quantum homomorphic encryptionschaffne/mypresentations/... · 2016. 6. 29. · quantum homomorphic...

QUANTUM HOMOMORPHIC ENCRYPTION

Christian Schaffner

(joint work with Yfke Dulek and Florian Speelman)http://arxiv.org/abs/1603.09717

Centrum Wiskunde&Informa3ca

Ins3tuteforLogic,LanguageandComputa3on(ILLC)UniversityofAmsterdam

ResearchCenterforQuantumSoCware

TrustworthyQuantumInforma1on2016,Shanghai,China,Wednesday29June2016

http://arxiv.org/abs/1603.09717

EXAMPLE: IMAGE TAGGING


SKYLINE JED

1. HOMOMORPHIC ENCRYPTION

2. PREVIOUS RESULTS

3. NEW RESULT

HOMOMORPHIC ENCRYPTION


KEY GENERATION


public keyKEY GENERATION


public keysecret key

KEY GENERATION


public keysecret keyevaluation key

KEY GENERATION



KEY GENERATION

ENCRYPTION



KEY GENERATION

ENCRYPTION + ↦



KEY GENERATION

ENCRYPTION +(secure)

↦



KEY GENERATION

ENCRYPTION

EVALUATION

+(secure)

↦


JED ↦


KEY GENERATION

ENCRYPTION

EVALUATION

+

+

(secure)↦


JED ↦


KEY GENERATION

ENCRYPTION

EVALUATION

DECRYPTION

+

+

(secure)↦


JED ↦

JED JED↦


KEY GENERATION

ENCRYPTION

EVALUATION

DECRYPTION

+

+

+

(secure)↦


↦

↦


KEY GENERATION

ENCRYPTION

EVALUATION

DECRYPTION

+

+

+

(secure)↦x x

x f(x)

f(x) f(x)


↦

↦


KEY GENERATION

ENCRYPTION

EVALUATION

DECRYPTION

+

+

+

(secure)↦|ψ⟩ |ψ⟩

|ψ⟩ U|ψ⟩

U|ψ⟩ U|ψ⟩


↦

↦


KEY GENERATION

ENCRYPTION

EVALUATION

DECRYPTION

+

+

+

(secure)↦|ψ⟩ |ψ⟩

|ψ⟩ U|ψ⟩

U|ψ⟩ U|ψ⟩

(quantum)


2. PREVIOUS RESULTS

3. NEW RESULT

PREVIOUS RESULTS: OVERVIEW

C.Gentry:Fullyhomomorphicencryp3onusingideallaJces.STOC’09A.Broadbent,S.Jeffery.QuantumHomomorphicEncryp3onforCircuitsofLowT-gateComplexity.CRYPTO2015Y.Ouyang,S-H.Tan,J.Fitzsimons.Quantumhomomorphicencryp3onfromquantumcodes.arxiv:1508.00938

http://arxiv.org/pdf/1508.00938


Classical homomorphic encryption: solved! [Gentry 2009]




Classical homomorphic encryption: solved! [Gentry 2009]

Quantum homomorphic encryption: only partial results

Clifford scheme allowing evaluation of {P, H, CNOT}

schemes for {P, H, CNOT} + limited # of T gates



SCHEME FOR {P, H, CNOT}

[AMTW00]A.Ambainis,M.Mosca,A.Tapp,andR.DeWolf.Privatequantumchannels.FOCS’00[Gentry09]C.Gentry:Fullyhomomorphicencryp3onusingideallaJces.STOC’09


Ingredient 1: quantum encryption (one-time pad)




encryption:




a,bencryption: pick a,b ∈R {0,1}




|ψ⟩ a,b


|ψ⟩ ↦ XaZb|ψ⟩ =




|ψ⟩ a,b


|ψ⟩ ↦ XaZb|ψ⟩

decryption:

=




|ψ⟩ a,b



decryption: XaZb|ψ⟩ ↦ |ψ⟩

=



Ingredient 2: classical homomorphic encryption


|ψ⟩ a,b



decryption: XaZb|ψ⟩ ↦ |ψ⟩

=



Folklore,lastformalizedby[BJ15]A.Broadbent,S.Jeffery.QuantumHomomorphicEncryp3onforCircuitsofLowT-gateComplexity.CRYPTO2015


