Quantum Homomorphic Encryption for PolynomialSized Circuits
 14 Citations
 25 Mentions
 1.9k Downloads
Abstract
We present a new scheme for quantum homomorphic encryption which is compact and allows for efficient evaluation of arbitrary polynomialsized quantum circuits. Building on the framework of Broadbent and Jeffery [BJ15] and recent results in the area of instantaneous nonlocal quantum computation [Spe15], we show how to construct quantum gadgets that allow perfect correction of the errors which occur during the homomorphic evaluation of T gates on encrypted quantum data. Our scheme can be based on any classical (leveled) fully homomorphic encryption (FHE) scheme and requires no computational assumptions besides those already used by the classical scheme. The size of our quantum gadget depends on the space complexity of the classical decryption function – which aligns well with the current efforts to minimize the complexity of the decryption function.
Our scheme (or slight variants of it) offers a number of additional advantages such as ideal compactness, the ability to supply gadgets “on demand”, and circuit privacy for the evaluator against passive adversaries.
Keywords
Homomorphic encryption Quantum cryptography Quantum teleportation Gardenhose model1 Introduction
Fully homomorphic encryption (FHE) is the holy grail of modern cryptography. Rivest et al. were the first to observe the possibility of manipulating encrypted data in a meaningful way, rather than just storing and retrieving it [RAD78]. After some partial progress [GM84, Pai99, BGN05, IP07] over the years, a breakthrough happened in 2009 when Gentry presented a fullyhomomorphic encryption (FHE) scheme [Gen09]. Since then, FHE schemes have been simplified [VDGHV10] and based on more standard assumptions [BV11]. The exciting developments around FHE have sparked a large amount of research in other areas such as functional encryption [GKP+13a, GVW13, GKP+13b, SW14] and obfuscation [GGH+13].
Developing quantum computers is a formidable technical challenge, so it currently seems likely that quantum computing will not be available immediately to everyone and hence quantum computations have to be outsourced. Given the importance of classical^{1} FHE for “computing in the cloud”, it is natural to wonder about the existence of encryption schemes which can encrypt quantum data in such a way that a server can carry out arbitrary quantum computations on the encrypted data (without interacting with the encrypting party^{2}). While previous work on quantum homomorphic encryption has mostly focused on informationtheoretic security (see Sect. 1.2 below for details), schemes that are based on computational assumptions have only recently been thoroughly investigated by Broadbent and Jeffery. In [BJ15], they give formal definitions of quantum fully homomorphic encryption (QFHE) and its security and they propose three schemes for quantum homomorphic encryption assuming the existence of classical FHE.
A natural idea is to encrypt a message qubit with the quantum onetime pad (i.e. by applying a random Pauli operation), and send the classical keys for the quantum onetime pad along as classical information, encrypted by the classical FHE scheme. This basic scheme is called CL in [BJ15]. It is easy to see that CL allows an evaluator to compute arbitrary Clifford operations on encrypted qubits, simply by performing the actual Clifford circuit, followed by homomorphically updating the quantum onetime pad keys according to the commutation rules between the performed Clifford gates and the Pauli encryptions. The CL scheme can be regarded as analogous to additively homomorphic encryption schemes in the classical setting. The challenge, like multiplication in the classical case, is to perform nonClifford gates such as the T gate. Broadbent and Jeffery propose two different approaches for doing so, accomplishing homomorphic encryption for circuits with a limited number of T gates. These results lead to the following main open problem:
Is it possible to construct a quantum homomorphic scheme that allows evaluation of polynomialsized quantum circuits?
1.1 Our Contributions
We answer the above question in the affirmative by presenting a new scheme TP (as abbreviation for teleportation) for quantum homomorphic encryption which is both compact and efficient for circuits with polynomially many T gates. The scheme is secure against chosen plaintext attacks from quantum adversaries, as formalized by the security notion qINDCPA security defined by Broadbent and Jeffery [BJ15].
Like the schemes proposed in [BJ15], our scheme is an extension of the Clifford scheme CL . We add auxiliary quantum states to the evaluation key which we call quantum gadgets and which aid in the evaluation of the T gates. The size of a gadget depends only on (a certain form of) the space complexity of the decryption function of the classical FHE scheme. This relation turns out to be very convenient, as classical FHE schemes are often optimized with respect to the complexity of the decryption operation (in order to make them bootstrappable). As a concrete example, if we instantiate our scheme with the classical FHE scheme by Brakerski and Vaikuntanathan [BV11], each evaluation gadget of our scheme consists of a number of qubits which is polynomial in the security parameter.
In TP, we require exactly one evaluation gadget for every T gate that we would like to evaluate homomorphically. Intuitively, after a T gate is performed on a onetimepad encrypted qubit \(\mathsf {X}^a\mathsf {Z}^b{\left {\psi }\right\rangle }\), the result might contain an unwanted phase \(\mathsf {P}^a\) depending on the key a with which the qubit was encrypted, since \(\mathsf{T}~\mathsf {X}^a \mathsf {Z}^b {\left {\psi }\right\rangle } = \mathsf {P}^a \mathsf {X}^a \mathsf {Z}^{b} \mathsf{T}~{\left {\psi }\right\rangle }\). Obviously, the evaluator is not allowed to know the key a. Instead, he holds an encryption \(\tilde{a}\) of the key, produced by a classical FHE scheme. The evaluator can teleport the encrypted qubit “through the gadget” [GC99] in a way that depends on \(\tilde{a}\), in order to remove the unwanted phase. In more detail, the quantum part of the gadget consists of a number of EPR pairs which are prepared in a way that depends on the secret key of the classical FHE scheme. Some classical information is provided with the gadget that allows the evaluator to homomorphically update the encryption keys after the teleportation steps. On a high level, the use of an evaluation gadget corresponds to a instantaneous nonlocal quantum computation ^{3} where one party holds the secret key of the classical FHE scheme, and the other party holds the input qubit and a classical encryption of the key to the quantum onetime pad. Together, this information determines whether an inverse phase gate \(\mathsf {P}^{\dag }\) needs to be performed on the qubit or not. Very recent results by Speelman [Spe15] show how to perform such computations with a bounded amount of entanglement. These techniques are the crucial ingredients for our construction and are the reason why the gardenhose complexity [BFSS13] of the decryption procedure of the classical FHE is related to the size of our gadgets.
The quantum part of our evaluation gadget is strikingly simple, which provides a number of advantages. To start with, the evaluation of a T gate requires only one gadget, and does not cause errors to accumulate on the quantum state. The scheme is very compact in the sense that the state of the system after the evaluation of a T gate has the same form as after the initial encryption, except for any classical changes caused by the classical FHE evaluation. This kind of compactness also implies that individual evaluation gadgets can be supplied “on demand” by the holder of the secret key. Once an evaluator runs out of gadgets, the secret key holder can simply supply more of them.
Furthermore, \(\mathsf{TP}\) does not depend on a specific classical FHE scheme, hence any advances in classical FHE can directly improve our scheme. Our requirements for the classical FHE scheme are quite modest: we only require the classical scheme to have a spaceefficient decryption procedure and to be secure against quantum adversaries. In particular, no circularsecurity assumption is required. Since we supply at most a polynomial number of evaluation gadgets, our scheme \(\mathsf{TP}\) is leveled homomorphic by construction, and we can simply switch to a new classical key after every evaluation gadget. In fact, the Clifford gates in the quantum evaluation circuit only require additive operations from the classical homomorphic scheme, while each \(\mathsf{T}\) gate needs a fixed (polynomial) number of multiplications. Hence, we do not actually require fully homomorphic classical encryption, but leveled fully homomorphic schemes suffice.
Finally, circuit privacy in the passive setting almost comes for free. When wanting to hide which circuit was evaluated on the data, the evaluating party can add an extra randomization layer to the output state by applying his own onetime pad. We show that if the classical FHE scheme has the circuitprivacy property, then this extra randomization completely hides the circuit from the decrypting party. This is not unique to our specific scheme: the same is true for CL.
In terms of applications, our construction can be appreciated as a constantround scheme for blind delegated quantum computation, using computational assumptions. The server can evaluate a universal quantum circuit on the encrypted input, consisting of the client’s quantum input and a (classical) description of the client’s circuit. In this context, it is desirable to minimize the quantum resources needed by the client. We argue that our scheme can still be used for constantround blind delegated quantum computation if we limit either the client’s quantum memory or the types of quantum operations the client can perform.
As another application, we can instantiate our construction with a classical FHE scheme that allows for distributed key generation and decryption amongst different parties that all hold a share of the secret key [AJLA+12]. In that case, it is likely that our techniques can be adapted to perform multiparty quantum computation [BCG+06] in the semihonest case. However, the focus of this article lies on the description and security proof of the new construction, and more concrete applications are the subject of upcoming work.
1.2 Related Work
Early classical FHE schemes were limited in the sense that they could not facilitate arbitrary operations on the encrypted data: some early schemes only implemented a single operation (addition or multiplication) [RSA78, GM84, Pai99]; later on it became possible to combine several operations in a limited way [BGN05, GHV10, SYY99]. Gentry’s first fully homomorphic encryption scheme [Gen09] relied on several nonstandard computational assumptions. Subsequent work [BGV12, BV11] has relaxed these assumptions or replaced them with more conventional assumptions such as the hardness of learning with errors (LWE), which is believed to be hard also for quantum attackers. It is impossible to completely get rid of computational assumptions for a classical FHE scheme, since the existence of such a scheme would imply the existence of an informationtheoretically secure protocol for private information retrieval (PIR) [KO97] that breaks the lower bound on the amount of communication required for that task [CKGS98, Fil12].
