Homomorphic encryption of quantum data

Slides:



Advertisements
Similar presentations
Mix and Match: A Simple Approach to General Secure Multiparty Computation + Markus Jakobsson Bell Laboratories Ari Juels RSA Laboratories.
Advertisements

Improved Simulation of Stabilizer Circuits Scott Aaronson (UC Berkeley) Joint work with Daniel Gottesman (Perimeter)
Quantum Lower Bounds The Polynomial and Adversary Methods Scott Aaronson September 14, 2001 Prelim Exam Talk.
Quantum Software Copy-Protection Scott Aaronson (MIT) |
University of Queensland
Quantum Computing MAS 725 Hartmut Klauck NTU
Christian Schaffner CWI Amsterdam, Netherlands Position-Based Quantum Cryptography: Impossibility and Constructions Seminar Eindhoven, Netherlands Wednesday,
Position-Based Quantum Cryptography Christian Schaffner ILLC, University of Amsterdam Centrum Wiskunde & Informatica Logic Tea, ILLC Tuesday, 14/02/2012.
Short course on quantum computing Andris Ambainis University of Latvia.
Quantum Computing MAS 725 Hartmut Klauck NTU
Quantum Cryptography Qingqing Yuan. Outline No-Cloning Theorem BB84 Cryptography Protocol Quantum Digital Signature.
Interactive Proofs For Quantum Computations Dorit Aharonov, Michael Ben-Or, Elad Eban School of Computer Science and Engineering The Hebrew University.
CSEP 590tv: Quantum Computing
ON THE PROVABLE SECURITY OF HOMOMORPHIC ENCRYPTION Andrej Bogdanov Chinese University of Hong Kong Bertinoro Summer School | July 2014 based on joint work.
EECS 598 Fall ’01 Quantum Cryptography Presentation By George Mathew.
Homomorphic Encryption: WHAT, WHY, and HOW
Efficient and Robust Private Set Intersection and multiparty multivariate polynomials Dana Dachman-Soled 1, Tal Malkin 1, Mariana Raykova 1, Moti Yung.
A Few Simple Applications to Cryptography Louis Salvail BRICS, Aarhus University.
Position-Based Quantum Cryptography Christian Schaffner ILLC, University of Amsterdam Centrum Wiskunde & Informatica Advances in Quantum Cryptography Workshop.
Quantum Homomorphic Encryption
1 Information Security – Theory vs. Reality , Winter Lecture 10: Garbled circuits (cont.), fully homomorphic encryption Eran Tromer.
You Did Not Just Read This or did you?. Quantum Computing Dave Bacon Department of Computer Science & Engineering University of Washington Lecture 3:
Succinct Functional Encryption: d Reusable Garbled Circuits and Beyond
Quantum Cryptography Christian Schaffner ILLC, University of Amsterdam Centrum Wiskunde & Informatica Logic, Language and Computation Monday, 21 September.
1 Modeling Quantum Information Systems Paul E. Black National Institute of Standards and Technology Andrew W. Lane University of Kentucky.
CSEP 590tv: Quantum Computing Dave Bacon July 20, 2005 Today’s Menu n Qubit registers Begin Quantum Algorithms Administrivia Superdense Coding Finish Teleportation.
Quantum Cryptography Christian Schaffner Research Center for Quantum Software Institute for Logic, Language and Computation (ILLC) University of Amsterdam.
Based on work with: Sergey Gorbunov and Vinod Vaikuntanathan Homomorphic Commitments & Signatures Daniel Wichs Northeastern University.
