Skip to main content

Thank you for visiting You are using a browser version with limited support for CSS. To obtain the best experience, we recommend you use a more up to date browser (or turn off compatibility mode in Internet Explorer). In the meantime, to ensure continued support, we are displaying the site without styles and JavaScript.

Quantum Search on Encrypted Data Based on Quantum Homomorphic Encryption


We propose a homomorphic search protocol based on quantum homomorphic encryption, in which a client Alice with limited quantum ability can give her encrypted data to a powerful but untrusted quantum server and let the server search for her without decryption. By outsourcing the interactive key-update process to a trusted key center, Alice only needs to prepare and encrypt her original data and to decrypt the ciphered search result in linear time. Besides, we also present a compact and perfectly secure quantum homomorphic evaluation protocol for Clifford circuits, where the decryption key can be calculated by Alice with polynomial overhead with respect to the key length.


Due to the great challenge of building large-scale quantum computers, it is very likely that only a few powerful quantum computers are initially available and act as quantum servers. Suppose Alice has some confidential data and wishes to search on them with the aid of a remote quantum server, Bob, but is unwilling to reveal the data to him. A natural approach to achieving this is to encrypt the data before handing them over and to let Bob directly search on the cipher-state, namely, to employ a quantum search scheme on encrypted data.

The classical counterpart of this issue has been studied extensively, where mainly two approaches are adopted: (1) devising a special cryptosystem supporting search operations and (2) utilizing a pre-built searchable cipher index offered by the client, both of which provide computational security rather than information-theoretic security1. In the quantum context, Sun proposed a quantum symmetric searchable encryption scheme for classical inputs2, in which encryption and decryption are rotations along a coordinate axis, and the secret key composes of random rotation angles. The search procedure of this scheme is to linearly check and compare the encrypted items, which is inefficient for a large search space. Intuitively, linear search on encrypted data could be accelerated by Grover’s algorithm3, provided that there exists an encryption method allowing quantum operations without the encryption key. Fortunately, quantum homomorphic encryption (QHE) satisfies this requirement, which intrigued us to take advantage of its merits and to construct a quantum homomorphic search protocol.

The notion of QHE was first introduced by Liang4 in 2013, who observed the commutation rules between the encryption operators of quantum one-time pad (QOTP)5 and a universal set of quantum gates (containing rotation operators and CNOT gate) and demonstrated a symmetric one-party QHE scheme where homomorphic evaluations require the secret key. Later, he presented an interactive two-party scheme6 based on commutation rules for another universal gate set (consisting of H, S, CNOT and T gates). Aside from QHE, there are many other closely related constructions based on the combination of QOTP and commutation rules, such as secure assisted quantum computation7, quantum computing on encrypted data8, and delegating private quantum computations9, which could be considered as early forms of QHE.

In 2014, Yu et al.10 came up with a no-go result on QHE, which concludes that “quantum mechanics does not allow for efficient information-theoretically-secure fully homomorphic encryption scheme”. In view of this result, Broadbent and Jeffery devised two remarkable T gadgets for non-Clifford circuits and presented three efficient QHE schemes based on classical q-IND-CPA secure homomorphic encryption (CHE), one of which is designed for Clifford circuits and the other two are for non-Clifford circuits with a limited number of T gates11. They also formally defined an important property—compactness—for QHE. In outline, a QHE scheme is compact if the circuit complexity of the decryption procedure for any allowed evaluation C is independent of the circuit complexity of C; the decryption procedure is the task being performed by the client to recover the outcome evaluated by the server. For example, the interactive schemes4,6,7,8,9 based on QOTP are not compact, and some non-interactive ones—the CL scheme for Clifford circuits and the AUX scheme for circuits with constant T-depth—provided by Broadbent and Jeffery11 are compact. Subsequently, Dulek and Schaffner extended Broadbent’s work and proposed a QHE scheme for polynomial-sized T gates utilizing another kind of T gadget12. In addition, other issues, such as multi-party decryption, circuit privacy, quasi-compactness, and generalization to classical encrypted data are also investigated in various QHE schemes13,14,15. It should be noted that introducing CHE (combining with some sophisticated techniques) into QHE is double edged: it not only reduces the communication complexity and gains compactness or quasi-compactness but also compromises security and narrows the schemes’ applicability. These hybrid QHE schemes cannot reach perfect security as many pure quantum cryptosystems do, and they become inefficient for circuits with a large number of T gates (e.g. the circuit of Grover’s search).

Apart from the foregoing QHE schemes based on CHE and QOTP, constructions utilizing other techniques are explored, such as a private-key QHE protocol based on the centralizer of a subgroup of operations16, a practical somewhat-secure QHE on coherent states17, a QHE scheme for circuits with constant number of T gates based on quantum codes18, and a QHE scheme with multiple evaluators based on (k,n)-threshold quantum state sharing19. These schemes only apply to limited circuit families.

In consideration of the huge number of iterations in Grover’s search, where each Grover iteration contains T gates, we need to fall back on the early QHE schemes with interactions6,8,9 rather than non-interactive ones11,12 based on CHE, because the latter is unable to handle so many T gates. To reduce Alice’s workload, a trusted third party is introduced. To prevent Bob from knowing the original search condition (say, Co), the proposed search protocol encrypts the qubits involved in Co twice and let Bob searches on the cipher state according to a new search condition Cn, which can be viewed as the cipher-text of Co.

As for Clifford circuits without any T gate, their homomorphic evaluations become much easier, since the Clifford gates can be applied on a cipher state without causing any undesirable error. For this type of circuits, a compact and perfectly secure homomorphic evaluating protocol is proposed. A main distinction between the two protocols lies in the different treatments on the key-update process, which is an important part of QOTP-based QHE.

Key Update in Quantum Homomorphic Encryption Based on Quantum One-time Pad

A QHE scheme consists of four components: key generation, encryption, decryption, and homomorphic evaluation. In a QOTP-based QHE scheme, quantum states are encrypted or decrypted using QOTP, which transforms the input state qubit by qubit with Pauli operators {X, Z} depending on a classical encryption key ek = (x0z0). In this scheme, the homomorphic evaluation for a Clifford gate is to apply this gate directly on an encrypted state, whereas the evaluation for a non-Clifford gate (the T gate) is to perform a T gadget on the cipher-state. Additionally, the decryption key for ek needs to be refreshed synchronously with respect to the evaluation.

For clarity, we rephrase the key-update rules for arbitrary unitary transforms and quantum measurements in Algorithms 1 and 2, respectively, which are derived from refs. 7,8. The frequently used variables in this paper are listed in Table 1.

Table 1 Explanations for frequently used variables and notations.

