Privacy and correctness trade-offs for information-theoretically secure quantum homomorphic encryption

Quantum homomorphic encryption, which allows computation by a server directly on encrypted data, is a fundamental primitive out of which more complex quantum cryptography protocols can be built. For such constructions to be possible, quantum homomorphic encryption must satisfy two privacy properties: data privacy which ensures that the input data is private from the server, and circuit privacy which ensures that the ciphertext after the computation does not reveal any additional information about the circuit used to perform it, beyond the output of the computation itself. While circuit privacy is well-studied in classical cryptography and many homomorphic encryption schemes can be equipped with it, its quantum analogue has received little attention. Here we establish a definition of circuit privacy for quantum homomorphic encryption with information-theoretic security. Furthermore, we reduce quantum oblivious transfer to quantum homomorphic encryption. By using this reduction, our work unravels fundamental trade-offs between circuit privacy, data privacy and correctness for a broad family of quantum homomorphic encryption protocols, including schemes that allow only the computation of Clifford circuits.


Introduction
Given the difficulty of building reliable quantum computers at scale, it is reasonable to expect the first such quantum computers to be controlled by a few service providers with the prerequisite infrastructure and resources [1]. In such a scenario, individual users will, in contrast, only hold quantum computers with far more limited capabilities and must delegate complex computations to large servers. However, there is also an inherent lack of trust between the service providers and the users: individuals would like to keep their data private from large corporations, while the service providers would like to keep their exact implementation private from competitors. Protocols such as blind quantum computing [2,3,4,5,1,6] are proposed to help with the situation; they require only minimal quantum capabilities of the client but require extensive communication. Quantum homomorphic encryption [7,8,9,10,11,12,13], which allows a server to compute on encrypted data of a client without first decrypting it, offers an alternative solution to this problem. Here, all communication can be done in one round, but the client needs a quantum computer for encoding the input and decoding the output.
Because classical homomorphic encryption [14,15,16] can build a broad range of more complex classical cryptographic primitives such as multiparty secure computation and private information retrieval, it has been called the "Swiss army knife" of classical cryptography [17,18,19]. These reductions 1 rely crucially on the data and circuit privacy of homomorphic encryption schemes. While data privacy is inherent in homomorphic encryption, circuit privacy encapsulates the property that no additional information about the computation circuit is leaked beyond its action on the encoded data.
It is natural to conjecture a quantum analogue of the classical reduction, i.e. reducing quantum oblivious transfer to quantum homomorphic encryption. In this paper, we progress in understanding the extent to which quantum homomorphic encryption can be analogously a "Swiss army knife" of quantum cryptography. In particular, we explore the limitations of quantum homomorphic encryption in the paradigm of information-theoretic security.
Quantum homomorphic encryption that allows the delegation of an arbitrary quantum computation while also assuring the privacy of the client's encrypted data cannot exist because its existence would violate well-known information-theoretic bounds, such as Nielsen's no-programming bound [7] or fundamental coding-type bounds [21,22] such as Nayak's bound [23] which bounds the amount of classical information that can be stored in a quantum state. On the other hand, if we consider quantum homomorphic encryption schemes that support only Clifford computations, such schemes exist with asymptotically perfect data privacy and correctness [11]. Hence, there is the hope that, by restricting ourselves to quantum homomorphic encryption schemes that support a limited set of operations [10,24,11,21,25,13], such schemes can still have enough functionality (data privacy, correctness and circuit privacy) to serve as a Swiss army knife. Here we show that this is not possible. Namely, even if we restrict ourselves to quantum homomorphic encryption protocols that can perform only two-qubit Clifford gates, we find that data privacy, circuit privacy and correctness cannot be simultaneously achieved. In particular, we obtain non-trivial trade-offs between these parameters for such computationally-restricted quantum homomorphic encryption schemes.
Our main contributions are as follows: • We introduce a formal definition of circuit privacy for quantum homomorphic encryption schemes. (See Definition 4.) We achieve this by introducing a quantum counterpart of the simulation paradigm [18] in classical cryptography. Roughly speaking, the simulation paradigm is a pattern of using a simulator to compare a possibly insecure actual protocol with a naturally secure ideal protocol.
• We give an explicit reduction from quantum oblivious transfer to quantum homomorphic encryption by constructing a quantum oblivious transfer protocol with a quantum homomorphic encryption protocol. In this reduction, we use only quantum homomorphic encryption protocols that perform delegated Clifford circuits and additionally utilize genuine random classical bits. (See Theorem 21).
• The reduction allows us to inherit no-go results for quantum oblivious transfer [26,27,28] to quantum homomorphic encryption. We find that, for any informationtheoretically secure quantum homomorphic encryption scheme support (at least) Clifford operations, it holds that where d , c and are parameters describing data privacy, circuit privacy and correctness, respectively, and ideally, we would want them to all be small.
It is worth emphasizing that our results apply only to quantum homomorphic encryption schemes with information-theoretic security. In particular, quantum homomorphic encryption schemes based on computational hardness assumptions [8,9,12] might be able to support better trade-offs for these parameters. Notably, circuit privacy for computationalsecure semi-honest quantum homomorphic encryption was discussed in [9].
Our paper is structured as follows. In Section 2, we give formal definitions of quantum cryptographic primitives. In Section 2.3, we give the scheme of quantum homomorphic encryption and define the correctness, data privacy and circuit privacy. In Section 2.4, we discuss two types of quantum oblivious transfer, standard and semi-random oblivious transfer, and show their equivalence. In Section 4, we reduce standard oblivious transfer to quantum homomorphic encryption. In Section 3, we present a bound for semi-random oblivious transfer. In Section 5, we present bounds for quantum homomorphic encryption. In Section 5.1, we obtain our lower bound for quantum homomorphic encryption by reduction. In Section 5.2, we derive our upper bound.

