Computers, Materials & Continua DOI:10.32604/cmc.2022.029125
Article

A Secure Multiparty Quantum Homomorphic Encryption Scheme

Jing-Wen Zhang1, Xiu-Bo Chen1,*, Gang Xu2,3, Heng-Ji Li4, Ya-Lan Wang5, Li-Hua Miao6 and Yi-Xian Yang1

1Information Security Center, State Key Laboratory of Networking and Switching Technology, Beijing University of Posts and Telecommunications, Beijing, 100876, China
2School of Information Science and Technology, North China University of Technology, Beijing, 100144, China
3Advanced Cryptography and System Security Key Laboratory of Sichuan Province, Sichuan, 610025, China
4Quantum Technology Lab & Applied Mechanics Group, University of Milan, Milan, 20133, Italy
5Department of Computer Science, Faculty of Engineering and Physical Sciences, University of Surrey, Guildford, Surrey, GU2 7XH, United Kingdom
6Huawei Technologies Co. Ltd, Shenzhen, 518129, China
*Corresponding Author: Xiu-Bo Chen. Email: flyover100@163.com
Received: 25 February 2022; Accepted: 22 April 2022

Abstract: The significant advantage of the quantum homomorphic encryption scheme is to ensure the perfect security of quantum private data. In this paper, a novel secure multiparty quantum homomorphic encryption scheme is proposed, which can complete arbitrary quantum computation on the private data of multiple clients without decryption by an almost dishonest server. Firstly, each client obtains a secure encryption key through the measurement device independent quantum key distribution protocol and encrypts the private data by using the encryption operator and key. Secondly, with the help of the almost dishonest server, the non-maximally entangled states are pre-shared between the client and the server to correct errors in the homomorphic evaluation of T gates, so as to realize universal quantum circuit evaluation on encrypted data. Thirdly, from the perspective of the application scenario of secure multi-party computation, this work is based on the probabilistic quantum homomorphic encryption scheme, allowing multiple parties to delegate the server to perform the secure homomorphic evaluation. The operation and the permission to access the data performed by the client and the server are clearly pointed out. Finally, a concrete security analysis shows that the proposed multiparty quantum homomorphic encryption scheme can securely resist outside and inside attacks.

Keywords: Quantum homomorphic encryption; secure multiparty computation; almost dishonest server; security

1  Introduction

Classical homomorphic encryption (HE) is focused on the related notion of homomorphism in the field of abstract algebra. Its central idea is to take advantage of homomorphism as a preserving function to ensure the security of private data. Under this premise, the operations on the ciphertext are outsourced to a server with powerful computing capabilities. The idea of homomorphic encryption first emerged in 1978 when the professional term was called privacy homomorphism that was proposed by Rivest et al. [1] at that time. Since then, an open question in the international cryptographic circle is how to construct a fully homomorphic encryption scheme capable of arbitrary function transformation of the ciphertext. Until 2009, The first fully homomorphic encryption (FHE) algorithm came into view which was presented by Gentry [2]. It inspired the rapid development of the FHE scheme in the following decades. According to the FHE schemes based on difficult problems, it is mainly divided into the problem of approximate greatest common divisor over the integers [3–5] and learning with errors problem based on lattices [6–8].

