Post on 19-Sep-2020
transcript
QUANTUM HOMOMORPHIC ENCRYPTION
Christian Schaffner
(joint work with Yfke Dulek and Florian Speelman)http://arxiv.org/abs/1603.09717
Centrum Wiskunde&Informa3ca
Ins3tuteforLogic,LanguageandComputa3on(ILLC)UniversityofAmsterdam
ResearchCenterforQuantumSoCware
TrustworthyQuantumInforma1on2016,Shanghai,China,Wednesday29June2016
EXAMPLE: IMAGE TAGGING
EXAMPLE: IMAGE TAGGING
EXAMPLE: IMAGE TAGGING
EXAMPLE: IMAGE TAGGING
SKYLINE JED
EXAMPLE: IMAGE TAGGING
EXAMPLE: IMAGE TAGGING
EXAMPLE: IMAGE TAGGING
EXAMPLE: IMAGE TAGGING
EXAMPLE: IMAGE TAGGING
SKYLINE JED
EXAMPLE: IMAGE TAGGING
SKYLINE JED
EXAMPLE: IMAGE TAGGING
SKYLINE JED
1. HOMOMORPHIC ENCRYPTION
2. PREVIOUS RESULTS
3. NEW RESULT
HOMOMORPHIC ENCRYPTION
HOMOMORPHIC ENCRYPTION
KEY GENERATION
HOMOMORPHIC ENCRYPTION
public keyKEY GENERATION
HOMOMORPHIC ENCRYPTION
public keysecret key
KEY GENERATION
HOMOMORPHIC ENCRYPTION
public keysecret keyevaluation key
KEY GENERATION
HOMOMORPHIC ENCRYPTION
public keysecret keyevaluation key
KEY GENERATION
ENCRYPTION
HOMOMORPHIC ENCRYPTION
public keysecret keyevaluation key
KEY GENERATION
ENCRYPTION + ↦
HOMOMORPHIC ENCRYPTION
public keysecret keyevaluation key
KEY GENERATION
ENCRYPTION +(secure)
↦
HOMOMORPHIC ENCRYPTION
public keysecret keyevaluation key
KEY GENERATION
ENCRYPTION +(secure)
↦
HOMOMORPHIC ENCRYPTION
public keysecret keyevaluation key
KEY GENERATION
ENCRYPTION +(secure)
↦
HOMOMORPHIC ENCRYPTION
public keysecret keyevaluation key
KEY GENERATION
ENCRYPTION
EVALUATION
+(secure)
↦
HOMOMORPHIC ENCRYPTION
JED ↦
public keysecret keyevaluation key
KEY GENERATION
ENCRYPTION
EVALUATION
+
+
(secure)↦
HOMOMORPHIC ENCRYPTION
JED ↦
public keysecret keyevaluation key
KEY GENERATION
ENCRYPTION
EVALUATION
DECRYPTION
+
+
(secure)↦
HOMOMORPHIC ENCRYPTION
JED ↦
JED JED↦
public keysecret keyevaluation key
KEY GENERATION
ENCRYPTION
EVALUATION
DECRYPTION
+
+
+
(secure)↦
HOMOMORPHIC ENCRYPTION
↦
↦
public keysecret keyevaluation key
KEY GENERATION
ENCRYPTION
EVALUATION
DECRYPTION
+
+
+
(secure)↦x x
x f(x)
f(x) f(x)
HOMOMORPHIC ENCRYPTION
↦
↦
public keysecret keyevaluation key
KEY GENERATION
ENCRYPTION
EVALUATION
DECRYPTION
+
+
+
(secure)↦|ψ⟩ |ψ⟩
|ψ⟩ U|ψ⟩
U|ψ⟩ U|ψ⟩
HOMOMORPHIC ENCRYPTION
↦
↦
public keysecret keyevaluation key
KEY GENERATION
ENCRYPTION
EVALUATION
DECRYPTION
+
+
+
(secure)↦|ψ⟩ |ψ⟩
