 Hello, my name is Ores Canvubilis and I'm really happy to be presenting this joint work with Nicodori Nejuivaravolta, titled Great 1.1.2 full homomorphic encryption. First off, I'm going to start with some introduction about everything that I just mentioned in the title, starting with full homomorphic encryption, or F8C scheme, which is basically an encryption scheme that allows analysts to encrypt some messages in, such that later Bob, holding an arbitrary function F, can compute the encryption of F8C. In other words, we want for Bob to be able to perform computations over encrypted data without first having to put the original messages. Now, this is very interesting in the setting where we have a worker client that wants to outsource computations to a more powerful server. That's why in the figure we have for Ken, who's supposed to be the worker client and Superman, who's the more powerful server. Of course, in a setting like this, we want to achieve security. And first of all, we want semantic security, which means that we want for Alice's message M to be hidden at all times. Or in other words, we want Bob or the server to not be able to tell apart encryption of two different messages, M0 and M1. Now, apart from security for Alice or client, also you want security for Bob, which comes in the form of server privacy. That means that we want for the client or Alice to not get any information about the server creation function used for the computation. Now, when talking about server privacy, you can refer either to the Wicker notion of semi-owner server privacy, where server privacy holds only for well-informed messages from Alice, or we can refer to the stronger notion of malicious server privacy, where it holds for any arbitrary message from Alice. Now, in this paper from Mostofsky et al, they actually showed a way to compile any classical FAT which is semi-owner server private into a malicious server private one. Now, apart from security, we also want to achieve efficiency, especially if we opt to use these schemes in real life systems. And what happens is because of security reasons, the message from the server to the client is bigger. So there's a communication overhead introduced, and we want that to not be too big, so as to nullify the efficiency of outsourcing the computations in the first place. And that's why the communication complexity is of very high interest, and we want for communication complexity to be compact, and that means to be dependent of the size of the server used for the computation. And if that's true, then the communication overhead is not too big, and we can use it in applications, such as security by using function, or an encrypted databases, such as in private information retrieval, where we retrieve an item from a database without revealing which one. And so the best communication complexity of an FAT was introduced in this paper by Ebrokesky et al, where it approaches that of the insecure protocol, where Alice would just send her message in plain. So we have an asymptotically optimal efficiency here. Now, as a metric for communication complexity, we're going to use rate, which is basically the message to site the X-ray signal. But if you want to get a bit more technical, it's the size of the encrypted data in plain over the size of the homomorphically evaluated data under encryption. Now, we want the rate to be as big as possible, because we want the homomorphically evaluated data to be as small as possible. And when we refer to rate 1 schemes, we refer to schemes that asymptotically approach rate equal to 1, such as the one adopted before from Ebrokesky et al. Now, what happens if we move to the quantum setting? Of course, we also have quantum for the homomorphic encryption schemes. And it's basically the same notion. But here we have, instead of a classical message, we have a quantum state sign. And both the client and the server can be quantum. And of course, instead of a function, we have a unitary matrix because in order to perform quantum computations, you have to do that with a unitary matrix. Now, much less is known for the quantum setting. But in our opinion, it's even more important to do the large gap between quantum capabilities of regular users and servers on the cloud in the future. And the more important, the more interesting case here is why we have a quantum output, because the classical output, maybe we can use classical techniques to to store it optimally and get the rate 1. But if we have a quantum output, again, much less is known for the quantum setting. So this is exactly the question we pose. If we can get a rate 1 secure quantum FAT, and the result is yes, that's exactly what we construct. So we're getting quantum FATC in the malicious setting with optimal communication complexity. And in order to do that, we do it with a combination of two main technical steps. First, we construct the maliciously circuit private quantum FATC. And then we construct a rate 1 quantum FATC. Now, these results, they can be independent interests, but they're also compatible with each other. So we can combine them and get our main result. Now, before getting into any actual construction or paper, I need to talk about some existing quantum free home of encryption scheme and techniques that we're going to use. And I want to start with some intuition about why we can use classical methods and the methods of classical encryption schemes and just extend them into the quantum setting. And why this is not trivial. And one of the reasons is interference. So in quantum computations, interference is very important. And what it means is that elements of the superposition representing the same bit stream, but with opposite amplitudes, they cancel out. And to make this more evident, I'm going to use an example. And I'm going to focus on the Hanover transformation. Now, this is a quantum transformation, a quantum computation. And here you can see the Hanover transformation within the ket zero. And here with ket one, with the symbol ket, we symbolize qubits. And the actual result is not too important. But what I want to focus on is that if we apply the Hanover transformation onto this superposition and replace Hanover of zero, ket zero and Hanover of ket one, we get this result. And here we have ket one, and we have minus ket one, where these are qubits with the same bit