A quantum approach to homomorphic encryption

Encryption schemes often derive their power from the properties of the underlying algebra on the symbols used. Inspired by group theoretic tools, we use the centralizer of a subgroup of operations to present a private-key quantum homomorphic encryption scheme that enables a broad class of quantum computation on encrypted data. The quantum data is encoded on bosons of distinct species in distinct spatial modes, and the quantum computations are manipulations of these bosons in a manner independent of their species. A particular instance of our encoding hides up to a constant fraction of the information encrypted. This fraction can be made arbitrarily close to unity with overhead scaling only polynomially in the message length. This highlights the potential of our protocol to hide a non-trivial amount of information, and is suggestive of a large class of encodings that might yield better security.

The discovery that quantum systems could be harnessed to process data in a fundamentally new way has led to the burgeoning field of quantum information processing. This approach to computation holds the promise of more efficient algorithms for a variety of tasks including integer factorization [1], search [2] and quantum simulation [3]. However, quantum information processing has also found applications in the area of cryptography, which has been a focus of the field since the discovery of secure quantum key distribution protocols by Bennett and Brassard [4] and Ekert [5]. The information theoretic security of these protocols stands in stark contrast to the reliance of classical key agreement protocols on assumptions of computational hardness, and indeed a major goal of quantum cryptography research is to replicate and extend the functionality present in existing classical schemes while providing stronger, information theoretic, security guarantees.
In the world of classical cryptography, a central topic in recent years has been the study of homomorphic encryption [6][7][8]. Homomorphic encryption is a form of encryption which allows data processing to be performed on encrypted data without access to the encryption key. In general, a homomorphic encryption system is composed of four components: a key generation algorithm, an encryption algorithm that encrypts the data using the generated key, a decryption algorithm that decrypts the data using the key, and an evaluation algorithm which is used to process the data without decryption. Thus homomorphic encryption allows for secret data to be processed by third parties without allowing them access to the plaintext. After decryption, the plaintext output reveals the processed data. A scheme is termed fully homomorphic if it allows for arbitrary processing of the encrypted data. Although the idea for homomorphic encryption has existed for some time [6], it was not until 2009 that a fully homomorphic encryption scheme was discovered by Gentry [7]. Gentry's scheme is only computationally secure, relying on the assumed hardness of certain worst-case problems over ideal lattices, and the sparse subset sum problem, although the condition requiring ideal lattices was later dropped [8].
Recent successes in quantum cryptography in finding information theoretically secure protocols for blind computation [9][10][11][12][13][14] and verifiable computing [15][16][17][18], problems closely linked to homomorphic encryption, have motivated the question of whether quantum mechanics allows for information theoretically secure fully homomorphic encryption schemes. Indeed, a number of attempts have been made to find a quantum analogue of homomorphic encryption [19][20][21][22]; however, these attempts have inevitably run into a barrier. It is now known that it is not possible to achieve perfect information theoretic security while enabling arbitrary processing of encrypted data, unless the size of the encoding is allowed to grow exponentially [23]. As a result, such schemes have required interaction between parties to enable deterministic computation. These requirements parallel those of blind quantum computation, which hides both the data and the computation being done on it. The question then remains as to whether information theoretically secure homomorphic encryption is possible without expanding the definition to include interactive protocols. A first step in the direction of non-interactive quantum protocols was presented in [24] for a restricted, non-universal model of quantum computation known as the BosonSampling model [25]. Furthermore, that scheme ensures only that the encoded information and the accessible information differ by an amount proportional to $\log_2 m$ bits when $m$ bits are encrypted, which is a relatively weak security guarantee. An information theoretically secure scheme that allows for arbitrary processing of encrypted data is not known to date, and is the focus of the present paper.
In this paper, we present what we believe to be the first known private-key homomorphic encryption protocol that supports universal classical or quantum computation while providing information theoretic security guarantees. The protocol we present ensures a gap between the information accessible to an adversary and the actual information encoded that grows as $m/\log_2 m$ bits when $m$ bits are encrypted. This is a significantly stronger security guarantee than that offered by the scheme presented in [24], which offers only limited computation on encrypted data. We present our results in three parts. First we present a general approach to homomorphic encryption stemming from the group theoretic structure of quantum operations. We then present a family of operations which allow universal computation on encrypted data for a broad class of encryption schemes satisfying certain symmetry constraints. Finally we present a concrete encoding satisfying these constraints and show that it limits the accessible information as described above.
Group theoretic approach - We approach the problem of creating a homomorphic encryption scheme via the most naive route: we try to construct a set of encryption operations which commute with the operations used to implement computation on the encrypted data. However, this approach immediately encounters a barrier when applied to the case of universal computation. In such a case the computation operations form a group, either the unitary group in the case of quantum computation or the symmetric group in the case of classical reversible computation, which does not usually commute with other operations. Indeed, by Schur's lemma any irreducible representation of these groups only commutes with operators proportional to the identity, precluding non-trivial encryption. However, for reducible representations of these groups, there can exist non-trivial operators which commute with the entire group. This provides a natural route to constructing a homomorphic encryption scheme which allows the evaluation of operators chosen from some group $G$ on encrypted data, by choosing a representation of the group with a non-trivial centralizer. In the case where the group has a trivial center, this means that the operations used to perform the computation must form a subgroup of a larger group from which the centralizer elements are drawn. While it is not immediately obvious that encryption operations chosen from the centralizer of some reducible representation of $G$ should actually be able to hide information, the BosonSampling scheme presented in [24] provides an example of such an encoding where a non-trivial amount of information is hidden.
Representation of computation - We now construct a specific reducible representation of the unitary group, by providing a set of logic gates which generate it. This representation of $U(n^m)$ is a subgroup of the group of unitary transformations of all $nm$ particles, in which it has a centralizer with a large number of independent elements. Later we will present an explicit encryption scheme built from elements of the centralizer of this subgroup; however, we note that the gates we present now are compatible with any choice of encryption operators from the centralizer of this subgroup and not only with the specific scheme we explore in this paper.
In order to construct a reducible representation of the unitary group, we draw inspiration from the multi-rail qudit encoding prevalent in quantum optics [26]. Let us consider $nm$ bosonic particles, each with $d$ internal states, partitioned into sets of $n$ particles. Each set is used to represent a logical qudit of $n$ levels. We consider a plaintext of $m$ distinct $n$-dits, each one of which is encoded in a unique set of $n$ particles. The state of the particle at site position $x$ is given by $|\alpha\rangle_x = \hat a^\dagger_{x,\alpha}|\mathrm{vac}\rangle$, where the creation and annihilation operators satisfy $[\hat a_{x,\alpha}, \hat a^\dagger_{y,\beta}] = \delta_{\alpha,\beta}\,\delta_{x,y}$, and $\alpha$ labels the internal state of the particle for $0 \le \alpha \le d-1$. The internal states of the bosonic particles give them some degree of distinguishability [27], a feature which will be utilized for the evaluation.
For the evaluation, a qudit is a state in $\mathbb{C}^n$ and the plaintext is represented on an $m$-qudit state in the tensor product space $(\mathbb{C}^n)^{\otimes m}$. A local gate acting on a single qudit lies in $U(n)$ and, as there is more than one particle used to represent the qudit, we are working in a reducible representation of this group, a necessity as discussed earlier. The computational basis of the qudit is formed by the state of the $n$ particles with their respective sites labeled by the tuples $\mathbf{x} = (x_1, x_2, \dots, x_n)$ and $\boldsymbol{\alpha} = (\alpha_1, \alpha_2, \dots, \alpha_n)$, where $0 \le \alpha_1, \dots, \alpha_n \le d-1$. Each qudit acts as an $n$-dimensional oscillator and there are $d$ types of bosons for each site. We shall use the boson realization of the $U(n)$ algebra [28][29][30] to describe the generators of local qudit gates for realizing computation on the encrypted data. The operators $\hat C_{x,y} = \sum_{\alpha} \hat a^\dagger_{x,\alpha}\hat a_{y,\alpha}$, for $1 \le x, y \le n$, form the set of generators for $U(n)$. One can verify that the following commutator relations are satisfied for $\{\hat C_{x,y}\}$: To produce any $m$-qudit quantum gate which lies in $U(n^m)$, we need an imprimitive 2-qudit gate together with the set of single qudit gates. A two-qudit gate is primitive if it maps separable states to separable states, and imprimitive otherwise. The following theorem from [31] establishes that the addition of any imprimitive gate suffices to generate a representation of $U(n^m)$.
Theorem 1: The collection of all single-qudit gates and any imprimitive two-qudit gate is universal.
Let $S(\alpha,\beta)_{x,y}$ be a representation of the unitary SWAP operator that swaps two particles at positions $x$ and $y$, given by $S(\alpha,\beta)_{x,y} = \frac{1}{2}$ where $|s(\alpha,\beta)\rangle$, and the subscripts label the sites.
For the particles of two qudits at $x$ and $y$ given by $|\alpha\rangle_x|\beta\rangle_y$, we define the following 2-qudit gate to be the $\sqrt{\mathrm{SWAP}}$ gate: We now show that this gate is an imprimitive 2-qudit gate (see Fig. 1).
Lemma 1: $N(\alpha,\beta)_{x,y}$ is an imprimitive 2-qudit gate.
Proof: Consider the action of $N(\alpha,\beta)_{x,y}$ on the separable state $|\alpha\rangle_x|\beta\rangle_y$: The resulting state is not separable unless $|\beta\rangle = |\alpha\rangle$. As such, $N(\alpha,\beta)_{x,y}$ is an imprimitive gate. It follows from Theorem 1 and Lemma 1 that the collection of $N(\alpha,\beta)_{x,y}$ and all single qudit gates, implemented as in [32], is universal. We now present an encryption scheme for which the encryption and decryption procedures commute with all local qudit gates and with $N(\alpha,\beta)_{x,y}$.
Encoding scheme - For the encryption operation, a unitary operator, $E$, which only acts on the internal state of the constituent particles, is applied on each of the $m$ partitions. Any $E$ which acts symmetrically on the particles in each set will commute with the representation of $U(n^m)$ described above. However, here we focus on one particular choice of encoding. For our encoding, we set the number of particles per qudit to be the same as the number of internal states per particle, i.e. $n = d$. A schematic of this encoding scheme is shown in Fig. 2.
First, we define the logical basis of the qudits to be where the subscript $L$ has been used to distinguish the logical state of the qudit from those of the individual particles. Note that this basis can be generated from $|0\rangle_L$ via a repeated application of $L = \hat s^{\otimes d}$, where $\hat s$ is a cyclic shift operation on the internal state of each particle such that $\hat s|\alpha\rangle_x = |\alpha + 1 \pmod d\rangle_x$. The generators of the encoding are, for $k = 1, \dots, d/2$, To simplify our calculations, we choose to express our generators in the following basis instead: ) and $\eta = 1 + (-1)^{d/2}\cos(\pi)$. Data represented using the logical basis can be encrypted by choosing a key, $\kappa = (\kappa_1, \dots, \kappa_{d-1})$, where each $\kappa_\ell$ is an integer chosen uniformly at random from $\{0, \dots, d\}$, and applying the corresponding random unitary operation on each qudit: where the angle $\phi := \frac{2\pi}{d+1}\kappa$. It is convenient to think of $E$ as a product of integer powers of $E := \exp(i$ After the encoding, computation can still be performed on the qudits using the operations described in the previous section. However, for an adversary that does not have access to $\kappa$, the information encoded is obscured. Once the evaluation is completed, the qudits can be decrypted by applying $E^\dagger$ on every qudit to yield the processed plaintext. Surprisingly, with this simple encryption-decryption process, any quantum computation done on the encrypted state yields the same result when decrypted as if it had been done on the unencrypted state; it is a fully homomorphic private-key quantum cryptosystem.
To prove that our scheme works, we have to show that (1) $E$ commutes with a local qudit gate in $U(n)$, and that (2) $E \otimes E$ commutes with the 2-qudit $N(\alpha,\beta)_{x,y}$ gate.
Lemma 2: $E$ commutes with any local qudit gate.
Proof: The encoding operation acts only on the internal states of each particle, whereas the generators of $U(n)$ transform all internal states in the same way. As such the former must commute with the latter. More formally, we first show that $\hat s \otimes \hat s$ commutes with $\hat C_{x,y}$: where we have used the fact that the set of $\alpha$'s is a group under addition modulo $d$. Since $\hat C_{x,y}$ commutes with $\hat s \otimes \hat s$, it must also commute with $L$, and hence with any power of $L$. As the generators of the encoding depend only on powers of $L$, they must then commute with $\hat C_{x,y}$. Consequently, the groups generated by $H_k$ and $\hat C_{x,y}$ also commute.
Lemma 3: $N(\alpha,\beta)_{x,y}$ commutes with $E \otimes E$.
Proof: First, we note that $S = \prod_{k=1}^{n} S(\alpha_k,\beta_k)_{x_k,y_k}$ swaps the qudit states at $x$ and $y$, while the first and second terms in the tensor product $E \otimes E$ act on the qudit states at $x$ and $y$ respectively. Then $S$ must commute with and both $I$ and $S$ commute with $E \otimes E$, then $N(\alpha,\beta)$
Hidden information - Here we show that our quantum homomorphic scheme can hide a number of bits proportional to $m$.
Without knowing the key, the ensemble $\{\rho_\alpha, p_\alpha\}$ for an input of $|\alpha\rangle = |\alpha_1, \alpha_2, \dots, \alpha_m\rangle$, where It is illuminating to look at the ensemble in the Fourier transform basis, as there the encoding is diagonal. We can write $\rho_\alpha$ in the form $\sum_{\beta,\beta' \in \mathbb{Z}_d^m} |\beta\rangle_L\,{}_L\langle\beta'|\, c_{\beta,\beta'}$, and the non-zero coefficients are those for which the number of 's in $\beta$ is equal to the number of 's in $\beta'$ for all $= 1, \dots, d-1$. Let $\mathcal{F}(\hat O)$ denote $(F^\dagger)^{\otimes m}\hat O F^{\otimes m}$. Then where $\mathrm{wt}(\beta)$ is the Lee weight, which counts the number of times appears in the vector $\beta$. The non-zero terms in eq. (1) can be partitioned into sets labeled by integer partitions of $m$. Let $P_{m,d}$ be the set of integer partitions of $m$ into $d$ (possibly empty) parts and let $\lambda$ be a partition in $P_{m,d}$. In eq. (1), strings for which all Lee weights are equal belong to the same partition $\lambda$. The entries in $\lambda = (\lambda_0, \lambda_1, \dots, \lambda_{d-1})$ give the number of times a particular element appears in $\beta$. With this notation, we get is the multinomial coefficient, and which is invariant under permutation of the qudits.
Theorem 2: For all probability distributions $p_\alpha$, the accessible information of the encoding $E$, without knowing the key, is upper bounded by $\log_2 m!$ bits when Alice sends $m$ qudits.
Proof: First, we observe that the elements of $\{|\alpha\rangle_L, \alpha = 0, \dots, d-1\}$ are related by powers of $L$. Since $L$ is unitary and commutes with the encoding $E$, it must be that $S(\rho_\alpha)$ is the same for all $\alpha$. For simplicity, we analyze $S(\rho_0)$: where we have used the orthogonality of the different partitions labelled by $\lambda$ in the third equality [33], and that $|\Psi^0_\lambda\rangle\langle\Psi^0_\lambda|$ has rank one in the final equality. Similar arguments can be made for $\rho = \sum_\alpha p_\alpha \rho_\alpha$. The inequality above occurs because applying a channel that randomizes over $\alpha$, by applying a random power of $L$ to each qudit, symmetrizes the probability distribution $p_\alpha$ to the uniform distribution, but cannot decrease entropy. The second term of eq. (3) obeys the identity Thus if $d = m$ and $m\log_2 m$ bits are encoded, this gap scales at least proportionally to $m$. This is a significantly stronger security guarantee than that offered by [24], while at the same time dramatically extending the functionality by allowing universal computation to be performed on the encrypted data. As our bound in eq. (5) is independent of the probability distribution used for the encoding, the bound on the accessible information holds even if the a priori distribution on the plaintext is not uniform.
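The final step of the proof, the gap between the $m\log_2 m$ bits encoded for $d = m$ and the Theorem 2 bound, carried through explicitly with Stirling's inequality. This worked derivation is added here and is not part of the original paper; it assumes only the Theorem 2 bound $I_{\mathrm{acc}} \le \log_2 m!$ and the standard upper bound $m! \le e\sqrt{m}\,(m/e)^m$, valid for all $m \ge 1$.

$$
\begin{aligned}
\text{bits encoded } (d = m):\quad & m\log_2 d = m\log_2 m, \\
\text{accessible information (Theorem 2)}:\quad & I_{\mathrm{acc}} \le \log_2 m!, \\
\log_2 m! \;&\le\; \log_2\!\big(e\sqrt{m}\,(m/e)^m\big)
 \;=\; m\log_2 m - m\log_2 e + \tfrac{1}{2}\log_2 m + \log_2 e, \\
\text{gap}:\quad m\log_2 m - I_{\mathrm{acc}} \;&\ge\; m\log_2 m - \log_2 m! \\
 &\ge\; m\log_2 e - \tfrac{1}{2}\log_2 m - \log_2 e \\
 &\ge\; (\log_2 e - 1)\,m \;\approx\; 0.44\,m \qquad (m \ge 2),
\end{aligned}
$$

where the last line uses $m \ge \tfrac{1}{2}\log_2 m + \log_2 e$ for every $m \ge 2$. As a numerical check, for $m = d = 16$ the encoded $64$ bits exceed $\log_2 16! \approx 44.25$ bits by $19.75$ bits, consistent with the lower bound $16\log_2 e - 2 - \log_2 e \approx 19.64$ bits from the derivation.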
In conclusion, we have constructed a quantum fully homomorphic encryption scheme, with information theoretic security guarantees on the amount of information leaked. Our scheme serves as a proof-of-principle that such fully homomorphic encryption schemes can exist. While our scheme does not offer perfect security, we believe that the approach to homomorphic encryption based on centralizers of reducible representations we describe offers a new approach which may lead to further improvements in security in the future.

FIG. 2: Figure showing Alice's encoding scheme for $m$ qudits, in which each qudit is implemented on the state of $n = d$ particles. The encoding operation $E$ is effected across the qudits in a tensor product way. Post-evaluation, the encryption is removed via the inverse encoding operation to reveal the evaluated plaintext.
where $F$ is the quantum Fourier transform given by $F = \frac{1}{\sqrt{d}}\sum_{j,k=0}^{d-1} \exp\!\left(\frac{2\pi i jk}{d}\right)|k\rangle_L\,{}_L\langle j|$. It is easy to verify that $\{|a\rangle_L\}$ are the eigenvectors of $\Delta_k$ with eigenvalues $c(k) = \cos\!\left(\frac{2\pi k}{d}\right)$ and of $\Delta_{k+d/2}$ with eigenvalues $s(k) = \sin\!\left(\frac{2\pi k}{d}\right)$.