A framework for quantum homomorphic encryption with experimental demonstration

10/08/2019
by   Yu Zhang, et al.
0

Quantum homomorphic encryption (QHE) is an encryption method that allows quantum computation to be performed on one party's private data with the program provided by another party, without revealing much information about the data nor the program to the opposite party. We propose a framework for (interactive) QHE based on the universal circuit approach. It contains a subprocedure of calculating a classical linear polynomial, which can be implemented with quantum or classical methods; apart from the subprocedure, the framework has low requirement on the quantum capabilities of the party who provides the circuit. We illustrate the subprocedure using a quite simple classical protocol with some privacy tradeoff. For a special case of such protocol, we obtain a scheme similar to blind quantum computation but with the output on a different party. Another way of implementing the subprocedure is to use a recently studied quantum check-based protocol, which has low requirement on the quantum capabilities of both parties. The subprocedure could also be implemented with a classical additive homomorphic encryption scheme. We demonstrate some key steps of the outer part of the framework in a quantum optics experiment.

READ FULL TEXT VIEW PDF
POST COMMENT

Comments

There are no comments yet.

Authors

page 1

page 2

page 3

page 4

10/02/2018

A quantum homomorphic encryption scheme for polynomial-sized circuits

Quantum homomorphic encryption (QHE) is an encryption method that allows...
11/28/2017

Quantum Search on Encrypted Data Based on Quantum Homomorphic Encryption

Here we propose a quantum search protocols on ciphered superposition sta...
10/02/2018

A rebit-based quantum homomorphic encryption scheme

Quantum homomorphic encryption (QHE) is an encryption method that allows...
08/31/2020

Homomorphic Encryption for Quantum Annealing with Spin Reversal Transformations

Homomorphic encryption has been an area of study in classical computing ...
09/08/2021

User-generated pseudonyms through Merkle trees

A pseudonymisation technique based on Merkle trees is described in this ...
02/02/2020

Full-Blind Delegating Private Quantum Computation

The delegating private quantum computation (DQC) protocol with the unive...
01/09/2018

Practical Quantum Appointment Scheduling

We propose a protocol based on coherent states and linear optics operati...
This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

I Introduction

Secure quantum computing is an interesting research field that draws ideas from classical cryptography and quantum mechanics. It aims to keep the input data or the program private when two parties perform a quantum computation on possibly restricted sets of input states, while the input and the output may be on one or both parties. Blind quantum computing (BQC) bfk09 ; ABE10 ; skm13 ; Barz12 and “quantum computing on encrypted data” Ch05 ; Fisher13 are two types of problems for which there are satisfactory protocols. Quantum homomorphic encryption is a different but related problem, and is the topic of this paper.

Blind quantum computing is a task in which a client knows both the data and the program but can only do limited quantum operations, and the main part of the computation is carried out by the server, who is not able to learn the data nor the program by design of the protocol. The BQC scheme in bfk09 builds on the measurement-based quantum computing model. There are other BQC schemes based on the circuit model ABE10 , or the ancilla-driven model skm13 . On the other hand, “Quantum computing on encrypted data”, or delegated quantum computation Ch05 ; Fisher13 , allows a publicly known quantum program to be run by a server on secret quantum data provided by a client.

In classical cryptography, homomorphic encryption (HE) is an encryption scheme that allows computation to be performed (effectively on the plaintext after decryption) while having access only to the ciphertext. A fully homomorphic encryption (FHE) scheme allows for any computation to be performed in such fashion Gentry09 ; Dijk09 ; smart2010fully ; brakerski2011efficient . Quantum homomorphic encryption (QHE) allows some classes of quantum computation to be performed without accessing the unencrypted data, and quantum fully homomorphic encryption (QFHE) is similarly defined with the allowed class of quantum computation being universal. The goals of QHE are that the final computation result is correct, and the data and the final computation result are known only to the data-provider, who learns little about the circuit performed beyond what can be deduced from the computation result itself. Schemes for QHE rfg12 ; MinL13 ; Tan16 ; Ouyang18 ; bj15 ; Dulek16 ; NS17 ; Lai17 ; ADSS17 ; Mahadev17 ; TOR18 with varying degrees of success have been proposed. Some techniques in QHE have been applied to the problem of computing on shared quantum secrets Ouyang17 . QHE schemes for arbitrary unrestricted circuits are shown to require exponential resources ypf14 ; NS17 ; Lai17 ; Newman18 . Although ypf14 and some results on bipartite quantum computation of classical functions Lo97 ; bcs12 ; Colbeck07 suggest that the goal of both perfect data privacy and near-perfect circuit privacy cannot be reached in the plain model without aborts, the recent work Yu19 suggests that when some party is allowed to abort, some nontrivial level of security can be reached. An experimental implementation of homomorphic-encrypted quantum walk proposed in rfg12 has been reported Zeuner18 . An experimental demonstration of computationally-secure QFHE is shown in Tham18 .