Quantum homomorphic encryption and oblivious transfer 2.1 Notations
When x ∈ {0, 1} denotes a bit, we let x = x ⊕ 1 ∈ {0, 1} denote its complement. An n-bit string is a binary vector (x 1 , ..., x n ) ∈ {0, 1} n . A random bit is denoted by $. We use Latin capital letters in a sans serif font, such as X, to denote the system and also its Hilbert space. The set of density matrices of a system X is denoted by S (X). The set of completely positive trace-preserving maps from a system X to a system Y is denoted by CPTP(X, Y). The set of unitary channels on X is denoted by U (X). The adjoint channel N * ∈ CPTP(Y, X) of a channel N ∈ CPTP(X, Y) is defined by the relation Tr(ρN (σ)) = Tr(N * (ρ)σ) for all ρ ∈ S (Y) and σ ∈ S (X). The identity channel of n dimensions is denoted by I n . The identity channel on X is denoted by I X . For simplicity, we will omit identity channels I X and I X if it does not cause any confusion. The set of unitary operators on X is denoted by U(X). The identity operator acting on n dimensions and on X are denoted by I n and I X , respectively. The Schatten 1-norm is defined by The Hermitian conjugate of a term in an equation is denoted by a h.c. following the term. Table 1 summarizes the notations.

Classical homomorphic encryption
For the formal definition of classical homomorphic encryption, interested readers may refer to [15,18]. Here we only introduce classical homomorphic encryption informally, emphasising its scheme and circuit privacy. In a classical homomorphic encryption protocol, Alice, the user, encrypts the input and sends the ciphertext to Bob, the server. Next, Bob evaluates a function on the ciphertext without decryption and sends the evaluated ciphertext back to Alice. Finally, Alice decrypts the evaluated ciphertext and obtains the output.

Description $
A random bit.

X
The system and also its Hilbert space. S (X) The set of density matrices on X.
The set of CPTP maps from X to Y. U (X) The set of unitary channels on X. N * The adjoint channel of N . I n The identity channel of n dimensions. I X The identity channel on X. U(X) The set of unitary matrices on X.

I n
The identity operator of n dimensions.

I X
The identity operator on X.
The trace distance between two states.
The fidelity between two states. h.c.
The Hermitian conjugate of a term. The correctness of classical homomorphic encryption requires that the output is the same as the function computed on the input. Data privacy requires that Bob cannot distinguish the ciphertexts corresponding to different inputs.
Circuit privacy is defined in a simulation paradigm. It is defined by comparing a possibly insecure actual protocol to a naturally secure ideal protocol. Alice knows the input, the ciphertext, and the modified ciphertext in the actual protocol. In the ideal protocol, Alice knows the input and the function computed by the input. Bob's circuit is private if Alice does not learn more information about the circuit in the actual protocol than in the ideal protocol. This happens when a simulator can simulate the results of the actual protocol with the results of the ideal protocol. Hence, circuit privacy quantifies the simulator's performance.
In classical cryptography, we can reduce classical oblivious transfer to classical homomorphic encryption. For a generic but simple classical reduction from classical oblivious transfer to classical homomorphic encryption, interested readers may refer to [19]. The essence of the reduction is that classical homomorphic encryption ensures not only data privacy but also circuit privacy. We will use this idea in the quantum analogue of classical reduction.

Quantum homomorphic encryption
In this subsection, we introduce relevant definitions of quantum homomorphic encryption. The scheme of quantum homomorphic encryption is similar to that of classical homomorphic encryption, which is presented in Definition 1. Both data privacy and circuit privacy are essential if we treat quantum homomorphic encryption as a "Swiss army knife" primitive. We formally define correctness, data privacy and circuit privacy as a quantum analogue of their classical counterparts in Definition 2, Definition 3 and Definition 4, respectively. Figure 1 describes a quantum homomorphic encryption scheme. In a quantum homomorphic encryption protocol, Alice computes a function KeyGen to obtain the key, uses the key and encryption map Enc to encrypt Alice's input and then sends the encryption to Bob. Bob applies Eval to evaluate Bob's channel F on the encryption and sends the evaluated encryption back to Alice. Alice decrypts the evaluated encryption with the key and a decryption map Dec and obtains Alice's output.  For simplicity, we will denote Enc(k, · ) by Enc k , Eval(F, · ) byF( · ), {Eval(F, · ) : F ∈ F } byF and Dec(k, · ) by Dec k ( · ).
For a quantum homomorphic encryption protocol to be meaningful, it needs to return the correct output. This is quantified by a property known as correctness.
Definition 2 (Correctness of quantum homomorphic encryption). A quantum homomorphic encryption protocol (F , KeyGen, Enc, Eval, Dec) is -correct if, for every channel F ∈ F , every Alice's input and its purification |ψ ∈ AR A and every key k ∈ {0, 1} L , Specifically when = 0, we say that the protocol is perfectly correct. Quantum homomorphic encryption needs to protect an honest Alice's data when a malicious Bob strives to learn it, as is shown in Figure 2. A quantum homomorphic encryption protocol is data private if a malicious Bob cannot distinguish different inputs of an honest Alice. The trace distance between encrypted states describes their indistinguishability.
Specifically when d = 0, we say that the protocol is perfectly data private.
Quantum homomorphic encryption needs to protect an honest Bob's circuit when a malicious Alice strives to learn Bob's circuit more than what an honest Alice's output indicates, as is shown in Figure 3. However, even an honest Alice can learn some information about Bob's circuit. Therefore, we identify the information indicated by an honest Alice's output with an ideal protocol in Figure 4. In the ideal protocol, we imagine a trusted Charlie. Alice sends the input, and Bob sends the channel to Charlie. Charlie applies Bob's channel to Alice's input and sends the output to Alice. Alice ought to learn no more information in the actual protocol than what Alice can learn in the ideal protocol in a circuit private protocol. This circuit private case happens if a channel can turn Alice's output in the ideal protocol into Alice's output in the actual protocol. The trace distance between the two states can quantify the channel's performance. Now we describe the actual protocol and the ideal protocol in detail. In the actual protocol, Alice sends her message σ ∈ S (Â) (whose purification is |ψ ∈ÂRÂ) to Bob. Bob appliesF ∈F on σ according to Bob's channel F, and sends Bob's messageF(σ) ∈ S (Ô) to Alice. Alice finally possesses the joint stateF[|ψ ψ|] ∈ S (ÔRÂ) of Bob's message and Alice's referencing system. In the ideal protocol, Alice sends Alice's input ρ ∈ S (A) (whose purification is |ψ ∈ AR A ) and Bob sends Bob's channel F ∈ F to Charlie. Charlie applies F on ρ according to Bob's channel F and sends Charlie's message F(ρ ) ∈ S (O) to Alice. Alice finally possesses the joint state F(|ψ ψ |) ∈ S (OR A ) of Charlie's message and Alice's referencing system. Alice further applies a post-processing channel N ∈ CPTP(OR A ,ÔRÂ) on F(|ψ ψ |) and obtains Alice's output N (F(|ψ ψ |)) ∈ S (ÔRÂ).
Specifically when c = 0, we call that the protocol is perfectly circuit private.
Our definition of circuit privacy is a good definition for the trivial protocol where Alice sends plaintexts to Bob. The trivial protocol where Alice sends plaintexts to Bob has no data privacy and perfect circuit privacy. We can write circuit privacy in terms of an optimization problem which is useful both theoretically and numerically.

