I Introduction
As quantum computers are difficult to build, a practical way for doing quantum computation is using the clientserver model. The quantum computer is placed at the server, and the clients may have limited quantum capabilities. The client and the server may want to hide some information about their program or data from each other. This is part of the reason why security in bipartite quantum computing is of interest. Bipartite quantum computation may also be related to or directly implement some classical or quantum cryptographic tasks. Two problems in bipartite quantum computing have attracted a lot of attention. One of them is blind quantum computing, and the other is quantum homomorphic encryption, the main topic of this paper.
In classical cryptography, homomorphic encryption (HE) is an encryption scheme that allows computation to be performed (effectively on the plaintext after decryption) while having access only to the ciphertext. A fully homomorphic encryption (FHE) scheme allows for any computation to be performed in such fashion. The known schemes Gentry09 ; brakerski2011efficient are based on computational assumptions. Quantum (fully) homomorphic encryption (QHE and QFHE respectively) allows (universal) quantum computation to be performed without accessing the unencrypted data. Schemes for quantum homomorphic encryption rfg12 ; Fisher13 ; Tan16 ; Ouyang18 ; bj15 ; Dulek16 ; Lai17 ; Mahadev17 ; TOR18 allow two stages of communication, with some initial shared entangled state. The requirements are that the final computation result is correct, and the data and the final computation result are known only to the dataprovider, who learns little about the circuit performed beyond what can be deduced from the result of the computation itself. There is no limit to the quantum capabilities of any party. We regard interactive QHE schemes as those schemes with similar security characteristics as the usual QHE schemes, but allows many rounds of communication. We allow any party to abort during the interactive protocol.
It is known that informationtheoreticallysecure (ITS) QHE for circuits of unrestricted size necessarily incurs exponential overhead NS17 ; Lai17 ; Newman18 . For the special case of unrestricted quantum input states and perfect data privacy, a stronger lower bound is stated in ypf14 . Some computationallysecure QHE schemes for polynomialsized quantum circuits have been constructed bj15 ; Dulek16 ; Mahadev17 .
In this paper, we firstly introduce a QHE scheme for a restricted type of circuits (Scheme 1). It keeps the real product input state perfectly secure, and the circuit privacy is optimal up to a constant factor. We then propose a QHE scheme for a larger class of polynomialdepth quantum circuits, which has partial data privacy and nearoptimal circuit privacy. The entanglement and classical communication costs in both schemes scale linearly with the product of input size and circuit depth.
We then introduce a partiallysecure interactive QHE scheme for polynomialsized circuits, which is Scheme 4 in Sec. V. It is independent from the two schemes above. It uses a subprocedure (Scheme 3) for computing classical linear polynomials. The Scheme 4 has asymptotic data privacy, but the circuit privacy is not good. We then propose an enhanced version with embedded verifications, in which Bob, who provides the circuit, may choose to abort if the messages returned from Alice during the protocol do not pass his verifications. Such enhanced scheme has both quite satisfactory data privacy and circuit privacy: it leaks a constant amount of information about the data, where the constant is determined by the security requirements; and the circuit privacy is quite good since the cheating by Alice is likely to be caught.
In Sec. VI, we propose a variant of Scheme 3, denoted as Scheme 6, which achieves some nontrivial level of data privacy and circuit privacy. The degree of data privacy does not satisfy the INDCPA criterion, but for some range of parameters, it is good when the input is a priori
uniformly random in the other party’s view. There are also other variants which interpolates between Scheme
3 and Scheme 6. In Sec. VII, we propose Scheme 7 for computing classical linear polynomials. It is based on the idea of information locking by quantum techniques, but also contains some idea from Scheme 6. It generally achieves better security than Scheme 6. In Sec. VIII, we present methods for combined use of the schemes for evaluating classical linear polynomials, and mention some application to interactive QHE with limited circuit depth. In Sec. IX, we present some interactive protocols that make use of the previously proposed schemes for evaluating general classical functions with some nontrivial level of security.The rest of the paper is organized as follows. In Sec. II we review some literature results. In Sec. III we will introduce some preliminary knowledge. Secs. IV presents the two QHE schemes which are secure for some types of data and some types of circuits. Sec. V contains an interactive QHE scheme and its enhanced version. The Secs. VI and VII contain variants of Scheme 3. Sec. VIII contains methods for combined use of the schemes for evaluating classical linear polynomials. Sec. IX contains some methods for evaluating general classical functions with some nontrivial level of security. Sec. X contains the conclusion and some open problems.
Ii Review of past results
In the following we put our work in the context of literature results on quantum homomorphic encryption and related problems.
Blind quantum computing (BQC) is a task in which Alice knows both the data and program but can only do limited quantum operations, and the main part of the computation is to be carried out by Bob, who learns neither the data nor much about the program. The output is to be known to Alice but not Bob (this is different from QHE, in which the party with the program does not know the output). Broadbent, Fitzsimons and Kashefi presented a BQC scheme bfk09 using the measurementbased quantum computing model. An experimental demonstration is in Barz12 . There are other BQC schemes based on the circuit model ABE10 , or the ancilladriven model skm13 . The possibility of Alice being a classical client (allowing partial leakage of the client’s information) is discussed in Mantri17 .
In Yu et al ypf14 , it is shown that the condition of perfect data privacy implies an information localization phenomenon, and this puts restrictions on the possible forms of QHE schemes and their complexity. The Theorem 1 and Corollary 1 of ypf14 are for the case that input states are unrestricted. For restricted input states such as real product states, the Scheme 1 in the current work and the scheme in Lai17 provide examples for which the above statements do not apply.
Newman and Shi NS17 (see also Newman18 ), concurrently with Lai and Chung Lai17
, showed that ITSQFHE schemes require communication cost (including entanglement cost) that is at least exponential in the number of input qubits, where “ITS” allows a negligible amount of data leakage. This is based on the work of Nayak
Nayak99 .On computing twoparty classical functions with quantum circuits, Lo Lo97 studied the data privacy in the case that the output is on one party only, and both parties know the function. The security of twoparty quantum computation for fixed classical function with both parties knowing the outcome has been studied by Buhrman et al bcs12 .