|ψ⟩ U|ψ⟩
U|ψ⟩ U|ψ⟩
(quantum)
1. HOMOMORPHIC ENCRYPTION
2. PREVIOUS RESULTS
3. NEW RESULT
PREVIOUS RESULTS: OVERVIEW
C.Gentry:Fullyhomomorphicencryp3onusingideallaJces.STOC’09A.Broadbent,S.Jeffery.QuantumHomomorphicEncryp3onforCircuitsofLowT-gateComplexity.CRYPTO2015Y.Ouyang,S-H.Tan,J.Fitzsimons.Quantumhomomorphicencryp3onfromquantumcodes.arxiv:1508.00938
PREVIOUS RESULTS: OVERVIEW
Classical homomorphic encryption: solved! [Gentry 2009]
C.Gentry:Fullyhomomorphicencryp3onusingideallaJces.STOC’09A.Broadbent,S.Jeffery.QuantumHomomorphicEncryp3onforCircuitsofLowT-gateComplexity.CRYPTO2015Y.Ouyang,S-H.Tan,J.Fitzsimons.Quantumhomomorphicencryp3onfromquantumcodes.arxiv:1508.00938
PREVIOUS RESULTS: OVERVIEW
Classical homomorphic encryption: solved! [Gentry 2009]
Quantum homomorphic encryption: only partial results
Clifford scheme allowing evaluation of {P, H, CNOT}
schemes for {P, H, CNOT} + limited # of T gates
C.Gentry:Fullyhomomorphicencryp3onusingideallaJces.STOC’09A.Broadbent,S.Jeffery.QuantumHomomorphicEncryp3onforCircuitsofLowT-gateComplexity.CRYPTO2015Y.Ouyang,S-H.Tan,J.Fitzsimons.Quantumhomomorphicencryp3onfromquantumcodes.arxiv:1508.00938
PREVIOUS RESULTS: OVERVIEW
Classical homomorphic encryption: solved! [Gentry 2009]
Quantum homomorphic encryption: only partial results
Clifford scheme allowing evaluation of {P, H, CNOT}
schemes for {P, H, CNOT} + limited # of T gates
C.Gentry:Fullyhomomorphicencryp3onusingideallaJces.STOC’09A.Broadbent,S.Jeffery.QuantumHomomorphicEncryp3onforCircuitsofLowT-gateComplexity.CRYPTO2015Y.Ouyang,S-H.Tan,J.Fitzsimons.Quantumhomomorphicencryp3onfromquantumcodes.arxiv:1508.00938
SCHEME FOR {P, H, CNOT}
[AMTW00]A.Ambainis,M.Mosca,A.Tapp,andR.DeWolf.Privatequantumchannels.FOCS’00[Gentry09]C.Gentry:Fullyhomomorphicencryp3onusingideallaJces.STOC’09
SCHEME FOR {P, H, CNOT}
Ingredient 1: quantum encryption (one-time pad)
[AMTW00]A.Ambainis,M.Mosca,A.Tapp,andR.DeWolf.Privatequantumchannels.FOCS’00[Gentry09]C.Gentry:Fullyhomomorphicencryp3onusingideallaJces.STOC’09
SCHEME FOR {P, H, CNOT}
Ingredient 1: quantum encryption (one-time pad)
encryption:
[AMTW00]A.Ambainis,M.Mosca,A.Tapp,andR.DeWolf.Privatequantumchannels.FOCS’00[Gentry09]C.Gentry:Fullyhomomorphicencryp3onusingideallaJces.STOC’09
SCHEME FOR {P, H, CNOT}
Ingredient 1: quantum encryption (one-time pad)
a,bencryption: pick a,b ∈R {0,1}
