#### DMCA

## Quantum homomorphic encryption for circuits of low

Citations: | 1 - 0 self |

### Citations

1544 | A public key cryptosystem and a signature scheme based on discrete logarithms
- ElGamal
- 1985
(Show Context)
Citation Context ... 30 years. Some early public-key encryption schemes were homomorphic over the set of circuits consisting of only additions [GM84, Pai99] or over the set of circuits consisting of only multiplications =-=[ElG85]-=-. Several steps were made towards FHE, with schemes that were homomorphic over increasingly large circuit classes, such as circuits containing additions and a single multiplication [BGN05], or of loga... |

1379 | S: Probabilistic encryption - Goldwasser, Micali - 1984 |

1175 |
Can quantum-mechanical description of physical reality be considered complete? Phys
- Einstein, Podolsky, et al.
(Show Context)
Citation Context ...rror. Our main contribution is to present two schemes, EPR and AUX, that deal with this situation in two different ways: EPR: The main idea of EPR (named after the famous Einstein-Podolski-Rosen trio =-=[EPR35]-=-) is to use entangled quantum registers to enable corrections within the circuit at the time of decryption. This scheme is efficient for any quantum circuit, however, it fails to meet a requirement fo... |

1006 | Public-Key Cryptosystems Based on Composite Degree Residuosity Classes - Paillier |

977 |
Quantum cryptography: Public-key distribution and coin tossing.
- Bennett, Brassard
- 1984
(Show Context)
Citation Context ...tography revisits classical primitives in the light of quantum information, establishing either no-go results (e.g. [LC97, May97]), or qualitative improvements achieved with quantum information (e.g. =-=[BB84]-=-). Another branch of quantum cryptography seeks to establish quantum cryptographic functionality, for instance in multiparty quantum computation [BOCG+06] or quantum message authentication [BCG+02]. T... |

658 | Fully homomorphic encryption using ideal lattices
- Gentry
(Show Context)
Citation Context ...additions and a single multiplication [BGN05], or of logarithmic depth [SYY99], until finally in 2009, Gentry established a breakthrough result by giving the first fully homomorphic encryption scheme =-=[Gen09b]-=-. Follow-up work showed that FHE could be simplified [DGHV10], and based on standard assumptions, such as learning with errors [BV11]. The advent of FHE has unleashed a series of far-reaching conseque... |

361 | On Lattices, learning with errors, random linear codes, and cryptography - Regev - 2009 |

228 | Evaluating 2-dnf formulas on ciphertexts
- Boneh, Goh, et al.
- 2005
(Show Context)
Citation Context ...iplications [ElG85]. Several steps were made towards FHE, with schemes that were homomorphic over increasingly large circuit classes, such as circuits containing additions and a single multiplication =-=[BGN05]-=-, or of logarithmic depth [SYY99], until finally in 2009, Gentry established a breakthrough result by giving the first fully homomorphic encryption scheme [Gen09b]. Follow-up work showed that FHE coul... |

228 |
Introduction to Modern Cryptography,
- Katz, Lindell
- 2007
(Show Context)
Citation Context ...quivalent; this strengthens our results since security in the most general case follows from security for the simplest definition. The proof of equivalence is similar to the classical case (see, e.g. =-=[KL08]-=-), and is included in App. B for completeness. We note that, by taking the evaluation key to be empty, our definitions and theorems are trivially applicable to the scenario of quantum public-key encry... |

223 |
A single quantum cannot be cloned
- Wootters, Zurek
- 1982
(Show Context)
Citation Context ... Schemes In general, a quantum system is not equal to the sum of its parts. Because of this, for one of our schemes (as given in Sec. 6), it is convenient (if not necessary, by the no-cloning theorem =-=[WZ82]-=-) to define the output of QHE.Eval as containing, in addition to a series of cipherstates corresponding to each qubit, some auxiliary quantum register, possibly entangled with each cipherstate. Then t... |