In this paper, we introduce a framework for (interactive) QHE schemes, intended to work for general quantum input with a polynomial-sized circuit. We refer to “interactive QHE scheme” as any protocol that achieves the goals of QHE (the correctness of final result, and the security of the data and the circuit) while allowing multiple rounds of communication. The flexibility in the framework is that one subprocedure, namely the evaluation of the classical linear polynomials, can be replaced by any quantum or classical protocol for such task. The main computation is on the side of Alice, who provides the data. The framework depends on a “program state” method which is seen in ancilla-driven blind quantum computing skm13 , and it takes hint from a “universal circuit” method in (Fisher13, , Supplementary Note 1)

. If not considering the implementation of the subprocedure, the party Bob who provides the circuit need only have very limited quantum capability: to prepare and send single-qubit states in one of two bases, or to make single-qubit measurements in one of two bases. This point distinguishes it from the framework in

bj15 ; Dulek16 , where the main quantum computation is carried out by the party who provides the circuit, so that both parties need to be able to store at least qubits (in the case of quantum input; and is the input size).

We provide two example classes of protocols for the subprocedure for evaluating the classical linear polynomials. The first class is entirely classical, and it satisfies that the degree of data privacy is in a tradeoff with that of the circuit privacy, both in the subprocedure and in the overall scheme. One end of such tradeoff is that the data is completely insecure, and then the circuit is quite (but not completely) secure, which yields a scheme similar to blind quantum computing, but the output is on the Alice (server) side, rather than on the party with the initial program. When the input state is classical or a product real state, the tradeoff between the data privacy and the circuit privacy is unexpectedly good compared to the case of general quantum input. The second way of implementing the subprocedure is to use a recently studied quantum check-based protocol Yu19 , which has low requirement on the quantum capabilities of both parties: each party need only do repeated quantum operations on a constant number of qubits at a time.

The framework under the two classes of protocols for evaluating classical linear polynomials have modest resource costs: for the first class, the entanglement and classical communication costs are linear in the product of circuit size and the input size; for the second class, the costs are polynomial in circuit size and the input size.

We demonstrate the key steps of the outer part of framework (but not the subprocedure for evaluating classical linear polynomials) in a quantum optics experiment.

In Sec. IV, we mention that the subprocedure for evaluating the classical linear polynomials could also be implemented with a classical additive homomorphic encryption scheme.

The rest of the paper is organized as follows. Sec. II presents the framework for interactive QHE, and briefly introduces the two classes of protocols for the subprocedure of evaluation of the classical linear polynomials. Sec. III presents the experimental methods and the results of the experiment. Sec. IV contains some discussions. Sec. V contains the conclusions.

Ii Framework for interactive QHE

First, we introduce the method of using program states in our scheme. A circuit diagram is shown in Fig. 1 below. The lower qubit is referred to as the program register, and its state is called the program state. It interacts with a data qubit (the first qubit in the figure) via a fixed controlled- gate (where , and , , are the Pauli operators), and then the program register is subject to a Hadamard gate , and measured in the basis. (By viewing the Hadamard gate as a change of basis, the lower qubit is effectively measured in the basis.) When the measurement result is , the one-qubit gate is implemented on the first qubit. When the measurement result is and the program state is not in the basis (i.e. for integer ), a unitary correction is needed, to make the effective gate on the data qubit the same as in the case that the measurement outcome is . The form of the correction depends on the program state: it is . When the correction is a Pauli operator not equal to , which happens when

with odd

, this correction can be deferred by commuting it through the Clifford gates in later parts of the protocol. Note that two mutually orthogonal states of the program register correspond to the same program up to a Pauli correction known to Bob. If Alice knows that the program state is one of these two states, she can of course make a projective measurement to distinguish them. But when Alice is not sure that the program state is one of these two states, e.g. when there are four possible states in two different bases, she cannot know the exact program state, which happens in the case discussed below Eq. (II).

Figure 1: The gadget for using the program state (in the lower qubit) to implement a gate on the data qubit (the upper qubit). This circuit is done entirely by Alice in Scheme 1. The lower qubit is initially in a real state . The two-qubit gate is controlled-, where . By viewing the Hadamard gate as a change of basis, the lower qubit is effectively measured in the basis. For the measurement outcome , a unitary correction is required on the data qubit. But in Scheme 1, rather than doing the correction immediately, Bob updates his coefficients in some linear polynomials of the form (5) in order to do corrections later.

In the scheme below, some program states are produced by Bob through his measurement on some shared entangled state with Alice. From a security point of view, such remote operation is not really necessary. Bob could directly send some states to Alice as the program states, or directly prepare some program states using Alice’s experimental apparatus (in the latter case, for security of Alice’s data, we have to assume that Bob has no access to Alice’s data states when doing so). Alice encrypts her data using the quantum one-time-pad first, before letting her data interact with the program states. Such encryption is for protecting the data from possible leakage due to that some measurement outcomes are sent to Bob. See Sec. 