Algorithm 1 (Key update for unitary transforms). Suppose that \(\left|\psi \right\rangle \) is an n-qubit state, V is an n-qubit unitary transform consisting of gates from the universal gate set \({\mathcal{G}}=\{I,X,Y,Z,H,S,\,{\rm{CNOT}}\,,T\}\), and G is a two-level unitary transform that merely performs one gate from \({\mathcal{G}}\) on two or fewer qubits. Let ek = (x0z0) be an encryption key and dkr = (xrzr) the decryption key for V and ek, such that \(V\left({\otimes }_{k=1}^{n}{Z}^{{z}_{0}(k)}{X}^{{x}_{0}(k)}\right)\left|\psi \right\rangle =\left({\otimes }_{k=1}^{n}{Z}^{{z}_{r}(k)}{X}^{{x}_{r}(k)}\right)V\left|\psi \right\rangle \). Then the updated decryption key dkr+1 = (xr+1zr+1) for GV and ek satisfying \(G\cdot V({\otimes }_{k=1}^{n}{Z}^{{z}_{0}(k)}{X}^{{x}_{0}(k)})| \psi \rangle =\)\(({\otimes }_{k=1}^{n}{Z}^{{z}_{r+1}(k)}{X}^{{x}_{r+1}(k)})G\cdot V| \psi \rangle \) is calculated as follows:

  • If G = IXiYi, orZi, then dkr+1 = dkr.

  • If G = Hi, then (xr+1(i), zr+1(i)) = (zr(i), xr(i)).

  • If G = Si, then (xr+1(i), zr+1(i)) = (xr(i), xr(i) zr(i)).

  • If G = CNOTi,l, then (xr+1(i), zr+1(i)) = (xr(i), zr(i) zr(l)) and (xr+1(l), zr+1(l)) = (xr(i) xr(l), zr(l)).

  • If G = Ti (suppose the secret bits Alice chooses for this T gate are \({\hat{y}}\) and \(\widehat{d}\), and the related one-bit measurement result from the server is \({\hat{c}}\)), then \(\left({x}_{r+1}(i),{z}_{r+1}(i)\right)=[{x}_{r}(i)\oplus {\hat{c}},{x}_{r}(i)\cdot ({\hat{c}}\oplus {\hat{y}}\oplus 1)\oplus {z}_{r}(i)\oplus \widehat{d}\oplus {\hat{y}}]\) (where denotes addition modulo 2).

Algorithm 2 (Key update for quantum measurements). Let \(\left|\widetilde{\psi }\right\rangle =\left({\otimes }_{k=1}^{n}{Z}^{{z}_{r}(k)}{X}^{{x}_{r}(k)}\right)\left|\psi \right\rangle \) be an n-qubit cipher state under key dkr = (xrzr) and \({\mathcal{M}}\) a computational basis measurement. Then the updated decryption key dkr+1 for the classical measurement outcome \({\mathcal{M}}\left|\widetilde{\psi }\right\rangle \equiv {\widetilde{\psi }}_{{\mathcal{M}}}\) satisfying \({\widetilde{\psi }}_{{\mathcal{M}}}\oplus d{k}_{r+1}={\psi }_{{\mathcal{M}}}\) is dkr+1 = xr, where \({\psi }_{{\mathcal{M}}}\) is the underlying plaintext of \({\widetilde{\psi }}_{{\mathcal{M}}}\).

It follows that, the final decryption key dk for a unitary transform U depends on the encryption key ek, the concrete circuit \({{\mathcal{C}}}_{U}\) of U, the secret parameters (yd) for the T gates in \({{\mathcal{C}}}_{U}\), and the measurement result c corresponding to those T gates. Hence, during a homomorphic execution of \({{\mathcal{C}}}_{U}\), there is a unitary decryption-key-obtaining transform \(D{K}_{{{\mathcal{C}}}_{U}}\) that satisfies the equation \(\left|ek,y,d,c,dk\right\rangle =D{K}_{{{\mathcal{C}}}_{U}}\left|ek,y,d,c,0\right\rangle \), where \(\left|0\right\rangle \) serve as the auxiliary qubits in workspace.

A critical barrier on the route to an efficient and perfectly secure quantum fully homomorphic encryption scheme is caused by the T gate, which, however, is an indispensable ingredient of universal gate set. To homomorphically perform a T gate, a phase correction depending on the encryption key has to be applied, whereas the key cannot be revealed to the server. To overcome this obstacle, some schemes introduce a round of communication conveying some evaluated information determined by the encryption key between the client and the server6,8,9, whereas others resort to classical homomorphic encryption11,12.

On the other hand, homomorphically performing a Clifford circuit (not involving any T gate) could be more convenient. Before we present this, we conclude an important feature of the key-update procedure for Clifford circuits in Lemma 1, which will be used in our second protocol.

Lemma 1. The key-update process corresponding to a Clifford circuit \({\mathcal{C}}\) acting on n qubits can be encoded as a 4n2-bit string \(st{r}_{\,{\rm{ku}}\,}^{{\mathcal{C}}}\), whose computational complexity is O(nlog2n).

Proof. According to Algorithm 1, the key-update operations for gates except T only involve bit exchanges and some . Since bit exchange (djdk) → (dkdj) (where dj is the jth bit of d, j ≠ k, and d {0, 1}2n) can be implemented with three : (djdk) → (djdj dk), (djdj dk) → (dj (dj dk), dj dk) = (dkdj dk), (dkdj dk) → (dk, (dj dk) dk) = (dkdj), the key-update procedure for \({\mathcal{C}}\) can be implemented by a sequence of commands of the form (djdk) → (djdj dk); that is, add (modulo 2) one key bit dj to a target key bit dk. During this procedure, each key bit may act as a target and other key bits that are effectively added to this target constitute a set of size less than 2n. Here, a bit dj is effectively to dk if dj is added to dk odd times. Note that the operations that adding one bit to another bit for even times are also part of the key-update process and convey considerable information about \({\mathcal{C}}\), which are ignored due to the calculating rule of . Thus, each decryption key bit can be expressed as u0 d0 u1 d1 u2n−1 d2n−1 (uj {0, 1}), which can be encoded as a 2n-bit string u0u1u2n−1. Since 2n additions can be parallelized, they can be computed with log2n steps. As a result, the complete decryption key can be encoded as a 4n2-bit string \(st{r}_{\,{\rm{ku}}\,}^{{\mathcal{C}}}\) and be computed with O(nlog2n) steps.□

Quantum Search on Encrypted Data

Since Grover’s algorithm excepting the final measurement is a unitary transform, one can certainly apply it homomorphically on a cipher-state and then obtain the encrypted search result. Here, we consider the situation that Alice wants Bob to search on her encrypted superposition state (which could be obtained by a QRAM addressing scheme20) but does not care how he carries out the operations exactly. In other words, Alice prefers to prepare the input data and handles the evaluated output rather than participate in the entire process of the evaluation. This requirement is reasonable in the sense that it coincides with the relationship between the client and the server in cloud computing, which is a prevalent paradigm nowadays.

It is known that Grover’s search is made up of a sequence of Grover iterations, each of which contains an oracle that is able to mark items satisfying a specific search condition. When it is used to speed up the solution of an NP problem of size m (there are at least 2m candidates for the solution of this problem), the oracle requires O(poly(m)) elementary gates (where poly(m) is a polynomial in m), since a solution of an NP problem can be recognized in polynomial time. Since each Grover iteration contains poly(m)T gates, the total number of T gates in the search circuit reaches O(2m/2 poly(m)), which is beyond the capability of CHE-based QHE schemes. A dilemma seems to appear: the key shall neither be updated homomorphically using CHE by Bob11,12 nor be renewed interactively by Alice. As a way out of this impasse, we introduce a third party—a trusted key center, Carol—between Alice and Bob, to undertake the interactive work.

