Efficient Quantum Fully Homomorphic Encryption
Reviewed by Pith T0 review T1 audit T2 compute T3 formal T4 kernel 2026-07-01 09:51 UTCgrok-4.3pith:XXRX6B4Arecord.jsonopen to challenge →
The pith
A modular arithmetic program for LWE decryption reduces EPR pairs in quantum fully homomorphic encryption from O(lambda squared) to O(lambda log squared lambda).
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
LWE decryption is realized as a modular inner product via an MA-Program whose state space is Z_q, yielding programs of state count O(lambda) and length O(lambda log lambda) that reduce the required EPR pairs from O(lambda squared) to O(lambda log squared lambda) while enabling a fully classical client and parallel evaluation.
What carries the argument
The MA-Program, which tracks partial sums modulus q with state space Z_q to produce short programs for non-symmetric modular inner products.
If this is right
- QFHE evaluation of each T-gate now consumes only O(lambda log squared lambda) EPR pairs instead of O(lambda squared).
- The client performs solely classical LWE key generation and encryption under classical FHE, with no quantum operations required.
- A layered key structure removes the need for circular security assumptions.
- Up to O(log lambda) parallel measurements per layer are supported while keeping evaluation deterministic.
- Offline EPR preparation is separated from online adaptive measurements.
Where Pith is reading between the lines
- The same modular-tracking idea might apply to other lattice-based schemes whose decryption involves non-symmetric modular arithmetic.
- If the offline EPR preparation can be made reusable across multiple evaluations, the amortized cost per computation could drop further.
- The reduction in per-gate quantum resources could be combined with classical FHE batching techniques to handle larger circuits.
- Testing whether the MBQC flow functions preserve the exact O(lambda) state count under realistic noise models would be a direct next measurement.
Load-bearing premise
The MA-Program can be embedded in the MBQC framework without increasing the stated state-space size or breaking correctness, and LWE decryption cannot exploit prior symmetric-function shortcuts.
What would settle it
A concrete construction or lower-bound proof showing that any correct MA-Program for LWE decryption requires length omega(lambda log lambda) or that the resulting gadget uses more than O(lambda log squared lambda) EPR pairs would falsify the efficiency claim.
Figures
read the original abstract
Quantum fully homomorphic encryption (QFHE) enables arbitrary quantum computations on encrypted data, but prior constructions require prohibitive quantum resources--specifically, O(lambda^2) EPR pairs per T-gate evaluation using the Barrington-based approach (DSS16). This paper introduces a unified framework achieving exponential improvement over the generic Barrington-based approach in program length. The central innovation is a novel modular arithmetic program (MA-Program) tailored to learning with errors (LWE) decryption. We show that LWE decryption computes the inner product <sk,ct> mod q, a modular inner product that is NOT a symmetric function. Thus, prior symmetric-function optimizations (Sinha's O(n)-state branching programs) do not apply. Our MA-Program tracks partial sums modulus q with state space Z_q requiring O(log q) bits, yielding programs of state count O(lambda) with binary encoding O(log lambda) and length O(lambda log lambda). This reduces the quantum gadget size from O(lambda^2) to O(lambda log^2 lambda) EPR pairs. To achieve a fully classical client, we transfer all quantum resources (EPR preparation, Bell measurements, adaptive error correction) to the server via the MA-Program gadget framework. Clients only perform classical LWE key generation, Pauli key encryption under classical FHE, and no quantum operations; a layered key structure further eliminates circular security assumptions. For parallel computation, we adopt the MBQC framework with flow functions, supporting up to O(log lambda) parallel measurements per layer. This separates offline resource preparation from online adaptive measurement, enabling parallel processing while maintaining deterministic evaluation.
