 Thanks. I also do Bermitsfels. Thanks, Rovav. So, let me start by talking about classical fully homomorphic encryption. So, in this case, we have a weak client that wants to use the computational power of a strong server to compute some function. So, the client has input x and wants to get f of x. And the restriction is that we don't want the server to learn anything about the input x. And the way this is done with fully homomorphic encryption is that the client generates a pair of keys, a secret key and a public key, and just encrypts its input using the public key. And our security requirement is just standard semantic security, just like any other encryption scheme. But with the fully homomorphic encryption, the server can perform homomorphic evaluation on ciphertext and get from an encryption of x to an encryption of f of x. Now, this doesn't have to look like a fresh encryption of f of x, but it needs to decrypt to the right value. And of course, we require this notion of compactness, which means that the length of this encryption of f of x and the time that it takes to decrypt it should be independent of the complexity of the function f itself. Another property that is not always required, but is actually going to be important for this talk, is called circuit privacy. And for our purposes, circuit privacy just means that this encryption of f of x really does need to look like a fresh encryption of f of x. And this should hold even for a computationally unbounded distinguisher. So this is circuit privacy. And homomorphic encryption schemes classical have been constructed based on the hardness of the learning with errors problem. And this problem is considered to be intractable even from quantum computers. This gives you a plausible post quantum candidate for fully homomorphic encryption. So post quantum means that the actual users of the scheme are classical, but the adversary might be quantum. So quantum fully homomorphic encryption was presented by broadband and Jeffrey. And there you want to outsource a quantum computation. So the server has quantum powers, and you wanted to quantumly evaluate a function on encrypted on encrypted ciphertext. Now we want to allow the client to be either classical or quantum, whatever it wants. So for that purpose, we need the key generation and the keys to be classical so that the classical client can use them as well. And we also need the property that when we encrypt the classical message, we actually get a classical ciphertext. So this can be done by classical client. But if the client is quantum and it wants to encrypt the quantum message, then you should be able to do that as well. So we want to be able to encrypt quantum messages in such a way that it can degenerate to classical in a straightforward way. So this is what we want. And broadband Jeffrey didn't only present the concept but also presented an approach on how to achieve it and essentially uses hybrid encryption. So they propose to combine classical fully homomorphic encryption with the quantum one-time pad to get a quantum fully homomorphic encryption. And this approach was used by all previous works and also by the work that I'm going to talk about today. However, it seems pretty hard to actually apply this approach to actually get the full-fledged definition. And in fact, the only prior works that achieves the definition that I described is the very recent work of Mahadev. And she constructed the scheme based on the hardness of the learning with errors problem. So similarly to the classical schemes, but with a super polynomial modulus Q. So the modulus is a parameter of the learning with errors problem. And the smaller the modulus gets, the harder problem becomes. So the assumption becomes more favorable or weaker. So originally, Regev proposed the hardness of LWE with polynomial modulus. But as far as we know, super polynomial should also be hard. So this is an assumption that we're okay to rely on. The reason why super polynomial modulus was needed was because this quantum homomorphic evaluation actually had correctness error. And the correctness error scaled more or less with the size of the quantum function that you wanted to evaluate divided by the modulus. So if you want the scheme that works for every polynomial size function, then you want the super polynomial modulus so that the correctness error remains small. So additionally, if you want the strongest notion of fully homomorphic encryption, you need an additional assumption. And this holds even in the classical setting. So even in the classical setting for the strongest possible notion of homomorphism, you actually need what's called a circular security assumption. And this is needed even in Mahadev's quantum scheme. But actually she needed a new circular security assumption, which seems stronger than the assumptions that were used for classical schemes. However, this is pretty amazing that this can be done, that this definition can be achieved. But let's be greedy and ask, now that we know that it's possible, why can't it be as good as classical fully homomorphic encryption schemes? So let's do the comparison here. So in terms of the modulus for classical schemes, we know how to get it from randomly with the polynomial modulus. In terms of circular security, you need a weaker flavor of circular security assumption, or seemingly weaker at least. And for correctness error, actually in the classical setting, you can get schemes with perfect correctness. So there's no correctness error at all. What we do here is get close to getting to the classical setting. So it all sort of boils down, or most of it boils down to the correctness error. So instead of getting correctness error that is size of function divided by modulus, we get size of function divided by 2 to the modulus, which allows us to use a polynomial modulus to get an exponentially small correctness error. This allows us to use LWE with just polynomial modulus, which is slightly larger than the modulus that you need for the classical setting, but is still polynomial. In terms of the circular security assumption, we don't get the same assumption as in the classical setting, but we're actually getting an assumption that appeared in literature before, and perhaps surprisingly, it appeared in the context of multi-key fully homomorphic encryption. So this is the same assumption that you need in order to get the strongest flavor of multi-key