{\sigma}_2</math>
* <math>(\tilde{x}_1, \tilde{x}_2, \tilde{z}_1, \tilde{z}_2, log_1) \xleftarrow[]{}</math> HE.Eval<math>^{CNOT-key-update}_{evk}(\tilde{x}_1, \tilde{x}_2, \tilde{z}_1, \tilde{z}_2)</math>
* return <math>(\tilde{\sigma}_1, \tilde{\sigma}_2, \tilde{x}_1, \tilde{x}_2, \tilde{z}_1, \tilde{z}_2, log_1, log_2)</math>
</br>
'''Function 8''': TrapTP.EvalT(<math>\tilde{\sigma}, \tilde{x}, \tilde{z}, \tilde{\pi}, \mu_i^{T},\Gamma_i, pk_{i-1}, evk_{i-1}</math>)
* <math>(\tilde{\sigma}_1, \tilde{\sigma}_2, \tilde{x}_1, \tilde{z}_1, \tilde{x}_2, \tilde{z}_1, log_1) \xleftarrow[]{}</math> Trap.TP.EvalCNOT(<math>(\mu^T_i, \tilde{\sigma}, \tilde{x}, \tilde{z}, \tilde{\pi}, pk_{i-1}, evk_{i-1} </math>)
* <math>(\tilde{b}, log_2) \xleftarrow[]{}</math> TrapTP.EvalMeasure(<math>\tilde{\sigma}_2, \tilde{x}_2, \tilde{z}_2, \tilde{\pi}, pk_{i-1}, evk_{i-1}</math>
* <math>log_3 \xleftarrow[]{}</math> recrypt all classically encrypted information (except <math>\tilde{b}</math>) from key set <math>i-1</math> into key set <math>i</math>.
* <math>(\tilde{\sigma}, log_4) \xleftarrow[]{}</math> TrapTP.EvalCondP<math>(\tilde{b}, \tilde{\sigma}_1, \tilde{x}_1, \tilde{z}_1, \Gamma_i, \tilde{\pi}, pk_i, evk_i)</math>
* return <math>(\tilde{\sigma}, log_!, log_2, log_3, log_4)</math>
</br>
'''Function 9''': TrapTP.EvalCondP(<math>\tilde{b}, \tilde{\sigma}, \tilde{x}, \tilde{z}, \Gamma_i = (\tilde{g_i}, \tilde{\pi}_i, \tilde{\gamma_i^{in}}, \tilde{\gamma_i^{mid}}, \tilde{\gamma_i^{out}}), \tilde{\pi},pk_{i}, evk_{i}</math>)
* <math>(\tilde{a}_1, \tilde{a}_2, log_1) \xleftarrow[]{}</math> evaluate Bell measurement between <math>\tilde{\sigma}</math> and <math>\tilde{\gamma}^{in}_i</math>
* <math>(\tilde{a}, log_2) \xleftarrow[]{}</math> evaluate Bell measurement in <math>\tilde{\Gamma_i^{mid}}</math> as dictated by the ciphertext <math>\tilde{b}</math> and the garden-hose protocol  for HE.Dec
*  <math>(\tilde{x}, \tilde{z}, log_3) \xleftarrow[]{}</math> HE.Eval<math>^{T-key-update}_{evk_i}(\tilde{x}, \tilde{z}, \tilde{a}_1, \tilde{a}_2, \tilde{a}, \tilde{g}_i)</math>
* return <math>(\tilde{\gamma_i^{out}}, \tilde{x}, \tilde{z}, log_1, log_2, log_3)</math>
'''Stage 3''': Verification Decryption </br>
</br>
'''Function 10''': TrapTP.VerDec(<math>sk, \tilde{\sigma}, \tilde{x[i]}_i, \tilde{z[i]}_i, log, c</math>)
* Verify classically authenticated messages (in <math>log</math>) using (contained in <math>sk</math>). If one of these verifications rejects, reject.
* Check whether all claimed gates in log match the structure of c. If not, return (<math>\Omega, |rej\rangle</math>).
* <math>flag</math> ← TrapTP.CheckLog(<math>log</math>)  If flag = rej, return (<math>\Omega, |rej\rangle</math>).
* Check whether the claimed final QOTP keys in the log match <math>\tilde{x}</math> and <math>\tilde{z}</math>. If not, return (<math>\Omega, |rej\rangle</math>).
* for all gates G of c do
** if G is a measurement then
*** <math>\tilde{x'}, \tilde{z'} \xleftarrow[]{}</math> encrypted QOTP keys right before measurement (listed in <math>log</math>)
*** <math>\tilde{w} \xleftarrow[]{}</math> encrypted measurement outcomes (listed in <math>log</math>)
*** <math>\tilde{x'}, \tilde{z'}, \tilde{w} \xleftarrow[]{}</math> HE.Dec<math>_{{sk}_t}(\tilde{x'}, \tilde{z'}, \tilde{w})</math>
*** Execute TC.VerDecMeasurement<math>((\pi, x',z'), w, basis)</math> where basis is the appropriate basis for the measurement, and store the (classical) outcome.
*** if a trap is triggered then
**** return (<math>\Omega, |rej\rangle</math>)
* for all unmeasured qubits <math>\tilde{\sigma_i}</math> in <math>\tilde{\sigma}</math> do
** <math>x[i], z[i] \xleftarrow[]{}</math> HE.Dec<math>_{sk_t}(\tilde{x[i]}, \tilde{z[i]})</math>
** <math>\sigma_i \xleftarrow[]{}</math> TC.VerDec<math>_{(\pi, x[i], z[i])}(\tilde{\sigma_i}).</math> If TC.VerDec rejects, return <math>(\Omega, |rej\rangle)</math>
* <math>\sigma \xleftarrow[]{}</math> the list of decrypted qubits (and measurement outcomes) that are part of the output of c
* return (<math>\sigma, |acc\rangle</math>)