While quantum fully homomorphic encryption (QFHE) is closely related to the task of blind or delegated quantum computation [Chi05, BFK09, ABOE10, VFPR14, FBS+14, Bro15a, Lia15], QFHE does not allow interaction between the client and the server during the computation. Additionally, in QFHE, the server is allowed to choose which unitary it wants to apply to the (encrypted) data.
Yu et al. [YPDF14] showed that perfectly informationtheoretically secure QFHE is not possible unless the size of the encryption grows exponentially in the input size. Thus, any scheme that attempts to achieve informationtheoretically secure QFHE has to leak some proportion of the input to the server [AS06, RFG12] or can only be used to evaluate a subset of all unitary transformations on the input [RFG12, Lia13, TKO+14]. Like the multiplication operation is hard in the classical case, the hurdle in the quantum case seems to be the evaluation of nonClifford gates. A recent result by Ouyang et al. provides informationtheoretic security for circuits with at most a constant number of nonClifford operations [OTF15].
Broadbent and Jeffery [BJ15] proposed two schemes that achieve homomorphic encryption for nontrivial sets of quantum circuits. Instead of trying to achieve informationtheoretic security, they built their schemes based on a classical FHE scheme and hence any computational assumptions on the classical scheme are also required for the quantum schemes. Computational assumptions allow bypassing the impossibility result from [YPDF14] and work toward a (quantum) fully homomorphic encryption scheme.
Both of the schemes presented in [BJ15] are extensions of the scheme CL described in Sect. 1.1. These two schemes use different methods to implement the evaluation of a T gate, which we briefly discuss here. In the EPR scheme, some entanglement is accumulated in a special register during every evaluation of a T gate, and stored there until it can be resolved in the decryption phase. Because of this accumulation, the complexity of the decryption function scales (quadratically) with the number of T gates in the evaluated circuit, thereby violating the compactness requirement of QFHE. The scheme AUX also extends CL, but handles T gates in a different manner. The evaluator is supplied with auxiliary quantum states, stored in the evaluation key, that allow him to evaluate T gates and immediately remove any error that may have occurred. In this way, the decryption procedure remains very efficient and the scheme is compact. Unfortunately, the required auxiliary states grow doubly exponentially in size with respect to the T depth of the circuit, rendering AUX useful only for circuits with constant T depth. Our scheme TP is related to AUX in that extra resources for removing errors are stored in the evaluation key. In sharp contrast to AUX, the size of the evaluation key in TP only grows linearly in the number of T gates in the circuit (and polynomially in the security parameter), allowing the scheme to be leveled fully homomorphic. Since the evaluation of the other gates causes no errors on the quantum state, no gadgets are needed for those; any circuit containing polynomially many T gates can be efficiently evaluated.
1.3 Structure of the Paper
We start by introducing some notation in Sect. 2 and presenting the necessary preliminaries on quantum computation, (classical and quantum) homomorphic encryption, and the gardenhose model which is essential to the mostgeneral construction of the gadgets. In Sect. 3, we describe the scheme TP and show that it is compact. The security proof of TP is somewhat more involved, and is presented in several steps in Sect. 4, along with an informal description of a circuitprivate variant of the scheme. In Sect. 5, the rationale behind the quantum gadgets is explained, and some examples are discussed to clarify the construction. We conclude our work in Sect. 6 and propose directions for future research.
2 Preliminaries
2.1 Quantum Computation
We assume the reader is familiar with the standard notions in the field of quantum computation (for an introduction, see [NC00]). In this subsection, we only mention the concepts that are essential to our construction.
We use \({\left {\psi }\right\rangle }\) or \({\left {\varphi }\right\rangle }\) to denote pure quantum states. Mixed states are denoted with \(\rho \) or \(\sigma \). Let \({\mathbb {I}}_d\) denote the identity matrix of dimension d: this allows us to write the completely mixed state as \({\mathbb {I}}_d / d\).
Define \({\left {\varPhi ^+}\right\rangle }:= \frac{1}{\sqrt{2}}({\left {00}\right\rangle }+{\left {11}\right\rangle })\) to be an EPR pair.
If X is a random variable ranging over the possible basis states B for a quantum system, then let \(\rho (X)\) be the density matrix corresponding to X, i.e. \(\rho (X) := \sum _{b\,\in \,B} \Pr [X = b]{\left {b}\right\rangle } {\left\langle {b}\right }\).
2.2 Homomorphic Encryption
This subsection provides the definitions of (classical and quantum) homomorphic encryption schemes, and the security conditions for such schemes. In the current work, we only consider homomorphic encryption in the publickey setting. For a more thorough treatment of these concepts, and how they can be transferred to the symmetrickey setting, see [BJ15].
The Classical Setting. A classical homomorphic encryption scheme \(\mathsf{HE}\) consists of four algorithms: key generation, encryption, evaluation, and decryption. The key generator produces three keys: a public key and evaluation key, both of which are publicly available to everyone, and a secret key which is only revealed to the decrypting party. Anyone in possession of the public key can encrypt the inputs \(x_1,\ldots ,x_\ell \), and send the resulting ciphertexts \(c_1,\ldots ,c_\ell \) to an evaluator who evaluates some circuit \(\mathsf {C}\) on them. The evaluator sends the result to a party that possesses the secret key, who should be able to decrypt it to \(\mathsf {C}(x_1,\ldots ,x_\ell )\).

\(( pk , evk , sk ) \leftarrow \mathsf{HE}.{\mathsf {KeyGen}}(1^{\kappa })\)] where \(\kappa \in \mathbb {N}\) is the security parameter. Three keys are generated: a public key \( pk \), which can be used for the encryption of messages; a secret key \( sk \) used for decryption; and an evaluation key \( evk \) that may aid in evaluating the circuit on the encrypted state. The keys \( pk \) and \( evk \) are announced publicly, while \( sk \) is kept secret.

\(c \leftarrow \mathsf{HE}.\mathsf{Enc}_{ pk }(x)\) for some onebit message \(x \in \{0,1\}\). This probabilistic procedure outputs a ciphertext c, using the public key \( pk \).

\(c' \leftarrow \mathsf{HE}.{\mathsf {Eval}}^{\mathsf {C}}_{ evk }(c_1,\ldots ,c_\ell )\) uses the evaluation key to output some ciphertext \(c'\) which decrypts to the evaluation of circuit \(\mathsf {C}\) on the decryptions of \(c_1,\ldots ,c_\ell \). We will often think of \({\mathsf {Eval}}\) as an evaluation of a function f instead of some canonical circuit for f, and write \(\mathsf{HE}.{\mathsf {Eval}}^{f}_{ evk }(c_1,\ldots ,c_\ell )\) in this case.

\(x' \leftarrow \mathsf{HE}.\mathsf{Dec}_{ sk }(c)\) outputs a message \(x' \in \{0,1\}\), using the secret key \( sk \).
In principle, \(\mathsf{HE}.\mathsf{Enc}_{ pk }\) can only encrypt single bits. When encrypting an nbit message \(x \in \{0,1\}^n\), we encrypt the message bitbybit, applying the encryption procedure n times. We sometimes abuse the notation \(\mathsf{HE}.\mathsf{Enc}_{ pk }(x)\) to denote this bitwise encryption of the string x.
Another desirable property is compactness, which states that the complexity of the decryption function should not depend on the size of the circuit: a scheme is compact if there exists a polynomial \(p(\kappa )\) such that for any circuit \(\mathsf {C}\) and any ciphertext c, the complexity of applying \(\mathsf{HE}.\mathsf{Dec}\) to the result of \(\mathsf{HE}.{\mathsf {Eval}}^{C}(c)\) is at most \(p(\kappa )\).
A scheme that is both correct for all circuits and compact, is called fully homomorphic. If it is only correct for a subset of all possible circuits (e.g. all circuits with no multiplication gates) or if it is not compact, it is considered to be a somewhat homomorphic scheme. Finally, a leveled fully homomorphic scheme is (compact and) homomorphic for all circuits up to a variable depth L, which is supplied as an argument to the key generation function [Vai11].
We will use the notation \( \widetilde{x} \) to denote the result of running \(\mathsf{HE}.\mathsf{Enc}_{ pk }(x)\): that is, \(\mathsf{Dec}_{ sk }( \widetilde{x} ) = x\) with overwhelming probability. In our construction, we will often deal with multiple classical key sets \(( pk _i, sk _i, evk _i)_{i\,\in \,I}\) indexed by some set I. In that case, we use the notation \( \widetilde{x}^{[i]} \) to denote the result of \(\mathsf{HE}.\mathsf{Enc}_{ pk _i}(x)\), in order to avoid confusion. Here, \( pk _i\) does not refer to the ith bit of the public key: in case we want to refer to the ith bit of some string s, we will use the notation s[i].

\(( pk , \rho _{ evk }, sk ) \leftarrow \mathsf{QHE}.{\mathsf {KeyGen}}(1^{\kappa })\) where \(\kappa \in \mathbb {N}\) is the security parameter. In contrast to the classical case, the evaluation key is a quantum state.