The development and progress of quantum computers provide access to accelerate the calculation based on the properties of quantum mechanics. The application of quantum computation in quantum communication network [9,10] and quantum blockchain [11–13] will be practical and feasible in the future, and in the meantime, the concept of quantum homomorphic encryption (QHE) has also been proposed. Similar to the homomorphic characteristics used in classical HE, QHE also completes homomorphic quantum computations without decryption by the server. The ciphertext after the homomorphic quantum computation is the same as a valid ciphertext after performing the same quantum computation on the original plaintext. The difference is that all the above processes are completed in the background of quantum data and quantum computation. In the beginning, a large amount of research work [14–16] addressed the task of secure implementation of delegated quantum computation on the encrypted data, but the interaction requirements of the above schemes lead to the workload of the client is proportional to the size of the homomorphic evaluation circuit. The non-interactive schemes have been given in [17,18], but neither of them is suitable for universal quantum computation. The QHE scheme described in [17] realized a restricted class of quantum computation on the encoded input quantum state through the boson-sampling model under the premise of satisfying some information-theoretic security. Reference [18] used the group theoretical insights to make the scheme support quantum computing tasks including and extending beyond the boson-sampling model with improved security. In 2014, Yu et al. [19] proved that achieving a certain balance between security and compactness in a quantum fully homomorphic encryption (QFHE) scheme would be the optimal trivial scheme. In other words, if a QFHE scheme with information-theoretic security is to meet the non-interactivity and realize universal quantum computation, it will inevitably lead to exponential storage overhead. This allows more research to dive into the study of whether a QFHE scheme can be achieved under the condition of relaxing some properties and requirements. In 2015, Broadbent et al. [20] weakened the security level to computational security and gave the definitions of QHE and QFHE. They proposed two QHE schemes, which were suitable for the homomorphic evaluation of the quantum circuit containing a finite number of T gates. Subsequently, Dulek et al. [21] improved the quantum circuit to the size of any polynomial level and presented a QFHE scheme under the computational security by using auxiliary quantum gadgets. In 2018, Ouyang et al. [22] used quantum codes to encode plaintext and evaluation circuits in parallel under the entropy security model to realize universal quantum computation. In the same year, Mahadev [23] utilized the classical leveled FHE scheme to encapsulate the key and constructed a quantum leveled FHE under the assumption of cyclic security.

At the same time, the functionality and application scenarios of the QHE scheme have also been extensively studied. In 2017, Alagic et al. [24] proposed a verifiable leveled QHE scheme by using classical computing logs, proving that homomorphic evaluation results of the QHE scheme can be verified in a non-interactive way. In 2019, Chen et al. [25] combined the characteristics of the QHE algorithm with the quantum secret sharing scheme to achieve a flexible and variable number of honest evaluators to perform homomorphic evaluation operations in sequence. Later, Liang [26] corrected errors occurring in the homomorphic quantum computation of T gates based on the quantum technology of gate teleportation and proposed a QHE scheme that allows quantum circuits with arbitrary polynomial size. Reference [27,28] completed the Grover retrieval scheme on secret superposition state based on QHE in 2020. Besides, there are some experimental studies [29–31] on QHE schemes.

At present, the existing schemes [20,21,24,26,27] apply the maximally entangled state to remove the P error, that is, an arbitrary quantum calculation can be achieved through the maximally entangled channel. However, the quantum system is generally open in the real physical environment. When coupled with the realistic environment, the maximally entangled state is affected by the ambient noise, resulting in the problem of degenerating into a non-maximally entangled state. Therefore, our scheme uses non-maximally entangled states as quantum resources to assist solve the error problem in the evaluation of T gate. While ensuring the correct execution of the scheme, it reduces the requirements for quantum channels in the previous QHE scheme. In order to improve the universality of the QHE scheme, we will study the QHE scheme with multiple clients and extend its application scenarios to secure multi-party computation. In this paper, we propose a novel secure multi-party QHE scheme by introducing pre-shared non-maximally entangled states that are relatively well prepared between the client and the server as an auxiliary resource. The error correction of the T gate evaluation is completed and the universal quantum circuit evaluation on the quantum ciphertext can be achieved. It is possible for multiple clients to send computation requests to an almost dishonest server in parallel, and guarantee the perfect security of private data.

2  Preliminaries

2.1 Quantum Computation

We will give the symbols and concepts that are essential for the construction of the scheme. For a more detailed introduction to quantum computation, refer to Nielsen et al. [32].

Our work will employ the universal quantum circuit model, denoted as QC, consisting of Clifford gates and non-Clifford gates, where Clifford gates include Pauli gates X and Z, as well as H gate, P gate and CNOT gate, and T gate is chosen as a representative of the non-Clifford gate for computation. Coupled with the computational basis measurements, it is sufficient to realize universal quantum computation.

