 It's a paper by Goriand Alaghi, if you could do like this and shaft that are Goriand's billboard, and if you will give the talk. Thank you. Let's turn this on. So yeah, like was introduced, this talk will be about quantum fully homomorphic encryption, so fully homomorphic encryption of quantum data, with some added property and verification. But before I dive into the topic, let me first pose a somewhat broader question, namely, what's the future of quantum computing? Now I only have 25 minutes, so I won't answer this question in full detail, but by now we've reached kind of consensus that quantum computers will come at some point, and we see already also this cryptography conference that we're focusing on post-quantum secure cryptography, but also people in the quantum algorithms realm are building on useful quantum algorithms. So we know that they're coming, but especially in the beginning probably we won't all have quantum computers in our homes. They require very expensive hardware to run, maybe very precise lasers or some very super cold refrigerator, something like this. So a more realistic scenario, at least for the beginning of quantum computers, would look a little bit like this. I think that at some point several places around the world will probably be able to say that they have a universal quantum computer. With universal quantum computer, I mean a quantum computer that can hold a sufficient number of qubits and that can perform any quantum computation on those qubits. And there will be probably lots of other people around the world that are interested in using these quantum computing centers, and maybe you already see where the homomorphic encryption here comes in. They will want to send their data over to these quantum computing centers to have some computation performed on this data, but they will have some guarantees. The first one is of course that their data remains private. This is what homomorphic encryption will give you. A second requirement is that it's recently efficient. I mean with efficient I don't only mean that they don't want the whole computation to take too long, but there's a second aspect here that these clients in blue dots, they don't want to have to do a lot of work themselves, both in time-wise, but also in terms of the amount of quantum memory data themselves need. They might want to only run this on a classical computer. They might be content with having a small quantum device that has limited functionality or some higher error rate, but in these terms you want to consider efficiency. And lastly, they want to check at the end of the computation that whatever they get back is actually a result of the computation that they wanted to perform. This is what I call verifiability and this is what the focus of this talk will be on. So today I'm first going to introduce the framework a little bit. We all know hopefully homomorphic encryption here, but I want to emphasize what changes if we're talking about the quantum scenario. Then I want to walk you through a already known classical application of fully homomorphic encryption, namely constructing zero-knowledge rules. And the reason that I do this is because it becomes very clear that also in these sort of theoretical applications verifiability is a very important aspect. And then in the last part of this talk I will talk about our contributions, which include definitions of what this verifiability means formally. We give a construction of a quantum fully homomorphic encryption scheme that has this property and we show one application in the quantum setting. So classical fully homomorphic encryption consists of these four algorithms which are all well known by now. You have some key generation, some encryption that takes a plain text x, produces a psychotext x bar. I'll always denote psychotext with a bar over them. Then some evaluation function that given an evaluation key, some description of function f and some psychotext produces a different psychotext and this whole thing is homomorphic if at the description whatever this psychotext decrypts to is equal to the function of light on our input. And well, it's possible to construct a scheme that's fully homomorphic and it's homomorphic that works for all functions under some computational assumptions. This was first shown of course by Gentry in 2009, very famous result and after that lots of improvements have been made, mostly on efficiency. And also by simplifying these computational assumptions. What changes have we moved to a quantum setting? So quantum fully homomorphic encryption. What I understand of quantum fully homomorphic encryption, the things that change is now instead of having classical plain text, classical data, we have quantum data that we want to encrypt. So we have some quantum state sigma, we want to create some quantum ciphertext and that also of course means that instead of evaluating a classical function f we don't want to compute some quantum circuit c. But the main idea remains the same that this thing needs to be homomorphic so that the decrypted output is equal to the circuit of light to the input. And so far the developments in this field have been pretty similar only a few years behind. So quantum fully homomorphic encryption is also possible in a lateral form under computational assumptions and it's worth mentioning that these computational assumptions they're the same assumptions as any classical scheme that it uses. So you can build a quantum fully homomorphic encryption using classical fully homomorphic encryption as a black