An Obfuscated Journey
The room was quiet except for the faint hum of the monitor and the scribbling of markers against the whiteboard. Equations spilled into every corner like constellations of thought, half-erased, half-rewritten.
It was early 2023, and our paper on multiparty quantum computation with publicly verifiable identifiable abort was finally done. Eurocrypt 2024 would later take it, but at that moment (2023), I was already restless. My mind kept drifting toward a new question, one that glimmered just beyond the edges of what we knew.
Could quantum fully homomorphic encryption (QFHE) ever be publicly verifiable?
The idea wouldn’t leave me alone. I would walk home under the dim campus lights, and the question would echo in my head, refusing to quiet. Part of the curiosity came from another project I was working on with Baiyu Li, Xinyu Mao, and Jiapeng Zhang. We had been exploring post-quantum FHE with public verifiability, and somehow I had become enchanted with that phrase: public verifiability.
What if we could make everything publicly verifiable?
The following months were a blur of discussions and drafts. I would sit with Xinyu, Yu-Hsuan, and Er-Cheng, drawing circuits on ipad until the digital ink dried out. We tried, failed, argued, and tried again.
Then, one night in January 2024, it clicked my mind. A definition emerged in my dream, one that preprocesses the circuit during KeyGen. It wasn’t perfect, but it felt alive.
The next morning, I rushed to share it with Kai-Min and Wei-Kai. They listened with patience, and after a long silence, Kai-Min smiled slightly.
“This,” he said, “sounds more like a garbled circuit than an FHE.”
For a few seconds, my mind went blank. Then, slowly, it made sense.
That moment of realization was oddly freeing. I laughed and said, “So it’s not an FHE, it’s something else.”
And just like that, publicly verifiable quantum garbled circuits (pvQGC) were born.
The pieces started to fit together. The techniques from our earlier MPQC work such as EPR pairs for teleporting quantum inputs and outputs, Clifford authentication codes to protect quantum states, all of it could be repurposed here. The puzzle had a shape now.
A few weeks later, at the Simons Quantum Workshop, I caught up with Er-Cheng and began to formalize the idea. It felt like the start of something real. Then summer came, and I flew to the University of Washington to visit Andrea and Er-Cheng.
Seattle greeted me with soft rain and long evenings. In one of those meetings with Andrea, while all of us were both half-lost in thought, he suddenly looked up and said,
“Maybe you can try to lift this Clifford-based pvQGC to quantum obfuscation?”
His words hung in the air like lightning.
I felt my pulse quicken. Er-Cheng and I had talked about this before: Clifford-based QGCs, already had this strange and obfuscation-like flavor, except that the input is fixed. Now, it felt like a path opening before us.
But the road turned rough quickly. When we tried to lift our Clifford-based pvQGC into a full quantum obfuscation scheme, we stumbled upon a subtle attack. It was elegant, almost beautiful in how it broke our construction. I remember staring at the equations, half in frustration, half in admiration.
We later learned that other groups exploring Clifford-based obfuscation ran into similar attacks. It wasn’t an impossibility result, it just meant that this particular route couldn’t reach the destination. Like finding a locked door at the end of a corridor you had mapped out for months.
So we turned around and started again.....
This time, we decided to build quantum obfuscation from the ground up. We dove into [BKNY23] and [BBV24], tracing every line, every definition. Both were limited to pseudo-deterministic and classical input-output only, but they had hints of deeper possibilities.
[BKNY23] drew the formal barrier clearly, due to Mahadev’s CVQC results for decision problems. [BBV24], though, whispered a different promise: that maybe, with the right tools, we could extend their approach to general quantum functionalities.
That whisper became our motivation.
And somehow, we did it. We found a way to extend [BBV24] to support general functionality, though we had to make one compromise—the final oracle call had to be classical.
It felt like solving a riddle only to realize the answer had a cost. The restriction weakened the security and made the scheme feel less like quantum obfuscation and more like a quantum one-time program. The STOC reviewers pointed that out, and though it stung, I knew they were right.
After that, I began to ask myself a quieter question.
If we don't know how to obfuscate everything, what can we obfuscate meaningfully?
For days, we would sit at my desk and stare at the whiteboard. Then, one evening, it struck us.
Unitary transformations!
They behaved so much like deterministic quantum functions: predictable, reversible, elegant. Maybe this was where we were supposed to look.
That realization felt different from the others. Not explosive, but calm, like watching the first light of dawn after a long night.
Now, when I think back, I see that this was never just about one definition or one theorem. It was about learning when to let go of an idea and when to chase it harder.
The road ahead is still uncertain, but at least we have a direction, a faint constellation to follow. Somewhere among those stars lies the promise of true quantum obfuscation.