IV for more explanations.

Since every one-qubit Clifford gate can be expressed as the product of some Clifford gates of the form

(1)

the program states can be used to implement one-qubit Clifford gates. Alice can of course implement two-qubit gates by herself, but we need a nontrivial two-qubit gate or the identity to be implemented according to Bob’s choice. This is done as follows. Let . It is a two-qubit Clifford gate. The following construction accommodates a free choice of a gate in the set using a fixed sequence of interleaved with single-qubit Clifford gates:

(2)

The gate can be implemented by Alice. The one-qubit Clifford gates in Eq. (II) can be implemented by the program-state method, and Bob has a choice as to whether to implement the or by choosing appropriate program states, according to whether he wants to implement the overall gate or . The and are both products of some one-qubit Clifford gates of the form (II) that are implementable by program states. (The Pauli corrections in the implementations can be delayed.) Thus the choice between and is realized by different choices of program states at each gate of the form (II). For each one-qubit Clifford gate of the form (II), the average state of the two possible program states is the maximally mixed state. Hence, Alice is ignorant of which gate is implemented, when she has not received any information about the Pauli corrections. (Another way to see this fact is to consider the generation of program states by Bob’s measurement on his qubit in an EPR pair, which is in Scheme 1 below. Before Bob tells Alice any information about the Pauli corrections, Alice received no messages, so she had no information about which gate Bob intends to implement.)

Alice initially encrypts her input data qubits using the quantum one-time-pad, which means applying random Pauli operators. The choice of the Pauli operators are recorded as bits: the Pauli operator is recorded as two bits and . These bits are unknown to Bob, so he regards them as variables. The variables are unchanged in the procedures of the scheme below, and Bob changes the coefficients for them in the polynomials in the scheme [i.e. in Eq. (5), Bob updates the coefficients but not the variables ]. The way Bob changes the coefficients is because of some key-update rules, and we call them effective key-update rules below, since they do not change Alice’s keys but rather change Bob’s coefficients. The effective key-update rules can be easily obtained from the following relations:

where the is addition modulo 2, and in the gate , the qubit 1 is the control. The effective key-update rules under the gate can be obtained from the relations

(4)

More details about the key-update rules are in bj15 ; Dulek16 .

The detailed steps of our scheme are shown in Scheme 1 below. Starting from step 2, we distinguish the case of classical or product real input from the case of general quantum input. For each gate in the desired circuit, Alice and Bob perform a subprocedure to evaluate a classical linear polynomial of the form

(5)

with the output being a bit on Alice’s side, indicating whether a gate should be done after the gate, to compensate for differences on different Pauli masks due to the gate. The are coefficients known to Bob, and the are variables known to Alice. The is in the case of general quantum input, but is in the case of classical or product real input, since then the initial Pauli corrections are only of the type, which suffice for making the average state maximally mixed. The “classical input” refers to that the input qubits are in the state or

. The “product real input” refers to that the input is the tensor product of real qubit states. For the stage of Clifford gates after the last

gate, Alice and Bob perform two instances of the subprocedure for each of the output qubits, and the output bits are for what Pauli corrections Alice should do on each output qubit.

Scheme 1. A framework for interactive QHE.

1. Bob decomposes the desired circuit using Clifford and gates, where the Clifford gates involved only include the gate and the single-qubit Clifford gates. Alice and Bob prepare some EPR pairs in the state . Bob measures his qubits in the entangled pairs in the or basis, according to the desired program to be performed on Alice’s data. After the measurement, Alice’s qubit in each pair (denoted ) is in one of the following four states in Bob’s view: , , , , which are referred to as the program states. In this way, Bob effectively sends the program states to Alice.

2. In the case of general quantum input, Alice does a random Pauli gate on each input data qubit, and locally records the Pauli mask bits, with bit value indicating a Pauli gate or was done. These bits are Alice’s variables in the linear polynomials to be evaluated by both parties. In the case that the input is classical or a direct product of real qubit states, Alice does a random Pauli gate on each input data qubit, and locally records the Pauli mask bits, with bit value indicating a Pauli gate was done.

3. Bob sends Alice some message about which qubit each program state should interact with, and the type of interaction for each program state (controlled-, or controlled-, or controlled-), and where to insert the gates and gates between uses of the program states (including the information about which qubit any gate or gate acts on). Bob keeps track of the change in coefficients for the variables (in the linear polynomials to be evaluated by both parties) due to such program states.

4. For each in the desired circuit, Alice does the following:
(1) Alice does the fixed gates before a gate, interspersed with some gadgets for single-qubit Clifford gates: for each program state corresponding to logical gates before the current gate, she does a controlled- (or controlled-, controlled-) gate on qubits , where is the received qubit and is a data qubit.
(2) Alice measures all such qubits in the basis. She sends Bob all available measurement outcomes.
(3) Bob determines the coefficients in a linear polynomial according to Alice’s messages and her previous messages, together with his knowledge about the program states. Alice and Bob perform the subprocedure for evaluating this linear polynomial for the qubit that a gate acts on. Alice applies the gate on such qubit, and, according to the output of the corresponding polynomial, performs the gate on the same qubit.