Outsourcing key update to a trusted key center

In QHE, key generation includes randomly choosing a classical encryption key and calculating the decryption key using the key update algorithm, which becomes long and tedious if there are a large number of T gates in the evaluation. To ease the burden of Alice and to keep the homomorphic search going successfully, we introduce a trusted key center, Carol, to negotiate a random encryption key with Alice and then to calculate the corresponding decryption key by communicating with Bob. That is, we divide the client in the interactive QHE scheme9 into two parts: a thin client (Alice) and a trusted key center (Carol). The requirements and constraints on Carol are given in Constraint 1.

Constraint 1 (Requirements and constraints on the key center). The key center Carol obeys the following four constraints:

  1. 1.

    Carol is a classical computer augmented with the ability to prepare qubits in \(\{| +\rangle =(| 0\rangle +| 1\rangle )/\sqrt{2}\), \(|-\rangle =(|0\rangle -|1\rangle )/\sqrt{2}\), \(\,| \,{+}_{y}\rangle =(| 0\rangle +i| 1\rangle )/\sqrt{2}\), \(| {-}_{y}\rangle =(| 0\rangle -i| 1\rangle )/\sqrt{2}\}\), which serve as auxiliary qubits for T gates in homomorphic evaluations as well as the encoded results of random bits in quantum key distribution (QKD).

  2. 2.

    Carol honestly obeys the subsequent search protocol and would not reveal the encryption and decryption keys to parties other than Alice.

  3. 3.

    Carol would not reveal the circuit detail (including the auxiliary states and the measurement outcomes) performed by Bob to parties other than Bob.

  4. 4.

    Carol would not be corrupted by any adversary who wishes to obtain some information about the plain input provided by Alice or the quantum circuit performed by Bob.She would not reveal the key-update procedure (including the intermediate keys) to others (including Alice and Bob).

Our search protocol runs among Alice (the client), Bob (the search server), and Carol (the trusted key center) as illustrated in Fig. 1, where key generation is split into three parts: Alice negotiates an encryption key with Carol, Carol calculates the corresponding decryption key using the key-update algorithm, and Carol securely sends the decryption key to Alice. With the help of QKD and classical one-time pad (COTP), these tasks can be accomplished with perfect security. Moreover, since the key update operations are classical, Carol could be a classical computer augmented with the ability to prepare only four types of quantum states listed in Constraint 1. In this protocol, Alice needs to prepare superposed data items using QRAMs and to perform single-qubit measurements (in the Pauli-X and Y bases), Pauli operators {X, Z}, and classical bitwise additions (modulo 2) to implement the BB84 protocol, encrypt the plain data, and decrypt the evaluated result, respectively.

Figure 1
figure 1

Tasks of each party and interactions among parties. First, Alice negotiates an encryption key for her data with Carol. Then, Alice encrypts her superposed data with the encryption key and sends the encrypted state to Bob. Once Bob receives the encrypted data, the homomorphic search and the key-update process (performed by Carol) begin and proceed synchronously. During the homomorphic search, Carol sends some auxiliary data to Bob and then receives some related measurement results, which are needed for key update. When Bob finishes the homomorphic search and obtains an encrypted solution, Carol finishes the key-update process and produces the corresponding decryption key as well. After that, Alice receives the search result and the decryption key from Bob and Carol, respectively. Finally, Alice decrypts the ciphered search result with the decryption key.

A homomorphic search protocol with a key center

With the assistance of the key center, an interactive protocol for quantum search on encrypted data proceeds as shown in Protocol 1. For clarity, we call the the collection of qubits (identified by their locations in Alice’s data \(\left|{\psi }_{0}\right\rangle \)) appearing in the plain (original) search condition Co “the search field” of \(\left|{\psi }_{0}\right\rangle \), and denote it by \(\left|\zeta \right\rangle \), which is a part of \(\left|{\psi }_{0}\right\rangle \). In the first two steps, Alice encrypts \(\left|\zeta \right\rangle \) and produces a modified search condition to conceal the original one from Bob, so that Bob knows nothing about her plain search target. To briefly explain this, suppose that \(\left|\zeta \right\rangle \) consists of the 3rd, 5th and 6th qubits of \(\left|{\psi }_{0}\right\rangle \), Alice wants to find out the items satisfying the clause \({C}_{{\rm{o}}}={d}_{3}\vee \bar{{d}_{5}}\vee {d}_{6}\) (a clause in 3-conjunctive normal form, where dj is the jth bit of a data item d, \(\bar{{d}_{j}}\equiv 1\oplus {d}_{j}\), the symbol “ ” indicates “OR”), and the 3-bit encryption key srk for \(\left|\zeta \right\rangle \) is r0r1r2 (r0r1r2 {0, 1}), then \({C}_{{\rm{n}}}=({d}_{3}\oplus {r}_{0})\vee \left(\bar{{d}_{5}}\oplus {r}_{1}\right)\vee ({d}_{6}\oplus {r}_{2})\). From Bob’s point of view, srk can be arbitrary 3-bit string, each with the same probability 1/8 and maps the received Cn to one of the eight possible clauses associated with \(\left|\zeta \right\rangle \), that is, P(CoCn) = P(Co) for any Cn and any Co, so Bob knows nothing about the plain search condition from a given Cn.

The schematic circuit for this protocol is depicted in Fig. 2. To make our circuit more comprehensible, we adapt the T gadget in ref. 8 to Fig. 2 and illustrate the jth  T gadget in the lth  G iteration on the gth wire in Fig. 3, where \(\left|{\psi }_{g}\right\rangle \) is the gth qubit of the plain state \(\left|\psi \right\rangle \), and \({Z}^{ {\hat{z}} }{X}^{\widehat{x}}\left|{\psi }_{g}\right\rangle \) is the encrypted qubit of \(\left|{\psi }_{g}\right\rangle \) just before the application of this T gadget.

Figure 2
figure 2

Schematic circuit implementing Protocol 1. There are \(t=O\left(\sqrt{M}\right)\)G iterations in the circuit, which carries out the homomorphic search transform denoted by hGrv. A G iteration is a homomorphic version of the standard Grover iteration, which is obtained by replacing each T gate in the normal Grover iteration with the T gadget illustrated in Fig. 3. Suppose there are sT gadgets in each G iteration; then, the lth  G iteration (l {1, 2, …, t}) needs an auxiliary state \(\left|au{x}_{l}\right\rangle \) of s qubits and an evaluation key wl of s bits to perform sS corrections. \({P}_{{y}_{l},{d}_{l}}\equiv {\otimes }_{j=1}^{s}{P}_{{y}_{l}(j),{d}_{l}(j)}\) is the phase transform for the lth  G iteration, where yl and dl are s-bit binary strings randomly chosen by Carol for all T gadgets in the lth  G iteration, and \({P}_{{y}_{l}(j),{d}_{l}(j)}\equiv {Z}^{{d}_{l}(j)}{S}^{{y}_{l}(j)}\) is the phase transform for the jth  T gadget in the lth  G iteration. Applying \({P}_{{y}_{l}(j),{d}_{l}(j)}\) on \(\left|+\right\rangle \) gives the jth qubit of \(\left|au{x}_{l}\right\rangle \), which is \(\left|+\right\rangle ,\left|-\right\rangle ,\left|{+}_{y}\right\rangle \) or \(\left|{-}_{y}\right\rangle \). wl is the Boolean XOR result between some intermediate key bits and yl; cl is an s-bit measurement result from the lth  G iteration. yldl and cl are involved in key update for the lth  G iteration.