classical fully homomorphic encryption. So this is an assumption that already appeared in literature. But perhaps as important as the specific contributions here, we have sort of a conceptual approach to the problem that connects a quantum homomorphism with this circuit privacy notion that I was mentioning before, and this starts to light even on previous works. So let me tell you a little bit about it, but first let's do a little primer about qubits and quantum registers. So a quantum register is a register that can be in superposition between a few classical states, and if these two states are just 0 and 1, then we call it a qubit. In terms of notation, we use this Dirac notation, which presents a quantum state as a linear combination of classical states, where these coefficients, w0 and w1, are related to the probability of measuring the value 0 or 1 when you measure this quantum register. In particular, if you measure the register, then the probability of getting 0 is the amplitude square of w0, and this means that the sum of squares of all the amplitudes should be 1. So when you measure a quantum register, you actually collapse its states to a classical state. So if I measured 0, then the register is now going to be in classical state 0. But in fact, you can collapse a register without measuring it directly if it's entangled with another register. So for example, let's consider a two qubit state. So the state 0, 0, plus 1, 1. This is a state over two qubits, and these two qubits are related or entangled, or even less formally you can say that if you see qubit number 2, then it leaks information on qubit number 1. In such a case, measuring qubit number 2 will collapse the state of qubit number 1 as well. So even though I didn't measure qubit number 1 explicitly, I can collapse its state just by measuring a related qubit. Two properties that we're going to need about quantum registers, so if I have a super position over states a, then I can create a superposition with the same weights, but on states a comma f of a for every function for any function f with the same weights as before. And the last thing is that you can efficiently do Fourier transform on a quantum register if the states come from like a nice abelian groups, which they will. Alright, so let's try to see how to use fully homomorphic encryption together with quantum one-time pad to get quantum fully homomorphic encryption. So I should tell you what is quantum one-time pad. So this was presented by Ambinus et al. And the cool thing is that it allows to encrypt a quantum state using a classical key. So using a sequence of classical beats and get perfect security. So in particular to perfectly encrypt a single qubit all you need is two random classical bits. And you can do this. And in terms of notation we're going to denote alpha sub yz, the quantum one-time pad encryption of the state alpha using pad keys, using pad bits y and z. So if you're wondering how this is done, so in the quantum one-time pad you use one of the bits to do exactly the same thing as classical one-time pad. So you use the bit y to do a bit flip of the quantum register that you have. And then you use the bit z to do the dual operation. So you're doing a phase flip. If you don't know what a phase flip is, don't worry about it. We're not really going to mention needed today. But importantly, note that the classical one-time pad is just a special case of the, can be derived as a special case of quantum one-time pad when you take the bit z to be zero. So a classically one-time padded value, classical value, can be seen as a quantumly one-time padded value. So the Bob and Jeffrey approach is the following. So if I want to quantumly encrypt a quantum state, what I'm going to do is I'm going to generate a quantum one-time pad. So I'm going to generate two classical bits y and z. I'm going to use them to quantum one-time pad my register alpha. And then I'm going to use a classical encryption scheme to encrypt y and z. And for the sake of my own sanity, instead of writing you know classical fully homomorphic encryption, classical fully homomorphic encryption of y and z, I'm just going to use brackets. So things in brackets are encrypted with a classical scheme. So this is a pretty cool idea. Even regardless of homomorphism, it shows that you can get a quantum public encryption from any classical public encryption scheme. And security is pretty immediate just by just by a hybrid argument. As usual with homomorphic encryption, the problem is how to how to get correctness, how to get the homomorphic evaluation to work. And as I said, this is sort of always the problem. So we're going to forget about security. Once we got to this point, security is guaranteed. There's no nothing that I can do from this point and on can harm security. All you need to worry about now is to get the functionalities, to get the correctness. How do you get the correctness? Well, it turns out that the following building block is required in order to get a homomorphic evaluation for this type of schemes. So you can think about this in analog for homomorphism for linear functions in the classical setting. So I have an encrypted bit x and two bits A and B. And what I want is to get an encryption of A x plus B. This is sort of a pretty basic primitive. But its quantum analog is slightly more complicated. So now, again, we have an encrypted classical bit and a super position over two qubits. And what I want is to get an encryption of A x plus B. But now using our sort of new using our encryption method. So this super position needs to be encrypted with a quantum one time pad. And the quantum one time pad needs to be encrypted with a classical scheme. So if I'm able to perform this type of transformation given a classically encrypted bit x and a super position over A and B, then I'm going to be able to get the entire quantum evaluation that I want. And actually another way to think about it is that this operation in fact takes this bit x, which is sort of inside a ciphertext, and teleports it into the quantum superposition. So this is actually approach that was was useful in the past. So let's see how to actually do it. So this is kind of complicated. So I'm just going to simplify it a little bit. I'm going to do something that's I think is as hard. And I'm just going to take I'm just going to take a classical bit x and now a superposition just over a single