Summary

In the last blog post, I introduced my plan to make the safest cryptographic box in the world, and to make it widely available. This would, in theory, make it possible to run infinitely dangerous programs (including superintelligences) safely. This cryptographic box was supposed to use a scheme that is fully homomorphic and perfectly secret at the same time. However, in the last four months, something has changed:

This post explains in more details these points. I will also raise concerns about whether such QFHE scheme could help malevolent actors hide the training of superintelligences. If you know about any other FHE or QFHE scheme with perfect secrecy than the ones I have cited, please let me know.

Prerequisites to understand this post

In quantum computing, quantum gates are represented by matrices, and quantum states are either represented as vectors or as density matrices. If we want to apply a gate  on a state  in the vector paradigm, we compute , whereas if we want to do so in the density matrix paradigm, we compute . I will use the density matrix paradigm, as it gives more information, and because it is the paradigm used in the article that introduced this QFHE scheme. To understand this post, we need to know about the following quantum gates and quantum states:

  • , and  are called the Pauli gates. The most familiar of these is the  gate, which is a generalization of the classical  gate. Indeed, it transforms zeros into ones and ones into zeros. The other two gates do not have any analog gate in classical programming. They are called , and  because they flip the state of the qubit 180 degrees along the , and  axes.
  •  is a two-qubit gate which applies an  gate on the second qubit if and only if the first one is active. We call it the controlled NOT gate because it applies a  gate on the target qubit according to the control qubit. We often say that it is a generalization of the  gate, because it sets the target qubit to the  between itself and the control qubit. Along with the Hadamard gate  and the gate , they form a group of gates called the Clifford group. This group contains the Pauli group.
  • , and  are called the rotation operator gates. They are generalizations of the Pauli gates: They perform a rotation of  radians along the , and  axes. They together can form any one-qubit gate.
  •  is the universal one-qubit gate, which also can form any one-qubit gate. To do so, it takes four parameters. It can represent any one-qubit gate. Together with , they form a universal gate set, which means that any quantum operation (and therefore any classical operation) can be performed using only these gates.
  •  is the identity matrix of length . It leaves everything unchanged.
  •  is the vector that contains zeros everywhere except for a 1 at position , whereas  is the matrix that contains zeros everywhere except for a 1 at position .
  •  is the Kronecker product, which converts a -qubit gate and a -qubit gate into a -qubit gate.
  • A matrix to the power of zero is equal to the identity matrix.

The scheme

Encryption

If we want to encrypt a message of  bits, we firstly have to transform it into a standard unit vector. For instance, to encrypt the sequence of bits 011, we first convert it into decimal (in which case we get 3), and we then convert it into the vector of  elements with zeros everywhere except for a 1 at position 3+1, which is the vector :

After that, we convert it into a density matrix that we note  (we call it the plaintext). As the message is not a superposition, the density matrix is simply a square matrix whose diagonal is the vector we just computed:

Then, we select two random sequences  and , each of length . These sequences are called the keys. With these sequences, we can now compute the ciphertext, which is:

Evaluation of CNOT

To apply a  gate on the -th bit according to the -th bit, we firstly have to compute a matrix  like so:

Then, we update  according to this formula:

Evaluation of the universal one-qubit gate

To apply  on the -th bit, we compute  like so:

And we then update  according to this formula:

Decryption

To get back the plaintext from the ciphertext, we use the following formula:

At this point,  is the density matrix we were looking for. If the result is not a superposition, then we can transform  into a standard unit vector of the form  by taking the diagonal (If the diagonal is not a standard unit vector, or that the matrix has non-zero elements outside of the diagonal, then the result is not a classical state). Finally, we convert  back to binary to get the initial sequence of bits.

How the scheme looks like in Python

I coded the QFHE scheme in Python. It may help you understand how the scheme is supposed to work. If you are interested, you can find my programs here. One program shows how to implement the Toffoli gate using the scheme, and another one shows how to implement Rule 60, which outputs a Sierpiński triangle (but a very small one because we are trying to simulate a quantum computer inside of a classical computer, which takes a lot of time to compute).

