 My name is Gautam Kamath and I'm today's moderator for this TCS Plus talk. I'm joined also behind the scenes by Clemence Canan, Thomas Vidic, Oded Regev, Anindya Day, and Ilya Razenstein. I'm going to start by going around the table to introduce the different groups we have joining us. First we have Ijun from University of Michigan. Say hi. We have the University of Toronto theory group. Next we have the Caltech group, which it says Thomas Vidic, but I believe this is run by Ben Lee. We have Shravas Rao, representing NYU. We have Sayed from Shahid Bahasti University. We have Max Hopkins, who's running the UCSD group. We have Vinakaran from University of Waterloo. Clemence Canan, who's at Stanford, representing the Stanford group. Charlie at UC Boulder. And finally we have Benjamin, who's at Texas A&M University. So those are all the groups. We've got a lot of groups today. I want to let everyone know that two weeks from now we're going to have a talk by Eric Balkansky. And two weeks after that, we're going to have Julia Shuzoi. And that's going to round up the fall 2018 semester for TCS+. I hope many of you will join us for those talks. But today in particular, we're very lucky to have Ramila Mahadev, who recently completed her PhD at UC Berkeley. She's now a postdoc at UC Berkeley. And she's, she recently had some big breakthroughs in quantum computing for which she's been awarded best student paper and best paper at Fox 2018. And we're very lucky to have her telling us about these advances today. So without further ado, I'm going to hand it off to Ramila. Thanks for the introduction. Okay, so this, I can't, is everything okay with the video and mic? Yeah, it's fine. Okay, so this talk will be on classical homomorphic encryption for quantum circuits. This topic is an intersection of quantum computing and classical cryptography. I'll try to keep it at a high enough levels for general theory audience, but I really appreciate if you interacted with questions as frequently as you would like. And if not, I'll stop for questions pretty frequently. Okay, so the question of quantum homomorphic encryption is as follows. Can a classical computer use the computing power of a quantum device while maintaining privacy? So this question is particularly relevant to proposals for quantum computing in the cloud. You can imagine you have a classical laptop and you'd like to use the computing power of a quantum computer on the cloud to run some computation on your data, but you'd like to make sure that the quantum computer learns nothing about your data while he's running the computation. So to put this question a little bit more formally, there is a classical client and a quantum computer, which is called a server. The classical client wants to encrypt his data in some classical manner, but the quantum computer should be able to run a quantum computation on top of that data. So I'm assuming the input and the output to the quantum computations are classical. So then the server should be able to send back the output to the quantum computation in an encrypted form, and the client should just be able to decrypt it to recover his final answer, and you should know that the whole time, the quantum server never learned anything about the state. Now, this question has been really well studied in classical cryptography, and it's called classical homomorphic encryption. So here the setting is a little bit different. Instead of a quantum server, there's a weak classical client and a more powerful classical server. But the goal is the same. The client sends over encrypted data, and the server should be able to compute an arbitrary classical circuit on encrypted data. This was studied for a while, and it was first shown to be possible by Craig Gentry in 2000. Now, once we look at this classical homomorphic encryption scheme, the first question to ask is whether I can directly take these schemes and use them to apply quantum operation. So can the client encrypt his data classically and send it over to the quantum server, and the server should be able to apply a quantum operation rather than just a classical homomorphic operation? Now, it seems like this is a pretty difficult question because there are properties of classical homomorphic encryption and quantum computation which seem to conflict. So now I'm going to tell you a little bit more about that. So the property of classical homomorphic encryption, which seems to be a bit troublesome, is the following. Classical homomorphic encryption schemes are probabilistic. So they have many different encryptions for a single bit. If you think about it, this is actually necessary for classical homomorphic encryption schemes because the server is running a computation. So if the encryption was deterministic, then what he could do is he could run two different computations. He could compare the output ciphertext. And if they were the same, then he would learn something, like he would learn the two different computations had the same output. But if they're probabilistic, of course, this kind of cheating falls apart. Now, the property that this conflicts with is the quantum property of interference. So to tell you why these two properties conflict, I need to define what quantum interference is. And in order to do this, I'm going to define a fundamental quantum operation, which is called the Hadamard transform. So the Hadamard transform is just the quantum Fourier transform. So it's a reflection by pi by 8. Okay. What it does is, so in this picture, I'm showing you what the Hadamard transform does. And just to briefly recall, this ket zero just represents a complex vector in two-dimensional states. So what the Hadamard transform is doing is it's reflecting by pi by 8. It's taking zero and it's mapping it to a uniform superposition over zero and one. And it's taking one and it's also mapping it to a uniform superposition, but one has a phase in front of one. So it's