[1]\fnmIlKwon \surSohn

[1]\orgdivQuantum Network Research center, \orgnameKorea Institute of Science and Technology Information, \orgaddress\cityDaejeon, \postcode34141, \countryRepublic of Korea

Error-correctable efficient quantum homomorphic encryption using Calderbank–Shor–Steane codes

[email protected] \fnmBoseon \surKim [email protected] \fnmKwangil \surBae [email protected] \fnmWooyeong \surSong [email protected] \fnmWonhyuk \surLee [email protected] *

Abstract

The integration of quantum error correction codes and homomorphic encryption schemes is essential for achieving fault-tolerant secure cloud quantum computing. However, owing to the significant overheads associated with these schemes, their efficiency is paramount. In this study, we develop an efficient quantum homomorphic encryption scheme based on quantum error correction codes that uses a single encoding process to simultaneously perform encryption and encoding. By using a longer quantum error correction code, both the security and error-correction capabilities of the scheme are improved. Through comprehensive evaluations, we demonstrate that the proposed scheme is more secure than the conventional permutation-key-based QHE scheme when the number of maximally mixed states is not more than twice the length of the quantum error-correction code. The proposed scheme offers a more secure and efficient approach to quantum cloud computing, potentially paving the way for more practical and scalable quantum cryptographic protocols.

keywords:

Quantum error correction code, Quantum homomorphic encryption, Quantum cloud computing, Calderbank–Shor–Steane codes

1 Introduction

Cloud computing, which refers to the use of virtual computing resources over the Internet [1], has gained popularity owing to the increasing availability of internet connectivity across various devices. However, as all operations are performed on a server, security issues still persist [2]. Moreover, the service provider can access the data stored in the cloud, thereby posing the threat of potential personal or sensitive data leaks. Therefore, the data must be encrypted before being sent to the server. Standard symmetric key encryption does not fully address the issue of information leakage because it requires the data to be decrypted before executing operations. These security issues can be solved through homomorphic encryption (HE) [3], which allows complex mathematical operations to be performed on encrypted data without decryption [4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14].

Quantum HE (QHE) [15, 16, 17, 18, 19, 20, 21, 22, 23, 24] has emerged as a viable solution for securely encrypting quantum information, especially considering that cloud-computing systems are widely employed in current commercial quantum-computing platforms [25], and large-scale quantum networks are becoming more feasible. In particular, several studies have investigated using the logical gate construction properties of quantum error-correction codes (QECCs) to implement QHE [18, 19, 24]. These QHE based on QECCs offers the advantage of fault-tolerant quantum computing because the encryption is based on random quantum codes, which simplifies the application of additional codes for error correction. However, these methods handle HE and error correction separately and require individual encoding for both, leading to inefficient resource usage. This results in the consumption of considerable resources because a concatenated code structure is required for fault-tolerant universal quantum computation [26, 27, 28, 29, 30].

To address these challenges, this paper introduces an error-correctable, efficient QHE scheme by encoding with a single quantum error correction code. Our scheme leverages the inherent properties of QECCs to perform encryption and error correction simultaneously, eliminating the need for separate encoding steps and reducing resource consumption. Through detailed numerical analysis, we demonstrate that the proposed scheme offers higher security than other QHE schemes [18, 24], particularly effective for 84.10% of combinations involving maximally mixed states (MMSs) and QECC lengths of up to 50 qubits. Furthermore, our scheme achieves this improved security without a significant increase in resource requirements, making it a practical and scalable solution for fault-tolerant secure quantum cloud computing.

2 Permutation-key-based quantum homomorphic encryption supports quantum error correction

This section describes the permutation-key-based QHE, which offers the advantage of simple error correction assisted by the QECC formalism [18, 24] compared with the random Pauli key-based QHE scheme [16, 31]. Fig. 1 shows the final state after a qubit of a message is encrypted using the permutation-key-based QHE scheme proposed in [24]. The encryption process comprises the following steps:

1.

The message is expressed in coordinates starting from the top-left corner as (1,1) and located at position (1,1), whereas the remaining $2mn-1$ qubits are in MMSs, which are represented by gray spheres.
2.

QECC encoding is applied to the $n$ qubits in the first column.
3.

The $m$ columns in the front are encoded row-wise into random quantum codes. The blue spheres represent their encoded states.
4.

The final state is obtained through column-wise permutation of the remaining half of columns and those encoded with random quantum codes.

The QECC used for error correction is concatenated with the one used for encryption and disperses messages into the MMSs. Thus, $m$ and $n$ should be increased to enhance the error-correction capability and improve security.

Refer to caption — Figure 1: Schematic of the quantum homomorphic encryption scheme proposed in [24]: $2m$ denotes the length of the maximally mixed state columns required for encryption and $n$ denotes the length of the quantum error correction code. Based on each factor, permutation-key-based quantum homomorphic encryption is performed over two encoding rounds.

Although concatenation is advantageous for suppressing errors in quantum computers [26, 32] and constructing gate sets for universal quantum computing [33, 34], the resource overhead increases exponentially as the concatenation level increases [26]. This overhead is particularly significant in non-transversal gate operations that require several magic states [35]. Consequently, various studies have focused on mitigating the concatenation overhead [30, 36, 37]. However, we propose an approach that performs both encoding and encryption in a single encoding step, thereby simultaneously securing error correction and security and lowering the computational overhead by avoiding concatenation.

3 Error correctable efficient QHE scheme using single encoding

This section presents an efficient QHE scheme that corrects errors using a single encoding. This scheme is further elucidated in Section 3.1, whereas Sections 3.2, 3.3, and 3.4 elaborate on its support for fault-tolerant universal quantum computing.

3.1 Permutation-key-based QHE scheme using single encoding

This section systematically describes the proposed symmetric QHE scheme that uses the same key for encryption and decryption [15].

3.1.1 Definition

A symmetric quantum homomorphic encryption scheme $\mathcal{H}$ :

Key Generating algorithm $KeyGen_{\mathcal{H}}$ is for generating a key $\kappa$ ;
$Encrypt_{\mathcal{H}}$ ( $\mathcal{E}_{\mathcal{H}}$ ) is the encryption algorithm: $\rho_{\mathcal{H}}=\mathcal{E}_{\mathcal{H}}(\kappa,\rho_{m})$ ;
$Decrypt_{\mathcal{H}}$ ( $\mathcal{D}_{\mathcal{H}}$ ) is the decryption algorithm: $\rho_{m}=\mathcal{D}_{\mathcal{H}}(\kappa,\rho_{\mathcal{H}})$ ;
$Evaluate_{\mathcal{H}}(\textit{Eval}_{\mathcal{H}})$ is the evaluation algorithm: $\textit{Eval}_{\mathcal{H}}(\kappa,U_{C,\kappa},\rho_{\mathcal{H}})$ .