Figure 3
figure 3

The T gadget within the schematic circuit.

Protocol 1. Homomorphic quantum search on encrypted states

  1. 1.

    Alice prepares a plain superposition state \(\left|{\psi }_{0}\right\rangle =\frac{1}{\sqrt{M}}{\sum }_{j=0}^{M-1}\left|\,{\rm{data}}\,(j)\right\rangle \) from her classical database.

  2. 2.

    Alice encrypts the search fields \(\left|\zeta \right\rangle \) (within her plain state \(\left|{\psi }_{0}\right\rangle \)) with a random encryption key srk using QOTP and obtains an encrypted result \(En{c}_{srk}\left|\zeta \right\rangle \), which is a part of the partially encrypted state \(\left|\psi \right\rangle =En{c}_{srk}\left|{\psi }_{0}\right\rangle \) (Here, Enksrk is the extended encryption transform on \(\left|{\psi }_{0}\right\rangle \), which applies the encryption on \(\left|\zeta \right\rangle \) and leaves the other qubits unaffected).

  3. 3.

    Alice translates the original search condition Co (on \(\left|\zeta \right\rangle \)) into the new condition Cn on \(En{c}_{srk}\left|\zeta \right\rangle \) such that \(\left|\zeta \right\rangle \) satisfies Co if and only if \(En{c}_{srk}\left|\zeta \right\rangle \) satisfies Cn.

  4. 4.

    Alice sends a number n—the length of her encrypted state—to Carol.

  5. 5.

    Carol shares a binary string of 3n random bits with Alice by the BB84 protocol21, where \(\left|+\right\rangle ,\left|{+}_{y}\right\rangle \) stands for 0, and \(\left|-\right\rangle ,\left|{-}_{y}\right\rangle \) stands for 1. The first 2n bits of the binary string act as ek and the remaining n bits act as the encryption key sk for dk.

  6. 6.

    Alice encrypts \(\left|\psi \right\rangle \) with ek = (x0z0) and sends the encrypted state \({Enc}_{ek}\left|\psi \right\rangle ={\otimes }_{k=1}^{n}{Z}^{{z}_{0}(k)}{X}^{{x}_{0}(k)}\left|\psi \right\rangle \) along with Cn to Bob.

  7. 7.

    Bob searches on \(En{c}_{ek}\left|\psi \right\rangle \) homomorphically using hGrv, and Carol updates the key synchronously. During the search, once a T gate appears, Bob asks Carol to send an auxiliary qubit from \(\{\left|+\right\rangle ,\left|-\right\rangle ,\left|{+}_{y}\right\rangle ,\left|{-}_{y}\right\rangle \}\) along with a related evaluating key bit (wl(j) in Fig. 3) to him and then performs the T gadget with those data. After that, he returns a one-bit measurement result (cl(j) in Fig. 3) to Carol for key update.

  8. 8.

    When the homomorphic search is completed, Bob measures the search result \(hGrv(En{c}_{ek}\left|\psi \right\rangle )\) and returns the (encrypted) classical outcome \({\mathcal{M}}[hGrv(En{c}_{ek}\left|\psi \right\rangle )]\) to Alice. Meanwhile, Carol finishes the key update process and obtains the decryption key dk for ek and hGrv; she then encrypts dk with sk using COTP and sends it to Alice.

  9. 9.

    Alice first recovers dk with sk and decrypts \({\mathcal{M}}[hGrv(En{c}_{ek}\left|\psi \right\rangle )]\) with dk to obtain the partially encrypted search result, then recovers the search fields in the search result with srk. After that, she can check this result with her search condition and decide whether Bob honestly performed the homomorphic search.

In step 1, Alice needs to utilize two kinds of QRAMs: the first one maps \(\frac{1}{\sqrt{M}}{\sum }_{j=0}^{M-1}\left|j\right\rangle \left|0\right\rangle \) to \(\frac{1}{\sqrt{M}}{\sum }_{j=0}^{M-1}\left|j\right\rangle \left|\,{\rm{data}}\,(j)\right\rangle \), which is connected to a memory array where data (j) is stored in the jth memory cell; the second one maps \(\frac{1}{\sqrt{M}}{\sum }_{j=0}^{M-1}\left|j\right\rangle \left|\,{\rm{data}}\,(j)\right\rangle \) to \(\frac{1}{\sqrt{M}}{\sum }_{j=0}^{M-1}\left|0\right\rangle \left|\,{\rm{data}}\,(j)\right\rangle \), which is connected to a memory where j is stored in the data(j)th memory cell (we assume that data(i) ≠ data(j) if i ≠ j).

In Fig. 2, Carol gives \(\left|au{x}_{l}\right\rangle ={P}_{{y}_{l},{d}_{l}}{\otimes }_{j=1}^{s}H\left|0\right\rangle \) and wl to Bob for the lth  G iteration, and Bob then returns an s-bit measurement result cl from this iteration to Carol, which is used to update the key. More precisely, as illustrated in Fig. 3, the jth qubit of \(\left|au{x}_{l}\right\rangle \) and the jth bit of wl (or wl(j)) together with an encrypted qubit \({Z}^{ {\hat{z}} }{X}^{\widehat{x}}\left|{\psi }_{g}\right\rangle \) under key \((\widehat{x}, {\hat{z}} )(\widehat{x}, {\hat{z}} \in \{0,1\})\) act as the input of the jth  T gadget in the lth  G iteration. This T gadget then outputs a one-bit measurement outcome cl(j) and an encrypted result of \(T\left|{\psi }_{g}\right\rangle \) under a refreshed key \(\left(\widehat{x}{\prime} , {\hat{z}} {\prime} \right)\ \left(\widehat{x}{\prime} , {\hat{z}} {\prime} \in \{0,1\}\right)\), which satisfies \(\widehat{x}{\prime} =\widehat{x}\oplus {c}_{l}(j)\) and \( {\hat{z}} {\prime} =\widehat{x}[{c}_{l}(j)\oplus {y}_{l}(j)\oplus 1]\oplus {\hat{z}} \oplus {d}_{l}(j)\oplus {y}_{l}(j)\). The classical decryption (performing a bitwise addition between the encrypted search result and the decryption key) after the quantum measurement is omitted.

Simulation of two-qubit homomorphic search

To verify the effectiveness of Protocol 1, we present the detailed circuit for two-qubit homomorphic search in Supplementary Fig. S1 and simulate its process using MATLAB. The detailed simulation code is listed in the Supplementary File, which always outputs the expected search target.

Without loss of generality, suppose Alice wants to find the item 10 out of the set {00, 01, 10, 11} (the partially encrypted results corresponding to \(En{c}_{srk}\left|{\psi }_{0}\right\rangle \)); thus, a single Grover iteration is enough, and the oracle within the iteration can be built with X and Toffoli gates as illustrated in Fig. 422. After decomposing the Toffoli gate into the universal gates supporting homomorphic evaluations (i.e. XZHS, CNOT, T), a quantum circuit for two-qubit plain-state search is obtained as depicted in Fig. 5. To perform a two-qubit cipher-state search, this circuit needs to be transformed into its homomorphic version, which is achieved by replacing each T gate (or T gate) in Fig. 5 with a T gadget (or T gadget). The T gadget is obtained by replacing each S gate in Fig. 3 with an S gate. The key-update rules for T and T gadgets are identical.