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. The manuscript claims to introduce a modular arithmetic program (MA-Program) for LWE decryption in QFHE. By treating LWE decryption as a non-symmetric modular inner product (unlike prior symmetric-function optimizations), it constructs programs with state count O(λ), binary encoding O(log λ), and length O(λ log λ). This purportedly reduces the quantum gadget size from O(λ²) to O(λ log² λ) EPR pairs per T-gate, transfers all quantum resources to the server for a fully classical client, and uses MBQC with flow functions for O(log λ) parallel measurements per layer.
Significance. If the claimed resource reduction and MA-Program construction hold without hidden assumptions on q or the MBQC embedding, the result would constitute a substantial efficiency gain over Barrington-based QFHE, moving the field closer to practical quantum homomorphic encryption with classical clients and no circular security assumptions.
major comments (1)
- [Abstract] Abstract: The central efficiency claim rests on the MA-Program having 'state count O(λ)' while 'tracks partial sums modulus q with state space Z_q'. A state space Z_q requires q states, yet the text asserts state count O(λ) and derives O(λ log² λ) EPR pairs from program length O(λ log λ). Standard LWE parameters set q polynomial or superpolynomial in λ for security, creating an internal inconsistency that prevents the stated reduction from following. This is load-bearing for the main result.
minor comments (1)
- The abstract uses 'lambda' inline without consistent mathematical formatting; ensure uniform notation (e.g., λ) throughout the manuscript.
Simulated Author's Rebuttal
We thank the referee for their careful reading and for identifying the potential inconsistency in the abstract. We respond point-by-point below.
read point-by-point responses
-
Referee: [Abstract] Abstract: The central efficiency claim rests on the MA-Program having 'state count O(λ)' while 'tracks partial sums modulus q with state space Z_q'. A state space Z_q requires q states, yet the text asserts state count O(λ) and derives O(λ log² λ) EPR pairs from program length O(λ log λ). Standard LWE parameters set q polynomial or superpolynomial in λ for security, creating an internal inconsistency that prevents the stated reduction from following. This is load-bearing for the main result.
Authors: We acknowledge that the abstract phrasing creates an ambiguity. The full manuscript constructs an MA-Program specifically for the non-symmetric modular inner product <sk, ct> mod q. This construction achieves O(λ) states (not q states) by using a binary-encoded representation and a sequence of modular additions tailored to the LWE structure, resulting in program length O(λ log λ) and binary encoding O(log λ) per state. The reference to 'state space Z_q requiring O(log q) bits' describes the per-state encoding size under standard LWE parameters where log q = O(log λ), but does not imply the program maintains q distinct states. Nevertheless, the wording is imprecise and risks misinterpretation. We will revise the abstract and introduction to explicitly state that the MA-Program uses O(λ) states via its non-symmetric structure, independent of q's magnitude, and will add a clarifying sentence on how the state count is derived. This is a presentation issue only; the underlying gadget size claim remains as stated. revision: yes
Circularity Check
No circularity: derivation chain is self-contained with no reductions to inputs by construction
full rationale
The paper asserts an MA-Program construction for LWE decryption that tracks partial sums in Z_q, states a resulting state count of O(lambda), program length O(lambda log lambda), and consequent gadget-size reduction to O(lambda log^2 lambda) EPR pairs. No quoted step equates a claimed output to an input parameter by definition, renames a fitted value as a prediction, or relies on a load-bearing self-citation whose content reduces to the present claim. The non-symmetric-function premise and MBQC embedding are presented as independent justifications. The derivation therefore stands as self-contained against external benchmarks; any inconsistency in state-space accounting is a potential correctness issue, not circularity.