The quantum state used for encryption, i.e., the plaintext, is denoted as $\rho_{m}$ , and the ciphertext is denoted as $\rho_{\mathcal{H}}$ . All evaluation operations are denoted as $U_{C,\kappa}$ , representing the general operation $U_{C}$ encrypted using $\kappa$ . $U_{C,\kappa}$ is decomposed and approximated according to the universal quantum-gate set $\{H,T,CNOT\}$ . The result of the evaluation algorithm is equivalent to $\mathcal{E}_{\mathcal{H}}(\kappa,Eval(U_{C},\rho_{m}))$ , where $Eval$ denotes the evaluation process without the QHE. We demonstrate the proposed scheme based on this definition.

3.1.2 Proposed QHE scheme

This scheme involves the following processes, as illustrated in Fig. 2:

$KeyGen_{\mathcal{H}}$ :
- Input: None.
- Processing: Generate a random bit-string $\kappa=\kappa_{1}\kappa_{2}...\kappa_{n}$ , where each $\kappa_{i}$ is of length $2m$ with Hamming weight 1.
- Output: The random key $\kappa$ .

$Encrypt_{\mathcal{H}}$ :

Input: The one-qubit message state $\rho_{m}$ , MMSs, zero-state ancilla qubits, an arbitrary permutation operator $P$ , a QECC encoding operator $U_{E}$ , and a permutation operator $P_{\kappa}$ according to $\kappa$ .

Processing: Compute

\rho_{\mathcal{H}}=P_{\kappa}[U_{E}(P\otimes I^{\otimes n-k})\rho_{m||a}(P^{\dagger}\otimes I^{\otimes n-k})U^{\dagger}_{E}\otimes\left(\frac{I}{2}\right)^{\otimes 2mn-n}]P^{\dagger}_{\kappa},

where $\rho_{m||a}$ represents $\rho_{m}$ concatenated with $k-1$ MMSs and $n-k$ zero-state ancilla qubits.

Through this process, $\rho_{m}$ is concealed among the $k-1$ MMSs and undergoes QECC encoding alongside $n-k$ zero-state ancilla qubits. Then, using $P_{\kappa}$ , the $2mn-n$ MMSs are grouped into sets of $2m-1$ qubits, within which the encoded state is interleaved one qubit at a time to complete the encryption.

Output: The encrypted state $\rho_{\mathcal{H}}$ .

$Decrypt_{\mathcal{H}}$ :
- Input: Encrypted state $\rho_{\mathcal{H}}$ and key $\kappa$ .
- Processing: Compute
  
  $(P\otimes I^{\otimes n-k})U_{E}\mathrm{Tr_{MMS}}[\rho_{\mathcal{H}}]U^{\dagger}_{E}(P^{\dagger}\otimes I^{\otimes n-k}).$
  
  In the decryption process, decrypting the parts encrypted via $P_{\kappa}$ can be accomplished without reversing this operation. Instead, it is done by partially tracing out the MMSs located in positions where $\kappa$ has zeros, as indicated by $\mathrm{Tr_{MMS}}$ .
- Output: The decrypted message state $\rho_{m}$ .
$Evaluate_{\mathcal{H}}$ :
- Input: Encrypted state $\rho_{\mathcal{H}}$ and a unitary operation $U_{C,\kappa}$ .
- Processing: Compute
  
  $\rho_{O}=U_{C,\kappa}\rho_{\mathcal{H}}U^{\dagger}_{C,\kappa},$
  
  where $U_{C,\kappa}$ is a unitary transformation applied homomorphically and depends on the key.
- Output: The evaluated state $\rho_{O}$ .

3.1.3 KeyGeneration.

The client generates $\kappa$ used as encryption keys and constructs $P_{\kappa}$ . Even if the specifications of the employed QECC and number of qubits within each group are disclosed, decryption remains theoretically challenging for servers or eavesdroppers. Subsequently, the client prepares a one-qubit message state $\rho_{m}$ for computation. Additionally, the permutation-key $\kappa$ of the proposed scheme with a length of $2mn$ is $n$ times longer than that used in the permutation-key-based QHE scheme proposed in [24] with a length of $2m$ . If the entity delegating the computation to the server differs from that receiving the result, the encryption-key transmission uses $n$ -times more data. However, we primarily assumed scenarios involving a single user.

3.1.4 Encryption.

First, $\rho_{m||a}$ must be computed for the QECC encoding as follows:

\rho_{m||a}=\rho_{m}\otimes\left(\frac{I}{2}\right)^{\otimes k-1}\otimes|0\rangle\langle 0|^{\otimes n-k}.

(1)

Subsequently, using the permutation operator $P$ , $\rho_{m}$ is placed at random positions among the MMSs. Mixing the message qubit at arbitrary positions within $k-1$ MMSs enhances security because it transforms the problem into $\binom{k}{1}$ . However, this is not considered in Section 4. Furthermore, from the perspective of logical operations, operators that perform the same operation on all the expanded $k$ -qubit messages are used for the homomorphic operations. Therefore, these operations are not affected by the positions of the actual message qubits, as explained in Section 3.2.

The QECC encoding operator $U_{E}$ is applied to $\rho_{m||a}$ to generate the encoded state $\rho_{E}$ , thus implementing the $[[n,k,d]]$ error correction code. However, the proposed scheme does not exploit all QECCs. Owing to syndrome extraction and non-transversal gate operation, the QECCs are confined to self-dual and doubly even Calderbank–Shor–Steane (CSS) codes [38, 39, 40], such as the $[[7,1,3]]$ Steane code. Although applying this code to arbitrary QECCs may be advantageous, transversality is prioritized owing to the quantum-computing overhead, necessitating the use of self-dual and doubly even CSS codes with transverse $H$ , $CNOT$ , and $S$ gates.

Thus, the encoded state, $\rho_{E}$ , is expressed as

\rho_{E}=U_{E}(P\otimes I^{\otimes n-k})\left[\rho_{m||a}\right](P^{\dagger}\otimes I^{\otimes n-k})U^{\dagger}_{E},

(2)

where $\rho_{E||a}=\rho_{E}\otimes\left(\frac{I}{2}\right)^{\otimes 2mn-n}$ . Finally using the previously constructed $P_{\kappa}$ to permute the qubits of $\rho_{E||a}$ , the QHE state is obtained as follows:

\rho_{\mathcal{H}}=P_{\kappa}\left[\rho_{E||a}\right]P^{\dagger}_{\kappa}.

