Quantum Fully Homomorphic Encryption by Integrating Pauli One-time Pad with Quaternions

Quantum fully homomorphic encryption (QFHE) allows quantum circuits to be evaluated on encrypted data. We present a novel QFHE scheme, which extends Pauli one-time pad encryption by relying on the quaternion representation of SU(2). With the scheme, evaluating 1-qubit gates is more efficient, and evaluating general quantum circuits is polynomially improved in asymptotic complexity. Technically, a new encrypted multi-bit control technique is proposed, which makes it possible to perform any 1-qubit gate whose parameters are given in encrypted form. With this technique, we establish a conversion between the new encryption and the previous Pauli one-time pad encryption, bridging our QFHE scheme with previous ones. This technique is also useful for private quantum circuit evaluation. The security of the scheme relies on the hardness of the underlying quantum-capable FHE scheme, which in turn bases its security on the learning with errors problem and the circular security assumption.


Introduction
A fully homomorphic encryption (FHE) scheme is an encryption scheme that allows a third party holding only the ciphertexts to evaluate any efficiently computable circuit on the corresponding plaintexts. As the quantum counterpart, quantum FHE (QFHE) allows a client to delegate quantum computation on encrypted plaintexts to a quantum server, in particular when the client outsources the computation to a quantum server while hiding the plaintext data from the server.
There are two main differences between quantum FHE and classical FHE. First, in QFHE, the plaintexts are quantum states (or qubits), rather than classical bits. Second, in QFHE, the homomorphic operations are quantum gates, rather than arithmetic ones. Since it is possible to simulate arbitrary classical computation in the quantum setting, a QFHE scheme can perform any computation task that runs on a classical FHE, but not vice versa. From this point of view, QFHE is a more general framework. It has drawn a lot of attention in the last decade, e.g., [1,2,3,4,5,6,7].
Previous Works. In 2015, Broadbent and Jeffery [2] proposed a complete QHE scheme based on quantum Pauli one-time pad encryption. Specifically, they encrypted every single qubit of a quantum state (plaintext) with a random Pauli gate (called Pauli one-time pad [8]), then encrypted the two classical bits used to describe the Pauli pad with a classical FHE, and considered homomorphic evaluations of the universal gates {Clifford gates, T-gate} for quantum computation. They showed that the evaluation of a Clifford gate can be easily done by public operations on the quantum ciphertext and the classical encrypted bits of the pad; the latter makes use of the homomorphic property of classical FHE. They also showed two different approaches to evaluating the non-Clifford gate T, at the cost of the ciphertext size (or depth of decryption circuit) growing with the number of supported T-gates, yielding a QHE for circuits with a constant number of T-gates. Since then, how to efficiently evaluate the non-Clifford gate has been a key issue.
In 2016, Dulek, Schaffner and Speelman [4] introduced some special quantum gadgets for achieving the evaluation of the T-gate, where each gadget is neither reusable nor duplicable due to its quantum property. Their scheme requires the client to generate a number of quantum gadgets proportional to the number of T-gates to be evaluated, allowing quantum computation to be outsourced privately and compactly at the cost of additional preparation of a quantum evaluation key. In comparison with [2], the dependence on the number of non-Clifford gates is transferred from the ciphertext size (or depth of decryption circuit) to the quantum key.
In 2018, Mahadev proposed the first QFHE scheme with a fully classical key generation process, which reduced the requirement for the quantum capability on the client, so that the client can be completely classical. This scheme used the Pauli one-time pad encryption, and evaluated the universal gates {Clifford gates, Toffoli-gate}. To evaluate a Toffoli gate, Mahadev proposed a revolutionary technique called controlled-CNOT operation, which makes it possible to implement a controlled-CNOT gate while keeping the control bit private. With a new approach to evaluating non-Clifford gates, the scheme of [5] satisfies the compactness requirement of fully homomorphic encryption, and meanwhile there is no longer an explicit bound on the number of supported non-Clifford gates.
One particular requirement of Mahadev's encrypted CNOT operation is that the control bit must be encrypted by an FHE scheme of exponential modulus and equipped with a trapdoor. Later in 2018, Brakerski [1] improved Mahadev's work by proposing an alternative approach to realize the encrypted CNOT operation, where the underlying FHE was significantly simplified by reducing the exponential modulus to polynomial modulus, and where the requirement of a trapdoor was also removed. Due to the polynomial noise ratio of the underlying FHE, Brakerski's QFHE scheme achieves a higher level of security, which matches the best-known security for classical FHE, up to polynomial factors. Also, Brakerski showed a close connection between the quantum homomorphic evaluation and the circuit privacy of classical FHE.
As pointed out in [1], one of the most promising applications of QFHE in anticipation is private outsourcing of quantum computation. Improving the efficiency of evaluation is a fundamental question in the studies on homomorphic encryption. In this paper, we focus on improving the efficiency of evaluating quantum algorithms (circuits).
Usually, quantum algorithms (gate-level circuits) are designed by using single-qubit gates and controlled gates (CNOT), such as the famous quantum Fourier transform (cf. Figure 1). When evaluating "1-qubit+CNOT"-style quantum algorithms with existing "Clifford+non-Clifford"-style QHE schemes, e.g., [2,4,5,1], it is required to first decompose each evaluated 1-qubit gate into Clifford/non-Clifford gates, and then to evaluate them one by one (each evaluation requires performing at least 1 quantum gate). Practically, in average cases, tens of thousands of Clifford/non-Clifford gates are required to approximate a 1-qubit gate within a few bits of precision [9]. So we ask whether it is possible to design a QFHE scheme that evaluates 1-qubit gates, and thus quantum algorithms, more conveniently and efficiently, particularly as measured in terms of the quantum cost.
This inconvenience in evaluating 1-qubit gates essentially derives from the small pad space of the encryption scheme. One idea for improvement is to enlarge the pad space from the Pauli group to the group SU(2), relying on the notion of approximate computation. This notion, useful for classical FHE [10], has recently been used in the QFHE setting [5]. We design a new QFHE scheme based on the above idea, where an important issue addressed is evaluating the CNOT gate in the much more complicated pad setting. Interestingly, our work also provides a tool that allows hiding the evaluated 1-qubit gate from the server. It may be useful for private circuit evaluation in the quantum setting [11,12,13].
Our Contributions. We design a new QFHE scheme, which is based on a generalized one-time pad encryption method, called the quaternion one-time pad encryption. We call our quantum ciphertext the quaternion one-time pad encrypted state (QOTP-encrypted state), in contrast to the Pauli one-time pad encrypted state (Pauli-encrypted state) used in [2]. Our scheme has several properties as follows:
• Efficiency. The cost of evaluating single-qubit gates is completely classical and not expensive compared to previous QFHE schemes.
With previous "Clifford+non-Clifford" QFHE schemes, evaluating a general 1-qubit gate within a specific precision requires to evaluate a sequence of Clifford and non-Clifford gates of length O(log 2 1 ) (by the optimal Solovay-Kitaev algorithm 1 ), which requires to perform at least O(log 2 1 ) 1-qubit quantum gates; in comparison, using our scheme only requires to classically homomorphically compute a simple degree-2 polynomial function in O(log 1 )-bit numbers, cf. (2.14).
Practically, in the average case, a sequence of Clifford+T gates of length 25575 is required to approximate a general element of SU(2) within 0.0443 trace distance [9]; in contrast, a 14-bit gate key can represent any element of SU(2) within $\frac{1}{2^{12.5}}$ $L^2$-distance, cf. Lemma 5.3, which guarantees a trace distance of no more than $\frac{1}{2^{5}} = 0.0315$, cf. (2.3).
• Privacy. Our scheme achieves the private 1-qubit gate evaluation.
In our scheme, the server only needs to know the encryption of the 1-qubit gate to be evaluated. In contrast, previous schemes require each evaluated gate to be applied in an explicit way.
Roughly speaking, the overhead of transforming a QOTP-encrypted state to its Pauli-encrypted form in precision is only a fraction O( 1 log 1 ) of that of evaluating a general 1-qubit gate in the same precision using the previous QFHE scheme of [5], cf. 'Efficiency Comparison' in Section 5.
In comparison with the previous "Clifford+non-Clifford"-style QFHE schemes, our scheme is less costly in evaluating 1-qubit gates, but more costly in evaluating CNOT gates. For evaluating quantum circuits consisting of a fraction p of CNOT gates and a fraction (1 − p) of 1-qubit gates within the precision negl(λ), the complexity advantage of our scheme over the previous ones is $O\left(\frac{(1-p)\lambda^2}{p\lambda}\right) = O(\lambda)$, when the constant p is away from both one and zero. Therefore, except for the extreme case where there are overwhelmingly many CNOTs and a negligible number of 1-qubit gates, our scheme is polynomially better asymptotically, cf. Section 5.
Moreover, by the conversion between our new QFHE scheme and previous "Clifford+non-Clifford" QHE schemes [2,4,5,1], one can evaluate quantum circuits in a hybrid way, which may be more efficient than using a single scheme: parts of circuits mainly consisting of Clifford gates (or easily approximated by Clifford gates) can be evaluated in the Pauli one-time pad setting; parts containing single-qubit gates that are difficult to approximate can be evaluated in the QOTP setting.
The second contribution of this work is a new technique called encrypted conditional rotation (encrypted-CROT), which allows the server to perform (up to a Pauli mask) any 1-qubit unitary operator whose parameters are given in encrypted form, cf. Theorem 3.5. This technique can bring the following benefits:
• It provides an approach to private 1-qubit gate evaluation for the QHE schemes based on the Pauli one-time pad.
To be more explicit, this technique allows the server to perform any 1-qubit gate whose parameters are given in encrypted form, and the introduced Pauli mask can be merged with the encryption pad.
• It can be used in the QHE scheme of [2] towards constructing a "Clifford +T"-style QFHE scheme, cf. Remark 3.3.
It provides a meaningful alternative to the "Clifford+Toffoli"-style QFHE of [5], because although any non-Clifford gate, together with the Clifford group, is universal for quantum computation, the efficiency of approximating a particular quantum gate with different non-Clifford gates is different. In practice, the 1-qubit-level T-gate is a more popular choice than the 3-qubit-level Toffoli gate as the representative element of non-Clifford gates [14,15,9].
• It makes it possible to transform a QOTP-encrypted state into its Pauli-encrypted form.
To the best of our knowledge, this work enriches the family of QFHE schemes by providing the first one that is not of "Clifford+non-Clifford" style. Due to the absence of the Clifford gate decomposition, the scheme avoids some difficulties in its (practical) implementation, but possibly loses some potential advantages in error correction or fault tolerance. With the conversion between these QFHE schemes, it is possible to exploit their respective strengths, and provide diverse options for evaluating distinct quantum circuits. This work also provides a useful tool for private circuit evaluations in the quantum setting.

Technical Overview.
Our basic idea to improve the efficiency is to avoid decomposing a 1-qubit gate into numerous Clifford+non-Clifford gates during the evaluation process. This idea is hard to realize in the previous Pauli one-time pad setting, and we show why. In the QHE scheme based on the Pauli one-time pad, traced back to [2], a 1-qubit state (plaintext) is encrypted in the form $X^a Z^b|\psi\rangle$, where X, Z are Pauli matrices, and the Pauli keys a, b ∈ {0, 1} are also encrypted by using a classical FHE. Any Clifford gate can be easily evaluated in this setting. Now, we use U(α, β, γ) to denote a 1-qubit gate U in Euler angle representation, i.e., α, β, γ ∈ [0, 1), known as (scaled) Euler angles. To evaluate a 1-qubit gate U(α, β, γ), by the conjugate relation between the 1-qubit gate U(α, β, γ) and Pauli pads $X^a Z^b$, i.e., it seems sufficient to directly perform the operator $U\big((-1)^a\alpha, (-1)^{a+b}\beta, (-1)^a\gamma\big)$ on the encrypted state. Unfortunately, things are not so simple. We have ignored the fact that the parameters of this operator depend on the secret keys a, b, which the server is not allowed to know. Indeed, even realizing a simple operation with a private 1-bit parameter takes a lot of effort (cf. CNOT x of [5]). On the other hand, we observe that the ease of evaluating Clifford gates comes from the Pauli pad, since the encrypted pad keys make private Pauli operators possible. If we choose the pad among all single-qubit unitary gates, then it will be easy to evaluate any 1-qubit gate; below, we call this new one-time pad encryption scheme the quaternion one-time pad encryption (QOTP). Specifically, to evaluate a 1-qubit gate V on a QOTP-encrypted state $U|\psi\rangle$, it suffices to update the one-time pad from U to $UV^{-1}$, since $U|\psi\rangle = UV^{-1}(V|\psi\rangle)$. This update can be easily done by classical FHE computations on encrypted pad keys, cf. Section 4.2.
Still, things are not so simple. Indeed, in the QOTP setting, the evaluation of CNOT gate (necessary for universal quantum computation) is not easy: similar to the case of (1.2), the 2-qubit-level CNOT gate does not preserve the pad space SU(2)×SU(2) by conjugation, and the problem seems to be more complicated than before, since it is now on a 2-qubit system. Looking closely, we find that this problem can be solved in a relatively simple way by going back to the 1-qubit system.
Our solution is to rely on a conversion between QOTP and Pauli one-time pad. Specifically, we want to be able to transform a QOTP-encrypted state, together with the encrypted pad key, into a Pauli-encrypted form. This makes it easy to evaluate the CNOT gate on the converted ciphertext, and the resulting Pauli-encrypted state is naturally in QOTP-encrypted form.
Transforming a QOTP-encrypted state to its Pauli-encrypted form is highly nontrivial. In fact, this means evaluating the decryption circuits of QOTP in the Pauli one-time pad setting, similar to the implementation of bootstrapping in classical FHE. However, apart from the hard-to-use information-theoretically secure quantum ciphertexts, the only thing we can use here for bootstrapping is the encrypted pad keys. Current QFHE techniques that take one encrypted bit as control are insufficient for utilizing an encrypted multi-bit pad key. To achieve the desired conversion, we develop a new technique.
Key Technique. The new technique is an encrypted multi-bit control technique, which makes it possible to implement (up to a Pauli matrix) any 1-qubit gate whose parameters are given in encrypted form. To see the transformation functionality of this technique, given a QOTP encryption $U(\alpha, \beta, \gamma)|\psi\rangle$ and the encrypted pad key Enc(α, β, γ), performing $U(\alpha, \beta, \gamma)^{-1}$ on the QOTP encryption will output the state $|\psi\rangle$ in Pauli-encrypted form.
As for the implementation of the technique, by the Euler representation (1.1), the key is to implement an operation that performs any rotation $R_\alpha$ whose angle α is given in encrypted form. We call such an operation the encrypted-CROT. Below, we outline how to achieve it.
Inspired by the fact that the conditional rotation is realized by successive 1-bit controlled rotations, i.e., R −1 , we first consider the implementation of the encrypted 1-bit controlled rotation. By the idea of [5] for achieving the encrypted 1-bit controlled CNOT operation, we show that it is possible to implement the encrypted 1-bit controlled rotation of arbitrary rotation angle ω ∈ [0, 1), up to a Pauli matrix and a rotation of double angle 2ω. Unlike Mahadev's encrypted-CNOT, there is an additional random rotation $R_{2\omega}^{d}$ (with random bit d ∈ {0, 1}) that is introduced to the output state. Although such a rotation is undesired, it also serves as a mask to protect the output and is necessary for security, making it difficult to remove directly. Looking closely, in the multi-bit case, we observe that these undesired rotations can be removed gradually by relying on the implementation structure of the multi-bit conditional rotation.
Specifically, to realize the Enc(α)-controlled rotation $R_\alpha^{-1}$, given the encrypted angle Enc(α), first use as control the encrypted least significant bit $\alpha_m$ to perform the encrypted 1-bit controlled rotation $R_{2^{-m}}^{\alpha_m}$. The resulting undesired rotation is of angle $2^{-(m-1)}$, and can then be merged with the controlled rotations in the waiting list; this merging is done by homomorphic evaluations on encrypted pad keys. Using an iterative procedure, we are able to realize the desired rotation $R_\alpha^{-1}$, and the undesired rotation is of an angle finally growing to 1/2, becoming a Pauli mask.
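The bookkeeping of this iteration can be followed in a plaintext model. The Python sketch below is an added example, not code from the paper: nothing is encrypted, the random bits of each 1-bit step are drawn in the clear, and it assumes R_w = diag(1, exp(2πi·w)), so that rotations compose by adding angles mod 1 and R_{1/2} = Z. The helper names are hypothetical.

```python
# Added example: plaintext bookkeeping for the encrypted-CROT iteration.
# Assumption (not stated on this page): R_w = diag(1, exp(2*pi*i*w)), so
# rotations compose by adding angles mod 1 and R_{1/2} = Z.
from fractions import Fraction
import random


def one_bit_step(ctrl, w, rng):
    """Model one encrypted 1-bit controlled rotation (hypothetical helper).

    The state receives the intended R_w^{-ctrl}, a Pauli mask Z^{d1} and the
    undesired double-angle rotation R_{2w}^{d2}, with d1, d2 random bits.
    Returns the total angle applied (mod 1) and the bits (d1, d2).
    """
    d1, d2 = rng.randint(0, 1), rng.randint(0, 1)
    angle = (-ctrl * w + d2 * 2 * w + Fraction(d1, 2)) % 1
    return angle, d1, d2


def crot(alpha_bits, rng):
    """Realize R_alpha^{-1} up to a Z mask, least significant bit first.

    alpha_bits = [a_1, ..., a_m] with alpha = sum_j a_j * 2^-j.
    Returns (angle applied to the state mod 1, Pauli mask bit, trace).
    """
    m = len(alpha_bits)
    # Waiting list: the bits still to be used as controls, as an integer.
    pending = 0
    for bit in alpha_bits:
        pending = (pending << 1) | bit
    applied, mask, trace = Fraction(0), 0, []
    for j in range(m, 1, -1):
        ctrl = pending & 1                      # current least significant bit
        angle, d1, d2 = one_bit_step(ctrl, Fraction(1, 2 ** j), rng)
        applied = (applied + angle) % 1
        mask ^= d1
        # Drop the used bit and merge the undesired rotation of angle
        # 2^-(j-1) into the waiting list. In the scheme this addition is a
        # homomorphic evaluation on encrypted bits; here it is in the clear.
        pending = ((pending >> 1) + d2) % (1 << (j - 1))
        trace.append((j, ctrl, d1, d2, pending))
    # The last pending bit has weight 1/2, i.e. it is a Z gate: it is not
    # applied but absorbed into the Pauli mask.
    mask ^= pending
    return applied, mask, trace


def alpha_of(bits):
    """Exact value of the m-bit angle alpha."""
    return sum(Fraction(b, 2 ** (j + 1)) for j, b in enumerate(bits))


def check(alpha_bits, seed):
    """True if the state received exactly Z^mask * R_alpha^{-1}."""
    applied, mask, _ = crot(alpha_bits, random.Random(seed))
    expected = (-alpha_of(alpha_bits) + Fraction(mask, 2)) % 1
    return applied == expected


if __name__ == "__main__":
    bits = [1, 0, 1, 1]  # constructed sample: alpha = 11/16
    applied, mask, trace = crot(bits, random.Random(0))
    for row in trace:
        print("j=%d ctrl=%d d1=%d d2=%d pending=%d" % row)
    print("applied angle:", applied, "Z mask bit:", mask)
```

Exact rational arithmetic makes the final identity an equality rather than a numerical approximation.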
While the above implementation of encrypted-CROT relies on the Euler angle representation of SU(2), we observe that the quaternion representation of SU(2) provides an arithmetic circuit implementation of much smaller depth for the product in SU(2), more consistent with our main purpose of speeding up the evaluation of 1-qubit gate. So, in the QOTP encryption scheme, we use the quaternion-valued pad key, and the corresponding Euler angles of the pad can be obtained by classical homomorphic computations.
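The pad update from U to UV^{-1} described above becomes a single quaternion product once the pad key is a unit 4-vector. The following Python sketch is an added example, not the paper's code: keys are handled in the clear, and it assumes the indexing U_t = t1·I + t2·(iX) + t3·(iZ) + t4·(iY), which matches the basis σ1 = iX, σ2 = iZ, σ3 = iY used in this paper but whose ordering is chosen here. It also rounds the updated key to k fractional bits to show the effect of a finite-precision key.

```python
# Added example: QOTP pad update with quaternion keys (keys in the clear).
# Assumption: t = (t1, t2, t3, t4) indexes
#   U_t = t1*I + t2*(iX) + t3*(iZ) + t4*(iY).
import math
import random


def unit_quaternion(rng):
    """Sample a point on the unit 3-sphere S^3."""
    v = [rng.gauss(0, 1) for _ in range(4)]
    n = math.sqrt(sum(x * x for x in v))
    return tuple(x / n for x in v)


def q_mul(p, q):
    """Hamilton product; every output coordinate is a degree-2 polynomial."""
    a1, b1, c1, d1 = p
    a2, b2, c2, d2 = q
    return (
        a1 * a2 - b1 * b2 - c1 * c2 - d1 * d2,
        a1 * b2 + b1 * a2 + c1 * d2 - d1 * c2,
        a1 * c2 - b1 * d2 + c1 * a2 + d1 * b2,
        a1 * d2 + b1 * c2 - c1 * b2 + d1 * a2,
    )


def q_inv(q):
    """The inverse of a unit quaternion is its conjugate."""
    a, b, c, d = q
    return (a, -b, -c, -d)


def to_matrix(t):
    """2x2 matrix of U_t under the assumed indexing."""
    t1, t2, t3, t4 = t
    return ((complex(t1, t3), complex(t4, t2)),
            (complex(-t4, t2), complex(t1, -t3)))


def apply(m, psi):
    """Apply a 2x2 matrix to a 1-qubit state vector."""
    return (m[0][0] * psi[0] + m[0][1] * psi[1],
            m[1][0] * psi[0] + m[1][1] * psi[1])


def dist(u, v):
    """Euclidean distance between two state vectors."""
    return math.sqrt(sum(abs(x - y) ** 2 for x, y in zip(u, v)))


def fixed_point(t, k):
    """Round each key coordinate to k fractional bits."""
    return tuple(round(x * 2 ** k) / 2 ** k for x in t)


def demo(seed=1, k=14):
    """Evaluate a gate V on U_t|psi> by updating the key only.

    Returns (error with the exact key, error with the k-bit rounded key),
    both measured against V|psi> after decryption.
    """
    rng = random.Random(seed)
    s = unit_quaternion(rng)
    psi = (complex(s[0], s[1]), complex(s[2], s[3]))  # constructed plaintext
    t = unit_quaternion(rng)                          # pad key
    v = unit_quaternion(rng)                          # gate to evaluate
    cipher = apply(to_matrix(t), psi)                 # U_t |psi>
    new_key = q_mul(t, q_inv(v))                      # pad becomes U V^{-1}
    target = apply(to_matrix(v), psi)                 # V |psi>
    exact = apply(to_matrix(q_inv(new_key)), cipher)
    rounded = apply(to_matrix(q_inv(fixed_point(new_key, k))), cipher)
    return dist(exact, target), dist(rounded, target)


if __name__ == "__main__":
    print(demo())
```

The ciphertext is never touched during the evaluation; with a k-bit key each coordinate is off by at most 2^-(k+1), so the decrypted state is within 2^-k of V|ψ⟩ in this model.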
The encrypted-CROT technique is useful. It can make the QHE of [2] a QFHE. Specifically, the main problem in [2] is to evaluate the non-Clifford gate T, as defined in (2.25), on the Pauli-OTP encrypted state $X^a Z^b|\psi\rangle$. By the conjugate relation $T X^a Z^b = P^a X^a Z^b T$, after performing T on $X^a Z^b|\psi\rangle$, the server still needs to correct $P^a$. A simple implementation of the operator $P^a$ may reveal the secret Pauli key a. Now with the encrypted-CROT, it is possible to perform the controlled phase gate $P^a$ (i.e., rotation of angle a/4) with the control bit a given in encrypted form; see Remark 3.3 for more details.
Also, the encrypted-CROT enables private 1-qubit gate evaluation in the Pauli-OTP setting. To evaluate a 1-qubit gate V privately on some Pauli-encrypted state $Z^a X^b|\psi\rangle$, when given the encrypted parameters of the unitary operator $V X^{-b} Z^{-a}$, using the encrypted-CROT makes it possible to prepare the desired state $V|\psi\rangle$ in Pauli-encrypted form.
In comparison with the scheme in [5], our QFHE scheme avoids the Clifford decomposition of 1-qubit gates during evaluations, while the 1-qubit pads still need to be split into many 1-bit rotations to achieve encrypted-CROT when evaluating CNOT gates. This eventually leads to an improvement in the asymptotic complexity of evaluating general circuits, as analyzed in detail in Section 5. Intuitively, the improvement relies on the simple fact that using O(λ)-bit binary parameters suffices to describe a 1-qubit gate within approximation error $\frac{1}{2^{\lambda}}$, while approximating a 1-qubit gate to the same accuracy requires, in the average case, $O(\lambda^2)$ T-gates by the best known algorithms. At a high level, our QFHE harnesses the efficiency advantage of binary decomposition over Clifford decomposition. In practice, finding the binary decomposition is also much easier than finding the Clifford decomposition.

Paper Organization
We begin with some preliminaries in Section 2. Section 3 presents the encrypted multi-bit control technique, the main technique of this paper. Section 4 provides the QOTP encryption scheme and methods for performing homomorphic evaluations on QOTP-encrypted states. In Section 5, we present a new QHE scheme, show that it is a leveled QFHE, and make an efficiency comparison between the new QFHE and the previous QFHE in [5].

Notation
A negligible function f = f(λ) is a function in a class negl(·) of functions, such that for any polynomial function P(λ), it holds that lim . For all q ∈ N, let $\mathbb{Z}_q$ be the ring of integers modulo q with the representative elements in the range $(-q/2, q/2] \cap \mathbb{Z}$. We use i to denote the imaginary unit, and use I to denote the identity matrix whose size is obvious from the context. We use $S^3 = \{t \mid \|t\|_2 = 1,\ t \in \mathbb{R}^4\}$ to denote the unit 3-sphere. The $L^2$-norm of vector $a = (a_j)$ is denoted by For a qubit system that has probability $p_i$ in state $|\psi_i\rangle$ for every i in some index set, the density matrix is defined by $\rho = \sum_i p_i |\psi_i\rangle\langle\psi_i|$.
H-distance and trace distance. Let X be a finite set. For two quantum states $|\psi_1\rangle = \sum_{x\in X} f_1(x)|x\rangle$ and $|\psi_2\rangle = \sum_{x\in X} f_2(x)|x\rangle$, the H-distance between them is The trace distance between two normalized states $|\psi_1\rangle$ and $|\psi_2\rangle$ is If $|\psi_1\rangle$ and $|\psi_2\rangle$ are pure states, their H-distance and trace distance are related as follows (cf. Thm 9.3.1 in [17]):

3)
where $|\psi_1 - \psi_2\rangle$ denotes $|\psi_1\rangle - |\psi_2\rangle$, and the last inequality is by the Cauchy-Schwarz inequality.
Discrete Gaussian distribution. The discrete Gaussian distribution over $\mathbb{Z}_q$ with parameter B ∈ N ($B \le \frac{q}{2}$) is supported on $\{x \in \mathbb{Z}_q : |x| \le B\}$ and has density function For m ∈ N, the discrete Gaussian distribution over $\mathbb{Z}_q^m$ with parameter B is supported on $\{x \in \mathbb{Z}_q^m : \|x\|_\infty \le B\}$ and has density
Pauli matrices. The Pauli matrices X, Y, Z are the following 2 × 2 unitary matrices: The Pauli group (on 1-qubit) is generated by Pauli matrices. Any element in the group can be written (up to a global phase) as $X^a Z^b$ where a, b ∈ {0, 1}.

Representation of Single-qubit Gate
Any single-qubit gate can be represented by a 2 × 2 unitary matrix. We restrict our attention to the special unitary group SU(2), i.e., the group consisting of all 2 × 2 unitary matrices with determinant 1, since any 2 × 2 unitary matrix can be written as the product of an element of SU(2) with a global phase factor, the latter being unimportant and unobservable by physical measurement (cf. Section 2.27 in [18]). We first present the quaternion representation of SU(2). Recall from (2.6) the Pauli matrices X, Z, Y, and denote $\sigma_1 = iX$, $\sigma_2 = iZ$, $\sigma_3 = iY$, where $\sigma_1, \sigma_2, \sigma_3 \in$ SU(2). Remember that $I_2$ denotes the 2 × 2 identity matrix. It is easy to verify that So $\sigma_1, \sigma_2, \sigma_3$ can be viewed as a basis of the R-space of pure quaternions.
Any element of SU(2) has a unique unit 4-vector index. The inversion and multiplication in SU(2) are realized in the unit vector index form by: (2.14) When | t 2 − 1| 1 and t 2 = 1, there are several methods to approximate the non-unitary operator U t by a unitary operator. We give a specific method as follows: Proof: We proceed by constructing an approximate vector t . Starting from a 4-dimensional vector t = 0, assign values t i = t i for i from 1 to 4, one by one, as much as possible until 4 i=1 |t i | 2 = 1. More specifically, there are two cases in total: Let sgn(t l ) be the sign of t l . We set

and then
In cases 2, we have (t 4 − t 4 ) 2 ≤ t 2 4 − t 2 4 , and then In both cases, we have The following is a direct corollary of Lemma 2.3.

Clifford gates and Pauli one-time pad encryption
The following are formal definitions [8,2] of some terminology mentioned in Section 1.
The Pauli group on n-qubit system is The Clifford group is the group of unitaries preserving the Pauli group: A Clifford gate refers to any element in the Clifford group. A generating set of the Clifford group consists of the following gates: Adding any non-Clifford gate, such as T = 1 , to (2.25), leads to a universal set of quantum gates.
• Enc((a, b), $|\psi\rangle$). Apply the Pauli operator $X^a Z^b$ to a 1-qubit state $|\psi\rangle$, and output the resulting state ψ .
Since XZ = −ZX, the decrypted ciphertext is the input plaintext up to a global phase factor $(-1)^{ab}$. In addition, the Pauli one-time pad encryption scheme guarantees information-theoretic security, since for any 1-qubit state $|\psi\rangle$, it holds that (2.26)

Pure and Leveled Fully Homomorphic Encryption
The following definitions come from [1] and [5]. A homomorphic (public-key) encryption scheme HE = (HE.Keygen, HE.Enc, HE.Dec, HE.Eval) for single-bit plaintexts is a quadruple of PPT algorithms as follows:
• Key Generation. The algorithm (pk, evk, sk) ← HE.Keygen($1^\lambda$) on input the security parameter λ outputs a public encryption key pk, a public evaluation key evk and a secret decryption key sk.
• Encryption. The algorithm $c \leftarrow \mathrm{HE.Enc}_{pk}(\mu)$ takes as input the public key pk and a single bit message µ ∈ {0, 1}, and outputs a ciphertext c. The notation $\mathrm{HE.Enc}_{pk}(\mu; r)$ will be used to represent the encryption of message µ using random vector r.
• Decryption. The algorithm $\mu^* \leftarrow \mathrm{HE.Dec}_{sk}(c)$ takes as input the secret key sk and a ciphertext c, and outputs a message $\mu^* \in \{0, 1\}$.

Definition 2.5 (Classical pure FHE and leveled FHE)
A homomorphic encryption scheme is compact if its decryption circuit is independent of the evaluated function. A compact scheme is (pure) fully homomorphic if it can evaluate any efficiently computable boolean function. A compact scheme is leveled fully homomorphic if it takes $1^L$ as additional input in key generation, where parameter L is polynomial in the security parameter λ, and can evaluate all Boolean circuits of depth ≤ L.
Trapdoor for LWE problem. The learning with errors (LWE) problem [19] is the security basis of most FHE schemes. Let m, n, q be integers, and let χ be a distribution on $\mathbb{Z}_q$. The search version of the LWE problem is to find $s \in \mathbb{Z}_q^n$ given the LWE samples (A, As + e mod q), where $A \in \mathbb{Z}_q^{m\times n}$ is sampled uniformly at random, and e is sampled randomly from the distribution $\chi^m$. Under a reasonable assumption on χ (namely, χ(0) > 1/q + 1/poly(n)), an algorithm for the search problem with running time $2^{O(n)}$ is known [20], while no polynomial time algorithm is known.
Although it is hard to solve the LWE problem in the general case [21,22,23,19], it is possible to generate a matrix $A \in \mathbb{Z}_q^{m\times n}$ and a relevant matrix, called the trapdoor of A (cf. Definition 5.2 in [24]), that make it possible to efficiently recover s from the LWE samples (A, As + e):
Lemma 2.6 (Theorem 5.1 in [24]; Theorem 3.5 in [5]) Let n, m ≥ 1, q ≥ 2 such that m = Ω(n log q). There is an efficient randomized algorithm GenTrap($1^n$, $1^m$, q) that returns a matrix $A \in \mathbb{Z}_q^{m\times n}$ and a trapdoor $t_A \in \mathbb{Z}^{(m - n\log q)\times n\log q}$, such that the distribution of A is negligibly (in n) close to the uniform distribution on $\mathbb{Z}_q^{m\times n}$. Moreover, there is an efficient algorithm "Invert" that, on input A, $t_A$ and As + e, where $s \in \mathbb{Z}_q^n$ is arbitrary, $\|e\|_2 \le q/(C_T\sqrt{n\log q})$, and $C_T$ is a universal constant, returns s and e with overwhelming probability.
GenTrap(·) can be used to generate a public key (matrix A) with a trapdoor ($t_A$) for LWE-based FHE schemes.
In the quantum setting, a quantum homomorphic encryption (QHE) is a scheme with syntax similar to the above classical setting, and is a sequence of algorithms (QHE.Keygen, QHE.Enc,QHE.Dec, QHE.Eval). A hybrid framework of QHE with classical key generation is given below.
• QHE.Keygen The algorithm (pk, evk, sk) ← HE.Keygen($1^\lambda$) takes as input the security parameter λ, and outputs a public encryption key pk, a public evaluation key evk, and a secret key sk.
• QHE.Enc The algorithm $|c\rangle \leftarrow \mathrm{QHE.Enc}_{pk}(|m\rangle)$ takes the public key pk and a single-qubit state $|m\rangle$, and outputs a quantum ciphertext $|c\rangle$.
• QHE.Dec The algorithm $|m^*\rangle \leftarrow \mathrm{QHE.Dec}_{sk}(|c\rangle)$ takes the secret key sk and a quantum ciphertext $|c\rangle$, and outputs a single-qubit state $|m^*\rangle$ as the plaintext.
• QHE.Eval The algorithm $|c_1\rangle, \ldots, |c_l\rangle \leftarrow$ QHE.Eval(evk, C, $|c_1\rangle, \ldots, |c_l\rangle$) takes the evaluation key evk, a classical description of a quantum circuit C with l input qubits and l output qubits, and a sequence of quantum ciphertexts $|c_1\rangle, \ldots, |c_l\rangle$. Its output is a sequence of l quantum ciphertexts $|c_1\rangle, \ldots, |c_l\rangle$.
The difference between leveled QFHE and pure QFHE is whether there is an a-priori bound on the depth of the evaluated circuit. A circular security assumption can help convert a leveled classical FHE into a pure classical FHE [25,26]. In the existing QFHE schemes [1,5], the security assumption is required to make the classical FHE that encrypts Pauli keys a pure FHE. In [1,5], there is no quantum analogue of 'bootstrapping' that is able to reduce the noise of a quantum ciphertext.

Quantum Capable Classical Homomorphic Encryption
In [5], Mahadev proposed an FHE scheme called quantum capable classical homomorphic encryption (Definition 4.2 in [5]), which is an LWE-based FHE scheme of GSW-style with a trapdoor to the public key. The scheme consists of two sub-schemes: Mahadev's HE (MHE) and Alternative HE (AltMHE).
Notation 1. The parameters in MHE scheme are the following:
1. The security parameter: λ. All other parameters are functions in λ.
2. The modulus: q, which is a power of 2. Also, q satisfies item 7 below.
3. The size parameters: n = poly(λ), m = Ω(n log q), and N = (m + 1) log q. The gadget matrix is
4. $L^\infty$-norm of the initial encryption noise: it is bounded by the parameter $\beta_{init} \ge 2\sqrt{n}$.
There are two more parameters indicating the evaluation capability of the HE scheme:
5. (Classical capability) the maximal evaluation depth $\eta_c$ before bootstrapping. $\eta_c = \Theta(\log(\lambda))$ is required to be larger than the depth of the decryption circuit, so that before bootstrapping, the accumulated noise of the ciphertext can be upper bounded by $\beta_{init}(N+1)^{\eta_c}$ (cf. Theorem 5.1 in [5]).
Mahadev's (public-key) homomorphic encryption scheme MHE=(MHE.Keygen; MHE.Enc; MHE.Dec; MHE.Convert; MHE.Eval) is a PPT algorithm as follows [5]: is the matrix composed of A (the first m rows) and $e_{sk}^T A \bmod q$ (the last row).
• $\mathrm{MHE.Enc}_{pk}(\mu)$: To encrypt a bit µ ∈ {0, 1}, choose $S \in \mathbb{Z}_q^{n\times N}$ uniformly at random Output 0 if b is closer to 0 than to $\frac{q}{2} \bmod q$, otherwise output 1.
XOR. The XOR operation on two bits a, b ∈ {0, 1} is defined by a ⊕ b := a + b mod 2.
Although the MHE scheme preserves the ciphertext form during homomorphic evaluation, when evaluating the XOR operation, the noise in the output ciphertext is not simply the addition of the two input noise terms. To overcome this drawback, Mahadev defined an extra operation MHE.Convert, which is capable of converting a ciphertext of the MHE scheme to a ciphertext of the following AltMHE scheme:
• AltMHE.KeyGen: This procedure is the same as that of MHE.KeyGen.
• $\mathrm{AltMHE.Enc}_{pk}(\mu)$: To encrypt a bit µ ∈ {0, 1}, choose $s \in \mathbb{Z}_q^n$ uniformly at random and create $e \in \mathbb{Z}_q^{m+1}$ by sampling each entry from Output 0 if b is closer to 0 than to $\frac{q}{2} \bmod q$, otherwise output 1.
There are several useful facts:
1. AltMHE scheme has a natural evaluation of the XOR operation: adding two ciphertexts encrypting $\mu_0$ and $\mu_1$ respectively results in a ciphertext encrypting $\mu_0 \oplus \mu_1$.
3. The trapdoor $t_A$ can be used to recover the random vectors s, e from ciphertext AltMHE.Enc(u; (s, e)) $\in \mathbb{Z}_q^{m+1}$, and thus the plaintext u can also be recovered. To see this, note that the first m entries of the ciphertext can be written as As + e , where $e \in \mathbb{Z}_q^m$. Therefore, the inversion algorithm "Invert" in Lemma 2.6 outputs s, e on input As + e and $t_A$, as long as $\|e\|_2 < \frac{q}{C_T\sqrt{n\log q}}$ for the universal constant $C_T$ in Lemma 2.6.
; (s , e )) by using the function MHE.Convert. Then $\|e\|_\infty \le \beta_{init}(N+1)^{\eta_c}$, $\|e\|_2 \le \beta_{init}(N+1)^{\eta_c}\sqrt{m+1}$, and the Hellinger distance between the following two distributions:

The trapdoor t
is equal to the Hellinger distance between the following two distributions:

29)
which is negligible in λ. Lemma 2.9 Let parameter β f = β init (N + 1) ηc+η be as in Notation 1, and let e ∈ Z m+1 q satisfy ||e || ∞ ≤ β init (N + 1) ηc . Let ρ 0 be the density function of the truncated discrete Gaussian distribution D Z m+1 q ,β f , and let ρ 1 be the density function of the shifted distribution e + D Z m+1 q ,β f . Let D Z m+1 q be the distribution of the random vector sampled from the distribution D Z m+1 q ,β f and the distribution e +D Z m+1 q ,β f with probability p and 1−p, respectively. For any 0 ≤ p ≤ 1, any one-qubit state |c = c 0 |0 + c 1 |1 , any vector ω ∈ Z m+1 q ← D Z m+1 q , the trace distance between state |c and the state is λ-negligible with overwhelming probability.

Encrypted Multi-bit Control Technique
The main technique in this section, called encrypted conditional rotation (encrypted-CROT), is to use the encrypted m-bit angle MHE.Enc(α) to perform $R_\alpha^{-1}$, up to a Pauli matrix, where $\alpha = \sum_{j=1}^{m} \alpha_j 2^{-j}$, $\alpha_j \in \{0, 1\}$. Below, we first explain the basic idea for achieving the encrypted-CROT.
Observe that the classical conditional rotation $R_\alpha^{-1}$ is realized by m successive 1-bit controlled rotations: for each 1 ≤ j ≤ m, the corresponding rotation is 1} is the control bit. We first consider the implementation of the 1-bit controlled rotation $R_w^{-\alpha_j}$ when both w ∈ [0, 1) and the encrypted 1-bit MHE.Enc($\alpha_j$) are given. By Mahadev's idea for achieving the encrypted CNOT operation (also a 1-bit controlled operation), we will show in Lemma 3.1 that given the encrypted 1-bit Enc($\alpha_j$) and a general 1-qubit state $|\psi\rangle$, one can perform |ψ , in addition to the Pauli mask $Z^{d_1}$, there is also an undesired rotation $R_{2w}^{d_2}$. Fortunately, when using MHE.Enc(α) to implement $R_\alpha^{-1}$, if we use MHE.Enc($\alpha_m$), the encryption of the least significant bit of α, to perform the conditional rotation $R_{-2^{-m}\alpha_m}$ by Lemma 3.1 (i.e., setting $w = 2^{-m}$ in (3.1)), then the undesired operator is $R_{2^{-(m-1)}}^{d_2}$. Since the conditional rotations that remained to be performed are R −1 in the waiting list. By iteration, as to be shown in Theorem 3.3, we realize the encrypted-CROT as follows:
The following are formal definitions of some terms to be used in this section:
Up to Pauli operator. We say that a unitary transform U is applied to a 1-qubit state $|\psi\rangle$ up to a Pauli operator, if the following is implemented: The case of using MHE.Enc(α) to implement $R_\alpha$ is similar.
Uniform distribution. U Zq denotes the uniform distribution over Z q for some q ∈ Z.
Bit string. A bit string is a sequence of bits, each taking value 0 or 1.
k-bit binary fraction. For m ∈ N, the m-bit binary fraction represents a real number in the range 1} is the sign bit, and x 1 is the most significant bit. The sign bit of 0 is 0, so  (x 0 , x 1 , x 2 , ...) = (1, 0, 0, ...) will never be used in this representation.
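
The waiting-list bookkeeping of the encrypted-CROT can be checked on plaintext values. The following Python example is added here and is not code from the paper: it omits MHE entirely, models one use of Lemma 3.1 as the diagonal operator $Z^{d_1} R_{2w}^{d_2} R_w^{-\zeta}$ with $d_2 = u_0\zeta$ (the exponent named in Remark 3.1), and assumes the undesired rotation is cancelled by adding $d_2 2^{-(j-1)}$ to the angle still waiting to be applied. All function names and sample values are constructed for illustration.

```python
# Added example (not from the paper): plaintext model of the encrypted-CROT
# iteration. MHE encryption is omitted; only the angle bookkeeping is shown.
from fractions import Fraction


def bits_to_int(bits):
    """Read (alpha_1, ..., alpha_m), most significant bit first, as an integer."""
    value = 0
    for b in bits:
        value = (value << 1) | b
    return value


def one_bit_step(theta, zeta, w, d1, u0):
    """Model of Lemma 3.1 on the relative phase e^{2*pi*i*theta} of k0|0> + k1|1>.

    Applies Z^{d1} R_{2w}^{d2} R_w^{-zeta}, where R_w = diag(1, e^{2*pi*i*w})
    and d2 = u0 * zeta is the exponent of the undesired rotation.
    """
    d2 = u0 & zeta
    theta = (theta - zeta * w + d2 * 2 * w + Fraction(d1, 2)) % 1
    return theta, d2


def crot(alpha_bits, outcomes, compensate=True):
    """Run m one-bit steps, least significant bit first.

    outcomes[i] = (d1, u0) are the measurement bits of the i-th step.
    Returns (theta, z_mask): the accumulated relative phase and the Pauli-Z key.
    """
    m = len(alpha_bits)
    remaining = bits_to_int(alpha_bits)   # waiting list: angle = remaining / 2^j
    theta, z_mask = Fraction(0), 0
    for step, j in enumerate(range(m, 0, -1)):
        d1, u0 = outcomes[step]
        zeta = remaining & 1              # control bit of weight 2^-j
        theta, d2 = one_bit_step(theta, zeta, Fraction(1, 2 ** j), d1, u0)
        z_mask ^= d1
        remaining >>= 1                   # bit j has been consumed
        if compensate:
            # Assumed update: cancel R_{2w}^{d2} by adding d2 * 2^-(j-1) to the
            # angle still to be rotated (a homomorphic addition in the scheme).
            remaining = (remaining + d2) % (2 ** (j - 1))
    return theta, z_mask


def target_phase(alpha_bits, z_mask):
    """Relative phase of Z^{z_mask} R_alpha^{-1} |k>."""
    alpha = Fraction(bits_to_int(alpha_bits), 2 ** len(alpha_bits))
    return (-alpha + Fraction(z_mask, 2)) % 1


if __name__ == "__main__":
    bits = [1, 0, 1, 1]                        # constructed: alpha = 11/16
    outs = [(0, 1), (1, 1), (0, 0), (1, 1)]    # constructed measurement outcomes
    theta, z = crot(bits, outs)
    print("with waiting-list update:", theta == target_phase(bits, z))
    theta, z = crot(bits, outs, compensate=False)
    print("without it:", theta == target_phase(bits, z))
```

At the last step $2w = 1$, so the leftover rotation is the identity and only the Pauli-Z mask remains.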

Encrypted 1-bit Controlled Rotation
Given the encrypted 1-bit MHE.Enc($\alpha_j$), the goal is to implement the controlled rotation $R_w^{-\alpha_j}$ for a fixed angle w ∈ [0, 1) on a general 1-qubit state $|k\rangle = k_0|0\rangle + k_1|1\rangle$. The basic idea follows [5]. Below, we present it in a brief but not very precise way. First, apply conditional operations with qubit $|k\rangle$ as control to create a superposition of the form:
$\sum_{l,u\in\{0,1\}} e^{-2i\pi uw} k_l |l\rangle |u\rangle |\mathrm{AltMHE.Enc}(u \oplus l\alpha_j)\rangle$. (3.6)
After measuring the last register of (3.6) to obtain an encryption of some u ∈ {0, 1}, the resulting state is So far, the rotation factor $e^{-2i\pi\alpha_j w}$ is introduced to the relative phase for l = 0, 1. After using the Hadamard transform to eliminate the entanglement between the first two qubits of (3.7), the resulting first qubit will be what we need. Details are as follows: For any angle w ∈ [0, 1), consider the conditional rotation $R_{-w}^{\zeta}$ whose control bit is ζ. With parameters m, n, q defined by Notation 1, there exists a quantum polynomial time algorithm that on input w, MHE.Enc(ζ) and a general single-qubit state $|k\rangle$, outputs: (1) an AltMHE encryption $y = \mathrm{AltMHE.Enc}(u_0; r_0)$, where $u_0 \in \{0, 1\}$ and $r_0 \in \mathbb{Z}_q^{m+n+1}$, (2) a bit string $d \in \{0, 1\}^{1+(m+n+1)\log_2 q}$, and (3) a state within λ-negligible trace distance to
$\mathrm{AltMHE.Enc}(u_0; r_0) = \mathrm{AltMHE.Enc}(u_1; r_1) \oplus \mathrm{MHE.Convert}(\mathrm{MHE.Enc}(\zeta))$. (3.9)
Remark 3.1 In the realization of the encrypted controlled rotation $R_w^{-\zeta}$, Z d·((u 0 ,r 0 ) (u 1 ,r 1 )) and $R_{2w}^{u_0\zeta}$ are both serving to protect the privacy of ζ in (3.8), where the former is a Pauli mask, and the latter is to be removed later.
Proof: We prove the lemma by providing a BQP algorithm, Algorithm 1 below. Recall in Notation 1 the parameters q, m, n, $\beta_f$. In Algorithm 1, Step 1 requires creating a superposition over the discrete Gaussian distribution $D_{\mathbb{Z}_q^{m+1},\beta_f}$, a typical procedure that can be found in Lemma 3.12 of [Reg05], or (70) in [5]. Then by creating a superposition over the discrete uniform distribution $U_{\mathbb{Z}_2} \times U_{\mathbb{Z}_q^n}$, adding an extra register $|0\rangle_G$ whose label is G, and using AltMHE.Enc in the computational basis, one can efficiently prepare (3.20) in Algorithm 1.
After applying Step 2, by the equality $R_{-\omega}|u\rangle = e^{-2\pi i\omega u}|u\rangle$ for u = 0, 1, the resulting state is (3.21). In Step 4, after adding an extra qubit initially in state $|k\rangle$ to the leftmost of the qubit system in (3.21), then applying the conditional homomorphic XOR, the resulting state is (3.22). By Lemma 2.8, the following distributions are λ-negligibly close to each other:

20)
where G is the label of the last register, and δ is the density function of distribution q ,β f .

23)
where M is the label of the middle register.

24)
7: Set $|\psi\rangle$ to be the first qubit of (3.24).
Proposition 3.2 Let $pk_1$ and $pk_2$ be two public keys generated by MHE.Keygen, and let $t_1$ be the trapdoor of public key $pk_1$. Using an encrypted control bit $\mathrm{MHE.Enc}_{pk_1}(\zeta)$ and the encrypted trapdoor $\mathrm{MHE.Enc}_{pk_2}(t_1)$, for any angle w ∈ [0, 1), any single-bit state $|k\rangle$, one can efficiently prepare (1) state of the form 1} are random parameters obtained by quantum measurement, and (2) a ciphertext $\mathrm{MHE.Enc}_{pk_2}(d_1, d_2)$.
Proof: By Lemma 3.1, it suffices to show how to produce the ciphertext $\mathrm{MHE.Enc}_{pk_2}(d_1, d_2)$ using the encrypted trapdoor $\mathrm{MHE.Enc}_{pk_2}(t_1)$. Recall from Lemma 2.6 that the trapdoor $t_1$ allows the random vector r and plaintext u to be recovered from a ciphertext $\mathrm{AltMHE.Enc}_{pk_1}(u; r)$.
. It makes the QHE of [2] a QFHE scheme. Specifically, to evaluate the non-Clifford gate T, one can directly perform T on the ciphertext $X^a Z^b|\psi\rangle$, and then perform $P^a$ by the encrypted-CROT. By $T X^a Z^b = P^a X^a Z^b T$, the above sequence of operations yield and the encrypted Pauli keys can be updated by homomorphic arithmetic on MHE.Enc(a, b, d). Now a "Clifford+T"-style QFHE is obtained.

Corollary 3.4
Consider an angle α ∈ [0, 1) represented in m-bit binary form as $\alpha = \sum_{j=1}^{m} 2^{-j}\alpha_j$, where $\alpha_j \in \{0, 1\}$. Let $pk_i$ be the public key with trapdoor $t_i$ generated by MHE.Keygen for 1 ≤ i ≤ m. Suppose the encrypted trapdoor $\mathrm{MHE.Enc}_{pk_{j+1}}(t_j)$ is public for 1 ≤ j ≤ m − 1. Given the bitwise encrypted angle $\mathrm{MHE.Enc}_{pk_1}(\alpha)$ and a general single-qubit state $|k\rangle$, one can efficiently prepare (within λ-negligible trace distance) the following state: Then for any α ∈ [0, 1), To prepare $T_\alpha^{-1}|k\rangle$ up to Pauli operator, first act $S^{-1}$ on $|k\rangle$. Then by Theorem 3.3, use $\mathrm{MHE.Enc}_{pk_1}(\alpha)$ to prepare Finally, act S on (3.42) to get (3.39) (after ignoring a global phase factor), because where the equation is by combining (3.41) and the fact that for any d ∈ {0, 1},

Encrypted Conditional Unitary Operator on Single Qubit
The following is the main result of this paper:
Theorem 3.5 Let m-bit binary fractions α, β, γ ∈ [0, 1) be the Euler angles of a 2 × 2 unitary U, that is, $U = R_\alpha T_\beta R_\gamma$. Let $pk_i$ be the public key with trapdoor $t_i$ generated by MHE.Keygen for 1 ≤ i ≤ 3m. Suppose the encrypted trapdoor $\mathrm{MHE.Enc}_{pk_{j+1}}(t_j)$ is public for 1 ≤ j ≤ 3m − 1. Given the ciphertexts $\mathrm{MHE.Enc}_{pk_1}(\alpha, \beta, \gamma)$ and a general one-qubit state $|k\rangle$, one can efficiently prepare ciphertexts $\mathrm{MHE.Enc}_{pk_{3m}}(d_1, d_2)$, where random parameters $d_1, d_2 \in \{0, 1\}$, and a state within λ-negligible trace distance to
Proof: We prove the theorem by providing a BQP algorithm in Algorithm 3 below. By Theorem 3.3, in step 1 of Algorithm 3, by performing an encrypted conditional phase rotation $R_\alpha^{-1}$ on state $|k\rangle$, one obtains an encrypted bit $\mathrm{MHE.Enc}_{pk_m}(w_1)$, where $w_1 \in \{0, 1\}$, and a state
The output is a state

Quaternion one-time pad Encryption (QOTP)
k-bit representation of unitary operator. Given a unitary U t where t ∈ S 3 , let t ∈ R 4 , whose elements in binary form are the sign bit and the k most significant bits in the binary representation of the corresponding elements of t. We call U t the k-bit finite precision representation of unitary U t . Note that U t is only a linear operator, not a unitary one.
Unitary approximation of k-bit precision linear operator. Given a linear operator U t , where each element of t ∈ R 4 is a k-bit binary fraction, the unitary approximation We use the following quaternion one-time pad method to encrypt a single qubit, and encrypt a multi-qubit state qubitwise.
• Quaternion one-time pad encryption of a single qubit message , which is a random permutation of (h 1 , h 2 , h 3 , h 4 ) followed by multiplying each element with 1 or −1 of equal probability. Notice that 4 i=1 t 2 i = 1 in general.
The following lemma guarantees the information-theoretic security of the QOTP encryption scheme.
Proof: Let $S_4$ be the 4-th order symmetric group. From the symmetry in generating $t = (t_1, t_2, t_3, t_4)$, we get that the probability function p satisfies: It is not difficult to verify that for any matrix $A = \begin{pmatrix} a_{11} & a_{12} \\ a_{21} & a_{22} \end{pmatrix} \in \mathbb{C}^{2\times 2}$, where $X = i\sigma_1$, $Z = i\sigma_2$ are Pauli matrices. By (4.2), (4.3) and (2.12), for any a, b ∈ {0, 1}, where g σ a where the last equality follows from
A common confusion is why the length of the pad key is irrelevant to the security. In particular, it seems impossible to securely encrypt a 1-qubit state, whose amplitudes store a continuous amount of information, with just a finite-length pad key (even the 1-bit pad key of Pauli-OTP). This intuition ignores an important quantum property: extracting information from the amplitudes of a 1-qubit state is hard. Specifically, each 1-qubit state collapses after a single measurement with an outcome $|0\rangle$ or $|1\rangle$. To extract the information in the amplitudes, numerous copies of the same 1-qubit state are required to be measured.
The concrete meaning behind (4.1) is that the encrypted numerous copies of an arbitrary 1-qubit state (with each copy encrypted by independently random pads) form the same system, which cannot be distinguished by measurements on any basis. So, in the current quantum setting, QOTP is as secure as Pauli-OTP, regardless of how long the pad key is.
From the pure mathematical model lens, QOTP has a potential advantage that it can provide security against super adversaries who can directly read the amplitude of qubits with a single measurement [27], whereas Pauli-OTP must fail to be secure against such an adversary.
The following lemma guarantees that the decryption of a ciphertext by QOTP.Dec is correct up to negl(k) L 2 -distance, where k is the number of bits for representation. Lemma 4.2 (Correctness) Given a unitary operator U t where t ∈ R 4 and ||t|| 2 = 1, let U t be the k-bit finite precision representation of U t , and let U t be the unitary approximation of linear operator U t . Then Proof: Let t i be the i-th coordinate of vector t for 1 ≤ i ≤ 4. Now that t is the k-bit approximation of t,

Homomorphic Evaluation of Single-qubit Gates
Single qubit gates and the CNOT gate are a set of universal quantum gates. We show below how the server evaluates a single-qubit quantum gate homomorphically. In our QFHE scheme, the server receives a ciphertext that is composed of a quantum message encrypted by QOTP, together with the (classical) QOTP key (called the gate key) encrypted by MHE. Let the encrypted gate key held by the server be Enc(t), where t = (t 1 , t 2 , t 3 , t 4 ) is a vector whose elements are k-bit binary fractions.
To evaluate a unitary gate whose k-bit precision representation is $U_k$, the server needs to use Enc(k) and Enc(t) to compute a new ciphertext Enc(t′) that satisfies $U_{t'} = U_t U_k^{-1}$, where t′ is a 4-dimensional vector whose elements are k-bit binary fractions. This can be done by homomorphic computation, according to (2.13) and (2.14). The ciphertext Enc(t′) serves as the new encrypted gate key for the next round of evaluation.
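
The key-update rule above means that a single-qubit gate costs the server no quantum operation. The following Python example is added here and is not the paper's code: it assumes the standard identification of a unit quaternion $(t_1, t_2, t_3, t_4)$ with the SU(2) matrix written in `to_matrix` (the paper fixes its own convention in (2.12), which is not reproduced in this section), takes the unitary approximation of a k-bit key to be its rescaling to unit length, and uses constructed sample values.

```python
# Added example (not from the paper): single-qubit gate evaluation under QOTP
# reduces to a classical update of the gate key, t' = t * g^{-1}.
import math


def qmul(p, q):
    """Hamilton product of quaternions given as 4-tuples."""
    a1, b1, c1, d1 = p
    a2, b2, c2, d2 = q
    return (a1*a2 - b1*b2 - c1*c2 - d1*d2,
            a1*b2 + b1*a2 + c1*d2 - d1*c2,
            a1*c2 - b1*d2 + c1*a2 + d1*b2,
            a1*d2 + b1*c2 - c1*b2 + d1*a2)


def qconj(q):
    """Conjugate; equals the inverse for a unit quaternion."""
    return (q[0], -q[1], -q[2], -q[3])


def to_matrix(t):
    """Assumed convention: t -> [[t1 + i t2, t3 + i t4], [-t3 + i t4, t1 - i t2]]."""
    a, b, c, d = t
    return [[complex(a, b), complex(c, d)], [complex(-c, d), complex(a, -b)]]


def apply(M, v):
    """Multiply a 2x2 matrix by a 2-component state vector."""
    return (M[0][0]*v[0] + M[0][1]*v[1], M[1][0]*v[0] + M[1][1]*v[1])


def dagger(M):
    """Conjugate transpose of a 2x2 matrix."""
    return [[M[0][0].conjugate(), M[1][0].conjugate()],
            [M[0][1].conjugate(), M[1][1].conjugate()]]


def truncate(t, k):
    """Keep the sign and the k most significant fractional bits of each entry."""
    return tuple(math.trunc(x * 2**k) / 2**k for x in t)


def normalise(t):
    """Assumed unitary approximation of a k-bit key: rescale to unit length."""
    n = math.sqrt(sum(x * x for x in t))
    return tuple(x / n for x in t)


def update_key(t_k, g_k, k):
    """Server side: the only work for a single-qubit gate (done under MHE in the scheme)."""
    return truncate(qmul(t_k, qconj(g_k)), k)


def roundtrip_error(t, g, psi, k):
    """Encrypt psi, evaluate gate g by key update only, decrypt, compare with U_g psi."""
    t_k, g_k = truncate(t, k), truncate(g, k)
    cipher = apply(to_matrix(normalise(t_k)), psi)               # client: U_t |psi>
    t_new = update_key(t_k, g_k, k)                              # server: t' = t g^{-1}
    plain = apply(dagger(to_matrix(normalise(t_new))), cipher)   # client: U_{t'}^{-1}
    want = apply(to_matrix(g), psi)
    return math.sqrt(sum(abs(x - y) ** 2 for x, y in zip(plain, want)))


# Constructed sample values.
T = normalise((0.3, -0.7, 0.2, 0.61))      # pad key
G = normalise((1.0, 0.4, -0.2, 0.3))       # gate to evaluate
PSI = (0.6, 0.8j)                          # plaintext qubit

if __name__ == "__main__":
    for k in (8, 16, 30):
        print(k, roundtrip_error(T, G, PSI, k))
```

The printed error shrinks as k grows, which is the finite-precision effect that Lemma 4.2 bounds.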

Homomorphic Evaluation of the CNOT Gate
CNOT$_{1,2}$ operation. For a two-qubit state $|\psi\rangle$, the notation $U \otimes V|\psi\rangle$ refers to performing U on the first qubit of $|\psi\rangle$, and performing V on the second qubit. The notation CNOT$_{1,2}$ denotes a CNOT operation with the first qubit as the control and the second qubit as the target.
To evaluate the CNOT gate, we first change a QOTP-encrypted state into a Pauli-encrypted state, and output the encryptions of Pauli-keys. Then, we evaluate the CNOT gate on the Pauli-encrypted state by the following relation: (4.13) where $|\psi\rangle$ is a two-qubit state, and $a_i, b_i \in \{0, 1\}$ are the Pauli keys of the i-th qubit for i = 1, 2.
Now, we show how to transform a QOTP-encrypted state into its Pauli-encrypted version. First, with the encrypted gate key MHE.Enc(t) at hand, one can homomorphically compute Euler angles for the unitary operator $U_t$ according to relation (2.24). The detailed procedure involves several lemmas, all of which are moved to Appendix 7.2. Then, by the encrypted conditional rotation technique, one can transform a QOTP-encrypted state into its Pauli-encrypted version, by the following proposition:
Proof: Let α, β, γ ∈ [0, 1) be defined as in (2.24), such that $U(\alpha, \beta, \gamma) \overset{\text{i.g.p.f}}{=} U_t$. Now that ||t − t|| ∞ =negl(k). By Lemma 7.3 in the Appendix, from MHE.Enc(t ) one can produce a ciphertext MHE.Enc (α , β , γ ), such that where $e^{i\delta}$ is a global phase factor. (4.14) Theorem 3.5 allows to use the encrypted angles MHE.Enc(α , β , γ ) to perform 15) and meanwhile get two encrypted bits MHE.Enc($d_1, d_2$). Below, we prove that U (α , β , γ ) −1 U t |ψ is within k-negligible trace distance from |ψ . First, by (2.2), the trace distance of two states is invariant under a global phase scaling to one of the states, so
Remark 4.1 The reason why we do not directly adopt the Euler representation of SU(2) at the beginning, but rather use the quaternion representation, is that the latter provides an arithmetic circuit implementation of much smaller depth for the product in SU(2), as shown in (2.14). This change of representation is not necessary in the real representation of quantum circuits and states (cf. [28], Lemma 4.6 of [29]), where all the involved 1-qubit quantum gates are in SO(2), and in that case, the rotation representation $\begin{pmatrix} \cos 2\pi\alpha & -\sin 2\pi\alpha \\ \sin 2\pi\alpha & \cos 2\pi\alpha \end{pmatrix}$, where α ∈ [0, 1), already provides a low-depth circuit implementation for the product in SO(2).

Our Quantum FHE Scheme
The design of our QFHE scheme follows this guideline:
1. The client uses the QOTP scheme to encrypt a quantum state (the message), and then encrypts the gate keys with the MHE scheme.
2. The client sends both the encrypted quantum state and the gate keys to the server, and also sends the server the following tools for homomorphic evaluation: the public keys, encrypted secret keys and encrypted trapdoors.
3. To evaluate a single-qubit gate, the server only needs to update the encrypted gate keys.
4. To evaluate a CNOT gate on an encrypted two-qubit state:
(4.1) The server first computes the encryptions of the Euler angles of the 2×2 unitary gates that are used to encrypt the two qubits, by homomorphic evaluations on the gate keys.
(4.2) Then, the server applies the encrypted conditional rotations to obtain a Pauli-encrypted state, as well as the encrypted Pauli keys.
(4.3) The server evaluates the CNOT gate on the Pauli-encrypted state, and updates the encrypted Pauli keys according to (4.13).
(4.4) By Lemma 5.1 below, the resulting state in Pauli-encrypted form is (up to a global factor) in natural QOTP-encrypted form. It can be directly used in the next round of evaluation.
5. During decryption, the client first decrypts the classical ciphertext of the gate keys, then uses the gate keys to decrypt the quantum ciphertext received from the server.

Lemma 5.1
For any $x_1, x_2 \in \{0, 1\}$, any 1-qubit state $|\psi\rangle$, the Pauli-encrypted state $Z^{x_1} X^{x_2}|\psi\rangle$ can be written (up to a global factor) in QOTP-encrypted form as follows: . Then by (2.12),
Parameters to be used in the scheme:
1. Assume the quantum circuit to be evaluated can be divided into L levels, such that each level consists of several single-qubit gates, followed by a layer of nonintersecting CNOT gates.
2. Let $L_c = L_m + L_s$, where $L_m$ = maximum depth of the quantum circuit composed of all the single-qubit gates in a level, $L_s$ = depth of the classical circuits on the encrypted gate key for homomorphically evaluating a CNOT gate. The MHE scheme is assumed to have the capability of evaluating any $L_c$-depth circuit.
3. Let k be the number of bits used to represent the gate key, i.e., the parameter of QOTP.Keygen(·) in Section 4.1. A typical choice is k = log 2 λ, where λ is the security parameter.
• Our new QHE scheme
• QHE.KeyGen($1^\lambda$, $1^L$, $1^k$): where $t_{sk_i}$ is the trapdoor required for randomness recovery from the ciphertext.
• QHE.Enc$_{pk_1}$($|\psi\rangle$): Use QOTP to encrypt each qubit of $|\psi\rangle$; for any single-qubit state $|v\rangle$, its ciphertext consists of $U_t|v\rangle$ and $\mathrm{MHE.Enc}_{pk_1}(t)$, where the 4k-bit gate key t = (t
• QHE.Eval:
1. To evaluate a single-qubit unitary $U_k$ on an encrypted qubit $U_t|\psi_1\rangle$, one only needs to update the encrypted gate key from $\mathrm{MHE.Enc}_{pk_j}(t)$ to $\mathrm{MHE.Enc}_{pk_j}(t')$ where $t' = tk^{-1}$ according to Section 4.2, for some 1 ≤ j ≤ 3kL + 1.

2. To evaluate the CNOT gate on two encrypted qubits $U_{t_1} \otimes U_{t_2}|\psi_2\rangle$ with encrypted gate key $\mathrm{MHE.Enc}_{pk_j}(t_1, t_2)$:
(a) Compute the Euler angles of unitary operators $U_{t_1}$, $U_{t_2}$ homomorphically, with the angles represented in k-bit binary form to approximate the unitary operators to precision negl(k) (not necessarily $\frac{1}{2^k}$). Denote the encrypted Euler angle 3-tuples of $t_1$, $t_2$ in binary form by $\mathrm{MHE.Enc}_{pk_j}(\alpha_1, \alpha_2)$, where $\alpha_1, \alpha_2 \in \{0, 1\}^{3k}$.
(b) Use the encrypted angles $\mathrm{MHE.Enc}_{pk_j}(\alpha_1, \alpha_2)$ to apply the corresponding encrypted conditional rotation to the input quantum ciphertext $U_{t_1} \otimes U_{t_2}|\psi_2\rangle$. The result is a Pauli-encrypted state. The MHE encryption of the Pauli key can also be obtained.
(c) Evaluate the CNOT gate on the Pauli-encrypted state according to (4.13). The resulting state is in QOTP-encrypted form, whose encrypted gate key can be computed by homomorphic evaluation according to (5.1).
Leveled FHE property of our QHE scheme.
We show that any choice of parameter k that satisfies $\frac{1}{2^k} = \mathrm{negl}(\lambda)$ is sufficient to make the new QHE scheme leveled fully homomorphic.

Proof:
In the encryption step, we encrypt each qubit by using QOTP, with the 4k-bit gate key encrypted by MHE in poly(λ) time.
Due to the k-bit finite representation of quantum gates, each evaluation of a single-qubit gate introduces a quantum error, which is measured by the trace distance between the decrypted ciphertext and the correct plaintext. The following Proposition 5.5 guarantees that after evaluating poly(λ) number of single-qubit gates, the quantum error is still λ-negligible.
To evaluate a CNOT gate, we first compute the encrypted approximate Euler angles for the 2 × 2 unitary operator represented by the gate keys. By Lemma 7.3, this can be done in time poly(k) to get negl(k)-approximation. By encrypted conditional rotation (see Theorem 3.5), we can transform the quantum ciphertexts into Pauli-encrypted form, and then evaluate the CNOT gate on the Pauli-encrypted states.
Although the quantum error increases with the use of encrypted conditional rotations, the evaluation of the CNOT gate on Pauli-encrypted states (see (4.13)) is so simple that it does not cause any increase in the quantum error. Each encrypted conditional rotation requires O(k) uses of Algorithm 1, and the output state of Algorithm 1 is correct within negl(λ) trace distance by Lemma 3.1. So the quantum error for evaluating a CNOT gate is λ-negligible. After evaluating poly(λ) number of CNOT gates, the quantum error is still negl(λ).
for 1 ≤ i ≤ m. Given a multi-qubit system $|\psi\rangle$, let V j (V j ) be the multi-qubit gate on $|\psi\rangle$ that describes the acting of U j (U j ) on some (the same) 1-qubit of $|\psi\rangle$ for 1 ≤ j ≤ m. If m is a polynomial function in λ, and k is a function in λ such that $\frac{m}{2^k} = \mathrm{negl}(\lambda)$, then
Proposition 5.5 Let m(λ) be a polynomial function in λ, and let k(λ) be a function in λ such that $\frac{m(\lambda)}{2^{k(\lambda)}} = \mathrm{negl}(\lambda)$. Then, the new QHE scheme with precision parameter k = k(λ) allows to evaluate m = m(λ) number of single-qubit gates while guaranteeing the correctness of the decryption of the evaluation result to be within negl(λ) trace distance.
Proof: In the notations in the proof of Lemma 5.4, let V j be the unitary operator for 1 ≤ j ≤ m that realizes the 2 × 2 unitary U j on some multi-qubit system |ψ , let V j be the linear operator that realizes U j , the k-bit finite precision quaternion representations of U j (see Lemma 5.4) for 1 ≤ j ≤ m, and let V j be the unitary approximation (see Section 4.1) of U j for 1 ≤ j ≤ m. Define P = V m ....V 1 , P = V m ...V 1 and P = V m ...V 1 . We need to prove ||P |ψ − P |ψ || tr ≤ negl(λ), (5.13) for a general multi-qubit state |ψ . First, group together those V j that act on the same qubit for 1 ≤ j ≤ m. Assume that the result consists of m 1 (m 1 ≤ m) unitary operators: V j , 1 ≤ j ≤ m 1 , each of which acts on a different qubit. Since linear operators that act on different qubits are commutative, we can rewrite P = m 1 j=1 V j . By grouping the operators acting on the same qubit, we can define V j and V j similarly, such that P = m 1 j=1 V j and P = m 1 j=1 V j . Now that each V j is composed of several unitary operators, with V j being the approximation of V j . By (5.4), it holds that V j − V j 2 = negl(λ), and then (5.14) Similarly, V j − V j 2 = negl(λ) for 1 ≤ j ≤ m 1 . By making induction similar to (5.10), we can deduce that P − P 2 = negl(λ) (notice that m 1 ≤ m). It follows from (5.4) that P − P 2 = V m ....V 1 − V m ....V 1 2 = negl(λ). Therefore, ||P − P || 2 ≤ ||P − P || 2 + ||P − P || 2 = negl(λ). (5.15) According to (2.3), for any quantum state |ψ , ||P |ψ − P |ψ || tr = negl(λ).
The security of our scheme follows by combining the security of QOTP (see Lemma 4.1) and the security of Mahadev's HE scheme (see Theorem 6.1 of [5]).

Efficiency Comparison.
We make an efficiency comparison between our QFHE scheme and the QFHE scheme of [5] for the task of evaluating quantum circuits. Overall, for evaluating a general circuit composed of p percentage of CNOTs and (1-p) percentage of 1-qubit gates within the precision negl(λ), the quantum complexity advantage of our scheme over the scheme of [5] is

16)
when constant p is away from both one and zero. The detailed analysis is as follows. First, let the quantum complexity of the encrypted-CNOT operation of [5] be $T_Q$, which is roughly equal to that of Algorithm 1, so that it is the basis for comparison.
In the scheme of [5], to evaluate a 1-qubit gate and obtain a state within $O(\frac{1}{2^\lambda})$ trace distance from the correct result, by the SK algorithm, the number of Hadamard/Toffoli gates required to be evaluated is $O(\lambda^2)$. Since evaluating a Toffoli gate requires a constant number of encrypted-CNOT operations [5], in the worst case, the number of required Toffoli gates is $O(\lambda^2)$, and the quantum complexity of evaluating a 1-qubit gate within precision $O(\frac{1}{2^\lambda})$ (in trace distance) by the scheme of [5] is $O(\lambda^2)T_Q$; the quantum complexity of evaluating a CNOT gate is O(1).
In our scheme, to evaluate a 1-qubit gate within the precision negl(λ), we set the number of bits used to represent the gate key to be k = λ, and then the complexity is totally classical and is $O(\lambda)T_C$, where $T_C$ is the complexity required for homomorphic evaluations on each bit; evaluating a CNOT gate requires O(λ) uses of Algorithm 1, so the quantum complexity is $O(\lambda)T_Q$.
For circuits composed of p percentage of CNOTs and (1-p) percentage of 1-qubit gates, the quantum complexity of the QFHE scheme of [5] is times of that by our QFHE scheme, when constant p ≠ 0, 1. Also, if $T_Q$, $T_C$ and p (≠ 0, 1) are considered as constants, then our scheme has the overall complexity advantage

18)
According to the above arguments, in the worst case where there are overwhelmingly many CNOTs and negligibly few 1-qubit gates, our method is less efficient than previous QFHE schemes such as [5]. In the general case, however, our scheme is polynomially better asymptotically.
For some typical quantum circuits, like the quantum Fourier transform (QFT) (cf. Figure 1 and Figure 2), the numbers of CNOTs and 1-qubit gates are roughly equal, and thus the percentage p = 1/2. This is the case of a tie, with no bias towards either gate type, showing that our scheme has an advantage over the previous schemes in general.
There are two worthwhile points about the above comparison:
(1) Compared to the QFHE scheme of [5] combined with the specific SK algorithm of approximation parameter c = 2, the advantage of our scheme is O(λ), which is significant. Moreover, the lower bound for the approximation parameter is c = 1 (see (23) in [DN05]). So, our method reaches the best complexity that can be achieved by [5] together with any approximation algorithm. To the best of our knowledge, no method in the literature has ever achieved this complexity.
(2) For particular quantum circuits (such as approximate-QFT [30]), there may exist some direct "Clifford+non-Clifford" implementation that makes the evaluation by the QFHE scheme of [5] more efficient. However, for general quantum circuits (usually designed with 1-qubit/CNOT gates), finding their efficient "Clifford+non-Clifford" implementation is as hard as (if not harder than) redesigning the algorithm. So, using previous QFHE schemes to evaluate a circuit is generally done in two steps: first decompose each 1-qubit gate into Clifford gates and T gates, then evaluate them one by one.
There are also some follow-ups to the QFHE of [5]. The rate-1 QFHE in [13] mainly focuses on reducing communication complexity. It seems to have no obvious advantage over the QFHE of [5] in the efficiency of evaluating quantum circuits. The QFHE scheme in [1] achieves encrypted-CNOT by a different approach from [5]. Due to the lack of a basis for comparison, it is hard to make a fair comparison between our QFHE scheme and Brakerski's QFHE.
It is interesting to investigate the generalization of the encrypted-CNOT in [1], as we have done for [5]. This will lead to a more efficient QFHE, because the encrypted-CNOT in [1] is more efficient, due to the underlying classical FHE with just polynomial modulus.
By the shape of $\rho_0$, for any x ∈ K, y ∈ sp($D_0$) \ K, it holds that $\rho_0(x) > \rho_0(y)$. Therefore,

4)
where the last inequality is by (1 − a)