Classical Fully Homomorphic Encryption for Quantum Circuits: Difference between revisions

m
Line 8: Line 8:


== Outline==
== Outline==
FHE presents a classical protocol with the help of which a completely classical Client could assign Server a quantum computation for her encrypted (hidden) input/output. Similar to any classical HE this scheme is divided into four steps: Key Generation generates keys for encryption, decryption and evaluation of the circuit; Encryption encodes the input into a secret text using the encryption key generated during Key Generation; Evaluation performs operations (implements the circuit) on the encrypted input using evaluation key generated and Decryption transforms result of the evaluation step hidden in the secret text, to outcome of the circuit for Client's input using decryption key. Following the stages of [[Secure Delegated Quantum Computation]], in preparation stage, Client encrypts her input to hide it from the Server performing [[Supplementary Information#Quantum Cryptography Techniques#Quantum One Time Pad|Quantum One Time Pad]] (QOTP) using her encryption key, who, in the computation stage, performs quantum computation by a completely classical evaluation step. There are two kinds of gates in Quantum Computation (See Heirarchy of Quantum Gates in [[Supplementary Information]]) Clifford Gates, which consists of Hadamard gate, CNOT and Pauli gates (X, Y, Z) and Toffoli gates (any single qubit phase/rotation gate). A universal scheme can perform both these types of gates implying that it can perform any quantum operation. Now, applying [[Supplementary Information#A General Introduction to Quantum Information#Heirarchy of Quantum Gates|Clifford gates]] remains a simple step as it leaves the state with only Pauli corrections (X, Z) which are easy to handle as these gates commute with every quantum gate and hence can be shifted and cancelled out by applying corresponding inverse gate later by the Client, but when applying [[Supplementary Information#A General Introduction to Quantum Information#Heirarchy of Quantum Gates|Toffoli Gates]], it leaves the state with some Pauli corrections and Clifford gate corrections depending on the one pad key used for encryption key used by Client. Decryption key cannot deal with Clifford gate errors as they do not commute with all quantum operations and hence it needs to be corrected by applying corresponding inverse gate before the operation of next gate for computation by the Server. These Clifford gate corrections are a combination of CNOT corrections dependent on encryption key and a Hadamard correction independent of encryption key. Applying Hadamard requires no extra information but CNOT gate errors require revelation of the encryption key. FHE deals with this problem via [[Supplementary Information#Quantum Cryptography Techniques#Encrypted CNOT operation|Encrypted CNOT operation]] using [[Supplementary Information#Quantum Cryptography Techniques#Trapdoor Claw-Free Function (TCF)|Trapdoor Claw-Free Function (TCF)]] without revelation of encryption key to the Server. Finally, in the Output Correction stage, Client gets her inputs and updated encryption keys to get the correct final outcome from the secret text using her decryption key. Following is an outline of the steps to illustrate the above mentioned scheme, assuming depth of circuit (see notations used) equal to L.
FHE presents a classical protocol with the help of which a completely classical Client could assign Server a quantum computation for her encrypted (hidden) input/output. Similar to any classical HE this scheme is divided into four steps: Key Generation generates keys for encryption, decryption and evaluation of the circuit; Encryption encodes the input into a secret text using the encryption key generated during Key Generation; Evaluation performs operations (implements the circuit) on the encrypted input using evaluation key generated and Decryption transforms result of the evaluation step hidden in the secret text, to outcome of the circuit for Client's input using decryption key. Following the stages of [[Secure Delegated Quantum Computation]], in preparation stage, Client encrypts her input by performing [[one time pad]] to hide it from the Server, who, in the computation stage, performs quantum computation by a completely classical evaluation step. There are two kinds of gates in Quantum Computation (See Heirarchy of Quantum Gates in [[Supplementary Information]]) Clifford Gates, which consists of Hadamard gate, CNOT and Pauli gates (X, Y, Z) and Toffoli gates (any single qubit phase/rotation gate). A universal scheme can perform both these types of gates implying that it can perform any quantum operation. Now, applying [[Supplementary Information#A General Introduction to Quantum Information#Heirarchy of Quantum Gates|Clifford gates]] remains a simple step as it leaves the state with only Pauli corrections (X, Z) which are easy to handle as these gates commute with every quantum gate and hence can be shifted and cancelled out by applying corresponding inverse gate later by the Client, but when applying [[Supplementary Information#A General Introduction to Quantum Information#Heirarchy of Quantum Gates|Toffoli Gates]], it leaves the state with some Pauli corrections and Clifford gate corrections depending on the one pad key used for encryption key used by Client. Decryption key cannot deal with Clifford gate errors as they do not commute with all quantum operations and hence it needs to be corrected by applying corresponding inverse gate before the operation of next gate for computation by the Server. These Clifford gate corrections are a combination of CNOT corrections dependent on encryption key and a Hadamard correction independent of encryption key. Thus, applying Hadamard requires no extra information but CNOT gate errors require revelation of the encryption key. FHE deals with this problem via [[Supplementary Information#Quantum Cryptography Techniques#Encrypted CNOT operation|Encrypted CNOT operation]] using [[Supplementary Information#Quantum Cryptography Techniques#Trapdoor Claw-Free Function (TCF)|Trapdoor Claw-Free Function (TCF)]] without revelation of encryption key to the Server. Finally, in the Output Correction stage, Client gets her inputs and updated encryption keys to get the correct final outcome from the secret text using her decryption key. Following is an outline of the steps to illustrate the above mentioned scheme, assuming depth of circuit (see notations used) equal to L.</br>
* '''Key Generation:''' Client generates L+1 classical homomorphic key sets consisting of public key, evaluation key, secret key, trapdoor information using HE.KeyGen (classical HE step). Evaluation key consists of first L pairs of secret key-trapdoor information encrypted with last L public keys such that secret key-trapdoor key pair and public key do not belong to the same key set. Evaluation key also contains this public key used to encrypt the pair.