5. For the last part of Clifford gates after the last gate in the desired circuit, Alice does the following:
(1) Alice does the fixed Clifford gates including the gates, interspersed with the gadget for some single-qubit Clifford gates: for each program state, she does a controlled- (or controlled-, controlled-) gate on qubits , where is the received qubit and is a data qubit.
(2) Alice measures all such qubits in the basis. She sends Bob all available measurement outcomes.
(3) Bob determines the coefficients in some linear polynomials according to Alice’s messages and her previous messages, together with his knowledge about the program states. Alice and Bob perform the subprocedures for evaluating two linear polynomials for each output qubit. Alice applies on each output qubit, where and are the output of the corresponding polynomials.
This completes the protocol.

Note that in the step 1, Bob uses local measurement with the help of entanglement to prepare the program states on Alice’s side, rather than direct sending of the program states, since any failure in preparation of the entangled pairs can be remedied by preparing a new pair, while direct sending of the program states may have some rate of failure which is not acceptable. Another remark is on the use of the three types of controlled-Pauli gates. In principle, controlled- gate together with some fixed Clifford gates suffice for replacing the role of all three types of controlled-Pauli gates with the fixed Clifford gates, e.g. in ancilla-driven blind quantum computation skm13 . But the use of three types of controlled-Pauli gates here partially reduces the need for fixed types of gates on Alice’s side, while not leaking much information about the circuit to Alice. Anyway, the sequence of Clifford gates would form an almost random Clifford circuit, if the number of program states used is large, no matter they are for one or three types of controlled-Pauli gates.

The argument for the correctness of the scheme consists of two parts: one is that the program states and associated operations indeed perform the desired Clifford gates. The other is that the key-update rules for gates are correct. Both follow from elementary calculations.

We introduce two classes of protocols to be used for the subprocedure of evaluating classical linear polynomials. The overall scheme is interactive under both classes of protocols. For techniques of turning the scheme into a constant-round scheme, see the use of a teleportation gadget in the constant-round QHE scheme in Yu19 . Such type of gadget was introduced in Dulek16 .

The first class of protocols is completely classical. Alice sends variables (mask bits) to Bob in plaintext, and hides all remaining mask bits ( in the case of general quantum input, and in the case of classical or product real input). The choices of the sent variables are the same among all linear polynomials. Bob tells Alice a linear polynomial containing only the variables that are unknown to him. The generic form of the original polynomial is , but since some are known to Bob, the number of variables appearing in Bob’s polynomial becomes fewer. The constant term in Bob’s polynomial absorbs his coefficients for those variables known to him.

The second class is the protocol for evaluating linear polynomials in Yu19 . It contains one of a few different quantum check-based protocols for generating initial classical correlations (called “one-time tables”) in Yu19 . The one-time tables are generated prior to the main computation. Some checks are performed by one or both parties to prevent the opposite party from cheating. So the protocols may abort when some party insists on cheating. If the party being checked indeed wants to perform the computation, he (she) should almost not cheat, as cheating does not bring much benefit in learning the opposite party’s data, since the checks are before the main computation. The protocol for evaluating linear polynomials in Yu19 has distributed output (the XOR of two remote bits), while the use here has output on Alice’s side only, so we need Bob to send Alice one bit at the end, which partially affects Bob’s privacy. (Such partial leakage is mitigated by possible recompilations of the circuit in the overall interactive QHE scheme). With that minor point set aside, our interactive QHE scheme under the second class of protocols has asymptotic information-theoretic data privacy and circuit privacy, under some choice of the check-based protocol for generating one-time tables. But the circuit privacy is slightly worse than that of the interactive scheme in Yu19 , which uses a so-called garden-hose gadget for performing a possible correction after a gate. The current scheme is easier to implement because it does not need to use such gadget, while the scheme in Yu19 cannot get rid of it because the location of the main computation is on Bob’s side.

In the following we discuss the security of Scheme 1 under the first class of protocols, i.e. the partly-secure classical protocols. We first discuss the case of general quantum input. The input data is partially secure in Scheme 1. Some of the input qubits are protected by Pauli masks. Thus, even if the outcomes of measurements on the program registers are sent to Bob, he cannot find out any information about the input state on these qubits. Some qubits may have some of the Pauli masks known to Bob, thus he may measure his qubit in his entangled pair in some suitable basis, and together with the measurement outcome on Alice’s program register, he can get some information about the data. Such measurement by Bob may affect the correctness of computation. In the case of classical input, Bob’s similar operation can be regarded as copying of the classical input, and it does not affect the correctness. The case of classical or product real input would have better tradeoff between data privacy and circuit privacy, since Bob has much fewer coefficients to tell Alice in each polynomial, for the same value of .