Axiom & Free-Parameter Ledger
axioms (1)
- domain assumption LWE decryption computes the inner product <sk,ct> mod q and is not a symmetric function
invented entities (1)
-
MA-Program
no independent evidence
Reference graph
Works this paper leans on
-
[1]
Interactive Proofs For Quantum Computations
D. Aharonov, M. Ben-Or, E. Eban. Interactive proofs for quantum computations. arXiv:0810.5375, 2008
work page internal anchor Pith review Pith/arXiv arXiv 2008
-
[2]
A. Ambainis, M. Mosca, A. Tapp, R. de Wolf. Private quantum channels. FOCS 2000, 2000: 547--556
work page 2000
-
[3]
A. Broadbent, S. Jeffery. Quantum homomorphic encryption for circuits of low T-gate complexity. CRYPTO 2015, 2015: 609--629
work page 2015
-
[4]
Z. Brakerski, V. Vaikuntanathan. Efficient fully homomorphic encryption from (standard) LWE. FOCS 2011, 2011: 97--106
work page 2011
-
[5]
H. Buhrman, S. Fehr, C. Schaffner, F. Speelman. The garden-hose model. ITCS 2013, 2013: 145--158
work page 2013
-
[6]
D. A. M. Barrington. Bounded-width polynomial-size branching programs recognize exactly those languages in NC1. J. Comput. Syst. Sci., 1989, 38(1): 150--164
work page 1989
- [7]
- [8]
- [9]
-
[10]
J. Bartusek, A. Gupte, S. Mutreja, O. Shmuel. Classical Obfuscation of Quantum Circuits via Publicly-Verifiable QFHE. e-Print: 2510.08400, 2025
-
[11]
A. M. Chiu. A garden-hose model for secure multiparty computation. PhD Thesis, University of Toronto, 2014
work page 2014
- [12]
- [13]
-
[14]
M. van Dijk, C. Gentry, S. Halevi, V. Vaikuntanathan. Fully homomorphic encryption over the integers. EUROCRYPT 2010, 2010: 24--43
work page 2010
-
[15]
S. Gorbunov, V. Vaikuntanathan, H. Wee. Attribute based encryption for circuits. STOC 2013, 2013: 545--554
work page 2013
- [16]
- [17]
-
[18]
S. Goldwasser, Y. Kalai, R. A. Popa, V. Vaikuntanathan, N. Zeldovich. How to run Turing machines on encrypted data. CRYPTO 2013, 2013: 536--553
work page 2013
-
[19]
J. Hoffstein, J. Pipher, J. H. Silverman. NTRU: A ring-based public key cryptosystem. ANTS III, 1998: 267--288
work page 1998
-
[20]
V. Lyubashevsky, C. Peikert, O. Regev. On ideal lattices and learning with errors over rings. EUROCRYPT 2010, 2010: 1--23
work page 2010
-
[21]
M. Liang. Symmetric quantum fully homomorphic encryption with perfect security. Quantum Inf. Process. 2013: 12:3675–3687
work page 2013
-
[22]
U. Mahadev. Classical homomorphic encryption for quantum circuits. FOCS 2018, 2018: 332--338
work page 2018
-
[23]
Quantum Fully Homomorphic Encryption by Integrating Pauli One-time Pad with Quaternions
GS Ma, HB Li. Quantum Fully Homomorphic Encryption by Integrating Pauli One-time Pad with Quaternions. 2022,6,866
work page 2022
-
[24]
O. Regev. On lattices, learning with errors, random linear codes, and cryptography. J. ACM, 2009, 56(6): 1--40
work page 2009
-
[25]
R. Raussendorf, H. J. Briegel. A one-way quantum computer. Phys. Rev. Lett., 2001, 86: 5188--5191
work page 2001
-
[26]
R. Raussendorf, D. E. Browne, H. J. Briegel. Measurement-based quantum computation on cluster states. Phys. Rev. A, 2003, 68: 022312
work page 2003
-
[27]
R. K. Sinha. Some Topics in Parallel Computation and Branching Programs. PhD Thesis, 1995
work page 1995
- [28]
- [29]
-
[30]
B. Yu, C. A. P \'e rez-Delgado, J. F. Fitzsimons. Limitations on information-theoretically secure quantum homomorphic encryption. Phys. Rev. A, 2014, 90: 050303
work page 2014
discussion (0)
Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.