The preparation stage incorporates,
* '''Encryption Client''' uses one time pad to hide her input and encrypts the pad key using a public key not used to encrypt the trapdoors and secret in the previous step. She then sends the hidden input with encypted pad key and classical evaluation key to the Server. In case of classical input Client uses the public key to encrypt her classical message and send it to the Server over classical channel.
* '''Key Generation:''' Client generates L+1 classical homomorphic key sets consisting of public key, evaluation key, secret key, trapdoor information (a piece of information required to invert the function used for encrypted CNOT operation, as explained in Circuit Evaluation) using HE.KeyGen() (classical HE step). Evaluation key consists of first L pairs of secret key-trapdoor information encrypted with last L public keys such that secret key-trapdoor key pair and public key do not belong to the same key set. Evaluation key also contains this public key used to encrypt the pair.
* '''Circuit Evaluation''' For a quantum inputs, Server starts with the quantum one time padded state from the Client, while in case of a classical Client, Server prepare quantum states for the encrypted input. For each gate of the circuit that Server applies, he updates the encrypted Pauli encryption. In case of Toffoli gate operation, he also corrects the extra Clifford group error performing encrypted CNOT operation and then Hadamard operations on the target qubit. Operation of encrypted CNOT operation is performed using evaluation key as follows.<br/>
* '''Encryption:''' Client uses classical one time pad to hide her input and encrypts the pad key with the first public key (not used to encrypt any trapdoor-secret key pair) using HE.Enc() (classical HE step). She then sends the hidden classical input with encrypted pad key and classical evaluation key to the Server over classical channel. This step marks the end of preparation stage.</br>
'''Encrypted CNOT operation''' This operation uses Trapdoor Claw Free function pairs which have the same image (output) for different pre-images(inputs) called random claw pair. Given the image it is rendered hard to find corresponding random claw without a trapdoor (inverse function). For this protocol, the HE Encryption function under a particular public key (provided in the evaluation key) is taken as one of the functions whose distribution is shifted from the other function by a natural (homomorphic) XOR operation of encrypted key bit. The functions have a common range and hence, any element in this range set would have a pre-image in the domain set of each function, together called random claw. Any pre-image pair (random claw) thus, obtained hides the pad key used for CNOT by a XOR operation. This is implied from the properties of homomorphic XOR. In simple language, if the functions are separated by encrypted pad key via a homomorphic XOR operation, so their inputs for a common output (random claw) would be separated by the (not encrypted) pad key bit. Thus, Server creates a superposition of inputs for the functions over some distribution. Next, in case of a classical input he creates a superposition of one time padded quantum state using the encrypted key. After applying the gates on qubits, for correction of CNOT gates he has two one time padded qubits as quantum state and a pad key for CNOT. The encrypted pad key was sent to the Server by the Client. For each correction, Server thus creates three registers. First has the superposition of quantum states to be operated, second has the superposition of inputs while third register has the output of the function, where function is chosen depending on the first qubit of quantum state register and input is taken from the second qubit. Hence these registers are entangled. Server, now measures the third register which reduces second register to a random claw pair as discussed before, hiding the pad key. Now, after some calculations it can be shown that if one performs Hadamard operation on the second register and then measures it, the first register is reduced to CNOT error corrected quantum state with some extra Pauli corrections. These final Pauli corrections require trapdoor information and measurement outcome of the second register (if this outcome is zero the Z correction is zero). To perform the above operation one needs ciphertext to be same throughtout the protocol and existence of a natural XOR operation. This is not known to have been achieved by a single HE together. Hence, one uses AltHE which can operate XOR for encrypted CNOT operation and HE for updation of Pauli keys. In order to do this, HE provides a conversion of ciphertext under HE to ciphertext under AltHE and vice versa. Thus, after encrypted CNOT operation, encrypted pad key bit and other measurement outcomes recrypted using public key of the evaluation key under HE. Hence, after using trapdoor functions and other information, he finds Pauli corrections encrypted under the same public key.<br/>
Further, the computation stage incorporates,
Server repeats the same procedure for each layer and finally sends the updated Pauli encryption and quantum one time padded output of the circuit to Client. Client uses the encrypted pad keys of both qubits related to the CNOT error and converts it to another ciphertext using AltHE.
