I Introduction
Secure quantum computing is an interesting research field that draws ideas from classical cryptography and quantum mechanics. It aims to keep the input data or the program private when two parties perform a quantum computation on possibly restricted sets of input states, while the input and the output may be on one or both parties. Blind quantum computing (BQC) bfk09 ; ABE10 ; skm13 ; Barz12 and “quantum computing on encrypted data” Ch05 ; Fisher13 are two types of problems for which there are satisfactory protocols. Quantum homomorphic encryption is a different but related problem, and is the topic of this paper.
Blind quantum computing is a task in which a client knows both the data and the program but can only do limited quantum operations, and the main part of the computation is carried out by the server, who is not able to learn the data nor the program by design of the protocol. The BQC scheme in bfk09 builds on the measurementbased quantum computing model. There are other BQC schemes based on the circuit model ABE10 , or the ancilladriven model skm13 . On the other hand, “Quantum computing on encrypted data”, or delegated quantum computation Ch05 ; Fisher13 , allows a publicly known quantum program to be run by a server on secret quantum data provided by a client.
In classical cryptography, homomorphic encryption (HE) is an encryption scheme that allows computation to be performed (effectively on the plaintext after decryption) while having access only to the ciphertext. A fully homomorphic encryption (FHE) scheme allows for any computation to be performed in such fashion Gentry09 ; Dijk09 ; smart2010fully ; brakerski2011efficient . Quantum homomorphic encryption (QHE) allows some classes of quantum computation to be performed without accessing the unencrypted data, and quantum fully homomorphic encryption (QFHE) is similarly defined with the allowed class of quantum computation being universal. The goals of QHE are that the final computation result is correct, and the data and the final computation result are known only to the dataprovider, who learns little about the circuit performed beyond what can be deduced from the computation result itself. Schemes for QHE rfg12 ; MinL13 ; Tan16 ; Ouyang18 ; bj15 ; Dulek16 ; NS17 ; Lai17 ; ADSS17 ; Mahadev17 ; TOR18 with varying degrees of success have been proposed. Some techniques in QHE have been applied to the problem of computing on shared quantum secrets Ouyang17 . QHE schemes for arbitrary unrestricted circuits are shown to require exponential resources ypf14 ; NS17 ; Lai17 ; Newman18 . Although ypf14 and some results on bipartite quantum computation of classical functions Lo97 ; bcs12 ; Colbeck07 suggest that the goal of both perfect data privacy and nearperfect circuit privacy cannot be reached in the plain model without aborts, the recent work Yu19 suggests that when some party is allowed to abort, some nontrivial level of security can be reached. An experimental implementation of homomorphicencrypted quantum walk proposed in rfg12 has been reported Zeuner18 . An experimental demonstration of computationallysecure QFHE is shown in Tham18 .
In this paper, we introduce a framework for (interactive) QHE schemes, intended to work for general quantum input with a polynomialsized circuit. We refer to “interactive QHE scheme” as any protocol that achieves the goals of QHE (the correctness of final result, and the security of the data and the circuit) while allowing multiple rounds of communication. The flexibility in the framework is that one subprocedure, namely the evaluation of the classical linear polynomials, can be replaced by any quantum or classical protocol for such task. The main computation is on the side of Alice, who provides the data. The framework depends on a “program state” method which is seen in ancilladriven blind quantum computing skm13 , and it takes hint from a “universal circuit” method in (Fisher13, , Supplementary Note 1)
. If not considering the implementation of the subprocedure, the party Bob who provides the circuit need only have very limited quantum capability: to prepare and send singlequbit states in one of two bases, or to make singlequbit measurements in one of two bases. This point distinguishes it from the framework in
bj15 ; Dulek16 , where the main quantum computation is carried out by the party who provides the circuit, so that both parties need to be able to store at least qubits (in the case of quantum input; and is the input size).We provide two example classes of protocols for the subprocedure for evaluating the classical linear polynomials. The first class is entirely classical, and it satisfies that the degree of data privacy is in a tradeoff with that of the circuit privacy, both in the subprocedure and in the overall scheme. One end of such tradeoff is that the data is completely insecure, and then the circuit is quite (but not completely) secure, which yields a scheme similar to blind quantum computing, but the output is on the Alice (server) side, rather than on the party with the initial program. When the input state is classical or a product real state, the tradeoff between the data privacy and the circuit privacy is unexpectedly good compared to the case of general quantum input. The second way of implementing the subprocedure is to use a recently studied quantum checkbased protocol Yu19 , which has low requirement on the quantum capabilities of both parties: each party need only do repeated quantum operations on a constant number of qubits at a time.