qubit. And what they want is to get sort of the quantum analog of an encryption of A times x. So this is what I'm going to work on from now on. And naively, so if I'm saying that this is the quantum analog of getting an encryption of A times x, well, I know my original x bit was encrypted using a classical fully homomorphic encryption. So I can start from a superposition over the A's and get to a superposition over a comma encryption of A times x. This just follows from the from the classical homomorphic evaluation. So what I got now is a superposition over classical homomorphic ciphertext. And this is not what I want. I mean, I'd want to now pull out this classical ciphertext from outside of my superposition because what I want in the end is that all classical encryptions are outside of the superposition. And I'm only getting a superposition that is one time padded and not like encrypted using classical homomorphic encryption. So maybe the right thing to do is to just sort of measure the register that contains A times x. But this is not going this is not good because it's going to collapse the superposition. So the first thing that we could notice is that the value A times x actually depends on A. So once I measure an encryption of A times x, I'm going to collapse the super position of A and this is going to destroy me the correctness of my the correctness of my evaluation. However, this is not so hard to fix. I'm just going to introduce a mediator between A times x and the classically encrypted value. And we're going to see that this is going to solve our problem. So I'm going to introduce a new register Y prime. This Y prime is just in superposition between zero and one. And now instead of computing A x plus just A x, I'm computing A x plus Y prime. And I'm going to call this value Y. Now, why do I claim that this solved the problem? And what I'm going to try to do is pull Y out. This is going to be my new goal. But first, let's see why this is like why this is progress. So just by definition, Y equals A x plus Y prime, which means that equivalently Y prime equals A x plus Y. So Y prime is just the value A times x one time padded by Y. So if we measured the encryption of Y then really what we would get is A times x one time padded with this value Y for which we get the ciphertext for. So this seems like a step in the right direction. So this is really what we're going to do. However, we observed that even though now if we just measure the value Y, this is not going to collapse our superposition for the reason that I just explained, we're not measuring Y itself. But actually we're measuring an encryption of Y. We're measuring a whole ciphertext. And the ciphertext might leak about the history, about the way that it was created. And this actually has to be the case so long as your homomorphic evaluation is a deterministic process. So if we were to measure Y then we'd be okay, but we need to measure this ciphertext of Y and this could create a problem because the ciphertext itself contains some information about the value A that was used to create it and this will still collapse our superposition. So this is like sort of the hard problem. Any suggestions on how this can be fixed? Okay, never mind. So circuit privacy seems like a tool that could be useful here because circuit privacy essentially says that the information in the ciphertext should not be much more than just the information that exists in the plaintext. So let's sort of talk a little bit more in depth about circuit private classical fully homomorphic encryption. So what we have is instead of having a deterministic evaluation process, so remember now we're talking about the classical setting, our homomorphic evaluation is going to be randomized. So in addition to taking the encrypted input X and the function F, there's also going to be a random tape and this is going to be a randomized functionality and the guarantee is that the distribution of the outputs, the outputs Y is going to only depend on the plaintext on the encryption of Y, it only depends on Y and this is true even if you know X and even if you know F, even if you know everything except the random tape. So in a sense, the circuit private homomorphic evaluation actually pushes all of this ugly information that we don't want into the randomness register. So so long as you don't see the randomness register, you don't get any bad information. So property for randomized evaluation that is going to matter for us is the conditional distribution of the randomness condition on like all this other information, the input, the output and the function that was evaluated. So I'm going to explain why this is important in the next slide but for now, let's just think about the definition. So if you know the encryption of X, encryption of Y and F, what can you tell me about the randomness R? And the way we interpret Mahadev's construction is that she requires a circuit private classical homomorphic encryption scheme where the randomness R is uniquely determined by these values X, Y and F. Sorry. Whereas here, we want to work with sort of more efficient or more elaborate ways to get to get circuit privacy, especially we rely on a scheme by Boris Adal from crypto 2016. And there the conditional distribution of randomness is much uglier. So it's a Gaussian distribution over a lattice coset that is determined by these X, Y and F. So if you don't know what these lattice cosets are, don't worry about it. We won't need them much. But it's like a much uglier distribution. OK, good. So let's see how to use this circuit privacy in order to teleport X into our state. So before, we said that we are going to evaluate AX plus Y prime. Now we're just going to do it using a circuit private scheme. So we need additionally a randomness register. So in addition, in our quantum state, we're going to have a randomness value. And we're going to do circuit private homomorphic evaluation of this value AX plus Y prime. And this actually works. Now if I do this, then I can actually measure this part of the register and get this classical encryption of Y. But now the quantum part, well, it contains A and Y prime, which is good. This is what I want. But in addition, it contains this randomness value, which as I said before, now it contains all this sort of bad information that I didn't want the ciphertext Y to contain before. So now I need to find a way to get rid or uncompute, as