207 | A fully homomorphic encryption scheme
- Gentry
- 2009
(Show Context)
Citation Context ... other property of C, is not compact, it is still interesting to consider schemes whose decryption procedure has complexity that scales sublinearly in G (such schemes are called quasi-compact schemes =-=[Gen09a]-=-). We give a formal definition that quantifies this notion for indivisible quantum homomorphic encryption schemes. Definition 3.11 (quasi-compactness). Let S = {Sκ}κ be the set of all quantum circuits... |

195 | On data banks and privacy homomorphisms
- Rivest, Adleman, et al.
- 1978
(Show Context)
Citation Context ...s to the output of the circuit C on input m, for any C ∈ S . In fully homomorphic encryption (FHE), S is the set of all classical circuits. FHE was introduced in 1978 by Rivest, Adleman and Dertouzos =-=[RAD78]-=-, but the existence of such a scheme was an open problem for over 30 years. Some early public-key encryption schemes were homomorphic over the set of circuits consisting of only additions [GM84, Pai99... |

176 | Unconditionally Secure Quantum Bit Commitment - Mayers |

139 | Fully homomorphic encryption over the integers
- Dijk, Gentry, et al.
- 2010
(Show Context)
Citation Context ...mic depth [SYY99], until finally in 2009, Gentry established a breakthrough result by giving the first fully homomorphic encryption scheme [Gen09b]. Follow-up work showed that FHE could be simplified =-=[DGHV10]-=-, and based on standard assumptions, such as learning with errors [BV11]. The advent of FHE has unleashed a series of far-reaching consequences, such as delegating computations in a cloud architecture... |

117 | Efficient fully homomorphic encryption from (standard) LWE
- Brakerski, Vaikuntanathan
(Show Context)
Citation Context ...h result by giving the first fully homomorphic encryption scheme [Gen09b]. Follow-up work showed that FHE could be simplified [DGHV10], and based on standard assumptions, such as learning with errors =-=[BV11]-=-. The advent of FHE has unleashed a series of far-reaching consequences, such as delegating computations in a cloud architecture, and functional encryption [GKP+13]. For a survey on fully homomorphic ... |

101 | The Heisenberg representation of quantum computers
- Gottesman
(Show Context)
Citation Context ...of quantum circuits, it had been known for some time now that the non-Clifford part of a quantum computation is the “difficult” one (this phenomena appears, e.g. in the context of quantum simulations =-=[Got98]-=-, fault-tolerant quantum computation [BK05] and quantum secure function evaluation [DNS10, DNS12, BOCG+06]). This has motivated a series of theoretical work seeking to optimize quantum circuits in ter... |

92 | Non-interactive CryptoComputing for NC1
- Sander, Young, et al.
- 1999
(Show Context)
Citation Context ...s were made towards FHE, with schemes that were homomorphic over increasingly large circuit classes, such as circuits containing additions and a single multiplication [BGN05], or of logarithmic depth =-=[SYY99]-=-, until finally in 2009, Gentry established a breakthrough result by giving the first fully homomorphic encryption scheme [Gen09b]. Follow-up work showed that FHE could be simplified [DGHV10], and bas... |

78 |
Universal quantum computation with ideal Clifford gates and noisy ancillas, Phys
- Kitaev
- 2005
(Show Context)
Citation Context ...ome time now that the non-Clifford part of a quantum computation is the “difficult” one (this phenomena appears, e.g. in the context of quantum simulations [Got98], fault-tolerant quantum computation =-=[BK05]-=- and quantum secure function evaluation [DNS10, DNS12, BOCG+06]). This has motivated a series of theoretical work seeking to optimize quantum circuits in terms of their T-gate complexity [Sel13, KMM13... |

70 | Is quantum bit commitment really possible - Lo, Chau - 1997 |

66 | Lattice-based cryptography
- Micciancio, Regev
- 2009
(Show Context)
Citation Context ...e scheme from [BV11], we get security based on the learning with errors (LWE) assumption [Reg05, Reg09]; this has been equated with worstcase hardness of “short vector problems” on arbitrary lattices =-=[MR09]-=-, which is widely believed to be a quantum-safe (or “post-quantum”) assumption. For universal quantum computations, we must evaluate a non-Clifford gate, for which we choose the “T” gate (also known a... |

