 Thank you. Okay. You all hear me all right? So good morning. This morning I want to discuss with you a quantum version of a well-known concept, homomorphic encryption. You're probably all familiar with it, but because it's so early in the morning, I just want to start with a refresher. So let's start with some example and let's consider the following scenario. So we have Dora the Explorer. I hope you all know her. She goes on tons of adventures, and she takes a lot of pictures on those adventures, and she would like to assign tags to those pictures describing what is on them. However, she doesn't have the time to do this by hand because, you know, she has to leave for her next adventure. So she would like to do this automatically. Ideally, she would like to outsource this computation to a third party, for example, Google, who can do this for her. But of course, the content of her data, in this case images, might be private. So what homomorphic encryption would allow her to do is it would allow her to to encrypt her data before sending it to Google. Then she can send it over. She can just go off, do something else, and in the meantime, Google can compute on her encrypted data. So he cannot ever see the content of her pictures, but he can still perform operations on the encrypted data. In this case, he can evaluate some image tagging algorithm and produce an encryption of the resulting tags for this algorithm. Then, when Dora comes back, no communication is needed during this process. When Dora comes back, she can get back those tags, and she can use her own secret key to decrypt those tags, and now she has the result of the computation that she wanted. During this talk, I'm first going to update you a bit on what homomorphic encryption is. I'm sure you're probably all heard of it, if not before crypto, then certainly yesterday during a lot of the talks. But just to be a bit more formal, just give an idea of what do we need when we're defining a homomorphic encryption scheme, and in particular, what changes if we're going to map this to a quantum setting. Then, for the most part of the talk, I'm going to discuss some previous results, and in particular, there's one scheme that I want to discuss in a bit more detail, because our new result, which is the third part of this talk, is going to be built on this scheme. So that's the outline. So homomorphic encryption, basically, a scheme for homomorphic encryption consists of four polynomial time algorithms. I'm going to go over this pretty quickly. The first one is key generation. So given some security parameter, we generate a public key, a secret key, and also, as a third key, we generate an evaluation key, which is just some extra information independent of the input that can help during the evaluation phase, which we'll see later. Then, of course, there is the encryption phase, which just takes your data, X. This is just a classical data, produces an encryption, and, of course, this encryption has to be secure for some notion of security. Then, the most interesting part is the evaluation phase. The evaluator just takes the encrypted input, and for some function that he would like to evaluate on this input, he produces, possibly using this evaluation key that I mentioned earlier, he produces an encryption of the output. This is where the meat of the scheme is usually. Then, of course, at the end, we have to have a way to, from this encrypted result, get back to the actual plain text result that we're interested in using the secret key. The class of functions for which we can do this evaluation is the class of functions that we say that such a scheme is homomorphic for. Usually, a scheme can be homomorphic for, for example, all functions with a limited number of multiplications, or maybe it's homomorphic for the class of all functions in general, and that's, of course, the end goal that we're aiming for. One other thing is that the decryption has to, the complexity of the decryption has to be independent of the complexity of this function F. The complexity of this function F is, for example, measured in the size of the circuit. If the decryption has this property, then we say that the scheme is compact. So what changes in the quantum setting? Quantum homomorphic encryption is actually really similar to classical homomorphic encryption with the big difference that instead of working with classical data, we are now working with quantum data. So this psi here is, you know, it's a quantum state. I've written as a pure state, but in general it can also be a mixed state. And, of course, when we're working with quantum data, that also means that the type of operations that we're going to do are going to be different. So instead of classical functions, we're now going to work with quantum operations or quantum circuits. You can think of these as just this, similar to classical circuits, only with a different basic set of universal, different universal set of basic gates. And one other difference is that now we also allow this evaluation key to be a quantum state. So the public key and the secret key are still going to be classical, but the evaluation key can be a quantum state. So it has to be independent of the input data psi, though. All right, so now we have an idea of what our goal is. We want to design these four algorithms. They have to run in polynomial time, and they have to be secure and compact. Now I want to discuss some previous results. I'm going to start off with a few very trivial schemes that you can design. Oh, sorry. Just for the classical case, I mean, I'm sure you all know this. It has been solved by Gentry in 2009. This is by now a very famous result. I'm not going to go into the classical case too much, but it's just good to mention that in subsequent work, the assumptions from Gentry's scheme have been standardized more. So now we can do classical amorphic encryption or classical fully amorphic encryption under quantum-safe assumptions, for example, LWE. And this will be important for our work. And in the quantum setting, things are still a little bit more complicated, and that's what I'm going to discuss now. And here's where I want to start with those few trivial things that you might want to do. First one might seem silly, but one thing that you can do is just not encrypt at all. So just have this client, Dora, send over her data in the clear to the evaluator, who can then just apply any circuit, so it's homomorphic for all circuits, and just send the result back. The client