There is a line of work on partiallyITS QHE, which are sometimes limited to certain types of circuits. In the scheme of Rohde et al rfg12 , only a logarithmic amount of information about the data is hidden, and the type of circuit is limited to Boson sampling. Tan et al Tan16 ; TOR18 presented QHE schemes that allow some types of quantum circuits and hides only partial information (but more than that in rfg12 ) about the data. Ouyang et al Ouyang18 presented a scheme that hides almost all information about the data, but can only perform Clifford gates and a constant number of nonClifford gates. In the scheme in Ouyang18 , the party with initial data could cheat by replacing the mixed qubits by pure qubits in some particular input state to gain partial knowledge about the Clifford gates applied, without affecting the correctness of the evaluation. The degree of circuit privacy is related to the size of the code, thus it is in a tradeoff with data privacy.
The following results are based on the existence of computationallysecure classical homomorphic encryption schemes. Broadbent and Jeffery bj15 presented two computationallysecure QFHE schemes that are relatively efficient for polynomialsized quantum circuits with limited use of gates (and arbitrary use of Clifford gates). A compact QFHE scheme was proposed by Dulek, Schaffner and Speelman Dulek16 . Its complexity of decryption (but not the overall computation and communication costs) could be independent of the size of the circuit to be evaluated, by choosing the classical HE scheme in it appropriately. Mahadev Mahadev17 presented a quantum leveled fully homomorphic encryption scheme using classical homomorphic encryption schemes with certain properties. The client holding the initial data in the scheme is almost classical except for the sending and receiving of quantum states at the beginning and at the end. Alagic et al devised a computationallysecure QFHE scheme with verification ADSS17 , where the client is similarly almost classical (and completely classical in the case of classical input and output).
Verification of quantum computations is an interesting problem on its own, but the study of this problem has been closely related to that of blind quantum computing. The fact that it is related to QHE has been hinted in Mahadev17 ; Mahadev18v ; ADSS17 . Usually, the verification problem involves a quantum prover and a quantum verifier, and the prover tries to convince the verifier that a quantum computation has been done as planned. Most studies assume the verifier to have some quantum capabilities FK17 ; ABE10 ; ABOEM17 ; Broadbent18 ; FHM18 . There are also significant progress in using a classical or almost classical verifier ADSS17 ; DOF18 ; Mahadev18v ; FHM18 . The protocols in FHM18 show that verification can be done after the computation is done, while not necessarily achieving blindness of the computation.
Some schemes for delegated quantum computation have been proposed Ch05 ; Fisher13 ; MJS16 . In their original form, they usually have good data privacy but are not necessarily strong in circuit privacy. The Supplementary Note 1 of Fisher13 contains a method based on socalled “universal circuits” to achieve blind quantum computing (hiding the information about the circuit which is initially on the same party as the data) but this does not make it useful for the QHE problem, since the input data and the program are on opposite parties in QHE, unlike in BQC. It is pointed out in bfk09 (with details in Fitz17 ) that the protocol in Ch05 can be modified to become a blind quantum computing protocol having circuit privacy. This method is also not useful for QHE.
Some lower bounds on the length of classical encryption key in an ITS QHE scheme can be found in Lai19 .
Iii Preliminaries
First, we give a definition for quantum homomorphic encryption. Note the Encryption algorithm below absorbs both the key generation algorithm and the encryption algorithm in bj15 . The measurements are explicitly allowed.
Definition 1.
A quantum homomorphic encryption scheme (QHE) contains the following three algorithms, where is the security parameter, and refers to a quantum circuit which may contain measurements and quantum gates controlled by classical functions of measurement outcomes, is an initial entangled resource state shared by Alice and Bob, and is the input data state of Alice.

Encryption algorithm . The algorithm outputs some quantum state called the ciphertext. The reduced state of on Alice’s and Bob’s systems are denoted and , respectively.

Evaluation algorithm that does a computation on without decryption.

Decryption algorithm , where .
A scheme is correct if for any input state with associated ciphertext , and any circuit chosen from a set of permitted quantum circuits , (up to a possible global phase). A scheme with perfect data privacy is one such that Bob cannot learn anything about the input , except the size of the input, from . The requirement of circuit privacy refers to that Alice does not learn anything about the circuit performed beyond what can be deduced from the result of the computation itself. In actual protocols we seem only able to approach this goal. A quantum fully homomorphic encryption (QFHE) scheme is one that is homomorphic for all circuits, i.e. the set is the set of all unitary quantum circuits. For approximate data privacy in QHE, there is a qINDCPA criterion bj15 which is related to the indistinguishability of encoded states. We regard interactive QHE schemes as those have similar security characteristics as the usual QHE schemes, but allow many rounds of communication. Naturally, any one party may choose to abort during the interactive protocol (but we exclude that in the scheme in Sec VI). In Sec. VI, we encounter a new criterion for data privacy in (interactive) QHE schemes in terms of mutual information for uniformly random inputs.
Here is a brief note about data privacy. It is well known [see for example Theorem 1(ii) of ygc10 ] that if a unitary is exactly and deterministically implemented on all possible pure input states, no information about the input is leaked to the environment (which can be understood as the opposite party in our setting). Hence, data privacy is sort of trivial in some cases, but becomes an interesting problem when data privacy is more important than the correctness of computation, or when the computations are not restricted to unitaries, or when the type of input states is restricted (say real product inputs only). The QHE Schemes 3 and 4 in this paper satisfy that the correctness of evaluation in general implies both data privacy and circuit privacy, and since arbitrary measurements can be done at the end, the computations here are not limited to unitaries. (The expression “in general” means excluding some classes of computations in which the output contains all information about the circuit, e.g. the special case in Scheme 3 where the polynomial has only one term.) As far as we know, this phenomenon of “correctness implies privacy” is not previously known for nonunitary computations, and is thus a strong point of our schemes.
Denote the Pauli operators by , , , . The set of Clifford gates is defined as the set of unitaries satisfying , where and
are tensor products of Pauli operators. The
qubit Clifford gates form a group called Clifford group. Since we ignore the global phase here, the size of the qubit Clifford group is of an expression given in CRSS98 . In particular, the onequbit Clifford group has elements. Let the rotations of angle about the three axes of the Bloch sphere be , , and . Let , , and . Any onequbit Clifford gate (ignoring global phase, same below) can be decomposed using products of (proportional to ) and (proportional to ) in different sequences. The qubit Clifford gates can be decomposed into products of onequbit Clifford gates and the (controlled) gate. The Clifford gates and the gate together form a universal set of gates for quantum computing. For more about universal sets of gates, see Shi03 . In this paper, the term “EPR pair” refers to two qubits in the state . Let denote , and denote .We shall adopt the rebit quantum computation formalism in Rudolph02 in our schemes. (See MMG09 for more about simulating the usual quantum circuit or Hamiltonian within the rebit formalism.) States of complex amplitudes can be represented by states of real amplitudes with only one extra qubit. Let there be an ancillary qubit with an orthonormal basis . The following nonunitary encoding is used in Rudolph02 :
(1) 
where are real numbers. When there are qubits in the initial input, only one ancillary qubit is needed. This ancillary qubit will be called the “phase qubit” in this paper. For Scheme 1 in this paper, we only need to deal with real input states, and in this case the initial encoding is trivial.
