Quantum Searchable Encryption for Cloud Data Based on Full-Blind Quantum Computation

Searchable encryption (SE) is a positive way to protect users' sensitive data in the cloud computing setting, while preserving search ability on the server side, i.e., it allows the server to search encrypted data without leaking information about the plaintext data. In this paper, a multi-client universal circuit-based full-blind quantum computation (FBQC) model is proposed. In order to meet the requirements of multi-client accessing or computing encrypted cloud data, all clients with limited quantum ability outsource the key generation to a trusted key center and upload their encrypted data to the data center. Considering the feasibility of physical implementation, all quantum gates in the circuit are replaced with combinations of operators from the π/8 rotation operator set {R_z(π/4), R_y(π/4), CR_z(π/4), CR_y(π/4), CCR_z(π/4), CCR_y(π/4)}. In addition, the data center is only allowed to perform one π/8 rotation operator each time, but does not know the structure of the circuit (i.e., quantum computation), so it can guarantee the blindness of computation. Then, through combining this multi-client FBQC model and Grover searching algorithm, we continue to propose a quantum searchable encryption scheme for cloud data.
It solves the problem of multi-client access mode under searchable encryption in the cloud environment, and has the ability to resist against some quantum attacks. To better demonstrate our scheme, an example of our scheme to search on encrypted 2-qubit state is given in detail. Furthermore, the security of our scheme is analysed from two aspects: external attacks and internal attacks, and the result indicates that it can resist against such kinds of attacks and also guarantee the blindness of data and computation.


Introduction
In recent years, cloud computing has achieved great development in different fields, such as wireless networks [1][2][3], IoT [4][5][6][7][8], resource allocation [9][10][11] and so on. As it provides economic and convenient service, more and more clients are planning to upload their data onto the public clouds now. And with the popularity of mobile devices, more and more companies can push the content they want based on the data uploaded by clients, which greatly promotes the development of mobile Internet [12][13][14][15]. However, data stored in the cloud server may suffer from malicious use by cloud service providers since data owners no longer have direct control over the data. For instance, data stored in a bank must not be arbitrarily obtained [16][17][18]. Considering data privacy and security, it is a recommended practice for data owners to encrypt data before uploading onto the cloud [19]. Therefore, an efficient search technique for encrypted data is extremely urgent.
A popular way to search over encrypted data is searchable encryption (SE), which is desirable to support the fullest possible search functionality on the server side, without decrypting the data, and thus, with the smallest possible loss of data confidentiality. The first searchable encryption was proposed by Song et al. [20]. This scheme uses stream ciphers and pseudo-random functions to implement ciphertext retrieval, but it also has a series of problems, such as low search efficiency and data privacy. Therefore, Goh [21] built an index structure based on the Bloom filter to achieve fast retrieval of ciphertext data. However, the Bloom filter itself has a certain error rate, and the result returned by the cloud server to the data user may not be accurate. Besides, Curtmola et al. [22] and Boneh et al. [23] use the idea of "keyword-file" to construct a symmetric searchable encryption scheme and a public key searchable encryption scheme, respectively. Both schemes have significant improvements in safety and efficiency. Nowadays, many researchers have tried to use kNN algorithm [24,25], user interest model [26], blockchain technology [27,28], multi-keyword ranked search [29] and so on, to improve the search efficiency and data privacy.
However, with the development of quantum computation, the powerful computing power of quantum computers poses an increasingly strong threat to public key systems [30] and symmetric key systems [31,32]. Besides, quantum computation is also applied in other fields, such as quantum key agreement (QKA) [33,34], quantum steganography (QS) [35,36], quantum machine learning [37,38], and so on. Especially, to protect the privacy of client's data, many researchers have proposed a novel quantum computation model: blind quantum computation (BQC), where the client with limited quantum resources can perform quantum computation by delegating the computation to an untrusted quantum server, and the privacy of the client can still be guaranteed. BQC can be generally divided into two categories: one is the measurement-based blind quantum computation (MBQC), and the other is the circuit-based blind quantum computation (CBQC). In MBQC, measurement is the main driving force of computation, which follows the principle of "entangle-measure-correct", and a certain number of qubits are entangled to form a standard graph state [39][40][41].
Different from MBQC, CBQC is based on the quantum circuit, which is composed of many kinds of quantum gates [42][43][44][45][46][47][48][49][50]. Among them, Fisher [44] and Broadbent [45] firstly proposed a representative CBQC model: delegating quantum computation (DQC). In their schemes, an untrusted server can perform arbitrary quantum computations on encrypted quantum bits (qubits) without learning any information about the inputs, where the quantum computations are implemented by a universal set of quantum gates (X, Z, H, S, T, CNOT). And then the client can easily decrypt the results of the computation with the decryption key. Then, Tan et al. [43] give 3 circuits of other quantum gates (CZ, SWAP, and Toffoli) for blind quantum computation. However, in their schemes, the server knows the content of delegating computation. To further protect computation privacy, a few universal circuit-based "full-blind" quantum computation (FBQC) schemes are proposed [46,47], i.e., the server also does not know the content of delegated computation. These two schemes use two different strategies to achieve full blindness. Zhang et al.'s scheme decomposes all quantum gates into several basic rotation operators, and inserts trap qubits and trap gates to achieve full blindness, where the trap gate is composed of basic rotation operators and does not affect the computation results. In Liu et al.'s scheme, the client uses the strategy of oblivious mechanism to make the computation blind, where the desirable delegated quantum operation, one of {H, P, CNOT, T}, is replaced by a fixed sequence (H, P, CZ, CNOT, T). However, all these mentioned CBQC schemes are only a single-client model, i.e., clients can only delegate the server to compute their own data, which are not convenient for different clients to compute others' data.
In order to implement multi-client universal circuit-based FBQC for searchable encryption, i.e., different clients can store or search their data in the quantum cloud server, we propose a quantum searchable encryption scheme for cloud data based on full-blind quantum computation (QSE-FBQC). Clients with limited quantum ability firstly use X and Z gates to encrypt their data with the encryption keys generated by the key center, and then upload the encrypted data to the data center. The data center performs search computation on the encrypted data if other clients need, where the search computation is implemented by a universal set of quantum gates (X, Z, H, S, T, CNOT, CZ, Toffoli). But, the data center only performs one π/8 rotation operator from the π/8 rotation operator set {R_z(π/4), R_y(π/4), CR_z(π/4), CR_y(π/4), CCR_z(π/4), CCR_y(π/4)} on qubits sent by the key center each time, and sends these qubits back to the key center. Repeating this process multiple times can complete any quantum gate in the circuit of search computation. This kind of strategy can make the data center unable to know the positions and the orders of quantum gates in the circuit, which guarantees the blindness of computation. When the search computation finishes, the key center generates the corresponding decryption key. Finally, the clients who need the search result from the data center also use X and Z gates to decrypt the encrypted search result with the decryption key.
The rest of the paper is organized as follows. Sect. 2 provides some preliminary knowledge about quantum computation and circuit-based blind quantum computation. Then, a quantum searchable encryption scheme for cloud data based on full-blind quantum computation is proposed in Sect. 3. Moreover, we give a concrete example that uses Grover algorithm to search on encrypted 2-qubit state in Sect. 4. And the security of our scheme is analysed in Sect. 5. Sect. 6 is devoted to compare our scheme with some existing SE schemes and BQC schemes. Finally, Sect. 7 gives discussion and conclusion of this paper.

Quantum computation
In quantum computation, the quantum bit (called qubit) [51] is the basic unit of quantum information and has two possible states |0⟩ and |1⟩, which is often referred to as quantum superposition state, where α, β are complex numbers, and |α|^2 + |β|^2 = 1. |0⟩ and |1⟩ can be represented by vectors, Then, |φ⟩ can be expressed in vector form |φ⟩ = (α, β)^T. With the information carrier (qubit), we also need some quantum gates to implement the information processing. For single-qubit gates, we have Pauli-X, Pauli-Z, H (Hadamard), S and T gates, which can be described as 2 × 2 unitary matrices as below, Especially, Ref. [51] also points out that for arbitrary unitary operator U performed on single-qubit, there exist θ, α, β and γ, s.t.
For double-qubit gates, the commonly used multi-qubit gates are CNOT and CZ gates. The matrix representations and quantum circuits of CNOT and CZ are shown in Fig. 1 and Fig. 2, respectively. Finally, for triple-qubit gates, Toffoli gate is another frequently used multi-qubit gate, which is illustrated in Fig. 3. With these single-qubit gates and multi-qubit gates, we can implement arbitrary quantum computation.

Circuit-based blind quantum computation
Fisher [44] and Broadbent [45] proposed a specific blind quantum computation scheme based on quantum circuit. It (see Fig. 4 a) starts with a client who has quantum information that needs to be sent to a remote server for processing. The client first encrypts one input qubit |ψ⟩ and sends it to a quantum server, who performs a computation U on the encrypted qubit. The server returns the state which the client decrypts to get U|ψ⟩.
In the scheme, to encrypt a qubit |ψ⟩, a client applies a combination of Pauli X and Z operations to get an encrypted qubit X^a Z^b |ψ⟩, where a, b ∈ {0, 1} (as well as c, d ∈ {0, 1} for the CNOT gate in Fig. 4f). Then, the server performs the quantum computation U, which is composed of unitary operations from the Clifford group {X, Z, H, S, CNOT} and one additional non-Clifford gate, the T gate. As shown in Fig. 4 b-f, when U ∈ {X, Z, H, S, CNOT}, Clifford gates do not require any additional resources, and decryption is straightforward. However, when U = T (see Fig. 4 g), the server requires the client to send an auxiliary qubit Z^d P^y |+⟩, where y, d ∈ {0, 1}, to control a CNOT gate with the encrypted qubit. The server measures the encrypted qubit and the outcome c ∈ {0, 1} is returned to the client, which is used in decryption. The client sends a single classical bit, x = a ⊕ y, to control an S gate on the auxiliary qubit, which is returned to the client as
Step 1: Alice_1 sends a number n (the number of qubits in |ψ⟩) to Charlie.
Step 3: Alice_1 encrypts her data |ψ⟩ with ek and sends encrypted state
Step 4: Alice_2 asks Charlie to delegate Bob to perform quantum computation over E_ek|ψ⟩, and Charlie gets E_ek|ψ⟩ from Bob.
Step 7: Bob performs rotation operator U on 3 qubits, and sends back to Charlie.
Step 8: Charlie performs X and Z operations on 3 qubits as needed.
, where G gate can be composed of a plurality of U gates (as shown in Eq. 5) and x′_i, z′_i ∈ {0, 1}. When U is used as a trap gate, it can be executed in any order. where . In our scheme, the global phase factors (e iθ 2 ) are ignored.
Step 10: Repeat Step 5 to 9 until Charlie gets |result⟩ and generates final decryption key dk = (x′_i, z′_i), where s represents the number of G gates in the circuit of quantum computation, j ∈ {1, 2, …, s} and |result⟩ is the computation result which Alice_2 needs.
Step 11: Charlie sends E_dk|result⟩ and dk to Alice_2, where dk is transformed by BB84.
Step 12: Alice_2 decrypts the encrypted result E_dk|result⟩ with dk, to get |result⟩.
To better understand our multi-client universal FBQC scheme, we give three examples of delegating Bob to perform one single-qubit gate (X gate in Fig. 7), one double-qubit gate (CZ gate in Fig. 8), and one triple-qubit gate (Toffoli gate in Fig. 9), respectively. For the sake of simplicity, we mainly explain Step 5 to 9 in these examples.
single-qubit gate - X gate
1. Charlie sends 3 encrypted qubits
double-qubit gate - CZ gate
1. Charlie sends 3 encrypted qubits (X
As can be seen from the above, through trap gates, trap qubits and ways of constant interaction, Bob cannot tell whether the qubits he receives from Charlie each time belong to the same original quantum state. Meanwhile, he also cannot distinguish which rotation operators belong to the same original quantum gate.

Quantum searchable encryption for cloud data based on full-blind quantum computation
We have established a multi-client universal circuit-based FBQC framework for easy data sharing. To achieve the aim of searchable encryption, we propose a concrete quantum searchable encryption scheme for cloud data based on full-blind quantum computation (QSE-FBQC). For the sake of simplicity, we take four roles (the data owner Alice_1, the data searcher Alice_2, the data center Bob and the key center Charlie) as an example to describe our scheme. The specific process of QSE-FBQC scheme is as follows and shown in Fig. 11.
1. Alice_1 sends a number n to Charlie, where n is the number of qubits which she wants to encrypt.
Bob, where the item index j within |ψ⟩ is not encrypted and composed of m qubits, M = 2^m, data(j) is the data and composed of n qubits.
4. Alice_2 wants Bob to search over E_ek|ψ⟩, and Charlie interacts with Bob according to the quantum circuit of search computing, which is the same as Step 5 to 10. The search computation can be composed of Grover algorithm, which is illustrated in Fig. 10. For a search space of N = 2^n elements and one solution, we only need to apply the search oracle O(√N) times to obtain a solution. During the interaction between Bob and Charlie, the sender needs to add decoy qubits to the data and record their location. When the receiver receives the data, the sender announces the states and locations of the decoy qubits (selected from {|0⟩, |1⟩, |+⟩, |−⟩}), and the receiver confirms whether it is the same as the published state by measuring the state of the decoy qubits. If they are the same, the receiver proceeds to the next step; otherwise, the sender resends the data.
6. Alice_2 uses dk to decrypt the state (X , and abandons the auxiliary third qubit to get |0⟩_1 |1⟩_2 (the global phase factors are ignored).

Security analysis
In this section, the security of the proposed QSE-FBQC scheme is analyzed as below. We analyze the security from two aspects: external attacks and internal attacks. The former refers to the attacks by the eavesdroppers outside the protocol, while the latter refers to the attacks by the data center in the scheme.
Fig. 12: The circuit of Grover algorithm for

External attack
Let Eve be an eavesdropper, who tries to get some information about clients' data. To get the information, he first needs to get the encryption or decryption key from Charlie, because all of the transmitted data are encrypted by the key. First, he can perform the intercept-and-resend attack by intercepting all qubits sent from Charlie and resending fake qubits to the client in Step 2 or 11. However, due to the use of the BB84 protocol, all qubits are encoded into the X or Z basis according to the classical key, so Eve cannot distinguish which basis each qubit belongs to and gets nothing from these qubits. And the client can check for the existence of such an attack by measuring the received fake qubits. Then, the client can abandon this key and ask Charlie to regenerate a new key.
Besides, Eve may also perform the intercept-and-resend attack during the communication between Bob and Charlie. Due to the existence of trap qubits and trap gates, Eve cannot distinguish which qubits are not trap qubits, and which required operations are actual operations. But this kind of attack will destroy the results of the delegated computation because of fake qubits sent by Eve. Charlie can insert decoy qubits randomly, which consist of X-basis and Z-basis states, and record the positions of them. Similar to the BB84 protocol, when Bob gets all qubits, Charlie announces the positions and the states of the decoy qubits. Bob can check for the existence of such an attack with a higher probability by measuring the decoy qubits. For example, if the number of decoy qubits used for eavesdropping checking is m, the success probability of detecting the existence of Eve is 1 − (3/4)^m, which obviously increases with the increase of m, and which is close to 1 when m is large enough.
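The decoy-qubit check above can be worked through numerically. The following is an added example, not code from the paper: it simulates intercept-and-resend on the four decoy states, compares the measured detection rate with 1 − (3/4)^m, and computes how many decoys a target detection probability requires. It assumes Eve intercepts every decoy and measures each one in a uniformly random basis; all function names are hypothetical.

```python
import math
import random

# Decoy states from the page as (basis, bit): |0>, |1> in the Z basis; |+>, |-> in the X basis.
DECOYS = [("Z", 0), ("Z", 1), ("X", 0), ("X", 1)]


def measure(state, basis, rng):
    """Measure a decoy in `basis`; return (outcome bit, post-measurement state)."""
    prepared_basis, bit = state
    if basis != prepared_basis:
        bit = rng.randrange(2)  # conjugate basis: the outcome is uniformly random
    return bit, (basis, bit)


def eve_detected(m, rng):
    """One transmission carrying m decoys under intercept-and-resend (assumed attack model)."""
    for _ in range(m):
        sent = rng.choice(DECOYS)
        # Eve does not know the basis, guesses one, and resends what she measured.
        _, resent = measure(sent, rng.choice("ZX"), rng)
        # After the announcement the receiver measures in the sender's basis.
        outcome, _ = measure(resent, sent[0], rng)
        if outcome != sent[1]:
            return True
    return False


def detection_probability(m):
    """Closed form from the text: 1 - (3/4)^m."""
    return 1 - 0.75 ** m


def simulated_detection_rate(m, trials=20000, seed=1):
    """Fraction of simulated transmissions in which at least one decoy check fails."""
    rng = random.Random(seed)
    return sum(eve_detected(m, rng) for _ in range(trials)) / trials


def decoys_needed(target):
    """Smallest m whose detection probability reaches `target` (0 < target < 1)."""
    return math.ceil(math.log(1 - target) / math.log(0.75))


if __name__ == "__main__":
    for m in (1, 4, 8, 16):
        print(m, round(detection_probability(m), 4), simulated_detection_rate(m))
    print("decoys for 99.9% detection:", decoys_needed(0.999))
```

Each decoy is disturbed only when Eve guesses the wrong basis and the receiver's measurement then disagrees, which gives the per-decoy factor 1/4 behind the formula.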

Internal attack
The internal attack is mainly caused by Bob, who wants to know the information about the data and the computation. In a sense, to immunize against internal attacks is actually to ensure the blindness of the data and the computation, which is analysed as below.
The blindness of data
For the blindness of data in our scheme, Alice performs encryption operations X and Z on the n-qubit state |ψ⟩, and then sends these encrypted qubits ⊗_{i=1}^{n} X_i^{x_i} Z_i^{z_i} |ψ⟩ to Bob. Even if Bob intercepts them, he does not know the value of (x_i, z_i) (i ∈ {1, 2, …, n}), so he still cannot get anything from the encrypted data.
However, the circuit of T gate and Toffoli gate for blind quantum computation is special. This is because Charlie is not able to perform the S, CNOT and CZ corrections, respectively, so these three operations should be delegated to Bob. Once Bob obtains the information of corrections, then the encryption keys of encrypted qubits are exposed. So, Charlie needs to encrypt qubits again with X and Z operations when the S, CNOT and CZ corrections need to be delegated. Therefore, Bob cannot distinguish whether these qubits belong to the original quantum state and gets nothing from the encrypted qubits.
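The X^a Z^b encryption from the circuit-based scheme and the blindness-of-data argument above, as an added example that is not the paper's code: a single qubit is encrypted, single-qubit Clifford gates are applied to the ciphertext while the key is tracked, and the ciphertext averaged over all keys is shown to be the maximally mixed state. The key-update rules are the standard Pauli commutation identities, stated here as an assumption because the paper's Fig. 4 is not reproduced on this page; T, CNOT and multi-qubit keys are left out, and the sample state is constructed.

```python
import math

R = 1 / math.sqrt(2)
GATES = {
    "X": [[0, 1], [1, 0]],
    "Z": [[1, 0], [0, -1]],
    "H": [[R, R], [R, -R]],
    "S": [[1, 0], [0, 1j]],
}

# How the key (a, b) of X^a Z^b changes when a Clifford gate acts on the ciphertext
# (standard identities, assumed here: H swaps the bits, S maps (a, b) to (a, a XOR b)).
KEY_UPDATE = {
    "X": lambda a, b: (a, b),
    "Z": lambda a, b: (a, b),
    "H": lambda a, b: (b, a),
    "S": lambda a, b: (a, a ^ b),
}


def apply(gate, v):
    """Multiply a 2x2 gate onto a single-qubit state vector."""
    return [gate[0][0] * v[0] + gate[0][1] * v[1],
            gate[1][0] * v[0] + gate[1][1] * v[1]]


def pauli_pad(v, key):
    """Apply X^a Z^b to the state: Z first (if b), then X (if a)."""
    a, b = key
    if b:
        v = apply(GATES["Z"], v)
    if a:
        v = apply(GATES["X"], v)
    return v


def plain(circuit, psi):
    """Reference run on the unencrypted state; gates are applied left to right."""
    for g in circuit:
        psi = apply(GATES[g], psi)
    return psi


def delegated(circuit, psi, key):
    """Encrypt, let the server compute on the ciphertext, track the key, decrypt."""
    state = pauli_pad(psi, key)
    for g in circuit:
        state = apply(GATES[g], state)      # server side: never sees psi or the key
        key = KEY_UPDATE[g](*key)           # key holder side: classical bookkeeping
    return pauli_pad(state, key), key       # equal to plain() up to a global phase


def fidelity(u, v):
    """|<u|v>|, which is 1 when two states differ only by a global phase."""
    return abs(sum(x.conjugate() * y for x, y in zip(u, v)))


def server_view(psi):
    """Density matrix of the ciphertext averaged over the four equally likely keys."""
    rho = [[0, 0], [0, 0]]
    for key in [(0, 0), (0, 1), (1, 0), (1, 1)]:
        v = pauli_pad(psi, key)
        for i in range(2):
            for j in range(2):
                rho[i][j] += v[i] * v[j].conjugate() / 4
    return rho


if __name__ == "__main__":
    psi = [0.6, 0.8j]                        # constructed sample state
    out, dk = delegated("HSXZSH", psi, (1, 0))
    print("fidelity:", fidelity(out, plain("HSXZSH", psi)), "final key:", dk)
    print("server view:", server_view(psi))
```

`server_view` returns I/2 for any input state, which is the formal content of "he still cannot get anything from the encrypted data" when the key bits are uniform and unknown to Bob.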
The blindness of computation
The computation that the client wants to implement can be seen as a desirable circuit which is made up of the delegated quantum gates, therefore the blindness of computation is equivalent to the blindness of the delegated quantum gates. In order to make the delegated quantum gates blind, these quantum gates (G gate) can be decomposed into the combination of rotation operators (U gate). Bob performs partial rotation operators in every round, which can compose the actual G gate or trap gates, so he does not know what is the correct gate. That is, Charlie can successfully hide the quantum computation process.
Without loss of generality, we give a simple example to explain our model. Suppose Charlie wants to delegate quantum gates H, X, CZ and Toffoli to Bob, while Bob cannot know the data and the content of computation in our model. The data have already been all encrypted by Alice with gates X and Z. Let all rotation operators have labels according to the order in every quantum circuit from left to right. In quantum circuit of gate H, the performing order of these rotation operators is h_1, h_2, …, h_m. In quantum circuit of gate X, the performing order of these rotation operators is x_1, x_2, …, x_n. In quantum circuit of gate CZ, the performing order of these rotation operators is c_1, c_2, …, c_d. In quantum circuit of gate Toffoli, the performing order of these rotation operators is t_1, t_2, …, t_w. Note that h_i, x_i, c_i and t_i ∈ U. In the model, all gates are started in an arbitrary way, i.e., the process is randomly designed by Charlie, such as t Bob cannot tell whether the qubits he receives from Charlie each time belong to the same original quantum states. Meanwhile, he also cannot distinguish which rotation operators belong to a quantum gate. Therefore, Bob cannot know what gates are realized in our model.
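The decomposition-and-interleaving idea above, as an added example that is not the paper's code: single-qubit gates are written as sequences of R_z(π/4) and R_y(π/4), the key center merges several gates' sequences in random order while keeping each gate's own order, and each gate is rebuilt from the merged schedule and checked up to a global phase. The decompositions are standard identities chosen for this example, not the paper's Eq. 5; each gate is assumed to act on its own qubit, and the controlled rotations and trap gates are left out. All names are hypothetical.

```python
import cmath
import math
import random

S2 = 1 / math.sqrt(2)
# The two single-qubit members of the rotation set: R_z(pi/4) and R_y(pi/4).
ROT = {
    "Rz": [[cmath.exp(-1j * math.pi / 8), 0], [0, cmath.exp(1j * math.pi / 8)]],
    "Ry": [[math.cos(math.pi / 8), -math.sin(math.pi / 8)],
           [math.sin(math.pi / 8), math.cos(math.pi / 8)]],
}
TARGET = {
    "T": [[1, 0], [0, cmath.exp(1j * math.pi / 4)]],
    "S": [[1, 0], [0, 1j]],
    "Z": [[1, 0], [0, -1]],
    "H": [[S2, S2], [S2, -S2]],
    "X": [[0, 1], [1, 0]],
}
# Rotation sequences, first operator applied first (illustrative, not the paper's Eq. 5).
DECOMP = {
    "T": ["Rz"],
    "S": ["Rz"] * 2,
    "Z": ["Rz"] * 4,
    "H": ["Rz"] * 4 + ["Ry"] * 2,
    "X": ["Rz"] * 4 + ["Ry"] * 4,
}


def mul(a, b):
    return [[sum(a[i][k] * b[k][j] for k in range(2)) for j in range(2)] for i in range(2)]


def same_up_to_phase(a, b, tol=1e-9):
    """True if a = e^{i*phi} * b for some real phi."""
    i, j = next((i, j) for i in range(2) for j in range(2) if abs(b[i][j]) > tol)
    phase = a[i][j] / b[i][j]
    return abs(abs(phase) - 1) < tol and all(
        abs(a[r][c] - phase * b[r][c]) < tol for r in range(2) for c in range(2))


def schedule(jobs, seed):
    """Key-center side: randomly merge the rotation sequences of several gates,
    keeping each gate's own order. Each job acts on its own qubit (assumption)."""
    rng = random.Random(seed)
    queues = {j: list(DECOMP[g]) for j, g in enumerate(jobs)}
    rounds = []
    while queues:
        j = rng.choice(sorted(queues))
        rounds.append((j, queues[j].pop(0)))
        if not queues[j]:
            del queues[j]
    return rounds


def data_center_view(rounds):
    """What the data center is asked to do: one rotation per round, no gate labels."""
    return [op for _, op in rounds]


def rebuild(rounds, n_jobs):
    """Multiply out each job's rotations in the order they were executed."""
    acc = [[[1, 0], [0, 1]] for _ in range(n_jobs)]
    for j, op in rounds:
        acc[j] = mul(ROT[op], acc[j])
    return acc


if __name__ == "__main__":
    jobs = ["H", "X", "S", "T", "Z"]
    rounds = schedule(jobs, seed=7)
    print("data center sees:", " ".join(data_center_view(rounds)))
    print([same_up_to_phase(m, TARGET[g]) for m, g in zip(rebuild(rounds, len(jobs)), jobs)])
```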

Performance evaluation
In order to evaluate our scheme, we chose two classical searchable encryption (SE) schemes [26,29] and two blind quantum computation (BQC) schemes [45,47] as references, and compare our QSE-FBQC scheme with them from the following aspects: time complexity of index construction, time complexity of search, full-blind, multi-client access and eavesdropping detection.
The classical SE schemes generally consist of three main parts: index construction, trapdoor generation and search. Since the process of index construction and trapdoor generation are to encrypt the keyword set W extracted from data or query keywords W through the encryption key SK, the time complexity of each process is similar. Therefore, we only consider the aspect of the time complexity of index construction. Suppose that the number of entries for the data is N. In Cao et al.'s and Fu et al.'s SE scheme, the major computation in the phase of index construction includes the splitting procedure and two multiplications of a (cN + u + 1) × (cN + u + 1) matrix and a (cN + u + 1) vector, where c and u are constants, and cN represents the number of keywords in W. So the time complexity is O(N^2). However, Broadbent's BQC scheme, Liu et al.'s BQC scheme and our scheme do not need the process of index construction and trapdoor generation, and make the search computation over encrypted data directly. So the time complexity of index construction is 0. On the other hand, although Fu et al.'s SE scheme based on user interest model is more efficient than Cao et al.'s scheme when users request more relevant data, the time complexity of search is O(N) for both. But these mentioned BQC schemes and our scheme use Grover algorithm to make a quadratic speedup in search, so the time complexity is O(√N). For a more intuitive representation, the results of the comparison are shown in Table 1.
As we can see, BQC schemes and our scheme are significantly more efficient than the classical SE schemes in the aspect of search efficiency. However, these BQC schemes do not support multi-client access, which is not convenient for data sharing in cloud environment. And all clients in our scheme outsource the key generation to a trusted key center, which is easy to make each client get search result by the decryption key from the key center. Besides, although Liu et al. consider that the desirable delegated quantum operation, one of {H, P, CNOT, T}, is replaced by a fixed sequence (H, P, CZ, CNOT, T) to make the computation blind, they do not consider detecting eavesdroppers when two parties communicate with each other in their scheme. Our scheme takes the strategy of inserting decoy qubits into transmitted data to check for eavesdropping behavior.

Discussion and conclusion
In this paper, we firstly propose a multi-client circuit-based full-blind quantum computation model, and then apply this model on the searchable encryption to get a QSE-FBQC scheme. In our scheme, different clients with limited quantum ability can upload their encrypted data to a powerful but untrusted quantum data center and the data center can search on the encrypted data without decryption. Besides, the data center also cannot know what search computation he has implemented by himself, i.e., making the computation blind.
In the field of classical searchable encryption (SE), most schemes are either based on public key (RSA) [23], or based on symmetric key [20,22]. As we know, RSA has been theoretically broken by Shor algorithm [30] in polynomial time, while some symmetric cryptosystems, such as CBC-MAC, GMAC, GCM, etc., also have been recently broken by using quantum period finding [31,32]. Therefore, how to use quantum technology to implement SE becomes an interesting work worth studying, which motivates us to study searchable encryption using blind quantum computation. Although some circuit-based BQC schemes [42][43][44][45][46][47] have been continuously proposed in recent years, they only consider the single-client model, which cannot meet the requirements of multi-client accessing or searching data in the cloud environment. Besides, almost all of these schemes focus on guaranteeing the blindness of the data, while ignoring the blindness of the computation. The second motivation of our work is to implement the multi-client access mode as well as guarantee the blindness of computation.
This work designs a multi-client FBQC model, and utilizes it to propose a quantum SE scheme in cloud environment, but it may need some improvements or extensions in a practical one. In our scheme, the trusted key center hosts all the keys, so he becomes the cornerstone of the security and would also be the target of attacks (including quantum attacks). How to guarantee his security, i.e., to protect him from various attacks, will become an aspect to be explored. Second, how to prevent illegal user access in the multi-party FBQC model is not considered in this article; quantum identity authentication (QIA) [50] may be one feasible candidate solution.

Fig. 4: The process of blind quantum computation for each quantum gate in Fisher's and Broadbent's schemes

Fig. 5: The process of blind quantum computation for CZ and Toffoli gate

Fig. 7: Our model for single-qubit gates X, Z, H, S and T (a, b, c, d, e, f ∈ {0, 1}), where the sign 1 belongs to |ψ⟩ and the signs 2 and 3 belong to trap qubits, respectively. And the blue, green, red and brown dotted lines indicate the encryption operations, the actual operations, the trap operations and the decryption operations, respectively.

Table 1: Comparison with classical SE schemes and BQC schemes