The framework under the two classes of protocols for evaluating classical linear polynomials have modest resource costs: for the first class, the entanglement and classical communication costs are linear in the product of circuit size and the input size; for the second class, the costs are polynomial in circuit size and the input size.
We demonstrate the key steps of the outer part of framework (but not the subprocedure for evaluating classical linear polynomials) in a quantum optics experiment.
In Sec. IV, we mention that the subprocedure for evaluating the classical linear polynomials could also be implemented with a classical additive homomorphic encryption scheme.
The rest of the paper is organized as follows. Sec. II presents the framework for interactive QHE, and briefly introduces the two classes of protocols for the subprocedure of evaluation of the classical linear polynomials. Sec. III presents the experimental methods and the results of the experiment. Sec. IV contains some discussions. Sec. V contains the conclusions.
Ii Framework for interactive QHE
First, we introduce the method of using program states in our scheme. A circuit diagram is shown in Fig. 1 below. The lower qubit is referred to as the program register, and its state is called the program state. It interacts with a data qubit (the first qubit in the figure) via a fixed controlled gate (where , and , , are the Pauli operators), and then the program register is subject to a Hadamard gate , and measured in the basis. (By viewing the Hadamard gate as a change of basis, the lower qubit is effectively measured in the basis.) When the measurement result is , the onequbit gate is implemented on the first qubit. When the measurement result is and the program state is not in the basis (i.e. for integer ), a unitary correction is needed, to make the effective gate on the data qubit the same as in the case that the measurement outcome is . The form of the correction depends on the program state: it is . When the correction is a Pauli operator not equal to , which happens when
with odd
, this correction can be deferred by commuting it through the Clifford gates in later parts of the protocol. Note that two mutually orthogonal states of the program register correspond to the same program up to a Pauli correction known to Bob. If Alice knows that the program state is one of these two states, she can of course make a projective measurement to distinguish them. But when Alice is not sure that the program state is one of these two states, e.g. when there are four possible states in two different bases, she cannot know the exact program state, which happens in the case discussed below Eq. (II).In the scheme below, some program states are produced by Bob through his measurement on some shared entangled state with Alice. From a security point of view, such remote operation is not really necessary. Bob could directly send some states to Alice as the program states, or directly prepare some program states using Alice’s experimental apparatus (in the latter case, for security of Alice’s data, we have to assume that Bob has no access to Alice’s data states when doing so). Alice encrypts her data using the quantum onetimepad first, before letting her data interact with the program states. Such encryption is for protecting the data from possible leakage due to that some measurement outcomes are sent to Bob. See Sec.
IV for more explanations.Since every onequbit Clifford gate can be expressed as the product of some Clifford gates of the form
(1) 
the program states can be used to implement onequbit Clifford gates. Alice can of course implement twoqubit gates by herself, but we need a nontrivial twoqubit gate or the identity to be implemented according to Bob’s choice. This is done as follows. Let . It is a twoqubit Clifford gate. The following construction accommodates a free choice of a gate in the set using a fixed sequence of interleaved with singlequbit Clifford gates:
(2) 
The gate can be implemented by Alice. The onequbit Clifford gates in Eq. (II) can be implemented by the programstate method, and Bob has a choice as to whether to implement the or by choosing appropriate program states, according to whether he wants to implement the overall gate or . The and are both products of some onequbit Clifford gates of the form (II) that are implementable by program states. (The Pauli corrections in the implementations can be delayed.) Thus the choice between and is realized by different choices of program states at each gate of the form (II). For each onequbit Clifford gate of the form (II), the average state of the two possible program states is the maximally mixed state. Hence, Alice is ignorant of which gate is implemented, when she has not received any information about the Pauli corrections. (Another way to see this fact is to consider the generation of program states by Bob’s measurement on his qubit in an EPR pair, which is in Scheme 1 below. Before Bob tells Alice any information about the Pauli corrections, Alice received no messages, so she had no information about which gate Bob intends to implement.)
