How to Construct Quantum FHE, Generically

TL;DR

The paper presents a generic method to build a quantum fully homomorphic encryption (QFHE) scheme with a classical client by starting from a leveled classical FHE with shallow ($O(\log \lambda)$) decryption and a dual-mode trapdoor function (dTF) family. Central to the construction is the remote state preparation of the DSS gadget, enabled by 4-to-2 dTFs, which allows the server to prepare the quantum evaluation keys while the client remains classical. The approach yields a plug-and-play route from Ring-LWE (and other post-quantum foundations such as group actions or IO) to QFHE, with security grounded in quantum IND-CPA and mode indistinguishability. The work also introduces (i) a new dTF construction from group actions and (ii) an amplification lemma to boost correctness, enabling practical instantiations from a broad set of cryptographic assumptions. Overall, this advances flexible, assumption-driven QFHE frameworks suitable for quantum-cloud scenarios, while preserving a classical client and leveraging established lattice- and group-action-based cryptography.

Abstract

We construct a (compact) quantum fully homomorphic encryption (QFHE) scheme starting from (compact) classical fully homomorphic encryption scheme with decryption in $\mathsf{NC}^{1}$, together with a dual-mode trapdoor function family. Compared to previous constructions (Mahadev, FOCS 2018; Brakerski, CRYPTO 2018) which made non-black-box use of similar underlying primitives, our construction provides a pathway to instantiations from different assumptions. Our construction uses the techniques of Dulek, Schaffner and Speelman (CRYPTO 2016) and shows how to make the client in their QFHE scheme classical using dual-mode trapdoor functions. As an additional contribution, we show a new instantiation of dual-mode trapdoor functions from group actions.

Figures (4)

• Figure 1: The functionality of the DSS quantum gadget $\ket{\Gamma(sk)}$: take as input a state $P^xX^xZ^z\ket{\psi}$ as well as encryptions of $x$ and $z$, and produce as output $X^{x'}Z^{z'}\ket{\psi}$ together with encryptions of the new one-time pad keys $x'$ and $z'$.
• Figure 2: Dual-mode trapdoor functions (dTFs): In mode $\mu = 0$, the functions $f_{0}$ and $f_{1}$ have disjoint images, and in mode $\mu = 1$ they have the same image. The two modes are computationally indistinguishable.
• Figure 3: $4$-to-$2$ Dual-mode trapdoor functions ($4$-to-$2$ dTFs): In mode $\mu = 0$, the functions $f_{b_1, b_2}, f_{b'_1, b'_2}$ have the same image if and only if $b_1 = b'_1$, and otherwise they have disjoint images. In mode $\mu =1$, the functions $f_{b_1, b_2}, f_{b'_1, b'_2}$ have the same image if and only $b_2 = b'_2$ and otherwise they have disjoint images. The two modes are computationally indistinguishable.
• Figure 4: (Taken from dulek2016quantum, Figure 4): Structure of the (first half of the) gadget, with measurements, coming from the 5-permutation branching program for the $\mathsf{OR}$ function on the input $(sk, \tilde{x}) = (0,0)$. The example program's instructions are displayed above the permutations. The solid lines correspond to Bell measurements, while the wavy lines represent EPR pairs.

Theorems & Definitions (40)

• Definition 1: Hellinger Distance
• Lemma 1
• Lemma 2
• Definition 2: Classical Homomorphic encryption scheme
• Definition 3: Full homomorphism and compactness
• Definition 4: Quantum Homomorphic Encryption
• Definition 5: Quantum Full Homomorphism and Compactness
• Definition 6: The Quantum IND-CPA Game broadbent2015quantum
• Definition 7: Quantum CPA Indistinguishability broadbent2015quantum
• Definition 8: Truncated Discrete Gaussian