Next, we introduce how to apply gates on such representation. A unitary rotation in the basis of an original qubit is mapped to a controlled on the real (i.e. original) qubit and the phase qubit, with the real qubit as the control. A unitary rotation in the basis of an original qubit is still the same gate on the original qubit, and no action is needed on the phase qubit. An entangling twoqubit gate [which is controlled] is implemented by the same gate on the original qubits, and no action is needed on the phase qubit. These gates are all real (meaning that their matrix elements are real), and they can generate all possible unitary operations on any number of qubits, hence quantum computation in this particular representation can be done using only real gates. Let us denote three gates (on the logical qubit) , and as forming the gate set . These three gates can generate the Clifford group on any number of logical qubits, and each of them can be implemented using real gates in the rebit formalism.
In the following paragraphs, we show how an unknown logical onequbit Clifford gate can be implemented up to a phase by just performing the onequbit gates in and the uncertain gates in the set . We shall call the latter gate the uncertain gate. The uncertain gate on Alice’s side is generated using the gadget shown in Fig. 1 which initially contains an EPR pair shared by Alice and Bob. Alice performs a controlled gate with her part of the EPR pair as the control and the data qubit (assumed to be real) as the target. Then she performs a gate on her qubit in the EPR pair and measures it in the basis (with basis states being or ). Bob performs a gate and does a measurement in the basis, where . The choice of determines the gate applied on Alice’s qubit up to a correction and a phase. Such correction can be commuted through the Clifford gates performed later with some Pauli operators as corrections.
Inspired by an gate gadget construction in Broadbent18 , we give a construction using and for some integers to implement one of the four gates , where . We have
(2)  
(3) 
where are real constants, and . Noticing that , the uncertain gate can be implemented using the uncertain gate and the gate which is in . Since and generate the singlequbit Clifford group, the two types of uncertain gates generate the same group.
We also notice that a gate can be implemented using the same gadget. Alice’s action is still the same as before. Bob does some gate with or before doing a basis measurement. The choice of depends on Alice and Bob’s previous measurement results. All previous gadgets and fixed gates give rise to some Pauli operators known to Bob (which are to be corrected by Alice later), and these Pauli operators cause some Pauli operator on Bob’s qubit in the gadget, which is corrected by Bob’s choice of gate before measurement in the gadget. Generally, Bob may implement a gate for any real , by suitably choosing his gate before measurement in the gadget. We omit the details here, since this is a special case of the more general multiqubit diagonal gate in Scheme 1 below.
Iv Two schemes based on rebits
(1) About Scheme 1. The Scheme 1 is for a restricted type of circuits with restricted types of input states. The scheme uses the rebit quantum computation techniques in Rudolph02 . In the following, we denote the number of input data qubits as .
The input state for Scheme 1 can be a product real state, but it can also be slightly more general: a product state of onequbit real states on qubits with a logical qubit state encoded in the rebit form (1), where the physical qubit for that exceptional logical qubit is the first data qubit. The output of Scheme 1 is of the form of (1). If the required output of Scheme 1
is classical, we only need to measure the qubits except the phase qubit to get the outcome. There might be other applications in which there are both real and imaginary parts in the output state, and the wanted part is real. Then we may still have some probability of success: do a measurement of the phase qubit in the
basis, and if the outcome corresponds to , we then measure the remaining qubits to get the result. If an output state with complex amplitudes is required, we may measure the phase qubit in the basis, and if the result is the first one, we know the output state is correct.The Scheme 1 allows continuous families of multiqubit gates to be performed using relatively few gadgets. Bob is required to be able to perform more general operations than singlequbit measurements. The ability to perform twoqubit gates and singlequbit measurements is enough, but for better efficiency, he should do gates on more than two qubits.
Each layer of the circuit in the scheme implements some diagonal unitary. Note that diagonal unitaries on multiple qubits are not necessarily real, and the scheme is limited to implementing those real diagonal unitaries. This is to guarantee the satisfaction of the requirement in rebit computation that the physical states are real. A class of examples of a threequbit real diagonal gate is , where is real.
The implementation of a diagonal unitary uses the groupbased protocol of remote implementation of unitary operators in LW13 . Such protocol is derived from the protocol for implementation of doublegroup unitaries on two parties ygc10 . The doublegroup unitary protocol is a bipartite version of a groupbased local quantum computing scheme KR03 , with additional analysis in the case of projective representations. In the current work, we only deal with the simple case of ordinary representation of a group, and the group is Abelian: it is the fold direct product of the group (the group with two elements), denoted as . In Scheme 1, is the number of qubits involved in the logical diagonal unitary. The paper LW13 contains the detailed steps for the remote unitary protocol for the case of ordinary representation of a group. In Scheme 1, all qubits are on Alice’s side. The unitary operators used in the current case are , where , and the subscript means the gate acts on qubit . The target unitary (on data qubits) is diagonal in the axis, so it can be expanded using such a set of unitary operators:
(4) 
where is a group element in , and can be represented using a binary string of length , consisting of the bits : . The unitary is of the form . The coefficients
appear in the unitary matrix
in the remote unitary scheme. From the equation (45) in ygc10 , the matrix is defined using (ignoring phases since we are dealing with ordinary representations here)(5) 
where and are group elements, and their product is the group multiplication. When each element is represented using a binary string of length
as mentioned above, the group multiplication is just the addition modulo 2 on each position of the vector. The corrections are
. In the current case, it amounts to or [equivalent to up to a global phase] on each qubit. It is shown in KR03 that when is unitary and that the is an ordinary representation, it is guaranteed that there exists at least one matrix that is unitary. Further, if the is a linearly independent set (which is true for the current case), then is unique. These statements are extended in ygc10 to the case of projective representations.Some note about a particular step in the scheme: Bob’s or gates on his qubit in each gadget are the product of two gates: one of them is or , which is a correction according to Alice’s measurement outcome, and the other is a fixed gate to correct for the phase in the controlled gate in the gadget. Bob’s such gates can also be absorbed into his unitary .
