Continuous-variable quantum computing on encrypted data

The ability to perform computations on encrypted data is a powerful tool for protecting a client's privacy, especially in today's era of cloud and distributed computing. In terms of privacy, the best solutions that classical techniques can achieve are unfortunately not unconditionally secure in the sense that they are dependent on a hacker's computational power. Here we theoretically investigate, and experimentally demonstrate with Gaussian displacement and squeezing operations, a quantum solution that achieves the security of a user's privacy using the practical technology of continuous variables. We demonstrate losses of up to 10 km both ways between the client and the server and show that security can still be achieved. Our approach offers a number of practical benefits (from a quantum perspective) that could one day allow the potential widespread adoption of this quantum technology in future cloud-based computing networks.


SUPPLEMENTARY FIGURES
Supplementary Figure 1: Average fidelity between | α + β|t 2 α + tβ | 2 for an initial coherent state subject to the protocol with and without loss, which corresponds to a channel with transmission factor t. Both α and β are distributed according to Gaussians with zero mean and variance ∆ 2 .   Figure 4: (a) Average fidelity between | α + β|t 2 α + tβ | 2 for an initial coherent state subject to the protocol with and without loss, which corresponds to a channel with transmission factor t. (b) The same plot as in part (a) but where the final displacement does not take into account the channel loss t, given by | α + β|t 2 α + tβ + (t 2 − 1)γ| 2 , where γ is the encryption parameter. All of α, β and γ are distributed according to Gaussians with zero mean and variance ∆ 2 .

SUPPLEMENTARY TABLES
Step Operation Table 1: The transformations induced by the protocol in the framework of the Wigner function, where we have limited the server to simply applying a displacement. The calculation for U2(T ) proceeds in a similar fashion, but U3(T ) does not have a linear transformation in terms of the operatorsq,p and would be more complicated to calculate in this fashion.

Supplementary Note 1: Gate Decryption Operators
In this section we first define a set of continuous-variable gates as well as the following conventions. Identities: We define a encryption operation, D(Q, P ), consisting of a random displacement in phase space. We consider a universal set of gates G ∈ {X(Q), Z(P ), U 2 (T ), U 3 (T ), F, C Z,12 }. We wish to demonstrate the existence of a correction operator, C(Q, P, G), which depends on the encryption parameters and G such that C(Q, P, G)GD(Q, P )|ψ = G|ψ . Correction: Correction: Correction: However, U 2 (T ) does not slide nicely through F so we wish to have the server handle this correction on the fly.
Let |φ = F † U 3 (T )D(Q, P )|ψ so that the output of the teleportation is given by It is clear that applying the correction operator U 2 (−3QT )X(−m 1 ) to this state would eliminate the appearance of U 2 , however we cannot divulge the value of Q as this would compromise the security. Consider the circuit given by where A + B = −3QT . We can then slide U 2 (A) all the way to the left as where the output is given by Z(Q 2 )Z(2m 1 A)Z(P − 3Q 2 T )X(Q)U 3 (T )|ψ and we also include another Z gate as part of the preparation. Note that the Z(2m 1 A) gate can be deferred to the client, who knows the value of A, by including it as an update to their decryption key. If we choose A at 'random' then we are giving the server negligible information about the encryption parameter Q by telling them the value of B. In particular, we can see the transmission of −3QT is modulated by the Gaussian noise A and this channel behaves as an additive white Gaussian noise channel. Explicitly, the channel capacity goes as C = log 2 (1 + 9T 2 Var(Q)/Var(A)), and so for large enough displacements, A, this can be made negligible. Note that the server will also have to inform the client of m 1 obtained so that they can correct for the additional Z(2m 1 A) gate, and thus implementing this gate requires a single round of communication. Furthermore the density operator corresponding to the state U 2 (A)Z(Q 2 )|0 p when averaged over Q 2 is proportional to the identity, and thus no information about Q can be attained from the state itself. This can be seen from the fact that if we choose Q 2 according to some Gaussian probability density function, P (Q 2 ), whose variance tends towards infinity. CZ,12 Correction:

Supplementary Note 2: Compositions of Gates
To implement a single gate from the universal set defined above, we have demonstrated that there exists a correction (decryption) operator, C G , that satisfiesĈ and similarly for the two-qumode C Z,12 gate. We would like the server to be able to compose gates without needing the client to decrypt (or correct) between applications. Namely we wish to demonstrate that or that the client can update their correction operator while only requiring possibly classical communication with the server. Suppose thatĈ can we construct aĈ from our knowledge ofĈ 1,2 ? Notice that for all of the gates in the universal set the decryption operators, C, involve (up to a phase) only products of operators from the set C ∈ {X(Q), Z(P )}; aside from the special case of , F, C Z,12 } we would like to show that there exists a modified decryption operator C such that so that we can slide a new correction through the gate as Notice first that gates, G, with Hamiltonians involving only powers ofq slide trivially through each other. The only correction operator, in {X(Q), Z(P )}, that does not involve powers of onlyq is precisely X(Q). But we have already shown how to rewrite it is easy to insert the extra displacement D(Q, P ) between the two terms in the RHS of the above equation since Z(P ), X(Q) easily slide through all elements G as illustrated in the above work. Also note for the case where G = X(Q) and C involving powers ofq we can apply the same identities by shifting the extra terms to the other side. By recursively applying the identities to swap orderings by applying new corrections we can not only slide the gate through the encryption operation, we can also slide corrections through other gates. In this manner we can build up more complicated gates, with no communication between the client and server for Gaussian gates and one additional round of communication for U 3 .

Supplementary Note 3: Effect of Transmission
To consider the action of each step of the protocol on our state we move to the Wigner function representation; this is convenient as all operations of interest are linear transformations in the canonical operationsq,p and thus are simple transformations of the associated Wigner function. We model the loss as a beamsplitter B 12 (t) where the transmission (reflection) factor is given by t = cos θ (r = sin θ). This is associated with the input-output relations and similarly for p 1,2 . When subjecting our mode of interest to loss we inject the vacuum state, W vac (q, p) = 1/π exp(−q 2 −p 2 ), in the spare port of the beam splitter. We can study the effect of loss in comparison to the ideal case by integrating over the loss modes and calculating the fidelity between the resulting Wigner function and the one that would be obtained in the absence of loss. If the initial state is a coherent state, |α , then these steps lead to the transformation |α → t 2 α + tβ where β is the displacement provided by the server, the general case is presented in Supplementary Table 1. The symmetric case, where the encryption and the server's displacement are distributed according to a Gaussian probability distribution function with zero mean and variance ∆ 2 , is plotted in Supplementary Fig. 1.
To see why this is true, notice that D(β) provides an irreducible representation, up to a phase, of the Heisenberg-Weyl group.
Furthermore, the operator X commutes with D(β) and hence by Schur's Lemma, for unitary groups, X ∝ 1. Using the fact that |ψ is normalized it is easy to show that the constant of proportionality is 1, and thus we have the relationship. From a physical point of view it is not possible to apply a random displacement over R 2 as this would require infinite energy; from a mathematical perspective it's not clear what a 'random' displacement over R 2 even means. Instead we consider applying a displacement that is Gaussian distributed with zero mean and variance ∆ 2 which follows the mapping The finite width of the Gaussian will lead to this state differing from the maximally mixed state; in general the resulting state will depend on the initial state. A simple figure of merit we can study is the purity of the state Trρ 2 , in discrete variable systems the purity is always greater than 1/d but in continuous variable systems the purity can be zero, as is the case for the maximally mixed state. We can find the purity of an arbitrary initial state, ρ → W (α), subject to the map X(|ψ ψ|) by working in the Wigner function formalism Note that this transformation is also just the convolution of our initial Wigner function with a Gaussian probability distribution. We can then use the purity to characterize how well our encryption operation simulates the ideal encryption procedure, given a particular class of input states. Consider the case where our initial state is also a coherent state, given by |α Note that a thermal state ρ th (n) of average excitation numbern has Glauber-Sudarshan representation given by Thus we have that X(|α α|) corresponds to a thermal state withn = 2∆ 2 which is displaced by an amount α. For a fixed amount of energy, thermal states maximize their Von Neumann entropy S(ρ) = −Tr(ρ log ρ) which is also related to purity; S(ρ) is maximized by the maximally mixed state and is zero for pure states. The purity of ρ th (n) can be calculated as Tr(ρ th (n) 2 ) = 1/(1 + 2n) so that the purity of X(|α α|) is given by 1/(1 + 4∆ 2 ). In general one can use the Wigner function to evaluate the action of the encryption and to determine how mixed the resulting state is. In Supplementary Fig. 2 we show the action of imperfect encryption on the vacuum state and in Supplementary Fig. 3 we show the same for a squeezed vacuum state. In general, we want the Gaussian envelope to be large enough to smear out any details about the set of possible initial states.

