 Thank you for getting up so early to attend my talk. So I'm going to be talking about quantum homomorphic encryption, which is a quantum version of a classical primitive that you've all probably heard of, homomorphic encryption. And this is for circuits of low T gate complexity. And a T gate is a kind of quantum gate, which you should think of as being kind of analogous to a multiplication gate. So the results I'm going to present in this talk are kind of a quantum version of a homomorphic encryption scheme that is homomorphic for circuits with arbitrary addition gates and some small number of multiplication gates. So the idea of homomorphic encryption has been around for several decades. And the goal is to be able to encrypt some message M so that we can evaluate some function F on the message M without decrypting. And this was fully realized in 2009 when Gentry presented the first fully homomorphic encryption scheme, allowing us to evaluate any function F on an encrypted message M. But what I'm going to be talking about is quantum homomorphic encryption. So the goal is to extend this functionality to quantum computing. So this would generalize classical non-quantum homomorphic encryption in two ways. So first, we would like to be able to encrypt quantum information. So we use this kind of funny asymmetric bracket to denote that something is a quantum state. And just without getting into too many details, what I mean by quantum state is just that if you want to fully describe certain systems, like the state of a photon, for example, you need a richer description than you would require for, say, describing a random variable. So we'd like to be able to encrypt some quantum state. And we would like to be able to apply quantum circuits homomorphically. So just like a classical computation, a quantum computation can be described as a circuit, which is a sequence of gates from some finite gate set. But now, of course, the gates will be different. They'll be quantum gates. So for example, if I wanted to encrypt an integer and have someone homomorphically factor it for me, this is something that would already be possible using classical fully homomorphic encryption. But this would necessarily take super polynomial time, because we don't know of any polynomial sized classical circuit for factoring. However, we do have a quantum algorithm for factoring, which takes polynomial time. So if we could do quantum homomorphic encryption, then someone could homomorphically factor my integer in polynomial time by homomorphically applying Schor's polynomial time algorithm for factoring. So the idea of secure delegated quantum computation has already received a lot of attention, because it really makes a lot of sense. When we finally realize full scale universal quantum computers, they're probably going to have to be kept in a lab somewhere. They need to be kept super cold. You're not going to have one in your home or in your business. So you're going to have to outsource your quantum computations much more than today where you might outsource some classical computations, but you also could have your own classical computer. And so people have already studied how to make the outsourcing of quantum computations secure, but these protocols involve constant interaction between the client and the server, whereas quantum homomorphic encryption would provide a way of delegating your quantum computations securely without the requirement for interaction. And there have been a few papers recently looking at quantum homomorphic encryption. For example, this work of you et al from 2014 showed that quantum fully homomorphic encryption is not possible with information theoretic security, something that was not obvious. And then there have been some works looking at quantum homomorphic encryption in certain non cryptographic kind of security models. For instance, this particular work of Tan et al looks at bounding information leakage, but this doesn't give any kind of semantic security. So our work is the first to consider quantum homomorphic encryption with cryptographic security. So I'll begin by defining what I mean by homomorphic encryption, just classical for now. So a homomorphic encryption scheme consists of four polynomial time algorithms. So first there's a key generation procedure, which takes some security parameter kappa and outputs three keys, a decryption key, an evaluation key, and an encryption key. Then an encryption procedure takes a message M and an encryption key and outputs a ciphertext C. Then an evaluation procedure, it takes an evaluation key and a ciphertext C, and it also takes some function f, which is given as some circuit that computes f. So f is just going to be some list of gates that gives us a circuit for computing f. And then the evaluation procedure outputs another ciphertext. And then finally, the decryption procedure takes a decryption key and a ciphertext and outputs a plaintext, which is hopefully f of M. So in the public key setting, we imagine Alice generating three keys and outputting the evaluation key and the encryption key. And then Bob can encrypt a message using Alice's evaluation key or encryption key. Charlie can then evaluate a function on that encrypted message using Alice's evaluation key. And then Alice will be able to decrypt and learn f of M. So the properties that we would like for such a