\(\sigma \leftarrow \mathsf{QHE}.\mathsf{Enc}_{ pk }(\rho )\) produces, for every valid public key \( pk \) and input state \(\rho \) from some message space, to a quantum cipherstate \(\sigma \) in some cipherspace.

\(\sigma ' \leftarrow \mathsf{QHE}.{\mathsf {Eval}}_{\rho _{ evk }}^{\mathsf {C}}(\sigma )\) represents the evaluation of a circuit \(\mathsf {C}\). If \(\mathsf {C}\) requires n input qubits, then \(\sigma \) should be a product of n cipherstates. The evaluation function maps it to a product of \(n'\) states in some output space, where \(n'\) is the number of qubits that \(\mathsf {C}\) would output. The evaluation key \(\rho _{ evk }\) is consumed in the process.

\(\rho ' \leftarrow \mathsf{QHE}.\mathsf{Dec}_{ sk }(\sigma ')\) maps a single state \(\sigma '\) from the output space to a quantum state \(\rho '\) in the message space. Note that if the evaluation procedure \(\mathsf{QHE}.{\mathsf {Eval}}\) outputs a product of \(n'\) states, then \(\mathsf{QHE}.\mathsf{Dec}\) needs to be run \(n'\) times.
The decryption procedure differs from the classical definition in that we require the decryption to happen subsystembysubsystem: this is fundamentally different from the more relaxed notion of indivisible schemes [BJ15] where an auxiliary quantum register may be built up for the entire state, and the state can only be decrypted as a whole. In this work, we only consider the divisible definition.
Quantum Security.
The notion of security that we aim for is that of indistinguishability under chosenplaintext attacks, where the attacker may have quantum computational powers (qINDCPA). This security notion was introduced in [BJ15, Definition 3.3] (see [GHS15] for a similar notion of the security of classical schemes against quantum attackers) and ensures semantic security [ABF+16]. We restate it here for completeness.
Definition 1
 1.
\({\mathsf {KeyGen}}(1^\kappa )\) is run to obtain keys \((pk,sk,\rho _{evk})\).
 2.
Adversary \({\mathscr {A}}_1\) is given \((pk,\rho _{evk})\) and outputs a quantum state on \(\mathcal {M} \otimes \mathcal E\).
 3.
For \(r\in \{0,1\}\), let \(\varXi _{\mathsf{QHE}~}^{\mathsf{cpa},r}: D(\mathcal {M}) \rightarrow D(\mathcal {C})\) be: \(\varXi _{\mathsf{QHE}~}^{\mathsf{cpa},0}(\rho )= \mathsf{QHE}.\mathsf{Enc}_{pk}({\left {0}\right\rangle }{\left\langle {0}\right })\) and \(\varXi _{\mathsf{QHE}~}^{\mathsf{cpa},1}(\rho )= \mathsf{QHE}.\mathsf{Enc}_{pk}(\rho )\). A random bit \(r \in \{0,1\}\) is chosen and \(\varXi _{\mathsf{QHE}~}^{\mathsf{cpa},r}\) is applied to the state in \(\mathcal {M}\) (the output being a state in \(\mathcal {C}\)).
 4.
Adversary \({\mathscr {A}}_2\) obtains the system in \(\mathcal {C} \otimes \mathcal {E}\) and outputs a bit \(r'\).
 5.
The output of the experiment is defined to be 1 if \(r'=r\) and 0 otherwise. In case \(r=r'\), we say that \({\mathscr {A}}\) wins the experiment.
The game \(\mathsf {PubK}^{\mathsf {cpa}}_{{\mathscr {A}},\mathsf {QHE}}(\kappa )\) is depicted in Fig. 1. Informally, the challenger randomly chooses whether to encrypt some message, chosen by the adversary, or instead to encrypt the state \({\left {0}\right\rangle }{\left\langle {0}\right }\). The adversary has to guess which of the two happened. If he cannot do so with more than negligible advantage, the encryption procedure is considered to be qINDCPA secure:
Definition 2
Analogously to \(\mathsf {PubK}^{\mathsf {cpa}}_{{\mathscr {A}},\mathsf {S}}(\kappa )\), in the game \(\mathsf {PubK}^{\mathsf {cpamult}}_{{\mathscr {A}},\mathsf {S}}(\kappa )\), the adversary can give multiple messages to the challenger, which are either all encrypted, or all replaced by zeros. Broadbent and Jeffery [BJ15] show that these notions of security are equivalent.
2.3 GardenHose Complexity
The gardenhose model is a model of communication complexity which was introduced by Buhrman et al. [BFSS13] to study a protocol for positionbased quantum cryptography. The model recently saw new use, when Speelman [Spe15] used it to construct new protocols for the task of instantaneous nonlocal quantum computation, thereby breaking a wider class of schemes for positionbased quantum cryptography. (Besides the gardenhose model, this construction used tools from secure delegated computation. These techniques were first used in the setting of instantaneous nonlocal quantum computation by Broadbent [Bro15b].)
We will not explain the gardenhose model thoroughly, but instead give a short overview. The gardenhose model involves two parties, Alice with input x and Bob with input y, that jointly want to compute a function f. To do this computation, they are allowed to use garden hoses to link up pipes that run between them, onetoone, in a way which depends on their local inputs. Alice also has a water tap, which she connects to one of the pipes. Whenever \(f(x,y)=0\), the water has to exit at an open pipe on Alice’s side, and whenever \(f(x,y)=1\) the water should exit on Bob’s side.
The applicability of the gardenhose model to our setting stems from a close correspondence between protocols in the gardenhose model and teleporting a qubit backandforth; the ‘pipes’ correspond to EPR pairs and the ‘garden hoses’ can be translated into Bell measurements. Our construction of the gadgets in Sect. 5.2 will depend on the number of pipes needed to compute the decryption function \(\mathsf{HE}.\mathsf{Dec}\) of a classical fully homomorphic encryption scheme. It will turn out that any logspace computable decryption function allows for efficiently constructable polynomialsize gadgets.
3 The TP Scheme
Our scheme \(\mathsf{TP}\) (for teleportation) is an extension of the scheme \(\mathsf{CL}~\) presented in [BJ15]: the quantum state is encrypted using a quantum onetime pad, and Clifford gates are evaluated simply by performing the gate on the encrypted state and then homomorphically updating the encrypted keys to the pad. The new scheme \(\mathsf{TP}\), like \(\mathsf{AUX}\), includes additional resource states (gadgets) in the evaluation key. These gadgets can be used to immediately correct any \(\mathsf {P}\) errors that might be present after the application of a \(\mathsf{T}\) gate. The size of the evaluation key thus grows linearly with the upper bound to the number of \(\mathsf{T}\) gates in the circuit: for every \(\mathsf{T}\) gate the evaluation key contains one gadget, along with some classical information on how to use that gadget.
3.1 Gadget
In this section we only give the general form of the gadget, which suffices to prove security. The explanation on how to construct these gadgets, which depend on the decryption function of the classical homomorphic scheme \(\mathsf{HE}.\mathsf{Dec}\), is deferred to Sect. 5.
Recall that when a \(\mathsf{T}\) gate is applied to the state \(\mathsf {X}^a\mathsf {Z}^b{\left {\psi }\right\rangle }\), an unwanted \(\mathsf {P}\) error may occur since \( \mathsf{T}\mathsf {X}^a\mathsf {Z}^b = \mathsf {P}^a\mathsf {X}^a\mathsf {Z}^b\mathsf{T}. \) If a is known, this error can easily be corrected by applying \(\mathsf {P}^{\dag }\) whenever \(a = 1\). However, as we will see, the evaluating party only has access to some encrypted version \( \widetilde{a} \) of the key a, and hence is not able to decide whether or not to correct the state.
We show how the key generator can create a gadget ahead of time that corrects the state, conditioned on a, when the qubit \(\mathsf {P}^a\mathsf {X}^a\mathsf {Z}^b\mathsf{T}{\left {\psi }\right\rangle }\) is teleported through it. The gadget will not reveal any information about whether or not a \(\mathsf {P}\) gate was present before the correction. Note that the value of a is completely unknown to the key generator, so the gadget cannot depend on it. Instead, the gadget will depend on the secret key \( sk \), and the evaluator will use it in a way that depends on \( \widetilde{a} \).
The intuition behind our construction is as follows. A gadget consists of a set of fully entangled pairs that are crosswise linked up in a way that depends on the secret key \( sk \) and the decryption function of the classical homomorphic scheme \(\mathsf{HE}\). If the decryption function \(\mathsf{HE}.\mathsf{Dec}\) is simple enough, i.e. computable in logarithmic space or by lowdepth binary circuit, the size of this state is polynomial in the security parameter.
Some of these entangled pairs have an extra inverse phase gate applied to them. Note that teleporting any qubit \(\mathsf {X}^a \mathsf {Z}^b {\left {\psi }\right\rangle }\) through, for example, \((\mathsf {P}^{\dagger } \otimes \mathsf {I}) {\left {\varPhi ^+}\right\rangle }\), effectively applies an inverse phase gate to the qubit, which ends up in the state \(\mathsf {X}^{a'} \mathsf {Z}^{b'} \mathsf {P}^{\dagger } {\left {\psi }\right\rangle }\), where the new Pauli corrections \(a'\),\(b'\) depend on a,b and the outcome of the Bell measurement.