Quantum oblivious transfer
Quantum oblivious transfer is a vital quantum cryptographic primitive. Following [26,27,28], we consider two types of quantum oblivious transfer protocols, namely standard oblivious transfer and semi-random oblivious transfer in our work which we define in Definition 6 and Definition 7, respectively. In Theorem 8, we prove that standard oblivious transfer and semi-random oblivious transfer are equivalent by constructing reductions between them in both directions.
In standard oblivious transfer, Bob possesses two data bits, and Alice interacts with Bob to learn one specific data bit, as shown in Figure 5. Furthermore, Alice does not want Bob to know which data bit Alice desires. Bob does not want Alice to know both data bits. Next, we define standard oblivious transfer with δ-completeness and soundness against a cheating Alice or Bob following Ref. [26,Definition 6]. Definition 6 (Standard oblivious transfer). A standard oblivious transfer protocol with δcompleteness, P A -soundness against a cheating Alice and P B -soundness against a cheating Bob is a two-party protocol where Alice begins with i ∈ {0, 1} and Bob begins with (x 0 , x 1 ) ∈ {0, 1} 2 , and Alice ends with output A ∈ {0, 1} ∪ {Abort}, and Bob ends with output B ∈ {Accept, Abort}. If Alice does not output Abort, we say that Alice accepts and outputŝ The following properties should be satisfied and Note that the above equations should hold for any choice (x 0 , x 1 ).
• Soundness against a cheating Alice: Suppose that Bob's (x 0 , x 1 ) is uniformly random. With a probability of at most P A , a cheating Alice can guess (x 0 ,x 1 ) for an honest Bob's (x 0 , x 1 ) correctly and Bob accepts. That is, when only Bob is honest, • Soundness against a cheating Bob: Suppose that Alice's i is uniformly random. With a probability of at most P B , a cheating Bob can guessî for an honest Alice's i correctly and Alice accepts. That is, when only Alice is honest, In semi-random oblivious transfer, Bob possesses two data bits, and Alice interacts with Bob to learn one data bit uniformly at random and the index of the data bit, as is shown in Figure 6. Furthermore, Alice does not want Bob to know the index of the data bit. Bob does not want Alice to know both data bits. We formally define semi-random oblivious transfer with δ-completeness by extending [28, Definition 2]. Definition 7 (Semi-random oblivious transfer). A semi-random oblivious transfer protocol is a two-party protocol where Bob begins with (x 0 , x 1 ) ∈ {0, 1} 2 , Alice ends with output A ∈ {0, 1} 2 ∪{Abort}, and Bob ends with output B ∈ {Accept, Abort}. If Alice does not output Abort, we say that Alice accepts and outputs (i,x) ∈ {0, 1} 2 .

SemirandomOT :
Bob The protocol has δ-completeness, P A -soundness against a cheating Alice and P B -soundness against a cheating Bob if the following holds.
• Completeness: If Alice and Bob are both honest, then both parties accept, i is uniformly random and with a probability of at least 1 − δ,x = x i . That is, when both parties are honest, and Note again that above equations should hold for any (x 0 , x 1 ).
• Soundness against a cheating Alice: Suppose that Bob's (x 0 , x 1 ) is uniformly random. With a probability of at most P A , a cheating Alice can guess (x 0 ,x 1 ) for an honest Bob's (x 0 , x 1 ) correctly and Bob accepts. That is, when only Bob is honest, • Soundness against a cheating Bob: With a probability of at most P B , a cheating Bob can guessî for an honest Alice's i correctly and Alice accepts. That is, when only Alice is honest, Following the same technique in [26, Proposition 9,10] and [28, Proposition 1], we prove that standard oblivious transfer is equivalent to semi-random oblivious transfer in Theorem 8.

Theorem 8. A standard oblivious transfer protocol with δ-completeness, P A -soundness against a cheating Alice and P B -soundness against a cheating Bob is equivalent to a semirandom oblivious transfer protocol with δ-completeness, P A -soundness against a cheating Alice and P B -soundness against a cheating Bob.
The proof works by constructing reductions between semi-random and standard oblivious transfer. We can easily reduce semi-random oblivious transfer to standard oblivious transfer. A semi-random oblivious transfer protocol can be viewed as Alice chooses the index of the data bit Alice wants to learn and performs a standard oblivious transfer protocol with Bob. It is trickier to reduce standard oblivious transfer to semi-random oblivious transfer. A semi-random oblivious transfer protocol can work as a subprotocol to generate keys in a standard oblivious transfer protocol. Initially, Bob holds two keys. After a semi-random oblivious transfer protocol, Alice learns one key uniformly at random and the key index, while Bob does not know the index of the key. Alice can then encrypt Alice's request with the key index, and Bob can encrypt Bob's two data bits with two keys. In this way, Alice can only decrypt one data bit, and Bob cannot decrypt Alice's request. We provide the detailed proof in Appendix A.