scheme, we say a scheme is C homomorphic, where C is some set of circuits if for all f and C. If Charlie evaluates f, when Alice decrypts, she will get f of M. And of course, we also would like a homomorphic encryption scheme to be secure. Specifically, we would like some kind of indistinguishability under chosen plaintext attack. And there's actually one more property that we require for a homomorphic encryption scheme. And so to illustrate this, let me show you how we can easily get a scheme that is homomorphic for all circuits and also secure. So this is called the trivial scheme. And for this, we start with any semantically secure public key encryption scheme. And now we can create a homomorphic encryption scheme as follows. To generate the keys, we just use the public key scheme. We don't need an evaluation key. And to encrypt, we just use the public key scheme to encrypt the message. To evaluate, we just take a ciphertext and a circuit f. And we just concatenate them. And then to decrypt, we just decrypt the ciphertext C to get the message M. And then we apply f to M. And so this is homomorphic for all circuits, f. We can homomorphically evaluate any circuit f this way. And it is secure. But this is clearly not what we mean by a homomorphic encryption. We've just cheated by pushing all of the work of evaluation into the decryption phase. So what we really want is a scheme which also has a property called compactness, which means that the complexity of decryption should not depend on the circuit that we've evaluated. So all of the work of evaluating the circuit must be done in the evaluation phase and not in the decryption phase. And a scheme that is homomorphic for all classical circuits and in CPA secure and compact is called a fully homomorphic encryption scheme. A quantum homomorphic encryption scheme is almost the same. However, now we want to be able to encrypt a quantum state. So the input, the message here, is going to be an arbitrary quantum state. And then the ciphertext is necessarily also going to be a quantum state. And the evaluation procedure is going to take a quantum circuit. So as I said before, a quantum circuit is just like a classical circuit. It's a list of gates from some finite gate set. So this description of the quantum circuit is just going to be a classical string. And then when we decrypt, what we would like to get is what we would have gotten by applying the circuit c, the quantum circuit c, to this quantum state, size of m. And we have the same three properties that we would like to achieve. So for a class of quantum circuits q, we say that a scheme is q-homomorphic if we can homomorphically evaluate any quantum circuit in q. And one of our contributions is to define a quantum version of in-CPA security, which we call q-in-CPA. And it basically just says that no polynomial time adversary, and of course, our adversaries are allowed to be quantum, can distinguish between an encryption of some quantum state and an encryption of a random bit. And we also still would like a scheme that is compact. So the complexity of decryption should be independent of the quantum circuit that we evaluate. OK, so to talk more about how we might homomorphically evaluate a quantum circuit, let's consider circuits a bit. In the classical case, we have addition and multiplication forming a universal gate set. So any classical function can be expressed as a circuit using the gate's addition and multiplication. So when we want to consider classical homomorphic encryption, it's sufficient to consider how we might homomorphically add two ciphertexts and homomorphically multiply two ciphertexts. And traditionally, addition is often very easy, whereas adding homomorphic multiplication is kind of the hard operation. OK, so quantum computation can also be expressed as a circuit, but we have different gate sets. So a couple of things that you might notice about this quantum circuit that may seem strange. Three out of the four gates shown here only act on a single wire. So they're only acting on a single quantum bit. And classically, the only interesting thing you can do with a single bit is to apply a knot gate. Whereas quantumly, there are many single quantum bit gates, which have very interesting behavior. And the other thing that you might notice that might look a little bit strange is that every gate here has the same number of inputs as outputs. And that's required in a quantum circuit because every gate must be reversible. It must be invertible. So for example, this gate here, which looks a bit like an addition gate, is actually a classical gate. It's a reversible addition gate. And so it takes two inputs, two input bits, b1 and b2, and it outputs b1 and b2 plus b1. We call this a c knot gate or a controlled knot gate, but it really just does reversible addition. So this is really a classical gate, but these other gates here are not classical. They cannot be described classically. These are really quantum gates. And these gates, HP and c knot, generate a very important class of circuits called the Clifford group. And when we add a gate called a t gate, we get a universal gate set for quantum computations. OK, so let's compare quantum and classical circuits. Classically, we can start with an addition gate, which generates the not very interesting set of circuits called linear circuits. And quantumly, we