(3)

The client receives $r$ from the server which is the specific number of required $T$ -gates, along with the counts of logical zero and plus states. Upon receiving this information, the client prepares magic, logical-zero, and logical-plus states using the same method used to generate the message. These states, along with the encrypted message, $\rho_{\mathcal{H}}$ , and gate-operation set, are then transmitted to the server, indicating its readiness to perform cloud-computing tasks.

3.1.5 Evaluation.

The server decomposes and approximates the circuit of the desired quantum algorithm into gates using a universal quantum-gate set $\{H,T,CNOT\}$ . Additionally, $r$ which is the total number of $T$ -gate operations, required is communicated to the client, which then prepares the appropriate number of magic states. Further details regarding the universality are provided in Sections 3.2 and 3.3. Upon receiving $\rho_{\mathcal{H}}$ , ancilla states, and the gate-operation set from the client, the server performs error correction to rectify any errors that may have occurred during the quantum-state transmission. Using the logical ancilla states and $\rho_{\mathcal{H}}$ received from the client, the server performs the decomposed and approximated operation $U_{C}$ . While performing the $T$ -gate operations or error correction, which are described in Sections 3.3 and 3.4, respectively, the server supplements the measurement-output interpretations by communicating classically with the client. Once all operations are completed, the server obtains the output state $\rho_{O}$ , which is defined as

\rho_{O}=U_{C,\kappa}\rho_{\mathcal{H}}U_{C,\kappa}^{\dagger}.

(4)

and transmits it to the client.

3.1.6 Decryption.

The client does not have to reverse the entire encryption process for decryption because it already knows the identity of each qubit. Thus, it can obtain the resulting state $\rho_{R}$ by tracing out all MMSs of $\rho_{O}$ according to $\kappa$ , where

\rho_{R}=\mathrm{Tr_{MMS}}\left[\rho_{O}\right].

(5)

Finally, the computation result can be obtained through a logical measurement on $\rho_{R}$ [41].

To analyze the decryption complexity of the proposed scheme, the number of SWAPs required for decryption is $O((r+1)\times nm)$ because the proposed scheme uses only one row of data. This complexity can then be expressed as $O(r^{3}+r^{2})$ because $m$ and $n$ are linear in $r$ . Consequently, the proposed scheme is compact for a polynomial number of $T$ -gates. However, as it is based on leveled fully HE (FHE) [21, 42, 43], it cannot be bootstrapped or used for computing an arbitrarily large number of $T$ -gates.

3.2 Transversal gate operation

To evaluate the feasibility of fault-tolerant universal quantum computing, a more detailed discussion beyond the scope of the evaluation is necessary. From this section onward, an in-depth explanation of performing transversal gate operations, non-transversal $T$ -gate operations, and syndrome extraction will be provided for the fault-tolerant universal quantum computing.

It is well-known that all quantum gates can be decomposed [44, 45, 46] or approximated [47, 48] using this universal quantum gate set. Although QECC-encoded data retain QECC characteristics in universal quantum computing, it is essential to investigate the influence of MMSs used for encryption on gate operations and syndrome extraction. In this section, we discuss the operations involved in the universal gate set of the proposed scheme. This study focused on the ${H,T,CNOT}$ gate sets within a QECC-encoded environment, even though various forms of universal-gate sets exist [49, 50]. Because the QECCs for self-dual and doubly even CSS codes are already constrained, the $H$ and $CNOT$ gates of the universal gate set are implemented transversally. Furthermore, $S$ -gate correction can be transversally executed during gate teleportation to perform non-transversal $T$ -gate operations.

The transversal gate operations of the proposed scheme are performed as follows. In an MMS where the state remains unchanged for all unitary operations, individually applying gate operations to each qubit facilitates transversal gate operations. Because the logical Pauli and $CNOT$ gates of all CSS codes are transversal [51], they were implemented as shown in Fig. 3. The $[[n,k,d]]$ code yields $k$ independent logical Pauli operators and $CNOT$ gates for each code. However, as the choice of a specific operator can indicate the required decryption, gate operations are performed by multiplying all $k$ independent operators to ensure that the non-transversal gates follow the same principle. For instance, if the logical $X$ operators for bit-flipping the $i$ th data qubit are denoted as $\bar{X_{i}}$ in the $[[n,k,d]]$ code, it is sufficient to perform $\bar{X_{1}}\bar{X_{2}}...\bar{X_{k}}$ operations in the proposed scheme, where bit-flip operations are necessary. This ensures that the server cannot determine the locations of the data bits.

3.3 Non-transversal $T$ -gate operation

For non-transversal $T$ -gate operations, the well-known $T$ -gate teleportation described in [24] was employed [49], as shown in Fig. 4. After performing a logical $CNOT$ operation with the magic state, the measurement outputs are sent to the client, which interprets whether the results correspond to logical zeros or ones.

In the method proposed in [24], the ancillary states (magic, logical-zero, and logical-one) pre-generated by a client are used for deterministic $T$ -gate teleportation. The client does not disclose the specific state at each position on the server and instead, based on the measurement outputs, passes the ancillary-state position to the server for controlled $S$ -gate correction, thereby performing encrypted $T$ -gate teleportation. However, this method has several limitations. First, as the controlled $S$ gate is not transversal in most QECCs, its execution requires decomposition and additional $T$ -gates [52, 53]. Thus, multiple $T$ -gate operations are required to perform a single $T$ -gate operation, which increases the computational overhead considerably. Furthermore, the client may require information regarding how the server stores the states sent by the client. However, this information may not be ideal in scenarios involving HE [54].

To circumvent these issues, we employed doubly even CSS codes to create a transversal $S$ gate, and the client performed the following steps after interpreting the measurement results. In gate teleportation, a logical measurement result of zero indicates the execution of $T$ -gate teleportation, whereas a result of one indicates that $S$ -gate correction is required [24]. Therefore, when the result is zero in the proposed scheme, the client instructs the server to apply the following configured operators: identity operators to the data-qubit positions and randomly arranged identity operators and $S$ -gates to the remaining MMSs. However, when the result is one, the client instructs the server to apply an operator composed of $S$ -gates to the data qubit position and randomly arranges the identity operators and $S$ -gates within the remaining MMSs. If the operator comprises identity operators and $S$ -gates, the server remains oblivious to the logical measurement results and data-qubit positions, regardless of the results. This approach facilitates non-transversal $T$ -gate operations. The need for client support to interpret measurement outputs presents a problem beyond the inability of the server to perform computing independently, and exposes information about the $T$ -gate operations within the circuit being computed by the server, partially compromising circuit privacy. However, if the server receives numerous encrypted logical qubits for computation, the client cannot determine the qubits subjected to $T$ -gate operations. Moreover, because it does not have information regarding all other transverse gate operations, it cannot reconstruct the entire circuit.