a negative one. And of course, if the Hadamard transform is applied twice, it doesn't have any effect. So it takes zero plus one and maps it back to zero. Now, the reason that I showed you the Hadamard transform was so I could define interference. And here's what interference is. So interference just says that elements of a superposition representing the same bit stream, but with opposite amplitudes must cancel. Now, if we look at the Hadamard applied to zero plus one, like I just said, this is just rotating it. It's reflecting it back by pi by 8. So it maps it to zero. But the Hadamard is a linear transform. So I can break this down. And the result of applying it to zero is zero plus one. The result of applying the Hadamard to one is even minus one. And interference is just saying that the two different ones cancel out. So that's all I'm saying. Now, if I tried to use homomorphic encryption here in the most obvious way, what I would do is I would just take zero and I would replace it with an encryption of zero and do the same thing for one. But now what if the two encryptions of one are different? Then interference falls apart because if the two encryptions of one are different, they might not cancel. And then the final output, there's no reason it should be the encryption of zero. So this kind of thing was the major obstacle in extending classical homomorphic encryption schemes to work for quantum computations. And because of this, the question was weakened. So in my ideal setting, I had a classical client delegating a quantum computation. But we didn't know how to do that. So we weakened the question to allow a quantum client to delegate a quantum computation. And now the quantum client is just supposed to be weaker in some sense than the quantum server. But he wants to take it into the more powerful combination. In this model, the question has been studied since 2005 in two different settings. So in the first setting, the question was weakened a little bit further to allow many rounds of interaction between the client and the server. And this Andrew Child showed in 2005 that in this model, it is possible for a weak quantum client to delegate a quantum computation with information theoretic security. And then in two different lines of work in 2008, the quantum capabilities of the client were reduced so that the client only required a single qubit quantum register. So he did have to create many states. But at any point in time, he only had to be operating on a single qubit. So he only held one qubit at a time, and maybe he would do a polynomial in many operations. Now, this work was further improved by Delech, Schachtner, and Spielman, who showed that the interaction could be removed entirely at the cost of replacing information theoretic security with computation security. This was kind of the end of the line for a blind delegated quantum computation and resulted in a quantum homomorphic encryption scheme with a quantum client. Now, this line of work was really interesting. It introduced new techniques and advanced the field of quantum delegated computation. However, there is a major problem with using a quantum client. And the issue is that a quantum client sends quantum evaluation keys to assist the server in performing a computation. So the server needs these quantum states to perform the quantum computation. And the client needs to create a number of quantum evaluation keys corresponding to the size, not depth, of the delegated circuit. And on top of this, quantum keys are not reusable. This is just the nature of quantum states. So once the quantum server uses the quantum keys to run a computation, the next time he runs a computation, the client has to prepare fresh keys and send them over. So if I put everything together, what I'm saying is that this quantum client, each time he wants to delegate a quantum computation, he has to run a quantum computation of the same size as a quantum server. So this is a big weakness that in order to get delegated computation, we really do want to cut down the client much further than this. So I'd like to go back to the original model with a classical client and a quantum server. And I'm going to show that this is possible. So I'm going to show that there are certain classical homomorphic encryption schemes which can be used to homomorphically evaluate quantum circuits. So if you remember, this is how I started and I said that it's difficult to use classical homomorphic encryption schemes to evaluate quantum circuits. But it turns out if the classical homomorphic encryption scheme satisfies certain properties, I can get around these obstacles. And of course, if I use classical homomorphic encryption schemes to evaluate quantum computations, I get the same advantages. So the keys are of course reusable, so there's no issues like with the quantum client. And for those who know, I can also get circular security to get a pure fully homomorphic encryption scheme. And this is the first of its kind. So this is the first scheme to allow blind quantum computation between a classical client and a quantum server. Because in all previous schemes, we used quantum clients to delegate computations. So now it's a good time to stop the question in case anyone has anything. If not, I'll continue. The core of my protocol is something called the encrypted Sina operation. I'm not going to have time to go through the entire protocol. So for this talk, I'll focus on the encrypted Sina operation and I'll show how we do it. And I'm going to ask you to take in on faith that quantum homomorphic encryption boils down to this operation. I'm not going to tell you the reduction, but the reduction is not new in my work. It was in all previous works as well. Now, in order to tell you what, so the encrypted Sina operation is an operation that the quantum server should be able to perform given classical encryption. And in order to tell you what it is, the first thing