Under the first class of protocols for the subprocedure, the circuit in Scheme 1 is partially secure, and the degree of circuit privacy depends on the value of and the number of gates in the desired circuit: a larger value of and more gates imply better circuit privacy. By sending Alice some polynomials, Bob tells Alice some information about his program. But since each polynomial has terms missing (because Alice tells Bob the values of variables), Alice lacks knowledge about this part of the program. The amount of lack of information is about bits for each polynomial, since Bob also sends Alice the constant term in the polynomial, which carries one bit or less (the case of less than one bit may happen when the variables told to Bob are all zero, since then Bob’s constant term must be zero). Such lack of information would accumulate across different polynomials (each corresponding to a gate), so that Alice lacks a significant part of the knowledge about the overall program. Here, we have ignored the asymptotically vanishing amount of information about the circuit learnable through the sequence of controlled-Pauli gates told to Alice. Note that in each polynomial, Alice’s lack of knowledge is limited to some fixed terms. This may mean that the part of circuit on some subset of the input qubits not related to these terms may be known quite well by Alice, provided that these qubits do not interact with the remaining qubits very often.

Iii Experimental demonstration

We have performed a quantum optics experiment to demonstrate some steps in the outer part of the scheme: the state preparation of a data qubit and a program register (qubit), the controlled-Pauli gate on these qubits, the measurement on the program register after the gate, and state tomography on the output data qubit. The inner part, which is the subprocedure for evaluating classical linear polynomials, can be implemented independently, since it is connected to the outer part of the scheme classically. Such inner part can be implemented by known protocols or by those developed in the future. In our experiment, the controlled-, controlled- and controlled-

gates are performed using a single photon’s path and polarization degrees of freedom. The photon’s path is the controlling qubit (the program register) and the polarization is the controlled qubit. For ease of implementation, we assume directly the existence of a qubit as the program register as in Fig. 

1, instead of implementing it through measuring one qubit in an entangled pair of qubits as in Scheme 1. The optical circuit is illustrated in Fig. 2.

Figure 2: The optical setup for demonstrating some key steps in the scheme. The HWP and QWP prepare a polarization state, and after the photon reaches the larger PBS at the middle, the prepared state becomes a path state, representing the controlling qubit in the controlled-Pauli gate to be performed. The HWP, QWP, HWP and QWP are for preparing polarization states dependent on the path, representing the results of the identity gate or Pauli gate acting on some initial polarization state. The HWP and HWP in the upper block are set to and , respectively. The upper block serves to perform a Hadamard gate on the path state. The QWP and QWP are set to but tilted for phase compensation.

In the setup, a pair of photons is generated by type-I spontaneous parametric down conversion in a 3-mm-thick nonlinear beta-barium borate (BBO) crystal pumped by a 100mW diode laser (centered at 404nm). The circuit first prepares a polarization state on one photon, while the other photon is used as the trigger. After passing through the larger PBS in the middle, the two branches go to separate paths, this means that the prior polarization state is actually used as a path state. In each of the two paths, the polarization state is known ( or ), and we let the photon pass through some combination of HWP and QWP to get some polarization state dependent on the path. This effectively implements the controlled- gate in Fig. 1. Then the photon passes through the PBS again to enter the upper loop. This loop takes clue from the optical circuit in Fig. 2(b) of Liu16 . It consists of a PBS and some mirrors and HWPs (the HWP and HWP in Fig. 2), and serves as an effective 50:50 beam splitter. The effective beam splitter performs a Hadamard gate on the path states. This implements the gate in Fig. 1. After the photon comes out of this loop (including passing through HWP on one output path), it goes into one of the two output ports in the setup. The two path states at the end correspond to outcomes of the measurement on the lower qubit in Fig. 1. In each run of the experiment, we only measure one polarization state in one output port. The choice of the port corresponds to choosing one outcome of the X-basis measurement on the ancilla qubit (in this notation, the gate on the ancilla is regarded as part of the measurement). Under a fixed choice of the port, the choice of the polarization state to be detected is done by the QWP and HWP placed just before the detector.

Some separate testing shows that the interference visibility of the green (upper) loop and the grey (lower) loop are about 0.9983 and 0.9973, respectively.

For each combination of the input state of the controlling qubit, and the gate to be performed, we do five repeated periods of measurements. The duration of each measurement period is 20 seconds. We measure four polarization states in the selected output port, and reconstruct the density matrix using a program based on the maximum likelihood estimation method in

JKM01 . For various input states of the controlling and the controlled qubits, and the chosen outcome for the measurement on the controlling qubit, we calculate the fidelity of the experimentally found density matrix with the ideal one. The fidelity between two pure states and is defined as . The fidelities for some parameterized sets of input states are listed in the figures below. Figure 3 shows fidelities between the theoretical and experimental output one-qubit states for the case of controlled- gate acting on input state where is a real parameter, and subsequently measuring the controlling qubit with the outcome corresponding to . The average fidelities for other input state combinations are also mostly above 0.99.