The entanglement appearance between quantum states is a property of the quantum composite system described in quantum mechanics. Bell state, as the representative of the two-qubit entangled state, is in the maximally entangled state, also known as the EPR (Einstein-Podolsky-Rosen) pair. It consists of four entangled states as follows,

|Φ±⟩=12(|00⟩±|11⟩),|Ψ±⟩=12(|01⟩±|10⟩).(1)

We define |Θ⟩=u|00⟩+v|11⟩ to be a non-maximally entangled state, where u and v are complex numbers and satisfy the normalization condition |u|2+|v|2=1. Let Id denote the identity matrix of dimension d, then the completely mixed state can be expressed as Id/d.

A density matrix ρ is regarded as the quantum plaintext, by randomly selecting the Pauli key, that is, the classical bit a,b∈{0,1} and applying the Pauli operator X and Z on ρ, any quantum plaintext is mapped to the quantum ciphertext, which is in a completely mixed state, since

∀ρ:∑a,b∈{0,1}n122nXaZbρ(XaZb)†=12nI2n.(2)

This property is allowed to construct a quantum one-time pad (QOTP) and qubits are encrypted in a quantum cryptography scheme. The Pauli key used only once will be randomly generated. Only with the correct key can the quantum ciphertext be decrypted to obtain valid information. So, even if an attacker intercepts the complete quantum ciphertext, it is meaningless to ensure the security of privacy information.

2.2 Quantum Homomorphic Encryption

Quantum homomorphic encryption refers to that the client encrypts the quantum state and sends it to the server. After the server is delegated to perform quantum evaluation operations on the quantum ciphertext, the calculation result is returned to the client for decryption. And the intended result of the quantum evaluation operations on the original quantum state is finally obtained. The concepts introduced in this section include QHE, correctness, compactness, and QFHE. For a more in-depth understanding of the above definitions, refer to Broadbent et al. [20].

Definition 1 (Quantum homomorphic encryption). We now provide the definition of the QHE scheme in the asymmetric key setting. It consists of the following algorithms: key generation, encryption, evaluation, and decryption.

(i) Key Generation. (pk,sk,ρevk)←QHE.KeyGen(1κ), where κ∈N is the security parameter. pk is used as a public key for encryption, sk is used as a private key for decryption, and both are classical keys. ρevk is worked as an evaluation key for evaluating the quantum circuit, which is a quantum state.

(ii) Encryption. σ←QHE.Encpk(ρ). For the quantum plaintext ρ of the message space, the effective public key pk is employed to map it to the quantum ciphertext σ of the cipher space through the encryption algorithm.

(iii) Homomorphic Evaluation. σ′←QHE.EvalρevkQC(σ), where QC is a universal quantum circuit that acts on the quantum ciphertext σ. The evaluation function maps σ to a certain output space to generate a new quantum ciphertext σ′ and consumes the evaluation key ρevk.

(iv) Decryption. ρ′←QHE.Decsk(σ′). Using the correct private key sk and decryption algorithm, the quantum state σ′ is mapped from the output space to the message space to obtain another quantum plaintext ρ′, which is consistent with the homomorphic quantum computation conducted on the original quantum plaintext ρ.

Definition 2 (Correctness). A QHE scheme is correct if for any quantum circuit QC and the quantum plaintext ρ, there is a negligible function η such that

Pr[QHE.Dessk(QHE.EvalρevkQC(QHE.Encpk(ρ)))≠ΦQC(ρ)]≤η(κ),(3)

where Φ denotes a quantum channel, which represents any physically achievable mapping on the quantum register, namely, the quantum circuit QC is applied to the quantum state.

Definition 3 (Compactness). For any quantum circuit QC and quantum ciphertext σ′, a QHE scheme is compact, the complexity of the decryption function is independent of the size of the quantum circuit QC, that is, there is a polynomial p(κ), the computational complexity of applying QHE.Decsk to decrypt the quantum ciphertext σ′ is at most p(κ).

Definition 4 (Quantum fully homomorphic encryption). If a QHE scheme is correct and compact for all quantum circuits formed by a set of universal quantum gates, the scheme is a QFHE scheme.

3  Secure Multiparty Quantum Homomorphic Encryption Scheme

In this section, we first introduce the probabilistic QHE scheme that uses the non-maximally entangled state to accomplish T gate evaluation. Based on Zhang et al.’s result [33], the main idea of the scheme is described in Section 3.1 which is helpful for our proposal. Then, in Section 3.2, we propose our secure multiparty quantum homomorphic encryption (MQHE) scheme in detail, combined with the evaluation method of T gate, to realize the universal quantum circuit evaluation for multiple clients.