I need to tell you is what Sina operations are. So a Sina operation is just the quantum XOR gate. So it's a reversible XOR gate. It takes as input two bits, A and B, and it XORs A into the second register continuing B. Now in this picture, I've written it as bits, but of course, this would be applied to a quantum state, which is a superposition over bits. And so this is a Sina gate. The encrypted Sina gate is kind of an extension of this gate in which the Sina gate should be conditionally applied based on an encrypted bit S. So for the encrypted Sina operation, the server takes as input the encryption of a classical bit S and should conditionally apply the quantum Sina gate based on this classical bit S. So here's what it looks like. The first wire is the encryption of a classical bit S. And the next two is just the standard Sina gate. But what the server is doing is that he's XORing A based on the encrypted bit. And so this is also what's depicted in the last slide. I said this is just a quantum state, which is written in superposition. Now we should pause for a second here because this Sina gate is doing something very strange. The quantum server can't see the classically encrypted bit. He doesn't know the value. It's hidden to him under this homomorphic encryption scheme. But he's still able to take this value and convert it into a quantum operation. So he should be able to take this hidden bit S and either apply the Sina or not to an arbitrary two-qubit quantum state of mistress. And it makes sense that quantum homomorphic encryption boils down to this because what's happening in quantum homomorphic encryption is that the server is taking in classical encryption and applying a quantum operation based on this. We've got a question in the chat from Paul. He's asking, he's not sure how to parse the operators is O plus having precedence over dot I A plus B dot S? Okay. So A dot S. So all this is saying is that if S equals zero, nothing happened. If S equals zero, nothing happens. It's just B. If S equals one, you're taking B X or A. Does that clarify? He says yes. Yeah. They say yes. Okay. Okay. So that's a good question. So yeah, that's if S equals zero, nothing's happening and S equals one, he's performing the Sina. So he's choosing whether to apply the Sina or not based on an encrypted bit that he cannot see. And that's really the difficulty. How does he do this? Now, the first thing to know is that as I've written this encrypted Sina operation, it's not possible because if he could do this, if he could apply the Sina to an arbitrary two qubit state, then of course he could fix this value. He could fix A equals one, B equals zero, and then from the output, he would directly learn S. And so he's violating the security of the classical encryption scheme because he's taking the encryption of the bit S and extracting the value of S from it. So what I skipped over is that of course this output state has to be suitably encrypted. So this output that I've written here will be suitably encrypted. And on the next slide, I'll tell you exactly what this encryption is. Now, so what I said is that all previous work used this reduction to the encrypted Sina operation. But the difference is that they all required quantum states. So in order for the server to apply the encrypted Sina operation, the client would have to send the server some quantum states. And that's why the evaluation key was quantum and that's why the client had to be quantum. And here I'm going to show that actually the server can do it by himself just by looking at the encryption of S. If the encryption of S satisfies, if the classical homomorphic encryption scheme used to encrypt S satisfies certain properties. That's a key part of this work, just using the classical encryption to apply a quantum operation. Now let me tell you what the suitable encryption is. So I'm going to use an encryption scheme, which is very commonly used in quantum computing. It's called the Pauly one-time-pad encryption. This is an information theoretic method to encrypt quantum states. So let me tell you how it works for a single qubit quantum state. And here, remember, this is again, ket notation. This is a two-dimensional complex sector and the components are alpha zero and alpha one. The first step of the Pauly one-time-pad encryption, so it's a two-step process. The first step is just to sample a bit Z at random and apply something called the Pauly phase operator, which is represented by a Z to the quantum state. So if Z equals one, what's happening is that there's a negative one phase inserted for the one component of the state. And if Z equals zero, nothing happens. This operator is the Pauly phase operator. Now the second step is to apply the classical one-time-pad. So a bit X is sampled at random and now the classical one-time-pad is applied in superposition based on a bit X. And this is called the Pauly X operator. So the Pauly X operator is just the classical one-time-pad. And now if X equals one, you can see that zero is flipped to one and one is flipped to zero. If X equals zero, nothing happens. So this is a full Pauly one-time-pad encryption. All that happens is two bits X and Z are picked at random to encrypt the state and then the Pauly X and Z operators are applied to the state. Now it's quite easy to show that once these random Pauly operators are applied to the state, it's entirely hidden. It's information theoretically hidden, as long as the adversary doesn't know the key. And for cryptographers, you might know what I'm going to do next. I'm going to convert this into a computational encryption. And to do this, all we have to do is use a two-part encryption. So the first part of the encryption is the one-time-pad and quantum state. And the second part is the encryption of the one-time-pad keys Z and X under a classical one-time-pad encryption scheme. So this is a full encryption of a quantum state that I'm going to use