Alice initially encrypts her input data qubits using the quantum onetimepad, which means applying random Pauli operators. The choice of the Pauli operators are recorded as bits: the Pauli operator is recorded as two bits and . These bits are unknown to Bob, so he regards them as variables. The variables are unchanged in the procedures of the scheme below, and Bob changes the coefficients for them in the polynomials in the scheme [i.e. in Eq. (5), Bob updates the coefficients but not the variables ]. The way Bob changes the coefficients is because of some keyupdate rules, and we call them effective keyupdate rules below, since they do not change Alice’s keys but rather change Bob’s coefficients. The effective keyupdate rules can be easily obtained from the following relations:
where the is addition modulo 2, and in the gate , the qubit 1 is the control. The effective keyupdate rules under the gate can be obtained from the relations
(4) 
More details about the keyupdate rules are in bj15 ; Dulek16 .
The detailed steps of our scheme are shown in Scheme 1 below. Starting from step 2, we distinguish the case of classical or product real input from the case of general quantum input. For each gate in the desired circuit, Alice and Bob perform a subprocedure to evaluate a classical linear polynomial of the form
(5) 
with the output being a bit on Alice’s side, indicating whether a gate should be done after the gate, to compensate for differences on different Pauli masks due to the gate. The are coefficients known to Bob, and the are variables known to Alice. The is in the case of general quantum input, but is in the case of classical or product real input, since then the initial Pauli corrections are only of the type, which suffice for making the average state maximally mixed. The “classical input” refers to that the input qubits are in the state or
. The “product real input” refers to that the input is the tensor product of real qubit states. For the stage of Clifford gates after the last
gate, Alice and Bob perform two instances of the subprocedure for each of the output qubits, and the output bits are for what Pauli corrections Alice should do on each output qubit.Scheme 1. A framework for interactive QHE.
1. Bob decomposes the desired circuit using Clifford and gates, where the Clifford gates involved only include the gate and the singlequbit Clifford gates. Alice and Bob prepare some EPR pairs in the state . Bob measures his qubits in the entangled pairs in the or basis, according to the desired program to be performed on Alice’s data. After the measurement, Alice’s qubit in each pair (denoted ) is in one of the following four states in Bob’s view: , , , , which are referred to as the program states. In this way, Bob effectively sends the program states to Alice.
2. In the case of general quantum input, Alice does a random Pauli gate on each input data qubit, and locally records the Pauli mask bits, with bit value indicating a Pauli gate or was done. These bits are Alice’s variables in the linear polynomials to be evaluated by both parties. In the case that the input is classical or a direct product of real qubit states, Alice does a random Pauli gate on each input data qubit, and locally records the Pauli mask bits, with bit value indicating a Pauli gate was done.
3. Bob sends Alice some message about which qubit each program state should interact with, and the type of interaction for each program state (controlled, or controlled, or controlled), and where to insert the gates and gates between uses of the program states (including the information about which qubit any gate or gate acts on). Bob keeps track of the change in coefficients for the variables (in the linear polynomials to be evaluated by both parties) due to such program states.
4. For each in the desired circuit, Alice does the following:
(1) Alice does the fixed gates before a gate, interspersed with some gadgets for singlequbit Clifford gates: for each program state corresponding to logical gates before the current gate, she does a controlled (or controlled, controlled) gate on qubits , where is the received qubit and is a data qubit.
(2) Alice measures all such qubits in the basis. She sends Bob all available measurement outcomes.
(3) Bob determines the coefficients in a linear polynomial according to Alice’s messages and her previous messages, together with his knowledge about the program states. Alice and Bob perform the subprocedure for evaluating this linear polynomial for the qubit that a gate acts on. Alice applies the gate on such qubit, and, according to the output of the corresponding polynomial, performs the gate on the same qubit.
5. For the last part of Clifford gates after the last gate in the desired circuit, Alice does the following:
(1) Alice does the fixed Clifford gates including the gates, interspersed with the gadget for some singlequbit Clifford gates: for each program state, she does a controlled (or controlled, controlled) gate on qubits , where is the received qubit and is a data qubit.
(2) Alice measures all such qubits in the basis. She sends Bob all available measurement outcomes.
(3) Bob determines the coefficients in some linear polynomials according to Alice’s messages and her previous messages, together with his knowledge about the program states. Alice and Bob perform the subprocedures for evaluating two linear polynomials for each output qubit. Alice applies on each output qubit, where and are the output of the corresponding polynomials.
This completes the protocol.