The problem

The problem in the evaluation of CNOT

Suppose we have a ciphertext  corresponding to a plaintext  that contains only classical states. Let's try to homomorphically apply a , where the control qubit is  and the target qubit is . From this operation, we obtain a ciphertext  corresponding to a plaintext  is equivalent to , which is equivalent to , which is equivalent to , which is equivalent to saying that the target qubit of the  didn't change, which is equivalent to saying that the control qubit of the  was equal to 0, which is equivalent to . Therefore, . In other words, by checking whether the ciphertext changed after homomorphically applying a , we can deduce the value of the control qubit in the plaintext.

The same problem in the evaluation of the universal one-qubit gate

Initially, I thought that the problem arose only for the evaluation of . For the problem to arise for one-qubit gates, we would need a one-qubit gate  and two states  and  such that applying  on  changes , but that applying  on  doesn't change . I initially failed to find such a gates, and wrongly thought that it may not exist. However, such gates do exist. For instance, applying the  gate on the  state does change it, but applying it on the  state doesn't change it. Therefore, if Alice takes one of these two states randomly, encrypts it, and asks you to homomorphically perform an  gate on it, then you could guess which state she chose by looking at whether the ciphertext changes after evaluating the  gate.

Actually, this problem arises for every one-qubit gate, except for the identity gate. Indeed, since a one-qubit gate corresponds to a rotation of the Bloch sphere, and that every non-null rotation of a sphere has exactly two fixed points, then for every one-qubit gate that is different than the identity gate, there are exactly two inputs that do not change, while the other inputs do change.

A more general version of the problem

Suppose you have a program which, when given the sequence 000, loops back after three timesteps, but which, when given the sequence 111, loops back after two timesteps. Suppose then that Alice took one of these two possible inputs randomly, encrypted it, sent the ciphertext to you, and then asked you to homomorphically run the program on the ciphertext. When running the program, you will see that the ciphertext will loop either every two timesteps or every three timesteps. From this observation, you will be able to guess whether the input Alice took was 000 or 111. That is, you learned something from the plaintext by just applying the evaluation phase.

It turns out that this problem is a generalization of the first one: The first problem is the specific case where the program loops back instantly according to one input, but loops back after two timesteps according to another input.

What we would need to solve this problem

When the plaintext/program loops back, we would want the ciphertext not to loop back too. In other words, we would want "same plaintext  different ciphertexts" to be possible. To do this, we need a key update. But, which key update do we need? To answer this question, I will show in the next section that, in classical computing, the  gate can be evaluated safely. By "evaluated safely", I mean that no one involved in the computation can learn anything about the program, unless they cheat by communicating to each other.

How we would solve the problem in classical computing

The XOR gate can be evaluated safely

Suppose that Phoebe has a plaintext, that she generates a random key of identical length, and that she s the two to get a ciphertext (this is the One-time pad that was discussed it in the last post). Then, she sends the key to Kevin and the ciphertext to Charlie. In this way, neither Kevin and Charlie can have any information about the plaintext. After a while, Kevin and Charlie give back the key and the ciphertext, that they modified without communicating to each other or to Phoebe. Phoebe then s the two results to get a new plaintext. Now the question is, is there a scheme that Kevin and Charlie can follow in order to compute any function in this way?

We want to know whether Phoebe, Kevin and Charlie can compute any function in this way. We assume that Kevin and Charlie know the function that they want to compute.

I do not know whether this is possible. But it is very easy to see that at least one function is computable in this way. The most obvious example is the identity function, where Kevin and Charlie just do nothing. However, are there other functions? The answer is yes. Actually, every circuit  that consist only of  gates can can be computed in this way. To do so, Kevin and Charlie just need to apply  on the key and the ciphertext. For instance, in this picture, Kevin and Charlie help Phoebe to compute a circuit that consists of a single  gate:

Phoebe applies a  between the key and the plaintext to get a ciphertext. She then sends the key to Kevin and the ciphertext to Charlie, who both apply  on the bits that they received. They then send the result back to Phoebe, who applies a  between the two results to get back a new plaintext. As we can see, the new plaintext is indeed the result we would have got if Phoebe performed  herself on the initial plaintext. This works because  contains only  gates.