have these three gates, HP and c knot, which is a reversible addition. And these generate an important class of quantum circuits called the Clifford group. And the Clifford group is also, I mean, it's very interesting theoretically, but it's somehow not very interesting as a class of circuits. It's not very powerful. So in fact, it's less powerful than classical computation. You can't do multiplication with Clifford circuits, but you can do any classical linear circuit using Clifford circuits. And so on the classical side, to get universal computation, we need to add a multiplication gate. This together with addition gives us universal classical computation. And on the quantum side, we add this non-Clifford gate called a t gate. But in fact, we could have added any non-Clifford gate to the Clifford generators to get a universal quantum gate set. We could even have added reversible multiplication. Reversible multiplication is not a Clifford operation. It cannot be generated by these gates. And so we could have added reversible multiplication here. But we instead work with this t gate, since it's just a very well-studied gate, quantumly, but you should think of this as being kind of analogous to multiplication. It's very related to this reversible multiplication gate. So just to summarize, we have Clifford's, which are kind of the quantum version of linear circuits. And then we add this t gate, which you should think of as analogous to a multiplication gate. And now I can state our results. So a scheme which is homomorphic for all quantum circuits and compact and Q in CPA would be a quantumfully homomorphic encryption scheme. And we don't achieve such a scheme, but we have some partial results. So let's first consider as a baseline what we could do trivially. By not encrypting, we get a scheme which is homomorphic for all quantum circuits and compact, but has no security. And as I mentioned before, the trivial scheme is homomorphic and secure, but it is not compact at all. The complexity of decryption scales with the number of gates in the evaluated circuit. And similarly, if we apply some sort of encryption scheme, like something called a quantum one-time pad, or any other kind of secure quantum encryption, this is not homomorphic, but it's vacuously compact and it is Q in CPA secure. And so we present some schemes which are sort of intermediate. They're between these trivial results and the ultimate goal, which would be quantumfully homomorphic encryption. Our first scheme is homomorphic for all Clifford circuits and it's compact and Q in CPA secure. So this first scheme should be thought of as analogous to a classical scheme, which is homomorphic for linear circuits. And it's conceptually very simple. I'll actually be able to go through the scheme towards the end of my talk. But it's very important because our other schemes build on this idea. So our second scheme extends the first to quantum circuits that have arbitrary Clifford gates, but are constant in the depth of T gates. And this is also compact and Q in CPA secure. And then our third scheme, it extends the first scheme in a different way. So it's homomorphic for all quantum circuits, but it is not compact. The complexity of decryption depends on the number of T gates. It scales like the square of the number of T gates. So this is better than the trivial scheme in which the complexity decryption depends on all gates in the evaluated circuit, but it is still not compact. And the scheme is also Q in CPA secure. Okay, so my remaining time, I'd like to explain how our first scheme works. It's actually a fairly straightforward extension of a classical homomorphic encryption scheme, which is homomorphic for linear circuits. But before I get into that, I'll just say our first and third schemes are both public key and our second scheme is symmetric key. And I should tell you what I mean by quantum information. So we all know what classical information is. To describe a fully general classical system, which could be in some sort of a random state, we need some probability density function. So this is just a positive real valued function on n-bit strings with unit L1 norm. So some examples of one-bit randomized systems. They could be in a state, for instance, this is a uniform random bit where P of zero equals one-half and P of one equals one-half. So we can just express this very succinctly as a two-dimensional vector. We could also have all of the weight on zero. So P of zero equals one. We actually usually just refer to this as zero. Or we could have all the weight on one. So P of one equals one. We usually just call this the bit one. So the state of a quantum system can be described in a very similar way. An n-quantum bit or qubit system is described by a complex valued function on n-bit strings with unit L2 norm. So some examples of one qubit states. We could, for example, have all of the weight on zero. So this would be Q of zero equals one. And we call this zero as well, but we put it in these funny brackets to remind ourselves that it is the state of a quantum system. And similarly, we could have all of the weight on one. So Q of one equals one. And we call this one. We could also have the weight uniformly distributed. So Q of zero equals Q of one equals one over root two. We'll call this hat zero, since it's actually just a Fourier transform of zero. And