The entanglement and classical communication costs in Scheme 1 scale linearly with the product of the input size and the circuit depth. For data privacy in Scheme 1, we have the following theorem, with the proof in Appendix A.
Theorem 1.
When Scheme 1 is used for almostcommuting circuits with input state of the type specified in the scheme, the input data is perfectly secure.
A statement about the circuit privacy in Scheme 1 is in Theorem 4 below. The circuit privacy is already optimal up to a constant factor, since Alice can always learn bits of information about the circuit by looking at her output.
We note that there is a simplification of the scheme, using a method from Lai17 : for the last data qubits, Alice could choose to apply possible masks on them and send them to Bob before the protocol starts. In this way, the ancillary qubits for those data qubits can be saved. At the end of the protocol, Bob sends these qubits back, and Alice can recover this part of the output by undoing the masks. An alternative way of simplification is by combining some gate gadgets so that each of the last data qubits uses one gate gadget only.
(2) About Scheme 2. Based on Scheme 1, we propose the following Scheme 2 which works for a large class of polynomialdepth circuits. Its data privacy is only partial. Its circuit privacy is similar to that in Scheme 1.
The entanglement and classical communication costs in the two schemes scale linearly with the product of the input size and the circuit depth. The circuit in Scheme 2 only consists of products of real diagonal unitaries performed by Bob and some fixed type of unitaries performed by Alice. Numerical evidence suggests that whenever (where is the number of data qubits), the type of the allowed circuits at the logical level is not arbitrary. This is confirmed by Theorem 3 below. But the scheme at least allows a large class of unitary circuits. The data privacy in Scheme 2 is partial. From the proof of Theorem 1, it can be found that the two input states of all and all on the data qubits (with the phase qubit in the same initial state ) cannot be distinguished by Bob. More generally, we have the following theorem, with the proof in Appendix A.
Theorem 2.
(i) Suppose two input states in Scheme 2 satisfy that each is a product state across the bipartition between the data qubits and the phase qubit, and they are related to each other by a on each data qubit and a on the phase qubit, where is any real number, then Bob cannot distinguish these two input states at all.
(ii) In Scheme 2, if
is odd, the following logical qubit is perfectly secure: it is composed by encoding
and into and , respectively, on the data qubits, and the phase qubit is that in Scheme 2. The first qubits of the two encoded states could also be any computationalbasis state and acting on such state.It is interesting to note that Theorem 2(ii) does not hold for the case of even , even if we replace the “logical qubit” with “logical rebit”. For example, when , the two input states and (where the last is the input state of the phase qubit) can be distinguished perfectly by Bob with a constantdepth circuit. This is because on an even number of qubits is not equal to the logical under the encoding in Theorem 2(ii). On the other hand, the two input states and which are not always orthogonal to each other ( is real), cannot be distinguished by Bob at all, according to Theorem 2(i). The considerations about data privacy leads to the following restrictions on the type of allowed circuits at the logic level.
Theorem 3.
In Scheme 2, if , the type of allowed circuits (at the logic level) does not include all circuits on qubits.
Proof.
First, we prove for the case of even . Consider the logical rebit defined by encoding and into and , respectively. In the following we show that the logical Hadamard gate on such logical rebit cannot be implemented. Let the two input states in Scheme 2 be and (where the last qubit is the phase qubit), respectively, then after the logic Hadamard gate, the states on the data qubits become and , respectively (up to unimportant global phases, which may appear as a change of state on the phase qubit). These two states are at least partially distinguishable by Bob with a constant depth circuit, according to explicit calculations in the case (note that these two input states are related to each other by a gate on only one qubit; the calculation is by finding an offdiagonal element in Bob’s reduced density matrix that depends on the choice of input state), which is easily generalizable to any even . This implies that the two original input states are at least partially distinguishable by Bob, which violates Theorem 2(i). Therefore, the logic Hadamard gate on such logical rebit cannot be implemented deterministically.
Next, we prove for the case of odd where . The input states and can be at least partially distinguished, according to explicit calculations. (Note that these two input states are related to each other by an gate on the last data qubit.) This implies that the unitary that maps to while keeping unchanged cannot be implemented deterministically, since otherwise the two states and are at least partially distinguishable by Bob, which violates Theorem 2(i). This completes the proof.
For general complex input states encoded in rebit form, there is some evidence that partial data privacy exists in general. Specifically, there is numerical evidence that if classical information is encoded in some random (nonPauli and nonreal) product bases, and then encoded into the rebit form, Bob cannot generally distinguish the input states deterministically with a depth circuit (depth means there are two gadgets on each qubit line). Note that if the product bases above are chosen to be real, then Bob may deterministically distinguish between some pairs of input states with a depth circuit, according to the argument in the proof of Theorem 1.
For circuit privacy in the two schemes above, we have the following theorem. (The input size is .)
Theorem 4.
Proof.
In (DHL04, , Theorem 1), consider the case that the initial maximum classical mutual information , which means two systems and satisfy that . After bits of classical communication in one direction, the maximum classical mutual information is at most bits. Consider adding a hypothetical program register in Scheme 1 or 2 on Bob’s side, and call it . After Alice has sent measurement outcomes to Bob in the scheme, the combined system of Alice’s system (denoted ) and is in a direct product (mixed) state. Then, after some local operations on Bob’s side between and Bob’s other systems, the systems and is still in a direct product (mixed) state. Then bits of classical message is sent by Bob to Alice. Applying (DHL04, , Theorem 1) to this case, we get that the final maximum classical mutual information is at most bits. This means Alice learns at most bits of information about the program register . Thus the assertions hold.
In Scheme 2, since Bob only sends classical bits, Alice can learn at most bits of information about the circuit. We think this amount is optimal for a sufficiently large class of circuits such as the one in Scheme 2), since Alice could always use superdense coding to learn about bits from the output of the computation.
V An interactive QHE scheme
Before describing the main interactive QHE scheme and its enhanced version, we first introduce the noninteractive Scheme 3. It is almost a subroutine in the main Scheme 4, except that it is altered a little when used in the main scheme.