Bounds for quantum oblivious transfer
In this section, we extend the bound for quantum oblivious transfer in [28,Eq. (27)] to δcorrectness with the same technique. We first describe the general scheme of semi-random oblivious transfer and then bound Alice's and Bob's cheating probabilities by proposing their cheating strategies.
The general scheme of semi-random oblivious transfer with N rounds of communication [28, Section IIIA] is illustrated in Figure 7. Alice and Bob keep their memories private and exchange their messages publicly. Each time either Alice or Bob receives the message, they apply a unitary that acts jointly on the memory and the message. In the last step, they measure their state to obtain their output. Any semi-random oblivious transfer can be described by such a general scheme.
Protocol 1 formally describes the general scheme depicted in Figure 7. Alice begins with the state |ψ ∈ R A A, where R A is Alice's referencing system and A is Alice's message. Bob begins with the state |0 ∈ R B and the data bits (x 0 , x 1 ) ∈ {0, 1} 2 , where R B is Bob's referencing system. The joint state of Alice and Bob is |ψ |0 |x 0 , x 1 ∈ AR A BR B . Bob prepares the program |x 0 , x 1 ∈ B. Then Alice and Bob repeat N rounds of communication: Alice sends A to Bob; Bob applies a unitary U (x 0 ,x 1 ), ∈ U(AR B ) that acts trivially on R A and depends on (x 0 , x 1 ); Bob sends A back to Alice; Alice applies a uni- We denote the maximum fidelity between distinct pairs of Alice's final states by f , i.e.
relates the post-measurement state to the pre-measurement state. Alice's output is the measurement outcome (i,x).
Applying a similar method as in [28, Section IIIB,C,D], we can obtain a bound for the semi-random oblivious transfer protocol. Theorem 9. Any semi-random oblivious transfer protocol and any standard oblivious transfer protocol with δ-completeness, P A -soundness against a cheating Alice and P Bsoundness against a cheating Bob satisfies In order to show a violation of soundness, it suffices to exhibit a specific cheating strategy. Therefore, we will only deal with certain strategies of cheating Alice and Bob in the proof. Alice's cheating strategy involves performing a pretty-good measurement in the last step to try to learn Bob's input. Bob can input a well-chosen superposition at the beginning and measure at the end to try to learn Alice's input.
Proof. Here we prove a bound for semi-random oblivious transfer, and due to the equivalence between semi-random oblivious transfer and standard oblivious transfer in Theorem 8, the same bound applies to standard oblivious transfer. Consider a semi-random Protocol 1 Scheme of semi-random oblivious transfer with N rounds of communication Alice's and Bob's outputs 1: Alice: Prepare |ψ ∈ R A A 2: Bob: Prepare |0 ∈ R B . 3: for = 1 to = N do Alice and Bob performs N rounds of communication.

4:
Alice: Send A to Bob.

6:
Bob: Send A back to Alice.

7:
Alice: Alice measures to determine whether to accept. 10 Alice measures to determine (i,x).

16:
Alice: output A ← (i,x). 17: end if oblivious transfer protocol with δ-completeness described by Protocol 1. The positive operator valued measure where θ i,(x 0 ,x 1 ) is the error probability that depends on i and (x 0 , x 1 ). In order to satisfy the δ-completeness of standard oblivious transfer, θ i,(x 0 ,x 1 ) must satisfy for any (x 0 , We first discuss the soundness against Alice. Suppose that Alice is malicious and Bob is honest. Alice can follow Protocol 1 through Step 14 while performing the pretty Step 15 and guess (x 0 ,x 1 ) for (x 0 , x 1 ). A cheating Alice will not be caught by an honest Bob since Alice follows the protocol until Bob accepts. If (x 0 , x 1 ) is uniformly random, then the probability that Alice can guess correctly is bounded in [29,Theorem 3.1], and satisfies the inequality As shown in Eq. (19), the required measurement {N (i,x) } i,x∈{0,1} distinguishes σ (x 0 ,x 1 ) and σ (x 0 ,x 1 ) with a probability of at least 1−δ. Therefore, the Holevo-Helstrom theorem [30,31] (see [32,Theorem 3.4] for a modern version) implies that Applying the Fuchs-van de Graaf inequality in [33, Theorem 1] we obtain Recall the maximum fidelity f defined in (17). By reordering terms in Eq. (21), we obtain Applying Eq. (24), we obtain Therefore, a cheating Alice can guess an honest Bob's (x 0 , x 1 ) and both parties accept with a probability of at least 1 − f − δ(1 − δ), and thus Second we discuss the soundness against Bob. Suppose that Alice is honest and Bob is malicious. Let (x 0 , x 1 ) and (x 0 , x 1 ) be the two data bit strings corresponding to the maximum fidelity f defined in (17), i.e. f = F (σ (x 0 ,x 1 ) , σ (x 0 ,x 1 ) ). There is at least one different bit between (x 0 , x 1 ) and (x 0 , x 1 ). Let us assume that x 1 = 0 and x 1 = 1, and other cases follow analogously. According to Uhlmann's theorem [34] (or see a textbook e.g. [32, Theorem 3.22]), we can find a purification |φ (x 0 ,0) ∈ AR A R B of σ (x 0 ,0) and a purification |φ Based on the above facts, Bob can cheat by considering the two inputs (x 0 , 0) and (x 0 , 1), preparing the program in superposition and otherwise honestly following the protocol, and making a measurement on his state in the end to try to learn Alice's input. More precisely, instead of following Protocol 1, Bob will prepare the superposition |(x 0 , 0) + |(x 0 , 1) ∈ B and apply the controlled Step 5 of each round of communication. Before Step 9, the joint state of both parties is the superposition |ψ (x 0 ,0) |x 0 , 0 + |ψ (x 0 ,1) |x 0 , 1 . A cheating Bob will not be caught by an honest Alice because Π Accept Alice |ψ (x 0 ,0) = |ψ (x 0 ,0) and Π Accept Alice |ψ (x 0 ,1) = |ψ (x 0 ,1) , hence Π Accept Alice |ψ (x 0 ,0) |x 0 , 0 + |ψ (x 0 ,1) |x 0 , 1 = |ψ (x 0 ,0) |x 0 , 0 +|ψ (x 0 ,1) |x 0 , 1 .