box and you inherit only those assumptions. So we have improvements in classical FHE both in terms of assumptions or in terms of efficiency these directly translate into these schemes. And again we're still focusing on making these things more efficient and here I want to emphasize again that efficiency I don't only mean time but it also means quantum resources of the client. Ideally the client can be completely classical. So applications of fully homomorphic encryption while in my introduction I really gave you kind of a classical application, this sort of well-known story around it, outsourcing of computation but also in theoretical realm classically we know lots of applications of fully homomorphic encryption there's multi-party computation, functional encryption private information retrieval, zero-knowledge proofs and much much more. And in the quantum setting we don't know many applications yet it's a younger field of research so we're still figuring out whether these classical cryptographic primitives also follow in the quantum case whether they're even meaningful. And while we're trying to do this we've figured out that there is some crucial property that classical fully homomorphic encryption the client has automatically that our quantum fully homomorphic encryption scheme didn't seem to have. And this is verification. And to illustrate this I want to walk you through this zero-knowledge proof construction from classical fully homomorphic encryption so that you see what this property is and how it becomes apparent. So just a very short introduction into zero-knowledge proofs, classical zero-knowledge proofs Suppose you have some NP-hard problem for example satisfiability you're given some formula phi and you want to know does phi have a satisfying assignment is it satisfiable? And some mysterious all-powerful being comes along and says oh I know it's satisfiable but you're like okay that's great can you show it to me or can you convince me that it is indeed satisfiable should I just believe you when you say this of course not. And then this other, this stats tells you well I do know a satisfying assignment W I'll call this the witness but I'm not going to tell you I want to keep this a secret so now you appear to be a sort of impasse like you want to be convinced that this formula is satisfiable but this other person is not willing to tell you a satisfying assignment so how can you ever be convinced of this and zero-knowledge proof kind of gives a solution to this it's an interactive protocol between the two of them such that at the end Alice is convinced that the cat knows a witness but she doesn't know anything about the witness so how do we build this using FHE this is already a known construction was described by Boris Barak in 2012 so this prover, the cat, he knows a witness let's start with trying the following he just encrypts his witness using the fully homomorphic encryption scheme and sends over the encryption to Alice now Alice is going to set up kind of a challenge for the prover she does the following privately she flips a random bit B and on the witness, the encrypted witness that she just precedes she evaluates the witness check function the witness check function is just a function that returns 1 if it's a correct witness and 0 if it's not and she stores the result in a sci-fi type C bar then what she does is she multiplies B with C bar so she evaluates the function to multiply with B on C bar and this resulting sci-fi text D is what she sends over to the cat and now we see that if this W is indeed a correct witness then C bar will be 1 so D will be equal to B B times 1 is B whereas if W is not a correct witness then C will be 0 always so D will always be 0 and now we ask the cat to send back the decrypted form of D so if it was and then with this result we accept his proof if and only if D was equal to B as we just saw if he sent a correct witness then D does indeed contain B so we can just do this if W was not a correct witness then this information that she sends to the cat is just an encryption of 0 so in order to win this game he has to basically guess the random bit B and this is probably hard so from this thing we can see that indeed the cat cannot really cheat but the verifier can in principle we have no guarantee that she actually these computations that she did here in ciphertext D, D bar we have no guarantee that they're actually the result of these computations maybe she's just sending back the first bit of W and the cat is just decrypting it for her and she learned something about W and this is not what's supposed to happen so let's go back a little bit and try a slightly different method so instead of the cat sending over the decryption of D he just commits using some bit commitment scheme to this decrypted value but he doesn't reveal it yet he first asks Alice give me a proof of your FHE computation and I think of this as a transcript and in principle she can always do this she can just give a list of all the steps that she did in her computation so she says ok I received this ciphertext from you then I flipped this bit and then I performed these actions that are described by my evaluation algorithm just step by step she can give a sort of proof that she arrived from W bar to D bar in a sort of legal manner and then the cat just checks this transcript he just also reviews these steps and if it's ok then he reveals D and then Alice does the same the same check again and this instruction shows that with some more encryption we can use this to construct