Classical Fully Homomorphic Encryption for Quantum Circuits: Difference between revisions

m
no edit summary
mNo edit summary
Line 1: Line 1:


== Functionality Description==
== Functionality Description==
The example protocol\cite{22} achieves the functionality of [[Secure Delegated Quantum Computation]] by a method which involves fully [[Secure Delegated Quantum Computation#Functionality Description|classical offline]] and no [[Secure Delegated Quantum Computation#Functionality Description|quantum communication]]. It uses only classical [[Supplementary Information#Quantum Cryptography Techniques#Quantum Capable Homomorphic Encryption]] (HE) to evaluate quantum circuits for classical input/input. It allows a fully classical Client to hide her data such that Server can carry out any arbitrary quantum computation on the encrypted data without having any knowledge about Client’s inputs. It hides the output and input of the computation while Server is allowed to choose the unitary operation (any quantum gate) for required computation. Quantum offline communication would be required if Client’s input and output is quantum.
The example protocol\cite{22} achieves the functionality of [[Secure Delegated Quantum Computation]] by a method which involves fully [[Secure Delegated Quantum Computation#Functionality Description|classical offline]] and no [[Secure Delegated Quantum Computation#Functionality Description|quantum communication]]. It uses only classical [[Supplementary Information#Quantum Cryptography Techniques#Quantum Capable Homomorphic Encryption]] (HE) to evaluate quantum circuits for classical input/input. It allows a fully classical Client to hide her data such that Server can carry out any arbitrary quantum computation on the encrypted data without having any knowledge about Client’s inputs. It hides the output and input of the computation while Server is allowed to choose the unitary operation (any quantum gate) for required computation. Quantum offline communication would be required if Client’s input and output is quantum.</br>
'''Tags:''' [[:Category:Two Party Protocols|Two Party]], [[:Category:Quantum Functionality|Quantum Functionality]], [[:Category:Universal Task|Universal Task]], [[Secure Delegated Quantum Computation|Secure Delegated Quantum Computation]], Classical Offline Communication, [[Supplementary Information#Superposition|Superposition]], [[Supplementary Information#Trapdoor Claw-Free Functions|Trapdoor Claw-Free Functions (TCF)]], [[Supplementary Information#Learning With Errors|Learning With Errors]], [[Supplementary Information#Encrypted CNOT Operation|Encrypted CNOT Operation]].
'''Tags:''' [[:Category:Two Party Protocols|Two Party]], [[:Category:Quantum Functionality|Quantum Functionality]], [[:Category:Universal Task|Universal Task]], [[Secure Delegated Quantum Computation|Secure Delegated Quantum Computation]], [[Prepare and Send Quantum Fully Homomorphic Encryption|Prepare and Send Quantum FHE]], Classical Offline Communication, [[Supplementary Information#Superposition|Superposition]], [[Supplementary Information#Trapdoor Claw-Free Functions|Trapdoor Claw-Free Functions (TCF)]], [[Supplementary Information#Learning With Errors|Learning With Errors]], [[Supplementary Information#Encrypted CNOT Operation|Encrypted CNOT Operation]].
 
[[Category:Two Party Protocols]][[Category:Quantum Functionality]][[Category:Universal Task]]
[[Category:Two Party Protocols]][[Category:Quantum Functionality]][[Category:Universal Task]]
 
==Assumptions==
==See Also==
* This protocol is secure against honest but curious adversary setting.
[[Prepare and Send Quantum Fully Homomorphic Encryption|Prepare and Send Quantum FHE]]
* HE is a classical leveled fully homomorphic encryption scheme which is quantum capable for depth Lc.
 