After
Step 15, Bob wants to learn i. This can be done by a unitary U (x 0 ,0) The reduced density matrix ρ B ∈ S (B) is or more explicitly The difference between ρ (0) The trace norm of a two-dimensional Hermitian matrix with only off-diagonal elements is just the absolute value of its off-diagonal elements. Hence we obtain Since i,x∈{0,1} N (i,x) = I AR A , we obtain Applying the reverse triangle inequality, we obtain Furthermore, applying the Cauchy-Schwarz inequality, we obtain where the last inequality follows from Eq. (19). Substituting into Eq. (35), we find Therefore, we obtain Pr[î = i] ≥ 1 2 (1 + f − 2 √ 2δ). Hence, a cheating Bob can guess an honest Alice's i and both parties accept with a probability of at least Combining Eq. (27) with Eq. (38) and eliminating F , we obtain a bound for semirandom oblivious transfer By further using we have

Reduction from quantum oblivious transfer to quantum homomorphic encryption
In this section, we reduce quantum oblivious transfer to quantum homomorphic encryption. We construct a set of channels which can realize quantum oblivious transfer in Definition 10. We then use a quantum homomorphic encryption protocol with the set of channels as a black-box subprotocol to construct a quantum oblivious transfer protocol, as shown in Figure 8. Alice inputs the index of the data bit, Bob inputs two data bits to the black-box subprotocol, and the black-box subprotocol outputs the desired data bit to Alice. We complete the reduction by translating the correctness, data privacy and circuit privacy of quantum homomorphic encryption into the completeness, soundness against Bob and soundness against Alice of quantum oblivious transfer in Lemma 16, Lemma 17 and Lemma 20, respectively. We now define the set of strong oblivious transfer channels. Roughly speaking, the set of strong oblivious transfer channels can realize standard oblivious transfer in a classical manner.

can be compactly given by
where O 2 denotes the second qubit in the output.
Remark 11. Strong oblivious transfer channels F (x 0 ,x 1 ) can be explicitly expressed as where A 1 and A 2 denotes the first and second qubit in the input, respectively.

Remark 12. When
We explicitly construct F (x 0 ,x 1 ) with Cliffords CL, completely dephasing channels D and completely depolarising channels P in Figure 9.
The completely dephasing channel D can further be constructed by applying I 2 and Z uniformly at random. The completely depolarising channel P can be constructed by applying I 2 , Z, X and XZ uniformly at random. That motivates us to define the set of strong oblivious transfer Cliffords. Equivalently, strong oblivious transfer Cliffords can realize strong oblivious transfer channels.

Lemma 14. A quantum homomorphic encryption protocol that allows to delegate
and with -correctness, d -data privacy, c -circuit privacy can simulate a quantum homomorphic encryption protocol that allows to delegate F (x 0 ,x 1 ) with -correctness, d -data privacy and c -circuit privacy.  Proof. Suppose that there is a quantum homomorphic encryption protocol Q that delegates F with -correctness, d -data privacy, c -circuit privacy. The quantum homomorphic encryption protocol Q that delegates F (x 0 ,x 1 ) can be constructed from Q as follows. The key generation, encryption and decryption maps of Q are the same as that of Q . The evaluation map of Q requires further randomization, i.e. Bob fixes (x 0 , x 1 ), generates (r 0 , r 1 , r 2 , r 3 ) uniformly at random and evaluates F (r 0 ,r 1 ,r 2 ,r 3 ) (x 0 ,x 1 ) . Namely, and henceF The correctness of Q implies that for any F , any |ψ ∈ AR A and any key k = KeyGen(κ) Averaging over the uniform distribution of (r 0 , r 1 , r 2 , r 3 ), applying the convexity of the trace distance in [35,Theorem 9.3] and substituting Eq. (52) and Eq. (53), we conclude that for any F (x 0 ,x 1 ) , any |ψ ∈ AR A and any key k = KeyGen(κ) which is exactly the correctness of Q . The data privacy of Q translates directly to the data privacy of Q , because both the key generation and encryption maps are identical. That is, for any ρ ∈ S (A) for both Q and Q .
The circuit privacy of Q requires that for any |ψ ∈ÂRÂ, there must exist |ψ ∈ AR A and N ∈ CPTP(ARÂ,ÂRÂ) such that for any F Similar to the technique we use for the correctness, averaging over the uniform distribution of (r 0 , r 1 , r 2 , r 3 ), applying the convexity of the trace distance in [35,Theorem 9.3] and substituting Eq. (52) and Eq. (53), we conclude that for any |ψ ∈ÂRÂ, there must exist |ψ ∈ AR A and N ∈ CPTP(ARÂ,ÂRÂ) such that for any F (x 0 ,x 1 ) This shows that Q has c -circuit privacy.

Remark 15.
We can reduce quantum homomorphic encryption which allows the delegation of F (x 0 ,x 1 ) to quantum homomorphic encryption which allows the delegation of F . However, the converse is not necessarily true. Quantum homomorphic encryption allowing F (x 0 ,x 1 ) is weaker than quantum homomorphic encryption allowing F In the following part, we will prove that one can construct a standard oblivious transfer protocol by a quantum homomorphic encryption protocol with {F (x 0 ,x 1 ) } x 0 ,x 1 ∈{0,1} ⊂ F . The -correctness, d -data privacy and c -circuit privacy of quantum homomorphic encryption translates to the -completeness, 1 2 (1 + d )-soundness against a cheating Bob and 1 2 + c -soundness against a cheating Alice of standard oblivious transfer. Now we clarify once more the notations before we state the lemmas. Recall the notations in the actual protocol. Alice's message is σ ∈ S (Â) and the purification of Alice's message is |ψ ∈ÂRÂ. Bob's program is |x 0 , x 1 x 0 , x 1 | B ∈ S (B). Bob's channel isF (x 0 ,x 1 ) ∈ CPTP(Â,Ô) which maps Alice's message σ ∈ S (Â) to Bob's messagê Recall the notations in the ideal protocol. Alice's input is ρ ∈ S (A) and the purifica- We sketch the proof of the reduction from quantum oblivious transfer to quantum homomorphic encryption. In Protocol 2, we show how one can realize the standard oblivious transfer protocol using quantum homomorphic encryption. In Lemma 16, we translate the -correctness of quantum homomorphic encryption to the -completeness of standard oblivious transfer. In Lemma 17, we translate the d -data privacy to the 1 2 (1 + d )-soundness against a cheating Bob. In Lemma 20, we translate the c -circuit privacy of a quantum homomorphic encryption protocol to the ( 1 2 + c )-soundness of a quantum oblivious transfer protocol against a cheating Alice. We piece these lemmas together in Theorem 21, where we show how a quantum homomorphic encryption protocol can apply a standard oblivious transfer protocol while taking into account the properties of completeness and soundness.