[AMTW00]A.Ambainis,M.Mosca,A.Tapp,andR.DeWolf.Privatequantumchannels.FOCS’00[Gentry09]C.Gentry:Fullyhomomorphicencryp3onusingideallaJces.STOC’09
SCHEME FOR {P, H, CNOT}
Ingredient 1: quantum encryption (one-time pad)
|ψ⟩ a,b
a,bencryption: pick a,b ∈R {0,1}
|ψ⟩ ↦ XaZb|ψ⟩ =
[AMTW00]A.Ambainis,M.Mosca,A.Tapp,andR.DeWolf.Privatequantumchannels.FOCS’00[Gentry09]C.Gentry:Fullyhomomorphicencryp3onusingideallaJces.STOC’09
SCHEME FOR {P, H, CNOT}
Ingredient 1: quantum encryption (one-time pad)
|ψ⟩ a,b
a,bencryption: pick a,b ∈R {0,1}
|ψ⟩ ↦ XaZb|ψ⟩
decryption:
=
[AMTW00]A.Ambainis,M.Mosca,A.Tapp,andR.DeWolf.Privatequantumchannels.FOCS’00[Gentry09]C.Gentry:Fullyhomomorphicencryp3onusingideallaJces.STOC’09
SCHEME FOR {P, H, CNOT}
Ingredient 1: quantum encryption (one-time pad)
|ψ⟩ a,b
a,bencryption: pick a,b ∈R {0,1}
|ψ⟩ ↦ XaZb|ψ⟩
decryption: XaZb|ψ⟩ ↦ |ψ⟩
=
[AMTW00]A.Ambainis,M.Mosca,A.Tapp,andR.DeWolf.Privatequantumchannels.FOCS’00[Gentry09]C.Gentry:Fullyhomomorphicencryp3onusingideallaJces.STOC’09
SCHEME FOR {P, H, CNOT}
Ingredient 2: classical homomorphic encryption
Ingredient 1: quantum encryption (one-time pad)
|ψ⟩ a,b
a,bencryption: pick a,b ∈R {0,1}
|ψ⟩ ↦ XaZb|ψ⟩
decryption: XaZb|ψ⟩ ↦ |ψ⟩
=
[AMTW00]A.Ambainis,M.Mosca,A.Tapp,andR.DeWolf.Privatequantumchannels.FOCS’00[Gentry09]C.Gentry:Fullyhomomorphicencryp3onusingideallaJces.STOC’09
SCHEME FOR {P, H, CNOT}
Folklore,lastformalizedby[BJ15]A.Broadbent,S.Jeffery.QuantumHomomorphicEncryp3onforCircuitsofLowT-gateComplexity.CRYPTO2015
SCHEME FOR {P, H, CNOT}
|ψ⟩
Folklore,lastformalizedby[BJ15]A.Broadbent,S.Jeffery.QuantumHomomorphicEncryp3onforCircuitsofLowT-gateComplexity.CRYPTO2015
a,b
SCHEME FOR {P, H, CNOT}
|ψ⟩
a,b
Folklore,lastformalizedby[BJ15]A.Broadbent,S.Jeffery.QuantumHomomorphicEncryp3onforCircuitsofLowT-gateComplexity.CRYPTO2015
a,b
SCHEME FOR {P, H, CNOT}
|ψ⟩
a,b
Folklore,lastformalizedby[BJ15]A.Broadbent,S.Jeffery.QuantumHomomorphicEncryp3onforCircuitsofLowT-gateComplexity.CRYPTO2015
a,b
SCHEME FOR {P, H, CNOT}
|ψ⟩
b,a
H|ψ⟩a,b H
Folklore,lastformalizedby[BJ15]A.Broadbent,S.Jeffery.QuantumHomomorphicEncryp3onforCircuitsofLowT-gateComplexity.CRYPTO2015
a,b
SCHEME FOR {P, H, CNOT}
|ψ⟩
b,aH|ψ⟩
a,b H
Folklore,lastformalizedby[BJ15]A.Broadbent,S.Jeffery.QuantumHomomorphicEncryp3onforCircuitsofLowT-gateComplexity.CRYPTO2015
a,b