When wanting to remove an unwanted phase gate, the evaluator of the circuit teleports a qubit through this gadget state in a way which is specified by \( \widetilde{a} \). The gadget state is constructed so that the qubit follows a path through this gadget which passes an inverse phase gate if and only if \(\mathsf{HE}.\mathsf{Dec}_{ sk }( \widetilde{a} )\) equals 1. The Pauli corrections can then be updated using the homomorphicallyencrypted classical information and the measurement outcomes.
Specification of Gadget. Assume \(\mathsf{HE}.\mathsf{Dec}\) is computable in space logarithmic in the security parameter \(\kappa \). In Sect. 5 we will show that there exists an efficient algorithm \(\mathsf{TP}.{\mathsf {GenGadget}}_{ pk '}( sk )\) which produces a gadget: a quantum state \(\varGamma _{pk'}( sk )\) of the form as specified in this section.
The gadget will able to remove a single phase gate \(\mathsf {P}^a\), using only knowledge of \( \widetilde{a} \), where \( \widetilde{a} \) decrypts to a under the secret key \( sk \). The public key \( pk '\) is used to encrypt all classical information which is part of the gadget.
Since this gadget depends on the secret key \( sk \), simply encrypting this information using the public key corresponding to \( sk \) would not be secure, unless we assume that \(\mathsf{HE}.\mathsf{Dec}\) is circularly secure. In order to avoid the requirement of circular security, we will always use a fresh, independent key \( pk '\) to encrypt this information. The evaluator will have to do some recrypting before he is able to use this information, but otherwise using independent keys does not complicate the construction much. More details on how the evaluation procedure deals with the different keys is provided in Sect. 3.4.
Usage of Gadget. The gadget is used by performing Bell measurements between pairs of its qubits, together with an input qubit that needs a correction, without having knowledge of the structure of the gadget.
The choice of measurements can be generated by an efficient (classical) algorithm \(\mathsf{TP}.{\mathsf {GenMeasurement}}( \widetilde{a} )\) which produces a list M containing m disjoint pairs of elements in \(\{0,1,2,\dots ,2m\}\). Here the labels 1 to 2m refer to the qubits that make up a gadget and 0 is the label of the qubit with the possible \(\mathsf {P}\) error. The pairs represent which qubits will be connected through Bell measurements; note that all but a single qubit will be measured according to M.
Consider an input qubit, in some arbitrary state \(\mathsf {P}^a {\left {\psi }\right\rangle }\), i.e. the qubit has an extra phase gate if \(a=1\). Let \( \widetilde{a} \) be an encrypted version of a, such that \(a = \mathsf{HE}.\mathsf{Dec}_{ sk }( \widetilde{a} )\). Then the evaluator performs Bell measurements on \(\varGamma _{ pk '}( sk )\) and the input qubit, according to \(M \leftarrow \mathsf{TP}.{\mathsf {GenMeasurement}}( \widetilde{a} )\). By construction, one out the \(2m+1\) qubits is still unmeasured. This qubit will be in the state \(\mathsf {X}^{a'} \mathsf {Z}^{b'} {\left {\psi }\right\rangle }\), for some \(a'\) and \(b'\), both of which are functions of the specification of the gadget, the measurement choices which depend on \( \widetilde{a} \), and the outcomes of the teleportation measurements. Also see Sect. 3.4 (and the full version of this paper) for a more indepth explanation of how the accompanying classical information is updated.
Intuitively, the ‘path’ the qubit takes through the gadget state, goes through one of the fully entangled pairs with an inverse phase gate whenever \(\mathsf{HE}.\mathsf{Dec}_{ sk }( \widetilde{a} ) = 1\), and avoids all such pairs whenever \(\mathsf{HE}.\mathsf{Dec}_{ sk }( \widetilde{a} ) = 0\).
3.2 Key Generation
 1.
For \(i = 0\) to L: execute \(( pk _i, sk _i, evk _i) \leftarrow \mathsf{HE}.{\mathsf {KeyGen}}(1^{\kappa })\) to obtain \(L+1\) independent classical homomorphic key sets.
 2.
Set the public key to be the tuple \(( pk _i)_{i\,=\,0}^{L}\).
 3.
Set the secret key to be the tuple \(( sk _i)_{i\,=\,0}^{L}\).
 4.
For \(i = 0\) to \(L1\): Run the procedure \(\mathsf{TP}.{\mathsf {GenGadget}}_{ pk _{i+1}}( sk _i)\) to create the gadget \(\varGamma _{ pk _{i+1}}( sk _i)\) as described in Sect. 3.1.
 5.Set the evaluation key to be the set of all gadgets created in the previous step (including their encrypted classical information), plus the tuple \(( evk _i)_{i\,=\,0}^L\). The resulting evaluation key is the quantum state$$ \bigotimes _{i = 0}^{L1} \left( \varGamma _{ pk _{i+1}}( sk _i) \otimes {\left { evk _i}\right\rangle }{\left\langle { evk _i}\right } \right) . $$
3.3 Encryption
The encryption procedure \(\mathsf{TP}.\mathsf{Enc}\) is identical to \(\mathsf{CL}.\mathsf{Enc}\), using the first public key \( pk _0\) for the encryption of the onetimepad keys. We restate it here for completeness.
3.4 Circuit Evaluation
Consider a circuit with n wires. The evaluation of the circuit on the encrypted data is carried out one gate at a time.

If U is a Clifford gate, we proceed exactly as in \(\mathsf{CL}.{\mathsf {Eval}}\). The gate U is simply applied to the encrypted qubit, and since U commutes with the Pauli group, the evaluator only needs to update the encrypted keys in a straightforward way. For a detailed description of this computation, also see the full version of this paper, or e.g. [BJ15, Appendix C].
 If \(U = \mathsf{T}\), the evaluator should start out by applying a \(\mathsf{T}\) gate to the appropriate wire w. Afterwards, the qubit at wire w is in the stateIn order to remove the \(\mathsf {P}\) error, the evaluator uses one gadget \(\varGamma _{ pk _{i+1}}( sk _{i})\) from the evaluation key; he possesses the classical information \( \widetilde{a_w}^{[i]} \) encrypted with the correct key to be able to compute measurements \(M \leftarrow \mathsf{TP}.{\mathsf {GenMeasurement}}( \widetilde{a_w}^{[i]} )\) and performs the measurements on the pairs given by M. Afterwards, using his own measurement outcomes, the classical information accompanying the gadget (encrypted using \( pk _{i+1}\)), and the recryptions of \( \widetilde{a_w}^{[i]} \) and \( \widetilde{b_w}^{[i]} \) into \( \widetilde{a_w}^{[i+1]} \) and \( \widetilde{b_w}^{[i+1]} \), the evaluator homomorphically computes the new keys \( \widetilde{a'_w}^{[i+1]} \) and \( \widetilde{b'_w}^{[i+1]} \). See also Fig. 2 and see the full version of this paper for a detailed description of the update algorithm. After these computations, the evaluator also recrypts the keys of all other wires into the \((i+1)\)th key set.$$\begin{aligned} \bigl ( \mathsf {P}^{a_w}\mathsf {X}^{a_w}\mathsf {Z}^{b_w} \mathsf{T}\bigr ) \rho _w \bigl ( \mathsf{T}^\dagger \mathsf {X}^{a_w}\mathsf {Z}^{b_w} (\mathsf {P}^\dagger )^{a_w} \bigr ) . \end{aligned}$$
At the end of the evaluation of some circuit \(\mathsf {C}\) containing k \(\mathsf{T}\) gates, the evaluator holds a onetimepad encryption of the state \(\mathsf {C}{\left {\psi }\right\rangle }\), together with the keys to the pad, classically encrypted in the kth key. The last step is to recrypt (in \(Lk\) steps) this classical information into the Lth (final) key. Afterwards, the quantum state and the key encryptions are sent to the decrypting party.
3.5 Decryption
The decryption procedure is identical to \(\mathsf{CL}.\mathsf{Dec}\). For each qubit, \(\mathsf{HE}.\mathsf{Dec}_{ sk _L}\) is run twice in order to retrieve the keys to the quantum pad. The correct Pauli operator can then be applied to the quantum state in order to obtain the desired state \(\mathsf {C}{\left {\psi }\right\rangle }\).
The decryption procedure is fairly straightforward, and its complexity does not depend on the circuit that was evaluated. This is formalized in a compactness theorem for the \(\mathsf{TP}\) scheme:
Theorem 1
If \(\mathsf{HE}\) is compact, then \(\mathsf{TP}\) is compact.