Lemma 16. If the quantum homomorphic encryption in Protocol 2 has -correctness, then the constructed standard oblivious transfer has -completeness.
Proof. From Definition 6, the correctness of the standard oblivious transfer requires that the output is approximately correct if both Alice and Bob are honest. Note that for any |i, 0 ∈ A and any (x 0 , x 1 ) ∈ {0, 1} 2 , we have Due to the -correctness of the quantum homomorphic encryption protocol defined in Definition 2, we have According to [35,Eq. (9.22)], the trace distance can be written as Suppose that Alice performs the positive operator valued measure {|0 0| O , |1 1| O } and obtains the measurement outcomex . Thus Since the optimal measurement performs better than the above measurement, we have Hence the standard oblivious transfer protocol in Definition 6 has -completeness.

Lemma 17.
In Protocol 2, if the quantum homomorphic encryption protocol has d -data privacy, then the constructed standard oblivious transfer protocol has 1 2 (1 + d )-soundness against Bob.
Proof. Suppose that the quantum homomorphic encryption protocol has d -data privacy. Consider an honest Alice and a malicious Bob. Suppose that Alice's input is |i, 0 i, 0| A . Because Bob does not know Alice's key, Bob perceives Alice's message as where the expectation is taken over a uniform distribution over all keys k. From the d -data privacy of the quantum homomorphic encryption protocol defined in Definition 3, we have Now Bob measures Alice's message and guessesî for i. Using the Holevo-Helstrom theorem in [30,31] (or in a textbook, e.g. [32,Theorem 3.4]), the cheating probability of Bob, i.e., the probability that Bob guesses the given state correctly when Bob is given either of two states, each with a probability of 1 2 , is at most Thus, the standard oblivious transfer protocol in Definition 6 has 1 2 (1 + d )-soundness against a cheating Bob.
Before we proceed to Lemma 20, we prove two more claims. In Claim 18, we show that the Schmidt basis of Alice's input can be chosen as the computational basis in Protocol 2 in the ideal protocol.

Claim 18. Consider Protocol 2 in the ideal protocol. Suppose that the input |ψ ∈ AR
and N ∈ CPTP(OR A ,ÔRÂ) is any channel. Then there exists an input |ψ ∈ AR A of the form and a post-processing channel N ∈ CPTP(OR A ,ÔRÂ) such that for any x 0 , x 1 = 0, 1, Proof. Here, we construct N explicitly. Consider an input |ψ ∈ AR A of the form Eq. (67). Using the definition of F (x 0 ,x 1 ) in Definition 10, we have where Consider an input |ψ ∈ AR A of the form Eq. (68). Hence, By observation, we can construct N ∈ CPTP(OR A , OR A ) such that which satisfies Hence we can construct N = N • N which satisfies Therefore, for any input |ψ ∈ AR A and any channel N ∈ CPTP(OR A ,ÔRÂ), there exist |ψ ∈ AR A and N ∈ CPTP(OR A ,ÔRÂ) such that for any F (x 0 ,x 1 ) , Eq. (74) holds.
In Claim 19 we show that the cheating probability of Alice is at most 1 2 in the ideal protocol if the Schmidt basis of Alice's input is the computational basis.
when (x 0 , x 1 ) are chosen uniformly at random.
Proof. Suppose that in the ideal protocol, Alice inputs |ψ ∈ AR A of the form Eq. (68). Alice applies N ∈ CPTP(OR A ,ÔRÂ). Let B denotes Bob's register. The definition of soundness against Alice requires Bob to input (x 0 , x 1 ) uniformly at random, or equivalently to input 1 The state of both Alice and Bob in the ideal protocol is Suppose that Alice measures {M (x 0 ,x 1 ) }x 0 ,x 1 ∈{0,1} and guesses (x 0 ,x 1 ) for (x 0 , x 1 ). The probability that Alice guesses correctly is where we substituted Eq. (76) and took the trace over B. Let N * be the adjoint of N and M (x 0 ,x 1 ) = N * (M (x 0 ,x 1 ) ). N is trace preserving, thus N * is unital. Since is also a positive operator valued measure on OR A . By replacing N and Recall that |ψ has the form Eq. (68) and thus F (x 0 ,x 1 ) (|ψ ψ | AR A ) has the form Eq. (71). Substituting both Eq. (68) and Eq. (71) into Eq. (79), we obtain To upper bound the probability, we replace , we obtain that the probability that Alice guesses correctly is at most 1 2 in the ideal protocol which completes the proof.
With Claim 18 and Claim 19 in hand, we are ready to prove the bound on soundness against Alice in Lemma 20. The circuit privacy bounds the trace distance between Alice's state in the ideal protocol and that in the actual protocol. The trace distance further bounds the difference between Alice's cheating probability in the actual model and the ideal model. Note that Alice's cheating probability in the ideal protocol is 1 2 . Hence we can upper-bound Alice's cheating probability in the actual protocol. Lemma 20. If the quantum homomorphic encryption protocol In Protocol 2 has c -circuit privacy, then the constructed standard oblivious transfer protocol has ( 1 2 + c )-soundness against Alice.
Proof. Suppose that in the actual protocol, Alice inputs |ψ ∈ÂRÂ. Again Let B denote Bob's register. The definition of soundness against Alice requires Bob to input (x 0 , x 1 ) uniformly at random, or equivalently Bob to input 1 4 x 0 ,x 1 |x 0 , x 1 x 0 , x 1 | B . Bob applieŝ F (x 0 ,x 1 ) according to his values for (x 0 , x 1 ). Alice and Bob's joint state in the actual protocol is Suppose that Alice measures {M (x 0 ,x 1 ) }x 0 ,x 1 ∈{0,1} and guesses (x 0 ,x 1 ) for (x 0 , x 1 ). The probability that Alice can guess correctly is The absolute value of Eq. (77) minus Eq. (83) can be bounded by the trace distance between ρ ideal and ρ actual , as shown in the Holevo-Helstrom theorem in [30,31] (or a modern version in [32,Theorem 3.4]) where the last inequality is due to the c -circuit privacy of the quantum homomorphic encryption protocol defined in Definition 4, which implies that for any |ψ we can find |ψ and N such that for any (x 0 , x 1 ) Thus, Substituting Eq. (81) in Claim 19 into Eq. (87), we obtain that the cheating probability of Alice is at most Hence, the oblivious transfer protocol in Definition 6 has ( 1 2 + c )-soundness. We can immediately prove Theorem 21 with Protocol 2, Lemma 16, Lemma 17 and Lemma 20.