SCHEME FOR {P, H, CNOT}
|ψ⟩
b,aH|ψ⟩
a,b H
H ( ) a,b|ψ⟩
=HXaZb|ψ⟩
=XbZaH|ψ⟩
=
b,aH|ψ⟩
Folklore,lastformalizedby[BJ15]A.Broadbent,S.Jeffery.QuantumHomomorphicEncryp3onforCircuitsofLowT-gateComplexity.CRYPTO2015
a,b
SCHEME FOR {P, H, CNOT}
|ψ⟩
b,aH|ψ⟩
a,b H
Folklore,lastformalizedby[BJ15]A.Broadbent,S.Jeffery.QuantumHomomorphicEncryp3onforCircuitsofLowT-gateComplexity.CRYPTO2015
a,b
SCHEME FOR {P, H, CNOT}
|ψ⟩
b,aH|ψ⟩
a,b
H
Folklore,lastformalizedby[BJ15]A.Broadbent,S.Jeffery.QuantumHomomorphicEncryp3onforCircuitsofLowT-gateComplexity.CRYPTO2015
a,b
SCHEME FOR {P, H, CNOT}
|ψ⟩
b,aH|ψ⟩
a,b
H
Folklore,lastformalizedby[BJ15]A.Broadbent,S.Jeffery.QuantumHomomorphicEncryp3onforCircuitsofLowT-gateComplexity.CRYPTO2015
a,b
SCHEME FOR {P, H, CNOT}
|ψ⟩
b,aH|ψ⟩
a,b
b,a
UPDATEFUNCTION(x,y) ↦ (y,x) H
Folklore,lastformalizedby[BJ15]A.Broadbent,S.Jeffery.QuantumHomomorphicEncryp3onforCircuitsofLowT-gateComplexity.CRYPTO2015
a,b
SCHEME FOR {P, H, CNOT}
|ψ⟩
b,aH|ψ⟩
a,b
b,a
UPDATEFUNCTION(x,y) ↦ (y,x) H
Folklore,lastformalizedby[BJ15]A.Broadbent,S.Jeffery.QuantumHomomorphicEncryp3onforCircuitsofLowT-gateComplexity.CRYPTO2015
a,b
SCHEME FOR {P, H, CNOT}
|ψ⟩
b,aH|ψ⟩
a,b
b,a
UPDATEFUNCTION(x,y) ↦ (y,x) H
Folklore,lastformalizedby[BJ15]A.Broadbent,S.Jeffery.QuantumHomomorphicEncryp3onforCircuitsofLowT-gateComplexity.CRYPTO2015
a,b
SCHEME FOR {P, H, CNOT}
|ψ⟩
b,aH|ψ⟩
a,b
b,a
UPDATEFUNCTION(x,y) ↦ (y,x) H
Folklore,lastformalizedby[BJ15]A.Broadbent,S.Jeffery.QuantumHomomorphicEncryp3onforCircuitsofLowT-gateComplexity.CRYPTO2015
a,b
SCHEME FOR {P, H, CNOT}
|ψ⟩
H|ψ⟩
a,b
b,a
UPDATEFUNCTION(x,y) ↦ (y,x) H
Folklore,lastformalizedby[BJ15]A.Broadbent,S.Jeffery.QuantumHomomorphicEncryp3onforCircuitsofLowT-gateComplexity.CRYPTO2015
THE CHALLENGE: T GATE
THE CHALLENGE: T GATE
H
THE CHALLENGE: T GATE
a,b|ψ⟩
H
THE CHALLENGE: T GATE
a,b|ψ⟩
b,aH|ψ⟩
H
THE CHALLENGE: T GATE
a,b|ψ⟩
b,aH|ψ⟩
H T
THE CHALLENGE: T GATE
a,b|ψ⟩
b,aH|ψ⟩
0,b|ψ⟩
H T
THE CHALLENGE: T GATE
a,b|ψ⟩
b,aH|ψ⟩
0,b|ψ⟩
H
T|ψ⟩ 0,b
T
THE CHALLENGE: T GATE
a,b|ψ⟩
b,aH|ψ⟩
0,b|ψ⟩
H
T|ψ⟩ 0,b
1,b|ψ⟩
T T
THE CHALLENGE: T GATE
a,b|ψ⟩
b,aH|ψ⟩
0,b|ψ⟩
H
T|ψ⟩ 0,b P ( ) T|ψ⟩ 1,b
1,b|ψ⟩
T T
THE CHALLENGE: T GATE
a,b|ψ⟩
b,aH|ψ⟩
0,b|ψ⟩
H
T|ψ⟩ 0,b P ( ) T|ψ⟩ 1,b
1,b|ψ⟩
T Terror!
THE CHALLENGE: T GATE
a,b|ψ⟩
b,aH|ψ⟩
0,b|ψ⟩
H
T|ψ⟩ 0,b P ( ) T|ψ⟩ 1,b
1,b|ψ⟩
T T
how to apply correction P-1 iff a = 1?
error!