Supplementary Note 5: Entanglement-Based Analogy
One can exploit the well-known equivalence between preparing a coherent state, chosen according to a Gaussian distribution, and performing Heterodyne detection on half of an EPR pair to show an analogous entanglement-based encryption scheme. In conventional CV teleportation [1], where the parties share a perfectly squeezed EPR pair, the final correction operator is precisely a displacement. Using the principle of deferred measurement, where we simply wait to perform the two homodyne measurements until after the state has been returned from the server, it is clear that the server could not have known of the measurement outcomes and hence the encryption parameters. This analogy works only in the limit of infinite squeezing; in the realistic scenario of finite squeezing there is excess noise introduced onto the mode of interest and the entanglement-based scheme is not a perfect analogy. However, in the limit of large squeezing, or equivalently a Gaussian distribution with large variance, the excess noise tends to zero and this is a good approximation to the actual implementation.
One can also show that the interactive U 3 (T ) gate has an entanglement-based equivalent. First note that, If we now measure the second mode and obtain an outcome P we have the following, Thus we can use the above procedure to modify the implementation of U 3 (T ) and defer the final measurement to construct an entanglement-based version. Explicitly, the client can implement U 2 (A) on half of an EPR pair, shared with the server, before measuring thep quadrature; this will have the same effect as the previous scheme. As before, this holds in an exact sense only in the unphysical limit of perfect squeezing.

Supplementary Note 6: Channel Estimation
When accounting for loss, as seen in 1, we require the displacement D(−t 2 Q, −t 2 P ) as part of the correction. To perform this displacement we must know the transmission coefficient t, however we could forgo this stipulation and assume that t ≈ 1, but doing so will result in a reduced fidelity. In order to partially correct for loss it is necessary to do parameter estimation on the channel. This can be done, for example, by periodically sending random coherent states and asking the server to apply some random displacement, after which one can measure the state in order to learn information about the loss parameter. Generally, there will also be additional noise that one can not correct for as well, but if desired one can estimate the magnitude of this noise by sending an appropriate ensemble of initial states. By doing this frequently enough one can ensure that the channel is not varying appreciably with time, and if so to adjust the necessary correction.
This process ensures that the server is not maliciously altering the channel parameters, in fact we can take this notion one step further and check that the server is indeed performing the desired displacement thus verifying the X, Z operations in our full calculation. In the original proposal for blind quantum computation, the ability to verify that the server is performing the desired calculation arises from the capability of hiding the gates that one is performing. Through doing so one is able to periodically perform a check by doing an easy computation of which one already knows the answer. Since the server is unable to discriminate this check from the actual computation it is unable to pass the check without operating faithfully. In our case the server is fully aware of all gates being performed and could for example perform all operations except U 3 (T ) as intended. Fortunately, there is a large class of desirable computations for which there exist efficient classical verification methods and so one is able to detect an incorrect answer with classical post-processing.
We show the advantage of accounting for the loss in the channel by comparing the fidelities to the ideal state both with and without taking into account the loss parameter in Supplementary Fig. 4.

Supplementary Note 7: Limitations on U2(T )
Suppose we wish to decompose U 2 (X tot ) = U 2 (X in )U 2 (X enc ) as the sum of two parts X tot = X in + X enc , as in the case where we split the operator U 2 (−3QT ) between the client and server in order to implement U 3 (T ). Furthermore, assume that we do not want the knowledge of X enc to reveal the value of X tot . To attempt to hide the value of X tot , we choose X in to be a random variable of zero mean and variance V in . One method of characterizing the amount of information that a random variable carries about a parameter upon which its probability distribution depends on is with the Fisher information, given by Explicitly, in the case where X tot = −3QT , the Fisher information for X enc has the property that I(Q) ∝ T 2 /V in . Notice that as V in → 0 the Fisher information increases without bound indicating that X enc allows one to make a very good estimate of the encryption parameter Q. However, when V in → ∞ then Fisher information approaches zero and the server learns no information of the encryption parameter.

Supplementary Note 8: Equivalence of the Squeezing Gate
To demonstrate more than simply shifts in phase space, we implemented a squeezing operation, S(r) = exp(r(â 2 −â †2 )/2), in the experiment. To see why this squeezing operation is as challenging as the U 2 (T ) gate which is required for universal computation, simply notice that it is equivalent up to rotations U 2 (T ) = R(θ)S(r)R(φ) [2] where R(θ) = exp(iθâ †â ) is generated by the free Hamiltonian. To compose gates, these additional phase shifts must be performed by the server, however to demonstrate a single U 2 (T ) gate one can notice the following We have defined a modified decryption operatorC † (α, T, θ) = C † (α, T )R(θ), reinterpreted the phase reference for the input state |ψ → R(φ)|ψ , and the encryption parameter has simply changed viaα = αe iφ . A similar trick can be used to shift the rotation R(θ) through the decryption operator, which is only some displacement, to show thatC † (α, T, θ) = R(θ)C † (α, T, θ) for some displacement C. Thus up to an appropriate redefinition of the initial and final phase references, implementation of a squeezing operation S(r) is sufficient to demonstrate a U 2 (T ) gate.