Proof
Note that because the decryption only involves removing a onetime pad from the quantum ciphertext produced by the circuit evaluation, this decryption can be carried out a single qubit at a time. By compactness of \(\mathsf{HE}\), there exists a polynomial \(p(\kappa )\) such that for any function f, the complexity of applying \(\mathsf{HE}.\mathsf{Dec}\) to the output of \(\mathsf{HE}.{\mathsf {Eval}}^f\) is at most \(p(\kappa )\). Since the keys to the quantum onetime pad of any wire w are two single bits encrypted with the classical \(\mathsf{HE}\) scheme, decrypting the keys for one wire requires at most \(2p(\kappa )\) steps. Obtaining the qubit then takes at most two steps more for (conditionally) applying \(\mathsf {X}^{a_w}\) and \(\mathsf {Z}^{b_w}\). The total number of steps is polynomial in \(\kappa \) and independent of \(\mathsf {C}\), so we conclude that \(\mathsf{TP}\) is compact. \(\square \)
4 Security of TP
In order to guarantee the privacy of the input data, we need to argue that an adversary that does not possess the secret key cannot learn anything about the data with more than negligible probability. To this end, we show that \(\mathsf{TP}\) is qINDCPA secure, i.e. no polynomialtime quantum adversary can tell the difference between an encryption of a real message and an encryption of \({\left {0}\right\rangle }{\left\langle {0}\right }\), even if he gets to choose the message himself (recall the definition of qINDCPA security from Sect. 2.2). Like in the security proofs in [BJ15], we use a reduction argument to relate the probability of being able to distinguish between the two encryptions to the probability of winning an indistinguishability experiment for the classical \(\mathsf{HE}\), which we already know to be small. The aim of this section is to prove the following theorem:
Theorem 2
If \(\mathsf{HE}\) is qINDCPA secure, then \(\mathsf{TP}\) is qINDCPA secure for circuits containing up to polynomially (in \(\kappa \)) many \(\mathsf{T}\) gates.
In order to prove Theorem 2, we first prove that an efficient adversary’s performance in the indistinguishability game is only negligibly different whether or not he receives a real evaluation key with real gadgets, or just a completely mixed quantum state with encryptions of 0’s accompanying them (Corollary 1). Then we argue that without the evaluation key, an adversary does not receive more information than in the indistinguishability game for the scheme \(\mathsf{CL}\), which has already been shown to be qINDCPA secure whenever \(\mathsf{HE}\) is.
Lemma 1
Proof
The difference between schemes \(\mathsf{TP}^{(\ell )}\) and \(\mathsf{TP}^{(\ell 1)}\) lies in whether the gadget state \(\gamma _{x_{\ell 1},z_{\ell 1}}(g_{\ell 1})\) is supplemented with its classical information \( \widetilde{g_{\ell 1}} , \widetilde{x_{\ell 1}} , \widetilde{z_{\ell 1}} \), or just with an encryption of \(0^{g_{\ell 1}+ 2m}\).

\({\mathscr {A}}'_1\) takes care of most of the key generation procedure: he generates the classical key sets 0 through \(\ell 1\) himself, generates the random strings \(x_0,z_0, \dots , x_{\ell 1},z_{\ell 1}\), and constructs the gadgets \(\gamma _{x_0,z_0}(g_0), \dots , \gamma _{x_{\ell 1},z_{\ell 1}}(g_{\ell 1})\) and their classical information \(g_0, \dots , g_{\ell 1}\). He encrypts the classical information using the appropriate public keys. Only \(g_{\ell 1}\), \(x_{\ell 1}\) and \(z_{\ell 1}\) are left unencrypted: instead of encrypting these strings himself using \( pk _{\ell }\), \({\mathscr {A}}'_1\) sends the strings for encryption to the challenger. Whether the challenger really encrypts \(g_{\ell 1}\), \(x_{\ell 1}\) and \(z_{\ell 1}\) or replaces the strings with a string of zeros, determines which of the two schemes is simulated. \({\mathscr {A}}'\) is unaware of the random choice of the challenger. The adversary \({\mathscr {A}}'_1\) also generates the extra padding inputs that correspond to the alreadyremoved gadgets \(\ell \) up to \(L1\). Since these gadgets consist of allzero strings encrypted with independently chosen public keys that are not used anywhere else, together with a completely mixed quantum state (as shown in Eq. 1), the adversary can generate them without needing any extra information.

\({\mathscr {A}}'_2\) feeds the evaluation key and public key, just generated by \({\mathscr {A}}'_1\), to \({\mathscr {A}}_1\) in order to obtain a chosen message \(\mathcal {M}\) (plus the auxiliary state \(\mathcal {E}\)). He then picks a random \(r \in _R \{0,1\}\) and erases \(\mathcal {M}\) if and only if \(r = 0\). He encrypts the result according to the \(\mathsf{TP}.\mathsf{Enc}\) procedure (using the public key \(( pk _i)_{i=0}^{L}\) received from \({\mathscr {A}}'_1\)), and gives the encrypted state, plus \(\mathcal {E}\), to \({\mathscr {A}}_2\), who outputs \(r'\) in an attempt to guess r. \({\mathscr {A}}'_2\) now outputs 1 if and only if the guess by \({\mathscr {A}}\) was correct, i.e. \(r \equiv r'\).

\(s = 1\) and \({\mathscr {A}}\) guesses r correctly: If \(s = 1\), the game that is being simulated is \(\mathsf {PubK}^{\mathsf {cpa}}_{{\mathscr {A}}, \mathsf{TP}^{(\ell )}}(\kappa )\). If \({\mathscr {A}}\) wins the simulated game (\(r \equiv r'\)), then \({\mathscr {A}}'\) will correctly output \(s' = 1\). (If \({\mathscr {A}}\) loses, then \({\mathscr {A}}'\) outputs 0, and loses as well).

\(s = 0\) and \({\mathscr {A}}\) does not guess r correctly: If \(s = 0\), the game that is being simulated is \(\mathsf {PubK}^{\mathsf {cpa}}_{{\mathscr {A}}, \mathsf{TP}^{(\ell 1)}}(\kappa )\). If \({\mathscr {A}}\) loses the game (\(r \not \equiv r'\)), then \({\mathscr {A}}'\) will correctly output \(s' = 0\). (If \({\mathscr {A}}\) wins, then \({\mathscr {A}}'\) outputs 1 and loses).
By applying Lemma 1 iteratively, L times in total, we can conclude that the difference between \(\mathsf{TP}^{(L)}\) and \(\mathsf{TP}^{(0)}\) is negligible, because the sum of polynomially many negligible functions is still negligible:
Corollary 1
Using Corollary 1, we can finally prove the qINDCPA security of our scheme \(\mathsf{TP}= \mathsf{TP}^{(L)}\).
Proof of Theorem 2 . The scheme \(\mathsf{TP}^{(0)}\) is very similar to \(\mathsf{CL}~\) in terms of its key generation and encryption steps. The evaluation key consists of several classical evaluation keys, plus some completely mixed states and encryptions of 0 which we can safely ignore because they do not contain any information about the encrypted message. In both schemes, the encryption of a qubit is a quantum onetime pad together with the encrypted keys. The only difference is that in \(\mathsf{TP}^{(0)}\), the public key and evaluation key form a tuple containing, in addition to \( pk _0\) and \( evk _0\) which are used for the encryption of the quantum onetime pad, a list of public/evaluation keys that are independent of the encryption. These keys do not provide any advantage (in fact, the adversary could have generated them himself by repeatedly running \(\mathsf{HE}.{\mathsf {KeyGen}}(1^{\kappa }, 1^L)\)). Therefore, we can safely ignore these keys as well.
\(\square \)
4.1 Circuit Privacy
The scheme TP as presented above ensures the privacy of the input data. It does not guarantee, however, that whoever generates the keys, encrypts, and decrypts cannot gain information about the circuit \(\mathsf {C}\) that was applied to some input \(\rho \) by the evaluator. Obviously, the output value \(\mathsf {C}\rho \mathsf {C}^{\dag }\) often reveals something about the circuit \(\mathsf {C}\), but apart from this necessary leakage of information, one may require a (quantum) homomorphic encryption scheme to ensure circuit privacy in the sense that an adversary cannot statistically gain any information about \(\mathsf {C}\) from the output of the evaluation procedure that it could not already gain from \(\mathsf {C}\rho \mathsf {C}^\dag \) itself.
We claim that circuit privacy for TP in the semihonest setting (i.e. against passive adversaries^{5}) can be obtained by modifying the scheme only slightly, given that the classical encryption scheme has the circuit privacy property.
Theorem 3
If \(\mathsf{HE}\) has circuit privacy in the semihonest setting, then \(\mathsf{TP}\) can be adapted to a quantum homomorphic encryption scheme with circuit privacy.
Proof Sketch. If the evaluator randomizes the encryption of the output data by applying a quantum onetime pad to the (already encrypted) result of the evaluation, the keys themselves are uniformly random and therefore do not reveal any information about what circuit was evaluated. The evaluator can then proceed to update the classical encryptions of those keys accordingly, and by the circuit privacy of the classical scheme, the resulting encrypted keys will also contain no information about the computations performed. Because of space constraints, the full detailed proof is given in the full version of this paper. \(\square \)
5 Constructing the Gadgets
In this section we will first show how to construct gadgets that have polynomial size whenever the scheme \(\mathsf{HE}\) has a decryption circuit with logarithmic depth (i.e., the decryption function is in \(\mathsf{NC}^1\)). This construction will already be powerful enough to instantiate \(\mathsf{TP}\) with current classical schemes for homomorphic encryption, since these commonly have lowdepth decryption circuits. Afterwards, in Sect. 5.2, we will present a larger toolkit to construct gadgets, which is efficient for a larger class of possible decryption functions. To illustrate these techniques, we apply these tools to create gadgets for schemes that are based on Learning With Errors (LWE). Finally, we will reflect on the possibility of constructing these gadgets in scenarios where quantum power is limited.
5.1 For LogDepth Decryption Circuits
The main tool for creating gadgets that encode logdepth decryption circuits comes from Barrington’s theorem: a classic result in complexity theory, which states that all boolean circuits of logarithmic depth can be encoded as polynomialsized width5 permutation branching programs. Every instruction of such a branching program will be encoded as connections between five Bell pairs.