59 | Authentication of quantum messages - Barnum, Crépeau, et al. |

54 | Private quantum channels
- Ambainis, Mosca, et al.
- 2000
(Show Context)
Citation Context ..., including encoding and decoding into stabilizer codes. Our quantum public-key encryption scheme is a hybrid of a classical publickey fully homomorphic encryption scheme and the quantum one-time pad =-=[AMTW00]-=-. Intuitively, the scheme works by encrypting the quantum register with a quantum one-time pad, and then encrypting the one-time pad encryption keys with a classical public-key FHE scheme. Since Cliff... |

54 | Zero-knowledge against quantum attacks. - Watrous - 2009 |

42 | Reusable garbled circuits and succinct functional encryption. - Goldwasser, Kalai, et al. - 2013 |

37 | Quantum public-key cryptosystems - Okamoto, Tanaka, et al. |

34 | Methodology for quantum logic gate constructions. - Zhou, Leung, et al. - 2000 |

33 | Unified derivations of measurement-based schemes for quantum computation. Physical Review A 71, - Childs, Leung, et al. - 2005 |

29 | Universal blind quantum computation
- Broadbent, Fitzsimons, et al.
- 2009
(Show Context)
Citation Context ...rewinding” [Wat06, Unr12]). A number of works have studied the cryptographic implications of the secure delegation of quantum computation, including: Childs [Chi05]; Broadbent, Fitzsimons and Kashefi =-=[BFK09]-=-; Aharonov, Ben-Or and Eban [ABOE10]; Vedran, Fitzsimons, Portmann and Renner [VFPR14]; Broadbent, Gutoski and Stebila [BGS13]; Fisher et al. [FBS+14]; and Broadbent [Bro15]. None of these works, howe... |

24 | A meet-in-the-middle algorithm for fast synthesis of depth-optimal quantum circuits. arXiv:1206.0758v2 [quant-ph
- Amy, Maslov, et al.
- 2012
(Show Context)
Citation Context ...2, BOCG+06]). This has motivated a series of theoretical work seeking to optimize quantum circuits in terms of their T-gate complexity [Sel13, KMM13]. In particular, Amy, Maslov, Mosca, and Roetteler =-=[AMMR13]-=- recently proposed T-depth as a cost function, the idea being to count the number of T-layers in a quantum circuit and optimize over this parameter. Our contribution adds to this understanding, showin... |

24 | Computing Blindfolded: New Developments in Fully Homomorphic Encryption
- Vaikuntanathan
(Show Context)
Citation Context ...FHE has unleashed a series of far-reaching consequences, such as delegating computations in a cloud architecture, and functional encryption [GKP+13]. For a survey on fully homomorphic encryption, see =-=[Vai11]-=-. Quantum cryptography is the study of cryptography in light of quantum information. One branch of quantum cryptography revisits classical primitives in the light of quantum information, establishing ... |

20 | Secure multiparty quantum computation with (only) a strict honest majority. - Ben-Or, Crepeau, et al. - 2006 |

17 | Random oracles in a quantum world - Boneh, Dagdelen, et al. - 2011 |

16 | M.: Secure assisted quantum computation
- Childs
- 2005
(Show Context)
Citation Context ...que to the quantum world (such as “quantum rewinding” [Wat06, Unr12]). A number of works have studied the cryptographic implications of the secure delegation of quantum computation, including: Childs =-=[Chi05]-=-; Broadbent, Fitzsimons and Kashefi [BFK09]; Aharonov, Ben-Or and Eban [ABOE10]; Vedran, Fitzsimons, Portmann and Renner [VFPR14]; Broadbent, Gutoski and Stebila [BGS13]; Fisher et al. [FBS+14]; and B... |