3.1 T gate Evaluation in Quantum Homomorphic Encryption

As a non-Clifford gate, T gate does not have the property of commuting with the Pauli group. When it is applied to the encrypted quantum state, we will get TXaZb|ϕ⟩=PaXaZbT|ϕ⟩. This result contains an unexpected P error and is unable to be corrected by using Pauli corrections. Therefore, the main method we adopt is to pre-share the non-maximally entangled state |Θ12⟩=u|00⟩+v|11⟩(|u|2+|v|2=1) between the client and the server, where the first particle is owned by the client, and the second particle is owned by the server. After a series of operations, the P error is successfully corrected with a certain probability, and the T gate evaluation in the QHE scheme is realized. Next, we will give the specific process of the main method, which be minutely illustrated in Fig. 1 below.

Figure 1: Quantum circuit of T gate evaluation

At first, the client prepares a quantum state |ϕ0⟩=α|0⟩+β|1⟩. The secure encryption key is ek=(a,b)(a,b∈{0,1}). The client encrypts the initial quantum state by using QOTP and we will get |ϕ1⟩=XaZb|ϕ0⟩=XaZb(α|0⟩+β|1⟩) which then be sent to the server. The server performs T gate and outputs |ϕ2⟩=T|ϕ1⟩=TXaZb(α|0⟩+β|1⟩). Meanwhile, the non-maximally entangled state |Θ12⟩ is introduced. The server performs the CNOT gate with the second particle of |Θ12⟩ as the control qubit and |ϕ2⟩ as the target qubit. Then we will have |Λ⟩=(I⊗CNOT)(|Θ12⟩⊗|ϕ2⟩).The client performs the Pa operation and the Hgate on the first particle of the |Θ12⟩ in the hand, and the quantum state becomes |Ω⟩=(HPa⊗I⊗I)|Λ⟩=(HPa⊗CNOT)(|Θ12⟩⊗|ϕ2⟩). More specifically, if a=0, the quantum states in the circuit are as follows

(H⊗CNOT)(〈|Θ12⊗〈|ϕ2)=(H⊗CNOT)(u〈|00+v〈|11)⊗( α〈|0±eiπ4β〈|1 )=u⋅H〈|0〈|0(α〈|0±eiπ4β〈|1)+v⋅H〈|1〈|1(α〈|1±eiπ4β〈|0)=12[ u(〈|0〈|0+〈|1〈|0)(α〈|0±eiπ4β〈|1)+v(〈|0〈|1−〈|1〈|1)(α〈|1±eiπ4β〈|0) ].(4)

Similarly, if a=1, the quantum state obtained can be expressed as Eq. (5).

(HP⊗CNOT)(〈|Θ12⊗〈|ϕ2)=(HP⊗CNOT)(u〈|00+v〈|11)⊗( eiπ4α〈|1±β〈|0 )=u⋅HP〈|0〈|0( eiπ4α〈|1±β〈|0 )+v⋅HP〈|1〈|1( eiπ4α〈|0±β〈|1 )=12[ u(〈|0〈|0+〈|1〈|0)( eiπ4α〈|1±β〈|0 )+iv(〈|0〈|1−〈|1〈|1)( eiπ4α〈|0±β〈|1 ) ].(5)

Then the first and third particles in the |Ω⟩ are measured with the basis {|0⟩,|1⟩}, and we denote the corresponding outputs as y and r. The obtained quantum states will be in the following set which all hold up to an irrelevant global phase, namely {12(uα|0⟩±eiπ4vβ|1⟩),12(eiπ4uβ|0⟩±vα|1⟩)}. It can be seen that the quantum state of the entire system contains the uncertain values u and v. For the purpose of attaining the correct T gate evaluation results, the server prepares an auxiliary quantum state |0⟩aux and carries out the defined unitary operator, which is denoted as U=(I00Ua). The unitary matrix Ua=e−iπ2eiπ⋅n^⋅σ2, where n^=(1−u2/v2,0,u/v) and σ=(σx,σy,σz), and its calculation process is concretely given in [33]. Here we give the matrix expression form as follows,

U=[1000010000uv1−u2v2001−u2v2−uv].(6)

Without loss of generality, we take the 12(uα|0⟩+eiπ4vβ|1⟩) as an example to elaborate the operation which is shown in Eq. (7). Other quantum states also have a similar calculation process.