Figure 4
figure 4

The oracle for finding 10 out of {00, 01, 10, 11}.

Figure 5
figure 5

The two-qubit Grover’s search circuit.

With QOTP encryption and COTP decryption being included, the resultant homomorphic quantum search circuit for two-qubit states is presented in Supplementary Fig. S1. The input of this circuit is the superposed (partially encrypted) state \(\left|\psi \right\rangle =\frac{1}{2}(\left|00\right\rangle +\left|01\right\rangle +\left|10\right\rangle +\left|11\right\rangle )\) along with the oracle qubit \(\,| \,-\rangle \), and the output should be the classical search target (still partially encrypted) together with the unchanged oracle qubit.

In outline, the simulation proceeds in six steps, where the operations carried out by the three parties are included.

  1. 1.

    Randomly generate a four-bit encryption key ek = (x0z0) for \(\left|\psi \right\rangle \).

  2. 2.

    Randomly generate a 14-bit evaluation key evk = (y1d1) for the seven T gadgets (in Supplementary Fig. S1).

  3. 3.

    Encrypt \(\left|\psi \right\rangle \left|-\right\rangle \) with ek using QOTP. The encrypted result acts as the input state encState of the quantum homomorphic search.

  4. 4.

    Perform the homomorphic search circuit on encState and obtain the encrypted output state. Meanwhile, refresh the intermediate key using the key update algorithm.

  5. 5.

    Measure the encrypted output state; update the intermediate key and then get a two-bit decryption key dk.

  6. 6.

    Decrypt the output cipher-state with dk using COTP and get the search result.

The simulation indicates that with different encryption keys (ek = (x0z0)), evaluation keys (evk = (y1d1)) and intermediate measurement results (c1), one may get different decryption keys (dk) and different encrypted search results, but the decrypted outcome is always 10—the partially encrypted search target that we predetermined at the beginning of this section. Here, we list some representative outcomes in Table 2, where the last bit of x0 and the last bit of z0 stay 0 since the oracle qubit does not need to be encrypted.

Table 2 Outcomes of the simulation.

A Compact Quantum Homomorphic Evaluation Protocol for Clifford Circuits

In this section, we demonstrate a non-interactive homomorphic evaluation protocol for Clifford circuits, where the decryption key can be calculated by Alice with polynomial overhead (with respect to the size of ek) by Lemma 1.

Protocol 2. Quantum homomorphic evaluation for a Clifford circuit \({\mathcal{C}}\).

  1. 1.

    Alice randomly chooses a 2n-bit encryption key ek for her n-qubit plain input \(\left|\psi \right\rangle \).

  2. 2.

    Alice encrypts her plain state \(\left|\psi \right\rangle \) with ek and sends the ciphered output \({Enc}_{ek}\left|\psi \right\rangle =\) \({\otimes }_{k=1}^{n}{Z}^{{z}_{0}(k)}{X}^{{x}_{0}(k)}\left|\psi \right\rangle \) to Bob.

  3. 3.

    Bob initiate a 4n2-bit binary string \(st{r}_{\,{\rm{ku}}\,}^{{\mathcal{C}}}\), which will encode the simplified key-update expressions for \({\mathcal{C}}\), then applies \({\mathcal{C}}\) on \({Enc}_{ek}\left|\psi \right\rangle \). During the performance of C, he synchronously updates \(st{r}_{\,{\rm{ku}}\,}^{{\mathcal{C}}}\). When the evaluation is completed, Bob returns the evaluated result \({U}_{{\mathcal{C}}}({Enc}_{ek}\left|\psi \right\rangle )\) and \(st{r}_{\,{\rm{ku}}\,}^{{\mathcal{C}}}\) to Alice.

  4. 4.

    Alice performs the simplified key-update process indicated by \(st{r}_{\,{\rm{ku}}\,}^{{\mathcal{C}}}\) on ek and obtains the decryption key dk, then decrypts \({U}_{{\mathcal{C}}}({Enc}_{ek}\left|\psi \right\rangle )={Enc}_{dk}({U}_{{\mathcal{C}}}\left|\psi \right\rangle )\) and gets the plain evaluated result \({U}_{{\mathcal{C}}}\left|\psi \right\rangle \).

In step 3, \({U}_{{\mathcal{C}}}\) is the unitary transform corresponding to \({\mathcal{C}}\). The simplified key-update expressions for \({\mathcal{C}}\) consists of 2n binary polynomials \({\{{p}_{j}\}}_{j=0}^{2n-1}\), where pj indicates the relationship between ek and dkj. Concretely, the kth bit of ek is denoted by a binary-coefficient monomial xk (which satisfies xk xk= 0) and dkj is a binary polynomial dkj = u0x0 u1x1 u2n−1x2n−1 (uj {0, 1}). Since dk = ek before the evaluation, Bob initially sets pj = xj for all j, which corresponds to the initial value {20, 21, …, 22n−1} of \(st{r}_{\,{\rm{ku}}\,}^{{\mathcal{C}}}\). As an example, suppose the key-update commands for \({\mathcal{C}}\) are sequentially (dkidkj) → (dkidkj dki), (dkjdkk) → (dkj dkkdkk), (dkidkl) → (dki dkldkl), (dkidkj) → (dki dkjdkj), then Bob updates the corresponding polynomials as follows: (1) pj = pj pi = xj xi; (2) pj = pj pk = (xj xi) xk; (3) pi = pi pl = xi xl; (4) pi = pi pj = (xi xl) (xj xi xk) = xj xk xl. At this point, the ith and jth substrings of \(st{r}_{\,{\rm{ku}}\,}^{{\mathcal{C}}}\) become 2j + 2k + 2l and 2i + 2j + 2k, respectively.

Security and Performance

In what follows, we discuss four important properties—data security, circuit privacy, computational complexity, and compactness—of Protocol 1 and Protocol 2, which characterize the security level and performance of each protocol.

Data security and circuit privacy

Since protocol 1 involves a trusted third party (TTP), which does not appear in standard quantum homomorphic encryption schemes, we thus define a new type of security for quantum homomorphic evaluation protocols assisted by TTP. Intuitively, such type of security can be achieved by a quantum cryptographic protocol with a well-defined TTP if the presence of this TTP can preserve the same level of security as that of the underlying (perfectly secure) cryptographic primitives (without TTP).

Definition 1. (TTP-assisted perfect security). Let Π be a quantum homomorphic evaluation protocol assisted by a trusted third party, Carol, who honestly follows Π and would not be corrupted by any adversary. For an arbitrary plain-state ρM (the input state, a density matrix) provided by Alice, if

  1. 1.

    The cipher-states of ρM (including the initial cipher-state that has not yet been evaluated, the intermediate cipher-states that have undergone some unitary transforms, and the output cipher-state of the evaluation, which can be accessed by the evaluator Bob) are all equivalent to the totally mixed state;

  2. 2.

    The decryption keys for the input state and the ultimate output (a quantum state or a classical binary string after quantum measurement) cannot be (undetectably) obtained by parties other than Alice and Carol; and

  3. 3.