PREVIOUS RESULTS: OVERVIEW
(comparisonbasedonStaceyJeffery’sslides)[BJ15]A.Broadbent,S.Jeffery.QuantumHomomorphicEncryp3onforCircuitsofLowT-gateComplexity.CRYPTO2015[OTF15]Y.Ouyang,S-H.Tan,J.Fitzsimons.Quantumhomomorphicencryp3onfromquantumcodes.arxiv:1508.00938
PREVIOUS RESULTS: OVERVIEWhomomorphic for compactness security
Not encrypting Quantum circuits yes no
append evaluation description Quantum circuits
Complexity of Dec prop to (# gates) yes
Quantum OTP no yes inf theoretic
Clifford Scheme Clifford circuits yes computational
(comparisonbasedonStaceyJeffery’sslides)[BJ15]A.Broadbent,S.Jeffery.QuantumHomomorphicEncryp3onforCircuitsofLowT-gateComplexity.CRYPTO2015[OTF15]Y.Ouyang,S-H.Tan,J.Fitzsimons.Quantumhomomorphicencryp3onfromquantumcodes.arxiv:1508.00938
PREVIOUS RESULTS: OVERVIEWhomomorphic for compactness security
Not encrypting Quantum circuits yes no
append evaluation description Quantum circuits
Complexity of Dec prop to (# gates) yes
Quantum OTP no yes inf theoretic
Clifford Scheme Clifford circuits yes computational
[BJ15]: AUX QCircuits with constant T-depth
yes computational
[BJ15]: EPR Quantum circuits Comp of Dec is prop to (#T-gates)^2
computational
[OTF15] QCircuits with constant #T-gates
yes inf theoretic
(comparisonbasedonStaceyJeffery’sslides)[BJ15]A.Broadbent,S.Jeffery.QuantumHomomorphicEncryp3onforCircuitsofLowT-gateComplexity.CRYPTO2015[OTF15]Y.Ouyang,S-H.Tan,J.Fitzsimons.Quantumhomomorphicencryp3onfromquantumcodes.arxiv:1508.00938
PREVIOUS RESULTS: OVERVIEWhomomorphic for compactness security
Not encrypting Quantum circuits yes no
append evaluation description Quantum circuits
Complexity of Dec prop to (# gates) yes
Quantum OTP no yes inf theoretic
Clifford Scheme Clifford circuits yes computational
[BJ15]: AUX QCircuits with constant T-depth
yes computational
[BJ15]: EPR Quantum circuits Comp of Dec is prop to (#T-gates)^2
computational
[OTF15] QCircuits with constant #T-gates
yes inf theoretic
Our resultQCircuits of
polynomial size (levelled FHE)
yes computational
(comparisonbasedonStaceyJeffery’sslides)[BJ15]A.Broadbent,S.Jeffery.QuantumHomomorphicEncryp3onforCircuitsofLowT-gateComplexity.CRYPTO2015[OTF15]Y.Ouyang,S-H.Tan,J.Fitzsimons.Quantumhomomorphicencryp3onfromquantumcodes.arxiv:1508.00938
1. HOMOMORPHIC ENCRYPTION
2. PREVIOUS RESULTS
3. NEW RESULT
ERROR-CORRECTION “GADGET”
A quantum state that:
can be efficiently constructed and used
ERROR-CORRECTION “GADGET”
GADGET
A quantum state that:
can be efficiently constructed and used
applies correction iff error was present (iff a = 1)
ERROR-CORRECTION “GADGET”
GADGET
A quantum state that:
can be efficiently constructed and used
applies correction iff error was present (iff a = 1)
ERROR-CORRECTION “GADGET”
P ( ) T|ψ⟩ 1,b
GADGET
A quantum state that:
can be efficiently constructed and used
applies correction iff error was present (iff a = 1)
ERROR-CORRECTION “GADGET”
T|ψ⟩ 1,b
GADGET
A quantum state that:
can be efficiently constructed and used
applies correction iff error was present (iff a = 1)
ERROR-CORRECTION “GADGET”
T|ψ⟩ 0,b
GADGET
A quantum state that:
can be efficiently constructed and used