12U(uα|0⟩+eiπ4vβ|1⟩)⊗|0⟩aux=12(uα|0⟩|0⟩aux+eiπ4uβ|1⟩|0⟩aux+eiπ4v1−u2v2⋅β|1⟩|1⟩aux)=12[u(α|0⟩+eiπ4β|1⟩)⊗|0⟩aux+eiπ4v1−u2v2⋅β|1⟩⊗|1⟩aux](7)

At last, the auxiliary particle |0⟩aux is measured under the basis {|0⟩,|1⟩}. When the measurement result is |0⟩, the T gate evaluation is accomplished and the expected result can be obtained with a probability of u2/2. Otherwise, the P error cannot be corrected this time. Hence, we can see that our method verifies that the non-maximally entangled state can solve the obstacles in the homomorphic quantum computation of the T gate but at the expense of the probability of successfully correcting the P error. From the perspective of experimental implementation, our scheme can not only be true of the homomorphic evaluation of the universal quantum circuit, but is also more flexible in the choice of quantum resources.

3.2 Multiparty Quantum Homomorphic Encryption Scheme

In this subsection, we propose a secure MQHE scheme, which allows multiple clients to complete the evaluation of the universal quantum circuit on encrypted private data in parallel with the assistance of the almost dishonest server. In particular, the quantum circuit includes Clifford gates and a finite number of non-Clifford gates. The almost dishonest server in our scheme is the one with great computing capability, which will loyally perform quantum computations. It will not cooperate with clients to launch a collusion attack but will take the initiative to steal clients’ private data. At the same time, a trusted key center is introduced and responsible for the execution of the key generation algorithm, and updating the encryption key to obtain the decryption key.

Next, we will specifically describe our MQHE scheme. Assume that there are n(n≥2) clients which are denoted as Pi(i=1,2,⋯,n). Firstly, the server uses the measurement device independent quantum key distribution (MDI-QKD) protocol to distribute secure keys to multiple clients and the trusted key center, i.e., Charlie. Each client uses QOTP technology to encrypt their private data and sends it to the server. The expected quantum circuit is determined and sent to Charlie and the server simultaneously. Then, the server successively acts on the received quantum ciphertext according to the order of the quantum gates in the quantum circuit to complete the homomorphic evaluation while keeping the private data in the quantum ciphertext. And the result of the homomorphic evaluation is received by the client. Finally, according to the quantum circuit and the encryption key shared with each client, Charlie updates the encryption key through the key update rules to acquire the decryption key, which is transmitted to the corresponding client for decryption. The client decrypts to obtain the intended outcome of the quantum circuit acted on the quantum plaintext. The above process is depicted in Fig. 2 below.

The complete process of our scheme is illustrated by step as follows.

S1. Key generation. eki=(ai,bi)←MQHE.KeyGen, where ai,bi∈{0,1}, i∈{1,2,⋯,n}. There are clients Pi and Charlie randomly prepare one of the quantum states |0⟩, |1⟩, |+⟩, and |−⟩. Let |φpij⟩ denotes the j-th quantum state prepared by the i-th client, and |φcij⟩ denotes the quantum state prepared by Charlie. When Pi and Charlie transmit them to the server, they form j pairs of quantum states |φpij⟩|φcij⟩. The server performs joint Bell state measurement on |φpij⟩|φcij⟩ and returns the measurement results to both parties through a trusted and authenticated classical channel. According to the measurement results {|Φ±⟩pijcij,|Ψ±⟩pijcij}, Pi and Charlie retain the quantum state corresponding to the successful measurement and announce the preparation basis used. Only the quantum states with the same preparation basis are reserved. At this time, the key obtained is the sifted key. Finally, Pi and Charlie publishes a part of the sifted key to perform post-processing. If the error rate is lower than the set threshold, it is confirmed that there is no eavesdropper, the quantum channel between the two parties is secure. And in accordance with the agreed encoding rules, |0⟩ and |+⟩ are encoded as the classic bit “0”, |1⟩ and |−⟩ are encoded as the classic bit “1”. Whereupon, both parties can get the same security key which is of the form eki=(ai,bi).