Note that in the step 1, Bob uses local measurement with the help of entanglement to prepare the program states on Alice’s side, rather than direct sending of the program states, since any failure in preparation of the entangled pairs can be remedied by preparing a new pair, while direct sending of the program states may have some rate of failure which is not acceptable. Another remark is on the use of the three types of controlledPauli gates. In principle, controlled gate together with some fixed Clifford gates suffice for replacing the role of all three types of controlledPauli gates with the fixed Clifford gates, e.g. in ancilladriven blind quantum computation skm13 . But the use of three types of controlledPauli gates here partially reduces the need for fixed types of gates on Alice’s side, while not leaking much information about the circuit to Alice. Anyway, the sequence of Clifford gates would form an almost random Clifford circuit, if the number of program states used is large, no matter they are for one or three types of controlledPauli gates.
The argument for the correctness of the scheme consists of two parts: one is that the program states and associated operations indeed perform the desired Clifford gates. The other is that the keyupdate rules for gates are correct. Both follow from elementary calculations.
We introduce two classes of protocols to be used for the subprocedure of evaluating classical linear polynomials. The overall scheme is interactive under both classes of protocols. For techniques of turning the scheme into a constantround scheme, see the use of a teleportation gadget in the constantround QHE scheme in Yu19 . Such type of gadget was introduced in Dulek16 .
The first class of protocols is completely classical. Alice sends variables (mask bits) to Bob in plaintext, and hides all remaining mask bits ( in the case of general quantum input, and in the case of classical or product real input). The choices of the sent variables are the same among all linear polynomials. Bob tells Alice a linear polynomial containing only the variables that are unknown to him. The generic form of the original polynomial is , but since some are known to Bob, the number of variables appearing in Bob’s polynomial becomes fewer. The constant term in Bob’s polynomial absorbs his coefficients for those variables known to him.
The second class is the protocol for evaluating linear polynomials in Yu19 . It contains one of a few different quantum checkbased protocols for generating initial classical correlations (called “onetime tables”) in Yu19 . The onetime tables are generated prior to the main computation. Some checks are performed by one or both parties to prevent the opposite party from cheating. So the protocols may abort when some party insists on cheating. If the party being checked indeed wants to perform the computation, he (she) should almost not cheat, as cheating does not bring much benefit in learning the opposite party’s data, since the checks are before the main computation. The protocol for evaluating linear polynomials in Yu19 has distributed output (the XOR of two remote bits), while the use here has output on Alice’s side only, so we need Bob to send Alice one bit at the end, which partially affects Bob’s privacy. (Such partial leakage is mitigated by possible recompilations of the circuit in the overall interactive QHE scheme). With that minor point set aside, our interactive QHE scheme under the second class of protocols has asymptotic informationtheoretic data privacy and circuit privacy, under some choice of the checkbased protocol for generating onetime tables. But the circuit privacy is slightly worse than that of the interactive scheme in Yu19 , which uses a socalled gardenhose gadget for performing a possible correction after a gate. The current scheme is easier to implement because it does not need to use such gadget, while the scheme in Yu19 cannot get rid of it because the location of the main computation is on Bob’s side.
In the following we discuss the security of Scheme 1 under the first class of protocols, i.e. the partlysecure classical protocols. We first discuss the case of general quantum input. The input data is partially secure in Scheme 1. Some of the input qubits are protected by Pauli masks. Thus, even if the outcomes of measurements on the program registers are sent to Bob, he cannot find out any information about the input state on these qubits. Some qubits may have some of the Pauli masks known to Bob, thus he may measure his qubit in his entangled pair in some suitable basis, and together with the measurement outcome on Alice’s program register, he can get some information about the data. Such measurement by Bob may affect the correctness of computation. In the case of classical input, Bob’s similar operation can be regarded as copying of the classical input, and it does not affect the correctness. The case of classical or product real input would have better tradeoff between data privacy and circuit privacy, since Bob has much fewer coefficients to tell Alice in each polynomial, for the same value of .