Determination of information content
A shot-noise limited laser at 1064 nm generated a highly coherent beam, which was split into two. One part was designated as a local oscillator (LO), the other as the signal beam. A sketch of the setup is shown in Supplementary Fig. 5.
The local oscillator was sent directly to the detection stage, while the signal beam was passed through a set of optical modulators, to be modulated in the phase and amplitude quadratures. The electronic input to the modulators in either quadrature was an addition of two signals, one representing the alphabet of the different input states of the client, the other the client's encryption noise. The noise was determined to be white within the measurement bandwidth of 1 MHz. The alphabet was recorded by the data acquisition to establish the size of the correlations. The homodyne detector output was demodulated at 10.5 MHz, with a 1 MHz lowpass filter to set the measurement bandwidth. The sampling rate was 5 MHz, with 14 bit resolution. The variance of the Gaussian distributed input state alphabet was V in = 0.6 SNU. From the measured data we determined the variances and covariances which give an estimate for the mutual information by the formula, where C is the covariance between the recorded alphabet and the signal, and V = V in + V enc , i.e. the variance of the signal and the encryption.

Displacement gates
A shot-noise limited laser at 1064 nm generated a highly coherent beam, which was split into two. One part was designated as a local oscillator (LO), the other as the signal beam. A sketch of the setup is shown in Supplementary Fig. 6.
The local oscillator was sent directly to the detection stage, while the signal beam was passed through a set of optical modulators, to be modulated in the phase and amplitude quadratures. The electronic input to the modulators in either quadrature was an addition of two noise signals, one representing the alphabet of the different input states of the client, the other the client's encryption noise. The noise signals were determined to be white within the measurement bandwidth of 1 MHz. The state then passed through a half-wave plate and polarizing beam splitter combination which simulated an attenuation t from the client to the server.
Then the state was further displaced by the server, with another signal representing the alphabet of a simple linear gate. Like the previous modulations the displacement signal was also white within the measurement bandwidth. The state was then attenuated with another polarizing beam splitter and a half-wave plate, with a setting identical to the first. This was done to simulate a state experiencing the same loss on the return trip from the server to the client. Following this final loss simulation, the state was modulated again by the client, to eliminate the encryption noise. This elimination was possible down to less than 0.2 SNU in both quadratures. This was in part made possible due to a custom-made noise generator with extremely well correlated outputs at the relevant frequencies. To obtain the right phase between the noise modulation and the cancelling modulation, a controllable phase delay between the modulations was also introduced, by using a DB64 Coax Delay Box from Stanford Research Systems from the noise generator to the modulator. The state was then interfered with the local oscillator at a 50/50 beam splitter, with the output modes subsequently detected by PIN photo diodes with a quantum efficiency of 90 %. The visibility of the interference was 92 %, due to the distortion of the spatial beam profile by the many modulators. Obtaining this visibility was made easier by introducing a cavity to which both the signal and the local oscillator were matched, to ensure efficient overlap despite the spatial distortions.
Two types of measurements were made. The first type was where the relative phase of the local oscillator with the signal was continuously scanned by a slow function generator at 5 Hz. The outputs of the two photo detectors were subtracted and mixed down to DC using a strong electronic local oscillator at 10.5 MHz. The output of the mixer was amplified and low-pass filtered at 1 MHz before being sent to a data acquisition card (DAC) where the voltages were sampled with a rate of 5 MHz. Digitally a 10 kHz high-pass filter was implemented to dampen a strong 50 Hz modulation originating from the AC line, which was detrimental to the quality of the state reconstruction. The measurements were used to reconstruct the density matrices and Wigner functions of the input and output states using a maximum likelihood algorithm [3] and the Python module QuTiP [4].
The first measurements were used to estimate the fidelity of the decryption operation relative to an unencrypted state going through the gate and the channel, applying the definition of fidelity [5], to the reconstructed density matrices. The different Wigner functions are shown in Supplementary Fig. 7. The second type of measurement had the relative phase locked such that the phase quadrature was measured. Here the subtracted photo detector signals were sent to a spectrum analyzer (SA), which monitored the signal strength using a zero span trace at 10.5 MHz. This was done to easily monitor the variance of the applied Gaussian noise modulations. Though this variance was only monitored in the phase quadrature, the state reconstruction was done on-line to ensure generation of states with approximately symmetric variances. The estimation of the residual noise can be seen in Figure 7c.

