Experimental Quantum Homomorphic Encryption

Quantum computers promise not only to outperform classical machines for certain important tasks, but also to preserve privacy of computation. For example, the blind quantum computing protocol enables secure delegated quantum computation, where a client can protect the privacy of their data and algorithms from a quantum server assigned to run the computation. However, this security comes at the expense of interaction: the client and server must communicate after each step of the computation. Homomorphic encryption, on the other hand, avoids this limitation. In this scenario, the server specifies the computation to be performed, and the client provides only the input data, thus enabling secure non-interactive computation. Here we demonstrate a homomorphic-encrypted quantum random walk using single-photon states and non-birefringent integrated optics. The client encrypts their input state in the photons' polarization degree of freedom, while the server performs the computation using the path degree of freedom. Our random walk computation can be generalized, suggesting a promising route toward more general homomorphic encryption protocols.

Secure delegated computing has been a longstanding research goal for both the classical and quantum computation communities.The aim is to provide a client (Alice) access to remote computational resources (Bob), while protecting the privacy of the data or the algorithm.In his seminal 2009 paper, Gentry described the first computationally secure, fully homomorphic encryption scheme for classical computing [4].Here, "computational security" means that the privacy guarantees of the protocol are based on assumptions about an adversary's computational capabilities; "fully" means that any computation is possible.Blind quantum computation was as well introduced in 2009 [2,3], enabling a client to protect both their data and algorithm while running arbitrary computations on a remote quantum computer.While blind quantum computation has the important advantage of being information-theoretically secure -i.e., it does not rely on assumptions about the adversary's technological capabilities -its efficiency is limited by the need for interaction: Alice and Bob must exchange classical information after each step of the computation.Quantum homomorphic encryption removes the requirement of interactive computation but necessarily sacrifices either security or computational power to achieve this, in accordance with a no-go theorem [15]: fully homomorphic encryption is impossible if perfect privacy and non-exponential resource overhead are required.Therefore, in the protocol implemented here, the requirements for (1) universal computation and (2) perfect privacy are relaxed, based on the following two observations [13].(1) Certain classes of computations, such as quantum random walks, while only subsets of universal quantum computation, are nevertheless of great interest [16][17][18][19][20]. (2) In any practical encryption application perfect privacy is not required, as long as the maximum amount of information potentially available to an attacker is sufficiently small.In this experiment, we use single-photon qubit input states and an integrated-optics server to demonstrate a quantum random walk using homomorphic-encrypted data, as proposed in [13].Quantum random walks are typically implemented with either 0 or 1 photon in each input mode, distributing n photons over m spatial modes.The protocol we implement here instead uses the photons' polarization to encode Alice's input state for the quantum random walk, taking advantage of the fact that orthogonally polarized photons do not interfere.Thus, to implement an m-mode quantum random walk of n "walker" photons, rather than inputting one photon into each of n modes and leaving the remaining m−n empty, we also input m−n "dummy" photons in the otherwise empty modes, with polarizations orthogonal to the n photons representing the walkers.For example, an input state |Ψ in = |1, 0, 0, 0 for a traditional quantum random walk (written in the occupation-number basis) would be encoded in this scheme as |Ψ in,encoded = |H, V, V, V , where |H (|V ) represents horizontal (vertical) polarization.Measuring the output photons in the {H, V } basis then yields the same result as the traditional occupation-number quantum random walk.The purpose of this approach is to enable polarization encryption of Alice's input state: without knowing the basis in which Alice's input is encoded, Bob can guess Alice's input state with only limited probability of success.To encrypt the input state Ψ in , Alice randomly chooses a key, a polarization state |X taken from a set of d uniformly distributed points on the