(1) About Scheme 3. We propose the following Scheme 3 for computing linear polynomials with classical input. It is for computing , where are bit values of Alice’s classical input, and and are constant bits known to Bob. The Scheme 3 uses EPR pairs in the teleportations, where is a positive integer that both parties agree on. The Alice’s data in scheme are asymptotically secure for large , and Bob’s attempts to learn about the data would affect the correctness of evaluation. However, Bob’s input (the ) are not secure: Alice could initially entangle her input qubits with some auxiliary qubits, and carry out the scheme as if she had used the usual input states, to learn some information about Bob’s input , at the cost of not computing the distributed outcome correctly (this refers to the situation when Scheme 3 is used in Scheme 4 below, in which the sending of the last bit by Bob is omitted, thus the outcome of the altered Scheme 3 is distributed across two parties), although she can compute the correct outcome herself. Such property is exploited below to yield a protocol with verifications such that Alice’s cheating can be caught by Bob.
Note that it was previously thought that Bob should permute the two qubits in each pair with probability after step 3a, but such permutation is in fact redundant (in Alice’s view) because of the withholding of partial information in the teleportations in the following step. Thus, such step has been omitted.
The data in Scheme 3 is partially secure for any fixed . For any pair, it can be found that the average density operator (averaged over the possible values of and ) for the twoqubit state corresponding to each input bit are not orthogonal for the cases and . The trace distance of the two density operators is . If Bob chooses a best POVM measurement (which can be chosen to be a projective measurement: to measure the first qubit in each pair of qubits in the basis, and the second qubit in the pair in the basis), he has probability of guessing the value of correctly, and he has only probability of assuredly finding out the value of . And because of the effective independence among the with different (given that is a priori unknown to Bob), Bob’s has probability of assuredly finding out . Equivalently, the trace distance of the two density operators corresponding to or on the qubits is , which agrees with the result of numerical calculations. Thus, the probability of Bob correctly guessing is , which implies that he gets little information about when is large. Since measurements generally perturb the original state, it can be expected that the correctness of the computation cannot be guaranteed when these measurements are done, and in fact, in the current case, the requirement of exact correctness of the computation implies that Bob cannot get any information about the value of , and thus he cannot find out the . If approximate correctness is required, Bob still cannot get much information about the value of . Since the bits of the input, the , are independently encrypted (as opposed to the correlated encoding in Sec. VI), the data security automatically satisfies the INDCPA criterion (with classical input but quantum measurements, same below), thus the main Scheme 4 below, which contains the modified Scheme 3 as a subprocedure, satisfies the qINDCPA criterion in bj15 . At the end of Sec. VI below, we will mention a continuous class of variants of the current scheme, in which the data privacy is somewhat compromised (but still good for sufficiently random input), while the circuit privacy improves significantly.
For circuit privacy, we first discuss the case of Alice being honest, i.e. she exactly follows the protocol: in this case, Bob’s sending of functions of measurement outcomes in the teleportations do not reveal useful information. Thus Alice learns at most bit of information about the circuit, for the same reason as shown in the proof of Theorem 4.
In the following we discuss circuit privacy in the case of a cheating Alice. She could use some input state different from that specified in the scheme, or initially entangle her input qubits with some auxiliary qubits, and carry out the scheme as if she had used the usual input states, to learn some information about Bob’s input . Her best choice in the case of is to use the two qubit state for a particular pair. After Bob returns two qubits, she can find out Bob’s input with certainty. But if Alice cheats, she generally cannot get a definite distributed outcome (which is expected to exist as the XOR of two bits at the two parties) related to the particular . Although she may learn by cheating and compute by herself, such computation result is on Alice’s side only, while in the form of Scheme 3 used in Scheme 4 below, it is distributed as the XOR of two bits at opposite parties. If Bob asks Alice to send back her part of the (classical) result to combine with his corresponding mask bit (which is itself the XOR of two local bits), an error would sometimes occur. The technical reason that for those for which Alice cheated, she cannot definitely make the distributed outcome correct is because of the following: in the case of a conclusive measurement outcome of her POVM to distinguish Bob’s two programs, she cannot deterministically and correctly find out Bob’s values of the logical mask bit (the XOR of his two local mask bits) since that needs a measurement incompatible with that POVM she performed. (The previous statement is a somewhat nontrivial fact implied by that the two cases of zero or two masks for the pair may appear with probability each.) Thus Alice would have significant probability of error in learning the logical mask bit of Bob’s. Next, we discuss two different strategies of Alice’s.
One strategy a cheating Alice may adopt is to aim for perfect knowledge about . This can be achieved by using the type of input state mentioned in the last paragraph (or some other states), but then she would have significant probability of error in guessing the mask bit of Bob’s. Since such mask bits are used in Scheme 4 below for the gates, Alice’s lack of knowledge about such bits would cause the evaluation to be incorrect, unless she chooses to deviate from the scheme once she has cheated by learning perfectly about some : she calculates the intermediate result directly from the knowledge about , and cheats later to learn about Bob’s other coefficient(s), and calculates the new intermediate result, and continues to do this throughout the evaluation. Therefore, we may say that Alice’s cheating may either affect the correctness of the evaluation, or cause deviation from the original protocol, and in both cases such cheating would be caught by Bob in an interactive scheme (Scheme 5 below).
Another strategy for Alice is that she aims for partial knowledge about and partial knowledge of Bob’s mask bit. She could use joint input states and joint measurements across different
to increase her probability of success in learning both Bob’s input and the overall mask bit of Bob’s, which has been confirmed by numerical calculations. As a result of this type of attack, we estimate that Alice would have significant probability of guessing correctly both the output bit and Bob’s overall logical mask bit for a particular variable
. Since a variable will appear for many times in the Scheme 4 below, with suitable choices of the (see below), the probability of Alice guessing correctly both the contribution to the output from the variable , and the overall mask bit of Bob’s related to that variable, can be upper bounded by a constant.(2) About Scheme 4. The following Scheme 4 is an interactive scheme. It has asymptotic data privacy but the circuit privacy is not good. Later in Scheme 5 we add some artificial verifications for improving circuit privacy.