Theorem 21.
Suppose that there is a quantum homomorphic encryption protocol Q with -correctness, d -data privacy and c -circuit privacy that delegates F (x 0 ,x 1 ) . Then one can use Q to execute standard oblivious transfer with -completeness, ( 1 2 + c )-soundness against a cheating Alice and 1 2 (1 + d )-soundness against a cheating Bob. Proof. Suppose that we apply Protocol 2 with a quantum homomorphic encryption protocol with -correctness, d -data privacy and c -circuit privacy. Lemma 16 shows that the -completeness of the standard oblivious transfer is satisfied, Lemma 17 shows that the 1 2 (1 + d )-soundness against a cheating Bob is satisfied, and Lemma 20 shows that the 1 2 + c -soundness against a cheating Alice is satisfied, which completes the proof.

Lower bounds for quantum homomorphic encryption
Here, we prove a lower bound for a broad family of quantum homomorphic encryption protocols. The reduction in Theorem 21 can translate a bound on quantum oblivious transfer to the bound on quantum homomorphic encryption that can delegate F (x 0 ,x 1 ) . Lemma 14 shows that quantum homomorphic encryption allowing Cliffords can simulate quantum homomorphic encryption allowing F (x 0 ,x 1 ) . Combining Theorem 21, Theorem 9 and Lemma 14, we obtain a lower bound for quantum homomorphic encryption with Cliffords.

Corollary 22.
A quantum homomorphic encryption protocol with -correctness, d -data privacy and c -circuit privacy that allows the delegated computation of F (x 0 ,x 1 ) satisfies Moreover, the above bound also applies to quantum homomorphic encryption allowing F or with Cliffords.

Upper bounds for quantum homomorphic encryption
In this section, we relate the circuit privacy of quantum homomorphic encryption that delegates a set of channels to the maximal error probability of multi-channel quantum hypothesis testing over the set of channels. In this way, we can prove upper bounds on circuit privacy of quantum homomorphic encryption. We first introduce the multi-channel quantum hypothesis testing problem. Suppose that we are given a quantum channel F which is chosen from a set F of quantum channels. We apply the quantum channel F on an input |ψ ∈ AR A , perform a positive operator valued measure {M F } F ∈F on the output F(|ψ ψ | AR A ) ∈ S (OR A ) and use the measurement outcome F to guess for F. The maximal error probability of multi-channel quantum hypothesis testing over F is Now, consider the circuit privacy of quantum homomorphic encryption that allows the delegation of a set of channels F . Suppose that Alice is malicious and Bob is honest. Recall the actual protocol in Figure 3 and the ideal protocol in Figure 4. In the actual protocol and the ideal protocol, Alice's final state isF(|ψ ψ|Â RÂ ) ∈ S (ÔRÂ) and F(|ψ ψ | AR A ) ∈ S (OR A ) respectively. The circuit privacy quantifies how well Alice in the ideal protocol can simulate Alice in the actual protocol. There is always a possible strategy for the simulation: Alice in the ideal protocol performs multi-channel quantum hypothesis testing and then uses the measurement outcome to simulate Alice in the actual protocol. More precisely, first, Alice in the ideal protocol sends |ψ ∈ AR A to Charlie, obtains F(|ψ ψ | AR A ) ∈ S (OR A ), measures {M F } F ∈F on F(|ψ ψ | AR A ) and guesses F for F; second, Alice in the ideal protocol useF (|ψ ψ|Â RÂ ) to simulateF(|ψ ψ|Â RÂ ). We can then use this strategy to upper bound the circuit privacy of quantum homomorphic encryption. Theorem 23. The circuit privacy of a quantum homomorphic encryption protocol that delegates a set F of channels is upper bounded by the maximal error probability of multichannel quantum hypothesis testing over a set F of channels Proof. Suppose that Alice in the actual protocol obtainsF(|ψ ψ|Â RÂ ) and that Alice in the ideal protocol obtains F(|ψ ψ | AR A ). Alice in the ideal protocol performs the multichannel quantum hypothesis testing and uses the measurement outcome to simulate Alice in the actual protocol. That is, Alice in the ideal protocol sends a state |ψ ∈ AR A to Charlie, obtains F(|ψ ψ | AR A ) ∈ S (OR A ), measures the positive operator valued measurement {M F } F ∈F , obtains the measurement outcome F and then constructsF(|ψ ψ|ÂRÂ). The corresponding quantum channel N ∈ CPTP(OR A ,ÔRÂ) is given by Substituting Eq. (92) into Eq. (4), applying the convexity of the trace distance in [35,Theorem 9.3] and note that trace distance is upper-bounded by 1, we obtain which holds for all possible F ∈ F , |ψ ∈ AR A , {M F } F ∈F , and |ψ ∈ÂRÂ. We now maximize over all possible F ∈ F , minimize over all possible |ψ ∈ AR A and {M F } F ∈F , and maximize over all possible |ψ ∈ÂRÂ. Recall Remark 5 and Eq. (90), we obtain which completes the proof.