* A BQP Server can generate a superposition of inputs for the encryption function over some distribution given the public key used for encryption. The protocol takes the learning with errors assumption.
== Outline==
== Outline==
FHE presents a classical protocol with the help of which a completely classical Client could assign Server a quantum computation for her encrypted (hidden) input/output. Similar to any classical HE this scheme is divided into four steps: Key Generation generates keys for encryption, decryption and evaluation of the circuit, Encryption encodes the input into a ciphertext using encryption key, Homomorphic Evauation performs operations (imlpements the circuit) on the encrypted input using evaluation key and Decryption transforms result of the ciphertext to actual outcome of the circuit using decryption key. Following the stages of Delegated Quantum Computation, in preparation stage, Client encrypts (hides) her inputs from the Server who, in the computation stage, performs quantum computation by a completely classical evaluation step where applying Clifford gates remains a simple step as it leaves the state with only Pauli corrections which are easy to handle by QOTP, but when applying Toffoli Gates, it leaves the state with some Pauli corrections and Clifford gate corrections depending on the one pad key used for (QOTP) by Client. QOTP cannot deal with Clifford gate errors and hence it needs to be corrected before the operation of next gate. These Clifford gate corrections are a combination of CNOT corrections dependent on pad key and Hadamard correction independent of pad key. Applying Hadamard requires no extra information but CNOT gate errors require revelation of one pad keys. FHE deals with this problem via Encrypted CNOT operation using TCF which only needs client to prepare one-time padded superposition states. Sever thus, updates the Pauli keys accordingly and at the end of computation, sends encrypted output to the Client with updated Pauli keys. Client decrypts sent states and gets correct output in Output Correction stage. Following is an outline of the steps involved in the scheme, assuming depth of circuit (see notations used) equal to L.
FHE presents a classical protocol with the help of which a completely classical Client could assign Server a quantum computation for her encrypted (hidden) input/output. Similar to any classical HE this scheme is divided into four steps: Key Generation generates keys for encryption, decryption and evaluation of the circuit, Encryption encodes the input into a ciphertext using encryption key, Homomorphic Evauation performs operations (imlpements the circuit) on the encrypted input using evaluation key and Decryption transforms result of the ciphertext to actual outcome of the circuit using decryption key. Following the stages of Delegated Quantum Computation, in preparation stage, Client encrypts (hides) her inputs from the Server who, in the computation stage, performs quantum computation by a completely classical evaluation step where applying Clifford gates remains a simple step as it leaves the state with only Pauli corrections which are easy to handle by QOTP, but when applying Toffoli Gates, it leaves the state with some Pauli corrections and Clifford gate corrections depending on the one pad key used for (QOTP) by Client. QOTP cannot deal with Clifford gate errors and hence it needs to be corrected before the operation of next gate. These Clifford gate corrections are a combination of CNOT corrections dependent on pad key and Hadamard correction independent of pad key. Applying Hadamard requires no extra information but CNOT gate errors require revelation of one pad keys. FHE deals with this problem via Encrypted CNOT operation using TCF which only needs client to prepare one-time padded superposition states. Sever thus, updates the Pauli keys accordingly and at the end of computation, sends encrypted output to the Client with updated Pauli keys. Client decrypts sent states and gets correct output in Output Correction stage. Following is an outline of the steps involved in the scheme, assuming depth of circuit (see notations used) equal to L.
Line 17: Line 16:
Server repeats the same procedure for each layer and finally sends the updated Pauli encryption and quantum one time padded output of the circuit to Client. Client uses the encrypted pad keys of both qubits related to the CNOT error and converts it to another ciphertext using AltHE.
Server repeats the same procedure for each layer and finally sends the updated Pauli encryption and quantum one time padded output of the circuit to Client. Client uses the encrypted pad keys of both qubits related to the CNOT error and converts it to another ciphertext using AltHE.
* '''Decryption''' The sent Pauli corrections are updated with public key of the last evaluation key used. This is the (L + 1)th public key and hence, Client uses (L + 1)th secret key (which was not included in the evaluation keys) to decrypt the updated encryption of pad key sent by the Server. Thus, she uses the resulting pad key to undo the quantum one time pad on the sent output state.
* '''Decryption''' The sent Pauli corrections are updated with public key of the last evaluation key used. This is the (L + 1)th public key and hence, Client uses (L + 1)th secret key (which was not included in the evaluation keys) to decrypt the updated encryption of pad key sent by the Server. Thus, she uses the resulting pad key to undo the quantum one time pad on the sent output state.
== Figure ==
== Notations ==
== Notations ==
* k, security parameter
* Lc, depth of the circuit/ no. of layers
* x˜ encryption of x
* x˜ encryption of x
* Lc, depth of a layer of circuit where each layer contains clifford gates and Toffoli gates
* Lc, depth of a layer of circuit where each layer contains clifford gates and Toffoli gates
Line 28: Line 26:
* (µ0,r0)(µ1,r1) random claw for TCF pair, for given y
* (µ0,r0)(µ1,r1) random claw for TCF pair, for given y
* d, measurement outcome of the second register
* d, measurement outcome of the second register
== Hardware Requirements ==


== Properties ==
== Properties ==
===Parameters===
* k, security parameter
* Lc, depth of the circuit/ no. of layers
===Adversarial Assumption===
* This protocol is secure against honest but curious adversary setting.
===Setup Assumptions===
* HE is a classical leveled fully homomorphic encryption scheme which is quantum capable for depth Lc.
* A BQP Server can generate a superposition of inputs for the encryption function over some distribution given the public key used for encryption. The protocol takes the learning with errors assumption.
===Security Claim/ Theorems===
*''Quantum Capable'' A classical HE is quantum capable i.e. can perform quantum computation efficiently if there exists AltHE which can execute natural XOR operations.
*''Quantum Capable'' A classical HE is quantum capable i.e. can perform quantum computation efficiently if there exists AltHE which can execute natural XOR operations.
*''Indistinguishability under Chosen Plaintext Attacks by adversary(IND-CPA)'' The presented classical FHE scheme is CPA secure i.e. it is not possible for any polynomial time adversary to distinguish between the encrypted classical message bits 0 and 1, by learning with errors.
*''Indistinguishability under Chosen Plaintext Attacks by adversary(IND-CPA)'' The presented classical FHE scheme is CPA secure i.e. it is not possible for any polynomial time adversary to distinguish between the encrypted classical message bits 0 and 1, by learning with errors.
Line 48: Line 37:
*''Circular Security'' This orotocol has a stronger notion of circular security where not only the secret key but also the trapdoor functions are encrypted when provided to the Server.
*''Circular Security'' This orotocol has a stronger notion of circular security where not only the secret key but also the trapdoor functions are encrypted when provided to the Server.


== Pseudo-Code==
== Pseudo-Code==  
==='''Stage 1''' Client’s Preparation===
==='''Stage 1''' Client’s Preparation===
   
   
Line 99: Line 87:
# Client decrypts ˜a,˜b using skL+1 to obtain a,b.
# Client decrypts ˜a,˜b using skL+1 to obtain a,b.
# She then uses the decrypted Pauli corrections to get the output XaZb |li, which can be represented as a ⊕ l.<br/>She operates XaZb on quantum output to get C|ψi, in case of quantum output.
# She then uses the decrypted Pauli corrections to get the output XaZb |li, which can be represented as a ⊕ l.<br/>She operates XaZb on quantum output to get C|ψi, in case of quantum output.
== References ==
== Requirements ==
Write, autoreview, editor, reviewer
3,129

edits