you might think of this as being analogous to a uniform random bit. And in some sense it is, but unlike in the classical situation, we could also have a state like this. This is a Fourier transform of one. And it also has the same weight on zero and one. It just has a different sign. And this is an important difference between classical and quantum information. In quantum information, we have the concept of different bases. So we have this sort of standard basis. And we also have this Fourier basis. And of course, infinitely, many other bases. And more generally, we can also have complex numbers. And we usually just use this psi in these funny brackets to denote an arbitrary quantum state. And to give you an idea of what a quantum gate looks like, this H gate, which was one of our Clifford generators, this stands for Hadamard. And it's just the linear operator, which does a Fourier transform. So it maps zero to the Fourier transform of zero and one to the Fourier transform of one. And generally, all of our quantum gates will be unitary operators. So they'll be linear operators that map unit vectors to unit vectors. Okay, so now I can talk about our first scheme, the Clifford scheme. So a very important Clifford gate is an X gate, which is just a classical knot gate. So it takes as input some bit X, and it flipped that bit. And if we have some n-bit system and we choose a random n-bit string A, and we apply X everywhere where A equals one, and the identity everywhere where A equals zero, this is just like applying a classical one-time pad where the key is given by A. So we'll call this X to the A, but this is really just a one-time pad with A as the one-time pad key. So we're just adding in the vector A to our input. Okay, but as I mentioned, we also have these other bases to consider, in particular, the important Fourier basis. So there's also another Clifford gate called a Z gate, which just does a knot in the Fourier basis. So it just switches between our two Fourier basis vectors. So we could also consider doing a one-time pad in the Fourier basis. And we'll call this Z to the A. So the Pauly group is just the group of all circuits generated by X and Z gates. So it's just the group of all circuits where we essentially just apply Z to some random subset of the wires, and then apply X to some random subset of the wires. And the quantum one-time pad is just applying a random Pauly. So to do a quantum one-time pad, we just choose a random key A and apply a one-time pad, and we choose a random key B, and then we apply a one-time pad in the Fourier basis. Okay, so the Clifford group, which I have been mentioning, is defined as the normalizer of the Pauly group. So what this means is that if you conjugate a Pauly by a Clifford, you get another Pauly. Or in other words, for every Clifford C and every Pauly X to the A, Z to the B, there exists some Pauly X to the A prime, Z to the B prime, such that this identity holds. Or as a circuit, if we were to apply some Pauly followed by a Clifford, this would be equivalent to applying the Clifford followed by some different Pauly. And for every Clifford C, there's some function which maps this A and B to this A prime and B prime, and it's actually always a linear function. So for example, the P gate, which I didn't define, but it's one of our Clifford generators, it satisfies this identity here. So that's some specific version of this identity. And so we would say that F sub P of AB equals A, A plus B. Okay, so now I can actually describe our first scheme. All we need is the quantum one-time pad and this property of Clifford's, as well as some classical, fully homomorphic encryption scheme, or even weaker than that, just a classical scheme which is homomorphic for linear circuits. Okay, so now let's construct our first quantum homomorphic encryption scheme. So our key generation procedure will just be to call the classical key generation procedure and get three classical keys. And then to encrypt a quantum state psi, we will just choose random one-time pad keys A and B, apply the quantum one-time pad, and then we will encrypt these one-time pad keys. So these are just random bit strings. And then to evaluate a Clifford circuit, we will just apply the circuit on the encrypted quantum state. And then by this identity, we now have a quantum one-time pad encryption of C applied to psi. It's just that our one-time pad keys have changed. But we can get the new one-time pad keys using this function. So we're going to homomorphically evaluate F sub C, this linear function that corresponds to the Clifford C on our encryptions of A and B to get encryptions of A prime and B prime. So now when we decrypt, we're just going to decrypt A prime and B prime and use them to undo the quantum one-time pad, which gives us C applied to psi. So we have homomorphically evaluated the Clifford circuit C. Okay, so this gives us a scheme which is homomorphic for Clifford circuits and compact and Q and CPA secure. And our other two schemes are an extension of this. So I'll just very briefly mention our techniques. Our second scheme, we provide some auxiliary states. So we give auxiliary quantum states as part of the encryption key and these help us to do T-gate evaluation. But for depth L, and that should be the depth in only the T-gates, we need n to the two to the L auxiliary states. So we require the...