1,268 research outputs found
Quantum FHE (Almost) As Secure As Classical
Fully homomorphic encryption schemes (FHE) allow to apply arbitrary efficient computation to encrypted data without decrypting it first. In Quantum FHE (QFHE) we may want to apply an arbitrary quantumly efficient computation to (classical or quantum) encrypted data.
We present a QFHE scheme with classical key generation (and classical encryption and decryption if the encrypted message is itself classical) with comparable properties to classical FHE. Security relies on the hardness of the learning with errors (LWE) problem with polynomial modulus, which translates to the worst case hardness of approximating short vector problems in lattices to within a polynomial factor. Up to polynomial factors, this matches the best known assumption for classical FHE. Similarly to the classical setting, relying on LWE alone only implies leveled QFHE (where the public key length depends linearly on the maximal allowed evaluation depth). An additional circular security assumption is required to support completely unbounded depth. Interestingly, our circular security assumption is the same assumption that is made to achieve unbounded depth multi-key classical FHE.
Technically, we rely on the outline of Mahadev (arXiv 2017) which achieves this functionality by relying on super-polynomial LWE modulus and on a new circular security assumption. We observe a connection between the functionality of evaluating quantum gates and the circuit privacy property of classical homomorphic encryption. While this connection is not sufficient to imply QFHE by itself, it leads us to a path that ultimately allows using classical FHE schemes with polynomial modulus towards constructing QFHE with the same modulus
Quantum Fully Homomorphic Encryption With Verification
Fully-homomorphic encryption (FHE) enables computation on encrypted data
while maintaining secrecy. Recent research has shown that such schemes exist
even for quantum computation. Given the numerous applications of classical FHE
(zero-knowledge proofs, secure two-party computation, obfuscation, etc.) it is
reasonable to hope that quantum FHE (or QFHE) will lead to many new results in
the quantum setting. However, a crucial ingredient in almost all applications
of FHE is circuit verification. Classically, verification is performed by
checking a transcript of the homomorphic computation. Quantumly, this strategy
is impossible due to no-cloning. This leads to an important open question: can
quantum computations be delegated and verified in a non-interactive manner? In
this work, we answer this question in the affirmative, by constructing a scheme
for QFHE with verification (vQFHE). Our scheme provides authenticated
encryption, and enables arbitrary polynomial-time quantum computations without
the need of interaction between client and server. Verification is almost
entirely classical; for computations that start and end with classical states,
it is completely classical. As a first application, we show how to construct
quantum one-time programs from classical one-time programs and vQFHE.Comment: 30 page
Quantum fully homomorphic encryption with verification
Fully-homomorphic encryption (FHE) enables computation on encrypted data while maintaining secrecy. Recent research has shown that such schemes exist even for quantum computation. Given the numerous applications of classical FHE (zero-knowledge proofs, secure two-party computation, obfuscation, etc.) it is reasonable to hope that quantum FHE (or QFHE) will lead to many new results in the quantum setting. However, a crucial ingredient in almost all applications of FHE is circuit verification. Classically, verification is performed by checking a transcript of the homomorphic computation. Quantumly, this strategy is impossible due to no-cloning. This leads to an important open question: can quantum computations be delegated and verified in a non-interactive manner? In this work, we answer this question in the affirmative, by constructing a scheme for QFHE with verification (vQFHE). Our scheme provides authenticated encryption, and enables arbitrary polynomial-time quantum computations without the need of interaction between client and server. Verification is almost entirely classical; for computations that start and end with classical states, it is completely classical. As a first application, we show how to construct quantum one-time programs from classical one-time programs and vQFHE
Experimental Demonstration of Quantum Fully Homomorphic Encryption with Application in a Two-Party Secure Protocol
A fully homomorphic encryption system hides data from unauthorized parties,
while still allowing them to perform computations on the encrypted data. Aside
from the straightforward benefit of allowing users to delegate computations to
a more powerful server without revealing their inputs, a fully homomorphic
cryptosystem can be used as a building block in the construction of a number of
cryptographic functionalities. Designing such a scheme remained an open problem
until 2009, decades after the idea was first conceived, and the past few years
have seen the generalization of this functionality to the world of quantum
machines. Quantum schemes prior to the one implemented here were able to
replicate some features in particular use-cases often associated with
homomorphic encryption but lacked other crucial properties, for example,
relying on continual interaction to perform a computation or leaking
information about the encrypted data. We present the first experimental
realisation of a quantum fully homomorphic encryption scheme. We further
present a toy two-party secure computation task enabled by our scheme. Finally,
as part of our implementation, we also demonstrate a post-selective two-qubit
linear optical controlled-phase gate with a much higher post-selection success
probability (1/2) when compared to alternate implementations, e.g. with
post-selective controlled- or controlled- gates (1/9).Comment: 11 pages, 16 figures, 2 table
General Impossibility of Group Homomorphic Encryption in the Quantum World
Group homomorphic encryption represents one of the most important building
blocks in modern cryptography. It forms the basis of widely-used, more
sophisticated primitives, such as CCA2-secure encryption or secure multiparty
computation. Unfortunately, recent advances in quantum computation show that
many of the existing schemes completely break down once quantum computers reach
maturity (mainly due to Shor's algorithm). This leads to the challenge of
constructing quantum-resistant group homomorphic cryptosystems.