This shows that it is possible to run any infinitely dangerous program safely as long as they consist only of  gates. Indeed, if the program could affect Kevin or Charlie, then they would have gained information about the plaintext, which would contradict the perfect secrecy of the One-time pad.

Are there other classical gates evaluable in this way?

By looking at the picture closely, we can see that asking ourselves whether we can evaluate a function  in this way is equivalent to asking ourselves whether there exist two functions  and  such that:

If we assume that  and  are classical circuits, then the only classical circuits that we can compute in this way are the ones that can be built using only  gates (Technically, I considered only two-bit and three-bit programs, but it seems very unlikely to me that adding more bits would change the result). To show this, I created a program that brute-forces the problem:

"""We want to find Kevin and Charlie such that Kevin(k1, k2) ⊕ Charlie(k1 ⊕ p1, k2 ⊕ p2) = F(p1, p2)"""
import itertools

def allBinaryFunctions():
    return [(lambda x, y, array=arr: array[2*x + y]) for arr in itertools.product([0, 1], repeat=4)]

for F in allBinaryFunctions():
    for Kevin, Charlie in itertools.product(allBinaryFunctions(), repeat=2):
        areValid = True
        for (k1, k2, p1, p2) in itertools.product([0, 1], repeat=4):
            areValid &= Kevin(k1, k2) ^ Charlie(k1 ^ p1, k2 ^ p2) == F(p1, p2)
            if not areValid:
                break
                                
        if areValid:
            print("Found", F(0, 0), F(0, 1), F(1, 0), F(1, 1))
            print("Kevin :", Kevin(0, 0), Kevin(0, 1), Kevin(1, 0), Kevin(1, 1))
            print("Charlie :", Charlie(0, 0), Charlie(0, 1), Charlie(1, 0), Charlie(1, 1), "\n")
            break

This program outputs every two-bit functions that Kevin and Charlie can compute together. However, it turns out that all of those programs are exactly those that can be built using only the  gate.

This is unfortunate for us, because the  gate isn't a universal gate. However, not all hope is lost, as we focused only on classical computing. Is there a way to compute more functions than that using quantum computing?

I will now show that a similar technique can be applied for the QFHE scheme. However, there are still a few differences. For instance, in the QFHE scheme, we have two keys instead of one.

Which quantum gates can be evaluated safely without ancilla qubits?

An algorithm to know whether a one-qubit gate can be evaluated safely without ancilla qubits

Suppose, without loss of generality, that our ciphertext has a single qubit. We would want to safely evaluate a one-qubit gate  without any ancilla qubit. Kevin will be given the two keys, which are the two bits  and , whereas Charlie will be given the ciphertext, which is a qubit . Kevin and Charlie will have to update  and  respectively, using two functions  and a quantum gate  like so:

For the evaluation to be valid, it should be the case that encrypting a plaintext , then applying the update, and then decrypting it gives us the right plaintext. In other words, it should be the case that, for all  and all , this equation holds:

Firstly, given  and , how can we verify whether the equation holds for every  and ? We cannot enumerate all the possible , as there is an infinite amount of them. We could also try a lot of different , but this would take a while, and we may still miss some rare exceptions. To solve this problem, I will firstly have to show that for every gate  and , we have  for every state  if and only if there exists  such that . (This post initially had a proof that worked only for  reversible matrices. Thankfully, one of my classmates, Julia PHAM BA NIEN, gave me a proof that works for every reversible matrix, which is now included here).

Therefore,  has to commute with every other matrices. Let's prove that only matrices of the form  do so. Firstly, it is trivial that every matrix of the form  commutes with every other matrices, as . Now, let's prove that every matrix that commutes with every other matrices are of the form . Let  be a matrix that commutes with every other matrices. Note in particular that, for every , we have:

Therefore, for every  and , we have  if i , and  if . Therefore, all non-diagonal elements are equal to zero, and all diagonal elements are pairwise equal. As such,  is of the form . In our case, we therefore have , and therefore , which concludes the proof.

