
1 Introduction

An encryption scheme is homomorphic over some set of circuits \({\mathscr {S}}\) if any circuit in \({\mathscr {S}}\) can be evaluated on an encrypted input. That is, given an encryption of the message m, it is possible to produce a ciphertext that decrypts to the output of the circuit \(\mathsf C\) on input m, for any \(\mathsf{C}\in {\mathscr {S}}\). In fully homomorphic encryption (FHE), \({\mathscr {S}}\) is the set of all classical circuits. FHE was introduced in 1978 [26], but the existence of such a scheme was an open problem for over 30 years. Some early public-key encryption schemes were homomorphic over the set of circuits consisting of only additions [18, 23] or over the set of circuits consisting of only multiplications [12]. Several steps were made towards FHE, with schemes that were homomorphic over increasingly large circuit classes, such as circuits containing additions and a single multiplication [4], or of logarithmic depth [29], until finally in 2009, Gentry established a breakthrough result by giving the first fully homomorphic encryption scheme [15]. Follow-up work showed that FHE could be simplified [11], and based on standard assumptions, such as learning with errors [5]. The advent of FHE has unleashed a series of far-reaching consequences, such as delegating computations, and functional encryption [17]. For a survey on FHE, see [32].

A number of works have studied the secure delegation of quantum computation [1, 68, 10, 13, 33]. None directly address the question of quantum homomorphic encryption, since they are interactive schemes, and the work of the client is proportional to the size of the circuit being evaluated (and thus, they do not satisfy the compactness requirement of FHE, even if we allow interaction). Non-interactive approaches are given by [3, 27] and [31]. However, none of these approaches are applicable to universal circuit families. Furthermore, in the case of [3], security is given only in terms of cheat sensitivity, while both [27] and [31] only bound the leakage of their encoding schemes.

Recent work [36] examines the question of perfect security and correctness for quantum fully homomorphic encryption (QFHE), concluding that the trivial scheme is optimal in this context. In light of this result, it is natural to consider computational assumptions in achieving QFHE. Indeed, the question of computationally secure QFHE remains an open problem; our contribution makes progress in this direction by presenting the first schemes that are homomorphic for a large class of quantum circuits.

1.1 Summary of Contributions and Techniques

We introduce schemes for quantum homomorphic encryption (QHE), the quantum version of homomorphic encryption; we are interested in the evaluation of quantum circuits on encrypted quantum data. In terms of definitions, we contribute by giving the first definition of quantum homomorphic encryption (QHE) in the computational setting, in the case of both public-key and symmetric-key cryptosystems. As a consequence, we give the first formal definition (and scheme) for the public-key encryption of quantum information, where security is given in terms of quantum indistinguishability under chosen plaintext attacks—for which we show the equivalence of a number of definitions, including security for multiple messages. Prior work considered the computational setting for quantum encryption of classical plaintexts only [20, 22, 35].

In terms of QHE schemes, we start by using straightforward techniques to construct a scheme that is homomorphic for Clifford circuits. This can be seen as an analogue to a classical scheme that is homomorphic for linear circuits (circuits performing only additions). While Clifford circuits are not universal for quantum computation, this already yields a range of applications for quantum information processing, including encoding and decoding into stabilizer codes. Our quantum public-key encryption scheme is a hybrid of a classical public-key fully homomorphic encryption scheme and the quantum one-time pad [2]. Intuitively, the scheme works by encrypting the quantum register with a quantum one-time pad, and then encrypting the one-time pad encryption keys with a classical public-key FHE scheme. Since Clifford circuits conjugate Pauli operators to Pauli operators, any Clifford circuit can be directly applied to the encrypted quantum register; the homomorphic property of the classical encryption scheme is used to update the encryption key. Of course, we specify that the classical FHE scheme should be secure against quantum adversaries. By using, e.g., the scheme from [5], we get security based on the learning with errors (LWE) assumption [24, 25]; this has been equated with worst-case hardness of “short vector problems” on arbitrary lattices [21], which is widely believed to be a quantum-safe (or “post-quantum”) assumption.

For universal quantum computations, we must evaluate a non-Clifford gate, for which we choose the “\(\mathsf{T}\)” gate (also known as “\(\mathsf {R}\)” or “\(\pi /8\)”). Applying the above principle we run into trouble, since \(\mathsf{T}\mathsf{X}^a \mathsf{Z}^b = \mathsf{X}^a \mathsf{Z}^{a \oplus b} \mathsf{P}^a \mathsf{T}\). That is, conditioned on the quantum one-time pad encryption key \(a, b \in \{0,1\}\), the output picks up an undesirable non-Pauli error. Our main contribution is to present two schemes, \(\mathsf{EPR}\) and \(\mathsf{AUX}\), that deal with this situation in two different ways:

  • \(\mathsf{EPR}\): The main idea of \(\mathsf{EPR}\) is to use entangled quantum registers to enable corrections within the circuit at the time of decryption. This scheme is efficient for any quantum circuit; however, it fails to meet a requirement for fully homomorphic encryption called compactness, which requires that the complexity of the decryption procedure be independent of the evaluated circuit. More specifically, the complexity of the decryption procedure for \(\mathsf{EPR}\) scales with the square of the number of \(\mathsf{T}\)-gates. This gives an advantage over the trivial scheme whenever the number of \(\mathsf{T}\)-gates in the evaluated circuit is less than the square root of the number of gates. (The trivial scheme consists of appending to the ciphertext a description of the circuit to be evaluated, and specifying that it should be applied as part of the decryption procedure.)

  • \(\mathsf{AUX}\): Compared to \(\mathsf{EPR}\), the scheme \(\mathsf{AUX}\) takes a more proactive approach to performing the correction required for a \(\mathsf{T}\)-gate: to do this, it uses a number of auxiliary qubits that are given as part of the evaluation key. Intuitively, these auxiliary qubits encode the required corrections. In order to ensure universality, a large number of possible corrections must be available — the length of the evaluation key is thus given by a polynomial of degree exponential in the circuit’s \(\mathsf{T}\)-gate depth, yielding a homomorphic scheme that is efficient for quantum circuits with constant \(\mathsf{T}\)-depth.

The two main schemes are incomparable. The scheme \(\mathsf{EPR}\) becomes less compact (and therefore less interesting, since it approaches the trivial scheme), as the number of \(\mathsf{T}\)-gates increases, while the scheme \(\mathsf{AUX}\) becomes inefficient (extremely rapidly) as the depth of \(\mathsf{T}\)-gates increases.

Our results can be viewed as a quantum analogue of precursory results to classical fully homomorphic encryption, which established the homomorphic property of encryption schemes that tolerate a limited amount of operations. One difference is that, while these schemes started with the modest goal of just a single multiplication (the addition operation being “easy”), we have already allowed for at the very least a constant number, and, depending on the circuit, up to a polynomial number of “hard” operations, namely of \(\mathsf{T}\)-gates.

Our schemes use the existence of classical FHE, although at the expense of a slightly more complicated exposition, a classical scheme that is homomorphic only for linear circuits would actually suffice. We see the relationship between our schemes and classical FHE as a strength of our result, via the following interpretation: classical FHE is sufficient to enable QHE for a large family of circuits, and perhaps by taking greater advantage of the fully homomorphic property of the classical scheme in some as yet unknown way, our ideas might be extended to larger classes of quantum circuits. With this in mind, and for ease of exposition, we use a classical fully homomorphic encryption scheme for all of our quantum homomorphic encryption schemes.

Some preliminaries and notation are given in Sect. 2. We give formal definitions of quantum homomorphic encryption and related concepts, including security definitions, in Sect. 3; this allows us to formally state our results in Sect. 4. Section 5 contains a basic quantum homomorphic encryption scheme, \(\mathsf{CL}\), for Clifford circuits that is used as a basis for \(\mathsf{EPR}\) (Sect. 6), and \(\mathsf{AUX}\) (Sect. 7). Further details, including proofs of our main theorems, can be found in the full version [9].

2 Preliminaries and Notation

A negligible function, denoted \(\eta (\cdot )\), is a function such that for every polynomial \(p(\cdot )\), there exists an N such that for all integers \(n > N\) it holds that \(\eta (n) < \frac{1}{p(n)}\). As a convention, if a is a classical plaintext, we denote its encryption by \(\tilde{a}\). Throughout this work we use \(\kappa \) to indicate the security parameter.

A quantum register is a quantum system, which we view as a physical object that stores quantum information. The contents of a quantum register are mathematically modelled as the set of trace-1, positive semidefinite operators, called density operators, on \(\mathcal {X}\), where \(\mathcal {X}\) is a complex Euclidean space. We denote the set of density operators on any space \(\mathcal {X}\) by \(D(\mathcal {X})\).

Quantum registers are denoted with calligraphic typeset. Two quantum systems, \(\mathcal {X}\) and \(\mathcal {Y}\), form a composite system by the tensor product, \(\mathcal {X} \otimes \mathcal {Y}\). If \(\rho \in D(\mathcal {X}\otimes \mathcal {Y})\) is a state on the joint system, we write \({\rho }^{\mathcal {X}}\) to denote \({Tr}_{\mathcal {Y}}(\rho )\). If \(\mathcal {X}\) and \(\mathcal {Y}\) have the same dimension, we denote this by \(\mathcal {X} \equiv \mathcal {Y}\). The trace distance between two states, \(\rho \) and \(\sigma \), is defined as \(\varDelta (\rho , \sigma ):=Tr\left( \sqrt{(\rho -\sigma )^\dagger (\rho -\sigma )}\right) \).

A density matrix that is diagonal in the computational basis corresponds to a classical random variable. For a random variable X on some set \(\varSigma _X\), we define \(\rho (X):=\sum _{x\in \varSigma _X}\Pr [X=x]{|{x}\rangle }{\langle {x}|}\), the density matrix corresponding to X. A classical-quantum state is a state of the form \(\rho ^{\mathcal {M}\mathcal {A}} = \sum _x \Pr [X=x]{|{x}\rangle }{\langle {x}|}^\mathcal {M} \otimes \rho _x^\mathcal {A}\).

One special quantum state on any system \(\mathcal X\) is the completely mixed state, \(\frac{1}{\dim \mathcal X}\mathbb {I}_\mathcal{X}\), which we will sometimes denote by \({\$}\) (where \(\mathcal X\) should be implicit from the context). When \(\mathcal X\) is interpreted as \(\mathbb {C}^S\) for some finite set S, then \({\$}\) corresponds to the uniform distribution on S.

A quantum channel \(\varPhi :D({\mathcal {A}})\rightarrow D({\mathcal {B}})\) refers to any physically-realizable mapping on quantum registers. The identity channel on register \({\mathcal {R}}\) is denoted \(\mathbb {I}_{\mathcal {R}}\). Let \(\varPhi \) be a quantum channel acting on register \({\mathcal {A}}\), and \(\rho ^{{\mathcal {A}}{\mathcal {E}}}\) a quantum system held in the joint registers \({\mathcal {A}}\otimes {\mathcal {E}}\). Then to simplify notation, when it is clear from the context, we write \(\varPhi (\rho ^{{\mathcal {A}}{\mathcal {E}}})\) to mean \((\varPhi \otimes {\mathbb I})(\rho ^{{\mathcal {A}}{\mathcal {E}}})\).

We work with the gate set \(\{\mathsf{X},\mathsf{Z},\mathsf{P},\mathsf{CNOT},\mathsf{H}\}\). This gate set applied to arbitrary wires (redundantly) generates the Clifford group, and adding any non-Clifford gate, such as \(\mathsf{T}\), gives a generating set for all quantum circuits.

For a single-qubit register \({\mathcal {R}}\), and \(a,b \in \{0,1\}\), we denote by \({\mathsf {QEnc}}_{a,b}: {\mathcal {R}}\rightarrow {\mathcal {R}}\) the quantum one-time pad encryption and by \({\mathsf {QDec}}_{a,b}: {\mathcal {R}}\rightarrow {\mathcal {R}}\) the quantum one-time pad decryption [2], \(\mathsf {QEnc}_{a,b} : \rho \mapsto \mathsf{X}^a \mathsf{Z}^b \rho \mathsf{Z}^b \mathsf{X}^a\) and \(\mathsf {QDec}_{a,b} = \mathsf {QEnc}_{a,b}\). It is easy to see that \({\mathsf {QDec}}_{a,b} \circ {\mathsf {QEnc}}_{a,b} = {\mathbb I}_{{\mathcal {R}}}\). By specifying that \((a, b)\) be chosen uniformly at random, we get that the encryption maps any input to the completely mixed state (from the point of view of the adversary), since for all \(\rho \), \(\frac{1}{4}\sum _{a,b} \mathsf{X}^a \mathsf{Z}^b \rho \mathsf{Z}^b \mathsf{X}^a = \frac{{\mathbb I}_2}{2}\).
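The quantum one-time pad just defined, together with the single-qubit key-update rules that the introduction relies on (a Clifford gate such as \(\mathsf{H}\) or \(\mathsf{P}\) maps the Pauli key \((a,b)\) to a new Pauli key, whereas \(\mathsf{T}\) leaves the residual \(\mathsf{P}^a\) error from \(\mathsf{T}\mathsf{X}^a \mathsf{Z}^b = \mathsf{X}^a \mathsf{Z}^{a \oplus b} \mathsf{P}^a \mathsf{T}\)), as an added pure-Python simulation that is not part of the paper. Operators are \(2\times 2\) nested tuples of complex numbers, and the states, gate table and helper names (`qenc`, `key_update`, `homomorphic_apply`, `t_gate_corrected`) are all constructed here; the two-qubit \(\mathsf{CNOT}\) rule is not included.

```python
import cmath
import math
from itertools import product

# Single-qubit operators as 2x2 nested tuples of complex numbers (constructed here; no numpy).
I2 = ((1, 0), (0, 1))
X = ((0, 1), (1, 0))
Z = ((1, 0), (0, -1))
P = ((1, 0), (0, 1j))
H = ((1 / math.sqrt(2), 1 / math.sqrt(2)), (1 / math.sqrt(2), -1 / math.sqrt(2)))
T = ((1, 0), (0, cmath.exp(1j * math.pi / 4)))
GATES = {"H": H, "P": P, "T": T}


def mul(A, B):
    """Matrix product of two 2x2 operators."""
    return tuple(tuple(sum(A[i][k] * B[k][j] for k in range(2)) for j in range(2)) for i in range(2))


def dag(A):
    """Conjugate transpose."""
    return tuple(tuple(A[j][i].conjugate() for j in range(2)) for i in range(2))


def close(A, B, tol=1e-9):
    """Entrywise equality up to floating-point tolerance."""
    return all(abs(A[i][j] - B[i][j]) < tol for i in range(2) for j in range(2))


def conj_by(U, rho):
    """U rho U^dagger: the action of a unitary U on a density operator rho."""
    return mul(mul(U, rho), dag(U))


def pauli(a, b):
    """The Pauli operator X^a Z^b for key bits a, b."""
    M = I2
    if a:
        M = mul(M, X)
    if b:
        M = mul(M, Z)
    return M


def qenc(rho, a, b):
    """QEnc_{a,b}: rho -> X^a Z^b rho Z^b X^a. QDec_{a,b} is the same map."""
    return conj_by(pauli(a, b), rho)


qdec = qenc


def ket_density(alpha, beta):
    """Density operator of the pure state alpha|0> + beta|1>."""
    v = (alpha, beta)
    return tuple(tuple(v[i] * v[j].conjugate() for j in range(2)) for i in range(2))


ZERO = ket_density(1, 0)                                # |0><0|  (constructed sample state)
PLUS = ket_density(1 / math.sqrt(2), 1 / math.sqrt(2))  # |+><+|  (constructed sample state)


def average_over_keys(rho):
    """(1/4) sum_{a,b} QEnc_{a,b}(rho): the cipherstate as seen without the key."""
    acc = ((0, 0), (0, 0))
    for a, b in product((0, 1), repeat=2):
        e = qenc(rho, a, b)
        acc = tuple(tuple(acc[i][j] + e[i][j] / 4 for j in range(2)) for i in range(2))
    return acc


def is_completely_mixed(rho):
    return close(rho, ((0.5, 0), (0, 0.5)))


def key_update(gate, a, b):
    """Key after pushing the gate through X^a Z^b (equalities hold up to a global phase):
    H X^a Z^b = X^b Z^a H,  P X^a Z^b = X^a Z^{a xor b} P,  T X^a Z^b = X^a Z^{a xor b} P^a T."""
    if gate == "H":
        return (b, a)
    if gate in ("P", "T"):
        return (a, a ^ b)
    raise ValueError("unknown gate " + gate)


def homomorphic_apply(gate, rho, a, b):
    """Encrypt rho under (a,b), apply the gate to the cipherstate, decrypt under the updated key."""
    cipher = qenc(rho, a, b)
    evaluated = conj_by(GATES[gate], cipher)
    a2, b2 = key_update(gate, a, b)
    return qdec(evaluated, a2, b2)


def evaluates_correctly(gate, rho, a, b):
    """True iff the decrypted result equals U rho U^dagger. For T with a = 1 the result is
    P (T rho T^dagger) P^dagger instead: the non-Pauli error the introduction describes."""
    return close(homomorphic_apply(gate, rho, a, b), conj_by(GATES[gate], rho))


def t_gate_corrected(rho, a, b):
    """Undo the residual P^a error after a homomorphic T-gate (the correction EPR and AUX must arrange)."""
    out = homomorphic_apply("T", rho, a, b)
    if a:
        out = conj_by(dag(P), out)
    return out


if __name__ == "__main__":
    print("QOTP hides |+>:", is_completely_mixed(average_over_keys(PLUS)))
    for g in ("H", "P", "T"):
        print(g, [evaluates_correctly(g, PLUS, a, b) for a, b in product((0, 1), repeat=2)])
    print("T with P^a correction:", close(t_gate_corrected(PLUS, 1, 1), conj_by(T, PLUS)))
```

Running the script shows that averaging over the four keys sends \(|+\rangle\langle +|\) to \(\mathbb I_2/2\), that \(\mathsf{H}\) and \(\mathsf{P}\) are handled by a key update alone for every key, and that \(\mathsf{T}\) is handled by a key update only when \(a=0\); when \(a=1\) the decrypted state carries the extra \(\mathsf{P}\) conjugation until `t_gate_corrected` removes it.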

3 Definitions

We now formally define QHE schemes and their properties. In Sect. 3.1, we define QHE in the public-key setting. Section 3.2 carefully defines the security of QHE, giving two definitions for security under chosen plaintext attacks, shown in the full version [9] to be equivalent. Section 3.3 defines correctness and compactness for QHE, culminating in a complete definition of quantum fully homomorphic encryption. Section 3.4 deals with an important subtlety that arises in the quantum case: due to the no-cloning theorem, when a large system is encrypted with some auxiliary quantum information needed for decryption, that auxiliary information cannot be copied and given to every subsystem, but rather, the system must now be decrypted as a whole, rather than subsystem-by-subsystem. We also define compactness and quasi-compactness in this context. Finally, one of our schemes (\(\mathsf{AUX}\)) must be used in the symmetric-key setting, defined in Sect. 3.5. We do not address the issue of circuit privacy [16], leaving this question for future work.

3.1 Classical and Quantum Homomorphic Encryption

Our schemes rely on a classical fully homomorphic encryption scheme. Since our adversaries are modelled as being quantum polynomial-time, we need a further security guarantee on the classical scheme, namely that it is secure against quantum adversaries (see Definition 1). Fortunately, much of classical fully homomorphic encryption uses lattice-based cryptography, which exploits one of the few conjectured “quantum-safe” assumptions [21]. Among all known solutions, the scheme of [5] appears to be the best for our purposes, as it bases its security on the learning with errors (LWE) assumption [24, 25], which has been equated with worst-case hardness of “short vector problems” on arbitrary lattices.

Definition 1

(q-IND-CPA). A classical homomorphic encryption scheme \(\mathsf {HE}\) is q-IND-CPA secure if for any quantum polynomial-time adversary \({\mathscr {A}}\), there exists a negligible function \(\eta \) such that for \((pk, evk, sk) \leftarrow \mathsf {HE.Keygen(1^\kappa )}\):

$$\begin{aligned} \left| \mathrm {Pr}[{\mathscr {A}}(pk, evk, \mathsf {HE.Enc}_{pk}(0)) = 1] - \mathrm {Pr}[{\mathscr {A}}(pk, evk, \mathsf {HE.Enc}_{pk}(1)) = 1] \right| \le \eta (\kappa )\,. \end{aligned}$$

Although a classical scheme that is q-IND-CPA is also IND-CPA, the converse may not be true. Note, however, that any proof that a scheme is IND-CPA can potentially be turned into a proof for q-IND-CPA if all statements still hold when “probabilistic polynomial-time adversary” is replaced by “quantum polynomial-time adversary” (see [30]).

We now give our new definitions for quantum homomorphic encryption. In our definitions, both pk, the public encryption key, and sk, the secret decryption key, are classical, whereas the evaluation key is allowed to be a quantum state.

Definition 2

(QHE). A quantum homomorphic encryption scheme is a 4-tuple of quantum algorithms \((\mathsf {QHE.KeyGen},\mathsf {QHE.Enc},\mathsf {QHE.Eval},\mathsf {QHE.Dec})\):

  • Key Generation. \(\mathsf{QHE}.{\mathsf {KeyGen}}: 1^\kappa \rightarrow (pk, sk, \rho _{evk})\). This algorithm takes a unary representation of the security parameter as input and outputs a classical public encryption key \({ pk}\), a classical secret decryption key \({ sk}\) and a quantum evaluation key \(\rho _{evk}\in D({\mathcal {R}}_{evk})\).

  • Encryption. \(\mathsf{QHE}.\mathsf{Enc}_{pk}: D(\mathcal {M}) \rightarrow D({\mathcal {C}})\). For every possible pk, the quantum channel \(\mathsf {Enc}_{pk}\) maps a state in the message space \(\mathcal M\) to a state (the cipherstate) in the cipherspace \(\mathcal{C}\).

  • Homomorphic Evaluation. \(\mathsf{QHE}.{\mathsf {Eval}}^{\mathsf {C}}: D({\mathcal {R}}_{evk}\otimes \mathcal {C}^{\otimes n}) \rightarrow D(\mathcal {C'}^{\otimes m})\). For every quantum circuit \(\mathsf {C}\), with induced channel \(\varPhi _{\mathsf {C}}:D(\mathcal {M}^{\otimes n})\rightarrow D(\mathcal {M}^{\otimes m})\), we define a channel \(\mathsf {Eval}^{\mathsf {C}}\) that maps an n-fold cipherstate to an m-fold cipherstate, consuming the evaluation key in the process.

  • Decryption. \(\mathsf {QHE.Dec}_{sk} : D({\mathcal {C}}') \rightarrow D(\mathcal {M})\). For every possible sk, \(\mathsf {Dec}_{sk}\) is a quantum channel that maps the state in \(D({\mathcal {C}}')\) to a quantum state in \(D(\mathcal {M})\).

3.2 Security of Quantum Homomorphic Encryption

We now define a notion of security for QHE analogous to the classical notion of indistinguishability under chosen plaintext attack. We note that, by taking the evaluation key to be empty, our definitions are trivially applicable to the scenario of quantum public-key encryption (i.e. without a homomorphic property).

Fig. 1. The quantum CPA indistinguishability experiment

The CPA indistinguishability experiment is given below and illustrated in Fig. 1. The experiment interacts with an adversary \({\mathscr {A}}\), which is a pair of polynomial-time quantum algorithms \(({\mathscr {A}}_1,{\mathscr {A}}_2)\) (which we also call adversaries).

The quantum CPA indistinguishability experiment \(\mathsf {PubK^{cpa}_{{\mathscr {A}}, QHE}} (\kappa )\)

  1. \(\mathsf {KeyGen}(1^\kappa )\) is run to obtain keys \((pk,sk,\rho _{evk})\).

  2. Adversary \({\mathscr {A}}_1\) is given \((pk,\rho _{evk})\) and outputs a quantum state on \(\mathcal {M} \otimes \mathcal E\).

  3. For \(r\in \{0,1\}\), let \(\varXi _{\mathsf{QHE}}^{\mathsf{cpa},r}: D(\mathcal {M}) \rightarrow D(\mathcal {C})\) be: \(\varXi _{\mathsf{QHE}}^{\mathsf{cpa},0}(\rho )= \mathsf{QHE.Enc}_{pk}({|\mathbf{0 }\rangle }{\langle \mathbf{0 }|})\) and \(\varXi _{\mathsf{QHE}}^{\mathsf{cpa},1}(\rho )= \mathsf{QHE.Enc}_{pk}(\rho )\). A random bit \(r \in \{0,1\}\) is chosen and \(\varXi _{\mathsf{QHE}}^{\mathsf{cpa},r}\) is applied to the state in \(\mathcal {M}\) (the output being a state in \(\mathcal {C}\)).

  4. Adversary \({\mathscr {A}}_2\) obtains the system in \(\mathcal {C} \otimes \mathcal {E}\) and outputs a bit \(r'\).

  5. The output of the experiment is defined to be 1 if \(r'=r\) and 0 otherwise. In case \(r=r'\), we say that \({\mathscr {A}}\) wins the experiment.

Definition 3

(Quantum Indistinguishability under Chosen Plaintext Attack (q-IND-CPA)). A quantum homomorphic encryption scheme \(\mathsf {QHE}\) is q-IND-CPA secure if for any quantum polynomial-time adversary \({\mathscr {A}}= ({\mathscr {A}}_1, {\mathscr {A}}_2)\) there exists a negligible function \(\eta \) such that \(\Pr [\mathsf {PubK^{cpa}_{{\mathscr {A}}, QHE}} (\kappa ) =1] \le \frac{1}{2} + \eta (\kappa )\).

In the case of classical cryptosystems, it is known that IND-CPA security, the classical analogue of Definition 1, implies a seemingly stronger security against an adversary who can send multiple messages to a challenger. In the quantum case, we can analogously define an experiment similar to \(\mathsf {PubK}_{{\mathscr {A}},\mathsf{QHE}}^\mathsf{cpa}\), but where the adversary prepares a state in \(\mathcal {M}^{\otimes t}\otimes \mathcal {M}^{\otimes t}\) and sends it to the challenger, who traces out either the first half or the second half of the system, before applying an encryption map to each of the remaining subspaces. The adversary must then decide which system was traced out. In the full version [9], we give a formal definition of this notion of security, which we call q-IND-CPA-mult, and prove the equivalence of q-IND-CPA and q-IND-CPA-mult. This strengthens our results since security in the most general case (q-IND-CPA-mult) follows from security for the simplest definition (q-IND-CPA).

3.3 Correctness and Compactness of QHE

Next, we give a notion that encapsulates correctness of both encryption and evaluation, with respect to a class \(\mathscr {S}\) of quantum circuits. In the classical context, it is common to restrict attention to circuits that output a single bit, since any deterministic string can be computed bit-by-bit. We cannot do this quantumly, as a quantum state cannot be described qubit-by-qubit. We therefore consider correctness as a global property of the output. Furthermore, as quantum data can be entangled, we require that a correct scheme preserve this entanglement and thus explicitly include an auxiliary space in the definition below.

Definition 4

(\(\mathscr {S}\)-homomorphic). Let \(\mathscr {S} = \{{\mathscr {S}}_\kappa \}_{\kappa \in \mathbb {N}}\) be a class of quantum circuits. A quantum encryption scheme QHE is \(\mathscr {S}\)-homomorphic (or homomorphic for \(\mathscr {S}\)) if for any sequence of circuits \(\{\mathsf {C}_\kappa \in \mathscr {S}_\kappa \}_{\kappa }\) with induced channels \(\varPhi _{\mathsf {C}_\kappa }:\mathcal{M}^{\otimes n(\kappa )}\rightarrow \mathcal{M}^{\otimes m(\kappa )}\), and input \(\rho \in D({\mathcal {M}^{\otimes n(\kappa )}\otimes {\mathcal {E}}})\), there exists a negligible function \(\eta \) such that for \((pk, sk, \rho _{ evk}) \leftarrow \mathsf {QHE.Keygen(1^\kappa )}\):

$$\begin{aligned} \varDelta \left( \mathsf {QHE.Dec}^{\otimes m(\kappa )}_{sk} \left( \mathsf {QHE.Eval}^{\mathsf {C}_\kappa } \left( \rho _{evk}, \mathsf {QHE.Enc}^{\otimes n}_{pk} (\rho )\right) \right) , \varPhi _{\mathsf {C}_\kappa } (\rho )\right) = \eta (\kappa )\,. \end{aligned}$$
(1)

We point out two properties of the above definition. First, we do not require that ciphertexts be decryptable themselves, only that they become decryptable after homomorphic evaluation; however, as long as \(\mathsf{QHE}\) is homomorphic for the class of identity circuits, we can effectively decrypt a ciphertext by first homomorphically evaluating the identity. Second, we do not require that the output of \(\mathsf{QHE}.{\mathsf {Eval}}\) be able to undergo additional homomorphic evaluations; indeed, if the evaluation key \(\rho _{evk}\) is quantum, it will in general be “consumed” by the \(\mathsf{QHE}.{\mathsf {Eval}}\) process, rendering any future applications of \(\mathsf{QHE}.{\mathsf {Eval}}\) impossible.

Analogously to the classical case, we define compactness, which requires that the complexity of \(\mathsf{QHE}.\mathsf{Dec}\) be independent of the evaluated circuit, ruling out schemes where applying the circuit is delayed until after decryption.

Definition 5

(\(\mathscr {S}\)-compactness). Let \(\mathscr {S}=\{\mathscr {S}_{\kappa }\}_{\kappa \in \mathbb {N}}\) be a class of quantum circuits. A quantum encryption scheme \(\mathsf {QHE}\) is \(\mathscr {S}\)-compact if there exists a polynomial p such that for any sequence of circuits \(\{\mathsf {C}_\kappa \in \mathscr {S}_\kappa \}_\kappa \), the circuit complexity of applying \(\mathsf{QHE}.\mathsf{Dec}\) to the output of \(\mathsf{QHE}.{\mathsf {Eval}}^{\mathsf {C}_{\kappa }}\) is at most \(p(\kappa )\).

If \(\mathsf{QHE}\) is \(\mathscr {S}\)-compact for \(\mathscr {S}\) the class of all quantum circuits over some universal gate set, then we simply say that \(\mathsf{QHE}\) is compact.

Although this work leaves open the question of quantum fully homomorphic encryption, we have established all the machinery relevant for a formal definition:

Definition 6

(Quantum Fully Homomorphic Encryption). A scheme is a quantum fully homomorphic encryption scheme if it is both compact and homomorphic for the class of all quantum circuits over some universal gate set.

3.4 Indivisible Schemes

In general, a quantum system is not equal to the sum of its parts. Because of this, for one of our schemes (as given in Sect. 6), it is convenient (if not necessary, by the no-cloning theorem [34]) to define the output of \(\mathsf{QHE}.{\mathsf {Eval}}\) as containing, in addition to a series of cipherstates corresponding to each qubit, some auxiliary quantum register, possibly entangled with each cipherstate. Then the decryption operation, \(\mathsf{QHE}.\mathsf{Dec}\) must operate on the entire quantum system, rather than qubit-by-qubit. This is in contrast to a classical scheme, in which we could make a copy of the auxiliary register for each encrypted bit, enabling the decryption of individual bits, without decrypting the entire system.

Definition 7

An indivisible quantum homomorphic encryption scheme is a QHE scheme with \(\mathsf{QHE}.{\mathsf {Eval}}\) and \(\mathsf{QHE}.\mathsf{Dec}\) re-defined as:

  • Homomorphic Evaluation. \(\mathsf{QHE}.{\mathsf {Eval}}^{\mathsf {C}}: D({\mathcal {R}}_{evk}\otimes \mathcal {C}^{\otimes n}) \rightarrow D({\mathcal {R}}_{aux} \otimes \mathcal {C'}^{\otimes m})\). Compared to \(\mathsf{QHE}.{\mathsf {Eval}}\) in a standard QHE, this algorithm outputs an additional auxiliary quantum register \({\mathcal {R}}_{aux}\). This extra information is used in the decryption phase. Since the state of \(\mathcal {R}_{aux}\) may be entangled with the state of each \(\mathcal C'\), the system in \(\mathcal {R}_{aux}\otimes \mathcal{C'}^{\otimes m}\) can no longer be considered subsystem-by-subsystem.

  • Decryption. \(\mathsf {QHE.Dec}_{sk} : D({\mathcal {R}}_{aux} \otimes \mathcal {C'}^{\otimes m}) \rightarrow D(\mathcal {M}^{\otimes m})\). For every possible value of sk, \(\mathsf {Dec}_{sk}\) is a quantum channel that maps an auxiliary register, together with an m-fold cipherstate, to an m-fold message in \(D(\mathcal {M}^{\otimes m})\).

We need to define compactness for an indivisible scheme.

Definition 8

(\(\mathscr {S}\)-compactness for an indivisible scheme). Fix a class of quantum circuits, \(\mathscr {S}=\{\mathscr {S}_{\kappa }\}_{\kappa \in \mathbb {N}}\). An indivisible QHE scheme \(\mathsf {QHE}\) is \(\mathscr {S}\)-compact if there exists a polynomial p such that for any sequence of circuits \(\{\mathsf {C}_{\kappa } \in \mathscr {S}_{\kappa }\}_{\kappa }\) with channels \(\varPhi _{\mathsf {C}_\kappa }:\mathcal {M}^{\otimes n(\kappa )}\rightarrow \mathcal {M}^{\otimes m(\kappa )}\), the circuit complexity of applying \(\mathsf{QHE}.\mathsf{Dec}^{\otimes m(\kappa )}\) to the output of \(\mathsf{QHE}.{\mathsf {Eval}}^{\mathsf {C}_\kappa }\) is at most \(p(\kappa ,m(\kappa ))\).

The trivial quantum fully homomorphic encryption scheme, \(\mathsf{TRIV}\), is easily phrased as an indivisible scheme. Informally, \(\mathsf{TRIV}\) is defined by taking \(\mathsf{TRIV}.{\mathsf {KeyGen}}\) and \(\mathsf{TRIV}.\mathsf{Enc}\) from any public-key encryption scheme, letting \(\mathsf{TRIV}.{\mathsf {Eval}}^{\mathsf {C}}\) append a description of \(\mathsf {C}\) to the cipherstate, and \(\mathsf{TRIV}.\mathsf{Dec}\) decode the cipherstate, and then apply \(\mathsf {C}\). Clearly, \(\mathsf{TRIV}\) is homomorphic, but it is not compact, since \(\mathsf{TRIV}.\mathsf{Dec}\) must evaluate the quantum circuit \(\mathsf {C}\), and so its complexity scales with \(G(\mathsf {C})\), the number of gates in \(\mathsf {C}\).

Although a decryption procedure with any dependence on G, or any other property of \(\mathsf {C}\), is not compact, it is still interesting to consider schemes whose decryption procedure has complexity that scales sublinearly in G (such schemes are called quasi-compact schemes [14]). We give a formal definition that quantifies this notion for indivisible quantum homomorphic encryption schemes.

Definition 9

(quasi-compactness). Let \({\mathscr {S}}=\{{\mathscr {S}}_{\kappa }\}_{\kappa }\) be the set of all quantum circuits over some fixed universal gate set. For any \(f:{\mathscr {S}}\rightarrow \mathbb {R}_{\ge 0}\), an indivisible QHE scheme \(\mathsf{QHE}\) is f-quasi-compact if there exists a polynomial p such that for any sequence of circuits \(\{\mathsf {C}_{\kappa }\in {\mathscr {S}}_{\kappa }\}_{\kappa }\) with induced channels \(\varPhi _{\mathsf {C}_{\kappa }}:\mathcal {M}^{\otimes n(\kappa )}\rightarrow \mathcal {M}^{\otimes m(\kappa )}\), the circuit complexity of decrypting the output of \(\mathsf{QHE}.{\mathsf {Eval}}^{\mathsf {C}_{\kappa }}\) is at most \(f(\mathsf {C}_{\kappa })p(\kappa ,m(\kappa ))\).

This definition allows us to consider schemes whose decryption complexity scales with some property of the evaluated circuit. We consider such a scaling non-trivial when it is smaller than \(G(\mathsf {C})\), the number of gates in \(\mathsf {C}\).

3.5 Symmetric-Key Quantum Homomorphic Encryption

We have defined quantum homomorphic encryption as a public-key encryption scheme. For technical reasons, our final scheme, \(\mathsf{AUX}\) is given in the symmetric-key setting, so in this section we define symmetric-key quantum homomorphic encryption. In the case of classical FHE, symmetric-key encryption is known to be equivalent to public-key encryption [28]. In the quantum case, this is not known. This section also contains the definition of a bounded QHE scheme, which we again require for technical reasons in our symmetric-key scheme, \(\mathsf{AUX}\).

Definition 10

A symmetric-key QHE scheme is a quantum homomorphic encryption scheme with \(\mathsf{QHE}.{\mathsf {KeyGen}}\) and \(\mathsf{QHE}.\mathsf{Enc}\) re-defined as:

  • Key Generation. \(\mathsf{QHE}.{\mathsf {KeyGen}}: 1^\kappa \rightarrow (sk, \rho _{evk})\). This algorithm takes a unary representation of the security parameter as input and outputs a secret encryption/decryption key \({ sk}\) and a quantum evaluation key \(\rho _{evk}\in D({\mathcal {R}}_{evk})\).

  • Encryption. \(\mathsf{QHE}.\mathsf{Enc}_{sk}: D(\mathcal {M}) \rightarrow D(\mathcal {C})\). For every possible value of sk, the quantum channel \(\mathsf {Enc}_{sk}\) maps a state in the message space \(\mathcal M\) to a state (the cipherstate) in the cipherspace \(\mathcal{C}\).

Next, we define a quantum homomorphic encryption scheme that is bounded by n, which forces the number of ciphertexts encrypted by sk to be at most n. Furthermore, the scheme maintains a counter, d, of the number of previous encryptions, which can be thought of as allowing the scheme to avoid key reuse.

Definition 11

A bounded symmetric-key QHE scheme is a symmetric-key QHE scheme with \(\mathsf{QHE}.{\mathsf {KeyGen}}\), \(\mathsf{QHE}.\mathsf{Enc}\), and \(\mathsf{QHE}.\mathsf{Dec}\) re-defined as:

  • Key Generation. \(\mathsf{QHE}.{\mathsf {KeyGen}}: (1^\kappa , 1^n) \rightarrow (sk, \rho _{evk})\).

  • Encryption. \(\mathsf{QHE}.\mathsf{Enc}_{sk,d}: D(\mathcal {M}) \rightarrow D({\mathcal {C}})\). Every time \(\mathsf{QHE}.\mathsf{Enc}_{sk,d}\) is called, the register containing d is incremented: \(d\leftarrow d+1\). If \(d>n\), \(\mathsf{QHE}.\mathsf{Enc}_{sk,d}\) outputs \(\bot \), indicating an error.

  • Decryption. \(\mathsf{QHE}.\mathsf{Dec}_{sk,d}:D(\mathcal {C}')\rightarrow D(\mathcal {M})\).

We can define q-IND-CPA security for the symmetric-key setting by allowing the adversary access to an encryption oracle \(\mathsf {Enc}_{sk}(\cdot )\). We give details in [9].

4 Main Contributions

We now formally state our main results. Our first theorem, Theorem 1, establishes quantum homomorphic encryption for Clifford circuits.

Theorem 1

(Clifford scheme, \(\mathsf{CL}\) ). Let \({\mathscr {S}}\) be the class of Clifford circuits. Then assuming the existence of a classical fully homomorphic encryption scheme that is q-IND-CPA secure, there exists a quantum homomorphic encryption scheme that is q-IND-CPA, compact and \(\mathscr {S}\)-homomorphic.

Next, we consider two variants of the scheme given by Theorem 1. Each variant deals with non-Clifford \(\mathsf{T}\)-gates in a different way. The first scheme, described in Theorem 2 and formally defined in Sect. 6, uses entanglement to implement \(\mathsf{T}\)-gates, resulting in a QHE scheme in which the complexity of decryption scales with the number of \(\mathsf{T}\)-gates in the homomorphically evaluated circuit.

Theorem 2

(entanglement-based scheme, \(\mathsf{EPR}\) ). Let \({\mathscr {S}}\) be the set of all quantum circuits over the universal gate set \(\{\mathsf{X},\mathsf{Z},\mathsf{P},\mathsf{H},\mathsf{CNOT},\mathsf{T}\}\). Then assuming the existence of a classical fully homomorphic encryption scheme that is q-IND-CPA secure, there exists an indivisible quantum homomorphic encryption scheme that is q-IND-CPA, \({\mathscr {S}}\)-homomorphic and \(R^2\)-quasi-compact, where \(R(\mathsf {C})\) is the number of \(\mathsf{T}\)-gates in a circuit \(\mathsf {C}\).

The compactness of the scheme \(\mathsf{EPR}\) is nontrivial for all circuits in which \(R^2\ll G\), where G is the number of gates.

Our second scheme, formally defined in Sect. 7, is based on the use of auxiliary qubits to implement \(\mathsf{T}\)-gates, resulting in a QHE scheme that is homomorphic for circuits with constant \(\mathsf{T}\)-depth, as described in the following theorem:

Theorem 3

(auxiliary-qubit scheme, \(\mathsf{AUX}\) ). Fix a constant L. Let \({\mathscr {S}}\) be the set of quantum circuits over the universal gate set \(\{\mathsf{X},\mathsf{Z},\mathsf{P},\mathsf{H},\mathsf{CNOT},\mathsf{T}\}\) with \(\mathsf{T}\)-depth at most L. Then assuming the existence of a classical fully homomorphic encryption scheme that is q-IND-CPA secure, there exists a bounded symmetric-key quantum homomorphic encryption scheme that is q-IND-CPA, \({\mathscr {S}}\)-homomorphic and compact.

The QHE scheme in Theorem 3 can be seen as somewhat analogous to an important building block in classical fully homomorphic encryption: a levelled fully homomorphic scheme, i.e. a scheme that takes a parameter L which is an a-priori bound on the depth of the circuit that can be evaluated. However, we note that, in contrast to a levelled fully homomorphic scheme, whose operations are polynomial in L, the complexity of our scheme is a polynomial of degree exponential in L, so we really require L to be constant.

As previously noted, Theorems 2 and 3 are complementary: the scheme \(\mathsf{EPR}\) becomes less compact as the number of \(\mathsf{T}\)-gates increases, while the scheme \(\mathsf{AUX}\) becomes inefficient as the depth of \(\mathsf{T}\)-gates increases.

5 Homomorphic Encryption for Clifford Circuits: \(\mathsf{CL}\)

In this section, we present \(\mathsf{CL}\), a compact quantum homomorphic encryption scheme for Clifford circuits. This is a building block for the schemes that follow in Sects. 6 and 7. In the full version [9], we prove that \(\mathsf{CL}\) is q-IND-CPA secure, and homomorphic for Clifford circuits, hence proving Theorem 1.

By definition, Clifford circuits conjugate Pauli operators to Pauli operators [19]. In other words, for any Clifford \(\mathsf {C}\), and any Pauli, \(\mathsf {Q}\), there exists a Pauli \(\mathsf {Q}'\) such that \(\mathsf {C}\mathsf {Q}=\mathsf {Q}'\mathsf {C}\). Furthermore, applying a random Pauli operator is a perfectly secure symmetric-key quantum encryption scheme: the quantum one-time pad. Thus, it is possible to perform any Clifford circuit on quantum data that is encrypted using the quantum one-time pad. We can apply the desired Clifford, \(\mathsf {C}\), to the encrypted state \(\mathsf {Q}{|{\psi }\rangle }\) to get \(\mathsf {Q}'(\mathsf {C}{|{\psi }\rangle })\). Now decrypting the state requires applying the Pauli \(\mathsf {Q}'\). If \(\mathsf {Q}\) can be described by the encryption key \((a_1,\dots ,a_n,b_1,\dots ,b_n)\) — that is, \(\mathsf {Q}=\mathsf{X}^{a_1}\mathsf{Z}^{b_1}\otimes \dots \otimes \mathsf{X}^{a_n}\mathsf{Z}^{b_n}\) — then \(\mathsf {Q}'\) can be described by some key \((a_1',\dots ,a_n',b_1',\dots ,b_n')\) depending on \(\mathsf {C}\) and \((a_1,\dots ,a_n,b_1,\dots ,b_n)\). We describe this dependence by a function \(f^{\mathsf {C}}:\mathbb {F}_2^{2n}\rightarrow \mathbb {F}_2^{2n}\), which we call a key update rule. We need only consider key update rules for each gate in our gate set, which consists of the one- and two-qubit gates in \(\{\mathsf{X},\mathsf{Z},\mathsf{P},\mathsf{CNOT},\mathsf{H}\}\). For a single-qubit gate \(\mathsf {C}\), since the only keys that are affected are those corresponding to the wire to which \(\mathsf {C}\) is applied, an update rule can be more succinctly described by a pair of functions \(f_a^{\mathsf {C}},f_b^{\mathsf {C}}:\mathbb {F}_2^2\rightarrow \mathbb {F}_2\) such that when \(\mathsf {C}\) is applied to the \({i}^{\text {th}}\) wire, \(a_i'=f_a^{\mathsf {C}}(a_i,b_i)\) and \(b_i'=f_b^\mathsf {C}(a_i,b_i)\):

(figure a: circuit diagram not reproduced)

For the \(\mathsf{CNOT}\)-gate, the update rule is described by a 4-tuple of functions, since \(\mathsf{CNOT}\) acts on two wires. We give the key update rules for all gates in the full version [9, App. C] (We also give key update rules for single-qubit measurement and qubit preparation, so that our scheme is actually homomorphic for stabilizer circuits.) By applying these rules after each gate, we can update the key so that the output is correctly decrypted (since we are actually carrying out computations on encrypted quantum data—in contrast to merely simulating a quantum computation—we note that all gates except the Pauli gates require quantum operations). Such a technique was already used, e.g. in [6, 10, 13].

This solution, however, requires that the key updates be executed by the party holding the encryption keys: an “easy” classical computation, but nevertheless a computation that is polynomial in the size of the circuit. In the context of quantum homomorphic encryption, the challenge is therefore to allow the execution of arbitrary Clifford circuits, while maintaining the compactness condition. Here, we present a quantum public-key encryption scheme which is a hybrid of the quantum one-time pad and of a classical fully homomorphic encryption scheme. This encryption scheme is used to perform key updates on encrypted quantum one-time pad keys, enabling the computation of arbitrary Clifford group circuits on the encrypted quantum states, while maintaining the compactness condition. More precisely, to homomorphically evaluate a Clifford circuit consisting of a sequence of gates \(\mathsf {c}_1,\dots ,\mathsf {c}_G\), we apply the gates to the quantum one-time pad encrypted message, and homomorphically evaluate the function \(f^{\mathsf{c}_1}\circ \dots \circ f^{\mathsf{c}_G}\) on the encrypted one-time pad keys \(a_1,\dots ,a_n,b_1,\dots ,b_n\), where \(\circ \) denotes function composition. To accomplish this, we keep track of functions for each bit of the quantum one-time pad encryption key, \(\{f_{a,i},f_{b,i}\}_{i=1}^n\). Since each of the key update rules (see [9]) is linear, each \(f_{a,i}\) and \(f_{b,i}\) is a linear polynomial in \(\mathbb {F}_2[a_1,\dots ,a_n,b_1,\dots ,b_n]\) (from the perspective of the evaluation procedure, \(a_1,\dots ,a_n,b_1,\dots ,b_n\) are unknowns), so we refer to them as key-polynomials. Before we begin to evaluate the circuit, the key polynomials are the monomials \(f_{a,i}=a_i\) and \(f_{b,i}=b_i\). As we evaluate each gate \(\mathsf {c}_j\), we update the key-polynomials corresponding to the affected wires by composing them with the key update rules. To compute the new encrypted one-time pad keys once the circuit is complete, we homomorphically evaluate each key-polynomial on the old encrypted one-time pad keys. We note that since the key update rules (see [9]) are all linear, for the scheme \(\mathsf{CL}\), the underlying classical fully homomorphic scheme only needs to be additively homomorphic.

We define our scheme \(\mathsf{CL}\) as a QHE scheme. Here and throughout, we assume \(\mathsf {HE}\) to be a classical FHE scheme that is q-IND-CPA secure (see Definition 1). As noted, such a scheme could be derived from [5]. All of our schemes operate on qubit circuits, and encrypt qubit-by-qubit. Thus we fix \(\mathcal {M}=\mathbb {C}^{\{0,1\}}\). Ciphertexts consist of quantum states in \(\mathbb {C}^{\{0,1\}}\), combined with classical strings. Specifically, if C is the output space of \(\mathsf{HE}.\mathsf{Enc}\), and \(C'\) is the output space of \(\mathsf{HE}.{\mathsf {Eval}}\), then we define \(\mathcal {C}= \mathbb {C}^{C\times C}\otimes \mathcal{X}\), where \(\mathcal{X}\equiv \mathbb {C}^{\{0,1\}}\), and \(\mathcal {C}'=\mathbb {C}^{C'\times C'}\otimes \mathcal X\).

  • Key Generation. \(\mathsf{CL}.{\mathsf {KeyGen}}(1^\kappa )\). For key generation, execute \(({ pk}, { sk}, { evk}) \leftarrow \mathsf {HE.Keygen(1^\kappa )}\). Output the obtained secret key, \({ sk}\), and public key, \({ pk}\). The evaluation key \(\rho _{ evk}\) takes the value of the classical state \(\rho ({{ evk}})\).

  • Encryption. \(\mathsf {CL.Enc}_{pk}: D(\mathcal {M})\rightarrow D(\mathcal {C})\). Encryption is defined as

    $$\begin{aligned} \mathsf {CL.Enc}_{pk}(\rho ^\mathcal {M})=\sum _{a,b\in \{0,1\}}\frac{1}{4}\rho (\mathsf {HE.Enc}_{pk}(a),\mathsf {HE.Enc}_{pk}(b))\otimes {\mathsf {QEnc}}_{a,b}(\rho ^\mathcal{M}). \end{aligned}$$
  • Homomorphic Evaluation. \(\mathsf {CL.Eval}^{\mathsf {C}}:D(\mathcal {R}_{evk}\otimes \mathcal {C}^{\otimes n})\rightarrow D(\mathcal {C'}^{\otimes m})\).

    Suppose \(\mathsf {C}=\mathsf {c}_1,\dots ,\mathsf {c}_G\) is a Clifford circuit.

    1. For all \(i\in [n]\), set \(f_{a,i}\leftarrow a_i\), \(f_{b,i}\leftarrow b_i\).

    2. For \(j=1,\dots ,G\) such that \(\mathsf {c}_j\) is a gate or a measurement:

       (a) Apply the gate \(\mathsf {c}_j\) to the state: \(\rho \leftarrow \mathsf {c}_j\rho \mathsf {c}_j^{-1}\).

       (b) Compose the key update rules with the key-polynomials of the affected wires: if \(\mathsf {c}_j\) is a single qubit gate or measurement acting on the \({i}^{\text {th}}\) wire, update as \((f_{a,i},f_{b,i})\leftarrow ( f_{a,i}\circ f_a^{\mathsf {c}_j}, f_{b,i}\circ f_b^{\mathsf {c}_j})\). If \(\mathsf {c}_j\) is a \(\mathsf{CNOT}\)-gate acting on wires i and \(i'\), update \((f_{a,i},f_{a,i'},f_{b,i},f_{b,i'})\).

    3. Update the classical encryptions by computing

       $$c_i = (\mathsf{HE}.{\mathsf {Eval}}_{evk}^{f_{a,i}}(\tilde{a}_i), \mathsf{HE}.{\mathsf {Eval}}_{evk}^{f_{b,i}}(\tilde{b}_i)).$$

    4. Output \((c_1,\dots ,c_m,\rho )\).

  • Decryption. \(\mathsf {CL.Dec}_{sk}: D (\mathcal {C'})\rightarrow D(\mathcal {M})\). For \(\tilde{a},\tilde{b} \in C'\), decryption is defined:

    $$\begin{aligned} \mathsf{CL}.\mathsf{Dec}_{sk}:{|{\tilde{a}}\rangle }{\langle {\tilde{a}}|}\otimes {|{\tilde{b}}\rangle }{\langle {\tilde{b}}|}\otimes \rho ^\mathcal{X}\mapsto {\mathsf {QDec}}_{\mathsf{HE}.\mathsf{Dec}_{sk}(\tilde{a}),\mathsf{HE}.\mathsf{Dec}_{sk}(\tilde{b})}(\rho ^\mathcal{X}), \end{aligned}$$

We prove the homomorphic and security properties of \(\mathsf{CL}\) in [9].

6 \(\mathsf{T}\)-gate Computation Using Entanglement: \(\mathsf{EPR}\)

In order to achieve universality for quantum circuits, we need to add a non-Clifford group gate, such as the \(\mathsf{T}\)-gate. As noted in Sect. 1.1, if we apply the same technique as in Sect. 5 (i.e. to apply the \(\mathsf{T}\)-gate on the encrypted quantum data) we run into a problem, since \(\mathsf{T}\mathsf{X}^a \mathsf{Z}^b = \mathsf{X}^a \mathsf{Z}^{a \oplus b} \mathsf{P}^a \mathsf{T}\). That is, conditioned on a, the output picks up an undesirable \(\mathsf{P}\) error, which cannot be corrected by applying Pauli corrections. In [10], Childs arrives at the same conclusion, and makes the observation that, in the case where \(a=1\), the evaluation algorithm could be made to correct this erroneous \(\mathsf{P}\)-gate. As long as the evaluation algorithm does not find out if this correction is being executed or not, security holds. The solution in [10] involves quantum interaction; this was recently improved to a single auxiliary qubit, coupled with classical interaction [6, 13]. As a proof technique (for establishing security), [6, 13] considers an equivalent, entanglement-based protocol. Here, we use the idea of exploiting entanglement in order to delay the correction required for the evaluation of the \(\mathsf{T}\)-gate on encrypted data. The protocol is illustrated in Fig. 2. Correctness of Fig. 2 is proven in the full version [9].
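As an added example, not code from the paper, the following Python tracks the key-polynomials of Sect. 5 symbolically for a Clifford circuit (each \(f_{a,i}\), \(f_{b,i}\) stored as the set of variables whose XOR it is) and then checks numerically, with a minimal matrix simulator, that every update rule satisfies \(\mathsf {C}\mathsf {Q}=\mathsf {Q}'\mathsf {C}\) up to a global phase, and that the \(\mathsf{T}\)-gate relation above leaves a \(\mathsf{P}^a\) factor that no Pauli key update can absorb. The per-gate rules are the standard Pauli-conjugation relations and are assumed to agree with the paper's tables in [9, App. C]; variable names such as a0, b0 are constructed for the example.

```python
"""Symbolic key-update tracking for quantum one-time-pad keys (added example, not
code from the paper).  A linear F_2 polynomial is stored as the frozenset of
variable names whose XOR it is; the gate rules are the standard Pauli-conjugation
relations, assumed to agree with the paper's tables in [9, App. C]."""
from itertools import product

def xor(*polys):
    """Sum over F_2 of linear polynomials = symmetric difference of variable sets."""
    out = frozenset()
    for p in polys:
        out ^= p
    return out

# (f_a, f_b) -> (f_a', f_b') with C X^a Z^b = X^a' Z^b' C up to a global phase:
# X and Z only add a phase; H swaps the keys; P X^a Z^b = X^a Z^{a+b} P.
RULES_1Q = {"X": lambda fa, fb: (fa, fb), "Z": lambda fa, fb: (fa, fb),
            "H": lambda fa, fb: (fb, fa), "P": lambda fa, fb: (fa, xor(fa, fb))}

def rule_cnot(fa_c, fb_c, fa_t, fb_t):
    """CNOT(control c, target t): X errors copy c -> t, Z errors copy t -> c."""
    return fa_c, xor(fb_c, fb_t), xor(fa_c, fa_t), fb_t

def track_keys(n, circuit):
    """Key-polynomials {('a', i): poly, ('b', i): poly} after a Clifford circuit
    given as a list of ("H", i), ("P", i), ("X", i), ("Z", i), ("CNOT", c, t)."""
    keys = {}
    for i in range(n):
        keys["a", i], keys["b", i] = frozenset({f"a{i}"}), frozenset({f"b{i}"})
    for gate in circuit:
        if gate[0] == "CNOT":
            _, c, t = gate
            keys["a", c], keys["b", c], keys["a", t], keys["b", t] = rule_cnot(
                keys["a", c], keys["b", c], keys["a", t], keys["b", t])
        else:
            name, i = gate
            keys["a", i], keys["b", i] = RULES_1Q[name](keys["a", i], keys["b", i])
    return keys

def evaluate(poly, assignment):
    """Evaluate a linear F_2 polynomial at a concrete bit assignment."""
    return sum(assignment[v] for v in poly) % 2

# Minimal dense-matrix arithmetic (pure Python), used only to check the rules.
def matmul(A, B):
    return [[sum(A[i][k] * B[k][j] for k in range(len(B))) for j in range(len(B[0]))]
            for i in range(len(A))]

def kron(A, B):
    m, p = len(B), len(B[0])
    return [[A[i // m][j // p] * B[i % m][j % p] for j in range(len(A[0]) * p)]
            for i in range(len(A) * m)]

I2, X, Z = [[1, 0], [0, 1]], [[0, 1], [1, 0]], [[1, 0], [0, -1]]
H = [[2 ** -0.5, 2 ** -0.5], [2 ** -0.5, -(2 ** -0.5)]]
P, T = [[1, 0], [0, 1j]], [[1, 0], [0, (1 + 1j) / 2 ** 0.5]]
CNOT = [[1, 0, 0, 0], [0, 1, 0, 0], [0, 0, 0, 1], [0, 0, 1, 0]]
GATES_1Q = {"X": X, "Z": Z, "H": H, "P": P}

def pauli(a, b):
    """The one-qubit Pauli X^a Z^b."""
    return matmul(X if a else I2, Z if b else I2)

def equal_up_to_phase(A, B, tol=1e-9):
    """True iff A = e^{i theta} B for some global phase theta (B nonzero)."""
    fa, fb = [x for r in A for x in r], [x for r in B for x in r]
    k = max(range(len(fb)), key=lambda j: abs(fb[j]))
    phase = fa[k] / fb[k]
    return abs(abs(phase) - 1) < tol and all(abs(x - phase * y) < tol for x, y in zip(fa, fb))

def clifford_rules_hold():
    """Check C Q(a, b) = Q(f_a', f_b') C for every rule above and every key."""
    for name, G in GATES_1Q.items():
        keys = track_keys(1, [(name, 0)])
        for a, b in product((0, 1), repeat=2):
            asg = {"a0": a, "b0": b}
            q2 = pauli(evaluate(keys["a", 0], asg), evaluate(keys["b", 0], asg))
            if not equal_up_to_phase(matmul(G, pauli(a, b)), matmul(q2, G)):
                return False
    keys = track_keys(2, [("CNOT", 0, 1)])
    for bits in product((0, 1), repeat=4):
        asg = dict(zip(("a0", "b0", "a1", "b1"), bits))
        q = kron(pauli(bits[0], bits[1]), pauli(bits[2], bits[3]))
        q2 = kron(pauli(evaluate(keys["a", 0], asg), evaluate(keys["b", 0], asg)),
                  pauli(evaluate(keys["a", 1], asg), evaluate(keys["b", 1], asg)))
        if not equal_up_to_phase(matmul(CNOT, q), matmul(q2, CNOT)):
            return False
    return True

def t_gate_leaves_p_error():
    """Check T X^a Z^b = X^a Z^{a+b} P^a T (up to phase), and that for a = 1 no
    Pauli alone moves T through the pad, so a key update cannot absorb the P^a."""
    for a, b in product((0, 1), repeat=2):
        rhs = matmul(matmul(pauli(a, a ^ b), P if a else I2), T)
        if not equal_up_to_phase(matmul(T, pauli(a, b)), rhs):
            return False
    return not any(equal_up_to_phase(matmul(T, pauli(1, 0)), matmul(pauli(a2, b2), T))
                   for a2, b2 in product((0, 1), repeat=2))
```

Calling `track_keys(2, [("H", 0), ("CNOT", 0, 1), ("P", 1)])` gives, in the paper's 1-indexed notation, \(f_{a,1}=b_1\), \(f_{b,1}=a_1\oplus b_2\), \(f_{a,2}=a_2\oplus b_1\) and \(f_{b,2}=a_2\oplus b_1\oplus b_2\); every rule is linear, which is why \(\mathsf{CL}\) needs only an additively homomorphic \(\mathsf{HE}\), while `t_gate_leaves_p_error()` exhibits the obstruction that Sects. 6 and 7 resolve in two different ways.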

Fig. 2. Evaluation protocol for the \({t}^{\text {th}}\) \(\mathsf{T}\)-gate, on the \({i}^{\text {th}}\) wire. The key-polynomials \(f_{a,i}\) and \(f_{b,i}\) are in \(\mathbb {F}_2[V]\). After the protocol, V gains a new variable corresponding to the unknown measurement result \(k_t\). The dashed box shows part of the decryption, which happens at some point in the future, after the complete evaluation is finished. (Circuit diagram not reproduced.)

Figure 2 shows that, using the state \({|{\varPhi ^+}\rangle } = \frac{1}{\sqrt{2}}({|{00}\rangle } + {|{11}\rangle })\), the conditional \(\mathsf{P}\) correction can be delayed. The cost of this is that the value of the measurement result, \(k_t\), on auxiliary register \({\mathcal {R}}_t\), is undetermined until later, when it is measured as part of the decryption. Thus we view the key updates as a symbolic computation: each time a \(\mathsf{T}\)-gate is applied, an extra variable, \(k_t\), is introduced.

For the first \(\mathsf{T}\)-gate evaluation (\(t=1\)), the evaluation procedure does not have the knowledge to evaluate \(f_1=f_{a,i}\), where i is the wire upon which the gate is performed, in order to perform the correction. It is possible (using the classical scheme \(\mathsf{HE}\)) to compute a classical ciphertext \(\widetilde{f_1}\) that decrypts to \(f_1(a_1,b_1,\dots ,a_n,b_n)\). Thus, for this \(\mathsf{T}\)-gate, the output part of the auxiliary system contains both \(\widetilde{f_1}\) and the register \({\mathcal {R}}_1\). As part of the decryption operation, compute \(f_1 \leftarrow \mathsf{HE}.\mathsf{Dec}(\widetilde{f_1})\), and apply \(\mathsf{P}^{f_1}\) on \({\mathcal {R}}_1\) before measuring in the Hadamard basis and obtaining \(k_1\). From the point of view of the evaluation procedure, \(k_1\) is unknown and so it becomes an unknown part of the encryption key (in contrast with the previous keys, which are also “unknown”, but to a lesser degree, since we have access to the classical encrypted values of these keys). The algorithm \({\mathsf {Eval}}\) continues in this fashion for values of t up to R; each time, the set of unknown variables increases by one. Note that, according to Fig. 2, as well as the linearity of the key update rules, for all t, \(f_t\in \mathbb {F}_2[a_1,\dots ,a_n,b_1,\dots ,b_n,k_1,\dots ,k_{t-1}]\) is linear (since c is a known constant), so we can write \(f_t=f_t^k+f_t^{ab}\) for \(f_t^k\in \mathbb {F}_2[k_1,\dots ,k_{t-1}]\) and \(f_t^{ab}\in \mathbb {F}_2[a_1,\dots ,a_n,b_1,\dots ,b_n]\).

The cost of this construction is that each \(\mathsf{T}\)-gate adds to the complexity of the decryption procedure, since, in particular, for each \(\mathsf{T}\)-gate, we must perform a possible \(\mathsf{P}\)-correction and a measurement on an auxiliary qubit. In addition, we cannot evaluate the key-polynomials, nor the \(f_t\), until the variables \(k_t\) have been measured, so this evaluation must take place in the decryption phase, increasing the dependence on R, the number of \(\mathsf{T}\)-gates, to \(O(R^2)\) (see full version [9]).

We now formally define the indivisible QHE scheme, \(\mathsf{EPR}\). As in \(\mathsf{CL}\), we have message space \(\mathcal{M}=\mathbb {C}^{\{0,1\}}\) and cipherspace \(\mathcal{C}=\mathbb {C}^{C\times C}\otimes \mathcal X\), where C is the output space of \(\mathsf{HE}.\mathsf{Enc}\) and \(\mathcal{X}\equiv \mathbb {C}^{\{0,1\}}\). Since \(\mathsf{EPR}\) is indivisible, the output space of \(\mathsf{EPR}.{\mathsf {Eval}}^{\mathsf {C}}\) has the form \(\mathcal {R}_{aux}\otimes \mathcal{C'}^{\otimes m}\). In our case, we have \(\mathcal {R}_{aux}=\mathcal {R}_1\otimes \dots \otimes \mathcal {R}_R\otimes (\mathbb {C}^{\{0,1\}^{R+1}})^{\otimes R}\otimes (\mathbb {C}^{C'})^{\otimes R}\), where R is the number of \(\mathsf{T}\)-gates, \(C'\) is the output space of \(\mathsf{HE}.{\mathsf {Eval}}\), and \(\mathcal {R}_t\equiv \mathbb {C}^{\{0,1\}}\). The classical parts of the auxiliary space allow us to output R linear polynomials in \(\mathbb {F}_2[k_1,\dots , k_R]\) corresponding to \(\{f_t^k\}_{t=1}^R\), each of which can be represented with \(R+1\) bits; as well as R \(\mathsf{HE}.{\mathsf {Eval}}\) outputs, corresponding to encryptions of \(\{f_t^{ab}(a_1,\dots ,a_n,b_1,\dots ,b_n)\}_{t=1}^R\). Similarly, we have \(\mathcal {C}'=(\mathbb {C}^{\{0,1\}^{R+1}})^{\otimes 2}\otimes \mathbb {C}^{C'\times C'} \otimes \mathcal X\).

The key generation, \(\mathsf{EPR}.{\mathsf {KeyGen}}\), and encryption, \(\mathsf{EPR}.\mathsf{Enc}\), are defined exactly as \(\mathsf{CL}.{\mathsf {KeyGen}}\) and \(\mathsf{CL}.\mathsf{Enc}\). We now define \(\mathsf{EPR}.{\mathsf {Eval}}\) and \(\mathsf{EPR}.\mathsf{Dec}\).

Evaluation. \(\mathsf{EPR}.{\mathsf {Eval}}_{evk}\). As in \(\mathsf {CL}\), apply gates in \(\{\mathsf{X}, \mathsf{Z}, \mathsf{P}, \mathsf{H}, \mathsf{CNOT}\}\) directly on the encrypted quantum registers. For the \(\mathsf{T}\)-gate, use the gadget defined in Fig. 2. This gadget differs from previous gadgets in that it uses an auxiliary Bell state, \({|{\varPhi ^+}\rangle }\). After the system of the \({i}^{\text {th}}\) wire, \(\mathcal {X}_i\), is measured, relabel half of the Bell state as \(\mathcal {X}_i\), and the other half as \({\mathcal {R}}_t\), which is returned as part of \(\mathcal {R}_{aux}\). The full evaluation procedure is as follows.

  1. Set \(V\leftarrow \{a_i,b_i\}_{i\in [n]}\), and \(\forall \,i\in [n]\), \(f_{a,i}\leftarrow a_i\), \(f_{b,i}\leftarrow b_i\).

  2. Let \(\mathsf {g}_1,\dots ,\mathsf {g}_G\) be a topological ordering of the gates in \(\mathsf {C}\). For \(j=1,\dots ,G\), evaluate \(\mathsf {g}_j\) using the appropriate gadget.

  3. Let S be the set of output wires. Let \(\mathcal {L}\) be the set of labels \(\mathcal {L}=\{(a,i),(b,i):i\in S\}\cup \{1,\dots , R\}\). For each \(\alpha \in \mathcal {L}\), we want to homomorphically evaluate \(f_\alpha \) to obtain the actual (encrypted) key, but we can only actually evaluate the part of \(f_\alpha \) that is in the variables \(\{a_i,b_i\}_i\) — the \(\{k_t\}_t\) are still unknown. Recall that we can write \(f_\alpha =f_\alpha ^k+f_\alpha ^{ab}\) for \(f_\alpha ^k\in \mathbb {F}_2[k_1,\dots ,k_R]\) and \(f_\alpha ^{ab}\in \mathbb {F}_2[a_1,\dots ,a_n,b_1,\dots ,b_n]\). Compute \(\widetilde{f_\alpha ^{ab}}\leftarrow \mathsf {HE.Eval}_{evk}^{f_\alpha ^{ab}}(\tilde{a}_1,\dots ,\tilde{a}_n,\tilde{b}_1,\dots ,\tilde{b}_n)\).

  4. Output: the \(m=|S|\) qubit registers \(\{\mathcal {X}_i:i\in S\}\) corresponding to the encrypted output of the circuit; the R qubit registers \(\mathcal {R}_1,\dots ,\mathcal {R}_R\) corresponding to auxiliary states created by \(\mathsf{T}\)-gadgets; the polynomials \(\{f_\alpha ^k\}_{\alpha \in \mathcal {L}}\subset \mathbb {F}_2[k_1,\dots ,k_R]\) and the homomorphically evaluated polynomials \(\{\widetilde{f_\alpha ^{ab}}\}_{\alpha \in \mathcal {L}}\).

Decryption. \(\mathsf{EPR}.\mathsf{Dec}_{sk}\). In order to decrypt, measure the \(\mathcal {R}_t\) in order from 1 to R, computing \(f_t(k_1,\dots ,k_{t-1})\) as required. Formally:

  1. For \(t=1,\dots , R\):

     (a) Decrypt \(f^{ab}_t \leftarrow \mathsf {HE.Dec}_{sk}(\widetilde{f^{ab}_t})\).

     (b) Compute \(a \leftarrow f_t^k(k_1,\dots ,k_{t-1})\oplus f^{ab}_t\) and apply \(\mathsf{H}\mathsf{P}^a\) to \(\mathcal {R}_t\).

     (c) Measure \(\mathcal {R}_t\) to get \(k_t\).

  2. Let S be the set of indices of the output qubit registers. For \(i\in S\):

     (a) Decrypt \(f^{ab}_{a,i} \leftarrow \mathsf {HE.Dec}_{sk}(\widetilde{f^{ab}_{a,i}})\) and \(f^{ab}_{b,i} \leftarrow \mathsf {HE.Dec}_{sk}(\widetilde{f^{ab}_{b,i}})\).

     (b) Compute \(a_i \leftarrow f^k_{a,i}(k_1,\dots ,k_t)\oplus f^{ab}_{a,i}\) and \(b_i \leftarrow f^k_{b,i}(k_1,\dots ,k_t)\oplus f^{ab}_{b,i}\).

  3. To each register \(\mathcal {X}_i\), apply the map \({\mathsf {QDec}}_{a_i, b_i}\). Output registers \(\mathcal {X}_1, \ldots , \mathcal {X}_{m}\).

We prove that \(\mathsf{EPR}\) is homomorphic for all quantum circuits in the universal gate set \(\{\mathsf{X},\mathsf{Z},\mathsf{P},\mathsf{CNOT},\mathsf{H},\mathsf{T}\}\), \(R^2\)-quasi-compact, and q-IND-CPA, in [9].

7 \(\mathsf{T}\)-gate Computation Using Auxiliary States: \(\mathsf{AUX}\)

In the previous QHE scheme, we solved the problem of performing the \(\mathsf{P}\) correction by delaying the correction via entanglement. In this section, we present a quantum homomorphic encryption scheme, \(\mathsf{AUX}\), that takes a more proactive approach to dealing with the \(\mathsf{P}\) correction. At a high level, \(\mathsf{AUX}\) can be understood as the following: as part of the evaluation key, \(\mathsf{AUX}.{\mathsf {KeyGen}}\) outputs a number of auxiliary states. These states “encode” parts of the original encryption key, and are used to correct for the errors induced by the straightforward application of the \(\mathsf{T}\)-gate on the cipherstates. In more detail, the auxiliary states encode hidden versions of \(\mathsf{P}\) corrections, such as \({|{+_{a,k}}\rangle }:=\mathsf{Z}^{k}\mathsf{P}^{a} {|{+}\rangle }\) (where k is a random bit and a is an encryption key) that are useful for the evaluation of the \(\mathsf{T}\)-gate (see Fig. 3). In general (after having applied prior gates), the exact auxiliary state will not be available; instead, the \({\mathsf {Eval}}\) procedure combines a number of auxiliary states in order to create a single copy of a state that is useful for performing the correction. This combination operation, however, is expensive as it introduces new unknowns (in terms of new variables as well as “cross-terms”), that need to be corrected in any future \(\mathsf{T}\)-gate. Thus the size of the evaluation key grows rapidly, as a polynomial whose degree is exponential in the \(\mathsf{T}\)-depth. We can thus tolerate only a constant \(\mathsf{T}\)-gate depth for this scheme to be efficient.

Fig. 3. A \(\mathsf{T}\)-gadget for the scheme \(\mathsf{AUX}\) consists of the above circuit and key-update rules. We use \(\mathrm {var}(k)\) to denote the set of variables in the polynomial k, which depends on the construction of the auxiliary state \({|{+_{f_{a,i},k}}\rangle }\), described below. (Circuit diagram not reproduced.)

We further specify that \(\mathsf{AUX}\) is a symmetric-key encryption scheme. This is because \(\mathsf{AUX}.{\mathsf {KeyGen}}\) generates auxiliary qubits that depend on the quantum one-time pad encryption keys. Also, KeyGen takes an extra parameter \(1^n\), where n is an upper bound on the total number of qubits that can be encrypted (\(\mathsf{AUX}\) acts much like a classical one-time pad scheme that picks a fixed-length encryption key ahead of time). After this bound on the number of encryptions has been attained, no further qubits can be encrypted. We will suppose without loss of generality that a circuit being homomorphically evaluated is on n wires. Furthermore, the number and type of auxiliary qubits will depend on the \(\mathsf{T}\)-depth of the circuit to be evaluated, L. The scheme will not be able to homomorphically evaluate circuits with \(\mathsf{T}\)-depth greater than L. Fix a constant L. We will now define a scheme \(\mathsf{AUX}=\mathsf{AUX}_L\) that is homomorphic for all circuits with \(\mathsf{T}\)-depth at most L.

Providing the necessary auxiliary states for each \(\mathsf{T}\)-gate would require advance knowledge of the key \(f_{a,i}\) at the time a \(\mathsf{T}\)-gate is applied to the \({i}^{\text {th}}\) wire. Since this depends on both the circuit being applied and prior measurement results, we appear to be at an impasse. The key observation that allows us to continue with this approach is that, given auxiliary states \({|{+_{f_1,k_1}}\rangle }\) and \({|{+_{f_2,k_2}}\rangle }\), we can combine them to get \({|{+_{f_1\oplus f_2,k}}\rangle }\), for some k, using the following circuit:

(figure b: circuit diagram not reproduced)

By iterating this procedure, given auxiliary states \({|{+_{f_1,k_1}}\rangle },\dots ,{|{+_{f_r,k_r}}\rangle }\), we can construct \({|{+_{f_1\oplus \dots \oplus f_r,k}}\rangle }\), where \(k=\bigoplus _{i=1}^r k_i\oplus \bigoplus _{i=2}^r c_if_i\oplus \bigoplus _{i=1}^r\bigoplus _{j=1}^{i-1}f_if_j\) for known values \(c_i\). Thus, if we give many initial auxiliary states of the form \(\{{|{+_{a_i,k_{a,i}}}\rangle },{|{+_{b_i,k_{b,i}}}\rangle }\}_i\) (with different keys for different copies), we can construct \({|{+_{f,k}}\rangle }\) for f a linear function of \(\{a_i,b_i\}_{i\in [n]}\). However, using an auxiliary state \({|{+_{f_{a,i},k}}\rangle }\) to facilitate a \(\mathsf{T}\)-gate on the \({i}^{\text {th}}\) wire introduces the unknown k into \(f_{b,i}\). In particular, suppose \(f_{a,i}=\bigoplus _{j=1}^r t_j\) for some monomial terms \(t_j\in \mathbb {F}_2[V]\). Then we will need to construct it from auxiliary states \({|{+_{t_1,k_1}}\rangle },\dots ,{|{+_{t_r,k_r}}\rangle }\), to get \({|{+_{f_{a,i},k}}\rangle }\) for \(k=\bigoplus _{i=1}^r k_i\oplus \bigoplus _{i=2}^r c_it_i\oplus \bigoplus _{i=1}^r\bigoplus _{j=1}^{i-1}t_it_j\). Thus, after the \(\mathsf{T}\)-gadget, the new keys \(f_{a,i}',f_{b,i}'\) are in unknowns \(V\cup \{k_1,\dots ,k_r\}\). Furthermore, because of the cross terms \(t_it_j\), the degree of the key-polynomials increases, so we can no longer assume they are linear. Since we can’t produce \({|{+_{f_1f_2,k}}\rangle }\) from \({|{+_{f_1,k_1}}\rangle }\) and \({|{+_{f_2,k_2}}\rangle }\), we need to provide additional auxiliary states for every possible term. We discuss this more formally below and in the full version [9].

As in \(\mathsf{CL}\) and \(\mathsf{EPR}\), we work with qubits: \(\mathcal {M}\equiv \mathbb {C}^{\{0,1\}}\). In contrast to our previous schemes, the classical encryptions of the quantum one-time pad keys are part of the evaluation key (for convenience only), so we have \(\mathcal {C}\equiv \mathbb {C}^{\{0,1\}}\). However, after evaluation, the classical encryption of the new one-time pad keys is needed for decryption, so as in \(\mathsf{CL}\), we have \(\mathcal {C}'\equiv \mathbb {C}^{C'\times C'}\otimes \mathcal {X}\), where \(C'\) is the output space of \(\mathsf{HE}.{\mathsf {Eval}}\), and \(\mathcal {X}\equiv \mathbb {C}^{\{0,1\}}\).

Key Generation. \(\mathsf {\mathsf{AUX}.Keygen}(1^\kappa , 1^n)\). The evaluation key contains auxiliary states that allow each of L layers of \(\mathsf{T}\)-gates to be implemented. Thus, for each layer and each wire (since every wire must be able to carry a \(\mathsf{T}\)-gate), we need to be able to construct an auxiliary state \({|{+_{f_{a,i},k}}\rangle }\) for some k. Since we can add auxiliary states, we can construct this auxiliary state if we have an auxiliary state for each term in \(f_{a,i}\). Since \(f_{a,i}\) depends on the circuit, which we do not know in advance, we need to provide an auxiliary state for every term that could possibly be in \(f_{a,i}\) at the \({\ell }^{\text {th}}\) layer of \(\mathsf{T}\)-gates, for \(\ell =1,\dots ,L\).

We now define sets of monomials \(T_1,\dots ,T_L\) such that the keys in the \({\ell }^{\text {th}}\) layer consist of sums of terms from \(T_\ell \). Let \(V_1:={\{a_i,b_i\}_{i\in [n]}}\), and define \(T_1\subset \mathbb {F}_2[V_1]\) by \(T_1:=\{a_i,b_i\}_{i\in [n]}\). The monomials in \(T_1\) represent the possible terms in the key-polynomials before the first layer of \(\mathsf{T}\)-gates. Each of the up to n \(\mathsf{T}\)-gates in the first layer requires a copy of each of \(\{{|{+_{t,k^{(1)}_t}}\rangle }\}_{t\in T_1}\), with independent random keys for each, for a total of \(n|T_1|\) auxiliary states. More generally, for the \({\ell }^{\text {th}}\) layer of \(\mathsf{T}\)-gates, we let \(T_{\ell }\) be the set of possible terms in the key-polynomials before applying the \({\ell }^{\text {th}}\) layer of \(\mathsf{T}\)-gates. We can see from the \(\mathsf{T}\)-gadget, as well as the construction for adding auxiliary states, that the keys from the previous layer’s auxiliary states, \(\{k^{(\ell -1)}_{1,i},\dots ,k^{(\ell -1)}_{|T_{\ell -1}|,i}\}_{i=1}^n\), may now be variables in the key-polynomials, and that products of terms from the previous layer may now be terms in the key-polynomials of the current layer. (This is caused by auxiliary state addition; see [9] for details.) Thus, for \(\ell > 1\), we can define \(T_{\ell }\subset \mathbb {F}_2[V_{\ell }]\), where \(V_{\ell }:=V_{\ell -1}\cup \{k^{(\ell -1)}_{1,i},\dots ,k^{(\ell -1)}_{|T_{\ell -1}|,i}\}_{i=1}^n\), by

$$T_{\ell }:=T_{\ell -1}\cup \{tt': t,t'\in T_{\ell -1}, t\ne t'\}\cup \left\{ k^{(\ell -1)}_{1,i},\dots ,k^{(\ell -1)}_{|T_{\ell -1}|,i}\right\} _{i=1}^n.$$

We then provide each of the n wires with an auxiliary state for each term in \(T_{\ell }\), for \(\ell =1,\dots ,L\). We now make this more precise.

To each \(T_\ell \), we associate a family of strings \(\{s^{(\ell )}(x)\}_{x\in \{0,1\}^{V_\ell }}\) in \(\{0,1\}^{T_{\ell }}\), defined so that for every \(f\in T_{\ell }\), the f-entry of \(s^{(\ell )}(x)\) is \(s^{(\ell )}_f(x)=f(x).\) That is, \(s^{(\ell )}(x)\) represents evaluating every monomial in \(T_{\ell }\) at x. For instance, we have, for any strings \(a,b\in \{0,1\}^n\), \(s^{(1)}(a,b)=(a_1,\dots ,a_n,b_1,\dots ,b_n)\).

For any strings \(s,k\in \{0,1\}^n\), define \(\sigma (s,k):=\bigotimes _{i=1}^n{|{+_{s_i,k_i}}\rangle }{\langle {+_{s_i,k_i}}|}\).

For any string s, let \(s^{*n}\) denote the concatenation of n copies of s. For any \(a,b\in \{0,1\}^n\) and \(k=(k^{(1)},\dots ,k^{(L)})\in \{0,1\}^{n|T_1|}\times \dots \times \{0,1\}^{n|T_L|}\), define

$$\sigma _{aux}^{a,b,k}:=\sigma (s^{(1)}(a,b)^{*n},k^{(1)})\otimes \dots \otimes \sigma (s^{(L)}(a,b,k^{(1)},\dots ,k^{(L-1)})^{*n},k^{(L)}).$$
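To make the growth of the evaluation key concrete, the following Python (an added example, not the paper's code) builds \(T_1,\dots ,T_L\) by the recursion above, evaluates \(s^{(\ell )}(x)\), counts the qubits in \(\sigma _{aux}^{a,b,k}\) (n copies of one state per term per layer), and applies the key formula for combining auxiliary states given earlier in this section, whose cross terms \(t_it_j\) are what raise the degree. It assumes multilinear monomials (a monomial is the set of its variables and \(x^2=x\), since every variable is a bit, so \(|T_\ell |\) here is at most the formal count) and uses constructed variable names such as a0, b0 and k1_j_i for \(k^{(1)}_{j,i}\).

```python
"""Auxiliary-state bookkeeping for the scheme AUX (added example, not code from
the paper).  A polynomial over F_2 is a frozenset of monomials and a monomial is
the frozenset of its variables; because every variable is a bit, x^2 = x is
assumed, so the product of two monomials is the union of their variable sets.
Variable names (a0, b0, k1_j_i, ...) are constructed for this example."""


def poly_add(*polys):
    """Sum over F_2 = symmetric difference of monomial sets."""
    out = frozenset()
    for p in polys:
        out ^= p
    return out


def degree(poly):
    """Largest number of variables in any monomial of the polynomial."""
    return max((len(m) for m in poly), default=0)


def combined_key(terms, keys, c):
    """Key k of the state |+_{t_1+...+t_r, k}> obtained by combining the states
    |+_{t_i, k_i}>, via the paper's formula
        k = (+)_i k_i  (+)  (+)_{i>=2} c_i t_i  (+)  (+)_{i>j} t_i t_j.
    terms: the monomials t_i; keys: names of the key bits k_i; c: the known
    bits, with c[0] unused so that c[i] pairs with terms[i] (the paper's c_{i+1})."""
    k = poly_add(*(frozenset({frozenset({kv})}) for kv in keys))
    for i in range(1, len(terms)):
        if c[i]:
            k = poly_add(k, frozenset({terms[i]}))
    for i in range(len(terms)):
        for j in range(i):
            k = poly_add(k, frozenset({terms[i] | terms[j]}))   # cross term t_i t_j
    return k


def monomial_sets(n, L):
    """[T_1, ..., T_L]: the possible key-polynomial terms before each T-layer,
    T_l = T_{l-1} u {t t' : t != t' in T_{l-1}} u {k^{(l-1)}_{j,i} : j in [|T_{l-1}|], i in [n]}."""
    T = [frozenset(frozenset({v}) for i in range(n) for v in (f"a{i}", f"b{i}"))]
    for layer in range(2, L + 1):
        prev = T[-1]
        products = {t | u for t in prev for u in prev if t != u}
        new_keys = {frozenset({f"k{layer - 1}_{j}_{i}"})
                    for i in range(n) for j in range(len(prev))}
        T.append(prev | products | new_keys)
    return T


def s_string(T_l, x):
    """s^{(l)}(x): every monomial of T_l evaluated at the bit assignment x."""
    return {t: int(all(x[v] for v in t)) for t in T_l}


def aux_qubit_count(n, L):
    """Number of qubits in sigma_aux: n copies of one |+_{t,k}> per term per layer."""
    return n * sum(len(T_l) for T_l in monomial_sets(n, L))
```

For a single wire, `monomial_sets(1, 3)` has sizes 2, 5 and 17, so `aux_qubit_count(1, 2)` is 7 and `aux_qubit_count(2, 2)` is 44; the jump from layer to layer is dominated by the pairwise products, which is the growth the text describes as a polynomial of degree exponential in L.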

We can now define the procedure \(\mathsf{AUX}.{\mathsf {KeyGen}}(1^\kappa ,1^n)\):

  1. Execute \((pk,sk,evk)\leftarrow \mathsf{HE}.{\mathsf {KeyGen}}(1^{\kappa +n})\).

  2. Choose uniform random \(a,b\in \{0,1\}^n\) and \(k=(k^{(1)},\dots ,k^{(L)})\in \{0,1\}^{n|T_1|}\times \dots \times \{0,1\}^{n|T_L|}\).

  3. Output secret key \((sk, a, b, k)\).

  4. Output evaluation key: pk, evk, \(\tilde{a}_1=\mathsf{HE}.\mathsf{Enc}_{pk}(a_1),\dots ,\tilde{a}_n=\mathsf{HE}.\mathsf{Enc}_{pk}(a_n)\), \(\tilde{b}_1=\mathsf{HE}.\mathsf{Enc}_{pk}(b_1),\dots ,\tilde{b}_n=\mathsf{HE}.\mathsf{Enc}_{pk}(b_n)\), \(\left( \tilde{k}^{(\ell )}_i=\mathsf{HE}.\mathsf{Enc}_{pk}\left( k^{(\ell )}_{j,i}\right) \right) _{\begin{array}{c} \ell \in [L]\\ i\in [n] \\ j\in [|T_\ell |] \end{array}}\), and \(\sigma _{aux}^{a,b,k}\).

Encryption. \(\mathsf{AUX}.\mathsf{Enc}_{(sk,a,b,k),d}: D(\mathcal {M}) \rightarrow D(\mathcal {C})\). The encryption procedure takes an extra parameter d that keeps track of the number of qubits already encrypted (we assume d is initially 1 and not modified outside of \(\mathsf{AUX}.\mathsf{Enc}\)). If \(d \le n \), it applies the quantum one-time pad channel \({\mathsf {QEnc}}_{a_d, b_d}: D(\mathcal {M}) \rightarrow D(\mathcal {C})\). The output is the cipherstate in register \(\mathcal {C}\); the parameter d is updated as \(d \leftarrow d+1\). If \(d >n \), then output \(\bot \) to indicate an error.

Decryption. \(\mathsf{AUX}.\mathsf{Dec}_{(sk,a,b,k),d}: D({\mathcal {C}}') \rightarrow D(\mathcal {M})\). The decryption is defined the same as \(\mathsf{CL}.\mathsf{Dec}_{sk}\).

Homomorphic Evaluation. \(\mathsf{AUX}.{\mathsf {Eval}}^{\mathsf {C}}: D({\mathcal {R}}_{evk} \otimes {\mathcal {C}}^{\otimes n}) \rightarrow D({\mathcal {C}}'^{\otimes m})\). For Clifford group gates, we apply the gadgets as in \(\mathsf{CL}.{\mathsf {Eval}}\). For \(\mathsf{T}\)-gates, we apply the gadget in Fig. 3. The full evaluation procedure is as follows:

  1. Set \(V\leftarrow \{a_i,b_i\}_{i\in [n]}\), and \(\forall \,i\in [n]\), \(f_{a,i}\leftarrow a_i\), \(f_{b,i}\leftarrow b_i\).

  2. Let \(\mathsf {g}_1,\dots ,\mathsf {g}_G\) be a topological ordering of the gates in \(\mathsf {C}\). For \(i=1,\dots ,G\), evaluate \(\mathsf {g}_i\) using the appropriate gadget.

  3. Let S be the set of output wire labels. For each \(i\in S\):

     (a) Homomorphically evaluate \(f_{a,i}\) and \(f_{b,i}\) to obtain updated (encrypted) keys: \(\tilde{a}_i\leftarrow \mathsf{HE}.{\mathsf {Eval}}_{evk}^{f_{a,i}}(\tilde{v}:v\in V)\) and \(\tilde{b}_i\leftarrow \mathsf{HE}.{\mathsf {Eval}}_{evk}^{f_{b,i}}(\tilde{v}:v\in V)\).

  4. Output in \({\mathcal {C}}'_i\) the classical-quantum system given by:

     • the encrypted keys \(\{\tilde{a}_i,\tilde{b}_i\}_{i\in S}\);

     • the output corresponding to the encrypted output qubit i of the circuit.

The correctness of this scheme depends on two facts, which we prove in [9]. First, for every unknown \(v\in V\), we hold an encrypted copy \(\tilde{v}=\mathsf{HE}.\mathsf{Enc}_{pk}(v)\); these are what allow the final keys \(\{\tilde{a}_i,\tilde{b}_i\}\) to be computed from \(f_{a,i},f_{b,i}\in \mathbb {F}_2[V]\) using only the classical homomorphic evaluation. Second, for each level \(\ell \) and each wire label i, we hold an auxiliary state \({|{+_{t,k}}\rangle }\) for every term t that may appear in the key \(f_{a,i}\) going into the \({\ell }^{\text {th}}\) level; this is what allows the auxiliary qubit required by each \(\mathsf{T}\)-gadget to be constructed. In the full version [9], we prove that \(\mathsf{AUX}\) requires \(O(n^{2^{L-1}+1})\) auxiliary qubits, from which it follows that \(\mathsf{AUX}\) is homomorphic for quantum circuits with \(\mathsf{T}\)-depth L. We further show that \(\mathsf{AUX}\) is q-IND-CPA and compact.
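As an added worked example (not code from the paper), the following Python carries out the classical bookkeeping behind the definitions above: it builds the term sets \(T_1,\dots ,T_L\) by the recursion, evaluates \(s^{(\ell )}(x)\) at an assignment, runs steps 2 and 3 of \(\mathsf{AUX}.{\mathsf {KeyGen}}\), and lists, for every auxiliary qubit in \(\sigma _{aux}^{a,b,k}\), the classical pair (s, k) labelling \({|{+_{s,k}}\rangle }\). Monomials are stored as sets of variable names, i.e. multilinear products (\(x^2=x\) over \(\{0,1\}\)), so a product that coincides with an existing term is merged rather than counted twice; the reported sizes are therefore those of the deduplicated sets, consistent with the \(O(n^{2^{L-1}+1})\) bound but not a restatement of the paper's count. The variable names `a1`, `b1`, `k1_j_i` and the ordering of terms are this example's own conventions. The quantum states themselves are not constructed.

```python
import itertools
import secrets

# Added example, not from the paper: bookkeeping for T_ell, s^{(ell)}(x) and
# the classical part of AUX.KeyGen. A monomial is a frozenset of variable names
# (multilinear: x^2 = x over {0,1}); the names below are this example's own.

def initial_terms(n):
    """T_1 = {a_1..a_n, b_1..b_n}, in the order of s^{(1)}(a,b) = (a_1..a_n, b_1..b_n)."""
    return ([frozenset({f"a{i}"}) for i in range(1, n + 1)]
            + [frozenset({f"b{i}"}) for i in range(1, n + 1)])

def next_terms(prev, level, n):
    """T_ell = T_{ell-1} U {t t' : t != t' in T_{ell-1}} U {k^{(ell-1)}_{j,i}}."""
    terms, seen = list(prev), set(prev)
    for t, t2 in itertools.combinations(prev, 2):
        prod = t | t2                      # product of two distinct monomials
        if prod not in seen:               # e.g. a1 * a1b1 = a1b1 is already present
            seen.add(prod)
            terms.append(prod)
    for i in range(1, n + 1):              # one fresh key bit per wire i ...
        for j in range(1, len(prev) + 1):  # ... and per term j of T_{ell-1}
            terms.append(frozenset({f"k{level - 1}_{j}_{i}"}))
    return terms

def term_levels(n, L):
    """[T_1, ..., T_L] for n wires and T-depth L."""
    levels = [initial_terms(n)]
    for ell in range(2, L + 1):
        levels.append(next_terms(levels[-1], ell, n))
    return levels

def level_sizes(n, L):
    return [len(T) for T in term_levels(n, L)]

def aux_qubit_count(n, L):
    """sigma_aux carries s^{(ell)} repeated n times per level, one qubit per term."""
    return n * sum(level_sizes(n, L))

def evaluate_terms(T, x):
    """s^{(ell)}(x): the f-entry is f(x), i.e. the AND of f's variables under x."""
    return tuple(int(all(x[v] for v in f)) for f in T)

def aux_keygen_classical(n, L, rng=secrets.randbits):
    """Steps 2 and 3 of AUX.KeyGen plus the classical description of sigma_aux.

    Returns the full assignment x (a, b and every k^{(ell)}_{j,i}), the list of
    per-level key dicts k^{(1)},...,k^{(L)}, and the list of (s, k) bit pairs
    labelling each auxiliary qubit |+_{s,k}> in the order sigma_aux is laid out.
    """
    levels = term_levels(n, L)
    x = {f"a{i}": rng(1) for i in range(1, n + 1)}
    x.update({f"b{i}": rng(1) for i in range(1, n + 1)})
    per_level_keys, labels = [], []
    for ell, T in enumerate(levels, start=1):
        s = evaluate_terms(T, x)           # s^{(ell)}(a, b, k^{(1)}, ..., k^{(ell-1)})
        k_ell = {}
        for i in range(1, n + 1):          # s^{(ell)} concatenated n times (the *n operator),
            for j in range(1, len(T) + 1): # paired with k^{(ell)} in {0,1}^{n |T_ell|}
                kb = rng(1)
                k_ell[f"k{ell}_{j}_{i}"] = kb
                labels.append((s[j - 1], kb))
        x.update(k_ell)                    # k^{(ell)} are variables of T_{ell+1}
        per_level_keys.append(k_ell)
    return x, per_level_keys, labels

if __name__ == "__main__":
    for n, L in [(1, 2), (1, 3), (2, 2), (2, 3)]:
        print(f"n={n} L={L}: |T_ell| = {level_sizes(n, L)}, "
              f"auxiliary qubits = {aux_qubit_count(n, L)}")
    x, keys, labels = aux_keygen_classical(1, 2)
    print("(s, k) labels of sigma_aux for n=1, L=2:", labels)
```

Running `level_sizes` for a fixed n and increasing L makes the doubly exponential growth of \(|T_\ell |\) visible, which is the concrete reason the scheme is restricted to low \(\mathsf{T}\)-depth; `aux_keygen_classical` accepts an injectable `rng` so that the layout of \(\sigma _{aux}\) can be checked deterministically, while the default uses `secrets.randbits` for the uniform choice of a, b and k.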

We remark that if we only had a classical encryption scheme that was homomorphic over linear circuits, rather than fully homomorphic, we could obtain the same functionality from a slightly modified version of this scheme: alongside every auxiliary qubit \({|{+_{s,k}}\rangle }{\langle {+_{s,k}}|}\) we would include \(\mathsf{HE}.\mathsf{Enc}_{pk}(s)\). At present we include only some of these encryptions, omitting those for auxiliary states arising from products of terms, since such products can be computed homomorphically. Because classical fully homomorphic encryption is available, we use it to simplify the scheme slightly; however, the observation that the fully homomorphic property is not fully exploited strengthens the idea that Clifford circuits are analogous to classical linear circuits in the context of QHE.