stream, but opposite amplitudes, so they cancel out. And the result is ket zero. And that thing is really important for quantum business. Now, what happens if we had encryption? So we use classical methods for this. The result would look kind of like this. By the way, what happens is that in classical encryptions, we have probabilistic encryptions, which means that its bit can have many different encryptions. So this ket encryption one and this ket one encryption one, they're not the same. And thus they cannot cancel each other, so interferes with the work. So that's why we're not just using classical techniques. Now, in order to solve the problem, we use the quantum one-time pad. Now, the quantum one-time pad is a similar notion to the classical one-time pad, but instead of using a string and extraordinary with our messes, we use these Pauli operators, which are just unitary matrices, and we have x instead. Now, x, if applied on cubic, performs a flip bit. Just like the classical one-time pad. And the separator performs a phase shift. So now, if we want to apply a quantum one-time pad, what we do is we sample a one-time key, lower case x and lower case z. So we assemble two bits. And let's say we apply the quantum one-time pad into this arbitrary superposition. What we do is apply x to the power of x instead to the power of z. So what happens here is that if x equals 0, nothing happens, the Pauli operator x is not applied. But if x, lower case x equals 1, then we apply the operator x and we perform bit flip. The same thing for z. If it's 0, nothing happens. If it's 1, we perform the phase shift. And it is proven that the result of this computation is a completely hidden quantum state, statistically hidden. And of course, you can only confirm back if you know the one-time keys, if you know x and z. Now, using this quantum one-time pad, there have been some constructions of quantum ATT. There was also one from Brookesky in the same year, but I'm going to focus on the one from Hadeb because this is the one we're also going to use. And the main idea here is that you can use a hybrid ciphertext. A ciphertext in a hybrid form that has both the quantum part and the classical part. So if we have a message sign, the client sends the quantum one-time padded state of the message along with the encryption of the one-time keys using a full comorbid encryption scheme. And then she shows her way on how to apply quantum computations on the one-time pad states. So here we apply the under a hue that are dependent on the classical comorbid computations of the keys. So we send this hybrid ciphertext that has the quantum one-time padded state along with the encryption of the keys. And then the server performs computations. Now the keys change, but he also updates the keys. I'm going to repeat this again one more time in a slide. So what we do is perform classical homework computations on the classical keys along with dependent quantum computations. So let's say we have like an interview and this is our original message. Now the quantum one-time padded state is still a quantum one-time padded state of the evaluated message. But the keys are different, but they're simultaneously updated under encryption. And thus, in the end, when we get the last message, we can to create the classical encryption, get the classical keys, one-time keys and use it to get our evaluated message. Now, just to get a bit of intuition in order to do this transformation and have a fully homomorphic encryption scheme, we want a universal set of gates. And one universal set is cliford gates along with the top of the gate. Now the cliford gates are the easy keys because the cliford gates they preserve the poly matrices by conjugation. So if we apply cliford gate, if this unit is a cliford gate, the structure looks the same after like from implementation. And just the keys are different, but it's trivial to some baby keys. Now the problem is with the top of the gate where the case is not the same. And at some point we would have to perform a quantum operation dependent on the classical keys. Of course, this is not trivial at all. And the results are interesting, but I'm not going to get into details. What I'm going to say is that Mohamed showed that if you have a classical AC scheme with certain properties, specific properties, then you can use that to do this computation here. And thus, you can use it to evaluate quantum circuits. And the classical AC with set properties is called the quantum capable AC scheme. Now, in our constructions, what we need and the properties of interest to us are that the scheme has this hybrid ciphertext consisting of the quantum part, which is our quantum anti-messages, and the classical part, which is a classical encryption of the classical, again, quantum keys of the quantum anti-message state. And we also use that the classical component of the ciphertext, so the classical AC, satisfies semi-honest rubric privacy. And by using these properties, and actually for any quantum AC with these properties, we have our results that I also mentioned earlier. So we leave the protocol from semi-honest security to my list of these rubric private security. And we also construct a rate one quantum AC. Now in this presentation, I'm just going to focus on the rate one part. And to begin with, I'm going to let's take a look at the rate of existing quantum AC protocols. For example, in the Mohamed scheme, if you remember, the rate was the message ciphertext or the evaluated message in plane over the homomorphic evaluated message. Now the actual message is just all qubits. But the homomorphic evaluated message, if you remember, would have the quantum part, which is still a qubit, because the quantum anti-message doesn't introduce any more size, plus the size of the classical keys of the homomorphic evaluated classical keys. And now this definition of rate looks a bit weird, because we combine both qubits and bits, but this is fine, because basically both qubits and bits are the most basic unit of info in their corresponding setting. And yeah, so this is a rate of a quantum AC scheme right now. But the classical utility that we use is now rate one actually blows up the ciphertext by polynomial factor. And thus the overall rate is very low, we have inverse polynomial rate. We aim to increase that. Before getting into the construction