==Further Information==
==Further Information==
==References==
* [https://www.crcpress.com/Introduction-to-Modern-Cryptography/Katz-Lindell/p/book/9781466570269 Introduction to Modern Cryptography]: Message Authentication Code is chosen from here
<div style='text-align: right;'>''*contributed by Rhea Parekh''</div>
<div style='text-align: right;'>''*contributed by Rhea Parekh''</div>

Latest revision as of 15:38, 16 October 2019

In this example protocol, Prepare-and-Send Quantum Fully Homomorphic Encryption protocol is implemented with the additional property of verification, where it is checked if the final ciphertext produces by the server matches the results of a particular computation. QFHE is a protocol where any arbitrary computations can be carried out by the server on the client's encrypted data while hiding all inputs and outputs of the client. In the classical version of this protocol, verification was carried by creating copies at every stage, which is not possible in the quantum version due to the no-cloning theorem(link). Hence in this protocol, verification is carried out by a technique where the server generates classical computational logs through which the underlying encryptions becomes authenticated. These computational logs are used to certify to the client that a particular homomorphic quantum computation was performed on a classical computer.

Tags: Two Party,Universal Task, Secure Delegated Quantum Computation, Quantum Offline Communication, Classical Offline Communication, Quantum Gadgets, Prepare and Send Quantum Fully Homomorphic Encryption, Classical Fully Homomorphic Encryption for Quantum Circuits.

Assumptions[edit]

  • The classical fully homomorphic public-key encryption scheme HE is fixed has decryption in LOGSPACE.
  • A message authentication code MAC is fixed which is existentially unforgeable under adaptive chosen message attacks from a quantum adversary.

Outline[edit]

This protocol consists mainly of four stages: Key Generation, Encryption, Homomorphic evaluation, and Verified decryption. To introduce verification, the major changes from the standard Prepare and Send Quantum Fully Homomorphic Encryption protocol take place in stage 2 (Evaluation) where a computational log is provided as an extra output and in stage 4 (Verified decryption) which accepts computational log and performs the verification. The verification performed in this protocol is mainly classical in nature.

  • Key Generation and encryption: This procedure requires the generation of single-qubit and two-qubit states from a small fixed set, performing Bell measurements and Pauli gates, and executing the encoding procedure of a quantum error-correcting code on which the trap code is based.

Key gen:

    • The classical fully homomorphic encryption scheme is used here to generate the public key, the secret keys and the evaluation function key for the encryption.
    • A message authenticating system (MAC) is used to authenticate this process. Using MAC, a key is also generated.
    • A random global permutation is selected from letters. A tuple is generated now using the global permutation and all the keys generated in the above steps. These are the non-evaluation keys which used to encrypt the auxiliary states.