    The decryption keys for the intermediate outcomes during the homomorphic evaluation cannot be obtained by parties other than Carol;

then Π satisfies TTP-assisted perfect security.

The first condition in the above is due to the definition of perfect security for quantum encryption schemes23,24. A requirement for the (classical) evaluated result after quantum measurement is not included in Definition 1, since the measured outcome of a totally mixed state would not reveal any information about ρM: the probability of getting a specific classical ciphertext C (C {0, 1}n) is \(\,{\rm{tr}}\,\left[\left|C\right\rangle \left\langle C| C\right\rangle \left\langle C\right|(I/{2}^{n})\right]=1\)/2n, namely the a posteriori distribution of the ciphertext given ρM is the same as the a priori distribution of a valid cryptogram of size n.

Definition 1 is mainly concerned with data privacy, which ensures that the plain-states of the input, the intermediate outcomes, and the output can only be accessible to legitimate parties. Taking into account circuit privacy, we exclude Alice from knowing the intermediate keys (calculated by Carol) in the last condition. In particular, if Alice has two intermediate keys (xrzr) and (xr+1zr+1) for the cipher-states immediately before and after an elementary Clifford gate, then she can deduce which kind of gate was performed by comparing (xrzr) and (xr+1zr+1). With the previous definition, we can now prove that the proposed homomorphic search protocol satisfies this new kind of security.

Theorem 1. Protocol 1 satisfies TTP-assisted perfect security.

Proof. In Protocol 1, the initial cipher-state \({\rho }_{C}^{0}\) of the plain input ρM is an encryption of ρM using quantum one-time pad under key (x0z0), where x0z0 {0, 1}n and each candidate value is assumed to be chosen with the same probability 1∕22n. Taking into account all possible key values, the initial cipher-state is

$${\rho }_{C}^{0}=\frac{1}{{2}^{2n}}\mathop{\sum }\limits_{{x}_{0},{z}_{0}=0}^{{2}^{n}-1}\left({\otimes }_{k=1}^{n}{Z}^{{z}_{0}(k)}{X}^{{x}_{0}(k)}\right)\ {\rho }_{M}\ \left({\otimes }_{k=1}^{n}{X}^{{x}_{0}(k)}{Z}^{{z}_{0}(k)}\right)=\frac{1}{{2}^{2n}}\mathop{\sum }\limits_{{x}_{0},{z}_{0}=0}^{{2}^{n}-1}{Z}^{{z}_{0}}{X}^{{x}_{0}}{\rho }_{M}{X}^{{x}_{0}}{Z}^{{z}_{0}}=\frac{I}{{2}^{n}},$$

where \({X}^{{x}_{0}}={\otimes }_{k=1}^{n}{X}^{{x}_{0}(k)}\) and \({Z}^{{z}_{0}}={\otimes }_{k=1}^{n}{Z}^{{z}_{0}(k)}\). The detailed derivation of the equation above can be found in ref. 24. Thus, \({\rho }_{C}^{0}\) is the totally mixed state. After Bob performs a Clifford gate or a T gadget (denoted by G1) on \({\rho }_{C}^{0}\), it becomes the encrypted result of \({G}_{1}{\rho }_{M}{G}_{1}^{\dagger }\) under the updated key (x1z1). According to Algorithm 1, there is a one-to-one correspondence between (x0z0) and (x1z1), which means that the distribution of an original key is the same as that of its updated key. So the intermediate cipher-state after the first elementary gate can be written as

$${\rho }_{C}^{1}=\frac{1}{{2}^{2n}}\mathop{\sum }\limits_{{x}_{1},{z}_{1}=1}^{{2}^{n}-1}{Z}^{{z}_{1}}{X}^{{x}_{1}}\left({G}_{1}{\rho }_{M}{G}_{1}^{{\rm{\dagger }}}\right){X}^{{x}_{1}}{Z}^{{z}_{1}}.$$

By ref. 24,

$$\frac{1}{{2}^{2n}}\mathop{\sum }\limits_{\gamma ,\delta =0}^{{2}^{n}-1}{X}^{\gamma }{Z}^{\delta }\rho {Z}^{\delta }{X}^{\gamma }=\frac{1}{{2}^{2n}}\mathop{\sum }\limits_{\gamma ,\delta =0}^{{2}^{n}-1}{Z}^{\delta }{X}^{\gamma }\rho {X}^{\gamma }{Z}^{\delta }=\frac{I}{{2}^{n}}$$

for an arbitrary density operator ρ. Take \(\rho ={G}_{1}{\rho }_{M}{G}_{1}^{\dagger }\), x1 = γ, and z1 = δ, the two equations above gives \({\rho }_{C}^{1}=I\)/2n. Analogously, during the sequential performances of the elementary gates within the homomorphic search circuit, all intermediate cipher-states and the ultimate cipher-state obtained by Bob equal the totally mixed state. Therefore, the first requirement of Definition 1 is satisfied.

The decryption key ek for ρM is shared between Alice and Carol by using the BB84 protocol; thus, ek cannot be obtained by any eavesdropper without being detected. Since the decryption key dk for the measurement outcome is encrypted with sk using perfectly secure COTP and sk is also protected under the BB84 protocol, so dk cannot be obtained without sk, which cannot be undetectably accessed by parties except Alice and Carol. Therefore, the second requirement of Definition 1 is fulfilled.

Let \({\rho }_{C}^{j}\) (j ≥ 1) be the intermediate outcome after the first j elementary gates are applied on \({\rho }_{c}^{0}\) and suppose the total number of quantum gates is η. To get the decryption key dkj for \({\rho }_{C}^{j}\), either the value of the decryption key dki for \({\rho }_{C}^{i}\) (0 ≤ i < j) plus the key-update procedure between dki and dkj (or the gate-sequence between \({\rho }_{C}^{i}\) and \({\rho }_{C}^{j}\)) need to be known, or the value of dkk for \({\rho }_{C}^{k}\) (j < k ≤ η) plus the key-update procedure between dkj and dkk (or the gate-sequence between \({\rho }_{C}^{j}\) and \({\rho }_{C}^{k}\)) should be known. According to the third constraint on the key center, the only party except Carol knowing the gate-sequence between \({\rho }_{C}^{i}\) and \({\rho }_{C}^{j}\) or between \({\rho }_{C}^{j}\) and \({\rho }_{C}^{k}\) is Bob, who can obtain neither dki nor dkk from Carol due to the last constraint. According to the second constraint, the only party except Carol knowing dk0 (or dk, the partial content of dkη) is Alice, who can learn neither the gate-sequence between \({\rho }_{C}^{0}\) and \({\rho }_{C}^{j}\) (or between \({\rho }_{C}^{j}\) and \({\rho }_{C}^{\eta }\)) nor the key-update procedure between dk0 and dkj (or between dkj and dkη) due to the last two constraints on Carol. Therefore, the last requirement of Definition 1 is satisfied.

Consequently, Protocol 1 provides TTP-assisted perfect security. □

Since the privacy of the plain search condition in Protocol 1 has been addressed before the detailed description of this protocol, the security definition (as well as the security proof) only considers the confidentiality of decryption keys and the relationship between the plain and cipher states, so that Definition 1 is applicable to general quantum homomorphic evaluation protocols with TTP.