zero-knowledge proofs but it's crucial that the cat can verify Alice's evaluation so this is what we just saw that verification of computation is crucial in applications both practical in the sense that you want to as a client you want to know whether the computation was performed was actually the computation that you wanted to be ready for if you want to construct other cryptographic proofs such as zero-knowledge and classical FHG kind of has this verification automatically like I just argued you can just give a transcript all the steps are kind of deterministic you might need some randomness to perform it but if you just say this is the randomness that I used maybe it was predetermined then anybody can check this but then once I'm setting things are a little bit different because maybe Alice needs to perform some measurements during her computation and as you may know in quantum setting if you measure a qubit this qubit collapses and there's some inherent randomness in there so she makes right in her transcript I measure this qubit and then I got a zero as an outcome please believe me like there's no way you can check this you cannot just get a complete description of the quantum state that ever joined in her computation it's just not possible so here it's slightly more different difficult and we have to think a little bit about how to approach this so now I get to our contributions first of all we have to define a little bit more formally what do we mean with verifiable quantum for the own more encryption and more specifically we give a semantic definition which I'll get to in a moment which is sort of intuitively grasped what we want and we also give a verifiable definition in terms of indistinguishability games in security proofs but it's not so intuitive to see why it captures what we want but we show that these two are equivalent and finally I want to mention but I don't have time to go into it too much that we also have to rethink compactness a little bit here because usually compactness states that at the definition time the amount of work that the client has to do cannot depend on the size of the function or the circuit that you're evaluating in this case we want to verify that the evaluator did some kind of circuit so at least we need to read the circuit description so we come up with a slightly more subtle definition that allows the client to do some amount of classical work but the amount of quantum work that has to do it at least has to be independent of the circuit and there are some more subtle keys there but I don't have time to go into it secondly we give a construction of a verifiable quantum for the own more encryption scheme as ingredients this construction uses any classical for the own more encryption scheme that is that is post quantum secure because of course we're in quantum setting now we use a classical authentication code MAC and it also uses some quantum authentication code and worth mentioning with this quantum authentication code is information theoretically secure so the only computational assumptions that we need to come from this top two ones and also the scheme that we end up with is leveled and this is because we our evaluation key is a quantum state and sort of consumed during the computation so we need to know in advance some upper bound to the size of the circuit but this also means that we only need a leveled classical authentication scheme and finally we show an application which is kind of like a group of concept it's not a new result but we show that using classical authentication programs and a scheme that has this QFG with verification you can super easily build quantum one-time programs the previous proof of this was quite complicated with like 40 page paper and we get with much simpler construction so this is a sort of proof that this QFG with verification captures some powerful primitive so before I delve into the into the definition of quantum for the own more encryption with verification or verifiability I want to talk about some related topics you get a little bit of inspiration and some feeling about what it is that we exactly want and the first topic is quantum authentication in the quantum setting authentication implies encryption so if you have an authentication code for a qubit that also necessarily means that your qubit is also encrypted and in this sense we can view quantum authentication as a kind of verifiable homomorphic encryption within quotation marks that only works for the identity circuit so this cat, he can encrypt a qubit, give it to Alice and once he gets it back he can verify that she performed the identity circuit, in other words she didn't touch it and there are several quantum authentication codes out there, they're all information you really can secure and we're going to use this last one, this trap code because it has some nice properties concerning measurement of ciphertext but one step up from this is quantum computing on authenticated data so this starts with authenticating your input and evaluating some function on it together, so the cat who has the input and encrypted it talks to Alice and during the computation they kind of go back and forth and maybe the cat gives some extra challenges to Alice that she has to respond on, Alice gives some proof immediately that she's still holding the right state that kind of thing and in the end it has some verification that whatever he gets back, whatever he ends up with is the correct output of the computation and of course on the other side of the spectrum we have what I