The requirement for client support can be eliminated if the server can interpret the logical measurement results without its assistance. However, interpreting logical measurement results is equivalent to knowing the data-qubit positions, which poses a challenge that requires further improvements.

We show that the states encoded and encrypted using the proposed scheme enable universal quantum computation by demonstrating a method to perform transversal Pauli operators, $H$ and $CNOT$ gate, and non-transversal $T$ -gate within the QHE framework. Additionally, secure syndrome extraction was implemented to demonstrate the error-correction capabilities of the proposed scheme.

3.4 Syndrome extraction

Syndrome extraction, which is similar to non-transversal gate operations, requires the processing of measurement results, thereby necessitating client assistance. The restrictions of QECCs render them usable as CSS code. To address the ambiguity in the data-qubit positions, the QECCs were constrained to CSS codes that can handle bit- and phase-flip errors independently using the Steane method [40], as shown in Fig. 5. When using syndrome extraction directly to generate stabilizer QECCs, it is essential to align the operators of the stabilizer generator with the positions of data qubits. This information can offer a significant clue to the server for determining the data qubit positions, thereby posing a substantial threat to encryption security. By applying the aforementioned conditions, the syndrome extraction proceeds as follows: based on the Steane method, the server operates on the logical-zero, logical-plus, and encryption states with logical $CNOT$ gates and subsequently measures the ancilla state. Thereafter, it sends the measurement outputs to the client. The information in this syndrome pertains only to errors and does not affect security. Based on this sequence, the client transmits the correction operators, which are the same for each group of $m$ -qubit states, to the server. To analyze the error-correction capability of the encrypted state, we assumed the following depolarizing channel model for communication between the client and the server, as well as for the computational channel of the server:

\rho\mapsto\rho^{\prime}=(1-p)\rho+\frac{p}{3}\left(X\rho X+Y\rho Y+Z\rho Z\right),

(6)

where $\rho$ is the density operator for the channel input and $p$ is the physical error probability. In this scenario, the logical error probability, $p_{L}$ , of the final state is equivalent to that of standard CSS codes [55] and is expressed as follows:

p_{L}=1-\sum_{i=0}^{t}{\binom{n}{i}p^{i}(1-p)^{n-i}},

(7)

where $t=\lfloor\frac{d-1}{2}\rfloor$ is the error-correction capability. Despite incorporating MMSs, the logical-error probability is unchanged compared with the standard CSS code because the errors in the depolarizing channel are also unitary. Additionally, communicating with the client during syndrome extraction allows extracting errors specific to the encoded state. Thus, the proposed QHE is error-correctable and enables universal quantum computing.

4 Security proof

The quantum error correction code acts as a mechanism to facilitate homomorphic operations. In this context, the logical operations on the encoded state perform a role analogous to the homomorphic encrypted operations on a homomorphically encrypted state. Consequently, security must be ensured through other means. In the proposed scheme, security is derived from how closely the encrypted state approximates the MMSs. Based on the methods described in [18, 24], the security of the proposed method can be assessed by determining the maximal trace distance ( $\Delta$ ) between encrypted states. Although the gate teleportation is encrypted, revealing the measurement output discloses the quantum state. Therefore, for security analysis, we must evaluate both the encrypted quantum state and $r$ magic states used throughout the computation. Thus, the states for security analysis are considered in a form wherein the $\rho$ and $r$ magic states are arranged in rows. Subsequently, $\Delta$ is defined as follows:

\Delta=\max_{\rho_{E||a},\rho^{\prime}_{E||a}\in\mathcal{S}}\frac{1}{2}{\|\rho_{\textnormal{Eve}}-\rho^{\prime}_{\textnormal{Eve}}\|}_{1}.

(8)

where $\|\cdot\|_{1}$ is the trace-distance and $\mathcal{S}$ is a set of all possible $\rho_{E||a}$ states. Let $\rho_{\mathcal{H}}$ , $\rho^{\prime}_{\mathcal{H}}$ denote any two arbitrary encrypted states and $\rho_{Eve}$ , $\rho^{\prime}_{Eve}$ denote any two arbitrary encrypted states perceived by the server or a potential eavesdropper. The server or eavesdropper perceives these states as a uniformly mixed state of all possible permutation keys, $\kappa\in K$ , used for encryption as they lack knowledge of the key. Subsequently, $\rho_{\textnormal{Eve}}$ is defined as

\rho_{\textnormal{Eve}}=\frac{1}{|K|}\sum_{\kappa\in K}P_{\kappa}\rho_{E||a}P^{\dagger}_{\kappa},

(9)

where $|K|$ represents the number of possible encryption combinations from the server’s perspective while decrypting without encryption information, that is, the number of all possible combinations of $\kappa$ .

With a smaller $\Delta$ , it becomes more difficult for the server to distinguish the encrypted messages of the client; hence, less information is available regarding the message in the cipher text. Therefore, a smaller $\Delta$ implies that the QHE security is enhanced. By simplifying equation (8) from the server’s perspective [24], the maximal trace distance between the encrypted quantum state and MMSs is expressed as

\Delta=\sqrt{\frac{2^{r}}{|K|}}.

(10)

Similar to [24], the number of $T$ -gates, $r$ , weakens the security of the proposed scheme, whereas more permutation-key combinations increase it. This simplified process and the effect of $r$ are explained in the Appendix.

By applying the proposed scheme to equation (10), we obtain

\Delta_{\textnormal{pro}}=\sqrt{\frac{2^{r}}{|K|}}=\sqrt{\frac{2^{r}}{{{\binom{2m}{1}}}^{n}}}=\sqrt{\frac{2^{r}}{(2m)^{n}}}.

(11)

This indicates that the security and error-correction capabilities of the proposed scheme improve simultaneously as $n$ increases. Thus, the proposed scheme provides exponentially increasing security as $n$ increases, thereby ensuring a constant security level by adjusting $n$ based on $r$ .