In the proof of Theorem 1, the derivation of the fulfilment of the first condition in Definition 1 can also be used to prove that the initial cipher-state, every intermediate cipher-states, and the ultimate cipher-state in Protocol 2 are also equivalent to the totally mixed state, so Protocol 2 satisfies (standard) perfect security defined in ref. 24. Apart from data security, circuit privacy is also an important property of homomorphic encryption. Here, we define two kinds of circuit privacy and then prove that they are achieved by Protocol 1 and Protocol 2, respectively.

Definition 2. (TTP-assisted circuit privacy). A quantum homomorphic evaluation protocol Π assisted by a trusted third party, Carol, satisfies TTP-assisted circuit privacy if, for any circuit \({\mathcal{C}}\) supported by Π,

  1. 1.

    Alice cannot obtain any information about \({\mathcal{C}}\) from the homomorphically evaluated result \({U}_{{\mathcal{C}}}(En{c}_{ek}\left|\psi \right\rangle )\) on any cipher-state \(En{c}_{ek}\left|\psi \right\rangle \) (or the measurement outcome of this result), except for what can be learned from the decrypted output state \({U}_{{\mathcal{C}}}\left|\psi \right\rangle \) (or the decrypted result of the measurement outcome).

  2. 2.

    Alice cannot gain any information about \({\mathcal{C}}\) from Carol.

Theorem 2. Protocol 1 satisfies TTP-assisted circuit privacy.

Proof. In protocol 1, Alice asks Bob to perform hGrv for her. By Theorem 1, the density operator of the output state \(hGrv(En{c}_{ek}\left|\psi \right\rangle )\) is a totally mixed state. Without decryption, this state reveals nothing about the details of the homomorphic search except the input/output length of hGrv, which has been known by Alice. Clearly, the measurement outcome of a totally mixed state would not reveal any circuit detail, too. After decryption, Alice can get the plain search result, which is the only thing she can learn about hGrv. Therefore, the first requirement of Definition 1 is satisfied.

According to Algorithm 1, one can derive some details of hGrv if he learns some key-update steps, some intermediate keys, some auxiliary qubits for T gadgets, or some measurement outcomes from T gadgets. However, the last two constraints on the key center ensure that no one can obtain such information from Carol, including Alice. Therefore, the second requirement of Definition 1 is satisfied. □

Due to the deterministic relationship between the key-update process and a Clifford circuit evaluated in a QOTP-based QHE, the circuit information cannot be completely hidden from the key-updater. For schemes using CHE, the key is homomorphically updated by the evaluator, so that circuit privacy can be achieved if a circuit private CHE is adopted12. However, the use of CHE leads to q-IND-CPA security rather than perfect security (on input data). Besides, the data owner can always learn O(n) bits of information about the evaluated circuit by looking at the output14, where n is the input/output size of the circuit. Although a QOTP-based QHE protocol not using CHE cannot achieve standard circuit privacy (where the key is updated by the data owner), it may satisfy bounded circuit privacy, which is a weaker notion for circuit privacy.

Definition 3. (O(n2)-bounded circuit privacy). A quantum homomorphic evaluation protocol Π with an input of size n satisfies O(n2)-bounded circuit privacy if, for any circuit \({\mathcal{C}}\) supported by Π, the information about \({\mathcal{C}}\) obtained by the data owner is bounded by O(n2).

Theorem 3. Protocol 2 satisfies O(n2)-bounded circuit privacy.

Proof. In addition to the evaluated cipher-state \({U}_{{\mathcal{C}}}(En{c}_{ek}\left|\psi \right\rangle )\), the data owner Alice gets a 4n2-bit string \(st{r}_{\,{\rm{ku}}\,}^{{\mathcal{C}}}\) that depends on the key-update procedure for \({\mathcal{C}}\). If the decrypted result \({U}_{{\mathcal{C}}}\left|\psi \right\rangle \) is also included (which surely depends on \({\mathcal{C}}\) and may be related with \(st{r}_{\,{\rm{ku}}\,}^{{\mathcal{C}}}\)), then the information (after measurement) obtained by Alice does not exceed 4n2 + n. Thus, the information about C obtained by Alice is bounded by O(n2). If one views \({\mathcal{C}}\) as a sequence of random choices from the set {HS, CNOT} (a universal gate set for Clifford circuits), and each choice of gate is followed another random choice (indexing the input qubit or qubits of the chosen gate) from {0, 1, …, n − 1} or {0, 1, …, n − 1} × {0, 1, …, n − 2}, then the whole information contained in \({\mathcal{C}}\) can be measured by the entropy of those choices. By Shannon’s information theory25, this entropy equals L[log3 + logn + (1/3)log(n − 1)], where L is the number of gates in \({\mathcal{C}}\). Therefore, the leakage ratio of the circuit information is bounded by \(\frac{4{n}^{2}+n}{L[\,{\rm{\log }}3+{\rm{\log }}\,n+(1/3)\,{\rm{\log }}\,(n-1)]}\), which is negligible if L is exponential in n. □

Computational complexity and compactness

In both protocols, the client needs to encrypt her plain data before the homomorphic evaluation and to decrypt the ciphered result after the evaluation (additionally, to measure qubits in the Pauli-X and Y basis in Protocol 1), which is linear in the size of the input; the server performs the homomorphic evaluation, whose computational complexity is the same as that of the non-homomorphic version (up to a multiplicative constant).

In Protocol 1, the communication complexity between the key center and the server is in proportion to the size of the evaluated circuit, so it is not compact. In Protocol 2, the simplified key-update procedure performed by the client is polynomial in the input size of the evaluated circuit \({\mathcal{C}}\), which is independent of the length of \({\mathcal{C}}\). Thus, Protocol 2 is compact and is especially suitable for a long evaluation with a short input.

Protocol 2 satisfies perfect security and compactness simultaneously, which is rarely achieved among related works. After this work is completed, we find a similar work in ref. 26, where the server in scheme GT also generates a key-update polynomial f(x0z0) for the final decryption key (when considering only Clifford circuits). However, the formulas for this polynomial is not presented in detail and the calculation rule for \({\{{p}_{j}\}}_{j=0}^{2n-1}\) in Protocol 2 is derived independently.

In Table 3, we give a comparison between our protocols and other closely related schemes. The abbreviations CI, QI, and q-IND-CPA is short for classical interaction, quantum interaction, and indistinguishability under chosen plaintext attack by quantum polynomial-time adversary. The variable “R” is the number of T gates in the circuit to be evaluated. For a detailed definition of “R2-quasi-compact”, please refer to Definition 9 in Section 3.4 of ref. 11.

Table 3 Comparison with related works. The former nine proposals are for circuits containing T gates and the latter two are for Clifford circuits.


In this paper, we have presented a homomorphic quantum search protocol on encrypted superposition states based on QHE. To homomorphically perform the Grover’s algorithm successfully, the QHE schemes utilizing CHE are ruled out. Instead, a trusted third party is introduced to communicate with the search server and update the key, which greatly alleviates the client’s workload. This idea is not only applicable to homomorphic quantum search but also adapted to delegated quantum computing wherein the computing purpose is easy to describe but the computing process is long and complex. Moreover, this search protocol can be combined with other delegated quantum computing schemes, so that general tasks including normal computing as well as quantum search can be accomplished homomorphically. Besides, we have provided a non-interactive QHE protocol for Clifford circuits, which is both secure and compact. Based on a new security definition for QHE schemes with TTP, we have proved that the first protocol satisfies this security. We have also defined two kinds of circuit privacy and proved that they are fulfilled by the two protocols, respectively.