already mentioned fully homomorphic encryption where there's no interaction needed during the evaluation but there's also completely no verification at the answer and our goal today is to combine these last two things or the best part of these last two things to have a homomorphic encryption scheme so no interaction needed but to be able to verify the result at the end and as an ingredient we'll use this quantum authentication scheme so how do we do it how do we find verification due to a routine we replace the decryption function by a function called verdeck for verified decryption and this function rather than just taking a key and a output ciphertext it also takes and something that I'll call proof this is a classical object so no quantum state but it's just some think about the transcript for the classical case and it produces an output ciphertext and some accept or reject flag and as a sort of we kind of assume that if the flag is set to reject then this output state is just some dummy state like all zero states for example and the real image now kind of looks like this so we start with an input state sigma and some side information this is just some extra thing that might be floating around possibly entangled with sigma but let's not worry about it too much this is encrypted the encryption is sent to the adversary Alice and she produces a state that she claims is the result of her homomorphic evaluation and she events to it this is some classical thing this is why it's like double wires I mean classical state with this she events some kind of proof that this is actually the correct output of the computation then this magical verite function comes along and produces the output state and accept reject flag and the real or the ideal world that we would like to mimic is the following just the circuit c is applied to the input whatever comes out well c applied to the input this is the quantum notation for this and there's some simulator that just acts on the side information just like Alice would and it's accepted and it's all fine so we say that a QFG scheme is verifiability if for any polynomial time Alice there exists a simulator such that for all the inputs all sigma and all side information whatever comes out here is indistinguishable and you may notice that this is not achievable because what Alice can do she can just throw out the input and force a reject she can just put an empty proof and the simulator is not able to simulate this so we have to give the simulator a little bit of extra power by saying that the simulator can also force a reject so you can also choose to output reject and then the output will just be discarded and replaced by the study state so this is our semantic definition of verification we also give an indistinguishability gain that encapsulates the same thing I have a little bit more time so I will go into the idea of construction just to give you a very brief idea of what's going on so how do we actually build a verifiable QFG scheme well we need to specify encryption evaluation description so for the encryption we start with just authenticating our state using the trap code the trap code versus follows you start with a single qubit the one you want to input and you apply some quantum error correcting code so this builds in some redundancy and you have your like several qubits that together encode your single qubit then you hide these qubits in between some traps so these yellow and red ones they're dummy qubits but they're just dummy qubits that are in state 0 for example in state plus they input them in random positions and only you know where your real data is hidden and then on top of that you apply a quantum one-time path which is like a quantum equivalent of a one-time path so it completely hides all the information and the reason that this is authenticating is that if somebody would like to manipulate the data say perform an x operation which is like a not operation then you would first have to guess a sufficient number of these blue positions and then apply x to all of them for example or at least to depending on the distance of the error correcting code apply an x operation to many of them without accidentally setting up one of these traps, one of these dummy codes when we're decrypting we'll remove the quantum one-time path and check whether these traps are still untouched and if they are then we'll say ok this is rejected so in order to manipulate this state you kind of have to know where these traps are and otherwise it's super impossible oh I should have mentioned that the secret key contains both the key to the quantum one-time path and the positions where they are this is the secret part of the encryption and now as an additional thing we encode the secret key so these secret things with a classical FHG scheme and a message authentication code and we just give this to the evaluator so the evaluator still doesn't have any information about the reading of these positions but he has some encoded another thing here and the reason that we do this is for the evaluation I just argued that we want to change this authenticated state but we want them to we want them to perform computations on it so if you cannot do anything then we don't really have anything so what we give him is we give him the power to change the keys so if you wanted to for example do this knot operation here what you would do is just apply the knot everywhere set up some traps but then flip the keys for the one-time path so that the traps are kind of restored then you can update the key