The other figures illustrate the correctness of the results from another perspective. The left figure in Fig. 4 shows the theoretical curve and experimental result for the squared overlap between the output state of the target qubit and the reference state , for the case that the controlled- gate acts on input state , with measurement outcome of the controlling qubit corresponding to (same below). The squared overlap of two pure states has the same definition as the fidelity, and we use this notion to emphasize that it is not intended to be near . The here is not limited to states located on a circle on the Bloch sphere: the states used here include some states of the form , and some states of the form , and another generic pure qubit state. The right figure in Fig. 4 is for the same input states, and the reference output state is changed to . The left figure in Fig. 5 shows the theoretical curve and experimental result for the squared overlap between the output state of the target qubit and the reference state (same as that in Fig. 4), for the case that the controlled- gate acts on input state , where is not limited to states located on a circle on the Bloch sphere. The right figure in Fig. 5 are for the same input states, but with the reference output state changed to (same as that in Fig. 4).

Figure 3: Fidelities between the theoretical and experimental output one-qubit states in the case of a controlled- gate acting on input state and subsequently measuring the controlling qubit with the outcome corresponding to (the same outcome is assumed below). The error bars indicate fluctuations in the experimentally obtained fidelities over repeated runs of the experiment.
Figure 4: Left: theoretical curve and experimental result for the squared overlap between the output state of the target qubit and a reference state , for the case that the controlled- gate acts on , where is not limited to states located on a circle on the Bloch sphere. The horizontal axis is for the angle with respect to the center of the Bloch sphere between the theoretical output state and the reference state . Right: for the same input states, but the reference state of the output is changed to .
Figure 5: Left: theoretical curve and experimental result for the squared overlap between the output state of the target qubit and a reference state , for the case that the controlled- gate acts on , where is not limited to states located on a circle on the Bloch sphere. The horizontal axis is for the angle with respect to the center of the Bloch sphere between the theoretical output state and the reference state . Right: for the same input states, but the reference state of the output is changed to .

Iv Discussion

Under the first class of protocols for evaluating classical linear polynomials, the extreme case of completely insecure data gives rise to an overall scheme similar to blind quantum computing (BQC) scheme, but with the output on a different party. In blind quantum computing, the client (usually called Alice, but to compare to our scheme, let us assume the client is Bob and the server is Alice) has both the data and the program but has limited quantum capabilities. The client delegates (a part of) the secret program to the server to let the program run on the client’s private data (or a blank state), and the result is returned to the client in the end. Our scheme in the case of completely insecure data gives rise to a scheme for BQC if the final steps are modified so that Bob has the computation result instead of Alice. The revision required is that Alice teleports her output state to Bob before the final Pauli corrections, and Bob does not send her the information for the final Pauli corrections. The blindness is from that each program state is in a completely mixed qubit for the server. Such BQC scheme saves the number of rounds of communication compared to the scheme in bfk09 and some other existing schemes. On the other hand, without such modification, the scheme has the output on Alice’s side, and a practical application is as follows: Bob serves as a data collecting party who effectively sends some data to Alice through the choices of the program states, and Alice does the main quantum computation, with the output known to herself. In such case, we no longer have the usual problem in BQC that the quantum computation needs to be verified, since Alice wants to get the result.

We remark on the use of program registers sent by the client Bob, and the associated necessity for Alice to encrypt her data locally (via the quantum one-time-pad in our scheme). In many BQC schemes, some qubit in mixed state (in the view of the server) is sent by the client to be used as a local program register on the server. Things are different in (interactive) QHE, in which the data and the program are initially on opposite parties. In schemes of (interactive) QHE, the use of a program register with Bob knowing its content is likely a weak point in security, since it is modelled by a mixed state, and we may think of two ways of purifying it, each has its own problem: (i) if a purifying third party is introduced, it may be an active party who may collude with some party or cheat; (ii) if instead a mixed state resource on the two parties (Alice and Bob) is used, there is no guarantee that Bob would not replace his part so that they share a pure entangled state with the same function in the protocol, and if Alice’s data qubits are not properly encrypted, it is likely that Bob may measure his part of the entangled state at some stage of the protocol in some suitable basis, and together with the information about measurement outcomes sent by Alice, he may get some information about Alice’s data. This issue does not cause a security problem in BQC, since in BQC the initial data is on the party who has the program. Our Scheme 1 avoids the problem above by the trick of letting Alice encrypt the data locally first.

The Scheme 1 contains a procedure of evaluating a classical linear polynomial of the form (5). For such procedure, we have introduced a simple classical protocol with some privacy tradeoff as an example protocol. Such procedure could be replaced with any classical additive homomorphic encryption scheme encrypting bits, analogous to the situation in bj15 . One can use the relatively simple schemes in GM82 ; Paillier99 which are not post-quantum schemes; some post-quantum scheme may be used if the security against quantum computers is of concern.