This property is useful to us, because our equation can be rewritten in the form  like so:

Therefore, given  and , we can verify whether the above equation holds for every  and  by checking that, for every , there exists  such that:

Now that we know how to test in finite time whether a given  and  enable us to safely evaluate , how can we find such  and ? Since there are infinitely many quantum gates, we cannot enumerate all the possible gates . However, we can do better than this. Indeed, if we look at the equation that we deduced, we have:

Therefore, to verify whether  can be evaluated safely, we can do as follows: For every function  and , we try to see whether, for all , the result of  stays the same up to a scalar (as we removed ). If we find such  and , then it means that we can safely evaluate . After finding  and , we can choose any  that is equal to  up to a scalar. Here, the choice of  shouldn't matter when we generate  (more precisely, we may get different , but they would all work, as they would differ only by a scalar).

What happens if we don't find such  and ? It would mean that, either the gate cannot be evaluated safely, or that this gate needs more than one qubit. It may be that the second scenario never happens, and that if we don't find such  and , then this gate is out of reach forever, whether or not we use ancilla qubits. However, I haven't investigated this yet.

Combinatorial explosion of generalizing this algorithm for n-qubit gates

The algorithm shown above can theoretically be generalized for -qubit gates. For every  and , we look at whether, for all   and , this stays the same up to a scalar:

If we find such  and , we can choose any  that is equal to this up to a scalar.

However, this program suffers from combinatorial explosion. Indeed, even for 2-qubit gates, we need to look at every quadruple of functions  that take four parameters each. That is, we need to look at  quadruples of functions.

So, this algorithm cannot be used in practice for two-qubit gates. However, it works fine for one-qubit gates. Indeed, I have implemented this algorithm in Python for one-qubit gates, and it has proven useful to me when writing the next sections.

Every Clifford gate can be evaluated safely

The Clifford group is the group of gates that can be made from . It is not universal, but it contains useful gates like the Pauli group that can be made from. Using the algorithm of the last section, we can prove that  and  can be evaluated safely. Finding a way to safely evaluate the  gate is a bit harder, as we cannot use the algorithm because of combinatorial explosition. However, with a bit of math and brute-force, I managed to find a safe evaluation of . Therefore, every Clifford gate can be evaluated safely. Although the algorithm finds many different ways to evaluate  and , I will present only the ones that I consider the simplest.

Evaluation of CNOT

Instead of computing , we will instead update  and  like so:

Here is the reason why this will give us the right result: Without loss of generality, let's assume that our initial sequence has only two bits. We would want to encrypt , apply a  on it in this way, and decrypt it. In that case, the plaintext we will obtain is:

Which is the plaintext that we wanted. The first equality holds because  is equal to . I found this result by creating a program that brute-forces the problem, which you can see here. The second equality holds because applying twice the same sequence of  and  on a quantum state yields back the same quantum state.

Evaluation of H

To apply a  gate on the -th qubit, we update  and  like so:

Indeed, without loss of generality, suppose that our plaintext  has a single qubit. In that case, when we encrypt it, apply a  gate on it in this way, and decrypt it, then the plaintext we obtain is:

The equality holds because  for all . This technique was firstly proposed by Andrew Childs in this article in a slightly different context.

Evaluation of S

To apply a  gate on the -th qubit, we do:

Now, to prove that the evaluation of  gives the right result, we ask ourselves whether encrypting a qubit, then applying  on it in the way shown above, and then decrypting it gives us the right plaintext. In other words, we ask ourselves whether this equation holds:

And indeed, this equation holds because, for all  differs from  by only a scalar.

The T gate cannot be evaluated safely without ancilla qubits

Earlier, I said that the Clifford group made from  is not universal. However, if we augment this group by adding the  gate, then the group becomes universal. Therefore, it may be interesting to see whether the  gate can be evaluated safely, as this would enable us to evaluate safely every program.