In this work, we prove the general impossibility of (abelian) group
homomorphic encryption in the presence of quantum adversaries, when assuming
the IND-CPA security notion as the minimal security requirement. To this end,
we prove a new result on the probability of sampling generating sets of finite
(sub-)groups if sampling is done with respect to an arbitrary, unknown
distribution. Finally, we provide a sufficient condition on homomorphic
encryption schemes for our quantum attack to work and discuss its
satisfiability in non-group homomorphic cases. The impact of our results on
recent fully homomorphic encryption schemes poses itself as an open question.Comment: 20 pages, 2 figures, conferenc
Delegating Quantum Computation in the Quantum Random Oracle Model
A delegation scheme allows a computationally weak client to use a server's
resources to help it evaluate a complex circuit without leaking any information
about the input (other than its length) to the server. In this paper, we
consider delegation schemes for quantum circuits, where we try to minimize the
quantum operations needed by the client. We construct a new scheme for
delegating a large circuit family, which we call "C+P circuits". "C+P" circuits
are the circuits composed of Toffoli gates and diagonal gates. Our scheme is
non-interactive, requires very little quantum computation from the client
(proportional to input length but independent of the circuit size), and can be
proved secure in the quantum random oracle model, without relying on additional
assumptions, such as the existence of fully homomorphic encryption. In practice
the random oracle can be replaced by an appropriate hash function or block
cipher, for example, SHA-3, AES.
This protocol allows a client to delegate the most expensive part of some
quantum algorithms, for example, Shor's algorithm. The previous protocols that
are powerful enough to delegate Shor's algorithm require either many rounds of
interactions or the existence of FHE. The protocol requires asymptotically
fewer quantum gates on the client side compared to running Shor's algorithm
locally.
To hide the inputs, our scheme uses an encoding that maps one input qubit to
multiple qubits. We then provide a novel generalization of classical garbled
circuits ("reversible garbled circuits") to allow the computation of Toffoli
circuits on this encoding. We also give a technique that can support the
computation of phase gates on this encoding.
To prove the security of this protocol, we study key dependent message(KDM)
security in the quantum random oracle model. KDM security was not previously
studied in quantum settings.Comment: 41 pages, 1 figures. Update to be consistent with the proceeding
versio
Classical Homomorphic Encryption for Quantum Circuits
We present the first leveled fully homomorphic encryption scheme for quantum
circuits with classical keys. The scheme allows a classical client to blindly
delegate a quantum computation to a quantum server: an honest server is able to
run the computation while a malicious server is unable to learn any information
about the computation. We show that it is possible to construct such a scheme
directly from a quantum secure classical homomorphic encryption scheme with
certain properties. Finally, we show that a classical homomorphic encryption
scheme with the required properties can be constructed from the learning with
errors problem
Quantum Key Leasing for PKE and FHE with a Classical Lessor
In this work, we consider the problem of secure key leasing, also known as revocable cryptography (Agarwal et. al. Eurocrypt\u27 23, Ananth et. al. TCC\u27 23), as a strengthened security notion of its predecessor put forward in Ananth et. al. Eurocrypt\u27 21. This problem aims to leverage unclonable nature of quantum information to allow a lessor to lease a quantum key with reusability for evaluating a classical functionality. Later, the lessor can request the lessee to provably delete the key and then the lessee will be completely deprived of the capability to evaluate the function.
In this work, we construct a secure key leasing scheme to lease a decryption key of a (classical) public-key, homomorphic encryption scheme from standard lattice assumptions. Our encryption scheme is exactly identical to the (primal) version of Gentry-Sahai-Waters homomorphic encryption scheme with a carefully chosen public key matrix. We achieve strong form of security where:
* The entire protocol (including key generation and verification of deletion) uses merely classical communication between a classical lessor (client) and a quantum lessee (server).
* Assuming standard assumptions, our security definition ensures that every computationally bounded quantum adversary could only simultaneously provide a valid classical deletion certificate and yet distinguish ciphertexts with at most negligible probability.
Our security relies on the hardness of learning with errors assumption. Our scheme is the first scheme to be based on a standard assumption and satisfying the two properties mentioned above.
The main technical novelty in our work is the design of an FHE scheme that enables us to apply elegant analyses done in the context of classically verifiable proofs of quantumness from LWE (Brakerski et. al.(FOCS\u2718, JACM\u2721) and its parallel amplified version in Radian et. al.(AFT\u2721)) to the setting of secure leasing. This connection leads to a modular construction and arguably simpler proofs than previously known. An important technical component we prove along the way is an amplified quantum search-to-decision reduction: we design an extractor that uses a quantum distinguisher (who has an internal quantum state) for decisional LWE, to extract secrets with success probability amplified to almost one. This technique might be of independent interest
- …