5 Performance analysis

In this section, we analyze the security of the proposed scheme by comparing its $\Delta_{\textnormal{pro}}$ with $\Delta_{\textnormal{pre}}$ of the permutation-key-based QHE scheme employed in [24], as well as their error-correction capabilities when both schemes use the same overhead. By applying equation (10) to the previous permutation-key-based QHE scheme, $\Delta_{\textnormal{pre}}$ is computed as follows:

\Delta_{\textnormal{pre}}=\sqrt{\frac{2^{r}}{{\binom{2m}{m}}}}\sim\sqrt{\pi n\frac{2^{r}}{4^{m}}},

(12)

The approximation in equation (12) is obtained using Stirling’s formula [56]. Hence, to exponentially enhance security, the previous permutation-key-based QHE scheme requires increasing the number of MMSs, whereas the proposed scheme requires extending the QECC lengths. Therefore, in a scenario wherein the same number of qubits is used and an equivalent level of security is required, the conventional permutation-key-based QHE scheme cannot employ longer QECCs than the proposed scheme. Additionally, even if the value of $n$ increases, that of $k$ remains fixed. In such cases, the efficient construction of QECCs can increase the minimum distance associated with the error-correction capability [57, 58]. Additionally, the proposed scheme restricts the encryption to single-qubit messages to mitigate the risk of information leakage owing to differences in the logical operators of messages encrypted with more than two qubits. Thus, higher $n$ values can enhance the error-correction capability of the proposed scheme.

To compare the securities of the conventional permutation-key-based QHE and proposed schemes, inequalities were established based on the $\Delta$ values of both schemes, yielding

\frac{\pi n}{4^{m}}>\frac{1}{4^{m}}>\frac{1}{(2m)^{n}}.

(13)

The term $\pi n$ in the numerator of $\Delta_{\textnormal{pre}}$ weakens security; however, to simplify the comparison, we eliminated it. The inequality in equation (13) solved with $n$ is expressed as

n>\frac{\log{4^{m}}}{\log{2m}}.

(14)

In the integer domain where $m\leq n$ , the proposed scheme exhibits higher security. Even if $m$ is larger, it must be more than twice the size to ensure that the conventional scheme offers higher security. As a simple example, when using an equal number of qubits ( $n\times 2n$ in total), $\Delta_{\textnormal{pro}}=\sqrt{\frac{2^{r}}{(2n)^{n}}}$ , and $\Delta_{\textnormal{pre}}\sim\sqrt{\frac{2^{r}}{4^{n}}}$ . Thus, the proposed scheme offers higher security under the same overhead, because the growth rate of $(2n)^{n}$ is faster than that of $4^{n}$ for $n>2$ .

6 Conclusion

This paper presented an efficient QHE scheme based on CSS codes that supports error correction. Considering the current development of various quantum computers that support cloud computing and the essential role of QECCs in achieving future fault-tolerant universal quantum computing, efficiently using error correction and HE is crucial. The proposed scheme enhanced efficiency by integrating encryption and encoding into a single process, reducing resource overhead while simultaneously improving security and error-correction capabilities as the code length $n$ increases. Our analysis showed that the scheme offers higher security compared to previous permutation-key-based QHE methods, especially when the number of maximally mixed states $m$ is not more than twice the QECC length. Furthermore, we simplified non-transversal gate operations by eliminating the need for a secure pre-generated set of ancilla qubits and presented a novel approach for syndrome extraction. Our QHE scheme, which efficiently realizes the quantum homomorphic encryption, provides a new insight into the field of quantum cryptography. It is also expected to be potentially applied to a secure quantum cloud computing which is the one of the imminent challenges in this field.

\bmhead

Acknowledgements This research was supported by Korea Institute of Science and Technology Information (KISTI). (No. K25L5M2C2). This research was supported by the National Research Council of Science & Technology (NST) grant by the Korea government (MSIT) (No. CAP22053-000)

Appendix A Derivation of security proof

The trace norm of equation (8) can be expressed,

	$\displaystyle\|\rho_{\textnormal{Eve}}-\rho^{\prime}_{Eve}\|_{1}$	$\displaystyle=\mathrm{Tr}[\sqrt{(\rho_{Eve}-\rho^{\prime}_{Eve})^{2}}]$			(15)
		$\displaystyle=\mathrm{Tr}[M(\rho_{Eve}-\rho^{\prime}_{Eve})],$			(15)

where $M=\sum_{i}\mathrm{sgn}(\lambda_{i})|v_{i}\rangle\langle v_{i}|$ and $\sum_{i}\lambda_{i}|v_{i}\rangle\langle v_{i}|$ is the spectral decomposition of $\rho_{Eve}-\rho^{\prime}_{Eve}$ ( $\mathrm{sgn}(x)$ is the signum function groups zero with the positive numbers). We define $\frac{1}{|K|}\sum_{\kappa\in K}P_{\kappa}MP^{\dagger}_{\kappa}$ as $\tilde{M}$ . Using the cyclic property of the trace and non-negativity of the trace norm, we get

\|\rho_{Eve}-\rho^{\prime}_{Eve}|_{1}=|\mathrm{Tr}\tilde{M}(\rho_{E||a}-\rho^{\prime}_{E||a})|.

(16)

Following the approach in [18, 24], we decompose $\tilde{M}$ and $\rho_{E||a}-\rho^{\prime}_{E||a}$ individually using Pauli decomposition, equation (16) can be expressed as

\|\rho_{Eve}-\rho^{\prime}_{Eve}\|_{1}=|\mathrm{Tr}\sum_{A\in\mathcal{S}}{a_{A}\tilde{\sigma}_{A}}\sum_{\mathrm{v}\in\Omega}\frac{r_{\mathrm{v}}-r^{\prime}_{\mathrm{v}}}{2^{2(r+1)nm}}\sigma_{\varphi(\mathrm{v})}|,

(17)

where $A$ is the arbitrary $(r+1)$ -by- $2mn$ matrix with each element belonging to $\mathbb{Z}_{4}$ . The matrix $\sigma_{A}$ is constructed by placing Pauli operators at each position according to the values of the elements of $A$ . Furthermore, $\tilde{\sigma}_{A}$ is the sum of $\sigma_{A}$ over all possible permutation-keys $P_{\kappa}$ . $\Omega$ is the set of all nonzero column vectors with length $(r+1)$ and each element belonging to $\mathbb{Z}_{4}$ . $\varphi(\mathrm{v})$ is also an $(r+1)$ -by- $2mn$ matrix for $\mathrm{v}\in\Omega$ . Its first $n$ columns are identical to $\mathrm{v}$ and the remaining $2mn-n$ columns are all zeros. $\mathcal{S}$ is some minimal subset of the set of all matrices $\mathcal{M}$ with $(r+1)$ rows and $2n$ columns and entries from $\{0,1,2,3\}$ satisfying $\{\tilde{\sigma}_{A}:A\in\mathcal{S}\}=\{\tilde{\sigma}_{A}:A\in\mathcal{M}\}$ . Now if $\mathrm{v}$ in $\Omega$ , then $\varphi(\mathrm{v})$ in $\mathcal{S}$ . $a_{A}$ , $r_{\mathrm{v}}$ , $r^{\prime}_{\mathrm{v}}$ are all real constants associated with the Pauli decomposition of each term. After, simplifying the above using orthogonality, we get

|\rho_{Eve}-\rho^{\prime}_{Eve}|_{1}=|{\sum_{\mathrm{v}\in\Omega}{a_{\varphi(\mathrm{v})}(r_{\mathrm{v}}-r^{\prime}_{\mathrm{v}})}}|,

(18)

Applying the Cauchy-Schwarz inequality to the aforementioned yields

|\rho_{Eve}-\rho^{\prime}_{Eve}|_{1}\leq\sqrt{\sum_{\mathrm{v}\in\Omega}{\left(a_{\varphi(\mathrm{v})}\right)^{2}}}\sqrt{\sum_{\mathrm{v}\in\Omega}(r_{\mathrm{v}}-r^{\prime}_{\mathrm{v}})^{2}}.