16 | Homomorphic encryption: From private-key to public-key
- Rothblum
- 2011
(Show Context)
Citation Context ...ality and security for symmetric-key quantum homomorphic encryption. In the case of classical fully homomorphic encryption, symmetric-key encryption is known to be equivalent to public-key encryption =-=[Rot11]-=-. In the quantum case, this is not known. This section also contains the definition of a bounded QHE scheme, which we again require for technical reasons in our symmetric-key scheme, AUX. Definition 3... |

14 | i-hop homomorphic encryption and rerandomizable yao circuits
- Gentry, Halevi, et al.
- 2010
(Show Context)
Citation Context ...ctness in this context. Finally, for technical reasons, one of our schemes (AUX) must be used in the symmetric-key setting, which we define in Sec. 3.5. We do not address the issue of circuit privacy =-=[GHV10]-=-, leaving this question for future work. 3.1 Classical and Quantum Homomorphic Encryption Our schemes rely on a classical fully homomorphic encryption scheme; for completeness, we include a definition... |

12 | Interactive proofs for quantum computations
- Aharonov, Ben-Or, et al.
- 2010
(Show Context)
Citation Context ...r of works have studied the cryptographic implications of the secure delegation of quantum computation, including: Childs [Chi05]; Broadbent, Fitzsimons and Kashefi [BFK09]; Aharonov, Ben-Or and Eban =-=[ABOE10]-=-; Vedran, Fitzsimons, Portmann and Renner [VFPR14]; Broadbent, Gutoski and Stebila [BGS13]; Fisher et al. [FBS+14]; and Broadbent [Bro15]. None of these works, however directly address the question of... |

10 |
L.: Blind quantum computation
- Arrighi, Salvail
- 2006
(Show Context)
Citation Context ... being evaluated (and thus, they do not satisfy the compactness requirement of fully homomorphic encryption, even if we allow interaction). Non-interactive approaches are given by Arrighi and Salvail =-=[AS06]-=-, Rohde, Fitzsimons and Gilchrist [RFG12] and Tan, Kettlewell, Ouyang, Chen and Fitzsimons [TKO+14]. However, none of these approaches are applicable to universal circuit families. Furthermore, in the... |

10 | Asymptotically optimal approximation of single qubit unitaries by Clifford and T circuits using a constant number of ancillary qubits. - Kliuchnikov, Maslov, et al. - 2012 |

10 | Quantum proofs of knowledge, - Unruh - 2010 |

9 | How to construct quantum random functions - Zhandry - 2012 |

7 | Secure Signatures and Chosen Ciphertext Security in a Post-Quantum World. Cryptology ePrint Archive, - Boneh, Zhandry - 2013 |

7 | L.: Secure two-party quantum evaluation of unitaries against specious adversaries - Dupuis, Nielsen, et al. - 2010 |

7 | L.: Actively secure two-party evaluation of any quantum operation - Dupuis, Nielsen, et al. - 2012 |

5 | A Note on Quantum Security for Post-quantum Cryptography
- Song
- 2014
(Show Context)
Citation Context ...eme is IND-CPA can potentially be turned into a proof for q-IND-CPA if all statements still hold when “probabilistic polynomial-time adversary” is replaced by “quantum polynomial-time adversary” (see =-=[Son14]-=-). We now give our new definitions for quantum homomorphic encryption. In our definitions, both pk, the public encryption key, and sk, the secret decryption key, are classical, whereas the evaluation ... |

4 | Quantum one-time programs
- Broadbent, Gutoski, et al.
(Show Context)
Citation Context ...computation, including: Childs [Chi05]; Broadbent, Fitzsimons and Kashefi [BFK09]; Aharonov, Ben-Or and Eban [ABOE10]; Vedran, Fitzsimons, Portmann and Renner [VFPR14]; Broadbent, Gutoski and Stebila =-=[BGS13]-=-; Fisher et al. [FBS+14]; and Broadbent [Bro15]. None of these works, however directly address the question of quantum homomorphic encryption, since they are interactive schemes, and the work of the c... |