Encryption: We encrypt each qubit of the plaintext using the trap code, and encrypt the trap code keys using the FHE scheme. This again requires the ability to perform Paulis, execute an error-correcting encoding, and the generation of basic single-qubit states.

    • Majority of the single-qubit and two-qubit quantum states are encrypted using the global permutation. A CSS concatenated Steane code is selected with specific requirements. The quantum state is first encoded using this CSS code which results in a state with qubits. Then, computational and Hadamard traps ( and states) are added to that state and the resulting state is permutated using the global permutation. Next, if is the number of qubits that will be encrypted, two bits strings are picked of length to encrypt the state with Quantum one time pad. After this, we obtain our magic state for that particular quantum state. Here it is important to note that the keys for Quantum one time pad are selected during Encryption rather than Key Generation.
    • For the gate, error correcting gadgets are prepared from garden-hose gadgets.
    • Then the evaluation key is formed by MAC which uses the auxiliary states, including the magic states.


  • Evaluation: Evaluation of a circuit is done gate by gate. Throughout this procedure, apart from the outputs, a complete computational log is made of all randomness used, all computation steps, all intermediate results, and all the classical FHE computations. To measure a qubit, we measure all ciphertext qubits and place the outcomes in the log.
    • Measurements: In computational basis measurement, logical measurement is performed by measurement of all physical qubits of the ciphertext and also checks the traps. This is followed by using the encryption function of classical homomorphic encryption on the result. In Hadamard basis measurement, because of the Hadamard gate property of and , all computational traps are swapped with the Hadamard traps. . A transversal application of to all relevant physical qubits precedes the evaluation procedure for the computational basis measurement.
    • Pauli gates: Applying a logical Pauli is done by applying the same Pauli to all physical qubits. The application of Pauli gates ( and/or ) to a state encrypted with a quantum one-time pad can be achieved without touching the actual state, by updating the keys to QOTP in the appropriate way. The logical Pauli-X is performed by (homomorphically) flipping the X-key bits of the QOTP and Pauli-Y works in the same manner for Z-key bits. Hence, this is a classical task.
    • CNOT gate: The effect of applying CNOT to the encrypted qubits, without the quantum one-time padding is that logical CNOT is applied to the physical data qubits in the permutation and the remaining traps are unchanged due to its action. Hence in the quantum one-time pad, the secret key bits are homomorphically updated during evaluation while applying CNOT.
    • Phase gates: Performing this gate requires homomorphic evaluation of all the above gates: (classically controlled) Paulis, CNOTs, and measurements. Here the corresponding encrypted magic state is also used.
    • Hadamard gate: The Hadamard gate can be applied using the same method used in the Phase gate.
    • T gate: Applying T requires a magic state and an encrypted garden-hose gadget (because the T-gate magic state circuit applies a P-gate conditioned on a measurement outcome). The evaluation of that circuit is complicated and hence that specific error correcting gadget is used.


  • Verified decryption
    • Here the correctness and consistency of the classical FHE transcript, the measurement outcomes, and the claimed circuit are checked. The result of this computation is a set of keys for the trap code, which are correct provided that Eval was performed honestly. In this step, decryption takes place using these keys and the output is either plaintext or reject. In terms of quantum capabilities, decryption requires executing the decoding procedure of the error-correcting code, computational-basis and Hadamard-basis measurements, and Paulis.
    • This procedure consists of two parts. Several classical checks are performed at first, where MAC-verification of all classically authenticated messages takes places. It also includes checking if the gates listing in the computational log match the circuit description. The portion of the log which specifies the purely classical, FHE steps taking during classical homomorphic encryption are also checked.
    • Next, all the unmeasured traps are checked and the remaining qubits are decoded. If the logs don't match or if any of the traps are triggered, then the entire process is rejected.

Hardware Requirements[edit]

  • Classical HE scheme is required here. The communication can be performed over a classical network with only one quantum node (in case of classical input and output).

