Quantum Homomorphic Encryption

Classical homomorphic encryption (HE) allows a server to evaluate functions on encrypted data and return an encrypted result that the client can decrypt, without the server ever seeing the plaintext. The quantum analogue seeks the same property for quantum data: a client encrypts a quantum state, sends it to a quantum server, the server applies a quantum circuit, and the client decrypts the result, with the server learning nothing about the input state or the output. The practical motivation is identical to classical cloud computing privacy: a client with limited quantum hardware could delegate expensive quantum computation to a powerful server without exposing proprietary quantum data or algorithms.

The quantum one-time pad provides the foundation for quantum HE on the Clifford group. In the quantum one-time pad, a client encrypts a qubit |psi> by applying a random Pauli operator from {I, X, Y, Z}, sending the result to the server. Clifford gates commute through Pauli operators in a predictable way: applying a Clifford gate C to a Pauli-encrypted state P|psi> produces CP|psi> = (CPC†)C|psi>, so the effective encryption after the gate is the conjugated Pauli CPC†. Since the Clifford group maps Paulis to Paulis under conjugation, the client can track the evolving encryption key classically and decrypt at the end. This makes Clifford circuits homomorphically evaluable with no overhead beyond the classical key update, and the server learns nothing because each encrypted state is uniformly distributed over the Pauli orbit.

The bottleneck is non-Clifford gates, particularly the T gate (pi/8 rotation), which is necessary for universal quantum computation but does not preserve the Pauli group under conjugation. Applying a T gate to a Pauli-encrypted qubit produces a state whose effective encryption involves a non-Pauli operator, breaking the simple key-tracking scheme. Several approaches address this: Broadbent and Jeffery showed that T gates can be evaluated homomorphically if the client supplies specially prepared auxiliary states (analogous to classical HE bootstrapping), at the cost of interaction or pre-shared resources. Other schemes use approximate HE that tolerates a small leakage per T gate, suitable for circuits with few non-Clifford gates.

Quantum HE is closely related to blind quantum computing (BQC), in which a client delegates a quantum computation to a server while keeping the input, circuit, and output private. In measurement-based BQC protocols such as the Broadbent-Fitzsimons-Kashefi scheme, the client sends single qubits one at a time and the server’s measurement outcomes are driven by the client’s adaptive angle choices, hiding the computation through a form of one-time-pad encryption on the measurement basis. Quantum HE and BQC differ primarily in the interaction model: HE aims for non-interactive or minimal-round protocols, while BQC protocols are often inherently interactive. Both directions are active research areas as quantum cloud platforms emerge, with security reductions being built to standard quantum-hardness assumptions such as the learning-with-errors problem.