
Teleportation-based quantum homomorphic encryption scheme with quasi-compactness and perfect security

Quantum Information Processing

Abstract

Quantum homomorphic encryption (QHE) is an important cryptographic technology for delegated quantum computation. It enables a remote server to perform quantum computation on encrypted data, and the specific algorithm performed by Server need not be known by Client. Quantum fully homomorphic encryption (QFHE) is a QHE that satisfies both compactness and \({\mathcal {F}}\)-homomorphism (homomorphic for any quantum circuits). However, Yu et al. (Phys Rev A 90:050303, 2014) proved a negative result: if interaction is not allowed, it is impossible to construct a perfectly secure QFHE scheme. So this article focuses on non-interactive and perfectly secure QHE schemes with a looser requirement, e.g., quasi-compactness. This article defines the encrypted gate, which is denoted by \(EG[U]:|\alpha \rangle \rightarrow \left( (a,b),Enc_{a,b}(U|\alpha \rangle )\right) \). We present a gate-teleportation-based two-party computation scheme for EG[U], where one party gives an arbitrary quantum state \(|\alpha \rangle \) as input and obtains the encrypted U-computing result \(Enc_{a,b}(U|\alpha \rangle )\), and the other party obtains the random bits a, b. Based on \(EG[P^x](x\in \{0,1\})\), we propose a method to remove the P-error generated in the homomorphic evaluation of the \(T/T^\dagger \)-gate. Using this method, we design two non-interactive and perfectly secure QHE schemes named GT and VGT. Both of them are \({\mathcal {F}}\)-homomorphic and quasi-compact (the decryption complexity depends on the \(T/T^\dagger \)-gate complexity). Assuming that \({\mathcal {F}}\)-homomorphism, non-interaction and perfect security are necessary properties, the quasi-compactness is proved to be bounded by \(\varOmega (M)\), where M is the total number of \(T/T^\dagger \)-gates in the evaluated circuit. We prove that VGT is M-quasi-compact and reaches the optimal bound. According to our QHE schemes, the decryption would be inefficient when the evaluated circuit contains an exponential number of \(T/T^\dagger \)-gates. Thus, our schemes are suitable for homomorphic evaluation of any quantum circuit with low \(T/T^\dagger \)-gate complexity, such as any polynomial-size quantum circuit or any quantum circuit with a polynomial number of \(T/T^\dagger \)-gates.

Notes

  1. A QHE scheme which is compact and not \({\mathcal {F}}\)-homomorphic is called a quantum somewhat homomorphic encryption scheme. This kind of QHE scheme is not studied in this article. In fact, it is also worthwhile to study somewhat QHE schemes which are homomorphic for a sufficiently large class of quantum circuits.

  2. In the concrete scheme, in order to protect x from Server’s eavesdropping, Client should perform quantum operator \(X^rZ^{r'}P^x\), where both r and \(r'\) are secret random bits chosen by Client.

References

  1. Gentry, C.: A fully homomorphic encryption scheme. Ph.D. thesis, Stanford University (2009)

  2. Childs, A.M.: Secure assisted quantum computation. Quantum Inf. Comput. 5(6), 456–466 (2005)

  3. Aharonov, D., Ben-Or, M., Eban, E.: Interactive proofs for quantum computations. In: Proceedings of Innovations in Computer Science, ICS 2010, pp. 453–469. Tsinghua University Press (2010)

  4. Broadbent, A.J., Fitzsimons, F., Kashefi, E.: Universal blind quantum computation. In: Proceedings of the 50th Annual Symposium on Foundations of Computer Science, pp. 517–526. IEEE (2009)

  5. Sueki, T., Koshiba, T., Morimae, T.: Ancilla-driven universal blind quantum computation. Phys. Rev. A 87, 060301 (2013)

  6. Morimae, T., Fujii, K.: Blind topological measurement-based quantum computation. Nat. Commun. 3, 1036 (2012)

  7. Morimae, T.: Continuous-variable blind quantum computation. Phys. Rev. Lett. 109, 230502 (2012)

  8. Giovannetti, V., Lloyd, S., Maccone, L.: Efficient universal blind quantum computing. Phys. Rev. Lett. 111(23), 230501 (2013)

  9. Liang, M.: Quantum fully homomorphic encryption scheme based on universal quantum circuit. Quantum Inf. Process. 14, 2749–2759 (2015)

  10. Rohde, P.P., Fitzsimons, J.F., Gilchrist, A.: Quantum walks with encrypted data. Phys. Rev. Lett. 109(15), 150501 (2012)

  11. Liang, M.: Symmetric quantum fully homomorphic encryption with perfect security. Quantum Inf. Process. 12, 3675–3687 (2013)

  12. Tan, S.H., Kettlewell, J.A., Ouyang, Y.K., Chen, L., Fitzsimons, J.F.: A quantum approach to fully homomorphic encryption. Sci. Rep. 6, 33467 (2016)

  13. Yu, L., Perez-Delgado, C.A., Fitzsimons, J.F.: Limitations on information theoretically secure quantum homomorphic encryption. Phys. Rev. A 90, 050303 (2014)

  14. Fisher, K., Broadbent, A., Shalm, L.K., Yan, Z., Lavoie, J., Prevedel, R., Jennewein, T., Resch, K.J.: Quantum computing on encrypted data. Nat. Commun. 5, 3074 (2014)

  15. Broadbent, A., Jeffery, S.: Quantum homomorphic encryption for circuits of low T-gate complexity. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015 Part II. LNCS, vol. 9216, pp. 609–629. Springer, Heidelberg (2015)

  16. Dulek, Y., Schaffner, C., Speelman, F.: Quantum homomorphic encryption for polynomial-sized circuits. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016 Part III. LNCS, vol. 9816, pp. 3–32. Springer, Heidelberg (2016)

  17. Liang, M., Yang, L.: Quantum fully homomorphic encryption scheme based on quantum fault-tolerant construction (2015). arXiv:1503.04061

  18. Ouyang, Y., Tan, S.-H., Fitzsimons, J.: Quantum homomorphic encryption from quantum codes (2015). arXiv:1508.00938

  19. Newman, M., Shi, Y.: Limitations on transversal computation through quantum homomorphic encryption. Quantum Inf. Comput. 18, 927–948 (2018)

  20. Lai, C.-Y., Chung, K.-M.: On statistically-secure quantum homomorphic encryption. Quantum Inf. Comput. 18, 785–794 (2018)

  21. Alagic, G., Dulek, Y., Schaffner, C., Speelman, F.: Quantum fully homomorphic encryption with verification. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017 Part I. LNCS, vol. 10624, pp. 438–467. Springer, Cham (2017)

  22. Nielsen, M., Chuang, I.: Quantum Computation and Quantum Information. Cambridge University Press, Cambridge (2000)

  23. Boykin, P., Roychowdhury, V.: Optimal encryption of quantum bits. Phys. Rev. A 67(4), 42317 (2003)

  24. Ambainis, A., Mosca, M., Tapp, A., De Wolf, R.: Private quantum channels. In: Proceedings of the 41st Annual Symposium on Foundations of Computer Science, pp. 547–553. Redondo Beach, CA, USA (2000)

  25. Gottesman, D., Chuang, I.L.: Quantum teleportation is a universal computational primitive. Nature 402, 390–393 (1999)

  26. Jozsa, R.: An introduction to measurement based quantum computation (2005). arXiv:quant-ph/0508124v2

  27. Shor, P.W.: Algorithms for quantum computation: discrete logarithm and factoring. In: Proceedings of the 35th Annual Symposium on the Theory of Computer Science, pp. 124–134. IEEE Computer Society Press, Los Alamitos (1994)

  28. Harrow, A.W., Hassidim, A., Lloyd, S.: Quantum algorithm for solving linear systems of equations. Phys. Rev. Lett. 15(103), 150502 (2009)

Corresponding author

Correspondence to Min Liang.

This work was supported by the National Natural Science Foundation of China (Grant No. 61672517).

Appendices

Some definitions about quantum homomorphic encryption

In this section, we introduce some concepts about QHE, including symmetric-key QHE, homomorphism, compactness, QFHE, quasi-compactness and security. Some of the definitions follow Ref. [15].

Definition 1

(Symmetric-key quantum homomorphic encryption) A symmetric-key QHE scheme QHE contains the following four algorithms

QHE = (QHE.KeyGen,QHE.Enc,QHE.Eval,QHE.Dec).

  1. Key Generation. \((sk,\rho _{evk})\leftarrow \texttt {QHE.KeyGen}(1^n)\), where sk is the secret key and \(\rho _{evk}\) is the quantum evaluation key in \(D({\mathcal {H}}_{evk})\). The evaluation key is optional in a symmetric QHE scheme.

  2. Encryption. \(\texttt {QHE.Enc}_{sk}:D({\mathcal {H}}_M)\rightarrow D({\mathcal {H}}_C)\), where \(D({\mathcal {H}}_M)\) and \(D({\mathcal {H}}_C)\) are the sets of density operators in the plaintext space and the ciphertext space, respectively.

  3. Evaluation. \(\texttt {QHE.Eval}^{QC}:D({\mathcal {H}}_{evk}\otimes {\mathcal {H}}_C)\rightarrow D({\mathcal {H}}_{C'}\otimes {\mathcal {H}}_{aux})\), where \({\mathcal {H}}_{C'}\) is the result space of quantum computation on the input space \({\mathcal {H}}_C\). For any quantum circuit QC (called the evaluated circuit), with induced channel \(\varPhi _{QC}:D({\mathcal {H}}_M)\rightarrow D({\mathcal {H}}_{M'})\), we define a channel \(\texttt {Eval}^{QC}\) that maps \(D({\mathcal {H}}_C)\) to \(D({\mathcal {H}}_{C'})\) with an additional auxiliary quantum state in the space \({\mathcal {H}}_{aux}\). The evaluation key in \(D({\mathcal {H}}_{evk})\) is used up in the process.

  4. Decryption. \(\texttt {QHE.Dec}_{sk}:D({\mathcal {H}}_{C'}\otimes {\mathcal {H}}_{aux})\rightarrow D({\mathcal {H}}_{M'})\). For any possible secret key sk, \(\texttt {Dec}_{sk}\) is a quantum channel that maps the ciphertext state together with the auxiliary state to a plaintext state in \(D({\mathcal {H}}_{M'})\).

Definition 2

(Compactness) QHE scheme QHE is compact if the algorithm QHE.Dec is independent of the evaluated circuit QC.

Definition 3

(Homomorphism) Let \({\mathcal {L}}=\{{\mathcal {L}}_{\kappa }\}_{\kappa \in \mathbb {N}}\) be a class of quantum circuits. A quantum encryption scheme QHE is homomorphic for the class \({\mathcal {L}}\) if for any sequence of circuits \(\{C_{\kappa }\in {\mathcal {L}}_{\kappa }\}_{\kappa \in \mathbb {N}}\) and input \(\rho \in D({\mathcal {H}}_M)\), there exists a negligible function negl such that:

$$\begin{aligned} \varDelta \left( \texttt {QHE.Dec}_{sk}\left( \texttt {QHE.Eval}^{C_{\kappa }}\left( \rho _{evk},\texttt {QHE.Enc}_{sk}(\rho )\right) \right) ,\varPhi _{C_{\kappa }}(\rho )\right) \le negl(\kappa ), \end{aligned}$$

where \((sk,\rho _{evk})\leftarrow \texttt {QHE.KeyGen}(1^{\kappa })\) and \(\varPhi _{C_{\kappa }}\) is the channel induced by quantum circuit \(C_{\kappa }\).

Definition 4

(Quantum fully homomorphic encryption) A QHE scheme is a quantum fully homomorphic encryption scheme if

  1. it is compact and

  2. it is \({\mathcal {F}}\)-homomorphic (or homomorphic for \({\mathcal {F}}\)), where \({\mathcal {F}}\) is the set of all quantum circuits over the universal quantum gate set \(\{X,Z,H,P,CNOT,T,T^\dagger \}\).

Definition 5

(Quasi-compactness) Let \({\mathcal {L}}=\{{\mathcal {L}}_\kappa \}_{\kappa \in \mathbb {N}}\) be the set of all quantum circuits over the universal quantum gate set \(\{X,Z,H,P,CNOT,T,T^\dagger \}\). Let \(f:{\mathcal {L}}\rightarrow \mathbb {R}_{\ge 0}\) be some function on the circuits in \({\mathcal {L}}\). A QHE scheme is f-quasi-compact if there exists a polynomial p such that for any sequence of circuits \(\{C_{\kappa }\in {\mathcal {L}}_\kappa \}_{\kappa \in \mathbb {N}}\) with induced channels \(\varPhi _{C_\kappa }:D({\mathcal {H}}_M)\rightarrow D({\mathcal {H}}_{M'})\), the circuit complexity of decrypting the output of \(\texttt {QHE.Eval}^{C_\kappa }\) is at most \(f(C_\kappa )p(\kappa )\).

QHE is a class of quantum encryption with a special property, so its security can be defined following the definition of security for quantum encryption. Concretely, there are three levels of security: computational security, information-theoretic security and perfect security. This article focuses only on QHE with perfect security, so we present the definition of perfect security as follows.

Definition 6

(Perfect security) QHE scheme QHE is perfectly secure if there exists a quantum state \(\varOmega ^{\mathrm {A}'}\) such that for all states \(\rho ^{\mathrm {AE}}\) we have that:

$$\begin{aligned} \parallel \texttt {QHE.Enc}(\rho ^{\mathrm {AE}})-\varOmega ^{\mathrm {A}'}\otimes \rho ^\mathrm {E}\parallel =0, \end{aligned}$$

where QHE.Enc is an encryption algorithm performed on the part \(\mathrm {A}\) of quantum state \(\rho ^\mathrm {AE}\). Denote \(\texttt {QHE.Enc}(\rho ^\mathrm {AE})\) as a quantum ensemble over the probability distribution of the secret key and all the randomness in the quantum algorithm.

Elementary identities about quantum gates

For the quantum gates in the set \({\mathcal {S}}\), the following identities hold (up to a global phase):

$$\begin{aligned} X^aZ^b= & {} (-1)^{ab}Z^bX^a,\forall a,b\in \{0,1\}, \\ HX^aZ^b= & {} Z^aX^bH,\forall a,b\in \{0,1\}, \\ PX^aZ^b= & {} X^aZ^{a\oplus b}P,\forall a,b\in \{0,1\}, \\ P^aTX^aZ^b= & {} X^aZ^{a\oplus b}T,\forall a,b\in \{0,1\}, \\ P^aT^{\dagger }X^aZ^b= & {} X^aZ^bT^\dagger ,\forall a,b\in \{0,1\}, \\ CNOT(X^aZ^b\otimes X^cZ^d)= & {} (X^aZ^{b\oplus d}\otimes X^{a\oplus c}Z^d)CNOT,\forall a,b,c,d\in \{0,1\}. \end{aligned}$$
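The identities above can be checked numerically for every bit assignment. The following Python check is an added example, not code from the article; the helper names (`mul`, `kron`, `xz`, `same_up_to_phase`, `check_identities`, `t_needs_correction`) are assumptions of this example, and CNOT is taken with the first tensor factor as control.

```python
import cmath
from itertools import product

S = 2 ** -0.5
I2 = [[1, 0], [0, 1]]
X = [[0, 1], [1, 0]]
Z = [[1, 0], [0, -1]]
H = [[S, S], [S, -S]]
P = [[1, 0], [0, 1j]]
T = [[1, 0], [0, cmath.exp(1j * cmath.pi / 4)]]
TDG = [[1, 0], [0, cmath.exp(-1j * cmath.pi / 4)]]
CNOT = [[1, 0, 0, 0], [0, 1, 0, 0], [0, 0, 0, 1], [0, 0, 1, 0]]  # first qubit is control

def mul(*ms):
    """Matrix product of the arguments, left to right."""
    out = ms[0]
    for m in ms[1:]:
        out = [[sum(row[k] * m[k][j] for k in range(len(m))) for j in range(len(m[0]))]
               for row in out]
    return out

def kron(a, b):
    """Tensor product of two square matrices."""
    return [[a[i][j] * b[k][l] for j in range(len(a)) for l in range(len(b))]
            for i in range(len(a)) for k in range(len(b))]

def pw(m, e):
    """m**e for a single-qubit gate m and a bit e."""
    return m if e else I2

def xz(a, b):
    """The Pauli operator X^a Z^b."""
    return mul(pw(X, a), pw(Z, b))

def same_up_to_phase(a, b, tol=1e-9):
    """True if a = c*b for some complex c with |c| = 1."""
    fa = [v for row in a for v in row]
    fb = [v for row in b for v in row]
    ref = next(i for i, v in enumerate(fb) if abs(v) > tol)  # a unitary is never all-zero
    c = fa[ref] / fb[ref]
    return abs(abs(c) - 1) < tol and all(abs(u - c * v) < tol for u, v in zip(fa, fb))

def check_identities():
    """Check each identity for all bit values; returns {identity name: bool}."""
    ok = dict.fromkeys(["XZ", "H", "P", "T", "Tdg", "CNOT"], True)
    for a, b in product((0, 1), repeat=2):
        sign = (-1) ** (a * b)
        zx = [[sign * v for v in row] for row in mul(pw(Z, b), pw(X, a))]
        ok["XZ"] &= xz(a, b) == zx  # exact equality, sign included
        ok["H"] &= same_up_to_phase(mul(H, xz(a, b)), mul(pw(Z, a), pw(X, b), H))
        ok["P"] &= same_up_to_phase(mul(P, xz(a, b)), mul(xz(a, a ^ b), P))
        ok["T"] &= same_up_to_phase(mul(pw(P, a), T, xz(a, b)), mul(xz(a, a ^ b), T))
        ok["Tdg"] &= same_up_to_phase(mul(pw(P, a), TDG, xz(a, b)), mul(xz(a, b), TDG))
    for a, b, c, d in product((0, 1), repeat=4):
        lhs = mul(CNOT, kron(xz(a, b), xz(c, d)))
        rhs = mul(kron(xz(a, b ^ d), xz(a ^ c, d)), CNOT)
        ok["CNOT"] &= same_up_to_phase(lhs, rhs)
    return ok

def t_needs_correction():
    """Without the P^a factor, T X differs from X Z T by more than a phase (the P-error)."""
    return not same_up_to_phase(mul(T, X), mul(xz(1, 1), T))
```

`t_needs_correction()` shows why the T and \(T^\dagger\) rows carry the extra \(P^a\): dropping it leaves an operator that no Pauli key update can absorb.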

In the description of quantum circuit, the standard measurement (or Z-basis measurement) is depicted using the symbol in Fig. 6a. The U-rotated Bell measurement can be transformed into the standard measurement. Their relation is shown in Fig. 6b.

Fig. 6 a Symbol for standard measurement (or Z-basis measurement) in quantum circuit. b The relation between U-rotated Bell measurement and standard measurement

The \(\mathrm {SWAP}\) can be implemented from three \(\mathrm {CNOT}\) gates, e.g.,

$$\begin{aligned} SWAP_{i,j}= & {} CNOT_{i,j}CNOT_{j,i}CNOT_{i,j} \\= & {} CNOT_{i,j}(H_i\otimes H_j)CNOT_{i,j}(H_i\otimes H_j)CNOT_{i,j}. \end{aligned}$$

In quantum circuit, \(SWAP_{i,j}\) is depicted using the symbol in Fig. 7.

Fig. 7 Symbol for \(\mathrm {SWAP}\) in quantum circuit

Key-updating rules

Suppose the evaluated circuit consists of the gates in the set \({\mathcal {S}}=\{X,Z,H,P,CNOT,T,T^\dagger \}\). The quantum data has n qubits and is encrypted according to the QOTP scheme, with the secret key being a 2n-bit string. The secret key is the initial key of key-updating. Let the initial key be \((x_0,z_0)\), where \(x_0,z_0\in \{0,1\}^n\). Denote \(x_0=x_0(1)x_0(2)\cdots x_0(n)\) and \(z_0=z_0(1)z_0(2)\cdots z_0(n)\). Given n-qubit data, the wth (\(w=1,\ldots ,n\)) qubit is encrypted with the wth pair of bits \((x_0(w),z_0(w))\). Once a quantum gate is performed on the wth encrypted qubit, the wth pair of bits should be updated so as to decrypt that qubit correctly. Denote by \((x_j,z_j)\) the key after the jth key-updating, where \(x_j=x_j(1)x_j(2)\cdots x_j(n)\), \(z_j=z_j(1)z_j(2)\cdots z_j(n)\).

  1. Rules 1: If Gate[j] does not act on the wth qubit, then let \((x_j(w),z_j(w)):=(x_{j-1}(w),z_{j-1}(w))\); otherwise go to Rules 2 or 3.

  2. Rules 2: If \(Gate[j]=CNOT_{w,w'}\), then let

    $$\begin{aligned} (x_j(w),z_j(w))&:=(x_{j-1}(w),z_{j-1}(w)\oplus z_{j-1}(w')),\end{aligned} \tag{26}$$

    $$\begin{aligned} (x_j(w'),z_j(w'))&:=(x_{j-1}(w)\oplus x_{j-1}(w'),z_{j-1}(w')). \end{aligned} \tag{27}$$

  3. Rules 3: If Gate[j] acts only on the wth qubit, there exist the following cases.

    1. If \(Gate[j]=X_w\) or \(Z_w\), then let \((x_j(w),z_j(w)):=(x_{j-1}(w),z_{j-1}(w))\).

    2. If \(Gate[j]=H_w\), then let \((x_j(w),z_j(w)):=(z_{j-1}(w),x_{j-1}(w))\).

    3. If \(Gate[j]=P_w\), then let \((x_j(w),z_j(w)):=(x_{j-1}(w),x_{j-1}(w)\oplus z_{j-1}(w))\).

    4. If \(Gate[j]\in \{T_w,T_w^\dagger \}\), in our QHE schemes, Gate[j] is executed with a subsequent operation \(EG[P^{x_{j-1}(w)}]\). Denote by (\(r_x(i)\), \(r_z(i)\)) the classical output of \(EG[P^{x_{j-1}(w)}]\) (assume Gate[j] is the ith gate in the sequence of \(T/T^\dagger \)-gates). Let

      $$\begin{aligned} (x_j(w),z_j(w)):=&(x_{j-1}(w)\oplus r_x(i),x_{j-1}(w)\oplus z_{j-1}(w)\oplus r_z(i)), \\&\text {if } Gate[j]=T_w;\\ (x_j(w),z_j(w)):=&(x_{j-1}(w)\oplus r_x(i),z_{j-1}(w)\oplus r_z(i)), \text {if } Gate[j]=T_w^\dagger . \end{aligned}$$

Based on the key-updating Rules 1, 2 and 3, the keys \((x_j,z_j)\), \(j=1,\ldots ,N\) can be computed from the evaluated circuit and the initial key \((x_0,z_0)\). It can be verified that these keys satisfy the following relations.

  1. If Gate[j] does not act on the wth qubit (\(\forall j,w\)), then

    $$\begin{aligned} (x_{j-1}(w),z_{j-1}(w))=(x_j(w),z_j(w)). \end{aligned}$$

  2. If \(Gate[j]\in \{X,Z,H,P\}\) acts on the wth qubit, then (up to a global phase)

    $$\begin{aligned} Gate[j]_w X^{x_{j-1}(w)} Z^{z_{j-1}(w)}= X^{x_j(w)} Z^{z_j(w)} Gate[j]_w. \end{aligned}$$

  3. If Gate[j] is \(CNOT_{w,w'}\), then (up to a global phase)

    $$\begin{aligned}&CNOT_{w,w'}(X^{x_{j-1}(w)} Z^{z_{j-1}(w)} \otimes X^{x_{j-1}(w')} Z^{z_{j-1}(w')}) \\&=(X^{x_j(w)} Z^{z_j(w)} \otimes X^{x_j(w')} Z^{z_j(w')})CNOT_{w,w'}. \end{aligned}$$

  4. If Gate[j] is \(T_w/T_w^\dagger \) and is the ith gate in the sequence of \(T/T^\dagger \)-gates, then (up to a global phase)

    $$\begin{aligned}&EG[P^{x_{j-1}(w)}]Gate[j]_w X^{x_{j-1}(w)} Z^{z_{j-1}(w)} \\&\quad = ((r_x(i),r_z(i)),X^{x_j(w)} Z^{z_j(w)} Gate[j]_w), \end{aligned}$$

    where \((r_x(i),r_z(i))\) is the classical output of \(EG[P^{x_{j-1}(w)}]\).

An example for the scheme GT

Given any single-qubit unitary operator U and any \(\epsilon >0\), it is possible to approximate U to within \(\epsilon \) using a circuit composed of H gates and T-gates. In order to verify the principle of our QHE scheme GT, we only consider the single-qubit circuit \(C_1=HTHT\), which is composed of T and HTH (see Fig. 8). Up to a global phase, the gates satisfy \(T=R_z(\pi /4)\) and \(HTH=R_x(\pi /4)\).

Fig. 8 A single-qubit quantum circuit \(C_1\)

The quantum circuit \(C_1\) is given 1 (\(n=1\)) qubit as input, and the 4 (\(N=4\)) quantum gates are performed on the single-qubit. \(C_1\) can be described as a sequence of the gates, e.g., \(Gate[1]=T,Gate[2]=H,Gate[3]=T,Gate[4]=H\). It contains 2 (\(M=2\)) T-gates and \(j_1=1,w_1=1,j_2=3,w_2=1\). The QHE scheme GT for \(C_1\) uses 2 (\(M=2\)) Bell states denoted by \(|\varPhi _{00}\rangle _{c_i,s_i},i=1,2\). The qubits labeled as \(s_i\) and \(c_i\) are held by Server and Client, respectively. Figure 9 shows the QHE scheme GT for \(C_1\). Because \(n=1\), the secret key is \(sk=(x_0,z_0)\), where \(x_0=x_0(1),z_0=z_0(1)\).

Fig. 9 QHE scheme GT for single-qubit circuit \(C_1\). Server’s quantum operations are shown in the dashed box, and Client’s operations are shown outside the dashed box. Client’s secret key is \((x_0(1),z_0(1))\), and the final key \((x_4(1),z_4(1))\) is computed from the secret key and the measurement results

In the evaluation procedure, Server should finish the quantum operations shown in the dashed box. In addition, Server must generate 3 (\(M+1=3\)) key-updating functions \(g_1\), \(g_2\) and f based on key-updating rules and evaluated circuit \(C_1\). Key-updating functions \(x_0(1)=g_1(x_0,z_0)\), \(x_2(1)=g_2(x_0,z_0,r_x(1),r_z(1))\) are expressed as follows

$$\begin{aligned} x_0(1)= & {} x_0(1), \\ x_2(1)= & {} x_0(1)\oplus z_0(1) \oplus r_z(1). \end{aligned}$$

Key-updating function \((x_4,z_4)=f(x_0,z_0,r_x(1),r_z(1),r_x(2),r_z(2))\) is expressed as follows

$$\begin{aligned} x_4(1)= & {} z_0(1)\oplus r_x(1)\oplus r_z(1)\oplus r_z(2), \\ z_4(1)= & {} x_0(1)\oplus z_0(1)\oplus r_z(1)\oplus r_x(2). \end{aligned}$$

In the decryption procedure, Client performs two quantum measurements: (1) according to the function \(g_1\), Client computes the measurement basis \(\varPhi (P^{x_0(1)})\) and then performs quantum measurement and obtains a pair of bits \((r_x(1),r_z(1))\); (2) according to the function \(g_2\), Client computes the measurement basis \(\varPhi (P^{x_2(1)})\) and then performs quantum measurement and obtains a pair of bits \((r_x(2),r_z(2))\). Finally, according to the function f, Client computes the final key \((x_4(1),z_4(1))\) and performs QOTP decryption transformation.

An example for the scheme VGT

For two-qubit quantum computation, we choose the two-qubit quantum Fourier transformation (QFT) as an example. The two-qubit QFT can be implemented by the quantum circuit \(C_2\) in Fig. 10, which contains \(H,CNOT,T,T^\dagger \).

Fig. 10 Quantum circuit \(C_2\) for the two-qubit quantum Fourier transformation

The quantum circuit \(C_2\) is given 2 (\(n=2\)) qubits as input, and 2 qubits as output. It consists of 7 (\(N=7\)) quantum gates, and can be described as a sequence of gates, e.g., \(Gate[1]=H_1\), \(Gate[2]=CNOT_{2,1}\), \(Gate[3]=T_1^\dagger \), \(Gate[4]=CNOT_{2,1}\), \(Gate[5]=T_1\), \(Gate[6]=T_2\), \(Gate[7]=H_2\). The circuit contains 2 T-gates and 1 \(T^\dagger \)-gate. From \(C_2\) we have \(M=3\) and \(j_1=3\), \(w_1=1\), \(j_2=5\), \(w_2=1\), \(j_3=6\), \(w_3=2\). The QHE scheme VGT for \(C_2\) should use 3 (\(M=3\)) Bell states denoted by \(|\varPhi _{00}\rangle _{c_i,s_i}\), \(i=1,2,3\). The qubits labeled as \(s_i\) and \(c_i\) are held by Server and Client, respectively. Figure 11 shows the QHE scheme VGT for \(C_2\). Because \(n=2\), the secret key is \(sk=(x_0,z_0)\), where \(x_0=x_0(1)x_0(2)\), \(z_0=z_0(1)z_0(2)\).

Fig. 11 QHE scheme VGT for two-qubit circuit \(C_2\). Server’s quantum operations are shown in the dashed box, and Client’s operations are shown outside the dashed box. Client’s secret key is \((x_0,z_0)\), and the final key \((x_7,z_7)\) is computed from the secret key and the measurement results

In the evaluation procedure, Server should finish the quantum operations shown in the dashed box. In addition, Server must generate 7 (\(2M+1=7\)) key-updating functions \(\{g_i\}_{i=1}^3\) and \(\{f_i\}_{i=1}^4\) based on key-updating rules and evaluated circuit \(C_2\). Key-updating functions \(x_2(1)=g_1(x_0,z_0)\), \(x_4(1)=g_2(x_3,z_3)\), \(x_5(2)=g_3(x_5,z_5)\) are expressed as follows

$$\begin{aligned} g_1:&x_2(1) = x_0(2) \oplus z_0(1), \\ g_2:&x_4(1) = x_3(1) \oplus x_3(2), \\ g_3:&x_5(2) = x_5(2). \end{aligned}$$

Three key-updating functions \((x_3,z_3)=f_1(x_0,z_0,r_x(1),r_z(1))\), \((x_5,z_5)=f_2(x_3,z_3,r_x(2),r_z(2))\), \((x_6,z_6)=f_3(x_5,z_5,r_x(3),r_z(3))\), \((x_7,z_7)=f_4(x_6,z_6)\) are expressed as follows

$$\begin{aligned} f_1:&\left( \begin{array}{cc} x_3(1) &{} z_3(1) \\ x_3(2) &{} z_3(2) \end{array} \right) = \left( \begin{array}{cc} x_0(2)\oplus z_0(1)\oplus r_x (1) &{} x_0(1)\oplus r_z(1) \\ x_0(2) &{} x_0(1)\oplus z_0(2) \end{array} \right) \\ f_2:&\left( \begin{array}{c@{\quad }c} x_5(1) &{} z_5(1) \\ x_5(2) &{} z_5(2) \\ \end{array} \right) = \left( \begin{array}{c@{\quad }c} x_3(1)\oplus x_3(2)\oplus r_x(2) &{} x_3(1)\oplus x_3(2)\oplus z_3(1)\oplus r_z(2) \\ x_3(2) &{} z_3(1)\oplus z_3(2) \\ \end{array} \right) \\ f_3:&\left( \begin{array}{c@{\quad }c} x_6(1) &{} z_6(1) \\ x_6(2) &{} z_6(2) \\ \end{array} \right) = \left( \begin{array}{c@{\quad }c} x_5(1) &{} z_5(1) \\ x_5(2)\oplus r_x (3) &{} x_5(2)\oplus z_5(2)\oplus r_z(3) \\ \end{array} \right) \\ f_4:&\left( \begin{array}{c@{\quad }c} x_7(1) &{} z_7(1) \\ x_7(2) &{} z_7(2) \\ \end{array} \right) = \left( \begin{array}{c@{\quad }c} x_6(1) &{} z_6(1) \\ z_6(2) &{} x_6(2) \\ \end{array} \right) \end{aligned}$$

In the decryption procedure, Client performs three rounds of the computations “\(g_i\)-measurement-\(f_i\)” and obtains the key \((x_6,z_6)\). In the ith round \((i=1,\ldots ,3)\), Client alternately performs the following steps: (1) according to the function \(g_i\), Client computes the measurement basis \(\varPhi (P^{x_{j_i-1}(w_i)})\); (2) Client measures the pair of qubits \((s_i,c_i)\) and obtains two bits \((r_x(i),r_z(i))\); (3) according to the function \(f_i\), Client computes the intermediate key \((x_{j_i},z_{j_i})\). Then, based on the function \(f_4\), Client computes the final key \((x_7,z_7)\) from \((x_6,z_6)\). Finally, Client performs QOTP decryption with the key \((x_7,z_7)\).
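The key-updating Rules 1, 2 and 3 and the closed-form functions given for \(C_1\) (scheme GT) and \(C_2\) (scheme VGT) can be cross-checked mechanically. The Python sketch below is an added example, not code from the article: the names `update_keys`, `check_c1`, `check_c2` and the gate label `"Tdg"` are assumptions, and the bits \(r_x(i), r_z(i)\) are supplied as inputs rather than obtained from Client's measurements.

```python
from itertools import product

T_GATES = ("T", "Tdg")  # "Tdg" stands for T-dagger (label chosen for this example)

def update_keys(circuit, x0, z0, r):
    """Apply Rules 1-3 gate by gate.

    circuit: list of (gate_name, qubits); qubits are 1-based, CNOT is (control, target)
    r: pairs (r_x(i), r_z(i)), one per T/T-dagger gate, in circuit order
    Returns (keys, exponents): keys[j] = (x_j, z_j) for j = 0..N, and
    exponents[i-1] = x_{j_i - 1}(w_i), the bit that selects the ith measurement basis.
    """
    x, z = list(x0), list(z0)
    keys, exponents = [(tuple(x), tuple(z))], []
    for name, qubits in circuit:
        if name == "CNOT":                      # Rules 2, Eqs. (26) and (27)
            c, t = qubits[0] - 1, qubits[1] - 1
            z[c] ^= z[t]
            x[t] ^= x[c]
        else:                                   # Rules 3
            w = qubits[0] - 1
            if name == "H":
                x[w], z[w] = z[w], x[w]
            elif name == "P":
                z[w] ^= x[w]
            elif name in T_GATES:
                rx, rz = r[len(exponents)]
                exponents.append(x[w])          # exponent of P in EG[P^x]
                if name == "T":
                    z[w] ^= x[w]                # uses x_{j-1}(w), before r_x is added
                x[w] ^= rx
                z[w] ^= rz
            elif name not in ("X", "Z"):
                raise ValueError(f"unsupported gate {name!r}")
        keys.append((tuple(x), tuple(z)))       # Rules 1: untouched qubits keep their key
    return keys, exponents

C1 = [("T", (1,)), ("H", (1,)), ("T", (1,)), ("H", (1,))]
C2 = [("H", (1,)), ("CNOT", (2, 1)), ("Tdg", (1,)), ("CNOT", (2, 1)),
      ("T", (1,)), ("T", (2,)), ("H", (2,))]

def check_c1():
    """Compare the rules with g_1, g_2 and f of the GT example for all inputs."""
    for x0, z0, rx1, rz1, rx2, rz2 in product((0, 1), repeat=6):
        keys, exps = update_keys(C1, [x0], [z0], [(rx1, rz1), (rx2, rz2)])
        if exps != [x0, x0 ^ z0 ^ rz1]:
            return False
        if keys[4] != ((z0 ^ rx1 ^ rz1 ^ rz2,), (x0 ^ z0 ^ rz1 ^ rx2,)):
            return False
    return True

def check_c2():
    """Compare the rules with g_1..g_3 and f_1..f_4 of the VGT example for all inputs."""
    for bits in product((0, 1), repeat=10):
        x01, x02, z01, z02, rx1, rz1, rx2, rz2, rx3, rz3 = bits
        keys, exps = update_keys(C2, [x01, x02], [z01, z02],
                                 [(rx1, rz1), (rx2, rz2), (rx3, rz3)])
        x3, z3 = (x02 ^ z01 ^ rx1, x02), (x01 ^ rz1, x01 ^ z02)            # f_1
        x5 = (x3[0] ^ x3[1] ^ rx2, x3[1])                                  # f_2
        z5 = (x3[0] ^ x3[1] ^ z3[0] ^ rz2, z3[0] ^ z3[1])
        x6, z6 = (x5[0], x5[1] ^ rx3), (z5[0], x5[1] ^ z5[1] ^ rz3)        # f_3
        x7, z7 = (x6[0], z6[1]), (z6[0], x6[1])                            # f_4
        expected = {3: (x3, z3), 5: (x5, z5), 6: (x6, z6), 7: (x7, z7)}
        if any(keys[j] != kv for j, kv in expected.items()):
            return False
        if exps != [x02 ^ z01, x3[0] ^ x3[1], x5[1]]:                      # g_1, g_2, g_3
            return False
    return True
```

Both checks run over every assignment of key bits and measurement bits, so a transcription error in any single rule or closed form would be detected.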

Cite this article

Liang, M. Teleportation-based quantum homomorphic encryption scheme with quasi-compactness and perfect security. Quantum Inf Process 19, 28 (2020). https://doi.org/10.1007/s11128-019-2529-6