Under the first class of protocols for the subprocedure, the circuit in Scheme 1 is partially secure, and the degree of circuit privacy depends on the value of and the number of gates in the desired circuit: a larger value of and more gates imply better circuit privacy. By sending Alice some polynomials, Bob tells Alice some information about his program. But since each polynomial has terms missing (because Alice tells Bob the values of variables), Alice lacks knowledge about this part of the program. The amount of lack of information is about bits for each polynomial, since Bob also sends Alice the constant term in the polynomial, which carries one bit or less (the case of less than one bit may happen when the variables told to Bob are all zero, since then Bob’s constant term must be zero). Such lack of information would accumulate across different polynomials (each corresponding to a gate), so that Alice lacks a significant part of the knowledge about the overall program. Here, we have ignored the asymptotically vanishing amount of information about the circuit learnable through the sequence of controlledPauli gates told to Alice. Note that in each polynomial, Alice’s lack of knowledge is limited to some fixed terms. This may mean that the part of circuit on some subset of the input qubits not related to these terms may be known quite well by Alice, provided that these qubits do not interact with the remaining qubits very often.
Iii Experimental demonstration
We have performed a quantum optics experiment to demonstrate some steps in the outer part of the scheme: the state preparation of a data qubit and a program register (qubit), the controlledPauli gate on these qubits, the measurement on the program register after the gate, and state tomography on the output data qubit. The inner part, which is the subprocedure for evaluating classical linear polynomials, can be implemented independently, since it is connected to the outer part of the scheme classically. Such inner part can be implemented by known protocols or by those developed in the future. In our experiment, the controlled, controlled and controlled
gates are performed using a single photon’s path and polarization degrees of freedom. The photon’s path is the controlling qubit (the program register) and the polarization is the controlled qubit. For ease of implementation, we assume directly the existence of a qubit as the program register as in Fig.
1, instead of implementing it through measuring one qubit in an entangled pair of qubits as in Scheme 1. The optical circuit is illustrated in Fig. 2.In the setup, a pair of photons is generated by typeI spontaneous parametric down conversion in a 3mmthick nonlinear betabarium borate (BBO) crystal pumped by a 100mW diode laser (centered at 404nm). The circuit first prepares a polarization state on one photon, while the other photon is used as the trigger. After passing through the larger PBS in the middle, the two branches go to separate paths, this means that the prior polarization state is actually used as a path state. In each of the two paths, the polarization state is known ( or ), and we let the photon pass through some combination of HWP and QWP to get some polarization state dependent on the path. This effectively implements the controlled gate in Fig. 1. Then the photon passes through the PBS again to enter the upper loop. This loop takes clue from the optical circuit in Fig. 2(b) of Liu16 . It consists of a PBS and some mirrors and HWPs (the HWP and HWP in Fig. 2), and serves as an effective 50:50 beam splitter. The effective beam splitter performs a Hadamard gate on the path states. This implements the gate in Fig. 1. After the photon comes out of this loop (including passing through HWP on one output path), it goes into one of the two output ports in the setup. The two path states at the end correspond to outcomes of the measurement on the lower qubit in Fig. 1. In each run of the experiment, we only measure one polarization state in one output port. The choice of the port corresponds to choosing one outcome of the Xbasis measurement on the ancilla qubit (in this notation, the gate on the ancilla is regarded as part of the measurement). Under a fixed choice of the port, the choice of the polarization state to be detected is done by the QWP and HWP placed just before the detector.
Some separate testing shows that the interference visibility of the green (upper) loop and the grey (lower) loop are about 0.9983 and 0.9973, respectively.
For each combination of the input state of the controlling qubit, and the gate to be performed, we do five repeated periods of measurements. The duration of each measurement period is 20 seconds. We measure four polarization states in the selected output port, and reconstruct the density matrix using a program based on the maximum likelihood estimation method in
JKM01 . For various input states of the controlling and the controlled qubits, and the chosen outcome for the measurement on the controlling qubit, we calculate the fidelity of the experimentally found density matrix with the ideal one. The fidelity between two pure states and is defined as . The fidelities for some parameterized sets of input states are listed in the figures below. Figure 3 shows fidelities between the theoretical and experimental output onequbit states for the case of controlled gate acting on input state where is a real parameter, and subsequently measuring the controlling qubit with the outcome corresponding to . The average fidelities for other input state combinations are also mostly above 0.99.The other figures illustrate the correctness of the results from another perspective. The left figure in Fig. 4 shows the theoretical curve and experimental result for the squared overlap between the output state of the target qubit and the reference state , for the case that the controlled gate acts on input state , with measurement outcome of the controlling qubit corresponding to (same below). The squared overlap of two pure states has the same definition as the fidelity, and we use this notion to emphasize that it is not intended to be near . The here is not limited to states located on a circle on the Bloch sphere: the states used here include some states of the form , and some states of the form , and another generic pure qubit state. The right figure in Fig. 4 is for the same input states, and the reference output state is changed to . The left figure in Fig. 5 shows the theoretical curve and experimental result for the squared overlap between the output state of the target qubit and the reference state (same as that in Fig. 4), for the case that the controlled gate acts on input state , where is not limited to states located on a circle on the Bloch sphere. The right figure in Fig. 5 are for the same input states, but with the reference output state changed to (same as that in Fig. 4).