Definition 3
A widthk permutation branching program of length L on an input \(x \in \{0,1\}^n\) is a list of L instructions of the form \(\langle i_\ell , \sigma ^1_\ell ,\sigma ^0_\ell \rangle \), for \(1 \le \ell \le L\), such that \(i_\ell \in [n]\), and \(\sigma ^1_\ell \) and \(\sigma ^0_\ell \) are elements of \(S_{k}\), i.e., permutations of [k]. The program is executed by composing the permutations given by the instructions 1 through L, selecting \(\sigma ^1_\ell \) if \(x_{i_\ell } = 1\) and selecting \(\sigma ^0_\ell \) if \(x_{i_\ell } = 0\). The program rejects if this product equals the identity permutation and accepts if it equals a fixed kcycle.
Since these programs have a very simple form, it came as a surprise when they were proven to be quite powerful [Bar89].
Theorem 4
(Barrington [Bar89]). Every fanin 2 boolean circuit C of depth d can be simulated by a width5 permutation branching program of length at most \(4^d\).
Our gadget construction will consist of first transforming the decryption function \(\mathsf{HE}.\mathsf{Dec}\) into a permutation branching program, and then encoding this permutation branching program as a specification of a gadget, as produced by \(\mathsf{TP}.{\mathsf {GenGadget}}_{ pk '}( sk )\), and usage instructions \(\mathsf{TP}.{\mathsf {GenMeasurement}}( \widetilde{a} )\).
Theorem 5
Let \(\mathsf{HE}.\mathsf{Dec}_{ sk }( \widetilde{a} )\) be the decryption function of the classical homomorphic encryption scheme \(\mathsf{HE}\). If \(\mathsf{HE}.\mathsf{Dec}\) is computable by a boolean fanin 2 circuit of depth \(O(\log (\kappa ))\), where \(\kappa \) is the security parameter, then there exist gadgets for \(\mathsf{TP}\) of size polynomial in \(\kappa \).
Proof
Our description will consist of three steps. First, we write \(\mathsf{HE}.\mathsf{Dec}\) as a width5 permutation branching program, of which the instructions alternately depend on the secret key \( sk \) and on the ciphertext \( \widetilde{a} \). Secondly, we specify how to transform these instructions into a gadget which almost works correctly, but for which the qubit ends up at an unknown location. Finally, we complete the construction by executing the inverse program, so that the qubit ends up at a known location.
The output of \(\mathsf{TP}.{\mathsf {GenGadget}}_{ pk '}( sk )\), i.e., the list of pairs that defines the structure of the gadget, will be created from the evennumbered instructions, evaluated using the secret key \( sk \). For every evennumbered \(\ell \le L\), we connect ten qubits in the following way. Suppose the \(\ell ^{\text {th}}\) instruction evaluates to some permutation \(\sigma _\ell := \sigma ^{ sk _{i_\ell }}_\ell \). Label the 10 qubits of this part of the gadget by \(1_{\ell ,\mathrm {in}}, 2_{\ell ,\mathrm {in}}, \dots , 5_{\ell ,\mathrm {in}}\) and \(1_{\ell ,\mathrm {out}}, 2_{\ell ,\mathrm {out}}, \dots , 5_{\ell ,\mathrm {out}}\). These will correspond to 5 EPR pairs, connected according to the permutation: \((1_{\ell ,\mathrm {in}}, \sigma _{\ell }(1)_{\ell ,\mathrm {out}})\), \((2_{\ell ,\mathrm {in}}, \sigma _{\ell }(2)_{\ell ,\mathrm {out}})\), etc., up to \((5_{\ell ,\mathrm {in}}, \sigma _{\ell }(5)_{\ell ,\mathrm {out}})\).
After the final instruction of the branching program, \(\sigma _L\), also perform an inverse phase gate \(\mathsf {P}^{\dag }\) on the qubits labeled as \(2_{L,\mathrm {out}}\), \(3_{L,\mathrm {out}}\), \(4_{L,\mathrm {out}}\), \(5_{L,\mathrm {out}}\). Execution of the gadget will teleport the qubit through one of these whenever \( \widetilde{a} = 1\).
For this construction, \(\mathsf{TP}.{\mathsf {GenMeasurement}}( \widetilde{a} )\) will be given by the odd instructions, which depend on the bits of \( \widetilde{a} \). Again, for all odd \(\ell \le L\), let \(\sigma _\ell := \sigma _\ell ^{ \widetilde{a} _{i_\ell }}\) be the permutation given by the evaluation of instruction \(\ell \) on \( \widetilde{a} \). For all \(\ell \) strictly greater than one, the measurement instructions will be: perform a Bell measurement according to the permutation \(\sigma _\ell \) between the ‘out’ qubits of the previous set, and the ‘in’ qubits of the next. The measurement pairs will then be \((1_{\ell 1,\mathrm {out}}, \sigma (1)_{\ell ,\mathrm {in}})\), \((2_{\ell 1,\mathrm {out}}, \sigma (2)_{\ell ,\mathrm {in}})\), up to \((5_{\ell 1,\mathrm {out}}, \sigma (5)_{\ell ,\mathrm {in}})\).
For \(\ell =1\), there is no previous layer to connect to, only the input qubit. For that, we add the measurement instruction \((0, \sigma (1)_{1,\mathrm {in}})\), where 0 is the label of the input qubit.
By Barrington’s theorem, if \(\mathsf{HE}.\mathsf{Dec}_ sk ( \widetilde{a} ) = 0\) then the product, say \(\tau \), of the permutations coming from the evaluated instructions equals the identity. In that case, consecutively applying these permutations on ‘1’, results in the unchanged starting value, ‘1’. If instead the decryption would output 1, the consecutive application results in another value in \(\{2,3,4,5\}\), because in that case, \(\tau \) is a kcycle. After teleporting a qubit through these EPR pairs, with teleportation measurements chosen accordingly, the input qubit will be present at \(\tau (1)_{L,\mathrm {out}}\), with an inverse phase gate if \(\tau (1)\) is unequal to 1.
The gadget constructed so far would correctly apply the phase gate, conditioned on \(\mathsf{HE}.\mathsf{Dec}_{ sk }( \widetilde{a} )\), with one problem: afterward, the qubit is at a location unknown to the user of the gadget, because the user cannot compute \(\tau \).
We fix this problem in the following way: execute the inverse branching program afterwards. The entire construction is continued in the same way, but the instructions of the inverse program are used. The inverse program can be made from the original program by reversing the order of instructions, and then for each permutation using its inverse permutation instead. The first inverse instruction is \(\langle i_{L}, (\sigma ^1_L)^{1}, (\sigma ^0_L)^{1} \rangle \), then \(\langle i_{L1}, (\sigma ^1_{L1})^{1}, (\sigma ^0_{L1})^{1} \rangle \), with final instruction \(\langle i_1, (\sigma ^1_1)^{1}, (\sigma ^0_1)^{1} \rangle \). One small detail is that \(i_{L}\) is used twice in a row, breaking the alternation; the user of the gadget can simply perform the measurements that correspond to the identity permutation e in between, since \((\sigma ^0_L)(\sigma ^0_L)^{1} = (\sigma ^1_L)(\sigma ^1_L)^{1} = e\).
After having repeated the construction with the inverse permutation branching program, the qubit is guaranteed to be at the location where it originally started: \(\sigma _1(1)\) of the final layer of five qubits – that will then be the corrected qubit which is the output of the gadget.
The total number of qubits which form the gadget, created from a width5 permutation branching program of length L, of which the instructions alternate between depending on \( \widetilde{a} \) and depending on \( sk \), is \(2\cdot (5L) = 10L\). \(\square \)
 1.
\(\langle 1, e, (12345)\rangle \)
 2.
\(\langle 2, e, (12453)\rangle \)
 3.
\(\langle 1, e, (54321)\rangle \)
 4.
\(\langle 2, (14235), (15243)\rangle \)
As a simplified example, suppose the decryption function \(\mathsf{HE}.\mathsf{Dec}_{ sk }( \widetilde{a} )\) is \( sk _1 \,\mathsf {OR}\,\, \widetilde{a} _1\). Then, for one possible example set of values of \( \widetilde{a} \) and \( sk \), half of the gadget and measurements will be as given in Fig. 4. To complete this gadget, the same construction is appended, reflected horizontally.
5.2 For LogSpace Computable Decryption Functions
Even though the construction based on Barrington’s theorem has enough power for current classical homomorphic schemes, it is possible to improve on this construction in two directions. Firstly, we extend our result to be able to handle a larger class of decryption functions: those that can be computed in logarithmic space, instead of only \(\mathsf{NC}^1\). Secondly, for some specific decryption functions, executing the construction of Sect. 5.1 might produce significantly larger gadgets than necessary. For instance, even for very simple circuits of depth \(\log \kappa \), Barrington’s theorem produces programs of length \(\kappa ^2\) — a direct approach can often easily improve on the exponent of the polynomial. See also the gardenhose protocols for equality [Mar14, CSWX14] and the majority function [KP14] for examples of nontrivial protocols that are much more efficient than applying Barrington’s theorem as a black box.