(19)

To find the upper bound of the first term on the right-hand side of the inequality, we obtain upper and lower bounds on $\mathrm{Tr}(\tilde{M}^{2})$ . By Hölder’s inequality, we get

\mathrm{Tr}(\tilde{M}^{2})\leq|\tilde{M}|_{1}|\tilde{M}|_{\infty}=2^{2(r+1)nm},

(20)

where $|\cdot|_{\infty}$ is the $\infty$ -norm, because $\tilde{M}$ is a matrix related to $(r+1)2mn$ -qubits, so $|\tilde{M}|_{1}$ is $2^{2(r+1)nm}$ .

The lower bound on $\mathrm{Tr}(\tilde{M}^{2})$ is

	$\displaystyle\mathrm{Tr}(\tilde{M}^{2})$	$\displaystyle=\sum_{A\in\mathcal{S}}a^{2}_{A}\mathrm{Tr}(\tilde{\sigma}^{2}_{A})$			(21)
		$\displaystyle\geq\sum_{\mathrm{v}\in\Omega}a^{2}_{\varphi(\mathrm{v})}\mathrm{Tr}(\tilde{\sigma}^{2}_{\varphi(\mathrm{v})}),$			(21)

Since the set containing $\varphi(\mathrm{v})$ is smaller than $S$ , the above inequality holds. The $\tilde{\sigma}_{\varphi(\mathrm{v})}$ represents the sum of $|K|$ variations of $\sigma_{\varphi(\mathrm{v})}$ and all Pauli operators in $\tilde{\sigma}^{2}_{\varphi(\mathrm{v})}$ become the Identity, thus $\mathrm{Tr}(\tilde{\sigma}^{2}_{\varphi(\mathrm{v})})=|K|2^{2(r+1)nm}$ . Thus

\mathrm{Tr}(\tilde{M}^{2})\geq\sum_{\mathrm{v}\in\Omega}a^{2}_{\varphi(\mathrm{v})}|K|2^{2(r+1)nm}.

(22)

Thus, the first term on the right-hand side of equation (19) is transformed to

\sqrt{\sum_{\mathrm{v}\in\Omega}{\left(a_{\varphi(\mathrm{v})}\right)^{2}}}\leq\frac{1}{\sqrt{|K|}}.

(23)

To determine the upper bound of the second term $\sqrt{\sum_{\mathrm{v}\in\Omega}(r_{\mathrm{v}}-r^{\prime}_{\mathrm{v}})^{2}}$ on the right-hand side of equation (19), we decompose the arbitrary quantum message state $\rho_{m}$ using Pauli decomposition to be,

\rho_{m}=\frac{I^{\otimes(r+1)}+\sum_{\mathrm{v}\in\Omega}r_{\mathrm{v}}\sigma_{\mathrm{v}}}{2^{(r+1)}}.

(24)

The maximum eigenvalue of this state is $2^{-h}$ , where $h$ is their minimum entropies [18].

Using Hölder’s inequality, we can obtain an upper bound,

\mathrm{Tr}[(\rho_{m}-\rho^{\prime}_{m})^{2}]\leq|\rho_{m}-\rho^{\prime}_{m}|_{1}|\rho_{m}-\rho^{\prime}_{m}|_{\infty}.

(25)

By utilizing the triangular inequality, $|A-B|\leq|A|+|B|$ , we can derive,

	$\displaystyle\|\rho_{m}-\rho^{\prime}_{m}\|_{1}$	$\displaystyle\leq\|\rho_{m}\|_{1}+\|\rho^{\prime}_{m}\|_{1}\leq 2,$			(26)
	$\displaystyle\|\rho_{m}-\rho^{\prime}_{m}\|_{\infty}$	$\displaystyle\leq\|\rho_{m}\|_{\infty}+\|\rho^{\prime}_{m}\|_{\infty}=2^{-h+1}.$			(27)

Therefore, substituting the results of the above equations into equation (25), we obtain $\mathrm{Tr}[(\rho_{m}-\rho^{\prime}_{m})^{2}]\leq 2^{-h+2}$ .

Subsequently, rearranging $\mathrm{Tr}[(\rho_{m}-\rho^{\prime}_{m})^{2}]$ using orthogonality of Pauli operators in equation (24),

	$\displaystyle\mathrm{Tr}[(\rho_{m}-\rho^{\prime}_{m})^{2}]$	$\displaystyle=\mathrm{Tr}[\sum_{\mathrm{v}\in\Omega}(r_{\mathrm{v}}-r^{\prime}_{\mathrm{v}})^{2}2^{-2(r+1)}I^{\otimes(r+1)}]$			(28)
		$\displaystyle=\sum_{\mathrm{v}\in\Omega}(r_{\mathrm{v}}-r^{\prime}_{\mathrm{v}})^{2}2^{-(r+1)}.$			(28)

Therefore the upper bound of $\sqrt{\sum_{\mathrm{v}\in\Omega}(r_{\mathrm{v}}-r^{\prime}_{\mathrm{v}})^{2}}$ is

\sqrt{\sum_{\mathrm{v}\in\Omega}(r_{\mathrm{v}}-r^{\prime}_{\mathrm{v}})^{2}}\leq 2\sqrt{2^{(r+1)-h}}.