in my homeomorphic encryption protocol. And now I'm going to tell you, I'm just going to tell you at a very high level how quantum dates are applied and why everything reduces to the encryption. Are there any questions right now? Okay. So now, so this is the encryption. The client just encrypts his data using the Pauly, the computational version of the Pauly one-time-pad and sends it over to the server. And now the server is supposed to be able to apply a quantum operation, quantum operations on this data. And roughly how he does it is he does a classical homeomorphic computation on the one-time-pad key. And he also does a quantum computation on the one-time-padded state, which is dependent on the keys. And this dependence on the keys is exactly what the encrypted CNOT operation encapsulates. So now I can state the encrypted CNOT operation more precisely. This is what it is. The server should take as input the encryption of a bit s and a two-qubit state psi. He should output the one-time-padded state, which is the result of applying CNOT conditional on s to the state psi. This is what I meant by the suitable encryption. So the suitable encryption, so this was our target state before, CNOT to the power s psi. And the suitable encryption is the encryptions of the one-time-pad keys as well as the one-time-pad states, one-time-padded state. Now, so for the rest of this talk, I'm only going to talk about the encrypted CNOT operation. So if there are any questions on the structure right now, it's a good time to ask. Okay, so to build the encrypted CNOT operation, I'm going to rely heavily on a classical pictographic primitive called trapdoor-claw-free function. And these functions have been really useful in the quantum setting recently. So what I'm going to do now is introduce these functions and give you some context about how they've been used in related works in the past two. So a trapdoor-claw-free function pair is a pair of functions f0, f1, which are injected and they have the same image. And there's a trapdoor which allows for efficient inversion. So given y and the trapdoor, there exists an algorithm which can output the two pre-images of y. So it can output the two pre-images x0 and x1, which map to the same y. Now, the final constraint is that it's hard to find a claw. So a claw is a pair of pre-images, which map to the same point y. And what this condition is saying is that without a trapdoor, it should be computationally difficult to find such a pair of pre-images. And the claw-free name is referring to the fact that these two form a claw essentially according to the picture. Okay. And then, now these functions are very useful in the quantum setting for the following reason. A quantum machine can sample a random image y and create a uniform superposition over the force one and claw. So this claw is just f0 and x1. And what he's done is created a superposition over it. It's very easy for him to do this. All he has to do is create a uniform superposition over the domain. And then he applies the function f0, f1 in superposition. And now when he measures this final register containing the output of the function, he gets a random image y and due to the entanglement in the state, it collapses. So the remaining registers collapse only to the values which are consistent with y, which are just the two pre-images of y. So this is just how entanglement works. Any questions? Okay. So this is what the quantum machine does. And one thing to note here is that I said it's computationally difficult to find a claw. And of course, this holds for the quantum machine too. But what he's done now is he hasn't found a claw. He's just created a uniform superposition over a claw. So right now he hasn't extracted any information. It's still in superposition. It's in a quantum state. In order to extract any information from the state, he would have to measure it. So now what I'm going to tell you is what would happen if he measured the state in two different bases. So in the first basis, he could measure the state in the standard basis. And all that does is now he obtains one of the two pre-images, x0 or x1 with equal probability. This isn't particularly useful because a classical machine could have also sampled the same information quite easily because all he's done at this point is he's sampled a random pre-image image pair. And this is not a special, this is not a hard thing to do. Now, the reason this gets interesting is because the quantum machine has another option. He can also measure it in the Hadamard basis. Remember, this is what I showed you earlier for interference. And the Hadamard basis is just reflecting the state by pi by 8. So performing the quantum Fourier transform and then measuring it. And the result of measuring this state in the Hadamard basis is something interesting. It's a string D which satisfies this equation. So x0 plus x1 is the xor of the two pre-images and it's a long string and so is D. And this is just the dot product of the two. So it outputs a single bit. So when he measures it in the Hadamard basis, he obtains a string D which satisfies this equation. Now, this is the part that we don't know how we can reproduce classically because the quantum machine can't find a claw, but he can find the string D which is correlated to both members of the claw x0 and x1. So in this sense, the quantum machine can do something that a classical machine cannot do in this setting. So now let me formalize what I'm saying here and I'll give you a protocol in which a classical verifier can use trapdoor claw free functions to actually test that the computer he's interacting with is a quantum machine. So it's a pretty straightforward protocol and this is how it goes. So here I have a verifier and a quantum and a prover who we want to be a quantum machine, but we'd like to verify that he's actually quantum and not classical. So the verifier just selects a trapdoor claw free function