Quantum Cryptography Christian Schaffner
Communicating Quantum Processes Simon Gay Department of Computing Science University of Glasgow Rajagopal Nagarajan Department of Computer Science University.
Quantum Cryptography Christian Schaffner Research Center for Quantum Software Institute for Logic, Language and Computation (ILLC) University of Amsterdam.
Quantum Cryptography Christian Schaffner
Quantum Cryptography Christian Schaffner Research Center for Quantum Software Institute for Logic, Language and Computation (ILLC) University of Amsterdam.
China Summer School on Lattices and Cryptography Craig Gentry and Shai Halevi June 3, 2014 Fully Homomorphic Encryption and Bootstrapping.
Fully Homomorphic Encryption (FHE) By: Matthew Eilertson.
Packing Techniques for Homomorphic Encryption Schemes Scott Thompson CSCI-762 4/28/2016.
Simulation and Design of Stabilizer Quantum Circuits Scott Aaronson and Boriska Toth CS252 Project December 10, X X +Z Z +ZI +IX
Quantum Shift Register Circuits Mark M. Wilde arXiv: National Institute of Standards and Technology, Wednesday, June 10, 2009 To appear in Physical.
Attendance Syllabus Textbook (hardcopy or electronics) Groups s First-time meeting.
Bounded key-dependent message security
Quantum Bits (qubit) 1 qubit probabilistically represents 2 states
The Exact Round Complexity of Secure Computation
Lower Bounds on Assumptions behind Indistinguishability Obfuscation
Adaptively Secure Multi-Party Computation from LWE (via Equivocal FHE)
Spring School on Lattice-Based Crypto, Oxford
Richard Cleve DC 2117 Introduction to Quantum Information Processing CS 467 / CS 667 Phys 667 / Phys 767 C&O 481 / C&O 681 Lecture.
Quantum Cryptography Christian Schaffner ICT OPEN 2017
Introduction to Quantum Computing Lecture 1 of 2
Foundations of Secure Computation
Umans Complexity Theory Lectures
Attack on Fully Homomorphic Encryption over Principal Ideal Lattice
Introduction to security goals and usage of cryptographic algorithms
Unconditional Security of the Bennett 1992 quantum key-distribution protocol over a lossy and noisy channel Kiyoshi Tamaki * *Perimeter Institute for.
Invitation to Quantum Information III
Course Business I am traveling April 25-May 3rd
Introduction to modern cryptology
Semantic Security and Indistinguishability in the Quantum World
Verifiable Oblivious Storage
Maliciously Secure Two-Party Computation
Quantum Cryptography Christian Schaffner
Four-Round Secure Computation without Setup
Cryptography Lecture 3 Arpita Patra © Arpita Patra.
Perfect security Samuel Ranellucci Défacne de these Date
Cryptography for Quantum Computers
Rishab Goyal Venkata Koppula Brent Waters
האם מכניקת הקוונטים יכולה לתת תאור שלם למציאות הפיסיקלית?
CSE838 Lecture notes copy right: Moon Jung Chung
Secret Sharing: Linear vs. Nonlinear Schemes (A Survey)
Identity Based Encryption from the Diffie-Hellman Assumption
Introduction to Quantum Information Processing CS 467 / CS 667 Phys 467 / Phys 767 C&O 481 / C&O 681 Lecture 4 (2005) Richard Cleve DC 653
Presentation transcript:

Homomorphic encryption of quantum data Christian Schaffner (joint work with Yfke Dulek and Florian Speelman) http://arxiv.org/abs/1603.09717 Colloquium KdVI, UvA, Wednesday 5 April 2017

example: image tagging Classical homomorphic encryption: Gentry [2009] What about quantum? CAPITOL WASHINGTON CAPITOL WASHINGTON

Quantum cloud computing

1. HOMOMORPHIc ENCRYPTION 2. Previous results: Clifford scheme 3. New Scheme

Homomorphic encryption public key secret key evaluation key Key Generation Encryption ↦ x + x (secure) Evaluation + + x ↦ CAPITOL f(x) Decryption ↦ + CAPITOL f(x) f(x) CAPITOL Classical homomorphic encryption: Gentry [2009]

Homomorphic encryption public key secret key evaluation key Key Generation quantum Encryption ↦ |𝜓⟩ + |𝜓⟩ (secure) Evaluation + + |𝜓⟩ ↦ 𝑈|𝜓⟩ Decryption ↦ + 𝑈|𝜓⟩ 𝑈|𝜓⟩

1. HOMOMORPHIc ENCRYPTION 2. Previous results: Clifford scheme 3. New SCHEME

Classical One-time pad See explanations on black board

Quantum bits + basis £ basis Measurements: with prob. 1 yields 1 0/1

Q Circuits and Pauli group X CNOT T Y H Pauli operators X= 0 1 1 0 , Y= 0 −𝑖 𝑖 0 , Z= 1 0 0 −1 Self-inverse: 𝑋 2 =𝕀= 1 0 0 1 , 𝑌 2 =𝕀, 𝑍 2 =𝕀 Anti-commute: 𝑋𝑍=−𝑍𝑋, 𝑋𝑌=−𝑌𝑋, 𝑌𝑍=−𝑍𝑌

Quantum One-time pad Pauli operators X= 0 1 1 0 , Y= 0 −𝑖 𝑖 0 , Z= 1 0 0 −1 Self-inverse: 𝑋 2 =𝕀= 1 0 0 1 , 𝑌 2 =𝕀, 𝑍 2 =𝕀 Anti-commute: 𝑋𝑍=−𝑍𝑋, 𝑋𝑌=−𝑌𝑋, 𝑌𝑍=−𝑍𝑌 Flip two random bits 𝑎,𝑏← 0,1 , encryption of a qubit |𝜓⟩: 𝑋 𝑎 𝑍 𝑏 |𝜓⟩ Perfect security: not knowing 𝑎,𝑏, the density matrix becomes fully mixed: 1 4 𝑎,𝑏 𝑋 𝑎 𝑍 𝑏 𝜓⟩⟨𝜓 𝑍 𝑏 𝑋 𝑎 =𝕀/2

Quantum Homomorphic enc homomorphic for compactness security Not encrypting Quantum circuits yes no Quantum OTP no yes append evaluation description Quantum circuits Complexity of Dec 
prop to (# gates) yes Clifford Scheme Clifford circuits yes computational Quantum one-time pad: pick a,b ∈R {0,1} |𝜓⟩ ↦ XaZb |𝜓⟩ P X CNOT T Y H

The Clifford Group 𝑃= 1 0 0 𝑖 Generated by {𝐻, 𝑃, CNOT} 𝐻= 1 2 1 1 1 −1 𝑃= 1 0 0 𝑖 Generated by {𝐻, 𝑃, CNOT} Commutation maps Pauli operators to Paulis (normalizer of Pauli group) CNOT(𝑋⊗𝐼)= 𝑋⊗𝑋 CNOT CNOT(𝐼⊗𝑍)= 𝑍⊗𝑍 CNOT Not a universal gate set (e.g. efficient classical simulation possible) 𝐶𝑁𝑂𝑇= 1 0 0 0 0 1 0 0 0 0 0 1 0 0 1 0 𝐻𝑋=𝑍𝐻 𝑃𝑍=𝑍𝑃 𝐻𝑍=𝑋𝐻 𝑃𝑋=𝑋𝑍𝑃

Clifford Scheme pick a,b ∈R {0,1} encryption: = XaZb |𝜓⟩ ↦ |𝜓⟩ Ingredient 1: quantum one-time pad pick a,b ∈R {0,1} |𝜓⟩ ↦ XaZb |𝜓⟩ encryption: a,b |𝜓⟩ a,b = XaZb |𝜓⟩ ↦ |𝜓⟩ decryption: Ingredient 2: classical homomorphic encryption (as black box) [AMTW00] A. Ambainis, M. Mosca, A. Tapp, and R. De Wolf. Private quantum channels. FOCS’00 [Gentry 09] C. Gentry: Fully homomorphic encryption using ideal lattices. STOC’09