Corollary 24.
For any quantum homomorphic encryption which only allows the delegated computation of F (x 0 ,x 1 ) , the circuit privacy is bounded by Thus we have We then immediately obtain Corollary 24 from Theorem 23.

Conclusion
In conclusion, we formally define quantum homomorphic encryption and its informationtheoretic circuit privacy, correctness and data privacy. We then reduce quantum oblivious transfer to quantum homomorphic encryption with strong oblivious transfer channels. We show our reduction works for a broad class of quantum homomorphic encryption by further reducing quantum homomorphic encryption with strong oblivious transfer channels to quantum homomorphic encryption with Cliffords. Combining our reduction and a lower bound for quantum oblivious transfer, we obtain a lower bound for a broad class of quantum homomorphic encryption To be complete, we also prove an upper bound for quantum homomorphic encryption by constructing a simulation strategy for Alice from multi-channel quantum hypothesis testing. We show that the circuit privacy of quantum homomorphic encryption that delegates a set F of channels is upper bounded by the maximal error probability of multi-channel quantum hypothesis testing As a corollary, we find c ≤ 1 2 for quantum homomorphic encryption that only delegates F (x 0 ,x 1 ) .
In Figure 11, we present lower bounds for quantum homomorphic encryption protocols that only allow the delegation of F (x 0 ,x 1 ) with perfect correctness. Each point in Figure 11 is denoted by ( d , c ). The line corresponds to the lower bound, and the shaded area indicates the impossible region. The diamond point (0, 1 2 ) can be achieved using [11] asymptotically. The square point (1, 0) can be trivially achieved by Alice sending her input to Bob without encryption. It is still unknown whether the line is reachable at points other than the diamond point. In particular, we do not have quantum homomorphic encryption protocols which trade some data privacy for some circuit privacy, and thus we cannot achieve other points on the line without additional resources. (If Alice and Bob have shared randomness or can use weak coin flipping, then interpolation would be possible.) We note that the impossible region could potentially be enlarged if we consider more powerful function classes so that, for example, 1-out-of-n oblivious transfer can be reduced to homomorphic encryption, reducing the probability that Alice and Bob correctly guess their opponent's inputs by chance. We leave this for future work. Our definitions and techniques can also apply to reductions from other cryptographic primitives (e.g. secure multi-party computation [36,37], coin-flipping [38,39,40,41], bit commitment [42,43]) to quantum homomorphic encryption, which may allow better privacy and correctness trade-offs.

A Equivalence between standard oblivious transfer and semi-random oblivious transfer
In this subsection, we give the detailed proof for Theorem 8.
Proof. First, we reduce semi-random oblivious transfer to standard oblivious transfer, as is shown in Protocol 3. Bob inputs two data bits (x 0 , x 1 ) ∈ {0, 1} 2 in semi-random oblivious transfer. Alice generates i ∈ {0, 1} uniformly at random. Then Alice and Bob perform standard oblivious transfer in which Alice inputs i and Bob inputs (x 0 , x 1 ) and from which Alice obtains A and Bob obtains B. Each party accepts in semi-random oblivious transfer if and only if she or he accepts in standard oblivious transfer. If Alice accepts, Alice's output is output A = (i, A).
Bob accepts in SemirandomOT iff Bob accepts in StandardOT. Now we show that the δ-completeness, P A -soundness against Alice and P B -soundness against Bob also translate from standard oblivious transfer to semi-random oblivious transfer in the reduction.
• Completeness: Suppose that both Alice and Bob are honest. Then i is uniformly at random. Due to the δ-completeness of standard oblivious transfer, both parties accept, and with a probability of at least 1 − δ, y = x i . Hence the δ-completeness of semi-random oblivious transfer is satisfied.
• Soundness against a cheating Alice: Suppose that Alice is malicious while Bob is honest. Due to the P A -soundness against a cheating Alice of standard oblivious transfer, with a probability of at most P A , Alice can guess Bob's (x 0 , x 1 ) correctly and both parties accept. Therefore, the P A -soundness against a cheating Alice of semi-random oblivious transfer is satisfied.
• Soundness against a cheating Bob: Suppose that Alice is honest while Bob is malicious. Due to the P B -soundness against a cheating Alice of standard oblivious transfer, with a probability of at most P B , Bob can guess Alice's i correctly and both parties accept. Thus, the P B -soundness against a cheating Alice of semi-random oblivious transfer is satisfied.
Second, we reduce standard oblivious transfer to semi-random oblivious transfer, as is shown in Protocol 4. Alice inputs i ∈ {0, 1} and Bob inputs (x 0 , x 1 ) ∈ {0, 1} 2 in standard • Soundness against a cheating Alice: Suppose that Alice is malicious and Bob is honest. Due to the P A -soundness against a cheating Alice of semi-random oblivious transfer, with a probability of at most P A , Alice can guess Bob's (y 0 , y 1 ) and both parties accept. Since y 0 y 1 is uniformly random and x r = s 0 ⊕ y 0 and x r ) = s 1 ⊕ y 1 , with a probability of at most P A , Alice can guess Bob's (x 0 , x 1 ) and both parties accept. Hence, the P A -soundness against a cheating Alice of standard oblivious transfer is satisfied.
• Soundness against a cheating Bob: Suppose that Alice is honest and Bob is malicious. Due to the P B -soundness against a cheating Bob of semi-random oblivious transfer, with a probability of at most P 0 , Bob can guess Alice's j and both parties accept. Considering that j is uniformly random and that i = r ⊕ j, with a probability of at most P B , Bob can guess Alice's i and both parties accept. Therefore, the P Bsoundness against a cheating Bob of standard oblivious transfer is satisfied.