V Conclusions

We have constructed a framework for (interactive) QHE scheme for general circuits, based on the universal circuit approach. A feature of the framework is the compatibility with blind quantum computation. We discussed two classes of example protocols for the subprocedure for evaluating a linear polynomial, and such subprocedure is replaceable by other protocols. With the first class of example protocols, which are fully classical, there is a tradeoff in the privacy of the data and the privacy of the circuit in the overall scheme, and the tradeoff is particularly good when the input is classical or a product real state. With the second class of example protocols which require repeated quantum operations on constant number of qubits, the overall scheme has asymptotic data privacy and asymptotic circuit privacy (the latter for large circuits only) under some weak assumptions about the two parties. We have demonstrated some key steps of the framework part of the scheme in a quantum optics experiment.

Apart from the implementation of the subprocedure, the framework has low requirement on Bob’s quantum capabilities: he need only be able to prepare and send single-qubit states, or be able to make single-qubit measurements in one of two bases. We have mentioned in Sec. II that the framework may be made non-interactive by using the so-called garden-hose gadgets. Note that in a computationally-secure leveled QFHE scheme Mahadev17 , an almost classical client is also used, but the client provides the data rather than the circuit. As an alternative to the first type of protocols mentioned above, it is possible to use classical additive homomorphic encryption methods in evaluating the linear polynomials.

Acknowledgments

This work was supported in part by the NKRDP of China (No. 2016YFA0301802), the National Natural Science Foundation of China (No. 11974096, No. U1705264, No. 11774076, No. 11775065, No. 61472114, No. 61972124, and No. 61672030), the Zhejiang Provincial Natural Science Foundation of China (No. LY17A050003, No. LY19F020019), the Research Foundation of Guangxi Key Laboratory of Cryptography and Information Security (No. GCIS201725), the Scientific Research Fund of Zhejiang Provincial Education Department (No. Y201737289, No. Y201737292), and the startup grant of Hangzhou Normal University.

References

  • [1] Anne Broadbent, Joseph Fitzsimons, and Elham Kashefi. Universal blind quantum computation. Proceedings of the 50th Annual IEEE Symposium on Foundations of Computer Science (FOCS 2009), pages 517–526, 2009.
  • [2] Dorit Aharonov, Michael Ben-Or, and Elad Eban. Interactive proofs for quantum computations. In Proceeding of the First Symposium on Innovations in Computer Science, pages 453–469, 2010.
  • [3] Takahiro Sueki, Takeshi Koshiba, and Tomoyuki Morimae. Ancilla-driven universal blind quantum computation. Phys. Rev. A, 87:060301(R), Jun 2013.
  • [4] Stefanie Barz, Elham Kashefi, Anne Broadbent, Joseph F. Fitzsimons, Anton Zeilinger, and Philip Walther. Demonstration of blind quantum computing. Science, 335(6066):303–308, 2012.
  • [5] Andrew Childs. Secure assisted quantum computation. Quantum Information and Computation, 5(6):456, 2005.
  • [6] K. Fisher, A. Broadbent, L.K. Shalm, Z. Yan, J. Lavoie, R. Prevedel, T. Jennewein, and K.J. Resch. Quantum computing on encrypted data. Nat. Commun., 5:3074, 2014.
  • [7] Craig Gentry. Fully homomorphic encryption using ideal lattices. In