Theorem 6
Let \(\mathsf{HE}.\mathsf{Dec}_{ sk }( \widetilde{a} )\) be the decryption function of the classical homomorphic encryption scheme \(\mathsf{HE}\). If \(\mathsf{HE}.\mathsf{Dec}\) is computable by a Turing machine that uses space \(O(\log \kappa )\), where \(\kappa \) is the security parameter, then there exist gadgets for \(\mathsf{TP}\) of size polynomial in \(\kappa \).
A detailed explanation of how to construct a gadget for a logspace computation is given in the full version of this paper. All morecomplicated constructions use a different language than the direct encoding of the previous section: there is a natural way of writing the requirements on the gadgets as a twoplayer task, and then writing strategies for this task in the gardenhose model. Writing these gadgets in terms of the gardenhose model, even though it adds a layer of complexity to the construction, gives more insight into the structure of the gadgets, and forms its original inspiration. We therefore sketch the link between logspace computation and gadget construction within this framework.
Besides clarifying the logspace construction, viewing the gadget construction as an instantiation of the gardenhose mode also makes it easier to construct gadgets for specific cases. Earlier work developed protocols in the gardenhose model for several functions, see for instance [Spe11, BFSS13, KP14], and connections to other models of computation. These results on the gardenhose model might serve as building blocks to create more efficient gadgets for specific decoding functions of classical homomorphic schemes, that are potentially much smaller than those created as a result of following the general constructions of Theorem 5 or 6.
The scheme by Brakerski and Vaikuntanathan [BV11] is wellsuited for our construction, and its decryption function is representative for a much wider class of schemes which are based on the hardness of Learning With Errors (LWE). As an example, we construct gadgets that enable quantum homomorphic encryption based on the BV11 scheme in the full version of our paper.
5.3 Constructing Gadgets Using Limited Quantum Resources
In a setting where a less powerful client wants to delegate some quantum computation to a more powerful server, it is important to minimize the amount of effort required from the client. In delegated quantum computation, the complexity of a protocol can be measured by, among other things, the total amount of communication between client and server, the number of rounds of communication, and the quantum resources available to the client, such as possible quantum operations and memory size.
We claim that \(\mathsf{TP}\) gives rise to a threeround delegated quantum computation protocol in a setting where the client can perform only Pauli and swap operations. \(\mathsf{TP}.\mathsf{Enc}\) and \(\mathsf{TP}.\mathsf{Dec}\) only require local application of Pauli operators to a quantum state, but \(\mathsf{TP}.{\mathsf {KeyGen}}\) is more involved because of the gadget construction. However, when supplied with a set of EPR pairs from the server (or any other untrusted source), the client can generate the quantum evaluation key for TP using only Pauli and swap operations. Even if the server produces some other state than the claimed list of EPR pairs, the client can prevent the leakage of information about her input by encrypting the input with random Pauli operations. More details are supplied in the appendix of the full version of this paper.
Alternatively, \(\mathsf{TP}\) can be regarded as a tworound delegated quantum computation protocol in a setting where the client can perform arbitrary Clifford operations, but is limited to a constantsized quantum memory, given that \(\mathsf{HE}.\mathsf{Dec}\) is in \(\mathsf{NC}^1\). In that case, the gadgets can be constructed ten qubits at a time, by constructing the sets of five EPR pairs as specified in Sect. 5.1. By decomposing the 5cycles into products of 2cycles, the quantum memory can even be reduced to only four qubits. The client sends these small parts of the gadgets to the server as they are completed. Because communication remains oneway until all gadgets have been sent, this can be regarded as a single round of communication.
6 Conclusion
We have presented the first quantum homomorphic encryption scheme TP that is compact and allows evaluation of circuits with polynomially many T gates in the security parameter, i.e. arbitrary polynomialsized circuits. Assuming that the number of wires involved in the evaluation circuit is also polynomially related to the security parameter, we may consider TP to be leveled fully homomorphic. The scheme is based on an arbitrary classical FHE scheme, and any computational assumptions needed for the classical scheme are also required for security of TP. However, since TP uses the classical FHE scheme as a black box, any FHE scheme can be plugged in to change the set of computational assumptions.
Our constructions are based on a new and interesting connection between the area of instantaneous nonlocal quantum computation and quantum homomorphic encryption. Recent techniques developed by Speelman [Spe15], based on the gardenhose model [BFSS13], have turned out to be crucial for our construction of quantum gadgets which allow homomorphic evaluation of T gates on encrypted quantum data.
6.1 Future Work
Since Yu et al. [YPDF14] showed that informationtheoretically secure QFHE is impossible (at least in the exact case), it is natural to wonder whether it is possible to construct a nonleveled QFHE scheme based on computational assumptions. If such a scheme is not possible, can one find lower bounds on the size of the evaluation key of a compact scheme? Other than the development of more efficient QFHE schemes, one can consider the construction of QFHE schemes with extra properties, such as circuit privacy against active adversaries. It is also interesting to look at other cryptographic tasks that might be executed using QFHE. In the classical world for example, multiparty computation protocols can be constructed from fully homomorphic encryption [CDN01]. We consider it likely that our new techniques will also be useful in other contexts such as quantum indistinguishability obfuscation [AF16].
Footnotes
 1.
Here and throughout the article, we use “classical” to mean “nonquantum”.
 2.
In contrast to blind or delegated quantum computation where some interaction between client and server is usually required, see Sect. 1.2 for references.
 3.
This term is not related to the term ‘instantaneous quantum computation’ [SB08], and instead first was used as a specific form of nonlocal quantum computation, one where all parties have to act simultaneously.
 4.
A negligible function \(\eta \) is a function such that for every positive integer d, \(\eta (n) < 1/n^d\) for big enough n.
 5.
 6.
This can be seen by inserting dummy instructions that always perform the identity permutation between any two consecutive instructions that depend on the same variable. Alternatively, it would be possible to improve the construction by ‘multiplying out’ consecutive instructions whenever they depend on the same variable.
Notes
Acknowledgements
We acknowledge useful discussions with Anne Broadbent, Harry Buhrman, and Leo Ducas. We thank Stacey Jeffery for providing the inspiration for a crucial step in the security proof, and Gorjan Alagic and Anne Broadbent for helpful comments on a draft of this article. This work was supported by the 7th framework EU SIQS and QALGO, and a NWO VIDI grant.
References
 [ABF+16]Alagic, G., Broadbent, A., Fefferman, B., Gagliardoni, T., Schaffner, C., St. Jules, M.: Computational security of quantum encryption (2016). arXiv preprint arXiv:1602.01441
 [ABOE10]Aharonov, D., BenOr, M., Eban, E.: Interactive proofs for quantum computations. In: Proceeding of Innovations in Computer Science (ICS 2010), pp. 453–469 (2010)Google Scholar
 [AF16]Alagic, G., Fefferman, B.: On quantum obfuscation (2016). arXiv preprint arXiv:1602.01771
 [AJLA+12]Asharov, G., Jain, A., LópezAlt, A., Tromer, E., Vaikuntanathan, V., Wichs, D.: Multiparty computation with low communication, computation and interaction via threshold FHE. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 483–501. Springer, Heidelberg (2012)CrossRefGoogle Scholar
 [AS06]Arrighi, P., Salvail, L.: Blind quantum computation. Int. J. Quantum Inf. 4(05), 883–898 (2006)CrossRefzbMATHGoogle Scholar
 [Bar89]Barrington, D.A.: Boundedwidth polynomialsize branching programs recognize exactly those languages in NC1. J. Comput. Syst. Sci. 164, 150–164 (1989)MathSciNetCrossRefzbMATHGoogle Scholar
 [BB14]Baumeler, Ä., Broadbent, A.: Quantum private information retrieval has linear communication complexity. J. Cryptol. 28(1), 161–175 (2014)MathSciNetCrossRefzbMATHGoogle Scholar