Unfortunately, the algorithm doesn't find any way to safely evaluate the  gate. Because of the way that the algorithm was made, this proves that the  gate cannot be safely evaluated without ancilla qubits.

Can the  gate be safely evaluated with ancilla qubits? As Min Liang has made another QFHE scheme with perfect secrecy which uses ancilla qubits for the  gate, it may be possible, as long as this QFHE scheme doesn't contain any flaw. I haven't investigated this yet, and this is my next step in my plan.

Concerns about bad actors hiding the training of superintelligences

Without FHE with perfect secrecy, bad actors could hide the training of superintelligences by making air-gapped computers hidden from the public. They may be caught in this process, or they may not have enough resources. However, if they had an efficient FHE scheme with perfect secrecy, they could directly use the computing power of the Cloud, which is way easier to do, and which would make them able to use way more computing power. This would help them avoid getting caught by authorities, and therefore would help them bypass any safety regulation.

After a few days of thought, I concluded that the problem does not arise from the fact that the QFHE scheme I try to develop is perfectly secret. Indeed, although FHE schemes without perfect secrecy aren't safe enough in order to control misaligned superintelligences, they are safe enough to avoid getting broken by authorities.

Instead, the problem is that the FHE scheme I try to develop has a low time complexity. Indeed, current FHE schemes have a very high time complexity, which makes them useless in order to hide the training of superintelligences.

However, the high time complexity of current FHE schemes can already be partially bypassed by bad actors, by using only partially homomorphic encryption schemes or FHE schemes that work well for very specific computations. These schemes can have a time complexity low enough in order to run neural networks, where the most famous example is this article.

I started getting worried since the moment I first thought about the possibility that bad actors would try to hide their attempts to train superintelligences. I started thinking about whether I should stop my research. I am still unsure about whether it causes any harm, as the problem also somewhat arises from partially homomorphic encryption schemes. The way that my plan, if achieved, could help bad actors is by making the encryption of programs automatic (there is no need to change the code or the architecture of the superintelligence, as long as it is written for quantum computers), and making their evaluation faster because of a lower time complexity.

Personally, I think that bad actors will mostly be caught before starting to train their superintelligence. Indeed, it seems very likely that developing the source code of the superintelligence needs way more people and time than the superintelligence's training. However, helping bad actors not to be caught during the training is still a significant help for them, and therefore it is a significant harm for everyone else.

Overall, I think that bad actors already have other ways to hide the training of superintelligences while using the computing power of the Cloud, but that QFHE schemes may have a significant chance to help them in this process. I do not know whether the safety that the QFHE provides against superintelligences is outweighted by the risks of bad actors hiding the training of superintelligences. I hope not, but if most people think that my research is net negative, I will stop it.

Conclusion

In this post, we have seen that the symmetric QFHE scheme had a flaw that enables us to obtain information about the plaintext by just making computations on the ciphertext. To prevent this, we added a key update that is independent of the ciphertext, and we made the ciphertext update independent of the key. This enables us to safely evaluate any program made out of Clifford gates, which means that no party involved can have any information about the plaintext, unless they communicate to each other (which is forbidden). However, this fix doesn't work for the  gate, which means that if this gate can be evaluated safely, then it needs at least one ancilla qubit. I also raised my concerns about whether QFHE schemes could help malevolent actors train superintelligences without being detected by authorities. In the future, I will try to find whether there are non-Clifford gates that can be evaluated safely.

New Comment
1 comment, sorted by Click to highlight new comments since:

At the risk of missing something obvious, any distributed quantum circuit without a measurement step it is not possible for Kevin and Charlie to learn anything about the plaintext per the no cloning theorem.

Eavesdropping in the middle of the circuit should lead to measurable statistical anomalies due to projecting the state onto the measurement basis.

(I'll add a caveat that I am talking about theoretical quantum circuits and ignoring any nuances that emerge from their physical implementations.)

Edit:

On posting, I think I realize my error. 
We need Kevin and Charlie to not have knowledge of the specific gates that they are implementing as well.