applies correction iff error was present (iff a = 1)
ERROR-CORRECTION “GADGET”
T|ψ⟩ 0,b
GADGET
A quantum state that:
can be efficiently constructed and used
applies correction iff error was present (iff a = 1)
is destroyed after a single use
ERROR-CORRECTION “GADGET”
GADGET
A quantum state that:
can be efficiently constructed and used
applies correction iff error was present (iff a = 1)
is destroyed after a single use
ERROR-CORRECTION “GADGET”
EXCURSIONTheoretical Computer Science
PERMUTATION BRANCHING PROGRAM
PERMUTATION BRANCHING PROGRAM
computes some Boolean function f(x,y)
PERMUTATION BRANCHING PROGRAM
computes some Boolean function f(x,y)list of instructions:
PERMUTATION BRANCHING PROGRAM
computes some Boolean function f(x,y)list of instructions:
xi 1: σ
yj0: π’
xk0: π’’
…
0: π
1: σ’
1: σ’’
PERMUTATION BRANCHING PROGRAM
computes some Boolean function f(x,y)list of instructions:
xi 1: σ
yj0: π’
xk0: π’’
…
0: π
1: σ’
1: σ’’
PERMUTATION BRANCHING PROGRAM
computes some Boolean function f(x,y)list of instructions:
xi 1: σ
yj0: π’
xk0: π’’
…
0: π
1: σ’
1: σ’’
permutations of {1,2, …, k}
∈ Sk∈ Sk
∈ Sk∈ Sk
∈ Sk∈ Sk
PERMUTATION BRANCHING PROGRAM
computes some Boolean function f(x,y)list of instructions:
xi 1: σ
yj0: π’
xk0: π’’
…
output: … ° σ’’ ° σ’ ° π0: π
1: σ’
1: σ’’
permutations of {1,2, …, k}
∈ Sk∈ Sk
∈ Sk∈ Sk
∈ Sk∈ Sk
PERMUTATION BRANCHING PROGRAM
computes some Boolean function f(x,y)list of instructions:
xi 1: σ
yj0: π’
xk0: π’’
…
output: … ° σ’’ ° σ’ ° πid
0: π
1: σ’
1: σ’’
permutations of {1,2, …, k}
∈ Sk∈ Sk
∈ Sk∈ Sk
∈ Sk∈ Sk
PERMUTATION BRANCHING PROGRAM
computes some Boolean function f(x,y)list of instructions:
xi 1: σ
yj0: π’
xk0: π’’
…
output: … ° σ’’ ° σ’ ° πid(fixed) cycle
0: π
1: σ’
1: σ’’
permutations of {1,2, …, k}
∈ Sk∈ Sk
∈ Sk∈ Sk
∈ Sk∈ Sk
PERMUTATION BRANCHING PROGRAM
computes some Boolean function f(x,y)list of instructions:
xi 1: σ
yj0: π’
xk0: π’’
…
output: … ° σ’’ ° σ’ ° πid(fixed) cycle
0: π
1: σ’
1: σ’’
⇒ f(x,y) = 0
permutations of {1,2, …, k}
∈ Sk∈ Sk
∈ Sk∈ Sk
∈ Sk∈ Sk
PERMUTATION BRANCHING PROGRAM
computes some Boolean function f(x,y)list of instructions:
xi 1: σ
yj0: π’
xk0: π’’
…
output: … ° σ’’ ° σ’ ° πid(fixed) cycle
0: π
1: σ’
1: σ’’
⇒ f(x,y) = 0⇒ f(x,y) = 1
permutations of {1,2, …, k}
∈ Sk∈ Sk
∈ Sk∈ Sk
∈ Sk∈ Sk
PERMUTATION BRANCHING PROGRAM
computes some Boolean function f(x,y)list of instructions:
xi 1: σ
yj0: π’
xk0: π’’
…
output: … ° σ’’ ° σ’ ° πid(fixed) cycle
0: π
1: σ’
1: σ’’
⇒ f(x,y) = 0⇒ f(x,y) = 1
length: # of instructions
permutations of {1,2, …, k}
∈ Sk∈ Sk
∈ Sk∈ Sk
∈ Sk∈ Sk
PERMUTATION BRANCHING PROGRAM
computes some Boolean function f(x,y)list of instructions:
xi 1: σ
yj0: π’
xk0: π’’
…
output: … ° σ’’ ° σ’ ° πid(fixed) cycle
0: π
1: σ’
1: σ’’
⇒ f(x,y) = 0⇒ f(x,y) = 1
length: # of instructionswidth: k
permutations of {1,2, …, k}
∈ Sk∈ Sk
∈ Sk∈ Sk
∈ Sk∈ Sk
EXAMPLE PBP (OR)
length 4, width 5:
EXAMPLE PBP (OR)
x1
y1
x1
y1
1: id0: (12453)
0: (54321)
0: (12345)
1: id
1: id0: (15243)1: (14235)
length 4, width 5:
EXAMPLE PBP (OR)
x1
y1
x1
y1
OR(0,0)
output: id0
1: id0: (12453)
0: (54321)
0: (12345)
1: id