Clifford Scheme H H ( ) = HXaZb|𝜓⟩ = XbZaH|𝜓⟩ = |𝜓⟩ |𝜓⟩ H|ψ⟩ H|𝜓⟩ a,b b,a = a,b H|ψ⟩ XbZaH|𝜓⟩ = b,a H|𝜓⟩ Folklore, last formalized by [BJ15] A. Broadbent, S. Jeffery. Quantum Homomorphic Encryption for Circuits of Low T-gate Complexity. CRYPTO 2015

Classical homomorphic encryption Clifford Scheme Classical homomorphic encryption Quantum one-time pad a,b |𝜓⟩ update function (x,y) ↦ (y,x) H b,a a,b H|𝜓⟩ b,a Folklore, last formalized by [BJ15] A. Broadbent, S. Jeffery. Quantum Homomorphic Encryption for Circuits of Low T-gate Complexity. CRYPTO 2015

Clifford Scheme: CNOT CNOT X a Z 𝑏 ⊗ X c Z 𝑑 |𝜓⟩ 2 qubit |𝜓⟩ CNOT|𝜓⟩ a,b c,d 2 qubit |𝜓⟩ CNOT a,b update function a,b⊕d CNOT|𝜓⟩ a⊕c,d a,b⊕d a⊕c,d c,d Folklore, last formalized by [BJ15] A. Broadbent, S. Jeffery. Quantum Homomorphic Encryption for Circuits of Low T-gate Complexity. CRYPTO 2015

how to apply correction P-1 iff a = 1? The challenge: T gate T = 1 0 0 𝑒 𝑖𝜋/4 TZ=ZT TX=PXT 0,b |ψ⟩ 1,b |ψ⟩ a,b T T error! T|ψ⟩ 0,b P( ) T|ψ⟩ 1,b how to apply correction P-1 iff a = 1?

Previous results: overview homomorphic for compactness security Not encrypting Quantum circuits yes no Quantum OTP No inf theoretic append evaluation description Complexity of Dec 
prop to (# gates) Clifford Scheme Clifford circuits computational [BJ15]: AUX QCircuits with constant T-depth yes computational [BJ15]: EPR Quantum circuits Comp of Dec is prop to (#T-gates)^2 [OTF15] QCircuits with constant #T-gates yes inf theoretic Our result QCircuits of polynomial size (levelled FHE) yes computational (comparison based on Stacey Jeffery’s slides) [BJ15] A. Broadbent, S. Jeffery. Quantum Homomorphic Encryption for Circuits of Low T-gate Complexity. CRYPTO 2015 [OTF15] Y. Ouyang, S-H. Tan, J. Fitzsimons. Quantum homomorphic encryption from quantum codes. arxiv:1508.00938

1. HOMOMORPHIc ENCRYPTION 2. Previous results: Clifford Scheme 3. New SCHEME

Error-correction ‘gadget’ 𝑃 𝑎 ( ) T|𝜓⟩ a,b a,b Build a ‘gadget’ that applies 𝑃 −1 iff a = 1 Apply correction iff : Properties: Efficiently constructable Destroyed after single use GADGET T|𝜓⟩ c,d c,d a=decrypt( , ) = 1 a

Excursion 1 Quantum Information Theory: Quantum Teleportation

[Einstein Podolsky Rosen 1935] EPR Pairs [Einstein Podolsky Rosen 1935] prob. ½ : 0 prob. ½ : 1 EPR magic! prob. 1 : 0 “spukhafte Fernwirkung” (spooky action at a distance) EPR pairs do not allow to communicate (no contradiction to relativity theory) can provide a shared random bit

Quantum Teleportation [Bennett Brassard Crépeau Jozsa Peres Wootters 1993] [Bell] ? 𝜎 ∈ 𝑅 {𝕀, 𝑋, 𝑌, 𝑍} ? ? Bob’s qubit is encrypted with quantum one-time pad Bob can only recover the teleported qubit after receiving the classical information ¾

