Papers
Topics
Authors
Recent
Search
2000 character limit reached

Efficient Quantum Fully Homomorphic Encryption

Published 26 Apr 2026 in quant-ph and cs.CR | (2604.23490v1)

Abstract: Quantum fully homomorphic encryption (QFHE) promises secure delegated quantum computation but has been impeded by the prohibitive quantum resource demands of existing constructions. This paper introduces a unified framework that achieves an \textbf{exponential improvement} in efficiency by synergistically integrating three theoretical tools: \textbf{modular arithmetic programs (MAP)}, the \textbf{garden-hose model}, and \textbf{measurement-based quantum computation (MBQC)}. Our central innovation is a novel MAP tailored to the algebraic structure of Learning-with-Errors (LWE) decryption. Unlike generic approaches that incur exponential overhead, our MAP computes the inner product $\langle \boldsymbol{sk}, \boldsymbol{c} \rangle \bmod q$ by tracking a partial sum modulo $q$, requiring only $O(\log q)$ bits of state width. This yields branching programs of width $O(\log λ)$ and length $O(λ\log λ)$, thereby reducing the size of the essential quantum gadget from $O(λ{2.58})$ to $O(λ\log2 λ)$ EPR pairs -- a concrete improvement factor of $2{15}$ to $2{18}$ for standard security parameters. Critically, we demonstrate that LWE decryption is not a \textbf{symmetric function}, necessitating our specialized MAP design beyond prior symmetric-function optimizations. The framework provides a direct mapping from the MAP to an efficient gadget via the garden-hose model, with MBQC furnishing the deterministic control flow for homomorphic evaluation. The resulting QFHE scheme supports \textbf{fully classical clients}, relies solely on the \textbf{classical LWE assumption} (avoiding circular security or quantum hardness assumptions), and maintains compactness. This work dramatically lowers the quantum resource barrier for practical QFHE, paving the way for realistic privacy-preserving quantum cloud computing.

Summary

  • The paper introduces a modular arithmetic program that reduces gadget size from exponential to polynomial scaling, enabling near-term QFHE feasibility.
  • It integrates the garden-hose model and MBQC to deterministically evaluate T-gates, allowing a fully classical client to delegate quantum state preparation.
  • The scheme achieves exponential efficiency improvements, cutting EPR pair requirements (e.g., from 2^33 to 2^18 for 128-bit security) while preserving LWE security.

Exponential Efficiency for Quantum Fully Homomorphic Encryption via Modular Arithmetic Programs

Introduction and Motivation

Quantum Fully Homomorphic Encryption (QFHE) is a critical cryptographic primitive for enabling secure delegated quantum computation, allowing an untrusted quantum server to perform arbitrary quantum computations on encrypted quantum data. This primitive is foundational for privacy-preserving quantum cloud computing, as it bridges the gap between the computational power of quantum hardware and the information-theoretic or computational secrecy of clients' data.

The principal obstacle to practical QFHE has been quantum resource inefficiency. Previous schemes, notably the DSS construction [Dulek, Schaffner, Speelman; CRYPTO 2016], require gadgets whose size (measured in EPR pairs) scales exponentially with the security parameter due to generic branching program representations of LWE decryption, concretely leading to unfeasible quantum overheads on the order of billions of EPR pairs for practical settings.

This work introduces a unified framework rooted in modular arithmetic programs (MAPs) that addresses the fundamental efficiency bottleneck by exploiting the algebraic properties of LWE decryption rather than relying on generic equivalence to Boolean circuits. By integrating MAPs with the garden-hose model and measurement-based quantum computation (MBQC), the scheme achieves an exponential improvement in quantum resource costs—enabling near-term feasibility for QFHE.

Prior Work and Limitations

Early constructions, notably Broadbent and Jeffery [CRYPTO 2015], utilize the quantum one-time pad (QOTP) with classical FHE, supporting non-interactive evaluation of Clifford gates by updating encrypted Pauli keys through the underlying classical scheme. The obstruction arises at the TT gate, whose evaluation requires conditional quantum corrections dependent on encrypted classical data, not directly compatible with homomorphic manipulation.

Dulek-Schaffner-Speelman (DSS) [DSS16] circumvent interaction at TT-gates using gadgets based on Barrington's theorem, transforming the decryption logic into constant-width, exponentially-long branching programs. This yields gadgets scaling as O(λ2.58)O(\lambda^{2.58}) EPR pairs for LWE parameters, an exponential overhead far exceeding current (and foreseeable) quantum capacities.

Other directions—such as Mahadev's classical verification of quantum computation [Mah18] and Gupte-Vaikuntanathan-Wee’s fully classical-client QFHE [GVW22]—address different aspects, such as verification or client quantum requirements, but do not resolve the core quantum resource inefficiency.

Modular Arithmetic Program Construction and Technical Innovations

The paper’s central insight is that LWE decryption is not a symmetric function—it depends on a modular inner product sk,cmodq\langle \text{sk}, c \rangle \bmod q where the ciphertext coefficients cic_i break permutation invariance. This precludes direct application of efficient branching program techniques for symmetric functions (e.g., Sinha’s logarithmic-width BPs). Instead, the paper designs a modular arithmetic program tailored to this algebraic structure.