Data availability

All data generated or analysed during this study are included in this published article (and its Supplementary Information Files).


  1. Bösch, C., Hartel, P., Jonker, W. & Peter, A. A survey of provably secure searchable encryption. ACM Compt. Surv. 47, 18 (2015).

    Google Scholar 

  2. Sun, X. Q. et al. An efficient quantum somewhat homomorphic symmetric searchable encryption. Int. J. Theor. Phys. 56, 1335–1347 (2017).

    MathSciNet  Article  Google Scholar 

  3. Grover, L. K. Quantum mechanics helps in searching for a needle in a haystack. Phys. Rev. Lett. 79, 325 (1997).

    CAS  ADS  Article  Google Scholar 

  4. Liang, M. Symmetric quantum fully homomorphic encryption with perfect security. Quantum Inf. Process. 12, 3675–3687 (2013).

    ADS  MathSciNet  Article  Google Scholar 

  5. Boykin, P. O. & Roychowdhury, V. Optimal encryption of quantum bits. Phys. Rev. A 67, 042317 (2003).

    ADS  Article  Google Scholar 

  6. Liang, M. Quantum fully homomorphic encryption scheme based on universal quantum circuit. Quantum Inf. Process. 14, 2749–2759 (2015).

    ADS  MathSciNet  Article  Google Scholar 

  7. Childs, A. M. Secure assisted quantum computation. Quantum Inf. Comput. 5, 456–466 (2005).

    MathSciNet  MATH  Google Scholar 

  8. Fisher, K. A. G. et al. Quantum computing on encrypted data. Nat. Commun. 5, 3074 (2014).

    CAS  ADS  Article  Google Scholar 

  9. Broadbent, A. Delegating private quantum computations. Can. J. Phys. 93, 941–946 (2015).

    CAS  ADS  Article  Google Scholar 

  10. Yu, L., Pérez-Delgado, C. A. & Fitzsimons, J. F. Limitations on information-theoretically-secure quantum homomorphic encryption. Phys. Rev. A 90, 050303 (2014).

    ADS  Article  Google Scholar 

  11. Broadbent, A. &  Jeffery, S.  Quantum homomorphic encryption for circuits of low T-gate complexity. In International Cryptology Conference, August 16–20, 2015, California, USA, 609–629 (2015).

  12. Dulek, Y.,  Schaffner, C. &  Speelman, F.  Quantum homomorphic encryption for polynomial-sized circuits. In International Cryptology Conference, August 14–18, 2016, California, USA, 3–32 (2016).

  13. Goyal, R.  Quantum multi-key homomorphic encryption for polynomial-sized circuits. Preprint at IACR Cryptology ePrint Archive (2018).

  14. Yu, L.  A quantum homomorphic encryption scheme for polynomial-sized circuits. Preprint at Cornell University arXive (2019).

  15. Brakerski, Z.  Quantum FHE (almost) as secure as classical. In International Cryptology Conference, July 67–95 (2018).

  16. Tan, S. H., Kettlewell, J. A., Ouyang, Y., Chen, L. & Fitzsimons, J. F. A quantum approach to homomorphic encryption. Sci. Rep-UK 6, 33467 (2016).

    CAS  ADS  Article  Google Scholar 

  17. Tan, S. H., Ouyang, Y. K. & Rohde, P. P. Practical somewhat-secure quantum somewhat-homomorphic encryption with coherent states. Phys. Rev. A 97, 042308 (2018).

    CAS  ADS  Article  Google Scholar 

  18. Ouyang, Y. K., Tan, S. H. & Fitzsimons, J. F. Quantum homomorphic encryption from quantum codes. Phys. Rev. A 98, 042334 (2018).

    CAS  ADS  Article  Google Scholar 

  19. Chen, X. B., Sun, Y. R., Xu, G. & Yang, Y. X. Quantum homomorphic encryption scheme with flexible number of evaluator based on (k, n)-threshold quantum state sharing. Inform. Sciences 501, 172–181 (2019).

    MathSciNet  Article  Google Scholar 

  20. Giovannetti, V., Lloyd, S. & Maccone, L. Quantum random access memory. Phys. Rev. Lett. 100, 160501 (2008).

    ADS  MathSciNet  Article  Google Scholar 

  21. Bennett, C. H. & Brassard, G. Quantum cryptography: Public key distribution and coin tossing. Theor. Comput. Sci. 560, 7–11 (2014).

    MathSciNet  Article  Google Scholar 

  22. Nielsen, M. A. &  Chuang, I. L.  Quantum Computation and Quantum Information (ed. Nielsen, M. A.) 182–183 (New York: Cambridge University Press, 2010).

  23. Boykin, P. O. & Roychowdhury, V. Optimal encryption of quantum bits. Physcal Review A 67, 042317 (2003).

    ADS  Article  Google Scholar 

  24. Boykin, P. O.  Information Security and Quantum Mechanics: Security of Quantum Protocols Doctor of Philosophy in Physics thesis, University of California, (2002).

  25. Shannon, C. E. A mathematical theory of communication. Bell Syst. Tech. J. 27, 379–423 (1948).

    MathSciNet  Article  Google Scholar 

  26. Liang, M. Teleportation-based quantum homomorphic encryption scheme with quasi-compactness and perfect security. Quantum Inf. Process. 19, 28 (2020).

    ADS  MathSciNet  Article  Google Scholar 

Download references


We gratefully acknowledge this work is supported by the Science and Technology Program of Shenzhen of China under Grant Nos. JCYJ20180306124612893. The 5th author also gratefully acknowledges the support from the China Postdoctoral Science Foundation under Grant No. 2017M620322.

Author information

Authors and Affiliations



Q.Z. and S.L. proposed the idea, Y.C. designed the quantum circuits, L.L. and J.S. analyzed the security. Q.Z. wrote the manuscript. All authors discussed and reviewed the manuscript.

Corresponding authors

Correspondence to Songfeng Lu or Yongquan Cui.

Ethics declarations

Competing interests

The authors declare no competing interests.

Additional information

Publisher’s note Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Supplementary information

Rights and permissions

Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made. The images or other third party material in this article are included in the article’s Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the article’s Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this license, visit

Reprints and Permissions

About this article

Verify currency and authenticity via CrossMark

Cite this article

Zhou, Q., Lu, S., Cui, Y. et al. Quantum Search on Encrypted Data Based on Quantum Homomorphic Encryption. Sci Rep 10, 5135 (2020).

Download citation

  • Received:

  • Accepted:

  • Published:

  • DOI:

Further reading


By submitting a comment you agree to abide by our Terms and Community Guidelines. If you find something abusive or that does not comply with our terms or guidelines please flag it as inappropriate.


Quick links

Nature Briefing

Sign up for the Nature Briefing newsletter — what matters in science, free to your inbox daily.

Get the most important science stories of the day, free in your inbox. Sign up for Nature Briefing