pair f0, f1. He sends over the function pair to the prover, but he hangs on to the trapdoor by himself. Now, what the prover is supposed to do is create a superposition over a claw and report the image y back to the verifier. Once he does this, then the verifier will choose to challenge him at random. He'll either ask for a preimage at zero or x1, or he'll ask for a string D which satisfies the secretion. Now, if the prover is honest, and if he's actually a quantum machine, it's very easy for him to meet this challenge. If the verifier sends him zero, meaning he's asking for a preimage, the prover just measures the state in the standard basis. When he's done, he has a preimage. If the verifier said one, meaning asking for a string D, the prover just measures the state in the Hadamard basis and he automatically obtains a string D which satisfies the secretion. So what I've told you so far is here's a protocol with which a quantum machine can very easily pass. Now what I need to tell you is why it's hard for a classical machine to pass the same kind of challenge. So the key issue is that if a classical machine could pass both of the challenges, then he can actually hold both pieces of information at once. So this is because a classical machine can be rewound. So let's say a classical machine could pass both on zero and both on one. Then what we can do is we can run the classical machine on zero, extract a preimage from him, then rewind him, run him on one, and extract a string D from him. And at this point, we can the classical machine can hold both a preimage and the string D at once. And now remember the guarantee. I said it's a claw-free function, so it's computationally difficult to hold both X0 and X1. But what's happening here is let's say he holds X0 and he also holds a string D. The string D is revealing something about X1. So intuitively, he's learning something about the claw which should be difficult. And in the next slide, I'll formalize why exactly this is difficult. But just for this slide, the remaining thing to say here is that a quantum machine does not run into this difficulty because a quantum machine cannot be rewound. If we run the quantum machine on zero, he's measuring his state to obtain his answer. So we can't remove, we can't undo the measurement and then run him again on one. So that's why this task is easy for a quantum machine that is very difficult for a classical machine. Now, so to formalize this type of protocol, in joint work with Zvika Brikerski, Paul Christiano, Umesh Basrani, and Tomas Witte, we built an approximate trafter claw-free function from learning with errors. And we showed that it is computationally difficult to hold both the string D and the preimage at one time. So we called this a hardcore bit and we proved that essentially, if a machine could hold both of these pieces of information at once, then he could break the claw-free property of the trafter claw-free function. Now, this hardcore bit statement has a couple of indications. The first is what I outlined in the previous slide. If a machine can perform both of the challenges of preimage and the string D, we're guaranteed that the machine is quantum. It cannot be a classical machine. And this gives us a proposal for something called verifiable quantum supremacy. So quantum supremacy just means that this is a task which differentiates between quantum and classical. It's easy for quantum, but it's hard for classical. And verifiable just means it's classically verifiable. So a classical machine can actually verify that the quantum machine is performing this task by using the trapdoor. And another implication is that if a machine can perform both tasks, it cannot be deterministic, because if it were deterministic, then it could hold both pieces of information at once, and therefore violating the hardcore bit statement. So if the machine is performing both tasks, it must be generating randomness. And we also use this type of protocol to generate certified randomness. And finally, I also use this trapdoor-claw-free structure to build a protocol in which general quantum computations can be verified classically. Now, here I'm going to tell you how this, how trapdoor-claw-free functions can be used in homomorphic encryption. And before I get to that, are there any questions about trapdoor-claw-free functions? Okay, so now I can continue to showing you how trapdoor-claw-free functions can be used in homomorphic encryption. And remember, the key building block that I'm going to talk about is called the encrypted CNOT operation. And I told you quantum homomorphic computation boils down to this, but I did not tell you how. What the encrypted CNOT operation is, is a method for which, a method in which this quantum server can convert a classical encryption into a quantum operation. So he takes his input, the encryption of a bit s, and a two qubit state sign. And he outputs the result of conditionally applying CNOT to the two qubit state. And this result is one time pad. Now, what I'll show you is that this encrypted CNOT operation is very easy. If this encryption of s has some structure which has to do with trapdoor-claw-free functions. So this is the first thing I'll show you. And then I'll take a link back to classical homomorphic encryption schemes. So right now, what I'll show you is if a bit s is encrypted using a trapdoor-claw-free function pair f0 of 1, then the encrypted CNOT operation is very easy. Meaning then it's very easy for the quantum server to apply the CNOT condition on the split s. So in order to show you this, the first thing I have to tell you is what does it mean for a bit to be encrypted using a TCF pair? So what this means is that the encryption of the bit s is just a trapdoor-claw-free function pair. And this trapdoor-claw-free function pair satisfies some extra property which essentially makes it an encryption of the bit s. So okay, a trapdoor-claw-free encryption