doesn't have to do any work for a decryption, so it's compact, but of course it's not secure at all. On the other end of the spectrum, we can use a quantum one-time pad, which is analogous to the classical one-time pad, in that it provides perfect information theoretic security. But if we send over an encrypted state to the evaluator, then he cannot do anything with it. So either he can just send it back to the client, and in that case we have a scheme that's homomorphic for no circuit at all, or maybe just the identity circuit. Or alternatively, slightly less trivial, what he can do is he can append a description of the circuit that he would have liked to evaluate on the data, and then basically have the client do all the work. So it doesn't touch the quantum state, he just sends it back, and also sends back a decryption of what he would have liked to evaluate, and then the client can decrypt and do all the work herself. While this technically is a homomorphic, and it's also still secure because nothing about the input data is revealed, it's not compact anymore because the amount of work in the end phase and the decryption phase is proportional to the size of the circuit. And this is also why this compactness requirement is so important for us. Then we're moving out of these trivial schemes, and another well-known scheme is called the Clifford scheme. This is homomorphic for all Clifford circuits, and if you're not familiar with quantum computation, the Clifford circuits is basically all circuits that can be built up using the Clifford gates, which are just P, H and C naught, and you can think of them as an analogy to additional gates. And in order to do universal quantum computation, though, we need this additional T gate, basically the analogous to the multiplication gate, and this is also the one that poses all of our problems, just like in the classical work for homomorphic encryption. So this Clifford scheme, it only works for these simple gates, and it's built on some classical homomorphic encryption scheme, and therefore it inherits some computational assumptions, so the security is not information theoretic anymore. Last year, here at crypto, Broadman and Jeffrey, they presented an extension of the Clifford scheme that could deal in some sense with these difficult T gates. So they presented a scheme that could deal with a constant depth of T gates, so the T depth of the circuit could be constant, and then they could do homomorphic encryption for those circuits, or alternatively they presented a scheme that was homomorphic for all circuits, but then the client at the end had to do some work during the decryption phase, so it's not completely compact anymore. On a different line of work, we have a result from Ooyang Town of Fitzsimmons. They provide an information theoretically secure scheme, which basically can handle the same class of circuits as the scheme of Broadman and Jeffrey. However, it is known that it's impossible to design a quantum homomorphic encryption scheme that's homomorphic for all circuits and still provides information theoretic security. So in this talk, I want to continue along the lines of these works, our scheme is going to also be an extension of the Clifford scheme, just like the other two, and therefore I want to discuss this Clifford scheme in a bit more detail with you. So this Clifford scheme, it's going to be an encryption scheme so that we can evaluate the following gates on them, the P, H, and the C naught, these are the Clifford gates, and we are going to use two ingredients for that. The first one is a quantum encryption form, now it's a quantum one-time pad, I mentioned it earlier, and the idea is really similar to a classical one-time pad. So to encrypt, we pick two random bits instead of one, and this is going to be our key, two random bits A and B, and then to encrypt our quantum state Psi, we're just going to apply a bit flip, just like in a classical case, conditioned on A, and then also a phase flip conditioned on B, this completely hides the state of the quantum, or the information about the quantum state. So the result is just this state basically locked in a box with respect to the keys A and B. And then to decrypt, we basically do the same operation again, and this cancels out because X and Z, these bit and phase flips, they are their own inverses. And the second ingredient we're going to use for this Clifford scheme is any classical homomorphic encryption scheme. It has to adhere to some restrictions, for example, the assumptions that you're going to need for this classical homomorphic encryption scheme. They, of course, have to be quantum safe, so they have to be safe against the quantum adversary, but there are some known schemes that adhere to all of these requirements, so that's not a problem. It's important to note that you can pick any classical homomorphic encryption scheme that meets these requirements. If there are some advancements in a better scheme there, you can just plug and play and pick your favorite set of assumptions. So with these two ingredients, how is this going to work? Of course, we start off with our input quantum state, and what we're going to do is we're going to use this quantum one-time pad to encrypt this state. So now it's completely secure and we can send it over to the evaluator. And let's say this evaluator wants to evaluate the Hadamard gate on this state. This is this H gate. Basically, what it's going to do is it's just going to apply this state to the encrypted input, and we can do the math, and then we can see that because of the way this Hadamard gate interacts with this quantum one-time pad, I mean you just have to know about this, but you can do the math yourself, we end up actually with a valid encryption of the results, so we end up with an encryption of H applied to psi, only if you're paying close attention, you will see that the key has changed. So the key to the quantum one-time pad is not the same as it was before. It used to be A, B, and now it's B, A. For the Hadamard gate, always these two values flip. For the phase gate and the C-naught, things are a little bit different, but they are always some simple function of the original key. So in this case it's a swap, maybe for the phase gate there's some addition involved, but it's always a simple way. So Google just applies this Hadamard gate to the encrypted state, ends up with a valid encryption of the result, but if you would just send this back to Dora now, she would be unable to