4 | Quantum circuits of T-depth one
- Selinger
- 2012
(Show Context)
Citation Context ...this is that the (reversible) quantum analogue of multiplication is the Toffoli gate: |x, y, z〉 7→ |x, y, x · y⊕ z〉. The Toffoli is a non-Clifford group gate that can be expressed in terms of T-gates =-=[Sel13]-=-. 7 Definition 3.1 (q-IND-CPA). A classical homomorphic encryption scheme HE is q-IND-CPA secure if for any quantum polynomial-time adversary A , there exists a negligible function η such that for (pk... |

3 |
Lecture notes on Theory of Quantum Information. Available at http://www.cs.uwaterloo.ca/ ˜ watrous/CS766
- Watrous
- 2011
(Show Context)
Citation Context ...ntext, we denote its encryption by ã. Throughout this work we use κ to indicate the security parameter. For a detailed and rigorous introduction to quantum information theory, we refer the reader to =-=[Wat13]-=-. In the remainder of this section, we give a brief overview of some of the necessary concepts, as well as our specific notation. A quantum register is a quantum system, which we view as a physical ob... |

2 | Quantum computing on encrypted data. Nature communications - Fisher, Broadbent, et al. |

2 | Indistinguishability and semantic security for quantum encryption scheme - Xiang, Yang - 2012 |

1 |
Delegating private quantum computations. arXiv:1506.01328[quant-ph
- Broadbent
- 2015
(Show Context)
Citation Context ...nt, Fitzsimons and Kashefi [BFK09]; Aharonov, Ben-Or and Eban [ABOE10]; Vedran, Fitzsimons, Portmann and Renner [VFPR14]; Broadbent, Gutoski and Stebila [BGS13]; Fisher et al. [FBS+14]; and Broadbent =-=[Bro15]-=-. None of these works, however directly address the question of quantum homomorphic encryption, since they are interactive schemes, and the work of the client is proportional to the size of the circui... |

1 | Security notions for quantum public-key cryptography - Koshiba - 2007 |

1 |
Quantum walks with encrypted data
- Rohde, Fitzsimons, et al.
- 2012
(Show Context)
Citation Context ...satisfy the compactness requirement of fully homomorphic encryption, even if we allow interaction). Non-interactive approaches are given by Arrighi and Salvail [AS06], Rohde, Fitzsimons and Gilchrist =-=[RFG12]-=- and Tan, Kettlewell, Ouyang, Chen and Fitzsimons [TKO+14]. However, none of these approaches are applicable to universal circuit families. Furthermore, in the case of [AS06], security is given only i... |

1 | A quantum approach to homomorphic encryption - Tan, Kettlewell, et al. - 2014 |

1 |
Composable security of delegated quantum computation
- Vedran, Fitzsimons, et al.
- 2014
(Show Context)
Citation Context ...ions of the secure delegation of quantum computation, including: Childs [Chi05]; Broadbent, Fitzsimons and Kashefi [BFK09]; Aharonov, Ben-Or and Eban [ABOE10]; Vedran, Fitzsimons, Portmann and Renner =-=[VFPR14]-=-; Broadbent, Gutoski and Stebila [BGS13]; Fisher et al. [FBS+14]; and Broadbent [Bro15]. None of these works, however directly address the question of quantum homomorphic encryption, since they are in... |

1 |
Limitations on information-theoreticallysecure quantum homomorphic encryption
- Yu, Perez-Delgado, et al.
(Show Context)
Citation Context ...ase of [AS06], security is given only in terms of cheat sensitivity, while both [RFG12] and [TKO+14] only bound the leakage of their encoding schemes. Recent work by Yu, Pérez-Delgado and Fitzsimons =-=[YPDF14]-=- examines the question of perfect security and correctness for quantum fully homomorphic encryption (QFHE), concluding that the trivial scheme is optimal in this context. In light of this result, it i... |