Excursion 2 Theoretical Computer Science: Barrington’s Theorem

Permutation Branching Program f : {0,1}n x {0,1}n → {0,1} computes some Boolean function f(x,y) list of instructions: permutations of {1,2,3,4,5} 0: π ∈ S5 output: … ° σ’’ ° σ’ ° π xi 1: σ id (fixed) cycle ⇒ f(x,y) = 0 yj 0: π’ ⇒ f(x,y) = 1 1: σ’ length: # of instructions xk 0: π’’ 1: σ’’ …

EXAMPLE PBP OR(x,y) length 4: OR(0,0) OR(0,1) OR(1,0) OR(1,1) x 1 EXAMPLE PBP OR(x,y) length 4: OR(0,0) OR(0,1) OR(1,0) OR(1,1) x 0: (12345) 1: id y 0: (12453) 1: id x 0: (54321) 1: id 0: (15243) y 1: (14235) id (14235) 1 (14235) 1 (14235) 1 output:

Barrington’s theorem (1989) Theorem (variation): if f : {0,1}n x {0,1}n → {0,1} is in NC1, then there exists a width-5 permutation branching program for f with length polynomial in n. P NC1 L NP NC1: Boolean circuits with, fan-in 2 gates, Polynomial size, Depth is log(n) Classical homomorphic decryption functions happen to be in NC1… [BV11] [Barrington 89] Bounded-Width Polynomial-Size Branching Programs Recognize Exactly Those Languages in NC1, J. Comput. Syst. Sci. 38 (1): 150–164, 1989 [BV11] Z. Brakerski, V. Vaikuntanathan. Efficient fully homomorphic encryption from (standard) LWE. FOCS 2011

Error-correction gadget 𝑃 𝑎 ( ) T|𝜓⟩ a,b a,b Build a ‘gadget’ that applies 𝑃 −1 iff a = 1 Apply correction iff GADGET a = decrypt( , ) = 1 a c,d T|𝜓⟩ c,d has a poly-size PBP

error correction Gadget 𝑃 𝑎 ( ) T|𝜓⟩ a,b GADGET { PBP for a=decrypt( , ) a P-1 iff permutation ≠ id { P-1 { reverse PBP for a=decrypt( , ) a

Error correction gadget Branching program for decrypt( , ) 1: σ 0: π i EPR pairs teleportation measurements 1: σ’ 0: π’ a j 1: σ’’ 0: π’’ k EPR pairs teleportation measurements 1: σ’’’ 0: π’’’ a l … … …

error correction Gadget a,b 𝑃 𝑎 ( ) a,b GADGET Update key depending on teleportation outcomes & gadget structure gadget structure { PBP for a=decrypt( , ) a P-1 iff permutation ≠ id { P-1 { reverse PBP for a=decrypt( , ) a T|𝜓⟩ c,d c,d

security a,b All quantum information: quantum one-time pad (perfectly secure if classical info is hidden) Gadget structure, each ‘connection’: Random choice out of 4 Bell states (perfectly secure if classical info is hidden) All classical information: classical homomorphic scheme Security of classical scheme is the only assumption

New scheme: overview Key generation ENCRYPTION Evaluation Decryption classical keys gadgets ENCRYPTION a,b apply quantum one-time pad classically encrypt pad keys |𝜓⟩ a,b Evaluation after / / : classically update keys after : use H P CNOT T Decryption c,d classically decrypt pad keys remove quantum one-time pad U|𝜓⟩ c,d

Applications Delegated quantum computation in two rounds No memory needed on Alice’s side ”Low-tech” generation of gadgets Gadget generation on demand Circuit privacy

FUTURE WORK non-leveled QFHE? verifiable delegated quantum computation quantum obfuscation? …

Thank you!