Figure 2: Flow chart of the MQHE scheme

S2. Encryption. |ϕi1⟩=XaiZbi|ϕi0⟩←MQHE.Enceki(|ϕi0⟩). Pi has the quantum plaintext to be encrypted as |ϕi0⟩=αi|0⟩+βi|1⟩ and use eki in S1 as the encryption key of QOTP to execute the encryption algorithm. In the meantime, Pi determines the quantum circuit QCi containing m quantum gates Gd(d=1,2,…,m) to be performed on the quantum ciphertext, which is composed of {X,Z,H,P,CNOT,T}. After that, Pi transmits the quantum ciphertext |ϕi1⟩ and QCi to the server, and only sends QCi to Charlie. When QCi contains a T gate, the client should share the non-maximally entangled state, namely |Θi12⟩=ui|00⟩+vi|11⟩(|ui|2+|vi|2=1), with the server in advance.

S3. Homomorphic evaluation. QCi(XaiZbi|ϕi0⟩)←MQHE.EvalQCi(|ϕi1⟩). The form of the quantum ciphertext received by the server is as (Xa1Zb1⊗Xa2Zb2⊗⋯⊗XanZbn)|ϕ10⟩|ϕ20⟩⋯|ϕn0⟩. A server will faithfully perform operations on the corresponding quantum ciphertext according to the order of the quantum gates in QCi. When the quantum gate Gd∈{X,Z,H,P,CNOT}, it is directly applied to the encrypted qubits, and Charlie can update the encryption key in a direct way. When Gd=T, the server adopts the main method introduced in Section 3.1 to remove the P error and complete T gate evaluation, including the application of a CNOT gate, the introduction of an auxiliary particle |0⟩aux, the implementation of the defined unitary operator and the measurement. The client’s operation on the non-maximally entangled particle in his hands will be delayed until the decryption stage. After the homomorphic evaluation, the server returns the evaluated data to the corresponding client Pi.

S4. Decryption. QCi|ϕi0⟩←MQHE.Decdki(QCi(XaiZbi|ϕi0⟩)). In the final phase, Charlie updates the encryption key to acquire the decryption key, i.e., dki=(ai′,bi′), and sends it to Pi through the classical authenticated channel. Next, we show how the key is updated according to the key update rules.

(a) If Gd=X or Gd=Z, eki=(ai,bi)→updatedki=(ai,bi).

(b) If Gd=H, eki=(ai,bi)→updatedki=(bi,ai).

(c) If Gd=P, eki=(ai,bi)→updatedki=(ai,ai⊕bi).

(d) If Gd=CNOT, because CNOT is a two-qubit gate, both the control qubit and the target qubit need the encryption keys, namely eki=(ai,bi,ci,di), and the decryption key is dki=(ai′,bi′,ci′,di′). The corresponding key transformation is eki=(ai,bi,ci,di)→updatedki=(ai,bi⊕di,ai⊕ci,di).

(e) If Gd=T, the client operates on the first particle in the non-maximally entangled state, that is, (HPai⊗I)|Θ12⟩, where ai is the value of the X-encryption key obtained by the client in S1, and then measures this particle. In this case, the rule for updating the encryption key requires two measurement results after the evaluation of the T gate, namely yi and ri, then there is eki=(ai,bi)→updatedki=(ai⊕ri,ai⊕bi⊕airi⊕yi).

In the end, Pi uses the decryption key to decrypt the evaluated data, and acquire the homomorphic evaluation of the quantum circuit acting on the quantum plaintext |ϕi0⟩.

Through the description of the above scheme, we propose a novel MQHE scheme, which enables any number of clients to request homomorphic quantum computations from the almost dishonest but computationally capable server in parallel. The server implements homomorphic evaluation of the universal quantum circuit including a limited number of T gate while ensuring the perfect security of private data. In short, our scheme completes the secure homomorphic evaluation of multi-party quantum private data in a non-interactive way and guarantees key security through the trusted key center. From the perspective of simplifying the experimental implementation, we choose the pre-shared non-maximally entangled state to solve the difficult problems and guarantee the correctness of the proposed scheme.