    Proceedings of the Forty-first Annual ACM Symposium on Theory of Computing

    , STOC ’09, pages 169–178, New York, NY, USA, 2009. ACM.
  • [8] Marten van Dijk, Craig Gentry, Shai Halevi, and Vinod Vaikuntanathan. Fully homomorphic encryption over the integers. In Advances in Cryptology—EUROCRYPT 2010, Lecture Notes in Computer Science, 6110:24–43, 2010.
  • [9] N. P. Smart and F. Vercauteren. Fully homomorphic encryption with relatively small key and ciphertext sizes. In Phong Q. Nguyen and David Pointcheval, editors, Public Key Cryptography – PKC 2010, pages 420–443, Berlin, Heidelberg, 2010. Springer Berlin Heidelberg.
  • [10] Z. Brakerski and V. Vaikuntanathan. Efficient fully homomorphic encryption from (standard) LWE. In 2011 IEEE 52nd Annual Symposium on Foundations of Computer Science, pages 97–106, Oct 2011.
  • [11] Peter P. Rohde, Joseph F. Fitzsimons, and Alexei Gilchrist. Quantum walks with encrypted data. Phys. Rev. Lett., 109:150501, 2012.
  • [12] Min Liang. Symmetric quantum fully homomorphic encryption with perfect security. Quantum Inf. Process., 12:3675–3687, 2013.
  • [13] S.-H. Tan, J. A. Kettlewell, Y. Ouyang, L. Chen, and J. F. Fitzsimons. A quantum approach to homomorphic encryption. Sci. Rep., 6:33467, 2016.
  • [14] Y. Ouyang, S.-H. Tan, and J. Fitzsimons. Quantum homomorphic encryption from quantum codes. Phys. Rev. A, 98:042334, 2018.
  • [15] Anne Broadbent and Stacey Jeffery. Quantum homomorphic encryption for circuits of low T-gate complexity. In Proceedings of Advances in Cryptology — CRYPTO 2015, pages 609–629, 2015.
  • [16] Yfke Dulek, Christian Schaffner, and Florian Speelman. Quantum homomorphic encryption for polynomial-sized circuits. CRYPTO 2016: Advances in Cryptology - CRYPTO 2016, pages 3–32, 2016.
  • [17] M. Newman and Y. Shi. Limitations on Transversal Computation through Quantum Homomorphic Encryption. Quantum Information and Computation, 18:927–948, 2018.
  • [18] C.-Y. Lai and K.-M. Chung. On Statistically-Secure Quantum Homomorphic Encryption. Quantum Information and Computation, 18:785–794, 2018.
  • [19] Gorjan Alagic, Yfke Dulek, Christian Schaffner, and Florian Speelman. Quantum fully homomorphic encryption with verification. In Tsuyoshi Takagi and Thomas Peyrin, editors, Advances in Cryptology – ASIACRYPT 2017, pages 438–467, Cham, 2017. Springer International Publishing.
  • [20] U. Mahadev. Classical homomorphic encryption for quantum circuits. In 2018 IEEE 59th Annual Symposium on Foundations of Computer Science (FOCS), pages 332–338, Oct 2018.
  • [21] Si-Hui Tan, Yingkai Ouyang, and Peter P. Rohde. Practical somewhat-secure quantum somewhat-homomorphic encryption with coherent states. Phys. Rev. A, 97:042308, Apr 2018.
  • [22] Yingkai Ouyang, Si-Hui Tan, Liming Zhao, and Joseph F. Fitzsimons. Computing on quantum shared secrets. Phys. Rev. A, 96:052333, Nov 2017.
  • [23] Li Yu, Carlos A. Pérez-Delgado, and Joseph F. Fitzsimons. Limitations on information-theoretically-secure quantum homomorphic encryption. Phys. Rev. A, 90:050303(R), Nov 2014.
  • [24] M. Newman. Further Limitations on Information-Theoretically Secure Quantum Homomorphic Encryption. http://arxiv.org/abs/1809.08719, September 2018.
  • [25] Hoi-Kwong Lo. Insecurity of quantum secure computations. Phys. Rev. A, 56:1154–1162, Aug 1997.
  • [26] Harry Buhrman, Matthias Christandl, and Christian Schaffner. Complete insecurity of quantum protocols for classical two-party computation. Phys. Rev. Lett., 109:160501, Oct 2012.
  • [27] Roger Colbeck. Impossibility of secure two-party classical computation. Phys. Rev. A, 76:062308, Dec 2007.
  • [28] Li Yu. Quantum preprocessing for information-theoretic security in two-party computation. http://arxiv.org/abs/1908.05584, Aug 2019.
  • [29] Jonas Zeuner, Ioannis Pitsios, Si-Hui Tan, Aditya N. Sharma, Joseph F. Fitzsimons, Roberto Osellame, and Philip Walther. Experimental Quantum Homomorphic Encryption. http://arxiv.org/abs/1803.10246, Mar 2018.
  • [30] W. K. Tham, Hugo Ferretti, Kent Bonsma-Fisher, Aharon Brodutch, Barry C. Sanders, Aephraim M. Steinberg, and Stacey Jeffery. Experimental Demonstration of Quantum Fully Homomorphic Encryption with Application in a Two-Party Secure Protocol. http://arxiv.org/abs/1811.02149, Nov 2018.
  • [31] Bi-Heng Liu, Xiao-Min Hu, Jiang-Shan Chen, Yun-Feng Huang, Yong-Jian Han, Chuan-Feng Li, Guang-Can Guo, and Adán Cabello. Nonlocality from local contextuality. Phys. Rev. Lett., 117:220402, Nov 2016.
  • [32] Daniel F. V. James, Paul G. Kwiat, William J. Munro, and Andrew G. White. Measurement of qubits. Phys. Rev. A, 64:052312, Oct 2001.
  • [33] Shafi Goldwasser and Silvio Micali. Probabilistic Encryption & How to Play Mental Poker Keeping Secret All Partial Information. In Proceedings of the Fourteenth Annual ACM Symposium on Theory of Computing, STOC ’82, pages 365–377, New York, NY, USA, 1982. ACM.
  • [34] Pascal Paillier. Public-key cryptosystems based on composite degree residuosity classes. In Jacques Stern, editor, Advances in Cryptology — EUROCRYPT ’99, pages 223–238, Berlin, Heidelberg, 1999. Springer Berlin Heidelberg.