1: id0: (15243)1: (14235)
length 4, width 5:
EXAMPLE PBP (OR)
x1
y1
x1
y1
OR(0,0) OR(0,1)
output: id0
(14235)1
1: id0: (12453)
0: (54321)
0: (12345)
1: id
1: id0: (15243)1: (14235)
length 4, width 5:
EXAMPLE PBP (OR)
x1
y1
x1
y1
OR(0,0) OR(0,1) OR(1,0) OR(1,1)
output: id0
(14235)1
(14235)1
1: id0: (12453)
0: (54321)
0: (12345)
1: id
1: id0: (15243)1: (14235)
length 4, width 5:
EXAMPLE PBP (OR)
x1
y1
x1
y1
OR(0,0) OR(0,1) OR(1,0) OR(1,1)
output: id0
(14235)1
(14235)1
(14235)1
1: id0: (12453)
0: (54321)
0: (12345)
1: id
1: id0: (15243)1: (14235)
length 4, width 5:
BARRINGTON’S THEOREMTheorem (variation): if f : {0,1}n x {0,1}m → {0,1} is in NC1, then there exists a permutation branching program for f with:
[Barrington89]Bounded-WidthPolynomial-SizeBranchingProgramsRecognizeExactlyThoseLanguagesinNC1,J.Comput.Syst.Sci.38(1):150–164,1989[BV11]Z.Brakerski,V.Vaikuntanathan.Efficientfullyhomomorphicencryp3onfrom(standard)LWE.FOCS2011
BARRINGTON’S THEOREMTheorem (variation): if f : {0,1}n x {0,1}m → {0,1} is in NC1, then there exists a permutation branching program for f with:
width 5
[Barrington89]Bounded-WidthPolynomial-SizeBranchingProgramsRecognizeExactlyThoseLanguagesinNC1,J.Comput.Syst.Sci.38(1):150–164,1989[BV11]Z.Brakerski,V.Vaikuntanathan.Efficientfullyhomomorphicencryp3onfrom(standard)LWE.FOCS2011
BARRINGTON’S THEOREMTheorem (variation): if f : {0,1}n x {0,1}m → {0,1} is in NC1, then there exists a permutation branching program for f with:
width 5length polynomial in (n+m)
[Barrington89]Bounded-WidthPolynomial-SizeBranchingProgramsRecognizeExactlyThoseLanguagesinNC1,J.Comput.Syst.Sci.38(1):150–164,1989[BV11]Z.Brakerski,V.Vaikuntanathan.Efficientfullyhomomorphicencryp3onfrom(standard)LWE.FOCS2011
BARRINGTON’S THEOREMTheorem (variation): if f : {0,1}n x {0,1}m → {0,1} is in NC1, then there exists a permutation branching program for f with:
width 5length polynomial in (n+m)
[Barrington89]Bounded-WidthPolynomial-SizeBranchingProgramsRecognizeExactlyThoseLanguagesinNC1,J.Comput.Syst.Sci.38(1):150–164,1989[BV11]Z.Brakerski,V.Vaikuntanathan.Efficientfullyhomomorphicencryp3onfrom(standard)LWE.FOCS2011
P
NC1
L
NP
no proof that NP≠NC1
BARRINGTON’S THEOREMTheorem (variation): if f : {0,1}n x {0,1}m → {0,1} is in NC1, then there exists a permutation branching program for f with:
width 5length polynomial in (n+m)
Classical homomorphic decryption functionshappen to be in NC1… [BV11]
[Barrington89]Bounded-WidthPolynomial-SizeBranchingProgramsRecognizeExactlyThoseLanguagesinNC1,J.Comput.Syst.Sci.38(1):150–164,1989[BV11]Z.Brakerski,V.Vaikuntanathan.Efficientfullyhomomorphicencryp3onfrom(standard)LWE.FOCS2011
P
NC1
L
NP
no proof that NP≠NC1
ERROR CORRECTION GADGET
ERROR CORRECTION GADGET
GADGET
ERROR CORRECTION GADGET
GADGET
ERROR CORRECTION GADGET
GADGET
PBP fordecrypt( , )a {
ERROR CORRECTION GADGET
GADGET
P-1 P-1 P-1 P-1
PBP fordecrypt( , )a {P-1 iff permutation ≠ id {
ERROR CORRECTION GADGET
GADGET
P-1 P-1 P-1 P-1
PBP fordecrypt( , )a {P-1 iff permutation ≠ id {
reverse PBP fordecrypt( , )a {
ERROR CORRECTION GADGET
GADGET
P-1 P-1 P-1 P-1
PBP fordecrypt( , )a {P-1 iff permutation ≠ id {