4  Security Analysis

This section will discuss the security of our MQHE scheme in different aspects, mainly from the outside attack and inside attack. An outside attack means that an external eavesdropper attempts to grab the private data. An inside attack means that an attack initiated by the client, server, and key center.

4.1 Outside Attack

On the one hand, this scheme uses the MDI-QKD protocol to ensure the security of the key for possible security loopholes when the server performs measurement during the key distribution process. On the other hand, the QOTP technology is utilized to encrypt private data, thereby minimizing the risk of data leakage to guarantee the security of private data. According to the four stages of the QHE scheme, we specifically analyze and prove that our scheme can resist outside attacks.

Initially, the security of the key generation stage is analyzed. In our scheme, the distribution of quantum keys adopts the MDI-QKD protocol. It can resist the attack of the external eavesdropper Eve that has been rigorously proved in [34]. The device independence means that the security of the protocol does not depend on the actual measurement device, which is consistent with the security assumption that the server is almost dishonest in the proposed scheme. When the server sends the results of Bell state measurement to Pi and Charlie, there is an active interception behavior by Eve. Suppose |Φ+⟩pijcij=12(|00⟩+|11⟩) is intercepted, and since 12(|00⟩+|11⟩)=12(|++⟩+|−−⟩), Eve can only judge that Pi and Charlie have randomly prepared the same quantum state this time, and cannot effectively distinguish whether the quantum state is prepared in Z basis {|0⟩,|1⟩} or X basis {|±⟩=12(|0⟩±|1⟩)}. In addition, when performing post-processing on the sifted key, Pi and Charlie analyze whether there is an eavesdropper according to the error rate. The final key is secure and random, making Eve unable to accurately infer the genuine value of the key. Therefore, the key generation stage can resist outside attacks.

Then, in the encryption stage, each client has only access to their original private data and uses the secure key as the Pauli key to encrypt the private data in combination with the QOTP method. It is an asymmetric encryption method that uses random keys makes the encrypted quantum ciphertext in a totally mixed state. The effective information cannot be obtained by Eve without the correct key so that the security of private data is guaranteed in the transmission process. Now, we prove the aforesaid conclusion.

Proof. Define ρ to be a quantum plaintext and σ to be the quantum ciphertext. The encryption operator of QOTP is denoted with XαiZβi, where Xαi=⊗k=1nσxαi(k)(αi(k)∈{0,1}) and Zβi=⊗k=1nσzβi(k)(βi(k)∈{0,1}). As well as Xαi means whether to apply σx according to the classical bit at the k-th position in the n cbits string αi, namely the value of αi(k). The same goes for Zβi. The Eq. (8) is obtained below.

σ=∑i(XaiZbi)|ϕi0⟩⟨ϕi0|(ZbiXai)=122n∑αi,βi∈{0,1}n(⊗t=1nσxαi(k)σzβi(k))ρ(⊗t=1nσzβi(k)σxαi(k))=122n∑αi,βi∈{0,1}nXαiZβiρZβiXαi=I2n2n(8)

It can be seen that the quantum plaintext is mapped to the same output density matrix I2n/2n. If Eve intercepts the quantum ciphertext, he is ignorant of any information about the quantum input state without knowing the key. It is impossible for Eve to distinguish the plaintext state owned by each client Pi, so as to ensure the security of private information in the encryption stage. Similarly, in the homomorphic evaluation stage, after the server applies Gd∈{X,Z,H,P,CNOT,T} to the quantum ciphertext according to the MQHE scheme, the evaluated quantum state is still a completely mixed state. If the results of the homomorphic evaluation cannot be decrypted, it is unaware for Eve to get the specific content of the universal quantum circuit operating on the original quantum plaintext. So, the homomorphic evaluation can also be immune to outside attacks.

Finally, in the decryption stage, the trusted key center renews the decryption key according to the secure encryption key obtained in S1, the quantum gate used in the quantum circuit in S2, and the key update rule given in S4. The decryption key is sent to Pi through the trusted and authenticated classical channel. As time goes by, the key is irregular, so the adversary cannot get valid content about the decryption key. To conclude, the encryption and decryption keys have good performance in terms of security.