Knowledge Graph[edit]

Properties[edit]

  • Compactness: This protocol is compact if verified decryption is divisible into a classical verification procedure Verification (outputting only an accept/reject flag), followed by a quantum decryption procedure Decryption. The running time of Verification is allowed to depend on the circuit size, but the running time of Decryption is not when it is compact.
  • Semantic Security: A QPT adversary with access to the ciphertext can be simulated by a simulator that only has access to an ideal functionality that simply applies the claimed circuit. (Explain when this protocol is semantically secure)
  • Indistinguishability: For a defined security game, if the success probability for an QPT adversary is at-most , then this protocol is indistinguishable. The security game is based on the QPT adversary determining the outcome of a hidden coin flip.
  • Fully Homomorphic: This protocol is fully homomorphic i.e. Server can operate any quantum circuit using this protocol.
  • Privacy: this scheme is private if its ciphertexts are indistinguishable under chosen plaintext attack.
  • Computational logs are generally classical in nature.
  • The chosen message authentication code MAC = (Tag, Ver) is existentially unforgeable under adaptive chosen message attack from a quantum adversary

Notation[edit]

  • : Security parameter.
  • : Upper bound on T gate.
  • : Upper bound on P gate.
  • : Upper bound on H gate.
  • : All keys
  • : Global permutation which are used to encrypt the states, this is a random permutation of 3m bits
  • : Permutation group.
  • MAC: Message authentication code, MAC = (Tag, Ver)
  • HE: Classical fully homomorphic public-key encryption scheme
  • TC: Trap Code scheme which is a building block for FHE scheme.
  • : homomorphic key set generated from HE.KeyGen(). Public key for encryption, secret key for decryption, evaluation function key, respectively for given k, the security parameter.
  • : ciphertext
  • : Randomly picked bit strings to encrypt with Quantum one time pad.
  • : Classical encryptions of the x, z
  • : evaluation key
  • : Output of the measurement,

Protocol Description[edit]

Stage 1: Key generation and encryption
Main function: TrapTP.KeyGen

Function 1: TrapTP.KeyGen()

  • MAC.KeyGen
  • for
    • HE.KeyGen
  • for
    • TrapTP.ENC
  • for
    • TrapTP.ENC
  • for
    • TrapTP.ENC
  • for
    • TrapTP.GadgetGen
    • MAC.Sign(HE.ENC TrapTP.ENC TrapTP.Enc
  • MAC.Sign HE.Enc
  • return


Function 2: TrapTP.GadgetGen()

  • generate states depending on
  • return ()


Function 3: TrapTP.Enc((), )

  • (TC.Enc MAC.Sign
  • return


Stage 2: Evalutation


Function 4: TrapTP.EvalMeasure()

  • measure qubits of in the computational basis
  • HE.Enc
  • HE.Eval
  • return ()


Function 5: TrapTP.EvalX()

  • HE.Eval
  • HE.Eval HE.Enc
  • HE.Eval
  • return ()


Function 6: TrapTP.EvalCondX()

  • HE.Eval
  • HE.Eval
  • HE.Eval
  • HE.Eval
  • return ()


Function 7: TrapTP.EvalCNOT()

  • apply on all physical qubit pairs of
  • HE.Eval
  • return


Function 8: TrapTP.EvalT()

  • Trap.TP.EvalCNOT()
  • TrapTP.EvalMeasure(
  • recrypt all classically encrypted information (except ) from key set into key set .
  • TrapTP.EvalCondP
  • return


Function 9: TrapTP.EvalCondP()

  • evaluate Bell measurement between and
  • evaluate Bell measurement in as dictated by the ciphertext and the garden-hose protocol for HE.Dec
  • HE.Eval
  • return


Stage 3: Verification Decryption


Function 10: TrapTP.VerDec()

  • Verify classically authenticated messages (in ) using (contained in ). If one of these verifications rejects, reject.
  • Check whether all claimed gates in log match the structure of c. If not, return ().
  • ← TrapTP.CheckLog() If flag = rej, return ().
  • Check whether the claimed final QOTP keys in the log match and . If not, return ().
  • for all gates G of c do
    • if G is a measurement then
      • encrypted QOTP keys right before measurement (listed in )
      • encrypted measurement outcomes (listed in )
      • HE.Dec
      • Execute TC.VerDecMeasurement where basis is the appropriate basis for the measurement, and store the (classical) outcome.
      • if a trap is triggered then
        • return ()
  • for all unmeasured qubits in do
    • HE.Dec
    • TC.VerDec If TC.VerDec rejects, return
  • the list of decrypted qubits (and measurement outcomes) that are part of the output of c
  • return ()

Further Information[edit]

References[edit]

*contributed by Rhea Parekh