Poincaré sphere, where d is the number of polarization basis choices available to her.To encrypt her data, Alice rotates the polarizations of her qubits from |H and |V to |X and |X ⊥ .Alice sends this encrypted state to Bob, who performs the quantum random walk.Bob returns the output photons to Alice, and she measures them in the {X, X ⊥ } basis, obtaining the result of the random walk.If Bob tried to decipher Alice's encrypted state, the amount of information he could extract is bounded by the Holevo quantity [22].One straightforward attack Bob could employ is to randomly choose a basis in which to measure all m photons: in fact, this attack is close to optimal, almost saturating the Holevo bound.In the limit of large d and m, the success probability of this attack is p B = 1/ √ πm [13].The protocol also ensures the privacy of Bob's algorithm.Since Alice only knows the input and output states of the computation, the amount of information that she can extract about Bob's algorithm is proportional to that of a "black-box" function: the more queries she is allowed to send, the more accurately she can guess the function.It is important to note that These photons are spectrally filtered and sent through polarizers to prepare a pure, separable four-photon state.The four photons are coupled to single-mode fibers and synchronized in the delay stage, using adjustable free-space delays (indicated by the double arrows).Using half-wave plates (HWPs) and quarterwave plates (QWPs) Alice can prepare arbitrary polarization states before sending the photons to Bob, who will perform the random walk.After exiting Bob's chip, the four output modes are collimated by a lens and sent back to Alice.She uses the detection stage (HWP, QWP, polarizing beam splitter (PBS), single-photon detector for each photon) to projectively measure the photons and recover the outcome of the random walk.
both Alice and Bob have an interest in performing a certain computation on a certain input state exactly once, since both of them increasingly compromise the privacy of their respective secrets with increasing number of repetitions of the computation.The no-go theorem [15] asserts that this limitation is unavoidable.
In our experimental demonstration, Alice produces four photons using two spontaneous parametric down-conversion (SPDC) sources (see Appendix) and prepares them in a randomly chosen polarization state using a polarizer, half-wave plate (HWP), and quarter-wave plate (QWP) for each photon.Alice can create input states of any polarization with a fidelity of (99.5 ± 0.1)%, the main source of error being imperfect polarization compensation of the single-mode fibers leading to the chip.After preparing the encrypted input state, Alice sends the photons to Bob, who performs the random walk.
In order for the scheme to work, Bob's chip must implement the same unitary for the photons' path degree of freedom regardless of the input polarizations used -otherwise, the outcome would depend on Alice's choice of key.Although laser-written waveguides support propagation of all polarizations, they typically have slightly different refractive indices for H and V polarizations (∆n ≈ 10 −5 ), making it a challenge to implement nontrivial polarization-independent path unitaries.To achieve this, we used an annealing procedure to fabricate waveguides with birefringences ∆n < 10 −6 (see Appendix).
After the random walk, Bob returns the photons to Alice, who projects them in her previously chosen polarization basis using QWPs, HWPs, polarizing beam splitters (PBSs), and single-photon detectors.To demonstrate the fidelity of the homomorphic-encrypted random walk we chose a canonical set of two mutually unbiased polarization bases and performed random walks with one, two, and three walkers using two different unitaries, each with m = 4 inputs and outputs.We used {H, V } (parallel and orthogonal, respectively, to the chip surface) and {D, A} . We characterized the unitary and compared the output probability distributions with theoretical predictions, finding the mean overlap (Bhattacharyya distance [21]) between the predictions and results from all random walks to be (0.995 ± 0.014)% for the first device (Fig. 5) and (0.986 ± 0.012)% for the second (see Appendix).