of a bit s is a function pair f0 f1. These are almost the same as last time except I split up the domain. So the first part of the domain is a bit, the second part is a finite set r, and the image is a finite set y. Now the first two conditions are just saying that the function pair is a trapdoor-claw-free function. So they are injective, they have the same image, and there's a trapdoor. And it's computationally difficult to find a claw. And here my notation for the claw is mu0 and mu1 are the bits, r0 and r1 are the finite set spot. And now I have an extra condition which turns this trapdoor-claw-free function pair into an encryption. And the extra condition is that all claws hide the bit s. So if you look at any claw, mu0 x or mu1 is equal to the bit s. And now this makes the trapdoor-claw-free function pair an encryption of a bit s. Because if this trapdoor-claw-free function pair did actually reveal s, that would mean the adversary could find a claw because the bit s is only hidden in each claw. So this is a secure encryption of a bit s. And now what I'll show you is how the server can take this encryption and convert it into this conditional c0 operation. So remember this is what the server wants to do. He's given this encryption which is actually just a trapdoor-claw-free function pair hiding the bit s. And he wants to either apply the c0 or not to an arbitrary two qubit quantum state. Now to simplify things, I'm just going to force b to be equal to zero, just to clean up the presentation. And so this is what the server is going to do. And this is actually quite easy for the server. All he has to do is he has to take his state and entangle it with a claw and then essentially performs the operation. Okay, so he uses f0 and f1 to sample a random image y and entangle the input state with the corresponding claw. So this is what the state looks like after he's entangled it with the claw. Now how does he do this? In the same exact way as before. So he takes his state, he creates a uniform superposition over the domain, and then he applies the function f0 f1 in superposition, depending on the bit a. So if a equals zero, he applies f0. If a equals one, he applies f1. Now he measures the image and he obtains a random image y. And due to the entanglement in the state, the remaining registers collapse so that they have to be consistent with y. So they collapse to the two free images, mu0 r0 and mu1 r1 of y. Now the point here is that once he's entangled the state with the claw, due to this claw, due to this property that each claw hides a bit s, he has essentially applied the c0 operation. And to see this, so first note that mu a is equal to mu0 x or a.s. This is easy to see because if you fix a equals to zero, you get mu0 equals to zero. If you put a equals one, you get mu1 equals mu0 x or s, which is the condition of the impressions. So given this, we can write the state entangled with the claw as follows. I've just taken mu a. I've replaced it with mu0 x or a.s. And now if you compare this second line to the first line, we're almost there. So we've almost applied the encrypted c0 operation, but it's a little bit off. There are these parameters mu0 and r a. And these parameters will serve as a suitable encryption. So they'll make sure that this bit s is still hidden and can't be found by the server. And these encryptions, so remember I had these Polly one-time pad encryptions, that's what mu0 and r0 r1 will turn into. So mu0 is a classical one-time pad. It's just x ord with a.s, which is our target value. Remember the classical one-time pad is just a Polly x operator. And now r0 and r1 can actually be, so the reason r0 and r1 are there is because a classical one-time pad is not sufficient to hide the bit s because it's stored in superposition. So r0 and r1 are kind of used to hide the bit s even though it's in superposition. And essentially they can be turned into Polly z operators by performing a quantum operation. So this is a c0 operation. It's pretty straightforward. All he does is he entangles the state with a claw. And now let me just recap the encrypted c0 operation. So I first told you that homomorphic computation of quantum circuits boils down to the server's ability to convert a classical cypher test into the quantum operation c0 gate, where he conditionally applies c0 gate based on classical cypher tests. Now to put this more precisely, the server has to be able to take his input, the classical encryption of a bit s, a two qubit state side, and conditionally apply the c0 gate based on the bit s and output the encrypted resulting state. And what I told you just now is that if this encryption of s is a tractor claw for encryption, then this encrypted c0 operation is very easy. And the server does it just by entangling his state, the state side with a claw. Are there any questions on the encrypted c0 operation? Okay. Now I'm going to continue. So there's there's still one missing link that I need to cover. And this is to link it back to classical homomorphic encryption scheme. Actually, sorry, I've got a question. These magic beasts, the trapdoor claw free functions, like, do we have, do we have constructions? Because I mean, right now these balls down on this. Yeah, so in this joint paper with Zika and Paul, we built an approximate trap star claw free function from learning of errors. Yes, sorry, I couldn't hear the response. They say good. Okay, great. Okay, so now what I need to do is I need to link back to classical homomorphic encryption schemes. So if you remember when I first told you about the encrypted c0 operation, I said that the encryption of s and the encryption of xz have to be under classical homomorphic encryption schemes. But what I've told you so far is that the encrypted c0 operation can be done. If the encryption of s is this special trapdoor claw free encryption. So in order to wrap everything up, I need to link this back. So there's two ways