The program maintains a state in Zq\mathbb{Z}_q (requiring O(logq)O(\log q) bits), sequentially accumulating cic_i coefficients conditioned on ski\text{sk}_i, thus computing the modular sum with logarithmic width and length O(nlogλ)O(n\log\lambda) for security parameter TT0. This yields a BP width of TT1, length TT2, and hence a drastically reduced gadget size of TT3 EPR pairs.

The garden-hose model provides a conduit for translating the MAP into quantum resources: each layer (width) of the BP maps to parallel EPR pairs, and control transitions are implemented as connection configurations and Bell measurements. The MBQC framework leverages flow functions to deterministically steer the adaptive quantum computation, supporting deterministic homomorphic evaluation and error correction via feed-forward. Figure 1

Figure 1: QFHE T-gate gadget, illustrating conditional TT4 application using garden-hose-style EPR routing.

Figure 2

Figure 2: MBQC measurement dependency flow in the evaluation of the modular arithmetic program for LWE decryption.

Formal Scheme Overview

Encryption and Evaluation

Quantum states are QOTP-encrypted; the QOTP keys are themselves encrypted via a classical leveled homomorphic encryption (LHE) scheme under the classical LWE assumption. Homomorphic evaluation of Clifford circuits proceeds by updating the encrypted keys, but TT5-gates are handled using the MAP-based gadget, where the server evaluates conditional corrections on encrypted values by dynamically traversing the appropriate pipe configurations built from modular arithmetic transitions.

Classical Client Support

Extending [GVW22], all quantum state preparation is performed by the server. The client generates only classical gadget keys; all quantum resources and measurements are delegated, which is feasible due to the MBQC framework’s clean separation between resource preparation and evaluation. No circular security or quantum LWE assumptions are invoked.

Numerical Results and Efficiency Analysis

The MAP-based approach yields an exponential reduction in gadget size:

Security Level DSS EPR pairs MAP-based EPR pairs Improvement Factor
128-bit TT6 TT7 TT8
192-bit TT9 O(λ2.58)O(\lambda^{2.58})0 O(λ2.58)O(\lambda^{2.58})1
256-bit O(λ2.58)O(\lambda^{2.58})2 O(λ2.58)O(\lambda^{2.58})3 O(λ2.58)O(\lambda^{2.58})4

For 128-bit security, the quantum resource cost shrinks from billions of EPR pairs in DSS to hundreds of thousands, with the overhead scaling polynomially rather than exponentially in O(λ2.58)O(\lambda^{2.58})5. The gadget is compact, and the scheme inherits the compactness property of the underlying classical FHE, ensuring ciphertexts remain independent of evaluated circuit size.

Theoretical and Practical Implications

Theoretical Advancements:

  • The modular arithmetic program formalism generalizes efficient BP compilation to functions outside the symmetric regime, filling a crucial hole in the interface between lattice-based crypto and quantum evaluation.
  • The integration with MBQC demonstrates a deterministic, resource-efficient template for future quantum cryptographic schemes, distinct from static, circuit-based gadgetry.

Practical Prospects:

  • By lowering the quantum resource barrier by factors between O(λ2.58)O(\lambda^{2.58})6 and O(λ2.58)O(\lambda^{2.58})7, this construction represents the first QFHE scheme feasible for plausible near-term QFHE demos (subject to further advances in realistic EPR pair generation and error correction).
  • The architecture supports a fully classical client—critical for practical deployments—without recourse to circular security or quantumly hard underlying assumptions.

Security and Limitations:

  • The scheme is provably q-IND-CPA secure under standard LWE. All major security claims reduce to the hardness of LWE in the strong standard parameters, making assumptions transparent.
  • The current analysis applies to the semi-honest server setting, with resistance to malicious servers (e.g., active attacks during quantum measurement or state delivery) reserved as an open problem.

Future Directions

Key open questions include: optimizing the MBQC flow for more parallel evaluation of O(λ2.58)O(\lambda^{2.58})8-gate gadgets, quantifying and mitigating decoherence and physical errors in practical MBQC-based QFHE pipelines, extending the modular arithmetic approach to ring-LWE and NTRU settings (with trade-offs between quantum and classical-side efficiency and security assumptions), and practical mechanisms for quantum state verification or authentication to approach security for malicious servers.

Conclusion

This work provides a rigorous and resource-efficient construction of QFHE, breaking the longstanding exponential gadget size barrier through modular arithmetic program compilation. The framework achieves polynomial gadget size—O(λ2.58)O(\lambda^{2.58})9 EPR pairs—while supporting a fully classical client and compact ciphertexts under the LWE assumption. These innovations set the stage for both the theoretical expansion and potential practical realization of quantum-secure, privacy-preserving delegated quantum computation.

Paper to Video (Beta)

No one has generated a video about this paper yet.

Whiteboard

No one has generated a whiteboard explanation for this paper yet.

Open Problems

We haven't generated a list of open problems mentioned in this paper yet.

Collections

Sign up for free to add this paper to one or more collections.