* '''Circuit Evaluation:''' Server starts with the classical one time padded states from the Client and generates the required quantum states. For each gate of the circuit that Server applies, he updates the encrypted Pauli encryption according to rules given in Pseudo code below. In case of Toffoli gate operation, an additional step is incorporated where he corrects the extra Clifford gate error performing encrypted CNOT operation and then Hadamard operation on the target qubit. This step uses evaluation key and can be explained as follows.</br>
* '''Decryption''' The sent Pauli corrections are updated with public key of the last evaluation key used. This is the (L + 1)th public key and hence, Client uses (L + 1)th secret key (which was not included in the evaluation keys) to decrypt the updated encryption of pad key sent by the Server. Thus, she uses the resulting pad key to undo the quantum one time pad on the sent output state.
'''Encrypted CNOT operation''' All errors imposed by Toffoli gates can be represented using encrypted CNOT operation, a Hadamard operation and a set of Pauli gates (X, Z). All errors imposed by Clifford gates can be represented by a combination of Pauli gates. A mathematical representation of this step can be found in the [[Supplementary Information]].
#'''TCF:''' This operation uses Trapdoor Claw Free function pairs which have the same image (output) for different pre-images(inputs) called 'random claw pair'. Given the image, it is rendered a hard problem to find this corresponding random claw without its trapdoor information (example, a piece of information required to invert the function). For this protocol, the HE Encryption function (HE.Enc()) is taken as one of the functions. A second function whose distribution is shifted from the previous function by a natural (homomorphic) XOR operation (a requirement for the [[Supplementary Information#Quantum cryptography Techniques#Quantum Capable Homomorphic Encryption|classical HE]] scheme used) of encrypted key bit used for that encryption function. This means, the functions have a common range such that for every image (output), the pre-images (input) for each of the functions stated above would also differ by a XOR operation of actual (not encrypted) key bit. Thus, any element in the said range set would have one pre-image in the domain set of each function, together called random claw pair. If one performs a XOR operation on the pair, the result is pad key bit. This is implied from the properties of homomorphic XOR. Thus, any pre-image pair (random claw) thus, obtained, hides the pad key (to be used later for Encrypted CNOT operation). In simple words, the above paragraph implies that if two functions are separated by encrypted pad key via a homomorphic XOR operation, their inputs for a common output (random claw pair) would be separated by the (not encrypted) pad key bit.
#'''Server's preparation''' Thus, Server creates a superposition of inputs for the functions over some distribution. Next, he creates a superposition of quantum states generated from Client's input. After applying the gates on qubits, for correction of CNOT errors, Server creates three registers. First has the superposition of single qubit states, second has the superposition of quantum states generated from Client's input while third register has the output of one of the two functions illustrated above, where the function (one of the two) is chosen according to the first register and its quantum input is taken from the second register. Hence, these registers are entangled. Server, now measures the third register which reduces second register to a random claw pair as discussed before, hiding the pad key. It is still hidden from the Server as he does not know trapdoor information to be able to know the random claw pair and he cannot compute it from the measured output as it is a hard problem.
#'''Server's Toffoli gate operation''' After some calculations it can be shown that if Server performs Hadamard operation on the second register and then measures it, the first register is reduced to corrected quantum state with some extra Pauli corrections. These final Pauli corrections require trapdoor information and measurement outcome of the second register. To perform the above operation one needs the secret text to be same throughtout the protocol and existence of a natural XOR operation. This is not known to have been achieved by a single HE together. Hence, this protocol uses AltHE (an alternate HE) which can operate XOR for encrypted CNOT operation while he uses HE for updation of Pauli keys. In order to do this, HE provides a conversion of secret text under HE to secret text under AltHE and vice versa. Thus, after encrypted CNOT operation, encrypted pad key bit and other measurement outcomes are recrypted using public key provided in the evaluation key for that step, under HE. Thus, the trapdoor information and pad key bit are encrypted under same public key. Now, using the measurement outcome and the encrypted trapdoor information with recrypted pad key, Server obtains Pauli corrections. The Server encrypts Pauli corrections under public key for corresponding layer and hence updates the recrypted pad key<br/>
#'''Server's Clifford gate operation''' Server obtains with Pauli corrections according to rules described in the Pseudo code and updates the recrypted pad key as before.</br>
* '''Decryption''' Server repeats the same procedure for each layer and at the end of last layer, sends the updated recryption of pad key and classical measurement output of the first register (containing the corrected quantum state encrypted by pad key) to Client. Client converts the pad key to another secret text using AltHE. The sent pad key is recrypted with public key of the last (<math>L_{th}</math>) evaluation key used. This is the <math>(L + 1)_{th}</math> public key. Hence, Client uses <math>(L + 1)_{th}</math> secret key (which was not included in the evaluation keys) to decrypt the updated encryption of pad key sent by the Server. She (Client) uses the resulting pad key to undo the one time pad on the sent output.


== Notations ==
== Notations ==
Write, autoreview, editor, reviewer
3,129

edits