to do this. First, I can ask, are there classical homomorphic encryption schemes with this TCM structure? So are there classical homomorphic encryption schemes for which the side protects is actually just a trapdoor claw free function? I don't think this is the case, but there's another equivalent way of phrasing the question. Does, do there exist classical homomorphic encryption schemes for which the server can take his input and encryption of s under the classical homomorphic encryption scheme and convert it by himself to a trapdoor claw free encryption? So he takes his input, the encryption of s, and then he produces f0 and f1 by himself with no additional help just looking at the side protects. If he can do this, that's enough because now he can take the encryption of s, he can convert it to a trapdoor claw free function, and then he can just apply the encrypted c0 operation by entangling his state with the claw as I described earlier. So it turns out that there are certain classical homomorphic encryption schemes which allow this conversion. And what I'll do now is I'll tell you how the server performs this conversion. And then, so I need to tell you how the server performs the conversion. And then I need to argue that the functions he produces are trapdoor claw free functions. And to do this, I'm going to rely on specific properties. So I'll tell you the properties that I require of the classical homomorphic encryption scheme as I'm using them. Okay, so just as a reminder, the server is taking his input a class a homomorphic classical encryption of a bit s and he needs to produce this tcf encryption. And remember, all it is is a trapdoor claw free function pair with the extra property that all claws hide the bit s. Okay, so what he does is the function f0 is easy. It's just the public encryption function of the classical homomorphic encryption scheme. So it takes his input a bit mu0 to be encrypted. And remember, these encryption schemes are probabilistic. So it also takes his input a longer string r0, which represents the randomness that would be used to encrypt the ciphertext. And it outputs the encryption of the bit mu0 under the randomness r0. This is a public function, which can be computed just using the public key of the homomorphic encryption scheme. So the server needs no help here. Now f1 is almost the same, but it's shifted by the homomorphic xor of the ciphertext encryption of s. So f1 takes his input mu1 a string r1. It first applies x0. So it computes the encryption of the bit mu1 under the randomness r1. Then it takes the resulting ciphertext and homomorphically xors it with the encryption of the bit s. So remember, the encryption of the bit s is the encryption under the classical homomorphic encryption scheme which server took in and is trying to convert it to a function. So this is defining the function. These are publicly computable. And now what I need to tell you is that these serve as the TCF encryption of a bit s. So let's go through the properties one by one, and I'll go backwards. So for the last property, we need all clause to hide the bit s. Now this is immediate because of how the functions are defined. So remember, f1 is just the function f0 shifted by the homomorphic xor. So if they overlap, if they map to the same image, then it must be that mu0 plus mu1 equals s because that's how the homomorphic xor operation works. Now this property also implies the claw-free property because of course if an adversary could find a claw, then since each claw hides a bit s, he could break the encryption of the bit s. Now the next property is we need the functions to have a trap door. So all this means is that given a ciphertext, there must exist a trap door which allows for randomness recovery from the ciphertext. And certain classical homomorphic encryption schemes satisfy this property, so we will require that property for the classical homomorphic encryption schemes that we'll use. Now this property also implies injectivity because if there was a trap door, then the functions must be injected. And finally, there's this property that we need the two functions to have the same image. And that property is problematic. The reason is that f1 is shifted by the homomorphic xor. So their images will not overlap properly. So in order to make this work, I need to weaken the definition a little bit. So I'm going to weaken the definition by saying that instead of requiring that the images overlap perfectly, I'm going to require that there exist distributions over the domains of f0, f1 such that the resulting distributions over the images are statistically close. This is kind of a weaker notion of a trap door claw-free function, but it's enough for this thing. Now, okay, so this requirement is equivalently saying that there exists a distribution over ciphertext, which does not change much if it is shifted by the homomorphic xor. So there's some starting distribution f0d, and if it's shifted by the homomorphic xor, it stays almost the same. So this is what I require from the classical homomorphic encryption scheme. Now, this is a little bit tricky to satisfy, and it really relies on properties of classical homomorphic encryption schemes. So to satisfy this property, it's helpful to kind of picture what a ciphertext looks like. So generally in these schemes, well, not generally, but in certain schemes, a ciphertext has a following form. It's a random element of some set Sb perturbed by some noise. And what happens is what I require is that during the computation, the ciphertext has the same form, but maybe the noise parameter grows. So at any point in the computation, I can say a ciphertext encrypting a bit b is a random element of Sb perturbed by some noise. So that's the first property I need. This isn't satisfied by all classical homomorphic encryption schemes, but there are schemes which satisfy it, such as the Gentry-Sahai water scheme. The next property I need, so