reverse PBP fordecrypt( , )a {
ERROR CORRECTION GADGET
ERROR CORRECTION GADGET
ERROR CORRECTION GADGET
1: σ0: π
i
1: σ’’0: π’’
k
1: σ’0: π’
a j
1: σ’’’0: π’’’
a l
……
ERROR CORRECTION GADGET
1: σ0: π
i
1: σ’’0: π’’
k
1: σ’0: π’
a j
1: σ’’’0: π’’’
a l
……
ERROR CORRECTION GADGET
1: σ0: π
i
1: σ’’0: π’’
k
1: σ’0: π’
a j
1: σ’’’0: π’’’
a l
………
ERROR CORRECTION GADGET
1: σ0: π
i
1: σ’’0: π’’
k
1: σ’0: π’
a j
1: σ’’’0: π’’’
a l
………
ERROR CORRECTION GADGET
1: σ0: π
i
1: σ’’0: π’’
k
1: σ’0: π’
a j
1: σ’’’0: π’’’
a l
EPR pairs
EPR pairs
………
ERROR CORRECTION GADGET
1: σ0: π
i
1: σ’’0: π’’
k
1: σ’0: π’
a j
1: σ’’’0: π’’’
a l
EPR pairs
EPR pairs
Bellmeasurements
Bellmeasurements
………
ERROR CORRECTION GADGET
GADGET
P-1 P-1 P-1 P-1
PBP fordecrypt( , )a {P-1 iff permutation ≠ id {
reverse PBP fordecrypt( , )a {
ERROR CORRECTION GADGET
GADGET
P-1 P-1 P-1 P-1
PBP fordecrypt( , )a {P-1 iff permutation ≠ id {
reverse PBP fordecrypt( , )a {
NEW SCHEME: OVERVIEW
NEW SCHEME: OVERVIEW
KEY GENERATION
NEW SCHEME: OVERVIEW
KEY GENERATIONclassical keys
NEW SCHEME: OVERVIEW
KEY GENERATIONclassical keys gadgets
NEW SCHEME: OVERVIEW
KEY GENERATIONclassical keys gadgets
ENCRYPTION|ψ⟩
NEW SCHEME: OVERVIEW
KEY GENERATIONclassical keys gadgets
ENCRYPTIONapply quantum one-time pad a,b|ψ⟩ a,b
NEW SCHEME: OVERVIEW
KEY GENERATIONclassical keys gadgets
ENCRYPTIONapply quantum one-time pad classically encrypt pad keys a,b|ψ⟩ a,b
NEW SCHEME: OVERVIEW
KEY GENERATIONclassical keys gadgets
ENCRYPTIONapply quantum one-time pad classically encrypt pad keys a,b|ψ⟩ a,b
EVALUATION
NEW SCHEME: OVERVIEW
KEY GENERATIONclassical keys gadgets
ENCRYPTIONapply quantum one-time pad classically encrypt pad keys a,b|ψ⟩ a,b
EVALUATIONafter / / : classically update keysH P CNOT
NEW SCHEME: OVERVIEW
KEY GENERATIONclassical keys gadgets
ENCRYPTIONapply quantum one-time pad classically encrypt pad keys a,b|ψ⟩ a,b
EVALUATIONafter / / : classically update keysafter : use
H P CNOT
T
NEW SCHEME: OVERVIEW
KEY GENERATIONclassical keys gadgets
ENCRYPTIONapply quantum one-time pad classically encrypt pad keys a,b|ψ⟩ a,b
EVALUATIONafter / / : classically update keysafter : use
DECRYPTION c,dU|ψ⟩ c,d
H P CNOT
T
NEW SCHEME: OVERVIEW
KEY GENERATIONclassical keys gadgets
ENCRYPTIONapply quantum one-time pad classically encrypt pad keys a,b|ψ⟩ a,b
EVALUATIONafter / / : classically update keysafter : use
DECRYPTIONclassically decrypt pad keys c,dU|ψ⟩ c,d
H P CNOT
T
NEW SCHEME: OVERVIEW
KEY GENERATIONclassical keys gadgets
ENCRYPTIONapply quantum one-time pad classically encrypt pad keys a,b|ψ⟩ a,b
EVALUATIONafter / / : classically update keysafter : use
DECRYPTIONclassically decrypt pad keys remove quantum one-time pad U|ψ⟩
c,d
H P CNOT
T
FUTURE WORK
FUTURE WORK
non-leveled QFHE?
FUTURE WORK
non-leveled QFHE?
verifiable delegated quantum computation
FUTURE WORK
non-leveled QFHE?
verifiable delegated quantum computation
quantum obfuscation?
FUTURE WORK
non-leveled QFHE?
verifiable delegated quantum computation
quantum obfuscation?
…
THANK YOU!
is hiring two principle investigators: http://tinyurl.com/qusoft-job
Application deadline: 1 September 2016