(29)

Therefore, if we denote the $h=0$ and omit the influence of the message qubit, the maximal trace-distance between encrypted states can be simplified as follows,

	$\displaystyle\Delta$	$\displaystyle=\max_{\rho_{E\|\|a},\rho^{\prime}_{E\|\|a}\in\mathcal{S}}\frac{1}{2}\|\rho_{Eve}-\rho^{\prime}_{Eve}\|_{1}$			(30)
		$\displaystyle=\sqrt{\frac{2^{r}}{\|K\|}}.$			(30)

Appendix B Performance analysis based on the combination of $n$ and $m$

The graph in Fig. 6 corresponds to equation (14), which demonstrates that, in the integer domain where $m\leq n$ , the proposed scheme exhibits higher security. Additionally, the slope of equation (14), $m>n$ and is consistently less than one and asymptotically approaches zero as $m$ approaches infinity. Therefore, in the region where $m>n$ , there is always an area between lines $m=n$ and equation (14) where the proposed scheme exhibits higher security. Evidently, it outperforms the conventional permutation-key-based QHE scheme for most feasible combinations of $m$ and $n$ . By numerically comparing the areas, the proportion of the region where the proposed scheme exhibits better security was determined to be 66.17% when $1\leq n,m\leq 5$ ; 84.10% when $1\leq n,m\leq 50$ ; and 98.34% when $1\leq n,m\leq 5000$ .