remember I'm trying to satisfy this distribution requirement. Now, if this is true, I need one more property, which is that the homomorphic XOR is just the addition of ciphertext. Now, if this is true, we can picture, okay, so let's say the encryption of S has error epsilon, then we can picture F0 of D to a Gaussian distribution over ciphertext with an error parameter sufficiently larger than epsilon. So then when we add an encryption of S, it's just shifted by epsilon. And if the error parameter is large enough, it'll just wipe out epsilon, so the distribution will not change much. So if these two requirements are satisfied, then this distribution requirement is also satisfied. Now, there's another issue which comes up that known schemes don't satisfy both of these requirements. So what I have to do to make things work is I have to kind of alternate between schemes, which satisfy either one of the two requirements. And just very roughly what happens is we start with the scheme which satisfies the form requirement, meaning the ciphertext stays the same throughout. And then prior to the encryption operation, the server can convert to an alternate scheme, which satisfies the XOR. This isn't important to absorb, but the key point here is that I can put all of these requirements together to formally define something called quantum capable classical homomorphic encryption schemes. And these schemes, so these schemes allow the server to take as input a classical encryption and convert it into a trapdoor clock free encryption. And now from what I said earlier, this means that the server can now apply the encrypted C not operation, which means that quantum capable schemes allow for homomorphic evaluation of quantum circuits. And now it turns out that that does exist a scheme in literature, which is quantum capable. And we can create it by combining two existing schemes. There's a gentry to high water scheme from 2013. And then gentry to back into nothing scheme from 2007, which is a dual of the reggae encryption. So by combining these, I can obtain a quantum capable scheme, which can be used for homomorphic evaluation of quantum circuits. Now to wrap everything up, I first started by telling you that quantum homomorphic encryption boils down to something called the encrypted CNOT operation, which is the ability of the quantum server to convert a classically encrypted bit into a quantum operation. Then I said that if a bit is encrypted in a trapdoor clock refunction pair, meaning the encryption is just this function pair, which has the bit s hidden in each clock, then the encrypted CNOT operation is extremely easy for the server. And he does so just by entangling the input state with the clock. Then I had to link back to classical homomorphic encryption schemes. So I said if a classical homomorphic encryption scheme satisfies certain properties, I'll call it quantum capable. And what that means is that the server is able to take as input an encryption under the scheme and convert it into this trapdoor clock refunction pair encryption, and therefore use it to apply the encrypted CNOT operation and perform homomorphic evaluation of quantum circuits. I also told you that such a scheme can be constructed under the computational assumption of learning with errors, which is the basis of the classical homomorphic encryption schemes I'll be using. So to wrap up, what I've shown you is that blind delegation of quantum computation by a classical client is possible under the learning with errors assumption. Thank you. Thank you, Irmila. This is an excellent talk. We have time for questions. If there's any questions. Yeah. Hi. I think in a hypocrite to ask about like does it work in practice kind of questions? So that's not exactly my question, but like the first step when you say it boils down to do a non-crypton CNOT, if down the line, you know, you don't know like 20 or less years, people who want actually to do that kind of quantum encryption, is it actually something that seems like the right thing to do to first like do that tradition to CNOT, or would it be necessary to actually like unwrap the whole thing and not go through that tradition? The reduction, sorry, I'm not, okay, the reduction is actually very straightforward, but I'm not quite getting your question. So I mean, it's straightforward, but do you lose a lot in efficiency when you convert that whole quantum encryption to one that only relies on encrypted CNOT or not? So I don't know if that's very clear. Yeah. Are you just asking if homomorphic encryption has a high overhead? No, very specifically from that tradition to the CNOT part, if I come over. So the CNOT part is not particularly like that doesn't give you an overhead. It's basically, so what, how quantum homomorphic encryption works is you have to apply all these quantum operations to the state, and he also has to apply a classical homomorphic computation. And as part of these operations, one of those operations is the encrypted CNOT operation. And that's not really where the overhead comes from. Usually in these schemes, like even in classical homomorphic encryption, the overhead is that the encrypted ciphertext is much, much larger than the original bit string that you're working with. So that's usually the place where the overhead comes from. But the nice thing here is that now that we've tied this to classical homomorphic encryption schemes, as they improve efficiency, this will go with it. I don't know if I answered your question. Yeah, thank you. Any other questions from anyone? All right, I don't think there's any more questions immediately. So thank you to Emila again. I'm going to wrap up the live stream. We're still going to hang out a bit offline if anyone wants to ask more questions. Just want to remind you that two weeks from now we'll have Eric Balkanski talking, and four weeks from now we'll have Julia Chuzoi presenting. So again, thanks for joining.