again to let it be 0 again and if he has the encrypted information about the secret key then you can do this homomorphically and in this way you can manipulate the data but you can only do this in the allowed ways because at the end we will check whether all of these FHG key updates are legal so if he says I'm going to perform an X-gate I have to put it in a transcript otherwise he just cannot register so our method here is to ensure that during the whole computation we have an authenticated state always with a certain key that belongs to it and this key is updated throughout the computation the evaluator does this for us but we check at the end whether he did this correctly and notice that this means that our check is also completely classable because this transcript is completely classable but on some rights our contributions consist of formalizing what verifiability means in quantum fully homomorphic encryption we give an explicit construction of a scheme that has verifiability and we prove that it's secure under computational assumptions and that it has its verifiability property and we give an application to show how you can construct quantum one-time programs in classical one-time programs verifiable QFHG and of course the obvious future work is to figure out which of the all these other applications of classical FHG carry on in quantum thank you question in the background to come back to your 40-valve example because your knowledge I don't see fully how you can apply the verifiability of the HG because of the definition of the verifiability of the HG which verifies the two curves one step but in the 0HG work what was crucial was that it was secreted and permitted to verify so that's a good point so the application that I showed to zero knowledge actually means that there's some sort of separation there's some verification that you can do first and then there's some decryption that you can do after this was of course an application in classical realm so there you can separate this we haven't figured out how to do a zero-knowledge from quantum to quantum production yet we think we have construction but we haven't proven it yet but in our scheme this verification decryption step is also kind of separated because well the verification involves this checking of this transcript and then only if this accepts we do the decryption the reason that we put it into one algorithm is that the decryption also requires some additional check there because it still measures the drafts so we didn't want to separate this into two separate algorithms because then we would have a decryption function that could still choose to reject so there are some details to figure out there but in principle it shouldn't be a problem for the application okay but so far it's just the motivation but not something that's all right you solved the one-time problem yeah we solved the one-time problem and we have a candidate for zero-knowledge for Q and A but we haven't figured out the complete project but we think it might be a future thing my first question please go back to the construction your steps sorry this one yes yes only the third step are quantum all of the steps are quantum so this blue dot in the beginning it's already a qubit so this first step is a quantum error correcting code involves creating extra quantum states and entangling them with your qubit and this all quantum this second step is not really a quantum step it's just scrambling your qubits with storage kind of thing but it's not really a computation and this third step is also a simple quantum computation but all of these steps are relatively sort of the quantum operations that they require are relatively simple so the hard type of gates for example what we usually think the T gate is a hard type of gates to do on quantum computer the client doesn't have to do this but yes you're right the client does have to do quite some quantum work in order to improve the state you mean for all the quantum gates it satisfies the application yes so our homomorphic encryption scheme can do universal quantum computation that's your question that was question 2 then you said you had 2 questions any other question ok if there are there is still one question there is a problem if you ask the lines there is a second one one approach that I would think of in general if I have a QFHE you said the problem is I can't just reveal my transcript because I have these measurements what would happen if the n-crypto yeah well at least would instead of doing measurements just purify the computation and that is a proof sent over the rest of the purified state would that also be a QFHE scheme it might be possible to construct a scheme a scheme like that for our specific scheme this is not really possible because for the evaluation of this T gate which is one of the gates for the universal computation the evaluator has to perform measurements and the result of those measurements are classical outputs that she then then injects into the classical FHE scheme and she uses this to do the key update dependent on the key she has to do other so there's lots of other so it might work the evaluator is the proof of the right to make measurements but it will work yeah I think it might be possible but it would become a very big superposition because of how these T gate gadgets work it's sort of depending on the encryption she chooses to do lots of measurements and if it would I think it would branch out pretty big yeah there are no further questions that's it thank you and all the other speakers again