- The paper introduces a modular arithmetic program that reduces gadget size from exponential to polynomial scaling, enabling near-term QFHE feasibility.
- It integrates the garden-hose model and MBQC to deterministically evaluate T-gates, allowing a fully classical client to delegate quantum state preparation.
- The scheme achieves exponential efficiency improvements, cutting EPR pair requirements (e.g., from 2^33 to 2^18 for 128-bit security) while preserving LWE security.
Exponential Efficiency for Quantum Fully Homomorphic Encryption via Modular Arithmetic Programs
Introduction and Motivation
Quantum Fully Homomorphic Encryption (QFHE) is a critical cryptographic primitive for enabling secure delegated quantum computation, allowing an untrusted quantum server to perform arbitrary quantum computations on encrypted quantum data. This primitive is foundational for privacy-preserving quantum cloud computing, as it bridges the gap between the computational power of quantum hardware and the information-theoretic or computational secrecy of clients' data.
The principal obstacle to practical QFHE has been quantum resource inefficiency. Previous schemes, notably the DSS construction [Dulek, Schaffner, Speelman; CRYPTO 2016], require gadgets whose size (measured in EPR pairs) scales exponentially with the security parameter due to generic branching program representations of LWE decryption, concretely leading to unfeasible quantum overheads on the order of billions of EPR pairs for practical settings.
This work introduces a unified framework rooted in modular arithmetic programs (MAPs) that addresses the fundamental efficiency bottleneck by exploiting the algebraic properties of LWE decryption rather than relying on generic equivalence to Boolean circuits. By integrating MAPs with the garden-hose model and measurement-based quantum computation (MBQC), the scheme achieves an exponential improvement in quantum resource costs—enabling near-term feasibility for QFHE.
Prior Work and Limitations
Early constructions, notably Broadbent and Jeffery [CRYPTO 2015], utilize the quantum one-time pad (QOTP) with classical FHE, supporting non-interactive evaluation of Clifford gates by updating encrypted Pauli keys through the underlying classical scheme. The obstruction arises at the T gate, whose evaluation requires conditional quantum corrections dependent on encrypted classical data, not directly compatible with homomorphic manipulation.
Dulek-Schaffner-Speelman (DSS) [DSS16] circumvent interaction at T-gates using gadgets based on Barrington's theorem, transforming the decryption logic into constant-width, exponentially-long branching programs. This yields gadgets scaling as O(λ2.58) EPR pairs for LWE parameters, an exponential overhead far exceeding current (and foreseeable) quantum capacities.
Other directions—such as Mahadev's classical verification of quantum computation [Mah18] and Gupte-Vaikuntanathan-Wee’s fully classical-client QFHE [GVW22]—address different aspects, such as verification or client quantum requirements, but do not resolve the core quantum resource inefficiency.
Modular Arithmetic Program Construction and Technical Innovations
The paper’s central insight is that LWE decryption is not a symmetric function—it depends on a modular inner product ⟨sk,c⟩modq where the ciphertext coefficients ci break permutation invariance. This precludes direct application of efficient branching program techniques for symmetric functions (e.g., Sinha’s logarithmic-width BPs). Instead, the paper designs a modular arithmetic program tailored to this algebraic structure.
The program maintains a state in Zq (requiring O(logq) bits), sequentially accumulating ci coefficients conditioned on ski, thus computing the modular sum with logarithmic width and length O(nlogλ) for security parameter T0. This yields a BP width of T1, length T2, and hence a drastically reduced gadget size of T3 EPR pairs.
The garden-hose model provides a conduit for translating the MAP into quantum resources: each layer (width) of the BP maps to parallel EPR pairs, and control transitions are implemented as connection configurations and Bell measurements. The MBQC framework leverages flow functions to deterministically steer the adaptive quantum computation, supporting deterministic homomorphic evaluation and error correction via feed-forward.
Figure 1: QFHE T-gate gadget, illustrating conditional T4 application using garden-hose-style EPR routing.
Figure 2: MBQC measurement dependency flow in the evaluation of the modular arithmetic program for LWE decryption.
Encryption and Evaluation
Quantum states are QOTP-encrypted; the QOTP keys are themselves encrypted via a classical leveled homomorphic encryption (LHE) scheme under the classical LWE assumption. Homomorphic evaluation of Clifford circuits proceeds by updating the encrypted keys, but T5-gates are handled using the MAP-based gadget, where the server evaluates conditional corrections on encrypted values by dynamically traversing the appropriate pipe configurations built from modular arithmetic transitions.
Classical Client Support
Extending [GVW22], all quantum state preparation is performed by the server. The client generates only classical gadget keys; all quantum resources and measurements are delegated, which is feasible due to the MBQC framework’s clean separation between resource preparation and evaluation. No circular security or quantum LWE assumptions are invoked.
Numerical Results and Efficiency Analysis
The MAP-based approach yields an exponential reduction in gadget size:
| Security Level |
DSS EPR pairs |
MAP-based EPR pairs |
Improvement Factor |
| 128-bit |
T6 |
T7 |
T8 |
| 192-bit |
T9 |
O(λ2.58)0 |
O(λ2.58)1 |
| 256-bit |
O(λ2.58)2 |
O(λ2.58)3 |
O(λ2.58)4 |
For 128-bit security, the quantum resource cost shrinks from billions of EPR pairs in DSS to hundreds of thousands, with the overhead scaling polynomially rather than exponentially in O(λ2.58)5. The gadget is compact, and the scheme inherits the compactness property of the underlying classical FHE, ensuring ciphertexts remain independent of evaluated circuit size.
Theoretical and Practical Implications
Theoretical Advancements:
- The modular arithmetic program formalism generalizes efficient BP compilation to functions outside the symmetric regime, filling a crucial hole in the interface between lattice-based crypto and quantum evaluation.
- The integration with MBQC demonstrates a deterministic, resource-efficient template for future quantum cryptographic schemes, distinct from static, circuit-based gadgetry.
Practical Prospects:
- By lowering the quantum resource barrier by factors between O(λ2.58)6 and O(λ2.58)7, this construction represents the first QFHE scheme feasible for plausible near-term QFHE demos (subject to further advances in realistic EPR pair generation and error correction).
- The architecture supports a fully classical client—critical for practical deployments—without recourse to circular security or quantumly hard underlying assumptions.
Security and Limitations:
- The scheme is provably q-IND-CPA secure under standard LWE. All major security claims reduce to the hardness of LWE in the strong standard parameters, making assumptions transparent.
- The current analysis applies to the semi-honest server setting, with resistance to malicious servers (e.g., active attacks during quantum measurement or state delivery) reserved as an open problem.
Future Directions
Key open questions include: optimizing the MBQC flow for more parallel evaluation of O(λ2.58)8-gate gadgets, quantifying and mitigating decoherence and physical errors in practical MBQC-based QFHE pipelines, extending the modular arithmetic approach to ring-LWE and NTRU settings (with trade-offs between quantum and classical-side efficiency and security assumptions), and practical mechanisms for quantum state verification or authentication to approach security for malicious servers.
Conclusion
This work provides a rigorous and resource-efficient construction of QFHE, breaking the longstanding exponential gadget size barrier through modular arithmetic program compilation. The framework achieves polynomial gadget size—O(λ2.58)9 EPR pairs—while supporting a fully classical client and compact ciphertexts under the LWE assumption. These innovations set the stage for both the theoretical expansion and potential practical realization of quantum-secure, privacy-preserving delegated quantum computation.