Iv Discussion
Under the first class of protocols for evaluating classical linear polynomials, the extreme case of completely insecure data gives rise to an overall scheme similar to blind quantum computing (BQC) scheme, but with the output on a different party. In blind quantum computing, the client (usually called Alice, but to compare to our scheme, let us assume the client is Bob and the server is Alice) has both the data and the program but has limited quantum capabilities. The client delegates (a part of) the secret program to the server to let the program run on the client’s private data (or a blank state), and the result is returned to the client in the end. Our scheme in the case of completely insecure data gives rise to a scheme for BQC if the final steps are modified so that Bob has the computation result instead of Alice. The revision required is that Alice teleports her output state to Bob before the final Pauli corrections, and Bob does not send her the information for the final Pauli corrections. The blindness is from that each program state is in a completely mixed qubit for the server. Such BQC scheme saves the number of rounds of communication compared to the scheme in bfk09 and some other existing schemes. On the other hand, without such modification, the scheme has the output on Alice’s side, and a practical application is as follows: Bob serves as a data collecting party who effectively sends some data to Alice through the choices of the program states, and Alice does the main quantum computation, with the output known to herself. In such case, we no longer have the usual problem in BQC that the quantum computation needs to be verified, since Alice wants to get the result.
We remark on the use of program registers sent by the client Bob, and the associated necessity for Alice to encrypt her data locally (via the quantum onetimepad in our scheme). In many BQC schemes, some qubit in mixed state (in the view of the server) is sent by the client to be used as a local program register on the server. Things are different in (interactive) QHE, in which the data and the program are initially on opposite parties. In schemes of (interactive) QHE, the use of a program register with Bob knowing its content is likely a weak point in security, since it is modelled by a mixed state, and we may think of two ways of purifying it, each has its own problem: (i) if a purifying third party is introduced, it may be an active party who may collude with some party or cheat; (ii) if instead a mixed state resource on the two parties (Alice and Bob) is used, there is no guarantee that Bob would not replace his part so that they share a pure entangled state with the same function in the protocol, and if Alice’s data qubits are not properly encrypted, it is likely that Bob may measure his part of the entangled state at some stage of the protocol in some suitable basis, and together with the information about measurement outcomes sent by Alice, he may get some information about Alice’s data. This issue does not cause a security problem in BQC, since in BQC the initial data is on the party who has the program. Our Scheme 1 avoids the problem above by the trick of letting Alice encrypt the data locally first.
The Scheme 1 contains a procedure of evaluating a classical linear polynomial of the form (5). For such procedure, we have introduced a simple classical protocol with some privacy tradeoff as an example protocol. Such procedure could be replaced with any classical additive homomorphic encryption scheme encrypting bits, analogous to the situation in bj15 . One can use the relatively simple schemes in GM82 ; Paillier99 which are not postquantum schemes; some postquantum scheme may be used if the security against quantum computers is of concern.
V Conclusions
We have constructed a framework for (interactive) QHE scheme for general circuits, based on the universal circuit approach. A feature of the framework is the compatibility with blind quantum computation. We discussed two classes of example protocols for the subprocedure for evaluating a linear polynomial, and such subprocedure is replaceable by other protocols. With the first class of example protocols, which are fully classical, there is a tradeoff in the privacy of the data and the privacy of the circuit in the overall scheme, and the tradeoff is particularly good when the input is classical or a product real state. With the second class of example protocols which require repeated quantum operations on constant number of qubits, the overall scheme has asymptotic data privacy and asymptotic circuit privacy (the latter for large circuits only) under some weak assumptions about the two parties. We have demonstrated some key steps of the framework part of the scheme in a quantum optics experiment.