|ψ⟩


a,b


|ψ⟩

a,b


a,b


|ψ⟩

b,a

H|ψ⟩a,b H


a,b


|ψ⟩

b,aH|ψ⟩

a,b H


a,b


|ψ⟩

b,aH|ψ⟩

a,b H


a,b


|ψ⟩

b,aH|ψ⟩

a,b

H


a,b


|ψ⟩

b,aH|ψ⟩

a,b

b,a

UPDATEFUNCTION(x,y) ↦ (y,x) H


a,b


|ψ⟩

H|ψ⟩

a,b

b,a

UPDATEFUNCTION(x,y) ↦ (y,x) H


THE CHALLENGE: T GATE


H


a,b|ψ⟩

H


a,b|ψ⟩

b,aH|ψ⟩

H


a,b|ψ⟩

b,aH|ψ⟩

H T


a,b|ψ⟩

b,aH|ψ⟩

0,b|ψ⟩

H T


a,b|ψ⟩

b,aH|ψ⟩

0,b|ψ⟩

H

T|ψ⟩ 0,b

T


a,b|ψ⟩

b,aH|ψ⟩

0,b|ψ⟩

H

T|ψ⟩ 0,b

1,b|ψ⟩

T T


a,b|ψ⟩

b,aH|ψ⟩

0,b|ψ⟩

H

T|ψ⟩ 0,b P ( ) T|ψ⟩ 1,b

1,b|ψ⟩

T T


a,b|ψ⟩

b,aH|ψ⟩

0,b|ψ⟩

H

T|ψ⟩ 0,b P ( ) T|ψ⟩ 1,b

1,b|ψ⟩

T Terror!


a,b|ψ⟩

b,aH|ψ⟩

0,b|ψ⟩

H

T|ψ⟩ 0,b P ( ) T|ψ⟩ 1,b

1,b|ψ⟩

T T

how to apply correction P-1 iff a = 1?

error!


(comparisonbasedonStaceyJeffery’sslides)[BJ15]A.Broadbent,S.Jeffery.QuantumHomomorphicEncryp3onforCircuitsofLowT-gateComplexity.CRYPTO2015[OTF15]Y.Ouyang,S-H.Tan,J.Fitzsimons.Quantumhomomorphicencryp3onfromquantumcodes.arxiv:1508.00938


PREVIOUS RESULTS: OVERVIEWhomomorphic for compactness security

Not encrypting Quantum circuits yes no

append evaluation description Quantum circuits

Complexity of Dec prop to (# gates) yes

Quantum OTP no yes inf theoretic

Clifford Scheme Clifford circuits yes computational









[BJ15]: AUX QCircuits with constant T-depth

yes computational

[BJ15]: EPR Quantum circuits Comp of Dec is prop to (#T-gates)^2

computational

[OTF15] QCircuits with constant #T-gates

yes inf theoretic









[BJ15]: AUX QCircuits with constant T-depth

yes computational

[BJ15]: EPR Quantum circuits Comp of Dec is prop to (#T-gates)^2

computational

[OTF15] QCircuits with constant #T-gates

yes inf theoretic

Our resultQCircuits of

polynomial size (levelled FHE)

yes computational




2. PREVIOUS RESULTS

3. NEW RESULT

ERROR-CORRECTION “GADGET”

A quantum state that:

can be efficiently constructed and used


GADGET



applies correction iff error was present (iff a = 1)


GADGET





P ( ) T|ψ⟩ 1,b

GADGET





T|ψ⟩ 1,b

GADGET





T|ψ⟩ 0,b

GADGET




is destroyed after a single use


GADGET




is destroyed after a single use


EXCURSIONTheoretical Computer Science

PERMUTATION BRANCHING PROGRAM


computes some Boolean function f(x,y)


computes some Boolean function f(x,y)list of instructions:



xi 1: σ

yj0: π’

xk0: π’’

…

0: π

1: σ’

1: σ’’



xi 1: σ

yj0: π’

xk0: π’’

…

0: π

1: σ’

1: σ’’

permutations of {1,2, …, k}

∈ Sk∈ Sk

∈ Sk∈ Sk

∈ Sk∈ Sk



xi 1: σ

yj0: π’

xk0: π’’

…

output: … ° σ’’ ° σ’ ° π0: π

1: σ’

1: σ’’


∈ Sk∈ Sk

∈ Sk∈ Sk

∈ Sk∈ Sk



xi 1: σ

yj0: π’

xk0: π’’

…

output: … ° σ’’ ° σ’ ° πid

0: π

1: σ’

1: σ’’


∈ Sk∈ Sk

∈ Sk∈ Sk

∈ Sk∈ Sk



xi 1: σ

yj0: π’

xk0: π’’

…

output: … ° σ’’ ° σ’ ° πid(fixed) cycle

0: π

1: σ’

1: σ’’


∈ Sk∈ Sk

∈ Sk∈ Sk

∈ Sk∈ Sk



xi 1: σ

yj0: π’

xk0: π’’

…


0: π

1: σ’

1: σ’’

⇒ f(x,y) = 0


∈ Sk∈ Sk

∈ Sk∈ Sk

∈ Sk∈ Sk



xi 1: σ

yj0: π’

xk0: π’’

…


0: π

1: σ’

1: σ’’

⇒ f(x,y) = 0⇒ f(x,y) = 1


∈ Sk∈ Sk

∈ Sk∈ Sk

∈ Sk∈ Sk



xi 1: σ

yj0: π’

xk0: π’’

…


0: π

1: σ’

1: σ’’

⇒ f(x,y) = 0⇒ f(x,y) = 1

length: # of instructions


∈ Sk∈ Sk

∈ Sk∈ Sk

∈ Sk∈ Sk



xi 1: σ

yj0: π’

xk0: π’’