again, I want to focus on the failed approach to get some more intuition. So the quantum part, we cannot make them smaller, it's already optimal. So we have to shrink the classical information. And one idea is to use a pseudorandom generator. Now a pseudorandom generator is, well it's an generator, well if you put a small string, which is called the seed, you get a seemingly random string, bigger string. And the idea here is that instead of storing the whole one-time key, you just hold the seed that if you input it to the pseudorandom generator, you get the whole one-time key, which is the one-time key for many qubits, right? And that seems like a great idea at first, because this is how you would look, and instead of here storing the, like the one-time key would be the pseudorandom generator of the seed, and then here you would just store the seed. But the problem is that even after one homework evaluation, if you remember, the one-time key changed. So we have a new one-time key. And this new one-time key might exist outside the support of the pseudorandom generator. Or even if it wasn't the support of the generator, we're not sure how to be able to update the seed and then still store the seed. So this fails and seems like we're stuck with an encryption of classical encryption of the one-time key that looks like this. And if you think about it, we need two classical bits to input one qubit. So it seems like we're really stuck. Now, the solution is, for the solution, we have to consider these spooky interactions. And so there are some FAC schemes that pack k classical bits into ciphertext of this form. So we have the ciphertext that has a vector c0 and then one bit for its classical bits from plaintext. Now, the interesting thing here is that these last key bits are non-locally correlated with the secret key. And that means that we can use some spooky description, that sounds cool, that by using a function F, that's really my first name. Right now, we think put this first part of the ciphertext is zero, which is first most part of the ciphertext. If we explore that with the last key bits, we get the actual description. And in this paper, by using spooky interactions, they were able to construct this rate 2050 that I mentioned earlier. Now, in our construction, what we do is we use this spooky encryption scheme to get a rate one form. And how do we do that? So in the original protocol, we have we have to have a quantity capable if it's c. And when we want to store the information with key suites to the rate one if it's c. And I'm going to show you exactly how we get this rate one form. And then if we want to continue doing form of operations, we can switch back. So basically, we use both of these schemes. That is the main idea. So the first thing we do is convert from the classical from the quantum capable if it's a scheme to this spooky scheme, that looks like this, if you remember, we have a vector c zero, and then we have one bit for its one time key bit. Right. And then the main idea is that we take, we say store the first part of the cycle takes this vector c zero and then we incorporate all of these bits into the quantum one take back. So by doing this, what happens is that by incorporating them into the quantum one take back, we'd change the one time key. So if we consider one two bits that had the one time key x and z, now the one time keys out there will have x x short with cx and z extra with cz. But that's not a problem because if you remember, the spooky description equal to this function f x short with the last bits of safer text. Now if we solve for the function f, we get the decryption x short again for the last bit of the ciphertext, but the decryption is the original one time key. And then x short with the last bit of the ciphertext, we have this exactly the updated one time key that we created by incorporating these bits into the original quantum one thing by itself. So I don't know this color to technical, but the main idea here is that we get this spooky form. And we have the ciphertext that's in two parts, we just store the first part, this vector c zero, which is very small. And then the rest of the bits we incorporated into the quantum one time pad. And then by just using the function f, we can get the new updated keys just by storing this small part of the second. Now, if we take a look at the rate of this construction, of course, the message was al qubits, let's say we have an al qubit state. Now in the compressed evaluated safer text, the quantum information still al qubits, but the class confirmation is just this vector c zero. So calculate the rate, it looks a bit like this. And if we set the parameters accordingly, and we have l that's big enough, we can get rate asymptotically equal to one, just by assuming polynomial model noise ratio LWB. Great. So now this is the main construction of our protocol. And it is a generic approach because it works for any quantum FHC with these properties that I talked about. And what we do again to sum it up is we have the quantum capable FHC and we also have the rate one FHC and we key switch from one to the other to store it and then we can switch back to perform more computations. So in the full version of the paper, we also have another approach in non generic approach, which was built specifically on the Mahadev scheme, in which instead of having two FHC and key switching from one to the other, we construct a different classical FHC scheme that it's both quantum capable and rate one. So the scheme again uses this spooky properties, and we have to prove that it's both quantum capable, and we also have to prove that it is rate one. But the idea is essentially the same, but instead of key switching from one scheme to the other, we combine the best of both worlds and we get one scheme that is both. And that's basically it. I'm going to sum up the results one last time. So again, what we construct in this paper is a maliciously circuit private rate one quantum FHC. So by assuming a quantum FHC with this hybrid ciphertext form, we first leaves the protocol to maliciously circuit privacy. And then we also get optimal communication complexity construct the rate one quantum FHC. Here we have the link to the full version of the paper if you want to take it out for more details. And that's, that's pretty much it. Thank you and bye.