Through the discussion in this section, our MQHE scheme can securely against outside attacks, thereby protecting any information about private data and keys from being leaked.

4.2 Inside Attack

Clients, servers, and trusted key centers are the main participants in the scheme. If an inside attack is launched, it may pose a serious security threat to the cryptographic scheme. Without loss of generality, suppose there exists a dishonest client Pe(1≤e≤n) that wants to steal private data from n−1 honest clients and intercepts the quantum state sent by one of them during transmission, but Pe cannot possess the key of the honest client. In our scheme setting, with the assistance of the server, each client acquires a secure key by exploiting the MDI-QKD protocol to encrypt private data. The process of executing the encryption algorithm does not involve the help of other parties. Hence, in addition to using their own keys and operations to process private data, the clients have neither interaction with other clients, nor the authority to access other clients’ data or keys.

As an almost dishonest third-party server, there is data exchange with the client, and it can faithfully complete the homomorphic evaluation of the universal quantum circuit without colluding with the malicious client. Unfortunately, the server will evade eavesdropping detection and try to grab the private data. In our scheme, both the encrypted data and the evaluated data are in a completely mixed state and have information-theoretic security. If the server eavesdrops on the quantum channel in the transmission, it will be treated as an outside attacker and unable to extract meaningful information by the means of the outside attack. In QOTP, all keys are randomized and used only once. The security of the key distribution is guaranteed by the MDI-QKD protocol. The replication and retransmission of the quantum state by a malicious server will introduce errors with a certain probability and may be monitored in the post-processing step of the key. In other words, the server cannot infer the value of the key.

The trusted key center, Charlie, introduced in our scheme, is responsible for cooperating with each client to realize the secure distribution of the encryption key, and updating the correct decryption key depending on the quantum circuit and key update rules. Charlie will honestly abide by the requirements of the MQHE scheme, and will not disclose the encryption and decryption keys to anyone other than Pi. Not only the process of the key renewing but also the details of the quantum circuit are kept confidential and will not disclose. At the same time, Charlie will not be affected by any attacker who attempts to illegally get the Pi’ private data or the quantum circuit. It further guarantees that the private data and keys are secure. Therefore, our scheme has the ability to resist the participant’ attack and third-party’ attack.

In summary, it is demonstrated that the proposed MQHE scheme is good at security in terms of private data and keys, and has outstanding performance in resisting outside and inside attacks.

5  Conclusions

This paper presents a secure MQHE scheme. On the one hand, the non-maximally entangled state is used to tackle the computational issues of T gate evaluation that relaxes the technical requirements for implementation of the universal quantum circuit evaluation. On the other hand, drawing on the idea of secure multi-party quantum computation, we expand the application scenario of the QHE scheme and propose a workable scheme that multiple clients request a homomorphic evaluation from the third-party server in parallel, reflecting the significant advantages of QHE in protecting private data. In addition, the trusted key center is employed to ensure the security of key distribution and the encryption and decryption keys, so that the scheme performs well in terms of correctness and security. What’s more, we hope that the constructed scheme can inspire the application of the QHE scheme in secure multi-party computation scenarios, making it possible to transmit large-scale quantum information safely and efficiently.

Funding Statement: This work was supported by the Open Fund of Advanced Cryptography and System Security Key Laboratory of Sichuan Province (Grant No. SKLACSS-202101), NSFC (Grant Nos. 62176273, 61962009), the Foundation of Guizhou Provincial Key Laboratory of Public Big Data (No. 2019BDKFJJ010, 2019BDKFJJ014), the Fundamental Re-search Funds for Beijing Municipal Commission of Education, Beijing Urban Governance Re-search Base of North China University of Technology, the Natural Science Foundation of Inner Mongolia (2021MS06006), Baotou Kundulun District Science and technology plan project (YF2020013), and Inner Mongolia discipline inspection and supervision big data laboratory open project fund (IMDBD2020020).

Conflicts of Interest: The authors declare that they have no conflicts of interest to report regarding the present study.

This work is licensed under a Creative Commons Attribution 4.0 International License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.