Apart from the implementation of the subprocedure, the framework has low requirement on Bob’s quantum capabilities: he need only be able to prepare and send singlequbit states, or be able to make singlequbit measurements in one of two bases. We have mentioned in Sec. II that the framework may be made noninteractive by using the socalled gardenhose gadgets. Note that in a computationallysecure leveled QFHE scheme Mahadev17 , an almost classical client is also used, but the client provides the data rather than the circuit. As an alternative to the first type of protocols mentioned above, it is possible to use classical additive homomorphic encryption methods in evaluating the linear polynomials.
Acknowledgments
This work was supported in part by the NKRDP of China (No. 2016YFA0301802), the National Natural Science Foundation of China (No. 11974096, No. U1705264, No. 11774076, No. 11775065, No. 61472114, No. 61972124, and No. 61672030), the Zhejiang Provincial Natural Science Foundation of China (No. LY17A050003, No. LY19F020019), the Research Foundation of Guangxi Key Laboratory of Cryptography and Information Security (No. GCIS201725), the Scientific Research Fund of Zhejiang Provincial Education Department (No. Y201737289, No. Y201737292), and the startup grant of Hangzhou Normal University.
References
 [1] Anne Broadbent, Joseph Fitzsimons, and Elham Kashefi. Universal blind quantum computation. Proceedings of the 50th Annual IEEE Symposium on Foundations of Computer Science (FOCS 2009), pages 517–526, 2009.
 [2] Dorit Aharonov, Michael BenOr, and Elad Eban. Interactive proofs for quantum computations. In Proceeding of the First Symposium on Innovations in Computer Science, pages 453–469, 2010.
 [3] Takahiro Sueki, Takeshi Koshiba, and Tomoyuki Morimae. Ancilladriven universal blind quantum computation. Phys. Rev. A, 87:060301(R), Jun 2013.
 [4] Stefanie Barz, Elham Kashefi, Anne Broadbent, Joseph F. Fitzsimons, Anton Zeilinger, and Philip Walther. Demonstration of blind quantum computing. Science, 335(6066):303–308, 2012.
 [5] Andrew Childs. Secure assisted quantum computation. Quantum Information and Computation, 5(6):456, 2005.
 [6] K. Fisher, A. Broadbent, L.K. Shalm, Z. Yan, J. Lavoie, R. Prevedel, T. Jennewein, and K.J. Resch. Quantum computing on encrypted data. Nat. Commun., 5:3074, 2014.

[7]
Craig Gentry.
Fully homomorphic encryption using ideal lattices.
In
Proceedings of the Fortyfirst Annual ACM Symposium on Theory of Computing
, STOC ’09, pages 169–178, New York, NY, USA, 2009. ACM.  [8] Marten van Dijk, Craig Gentry, Shai Halevi, and Vinod Vaikuntanathan. Fully homomorphic encryption over the integers. In Advances in Cryptology—EUROCRYPT 2010, Lecture Notes in Computer Science, 6110:24–43, 2010.
 [9] N. P. Smart and F. Vercauteren. Fully homomorphic encryption with relatively small key and ciphertext sizes. In Phong Q. Nguyen and David Pointcheval, editors, Public Key Cryptography – PKC 2010, pages 420–443, Berlin, Heidelberg, 2010. Springer Berlin Heidelberg.
 [10] Z. Brakerski and V. Vaikuntanathan. Efficient fully homomorphic encryption from (standard) LWE. In 2011 IEEE 52nd Annual Symposium on Foundations of Computer Science, pages 97–106, Oct 2011.
 [11] Peter P. Rohde, Joseph F. Fitzsimons, and Alexei Gilchrist. Quantum walks with encrypted data. Phys. Rev. Lett., 109:150501, 2012.
 [12] Min Liang. Symmetric quantum fully homomorphic encryption with perfect security. Quantum Inf. Process., 12:3675–3687, 2013.
 [13] S.H. Tan, J. A. Kettlewell, Y. Ouyang, L. Chen, and J. F. Fitzsimons. A quantum approach to homomorphic encryption. Sci. Rep., 6:33467, 2016.
 [14] Y. Ouyang, S.H. Tan, and J. Fitzsimons. Quantum homomorphic encryption from quantum codes. Phys. Rev. A, 98:042334, 2018.
 [15] Anne Broadbent and Stacey Jeffery. Quantum homomorphic encryption for circuits of low Tgate complexity. In Proceedings of Advances in Cryptology — CRYPTO 2015, pages 609–629, 2015.