Squeezing gate
A shot-noise limited laser at 1064 nm generated a highly coherent beam, which was split into three. One part was designated as a local oscillator (LO), the second as the signal beam, and the third as the decryption beam. A sketch of the setup is shown in Supplementary Fig. 8.
The signal beam was modulated with a single displacement in Q and P , and in addition a noise modulation generated by a noise generator. Another output of each of the noise generators, highly correlated with the first, was connected to the corresponding modulators in the decryption path. The signal beam then encountered a half-wave plate and polarizing beam splitter combination to simulate the channel, and was then forwarded through a Faraday rotator and another half-wave plate to ensure that the light was mostly in the s-polarization before entering the squeezing cavity. The light entered the resonant linear semimonolithic cavity containing the 1 × 2 × 10 mm 3 periodically poled potassium titanyl phosphate crystal pumped with a 532 nm pump beam of 7 mW through the coupling mirror. The outer crystal face was coated to have a high reflectivity of 99.95 % for both wavelengths, while a curved mirror with a radius of curvature of 20 mm, a reflectivity of 90 % for the fundamental wavelength at 1064 nm and a reflectivity of 20 % for the pump wavelength served as a piezo-tunable coupling mirror. The crystal was kept at a phase matching temperature of 36.2 • C , and most of the signal returned from where it entered, towards the Faraday rotator, but having been squeezed by performing round trips in the cavity. Before hitting the Faraday rotator, a beam sampler redirected 2 % of the light for generating an error signal for cavity and pump phase locking. Because the squeezing cavity was birefringent, the small p-polarization component was used to generate an error signal with the Hänsch-Couillaud locking technique [6]. The phase of the pump beam with respect to the signal beam was locked using a phase modulation of the signal beam at 36.7 MHz generated using the phase modulator used for encrypted input state generation.
After entering the Faraday rotator from the other direction, the beam was now reflected, rather than transmitted, on the polarizing beam splitter. It then went through a half-wave plate and polarizing beam splitter combination with the same setting as the initial one, to simulate identical channels to and from the server. It was then interfered with the decryption beam on another beam sampler, to minimize loss to the signal. The two beams were locked to destructive interference by another sideband lock, using the same 36.7 MHz sideband, with a photodiode monitoring the interference fringes in the secondary output port of the beam sampler. The offset on this error signal allowed for optimizing the relative phase between the beams, and this, in addition to the adjustable gain settings for the correlated outputs, made it possible to cancel the encryption modulation very accurately. Following the decryption operation the signal was interfered with the local oscillator for scanned homodyne detection for density matrix reconstruction. Data acquisition was the same as for the displacement gate experiment. To compute the fidelity the definition in Equation (38) was used. To reconstruct the encrypted states, which are highly thermal with a slowly decaying photon distribution, a maximum likelihood algorithm which requires a truncation of the Fock space of the density matrix is not feasible. Instead the Wigner function was obtained directly from the data with the help of the inverse Radon transform and the filtered back-projection algorithm [3]. For states of smaller magnitude where one can justify the truncation of the density matrix, the maximum likelihood algorithm is far superior [3]. A plot of the scanned squeezing, obtained by homodyne detection, is shown in Supplementary Fig. 9.
We here list the factors contributing to optical loss in the system. Firstly, the mode matching of the input beam into the squeezer was 97 %. This was partly because of a very high sensitivity to the focus of the incoming beam, but also because, as mentioned, the Hänsch-Couillaud lock required some deviation from the ideal polarization. This intentional misalignment directly translated into loss of squeezing. Secondly, the reflected squeezed beam encountered a beam sampler, which directly produced 2 % of transmission loss, but was necessary for the locking scheme, as the pump phase error signal was not sufficiently strong in the transmission of the squeezing cavity. Further, the Hänsch-Couillaud lock clearly only works in reflection. The Faraday rotator induced 3 % loss, and the beam sampler for interfering the signal with the decryption beam produced another 2 % of loss. Lastly, the visibility of the homodyne detection was above 98 % and the photodiodes in the homodyne detector both had a quantum efficiency of 99 %.