they say in quantum terminology, this register R in order to avoid the state from collapsing. So if I just measure this R to try to get rid of it, then I would collapse the state just as I did before. So what Mahadev showed was that in the case where R is unique, then you can actually remove it by performing binary Fourier transform on the register R. So it doesn't actually remove it. It just sort of pushes it into the phase in a way that is manageable, but let's not get into that. So for unique R, you can actually find a solution which is sort of, I would say it's combinatorial in nature, whereas what we try to do here is get some sort of an algebraic approach to removing this randomness register. So really at a super high level, what we try to do is replace the binary Fourier transform with qR where q is this LWE modulus. So all of our elements sort of natively live in Z mod q. So it's natural to try the qR Fourier transform. It doesn't work immediately. So you need to sort of work hard to make it work and then use this algebraic properties of these lattice cosets instead of the uniqueness property that was used before in order to show that when you do this Fourier transform, it allows you to sort of push the bad information again into the phase in a manageable way. And this involves sort of coming up with some additional tools and some analogs, quantum analogs of classical tools that were known before. But I'm not going to get into the details. Let me not summarize but give you some remaining some remaining questions from this work and then maybe tell you something else. So I think so the way that I view things is that what we did here was to sort of show that this approach of quantum evaluation actually requires circuit privacy and the question is whether this is inherent. It seems like in the quantum setting things are so delicate that you have to somehow prevent them from collapsing by something like circuit privacy. But I don't even know how to formally sort of define it so that I can try to prove it. So this is sort of one interesting question. So the second one is I said that we get a slightly larger modulus q than the classical setting. In fact, we match the classical modulus of the circuit private scheme of Bore-Sadal. I wouldn't be surprised if you can take it further down and get very close to the classical setting. The issue of correctness error is kind of annoying. So we get like really tiny correctness error but why can't we get perfect correctness like we do in the classical setting? It's not clear how to do it but I have an actually a purely classical question that you can think of and if you can solve it then I think it would be a good a big first step towards solving the quantum issue. So the question is to come up with a semi-honest oblivious transfer scheme that has both perfect correctness and perfect privacy for the sender. So we actually know how to do it based on DDH and other number theoretic assumptions but I want to get a post-quantum solution. So I want to come up with a post-quantum scheme oblivious transfer scheme that has both perfect correctness and perfect sender privacy. Completely classical question and I think if you solve it it would be a good step towards perfect correctness here. Lastly, there's some ugliness in the construction so we apply like every quantum gate that we apply requires afterwards a lot of post-processing in order to restore the state and again we have this slightly non-standard circular security assumption and you know we don't want to have these we actually want to get the same the same efficiency guarantees that we have in the classical setting. So I want to tell you I want to eat into my questions time and tell you a little bit about things that are slightly different so there's been pretty interesting developments in this whole area of quantum outsourcing so the setting where you have a quantum a quantum server that wants to perform some operation for a weaker possibly classical possibly classical client so we talked about the privacy issue but some other interesting things that are happening so you might want this quantum server to actually convince you that it's really doing a quantum operation so you only have classical communication and you're a classical dude but you want the server to compute to convince you that it's actually performing a quantum operation this is related to the so-called quantum supremacy problem that practitioners also care about. Other thing that you can want the quantum party to do is to provide you with pure randomness this is sort of the only way in the universe that we know to get pure randomness is to use quantum processes and me as a classical person want a proof that indeed my server produces produce randomness in a proper quantum way last thing that you may want is the delegation problem so you want the server to solve a quantum problem for you and you want to be able to sort of verify the solution is correct even though you're just a classical you're just a classical person so the first two issues were addressed in work by with Cristiano Mahadev Vazirani and Vidic and this last point was addressed by a recent work of Mahadev so both of these are going to appear in Fox in the upcoming Fox and all of these like these two works and Mahadev's original quantum FHE are actually related and let me sort of try to give you a super high level intuition that connects these three problems to the quantum homomorphism problem that we saw so the verifier can use a quantum sort of a quantum fully homomorphic encryption he generates classical keys and encrypts the classical message zero and he sends those to the server now the server does quantum homomorphic evaluation of a designated quantum function according to this specific task that we want the server to perform so there's some designated quantum function that the server needs to apply and then he sends back the classical part of the result and what you want to argue is that the verifier who has the secret key now knows why and also the randomness that was used to encrypt y in this you need to work hard to argue that this sort of straddles the prover in some meaningful way that allows you to get soundness for these sort of tasks so this is super high level connection also not chronological connection between these two things and I think there's some pretty cool progress and some interesting problems that lie ahead thank you