 [BCG+06]BenOr, M., Crépeau, C., Gottesman, D., Hassidim, A., Smith, A.: Secure multiparty quantum computation with (only) a strict honest majority. In: 47th Annual IEEE Symposium on Foundations of Computer Science (FOCS 2006), pp. 249–260 (2006)Google Scholar
 [BFK09]Broadbent, A., Fitzsimons, J., Kashefi, E.: Universal blind quantum computation. In: 50th Annual IEEE Symposium on Foundations of Computer Science, FOCS 2009, pp. 517–526. IEEE (2009)Google Scholar
 [BFSS13]Buhrman, H., Fehr, S., Schaffner, C., Speelman, F.: The gardenhose model. In: Proceedings of the 4th Innovations in Theoretical Computer Science Conference, pp. 145–158. ACM (2013)Google Scholar
 [BGN05]Boneh, D., Goh, E.J., Nissim, K.: Evaluating 2DNF formulas on ciphertexts. In: Kilian, J. (ed.) TCC 2005. LNCS, vol. 3378, pp. 325–341. Springer, Heidelberg (2005)CrossRefGoogle Scholar
 [BGV12]Brakerski, Z., Gentry, C., Vaikuntanathan, V.: (Leveled) fully homomorphic encryption without bootstrapping. In: Proceedings of the 3rd Innovations in Theoretical Computer Science Conference, pp. 309–325. ACM (2012)Google Scholar
 [BJ15]Broadbent, A., Jeffery, S.: Quantum homomorphic encryption for circuits of low Tgate complexity. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9216, pp. 609–629. Springer, Heidelberg (2015)CrossRefGoogle Scholar
 [Bro15a]Broadbent, A.: Delegating private quantum computations. Can. J. Phys. 93(9), 941–946 (2015)CrossRefGoogle Scholar
 [Bro15b]Broadbent, A.: PopescuRohrlich correlations imply efficient instantaneous nonlocal quantum computation (2015). arXiv preprint arXiv:1512.04930
 [BV11]Brakerski, Z., Vaikuntanathan, V.: Efficient fully homomorphic encryption from (standard) LWE. In: 2011 IEEE 52nd Annual Symposium on Foundations of Computer Science (FOCS), pp. 97–106, October 2011Google Scholar
 [CDN01]Cramer, R., Damgård, I.B., Nielsen, J.B.: Multiparty computation from threshold homomorphic encryption. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 280–300. Springer, Heidelberg (2001)CrossRefGoogle Scholar
 [Chi05]Childs, A.M.: Secure assisted quantum computation. Quantum Inf. Comput. 5(6), 456–466 (2005)MathSciNetzbMATHGoogle Scholar
 [CKGS98]Chor, B., Kushilevitz, E., Goldreich, O., Sudan, M.: Private information retrieval. J. ACM (JACM) 45(6), 965–981 (1998)MathSciNetCrossRefzbMATHGoogle Scholar
 [CSWX14]Chiu, W.Y., Szegedy, M., Wang, C., Xu, Y.: The garden hose complexity for the equality function. In: Gu, Q., Hell, P., Yang, B. (eds.) AAIM 2014. LNCS, vol. 8546, pp. 112–123. Springer, Heidelberg (2014)Google Scholar
 [DNS10]Dupuis, F., Nielsen, J.B., Salvail, L.: Secure twoparty quantum evaluation of unitaries against specious adversaries. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 685–706. Springer, Heidelberg (2010)CrossRefGoogle Scholar
 [FBS+14]Fisher, K.A.G., Broadbent, A., Shalm, L.K., Yan, Z., Lavoie, J., Prevedel, R., Jennewein, T., Resch, K.J.: Quantum computing on encrypted data. Nat. Commun. 5 (2014). Article number: 3074Google Scholar
 [Fil12]Fillinger, M.: Lattice based cryptography and fully homomorphic encryption. Master of Logic Project (2012). http://homepages.cwi.nl/ schaffne/courses/reports/MaxFillinger_FHE_2012.pdf
 [GC99]Gottesman, D., Chuang, I.L.: Quantum teleportation is a universal computational primitive. Nature 402, 390–393 (1999)CrossRefGoogle Scholar
 [Gen09]Gentry, C.: Fully homomorphic encryption using ideal lattices. In: STOC, vol. 9, pp. 169–178 (2009)Google Scholar
 [GGH+13]Garg, S., Gentry, C., Halevi, S., Raykova, M., Sahai, A., Waters, B.: Candidate indistinguishability obfuscation and functional encryption for all circuits. In: 2013 IEEE 54th Annual Symposium on Foundations of Computer Science (FOCS), pp. 40–49. IEEE (2013)Google Scholar
 [GHS15]Gagliardoni, T., Hülsing, A., Schaffner, C.: Semantic security, indistinguishability in the quantum world (2015). arXiv preprint arXiv:1504.05255
 [GHV10]Gentry, C., Halevi, S., Vaikuntanathan, V.: A simple BGNtype cryptosystem from LWE. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 506–522. Springer, Heidelberg (2010)CrossRefGoogle Scholar
 [GKP+13a]Goldwasser, S., Kalai, Y.T., Popa, R.A., Vaikuntanathan, V., Zeldovich, N.: How to run turing machines on encrypted data. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part II. LNCS, vol. 8043, pp. 536–553. Springer, Heidelberg (2013)CrossRefGoogle Scholar
 [GKP+13b]Goldwasser, S., Kalai, Y., Popa, R.A., Vaikuntanathan, V., Zeldovich, N.: Reusable garbled circuits and succinct functional encryption. In: Proceedings of the 45th Annual ACM Symposium on Theory of Computing, STOC 2013, pp. 555–564 (2013)Google Scholar
 [GM84]Goldwasser, S., Micali, S.: Probabilistic encryption. J. Comput. Syst. Sci. 28(2), 270–299 (1984)MathSciNetCrossRefzbMATHGoogle Scholar
 [Got98]Gottesman, D.: Theory of faulttolerant quantum computation. Phys. Rev. A 57, 127–137 (1998)CrossRefGoogle Scholar
 [GVW13]Gorbunov, S., Vaikuntanathan, V., Wee, H.: Attributebased encryption for circuits. In: Proceedings of the 45th Annual ACM Symposium on Theory of Computing, STOC 2013, pp. 545–554 (2013)Google Scholar
 [IP07]Ishai, Y., Paskin, A.: Evaluating branching programs on encrypted data. In: Vadhan, S.P. (ed.) TCC 2007. LNCS, vol. 4392, pp. 575–594. Springer, Heidelberg (2007)CrossRefGoogle Scholar
 [KO97]Kushilevitz, E., Ostrovsky, R.: Replication is not needed: single database, computationallyprivate information retrieval. In: FOCS, p. 364. IEEE (1997)Google Scholar
 [KP14]Klauck, H., Podder, S.: New bounds for the gardenhose model. In: 34th International Conference on Foundation of Software Technology and Theoretical Computer Science, pp. 481–492 (2014)Google Scholar
 [Lia13]Liang, M.: Symmetric quantum fully homomorphic encryption with perfect security. Quantum Inf. Process. 12(12), 3675–3687 (2013)MathSciNetCrossRefzbMATHGoogle Scholar
 [Lia15]Liang, M.: Quantum fully homomorphic encryption scheme based on universal quantum circuit. Quantum Inf. Process. 14(8), 2749–2759 (2015)MathSciNetCrossRefzbMATHGoogle Scholar
 [Mar14]Margalit, O.: On the riddle of coding equality function in the garden hose model. In: Information Theory and Applications Workshop (ITA), pp. 1–5. IEEE (2014)Google Scholar
 [NC00]Nielsen, M., Chuang, I.: Quantum Computation and Quantum Information. Cambridge University Press, Cambridge (2000)zbMATHGoogle Scholar
 [OTF15]Ouyang, Y., Tan, S.H., Fitzsimons, J.: Quantum homomorphic encryption from quantum codes (2015). arXiv preprint arXiv:1508.00938
 [Pai99]Paillier, P.: Publickey cryptosystems based on composite degree residuosity classes. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 223–238. Springer, Heidelberg (1999)CrossRefGoogle Scholar
 [RAD78]Rivest, R.L., Adleman, L., Dertouzos, M.L.: On data banks, privacy homomorphisms. Found. Secur. Comput. 4(11), 169–180 (1978)MathSciNetGoogle Scholar
 [RFG12]Rohde, P.P., Fitzsimons, J.F., Gilchrist, A.: Quantum walks with encrypted data. Phys. Rev. Lett. 109(15), 150501 (2012)CrossRefGoogle Scholar
 [RSA78]Rivest, R.L., Shamir, A., Adleman, L.: A method for obtaining digital signatures and publickey cryptosystems. Commun. ACM 21(2), 120–126 (1978)MathSciNetCrossRefzbMATHGoogle Scholar
 [SB08]Shepherd, D., Bremner, M.J.: Instantaneous quantum computation (2008). arXiv preprint arXiv:0809:0847
 [Spe11]Speelman, F.: Positionbased quantum cryptography, the gardenhose game. Master’s thesis, University of Amsterdam. arXiv:1210.4353
 [Spe15]Speelman, F.: Instantaneous nonlocal computation of low Tdepth quantum circuits (2015). arXiv preprint arXiv:1505.02695
 [SW14]Sahai, A., Waters, B.: How to use indistinguishability obfuscation: deniable encryption, and more. In: Proceedings of the 46th Annual ACM Symposium on Theory of Computing, STOC 2014, pp. 475–484 (2014)Google Scholar
 [SYY99]Sander, T., Young, A., Yung, M.: Noninteractive cryptocomputing for NC1. In: 40th Annual Symposium on Foundations of Computer Science, pp. 554–566. IEEE (1999)Google Scholar
 [TKO+14]Tan, S.H., Kettlewell, J.A., Ouyang, Y., Chen, L., Fitzsimons, J.F.: A quantum approach to fully homomorphic encryption (2014). arXiv preprint arXiv:1411.5254
 [Vai11]Vaikuntanathan, V.: Computing blindfolded: new developments in fully homomorphic encryption. In: 2011 IEEE 52nd Annual Symposium on Foundations of Computer Science (FOCS), pp. 5–16. IEEE (2011)Google Scholar
 [VDGHV10]van Dijk, M., Gentry, C., Halevi, S., Vaikuntanathan, V.: Fully homomorphic encryption over the integers. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 24–43. Springer, Heidelberg (2010)CrossRefGoogle Scholar
 [VFPR14]Dunjko, V., Fitzsimons, J.F., Portmann, C., Renner, R.: Composable security of delegated quantum computation. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014, Part II. LNCS, vol. 8874, pp. 406–425. Springer, Heidelberg (2014)Google Scholar
 [YPDF14]Li, Y., PérezDelgado, C.A., Fitzsimons, J.F.: Limitations on informationtheoreticallysecure quantum homomorphic encryption. Phys. Rev. A 90, 050303 (2014)CrossRefGoogle Scholar