References

\bibcommenthead
Qian et al. [2009] Qian, L., Luo, Z., Du, Y., Guo, L.: Cloud computing: An overview. In: Jaatun, M.G., Zhao, G., Rong, C. (eds.) Cloud Computing, pp. 626–631. Springer, Berlin, Heidelberg (2009)
Chen and Zhao [2012] Chen, D., Zhao, H.: Data security and privacy protection issues in cloud computing. In: 2012 International Conference on Computer Science and Electronics Engineering, vol. 1, pp. 647–651 (2012). https://doi.org/10.1109/ICCSEE.2012.193
Zhao et al. [2014] Zhao, F., Li, C., Liu, C.F.: A cloud computing security solution based on fully homomorphic encryption. In: 16th International Conference on Advanced Communication Technology, pp. 485–488 (2014). https://doi.org/10.1109/ICACT.2014.6779008
Rivest et al. [1978] Rivest, R.L., Adleman, L., Dertouzos, M.L., et al.: On data banks and privacy homomorphisms. Foundations of secure computation 4(11), 169–180 (1978)
Goldwasser and Micali [2019] Goldwasser, S., Micali, S.: Probabilistic encryption & how to play mental poker keeping secret all partial information. In: Providing Sound Foundations for Cryptography: on the Work of Shafi Goldwasser and Silvio Micali, pp. 173–201 (2019)
ElGamal [1985] ElGamal, T.: A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE transactions on information theory 31(4), 469–472 (1985)
BENALOH [1987] BENALOH, J.: Verifiable secret-ballot elections. PhD thesis, Yale University, Department of Computer Science (1987)
Naccache and Stern [1998] Naccache, D., Stern, J.: A new public key cryptosystem based on higher residues. In: Proceedings of the 5th ACM Conference on Computer and Communications Security, pp. 59–66 (1998)
Okamoto and Uchiyama [1998] Okamoto, T., Uchiyama, S.: A new public-key cryptosystem as secure as factoring. In: Advances in Cryptology—EUROCRYPT’98: International Conference on the Theory and Application of Cryptographic Techniques Espoo, Finland, May 31–June 4, 1998 Proceedings 17, pp. 308–318 (1998). Springer
Paillier [1999] Paillier, P.: Public-key cryptosystems based on composite degree residuosity classes. In: International Conference on the Theory and Applications of Cryptographic Techniques, pp. 223–238 (1999). Springer
Boneh et al. [2005] Boneh, D., Goh, E.-J., Nissim, K.: Evaluating 2-dnf formulas on ciphertexts. In: Theory of Cryptography: Second Theory of Cryptography Conference, TCC 2005, Cambridge, MA, USA, February 10-12, 2005. Proceedings 2, pp. 325–341 (2005). Springer
Gentry [2009] Gentry, C.: Fully homomorphic encryption using ideal lattices. In: Proceedings of the Forty-first Annual ACM Symposium on Theory of Computing, pp. 169–178 (2009)
Fan and Vercauteren [2012] Fan, J., Vercauteren, F.: Somewhat practical fully homomorphic encryption. Cryptology ePrint Archive (2012)
Brakerski et al. [2014] Brakerski, Z., Gentry, C., Vaikuntanathan, V.: (leveled) fully homomorphic encryption without bootstrapping. ACM Transactions on Computation Theory (TOCT) 6(3), 1–36 (2014)
Liang [2013] Liang, M.: Symmetric quantum fully homomorphic encryption with perfect security. Quantum information processing 12(12), 3675–3687 (2013)
Broadbent and Jeffery [2015] Broadbent, A., Jeffery, S.: Quantum homomorphic encryption for circuits of low t-gate complexity. In: Annual Cryptology Conference, pp. 609–629 (2015). Springer
Liang [2015] Liang, M.: Quantum fully homomorphic encryption scheme based on universal quantum circuit. Quantum Information Processing 14(8), 2749–2759 (2015)
Ouyang et al. [2018] Ouyang, Y., Tan, S.-H., Fitzsimons, J.F.: Quantum homomorphic encryption from quantum codes. Physical Review A 98(4), 042334 (2018)
Lai and Chung [2018] Lai, C.-Y., Chung, K.-M.: On statistically-secure quantum homomorphic encryption. Quantum Information and Computation 18, 0785 (2018)
Tan et al. [2016] Tan, S.-H., Kettlewell, J.A., Ouyang, Y., Chen, L., Fitzsimons, J.F.: A quantum approach to homomorphic encryption. Scientific reports 6(1), 33467 (2016)
Dulek et al. [2016] Dulek, Y., Schaffner, C., Speelman, F.: Quantum homomorphic encryption for polynomial-sized circuits. In: Advances in Cryptology–CRYPTO 2016: 36th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 14-18, 2016, Proceedings, Part III 36, pp. 3–32 (2016). Springer
Tan et al. [2018] Tan, S.-H., Ouyang, Y., Rohde, P.P.: Practical somewhat-secure quantum somewhat-homomorphic encryption with coherent states. Physical Review A 97(4), 042308 (2018)
Ouyang et al. [2020] Ouyang, Y., Tan, S.-H., Fitzsimons, J., Rohde, P.P.: Homomorphic encryption of linear optics quantum computation on almost arbitrary states of light with asymptotically perfect security. Physical Review Research 2(1), 013332 (2020)
Ouyang and Rohde [2022] Ouyang, Y., Rohde, P.P.: A general framework for the composition of quantum homomorphic encryption $\backslash$ & quantum error correction. arXiv preprint arXiv:2204.10471 (2022)
Devitt [2016] Devitt, S.J.: Performing quantum computing experiments in the cloud. Phys. Rev. A 94, 032329 (2016) https://doi.org/10.1103/PhysRevA.94.032329
Knill [2005] Knill, E.: Quantum computing with realistically noisy devices. Nature 434(7029), 39–44 (2005)
Chamberland et al. [2017] Chamberland, C., Jochym-O’Connor, T., Laflamme, R.: Overhead analysis of universal concatenated quantum codes. Physical Review A 95(2), 022313 (2017)
Fowler and Gidney [2018] Fowler, A.G., Gidney, C.: Low overhead quantum computation using lattice surgery. arXiv preprint arXiv:1808.06709 (2018)
Tremblay et al. [2022] Tremblay, M.A., Delfosse, N., Beverland, M.E.: Constant-overhead quantum error correction with thin planar connectivity. Physical Review Letters 129(5), 050504 (2022)
Noh et al. [2022] Noh, K., Chamberland, C., Brandão, F.G.: Low-overhead fault-tolerant quantum error correction with the surface-gkp code. PRX Quantum 3(1), 010315 (2022)
Lai and Chung [2019] Lai, C.-Y., Chung, K.-M.: Quantum encryption and generalized shannon impossibility. Designs, Codes and Cryptography 87, 1961–1972 (2019)
Chamberland et al. [2016] Chamberland, C., Jochym-O’Connor, T., Laflamme, R.: Thresholds for universal concatenated quantum codes. Physical review letters 117(1), 010501 (2016)
Jochym-O’Connor and Laflamme [2014] Jochym-O’Connor, T., Laflamme, R.: Using concatenated quantum codes for universal fault-tolerant quantum gates. Physical review letters 112(1), 010505 (2014)
Yoder et al. [2016] Yoder, T.J., Takagi, R., Chuang, I.L.: Universal fault-tolerant gates on concatenated stabilizer codes. Physical Review X 6(3), 031039 (2016)
Bravyi and Kitaev [2005] Bravyi, S., Kitaev, A.: Universal quantum computation with ideal clifford gates and noisy ancillas. Physical Review A 71(2), 022316 (2005)
Webster et al. [2015] Webster, P., Bartlett, S.D., Poulin, D.: Reducing the overhead for quantum computation when noise is biased. Physical Review A 92(6), 062309 (2015)
Sohn et al. [2019] Sohn, I., Bang, J., Heo, J.: Dynamic concatenation of quantum error correction in integrated quantum computing architecture. Scientific reports 9(1), 3302 (2019)
Calderbank and Shor [1996] Calderbank, A.R., Shor, P.W.: Good quantum error-correcting codes exist. Physical Review A 54(2), 1098 (1996)
Steane [1996] Steane, A.M.: Simple quantum error-correcting codes. Physical Review A 54(6), 4741 (1996)
Steane [1997] Steane, A.M.: Active stabilization, quantum computation, and quantum state synthesis. Physical Review Letters 78(11), 2252 (1997)
Google Quantum AI [2023] Google Quantum AI: Suppressing quantum errors by scaling a surface code logical qubit. Nature 614(7949), 676–681 (2023)
Brakerski et al. [2014] Brakerski, Z., Gentry, C., Vaikuntanathan, V.: (leveled) fully homomorphic encryption without bootstrapping. ACM Transactions on Computation Theory (TOCT) 6(3), 1–36 (2014)
Mahadev [2020] Mahadev, U.: Classical homomorphic encryption for quantum circuits. SIAM Journal on Computing 52(6), 18–189 (2020)
DiVincenzo [1995] DiVincenzo, D.P.: Two-bit gates are universal for quantum computation. Physical Review A 51(2), 1015 (1995)
Barenco et al. [1995] Barenco, A., Bennett, C.H., Cleve, R., DiVincenzo, D.P., Margolus, N., Shor, P., Sleator, T., Smolin, J.A., Weinfurter, H.: Elementary gates for quantum computation. Physical review A 52(5), 3457 (1995)
Lloyd [1995] Lloyd, S.: Almost any quantum logic gate is universal. Physical review letters 75(2), 346 (1995)
Knill [1995] Knill, E.: Approximation by quantum circuits. arXiv preprint quant-ph/9508006 (1995)
Kitaev [1997] Kitaev, A.Y.: Quantum computations: algorithms and error correction. Russian Mathematical Surveys 52(6), 1191 (1997)
Gottesman and Chuang [1999] Gottesman, D., Chuang, I.L.: Demonstrating the viability of universal quantum computation using teleportation and single-qubit operations. Nature 402(6760), 390–393 (1999)
Terhal [2015] Terhal, B.M.: Quantum error correction for quantum memories. Rev. Mod. Phys. 87, 307–346 (2015) https://doi.org/10.1103/RevModPhys.87.307
Lai et al. [2017] Lai, C.-Y., Zheng, Y.-C., Brun, T.A.: Fault-tolerant preparation of stabilizer states for quantum calderbank-shor-steane codes by classical error-correcting codes. Phys. Rev. A 95, 032339 (2017) https://doi.org/10.1103/PhysRevA.95.032339
Bergholm et al. [2005] Bergholm, V., Vartiainen, J.J., Möttönen, M., Salomaa, M.M.: Quantum circuits with uniformly controlled one-qubit gates. Physical Review A 71(5), 052330 (2005)
Kim and Choi [2018] Kim, T., Choi, B.-S.: Efficient decomposition methods for controlled-r n using a single ancillary qubit. Scientific reports 8(1), 5445 (2018)
Hu et al. [2023] Hu, Y., Ouyang, Y., Tomamichel, M.: Privacy and correctness trade-offs for information-theoretically secure quantum homomorphic encryption. Quantum 7, 976 (2023) https://doi.org/10.22331/q-2023-04-13-976
Forlivesi et al. [2023] Forlivesi, D., Valentini, L., Chiani, M.: Performance analysis of quantum error-correcting codes via macwilliams identities. arXiv preprint arXiv:2305.01301 (2023)
Dutka [1991] Dutka, J.: The early history of the factorial function. Archive for history of exact sciences, 225–249 (1991)
Grassl [2006] Grassl, M.: Searching for linear codes with large minimum distance. In: Discovering Mathematics with Magma: Reducing the Abstract to the Concrete, pp. 287–313 (2006). Springer
Grassl [2008] Grassl, M.: Bounds on the minimum distance of additive quantum codes. http://www.codetables.de (2008)

	$\displaystyle\|\rho_{m}-\rho^{\prime}_{m}\|_{1}$	$\displaystyle\leq\|\rho_{m}\|_{1}+\|\rho^{\prime}_{m}\|_{1}\leq 2,$			(26)
	$\displaystyle\|\rho_{m}-\rho^{\prime}_{m}\|_{\infty}$	$\displaystyle\leq\|\rho_{m}\|_{\infty}+\|\rho^{\prime}_{m}\|_{\infty}=2^{-h+1}.$			(27)