 [16] Yfke Dulek, Christian Schaffner, and Florian Speelman. Quantum homomorphic encryption for polynomialsized circuits. CRYPTO 2016: Advances in Cryptology  CRYPTO 2016, pages 3–32, 2016.
 [17] M. Newman and Y. Shi. Limitations on Transversal Computation through Quantum Homomorphic Encryption. Quantum Information and Computation, 18:927–948, 2018.
 [18] C.Y. Lai and K.M. Chung. On StatisticallySecure Quantum Homomorphic Encryption. Quantum Information and Computation, 18:785–794, 2018.
 [19] Gorjan Alagic, Yfke Dulek, Christian Schaffner, and Florian Speelman. Quantum fully homomorphic encryption with verification. In Tsuyoshi Takagi and Thomas Peyrin, editors, Advances in Cryptology – ASIACRYPT 2017, pages 438–467, Cham, 2017. Springer International Publishing.
 [20] U. Mahadev. Classical homomorphic encryption for quantum circuits. In 2018 IEEE 59th Annual Symposium on Foundations of Computer Science (FOCS), pages 332–338, Oct 2018.
 [21] SiHui Tan, Yingkai Ouyang, and Peter P. Rohde. Practical somewhatsecure quantum somewhathomomorphic encryption with coherent states. Phys. Rev. A, 97:042308, Apr 2018.
 [22] Yingkai Ouyang, SiHui Tan, Liming Zhao, and Joseph F. Fitzsimons. Computing on quantum shared secrets. Phys. Rev. A, 96:052333, Nov 2017.
 [23] Li Yu, Carlos A. PérezDelgado, and Joseph F. Fitzsimons. Limitations on informationtheoreticallysecure quantum homomorphic encryption. Phys. Rev. A, 90:050303(R), Nov 2014.
 [24] M. Newman. Further Limitations on InformationTheoretically Secure Quantum Homomorphic Encryption. http://arxiv.org/abs/1809.08719, September 2018.
 [25] HoiKwong Lo. Insecurity of quantum secure computations. Phys. Rev. A, 56:1154–1162, Aug 1997.
 [26] Harry Buhrman, Matthias Christandl, and Christian Schaffner. Complete insecurity of quantum protocols for classical twoparty computation. Phys. Rev. Lett., 109:160501, Oct 2012.
 [27] Roger Colbeck. Impossibility of secure twoparty classical computation. Phys. Rev. A, 76:062308, Dec 2007.
 [28] Li Yu. Quantum preprocessing for informationtheoretic security in twoparty computation. http://arxiv.org/abs/1908.05584, Aug 2019.
 [29] Jonas Zeuner, Ioannis Pitsios, SiHui Tan, Aditya N. Sharma, Joseph F. Fitzsimons, Roberto Osellame, and Philip Walther. Experimental Quantum Homomorphic Encryption. http://arxiv.org/abs/1803.10246, Mar 2018.
 [30] W. K. Tham, Hugo Ferretti, Kent BonsmaFisher, Aharon Brodutch, Barry C. Sanders, Aephraim M. Steinberg, and Stacey Jeffery. Experimental Demonstration of Quantum Fully Homomorphic Encryption with Application in a TwoParty Secure Protocol. http://arxiv.org/abs/1811.02149, Nov 2018.
 [31] BiHeng Liu, XiaoMin Hu, JiangShan Chen, YunFeng Huang, YongJian Han, ChuanFeng Li, GuangCan Guo, and Adán Cabello. Nonlocality from local contextuality. Phys. Rev. Lett., 117:220402, Nov 2016.
 [32] Daniel F. V. James, Paul G. Kwiat, William J. Munro, and Andrew G. White. Measurement of qubits. Phys. Rev. A, 64:052312, Oct 2001.
 [33] Shafi Goldwasser and Silvio Micali. Probabilistic Encryption & How to Play Mental Poker Keeping Secret All Partial Information. In Proceedings of the Fourteenth Annual ACM Symposium on Theory of Computing, STOC ’82, pages 365–377, New York, NY, USA, 1982. ACM.
 [34] Pascal Paillier. Publickey cryptosystems based on composite degree residuosity classes. In Jacques Stern, editor, Advances in Cryptology — EUROCRYPT ’99, pages 223–238, Berlin, Heidelberg, 1999. Springer Berlin Heidelberg.