In Scheme 4, we denote an upper bound on the number of gates in the desired circuit as . The scheme makes use of some ideas from the computationallysecure QHE scheme TP in Dulek16 : the idea of teleporting the state to Bob’s side to let him do the gates; and the gardenhose construction for doing a Clifford gate depending on the exclusiveOR of two bits at opposite parties (Appendix B). It also uses many instances of Scheme 3 (called the lowerlevel scheme here), except the very last small step in it, namely the correction of the output bit by Alice according to Bob’s message. This is because in Scheme 4 we hope to reduce Bob’s messages to Alice as much as possible, for improving circuit privacy. The general structure of the scheme in Dulek16 is that Alice first teleports the input state to Bob’s side, but withholds the Pauli keys, and Bob performs the Clifford gates and the gates in the desired circuit, while the corrections are calculated with the help of a classical HE scheme and some measurement on some EPR pairs (based on the “garden hose” technique developed in some related papers). In this work we get rid of the classical HE scheme, and only use the most elementary instance of the “garden hose” model. By combining Scheme 3 with the simple “garden hose” model in Appendix B, we obtain an interactive QHE scheme.
In the scheme, we make use of the following polynomials to update the initial Pauli keys. The and () are keyupdating polynomials which are linear polynomials in variables. All variables are in the finite field . The first variables are the initial Pauli keys and (), corresponding to the Pauli operator applied on qubits. The other variables are Alice’s Bellstate measurement outcomes in the “garden hose” gadget in Appendix B. The output of the polynomials are , corresponding to the Pauli correction . (If these variables are not introduced, Alice would need to tell the Bellstate measurement outcomes to Bob, making the data less secure for a cheating Bob.)
The initial variables are unchanged at each Clifford stage in the circuit. Bob changes the coefficients for them in the polynomials in instances of Scheme 3. The way Bob changes the coefficients is because of some keyupdate rules, and we call them effective keyupdate rules below, since they do not change Alice’s keys but rather change Bob’s coefficients. The effective keyupdate rules for the first variables under the action of Clifford gates are reversible (hence no new variables need to be introduced), and they can be easily obtained from the following relations:
(6) 
where the is addition modulo 2, and in the gate , the qubit 1 is the control. The effective keyupdate rules for the first variables under the gate can be obtained from the relations
(7) 
More details about the keyupdate rules are in bj15 ; Dulek16 .
The Scheme 4 works for any quantum input, including states with complex amplitudes, and mixed states. There are instances of Scheme 3 in Scheme 4. There are instances of the gadget in Appendix B for correcting an unwanted gate after a gate, up to Pauli corrections.
The correctness of Scheme 4 follows from the correctness of Scheme 3 and our way of using the scheme TP in Dulek16 . Since each input variable appears for times (for example, in each of the polynomials related to gates), it is necessary to set the parameter to be sufficiently large, while the circuit size needs to be multiplied by a factor to allow recompilation of the original circuit into a form not easily guessed by Alice from partial information about the coefficients in the polynomials. In the following, we give some estimate under the requirement of asymptotic data privacy; the circuit privacy is to be improved in Scheme 5. As mentioned previously, it is necessary to set to hide the data in one instance of Scheme 3. Since each input variable of Alice’s appear for at most times in Scheme 4, to let the data privacy be independent of the correctness of evaluation, it suffices to set , where is a small positive real number describing the leak of information about an input qubit of Alice’s. An near zero means that the qubit is almost secure. The total classical communication cost and entanglement cost are (bits and ebits, respectively), as there are instances of the lowerlevel scheme, each of which uses EPR pairs and a proportional amount of classical communication.
We now discuss the circuit privacy in Scheme 4. If Alice honestly follows the protocol, the bits sent by Bob during the instances of the lowerlevel scheme do not actually carry useful information about his circuit, thus she learns at most bits about the circuit, according to the analysis after Scheme 3. This degree of circuit privacy is already optimal for general unitary circuits, since Alice could always use dense coding to learn about bits from the output of the computation; and since we do not allow the use of initial entangled states for an honest Alice, she in fact learns only bits. If Alice cheats by using some other input state for each instance of the lowerlevel scheme, she could learn more information about the circuit, see the discussion after Scheme 3. A method for improving circuit privacy is in the following Scheme 5.
(3) About Scheme 5. The Scheme 5 is based on Scheme 4. The general idea is that Bob asks Alice to return some messages as outputs for his embedded checking procedures, and Bob aborts the protocol if the returned messages are not as expected. In this way, Bob verifies the quantum computation for the original circuit. This is inspired by the results in the literature that a quantum verifier can verify the result of a polynomialsized quantum computation of a prover. Some protocols of verification for different types of blind quantum computing have been constructed FK17 ; ABOEM17 ; Broadbent18 . The verification protocol FHM18 is not intended for blind quantum computing. A computationallysecure QFHE scheme with verification is given in ADSS17 .
The reason that verifications are of significant help here is because of a property of Scheme 4: Alice’s knowledge about (the current part of) Bob’s program does not mean she can send back the correct messages. This is because Bob verifies Alice’s messages against his mask bits, which are unknown to the honest Alice, and a cheating Alice cannot (almost) deterministically find out those mask bits while (almost) deterministically learning about the related part of Bob’s program at the same time, since the two tasks involve incompatible measurements. An error of Alice, which can also be stated as an error of the distributed result in an instance of Scheme 3, will affect the correctness of removing unwanted after each gate. Consequently, due to the gates added in the random gates in Scheme 5, Alice has large probability of returning some wrong classical message, resulting in wrong state of Bob’s auxiliary qubits after he corrects such qubits according to Alice’s message.
Here is an explanation for the “added instance of reduced Scheme 3” in Scheme 5. Such instance is for computing a polynomial whose output is a bit, representing whether some Pauli or correction should be performed on some qubit on Bob’s side, and Bob will later measure those qubits in some suitable Pauli basis to find out whether Alice has cheated. The input variables for such polynomial should be the (at most) variables in Scheme 4, but since the verification is supposed to be independent of the input data, the variables actually have zero coefficients (for honest Bob), and the remaining (at most) variables are from Alice’s Bellstate measurements in some instances of the gardenhose gadget in Appendix B.
