Homomorphic encryption of quantum data


1 Homomorphic encryption of quantum data
Christian Schaffner (joint work with Yfke Dulek and Florian Speelman) Colloquium KdVI, UvA, Wednesday 5 April 2017

2 example: image tagging
Classical homomorphic encryption: Gentry [2009]
What about quantum?
[Figure: image tagged CAPITOL, WASHINGTON]

3 Quantum cloud computing

4 1. Homomorphic encryption
2. Previous results: Clifford scheme
3. New scheme

5 Homomorphic encryption
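[Diagram: Key Generation produces the public key, secret key and evaluation key. Encryption: x ↦ encrypted x (secure). Evaluation: encrypted x ↦ encrypted f(x). Decryption: encrypted f(x) ↦ f(x). Illustrated with the image tag CAPITOL as f(x).]
Classical homomorphic encryption: Gentry [2009]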

6 Homomorphic encryption
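[Diagram, labelled "quantum": Key Generation produces the public key, secret key and evaluation key. Encryption: $|\psi\rangle$ ↦ encrypted $|\psi\rangle$ (secure). Evaluation: encrypted $|\psi\rangle$ ↦ encrypted $U|\psi\rangle$. Decryption: encrypted $U|\psi\rangle$ ↦ $U|\psi\rangle$.]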

7 1. Homomorphic encryption
2. Previous results: Clifford scheme
3. New scheme

8 Classical One-time pad
See explanations on black board

9 Quantum bits
[Figure: qubits in the + basis and the × basis. Measurements: with prob. 1 yields 1; 0/1]

10 Q Circuits and Pauli group
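[Figure: circuit with gates X, CNOT, T, Y, H]
Pauli operators: $X = \begin{pmatrix} 0 & 1 \\ 1 & 0 \end{pmatrix}$, $Y = \begin{pmatrix} 0 & -i \\ i & 0 \end{pmatrix}$, $Z = \begin{pmatrix} 1 & 0 \\ 0 & -1 \end{pmatrix}$
Self-inverse: $X^2 = \mathbb{I} = \begin{pmatrix} 1 & 0 \\ 0 & 1 \end{pmatrix}$, $Y^2 = \mathbb{I}$, $Z^2 = \mathbb{I}$
Anti-commute: $XZ = -ZX$, $XY = -YX$, $YZ = -ZY$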

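11 Quantum One-time pad
Pauli operators: $X = \begin{pmatrix} 0 & 1 \\ 1 & 0 \end{pmatrix}$, $Y = \begin{pmatrix} 0 & -i \\ i & 0 \end{pmatrix}$, $Z = \begin{pmatrix} 1 & 0 \\ 0 & -1 \end{pmatrix}$
Self-inverse: $X^2 = \mathbb{I} = \begin{pmatrix} 1 & 0 \\ 0 & 1 \end{pmatrix}$, $Y^2 = \mathbb{I}$, $Z^2 = \mathbb{I}$
Anti-commute: $XZ = -ZX$, $XY = -YX$, $YZ = -ZY$
Flip two random bits $a,b \leftarrow \{0,1\}$; encryption of a qubit $|\psi\rangle$: $X^a Z^b |\psi\rangle$
Perfect security: not knowing $a,b$, the density matrix becomes fully mixed: $\frac{1}{4}\sum_{a,b} X^a Z^b |\psi\rangle\langle\psi| Z^b X^a = \mathbb{I}/2$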

12 Quantum Homomorphic enc
Columns: homomorphic for | compactness | security
Not encrypting: Quantum circuits | yes | no
Quantum OTP: no | yes
Append evaluation description: Quantum circuits | Complexity of Dec prop. to (# gates) | yes
Clifford Scheme: Clifford circuits | yes | computational
Quantum one-time pad: pick $a,b \in_R \{0,1\}$, $|\psi\rangle \mapsto X^a Z^b |\psi\rangle$
[Figure: circuit with gates P, X, CNOT, T, Y, H]

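13 The Clifford Group
$H = \frac{1}{\sqrt{2}}\begin{pmatrix} 1 & 1 \\ 1 & -1 \end{pmatrix}$, $P = \begin{pmatrix} 1 & 0 \\ 0 & i \end{pmatrix}$, $\mathrm{CNOT} = \begin{pmatrix} 1 & 0 & 0 & 0 \\ 0 & 1 & 0 & 0 \\ 0 & 0 & 0 & 1 \\ 0 & 0 & 1 & 0 \end{pmatrix}$
Generated by $\{H, P, \mathrm{CNOT}\}$
Commutation maps Pauli operators to Paulis (normalizer of Pauli group):
$\mathrm{CNOT}(X \otimes I) = (X \otimes X)\,\mathrm{CNOT}$, $\mathrm{CNOT}(I \otimes Z) = (Z \otimes Z)\,\mathrm{CNOT}$
$HX = ZH$, $HZ = XH$, $PZ = ZP$, $PX = XZP$
Not a universal gate set (e.g. efficient classical simulation possible)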

14 Clifford Scheme
Ingredient 1: quantum one-time pad
pick $a,b \in_R \{0,1\}$
encryption: $|\psi\rangle \mapsto X^a Z^b |\psi\rangle$ (in the diagrams, $|\psi\rangle$ labelled a,b stands for $X^a Z^b |\psi\rangle$)
decryption: $X^a Z^b |\psi\rangle \mapsto |\psi\rangle$
Ingredient 2: classical homomorphic encryption (as black box)
[AMTW00] A. Ambainis, M. Mosca, A. Tapp, and R. De Wolf. Private quantum channels. FOCS’00
[Gentry 09] C. Gentry: Fully homomorphic encryption using ideal lattices. STOC’09

15 Clifford Scheme
Applying H to $|\psi\rangle$ encrypted with pad key (a,b): $H X^a Z^b |\psi\rangle = X^b Z^a H |\psi\rangle$, which is $H|\psi\rangle$ encrypted with pad key (b,a).
Folklore, last formalized by [BJ15] A. Broadbent, S. Jeffery. Quantum Homomorphic Encryption for Circuits of Low T-gate Complexity. CRYPTO 2015

16 Clifford Scheme
Quantum one-time pad: $|\psi\rangle$ with pad key (a,b) → H → $H|\psi\rangle$ with pad key (b,a)
Classical homomorphic encryption: encrypted (a,b) → update function $(x,y) \mapsto (y,x)$ → encrypted (b,a)
Folklore, last formalized by [BJ15]

17 Clifford Scheme: CNOT
Input: $(X^a Z^b \otimes X^c Z^d)|\psi\rangle$, a 2-qubit $|\psi\rangle$ with pad keys (a,b) and (c,d)
After CNOT: $\mathrm{CNOT}|\psi\rangle$ with pad keys (a, b⊕d) and (a⊕c, d)
Update function: $(a,b),(c,d) \mapsto (a, b \oplus d),(a \oplus c, d)$
Folklore, last formalized by [BJ15]

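18 The challenge: T gate
$T = \begin{pmatrix} 1 & 0 \\ 0 & e^{i\pi/4} \end{pmatrix}$, $TZ = ZT$, $TX = PXT$
$|\psi\rangle$ with pad key (0,b) → T → $T|\psi\rangle$ with pad key (0,b)
$|\psi\rangle$ with pad key (1,b) → T → $P$ applied to ($T|\psi\rangle$ with pad key (1,b)): error!
How to apply correction $P^{-1}$ iff a = 1?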
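
Added example (not from the slides): a pure-Python check of the pad-key update rules on slides 15 to 18, with every equality taken up to a global phase. The function names are introduced here, and the P-gate rule `update_p` is an assumption derived from the relations PX = XZP and PZ = ZP on slide 13.

```python
import cmath
from itertools import product

def mul(A, B):
    return [[sum(a * b for a, b in zip(row, col)) for col in zip(*B)] for row in A]

def kron(A, B):
    return [[a * b for a in ra for b in rb] for ra in A for rb in B]

def same_up_to_phase(A, B, eps=1e-9):  # A == c*B for one scalar c with |c| = 1
    fa = [x for row in A for x in row]
    fb = [x for row in B for x in row]
    k = next(i for i, x in enumerate(fb) if abs(x) > eps)
    c = fa[k] / fb[k]
    return abs(abs(c) - 1) < eps and all(abs(x - c * y) < eps for x, y in zip(fa, fb))

s = 2 ** -0.5
I2, X, Z = [[1, 0], [0, 1]], [[0, 1], [1, 0]], [[1, 0], [0, -1]]
H, P = [[s, s], [s, -s]], [[1, 0], [0, 1j]]
T = [[1, 0], [0, cmath.exp(1j * cmath.pi / 4)]]
CNOT = [[1, 0, 0, 0], [0, 1, 0, 0], [0, 0, 0, 1], [0, 0, 1, 0]]  # qubit 1 controls

def pad(a, b):  # quantum one-time pad operator X^a Z^b
    return mul(X if a else I2, Z if b else I2)

def update_h(a, b):  # slide 16: (x, y) -> (y, x)
    return (b, a)
def update_p(a, b):  # assumption: derived here from PX = XZP and PZ = ZP
    return (a, a ^ b)
def update_cnot(a, b, c, d):  # slide 17
    return (a, b ^ d, a ^ c, d)

def check_1q(gate, update):  # gate * pad(a,b) == pad(update(a,b)) * gate for all keys
    return all(same_up_to_phase(mul(gate, pad(a, b)), mul(pad(*update(a, b)), gate))
               for a, b in product((0, 1), repeat=2))

def check_cnot():
    def ok(a, b, c, d):
        a2, b2, c2, d2 = update_cnot(a, b, c, d)
        return same_up_to_phase(mul(CNOT, kron(pad(a, b), pad(c, d))),
                                mul(kron(pad(a2, b2), pad(c2, d2)), CNOT))
    return all(ok(*key) for key in product((0, 1), repeat=4))

def t_key_update_exists(a, b):  # is T * pad(a,b) == Q * T for some Pauli pad Q?
    lhs = mul(T, pad(a, b))
    return any(same_up_to_phase(lhs, mul(pad(x, z), T)) for x, z in product((0, 1), repeat=2))

def t_error_is_p(a, b):  # slide 18: T * pad(a,b) == P^a * pad(a,b) * T
    return same_up_to_phase(mul(T, pad(a, b)), mul(mul(P if a else I2, pad(a, b)), T))
```

`t_key_update_exists(1, b)` is false for both values of b: when a = 1 no relabelling of the pad key absorbs the T gate, which is why the scheme needs a correction by $P^{-1}$.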

19 Previous results: overview
Columns: homomorphic for | compactness | security
Not encrypting: Quantum circuits | yes | no
Quantum OTP: No | inf theoretic
Append evaluation description: Complexity of Dec prop. to (# gates)
Clifford Scheme: Clifford circuits | computational
[BJ15]: AUX: QCircuits with constant T-depth | yes | computational
[BJ15]: EPR: Quantum circuits | Comp of Dec is prop. to (#T-gates)^2
[OTF15]: QCircuits with constant #T-gates | yes | inf theoretic
Our result: QCircuits of polynomial size (levelled FHE) | yes | computational
(comparison based on Stacey Jeffery’s slides)
[BJ15] A. Broadbent, S. Jeffery. Quantum Homomorphic Encryption for Circuits of Low T-gate Complexity. CRYPTO 2015
[OTF15] Y. Ouyang, S-H. Tan, J. Fitzsimons. Quantum homomorphic encryption from quantum codes. arxiv:

20 1. Homomorphic encryption
2. Previous results: Clifford scheme
3. New scheme

21 Error-correction ‘gadget’
Build a ‘gadget’ that applies $P^{-1}$ iff a = 1
[Diagram: $P^a$ applied to ($T|\psi\rangle$ with pad key a,b) → GADGET → $T|\psi\rangle$ with pad key c,d]
Apply correction iff: a = decrypt( , ) = 1
Properties:
Efficiently constructible
Destroyed after single use

22 Excursion 1 Quantum Information Theory: Quantum Teleportation

23 EPR Pairs
[Einstein Podolsky Rosen 1935]
[Figure: measurement outcomes prob. ½: 0, prob. ½: 1; EPR magic!; prob. 1: 0]
“spukhafte Fernwirkung” (spooky action at a distance)
EPR pairs do not allow communication (no contradiction to relativity theory)
EPR pairs can provide a shared random bit

24 Quantum Teleportation
[Bennett Brassard Crépeau Jozsa Peres Wootters 1993]
[Figure: Bell measurement; unknown $\sigma \in_R \{\mathbb{I}, X, Y, Z\}$]
Bob’s qubit is encrypted with quantum one-time pad
Bob can only recover the teleported qubit after receiving the classical information

25 Excursion 2 Theoretical Computer Science: Barrington’s Theorem

26 Permutation Branching Program
$f : \{0,1\}^n \times \{0,1\}^n \to \{0,1\}$: computes some Boolean function f(x,y)
list of instructions: permutations of {1,2,3,4,5}
$x_i$ 0: $\pi \in S_5$ 1: $\sigma$
$y_j$ 0: $\pi'$ 1: $\sigma'$
$x_k$ 0: $\pi''$ 1: $\sigma''$
output: $\ldots \circ \sigma'' \circ \sigma' \circ \pi$
id ⇒ f(x,y) = 0
(fixed) cycle ⇒ f(x,y) = 1
length: # of instructions

27 EXAMPLE PBP
OR(x,y), length 4:
x 0: (12345) 1: id
y 0: (12453) 1: id
x 0: (54321) 1: id
y 0: (15243) 1: (14235)
output:
OR(0,0): id
OR(0,1): (14235), 1
OR(1,0): (14235), 1
OR(1,1): (14235), 1
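
Added example (not part of the slides): an evaluator for the permutation branching program on slide 27. It checks that the selected permutations compose to the identity for OR(0,0) and to the fixed cycle (14235) otherwise. The function names and the tuple encoding of instructions are choices made here.

```python
N = 5  # width-5 programs permute {1, ..., 5}
ID = tuple(range(1, N + 1))

def cycle(spec):
    """Permutation p (i -> p[i-1]) from one cycle in the slide's notation, e.g. "12453"."""
    p = list(ID)
    for pos, ch in enumerate(spec):
        p[int(ch) - 1] = int(spec[(pos + 1) % len(spec)])
    return tuple(p)

def compose(later, earlier):
    """(later o earlier)(i) = later(earlier(i)): the earlier instruction acts first."""
    return tuple(later[earlier[i] - 1] for i in range(N))

# The length-4 program for OR(x, y) from slide 27, one tuple per instruction:
# (variable read, permutation if the bit is 0, permutation if the bit is 1)
OR_PBP = [
    ("x", cycle("12345"), ID),
    ("y", cycle("12453"), ID),
    ("x", cycle("54321"), ID),
    ("y", cycle("15243"), cycle("14235")),
]

def run_pbp(program, inputs):
    """Compose the permutations selected by the input bits, first instruction first."""
    out = ID
    for var, perm0, perm1 in program:
        out = compose(perm1 if inputs[var] else perm0, out)
    return out

def evaluate(program, inputs):
    """Output bit: 0 if the product is the identity, 1 otherwise."""
    return int(run_pbp(program, inputs) != ID)

def truth_table(program):
    return {(x, y): evaluate(program, {"x": x, "y": y}) for x in (0, 1) for y in (0, 1)}
```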

28 Barrington’s theorem (1989)
Theorem (variation): if $f : \{0,1\}^n \times \{0,1\}^n \to \{0,1\}$ is in NC1, then there exists a width-5 permutation branching program for f with length polynomial in n.
[Figure: complexity classes NC1, L, P, NP]
NC1: Boolean circuits with fan-in 2 gates, polynomial size, depth is log(n)
Classical homomorphic decryption functions happen to be in NC1… [BV11]
[Barrington 89] Bounded-Width Polynomial-Size Branching Programs Recognize Exactly Those Languages in NC1, J. Comput. Syst. Sci. 38 (1): 150–164, 1989
[BV11] Z. Brakerski, V. Vaikuntanathan. Efficient fully homomorphic encryption from (standard) LWE. FOCS 2011

29 Error-correction gadget
Build a ‘gadget’ that applies $P^{-1}$ iff a = 1
[Diagram: $P^a$ applied to ($T|\psi\rangle$ with pad key a,b) → GADGET → $T|\psi\rangle$ with pad key c,d]
Apply correction iff a = decrypt( , ) = 1
decrypt( , ) has a poly-size PBP

30 error correction Gadget
[Diagram: $P^a$ applied to ($T|\psi\rangle$ with pad key a,b) enters the GADGET, which has three parts:]
PBP for a = decrypt( , )
$P^{-1}$ iff permutation ≠ id
reverse PBP for a = decrypt( , )

31 Error correction gadget
[Diagram: branching program for decrypt( , ) with instructions i (1: $\sigma$, 0: $\pi$), j (1: $\sigma'$, 0: $\pi'$), k (1: $\sigma''$, 0: $\pi''$), l (1: $\sigma'''$, 0: $\pi'''$); labels: EPR pairs, teleportation measurements]

32 error correction Gadget
[Diagram: $P^a$ applied to a state with pad key a,b → GADGET → $T|\psi\rangle$ with pad key c,d]
Update key depending on teleportation outcomes & gadget structure
Gadget structure:
PBP for a = decrypt( , )
$P^{-1}$ iff permutation ≠ id
reverse PBP for a = decrypt( , )

33 security
All quantum information: quantum one-time pad (perfectly secure if classical info is hidden)
Gadget structure, each ‘connection’: random choice out of 4 Bell states (perfectly secure if classical info is hidden)
All classical information: classical homomorphic scheme
Security of classical scheme is the only assumption

34 New scheme: overview
Key generation: classical keys, gadgets
Encryption: apply quantum one-time pad; classically encrypt pad keys ($|\psi\rangle$ → $|\psi\rangle$ with pad key a,b)
Evaluation: after H / P / CNOT: classically update keys; after T: use gadget
Decryption: classically decrypt pad keys; remove quantum one-time pad ($U|\psi\rangle$ with pad key c,d → $U|\psi\rangle$)

35 Applications
Delegated quantum computation in two rounds
No memory needed on Alice’s side
“Low-tech” generation of gadgets
Gadget generation on demand
Circuit privacy

36 FUTURE WORK
non-leveled QFHE?
verifiable delegated quantum computation
quantum obfuscation?

37 Thank you!