decrypt because her key doesn't match anymore. So this is where the second ingredient comes in, our classical homomorph encryption scheme. Dora just packs up her key to the quantum one-time pad using a classical encryption, which it then sends to Google. Google knows he has just applied this Hadamard gate, so he knows he has to flip or swap the two values of the key and he can do this homomorphically using our classical homomorph encryption scheme. So he starts off with the old key, he evaluates some update function and now he has an encryption of the new key, of the updated key. Then he can send everything back to Dora. She can first decrypt the new updated key to the quantum one-time pad and then she can use that key to decrypt the state that she's interested in, so Hadamard applied to PSI. And we can reiterate this, of course, for any number of Clifford gates. So this results in a scheme that works for all Clifford circuits. And the problem is now the T gate. So what happens if we try to do the same thing with the T gate here? Well, it depends. It depends on the key to the quantum one-time pad. If the key to the quantum one-time pad happened to start with a zero, so if A equals zero, then everything is fine. We can just do the same trick. We can just apply the T gate to the encrypted state, end up with an encryption of the result. However, if A happened to be one, so if the first key to the quantum one-time pad was a one, then this doesn't work. If we try to do the same thing, we do end up with an encryption of the result, but there is an error term here. So there's an extra phase applied to this state. And the challenge is now we have to remove this phase gate before we can continue the computation, but the evaluator, Google, he does not know which of these two cases he is in. So the challenge is how can Google apply this correction, P inverse, if and only if A equals one. So if and only if we're in the right case. So in the previous works, people have found different ways to deal with this, and our new result is now that we have a way to deal with these T gates such that we can evaluate more of them. So our homomorphic encryption scheme works for circuits of polynomial size. So in particular, we can deal with a polynomial number of T gates, and this polynomial is in the security parameter. And why is this? During the key generation phase, we generate a number of auxiliary states or gadgets. And of course, the number of gadgets that we can generate is limited by the security parameter because our key generation phase has to run in polynomial time. And these gadgets, they can be used to remove an error after the application of a T gate. And we need one error or one gadget for after every T gate to remove this error if it was present. And because our scheme is an extension of the Clifford scheme, we also have inherited the same computational assumptions but no additional assumptions. So unfortunately, I don't have any time to go into the exact details, but I just want to give you an idea. This error correction gadget, it's a quantum state. So we generated as part of the evaluation key which was allowed to be a quantum state. Of course, we have to be able to efficiently construct and use it, otherwise it's useless. The idea is, it can be used in such a way that it applies the correction P inverse if and only if an error was present to begin with. So if and only if this key A was equal to one. And the idea is the following. So we have our state and inside this gadget there's going to be a lot of permutations going on. Basically, we do some sort of permutation branching program inside for the decryption. I'm not going to go into the details, but the idea is that if there was an error present, if it was equal to one, then somewhere inside this gadget, this state is going to pass a correction gate and out comes the corrected state without the error. Whereas if A equals zero, so if there was no error to begin with, the gadget operated in a different way and somehow this state is not going to pass through this correction gate. So it's going to come out unharmed. So in the end, whether or not the error was present to begin with, we end up with a state where the error was not present anymore. Unfortunately, though, because the way the gadget is set up, we have to perform a lot of measurements during the use of the gadget, which means that after one use, this gadget has become useless. We can only use it once. So after one use, it's destroyed and we have to go to a new one. This is why we need as many gadgets as there are T-gays in this circuit. So just to give you an overview of what this is like, we get those four algorithms. First is key generation. We generate some keys for some classical homomorphic encryption scheme of our choice. And additionally, we generate a number of these gadgets. Any number up to some upper bound of the number of T-gates that we think we're going to evaluate during the evaluation phase. For the encryption, we first encrypt using the quantum one-time pad, and then we encrypt the key to the quantum one-time pad using our classical encryption scheme. For the evaluation, it depends on what kind of gates we want to evaluate. The Clifford gates, they're pretty easy. We can just apply them and then classically update the keys. For the T-gates, we have to use one of our gadgets in order to get rid of this error. And then finally to decrypt. We first decrypt the updated key because during the evaluation key, we use the classical secret key. And then we use this updated key to decrypt the final resulting state that we're interested in to get the plain sex of the result. So this scheme, it can deal with a polynomial number of T-gates, which is an improvement over the previously known results. And given that the classical scheme is secure and compact, our resulting scheme is also secure and compact. For some future work, of course, one obvious thing is, we need to do a version of this where we don't need to generate this number of so one gadget for every T-gate. So in technical terms, that would be a non-leveled version of our QFHE scheme, Quantum Fully or Morphic Encryption. And some other interesting things that we would like to look at which don't require this non-leveled version of QFHE is just to see if some of the things that follow classically from Homo Morphic Encryption would also follow in a quantum way. So multi-party computation, quantum obfuscation, but a lot of other things. So there's a lot to be done here. Thank you.