By choosing the level of data privacy in the original scheme suitably, the Scheme 5 keeps the original data qubits quite secure with the exception that the verification messages may reveal information about the data. Since the total length of such messages is limited to a constant (see the expression of below), the amount of information leak introduced by the revision compared to Scheme 4 is a constant. Thus, the data privacy may be quite satisfactory, especially in the applications in which partial information about the data do not reveal much useful information, say when the input is already the output of some hashing procedure (or the encryption procedure in some classical homomorphic encryption scheme) acting on some original data. By choosing a suitable number of check bits from Alice, the circuit privacy in Scheme 5 can be enhanced to a satisfactory level: suppose there are check bits, then since a cheating Alice would return a wrong bit with some constant probability (a cheating Alice should cheat at almost all places in the protocol, otherwise she learns little about the circuit due to the possible different decompositions of the circuit; see also the analysis about circuit privacy after Scheme 3), the probability that at least one check bit is wrong is about , where is a constant real number. If the desired level of the probability that a cheating Alice is not caught is , we may set . Consequently, the Scheme 5 keeps all but qubits of the input secure, and there is chance that the information about Bob’s intended circuit is asymptotically secure except for an amount proportional to input size, where
is a constant related to the prior probability that Alice may cheat.
Random recompilation of the circuit may help circuit privacy. For some simple types of circuits, such as Clifford circuits, it may be helpful to recompile the circuit to fit it into a more complex class of circuits. Enlarging the circuit size by a constant factor is already sufficient to allow for many different forms of the original circuit.
Note that a purely classical client may be used in the verification of quantum computation Mahadev18v ; ADSS17 (at least in the case of classical input and output), but this is based on computational assumptions, thus it is out of the situations considered in Scheme 5. We leave as an open problem whether the method in Mahadev18v or ADSS17 together with Scheme 4 can be used to construct an interactive QHE scheme with classical client with better security than that in Mahadev17 .
Vi A class of variants of Scheme 3
In this section, we first introduce Scheme 6, which is a variant of Scheme 3. The use of such scheme is discussed in later sections. We then mention that there is a continuous class of variants of Scheme 3, which interpolates between Scheme 3 and Scheme 6.
Since Scheme 6 is noninteractive, from the proof of Theorem 4, we find that a cheating Alice learns at most bits of information about Bob’s circuit (i.e. about and the constant ). If the last bit of communication is omitted, which may be the case when Scheme 6 is used in some higherlevel schemes such as Scheme 4, Alice learns at most bits of information about Bob’s coefficients , and in such case the result is distributed as the XOR of two remote bits. It should be stressed that Alice’s learning of the circuit would affect the correctness of evaluation of the distributed result, for similar reasons as discussed after Scheme 3. If the result is not distributed, but completely on Alice’s side, and if , she still cannot learn all information about Bob’s input. If Alice wants to ensure that the evaluation (with distributed result when ) is exactly correct, she cannot learn any information about the circuit apart from what is learnable from the output of the evaluation. But she can learn about Bob’s input up to the amount mentioned above if she does not care about the correctness of evaluation of the distributed result.
For the data privacy of Scheme 6, we consider two criteria: first, when the input is a priori uniformly random in the other party’s view, the amount of information learnable by Bob is small. The second is the usual INDCPA type of criterion: that any two classical input strings are hardly distinguishable by Bob. The security under the first criterion is partially discussed in Theorem 5 and in Appendix C. It is found that even with uniformly random data, the security of Scheme 6 is not very good by itself, but with the help of the type of verifications in the last section, the security in an interactive QHE scheme would be quite interesting. Later we show that the data security of Scheme 6 does not satisfy the second criterion.
Theorem 5.
The following statements hold for Scheme 6
in the case that Alice’s input data is uniformly distributed in Bob’s view.
(i) The information learnable by a cheating Bob about each bit of Alice’s input is bits (although he may learn more about the correlations between the input bits).
(ii) The information learnable by a cheating Bob about the joint distribution of the input bits is at least
bits.Proof.
(i) It is shown in the discussion after Scheme 3 that the trace distance of Bob’s two reduced density matrices (on qubits corresponding to ) for the different values of a particular is exactly . Bob actually has a very good measurement to find out about in Scheme 6 (also for Scheme 3). He just needs to measure the first qubit in each pair of qubits in the basis, and the second qubit in the pair in the basis. Such measurement basis in the combined Hilbert space of qubits is a fixed basis, in which the density matrix is diagonal. The mutual information between Alice and Bob (for uniformly random input ) by measuring the qubits in this way is exactly bits: it is because the only cases in which the can be determined are that the qubit pairs are all in the state or all in the state , and in all other cases (which are perfectly distinguishable from the two cases just mentioned) the two possible bit values of are equally likely. An alternative way to calculate the amount of mutual information is by using the fact that the Holevo quantity is equal to the classical mutual information in the current case, see Appendix C.
Since the input distribution is uniformly random, each is with probability exactly , then, if Bob had no prior knowledge about the , the qubits received by Bob are in a maximally mixed state in his view, for each possible combination of the values of . In other words, Bob’s information about the cannot be increased at all if he had zero information to start with. And he indeed initially has zero information about the . Hence, Bob is completely ignorant of the even after his measurements. Therefore, his best strategy to learn about one of the bits is to learn it by measuring the corresponding qubits. As mentioned above, the information about the bit learnable by Bob is bits for uniformly random input. By doing the same measurement for all input bits, and looking at the correlations among measurement outcomes across different , he may learn about the joint distribution of the input bits.
(ii) If Alice further sends bits of information about the to Bob, he would know all information about the input by the following fixedbasis measurement below. He just needs to measure the first qubit in each pair of qubits in the basis, and the second qubit in the pair in the basis. The fixedbasis measurement and the construction of the scheme imply that the state received by Bob is effectively classical, and since locking does not happen for classical states DHL04 , we get that Bob’s information about the before being told anything about the is at least bits.
For more details about the classical mutual information when Alice’s input is uniformly random, see Appendix C.
As a step towards studying the security under the second criterion, we prove the following result.
Theorem 6.
In Scheme 6, the trace distance between Bob’s reduced density matrices for two different input binary strings of length is a constant dependent only on and .
Proof.