…


0: π

1: σ’

1: σ’’

⇒ f(x,y) = 0⇒ f(x,y) = 1

length: # of instructionswidth: k


∈ Sk∈ Sk

∈ Sk∈ Sk

∈ Sk∈ Sk

EXAMPLE PBP (OR)

length 4, width 5:

EXAMPLE PBP (OR)

x1

y1

x1

y1

1: id0: (12453)

0: (54321)

0: (12345)

1: id

1: id0: (15243)1: (14235)

length 4, width 5:

EXAMPLE PBP (OR)

x1

y1

x1

y1

OR(0,0)

output: id0

1: id0: (12453)

0: (54321)

0: (12345)

1: id

1: id0: (15243)1: (14235)

length 4, width 5:

EXAMPLE PBP (OR)

x1

y1

x1

y1

OR(0,0) OR(0,1)

output: id0

(14235)1

1: id0: (12453)

0: (54321)

0: (12345)

1: id

1: id0: (15243)1: (14235)

length 4, width 5:

EXAMPLE PBP (OR)

x1

y1

x1

y1

OR(0,0) OR(0,1) OR(1,0) OR(1,1)

output: id0

(14235)1

(14235)1

1: id0: (12453)

0: (54321)

0: (12345)

1: id

1: id0: (15243)1: (14235)

length 4, width 5:

EXAMPLE PBP (OR)

x1

y1

x1

y1

OR(0,0) OR(0,1) OR(1,0) OR(1,1)

output: id0

(14235)1

(14235)1

(14235)1

1: id0: (12453)

0: (54321)

0: (12345)

1: id

1: id0: (15243)1: (14235)

length 4, width 5:

BARRINGTON’S THEOREMTheorem (variation): if f : {0,1}n x {0,1}m → {0,1} is in NC1, then there exists a permutation branching program for f with:

[Barrington89]Bounded-WidthPolynomial-SizeBranchingProgramsRecognizeExactlyThoseLanguagesinNC1,J.Comput.Syst.Sci.38(1):150–164,1989[BV11]Z.Brakerski,V.Vaikuntanathan.Efficientfullyhomomorphicencryp3onfrom(standard)LWE.FOCS2011


width 5



width 5length polynomial in (n+m)





P

NC1

L

NP

no proof that NP≠NC1



Classical homomorphic decryption functionshappen to be in NC1… [BV11]


P

NC1

L

NP

no proof that NP≠NC1

ERROR CORRECTION GADGET


GADGET


GADGET

PBP fordecrypt( , )a {


GADGET

P-1 P-1 P-1 P-1

PBP fordecrypt( , )a {P-1 iff permutation ≠ id {


GADGET

P-1 P-1 P-1 P-1


reverse PBP fordecrypt( , )a {


1: σ0: π

i

1: σ’’0: π’’

k

1: σ’0: π’

a j

1: σ’’’0: π’’’

a l

……


1: σ0: π

i

1: σ’’0: π’’

k

1: σ’0: π’

a j

1: σ’’’0: π’’’

a l

………


1: σ0: π

i

1: σ’’0: π’’

k

1: σ’0: π’

a j

1: σ’’’0: π’’’

a l

EPR pairs

EPR pairs

………


1: σ0: π

i

1: σ’’0: π’’

k

1: σ’0: π’

a j

1: σ’’’0: π’’’

a l

EPR pairs

EPR pairs

Bellmeasurements

Bellmeasurements

………


GADGET

P-1 P-1 P-1 P-1


reverse PBP fordecrypt( , )a {

NEW SCHEME: OVERVIEW


KEY GENERATION


KEY GENERATIONclassical keys


KEY GENERATIONclassical keys gadgets



ENCRYPTION|ψ⟩



ENCRYPTIONapply quantum one-time pad a,b|ψ⟩ a,b



ENCRYPTIONapply quantum one-time pad classically encrypt pad keys a,b|ψ⟩ a,b




EVALUATION




EVALUATIONafter / / : classically update keysH P CNOT




EVALUATIONafter / / : classically update keysafter : use

H P CNOT

T





DECRYPTION c,dU|ψ⟩ c,d

H P CNOT

T





DECRYPTIONclassically decrypt pad keys c,dU|ψ⟩ c,d

H P CNOT

T





DECRYPTIONclassically decrypt pad keys remove quantum one-time pad U|ψ⟩

c,d

H P CNOT

T

FUTURE WORK

FUTURE WORK

non-leveled QFHE?

FUTURE WORK

non-leveled QFHE?

verifiable delegated quantum computation

FUTURE WORK

non-leveled QFHE?


quantum obfuscation?

FUTURE WORK

non-leveled QFHE?


quantum obfuscation?

…

THANK YOU!

is hiring two principle investigators: http://tinyurl.com/qusoft-job

Application deadline: 1 September 2016

http://tinyurl.com/qusoft-job

quantum homomorphic encryptionschaffne/mypresentations/... · 2016. 6. 29. · quantum homomorphic...

Documents