Without loss of generality, let the first input binary string be the allzero string. Now assume the second input binary string contains only one , then without loss of generality it can be assumed to be . Let the trace distance between Bob’s reduced density matrices for these two input strings be , which depends on and . Now we consider the case that the second input string contains two ’s, and without loss of generality the string can be assumed to be . The trace distance between Bob’s reduced density matrices for the allzero string and the above string can be expressed as . For any unitary acting on such reduced density matrices, the expression above is equal to . Now let be the following operation: Bob does gates with the controlling qubit being the first qubit in each of the pairs of qubits corresponding to the input bit , and the target qubit being the first qubit in each of the pairs of qubits corresponding to the input bit ; Bob also does gates with the controlling qubit being the second qubit in each of the pairs of qubits corresponding to the input bit , and the target qubit being the second qubit in each of the pairs of qubits corresponding to the input bit . The effectively changes the input to , while leaving the allzero input string unchanged. Thus, the trace distance between Bob’s reduced density matrices for the allzero string and the is equal to . By doing similar unitaries for other pairs of states corresponding to the allzero input string and some nonzero input string, we get that the trace distance between Bob’s reduced density matrices for the allzero string and any nonzero string is equal to . Then, noting that on a pair of qubits corresponding to one of the input bits effectively flip the input bit , we have that the trace distance between Bob’s reduced density matrices corresponding to any pair of different input binary strings is . This completes the proof.
Numerical calculations suggest that the trace distance between Bob’s reduced density matrices for the allzero input string and for a mixture of other input strings is also equal to the same constant in Theorem 6.
Now we discuss whether Scheme 6 is secure under the INDCPA criterion. While it is expected that the allzero and the allone inputs are more distinguishable compared to the case of only one bit input ( or ), which has been confirmed by numerical calculations, it may seem counterintuitive that many identical bits in the case of the zero string versus still help distinguishability compared to the onebit input case. But there is an easy explanation for this phenomenon: since Bob knows the value of the input bit for a particular , he may do some measurements in the qubits corresponding to so that he learns something about Alice’s choices of the encoding bases, i.e. the , and such partial information helps the distinguishability when he measures other qubits. A very good measurement strategy for Bob is to measure the first qubit in each pair of qubits in the basis, and the second qubit in the pair in the basis. In this way, since he knows the value of for any , he may exclude about a half of the possible strings by measuring the qubits for a particular . After he repeats this procedure for many different , he gets a lot of information about such that he can measure the qubits corresponding to , and get quite a good amount of information about , which determines the input is the zero string or the . Since his ignorance about decreases exponentially with , we may expect that he can distinguish the zero string or the with probability near , when is large. And according to Theorem 6, this means the trace distance between any two different inputs is nearly for large , implying that the Scheme 6 is not secure under the INDCPA criterion. As a result, the overall interactive QHE scheme based on Scheme 6 is not secure under the qINDCPA criterion in bj15 .
By using Scheme 4 as the main scheme, we obtain an interactive QHE scheme. The security depends on the parameter range: is guarantees circuit privacy, by using many gates in the circuit and allowing recompilation of the circuit, but the data privacy is not good; is good for data privacy in the case of uniformly random data, but the circuit privacy is not good by itself, but similar to the last section, we may still in principle use Scheme 5 for improving circuit privacy by embedded verifications, at some minor cost of affecting data privacy. Some further discussions about the uses of Scheme 6 in bipartite secure computation and interactive QHE are in Sec. VIII.
A last comment is that the schemes in Sec. V may be improved by partially using the method in this section: in Scheme 3, all the are independently random. If we change the choices such that about bits are the same, for the same but different , then we may reduce the amount of classical communication from Bob to Alice by a factor of about . This should help circuit privacy when Scheme 3 is used as a subprocedure in Scheme 4 and later in Scheme 5, while the data privacy is somewhat compromised, but if is small enough, say , then the data security is still of the INDCPA type, according to the remarks after Theorem 6 above.
Vii A scheme for computing classical linear polynomials based on information locking
In this section, we introduce Scheme 7, which is a variant of Scheme 6 and Scheme 3. It makes use of the method of information locking by quantum techniques DHL04 . An application of Scheme 7 is discussed in the next section.
Similar to the last section, from the proof of Theorem 4, a cheating Alice learns at most bits of information about Bob’s circuit (i.e. about and the constant ). If the last bit of communication is omitted, which may be the case when Scheme 7 is used in some higherlevel schemes such as Scheme 4, Alice learns at most bits of information about Bob’s coefficients , and in such case the result is distributed as the XOR of two remote bits. It should be stressed that Alice’s learning of the circuit would affect the correctness of evaluation of the distributed result, for similar reasons as discussed after Scheme 3. If the result is not distributed, but completely on Alice’s side, and if , she still cannot learn all information about Bob’s input. If Alice wants to ensure that the evaluation (with distributed result when ) is exactly correct, she cannot learn any information about the circuit apart from what is learnable from the output of the evaluation. But she can learn about Bob’s input up to the amount mentioned above if she does not care about the correctness of evaluation of the distributed result.
For the data privacy of Scheme 7, we consider two criteria: first, when the input is a priori uniformly random in the other party’s view, the amount of information learnable by Bob is small. The second is the usual INDCPA type of criterion: that any two classical input strings are hardly distinguishable by Bob. The security under the first criterion is partially discussed in Theorem 7 and in Appendix C. It is better than Scheme 6, but the precise level of security for large still needs further study. Later we show that the data security of Scheme 7 does not satisfy the second criterion, at least when .
Theorem 7.
The following statements hold for Scheme 7 in the case that Alice’s input data is uniformly distributed in Bob’s view.
(i) The information learnable by a cheating Bob about each bit of Alice’s input is bits.
(ii) The information learnable by a cheating Bob about the joint distribution of the input bits is at least bits.
Proof.
(i) It can be found by explicit calculation that if , the trace distance of Bob’s two reduced density matrices for a particular is exactly . For larger , since the encoded states are independent among the qubits with different (provided that is unknown to Bob), the trace distance of Bob’s two reduced density matrices for a particular is exactly . Hence, by measuring each qubit in a best basis, the mutual information between Alice and Bob (for uniformly random input ) by measuring the qubits is bits, and numerical calculations suggest that the mutual information and the Holevo bound (limited to one particular ) may be bits.
Since the input distribution is uniformly random, each is with probability exactly , then, if Bob had no prior knowledge about the , the qubits received by Bob are in a maximally mixed state in his view, for each possible combination of the values of . In other words, Bob’s information about the cannot be increased at all if he had zero information to start with. And he indeed initially has zero information about the . Hence, Bob is completely ignorant of the even after his measurements. Therefore, his best strategy to learn about one of the bits is to learn it by measuring the corresponding qubits. As mentioned above, the information about the bit learnable by Bob is bits for uniformly random input, which may be a tight bound. By doing the same measurement for all input bits, and looking at the correlations among measurement outcomes across different , he may learn about the joint distribution of the input bits.
(ii) Bob may choose to do