The security guarantees for Alice's plain-text input state can be quantified in various ways.The trace distance between the different input states that she can produce with four photons is 0.81 for Hamming distances 1 and 3 and 0.85 for Hamming distance 2 [23].As a result, Bob cannot perfectly distinguish any pair of possible plain-texts.Furthermore, the mutual information between her plain-text string and Bob is bounded by the Holevo quantity to be no more than 1.96 bits (see Appendix).To experimentally verify the security of Alice's input, we implemented the attack described above: Bob measures all of Alice's four photons in a randomly chosen basis (here we choose |H for simplicity).Alice encrypts her plain text input-state (here we use |1, 1, 1, 1 ≡ |H, H, H, H ) by choosing between d = 2, 3, 4, 6, 12 different linear polarization bases (keys).The probability of Bob guessing Alice's plain-text input-state can then be determined from the fraction of four-fold coincidence detections Bob measures with polarization |H, H, H, H (see Fig. 4).For m = 4, this probability asymptotically approaches p = 0.27 for large d.Note that with current technology it is already straightforward, in principle, to achieve arbitrarily large d, although this leads to only a minor improvement: Alice could "auto-calibrate" her encrypting and decrypting operations by using a single QWP, HWP set to both prepare and measure all of her photons' polarizations.Improving Alice's security requires increasing m (for example, p B = 0.01 for m = 3500).Additionally, Alice can reduce the Holevo information by a factor of 2 by selecting keys from the whole Poincaré sphere, rather than constraining herself to linear polarizations.We have demonstrated homomorphic-encrypted quantum random walks of up to three walkers in four modes.Our photonic system's specially engineered features allowed us to encrypt Alice's plain-text input state in polarization, while performing computations using the path degree of freedom.The security of Alice's plain-text input is necessarily limited by the number of modes used, i.e. by the number of available photons -however, the continuing advances in photon-source technology will enable similar demonstrations using more modes in the future.Further improvements can be made by encrypting in a different photonic degree of freedom with more than two levels.For example, orbital angular momentum enables, in principle, arbitrarily high-dimensional encoding, and transmission of such states in optical fiber has already been demonstrated [24].Using an a-level degree of freedom for encoding, instead of polarization, the amount of hidden information can be improved from log 2 (m) scaling to m log 2 (a/m) + m(log( 2)) −1 [14].As we have shown here, although perfect security for universal computation (without exponential resource overhead) is forbidden [15], relaxing these conditions can enable interesting applications.Determining the ideal mix of security, performance, and generality of the computation remains an active topic of research.
idler from source 2. After subtracting statistically expected higher-order noise, we measured the visibilities to be and V = 0.77 ± 0.05 without subtracting higher order noise.For more discussion of experimental errors in quantum random walks, see [29].We assumed Poissonian error for all single-photon detection rates, so that for N detections, we assume an error of = √ N .The error in the reconstructed unitary propagates from errors in our intensity measurements, which are in turn used to infer amplitudes and phases.Here we are able to limit the error on the inferred transmission amplitudes and phases to 1% and 50 mrad, respectively.The discrepancy in error-bar size for the various output possibilities stems from the nature of the unitary: phase errors can lead to large changes in some output probabilities, while having hardly any effect in others.

Unitary of the devices
Here we present the two unitaries used for the random walk experiments.

Holevo information for encryption using random rotations over the Poincare sphere
Any operation on the Poincare sphere is a SU(2) transformation for which an arbitrary element can be expressed as where R z (α) = e −iασz , R y (β) = e −iβσy , and Then explicitly in the basis {|H , |V },  Since Bob does not know Alice's secret keys, he sees a superposition of all the states corresponding to the different possible secret keys, where |P x,j = |H when the jth bit of x is 0, and |P x,j = |V when the jth bit of x is 1.
Then, the Holevo quantity is given by Hence, it suffices to find the eigenvalues of ρ 0 .First, we observe that where e − i 2 α is a global phase factor.Let |a V m denote a state that is the symmetric sum of all states with a qubits in the |V state.So ρ 0 simplifies to As such, eq. ( 14) simplifies to In the limit of large d 2 , we can approximate the sum over k 2 as an integral, i.e.

Figure 1 :
Figure 1: Homomorphic encryption scheme.Alice prepares her input state by encoding the desired photon-number state in the {H, V } basis and then encrypting it by applying a randomly chosen polarization transformation on all photons (R).Bob performs the quantum computation on the encrypted state and returns the photons to Alice.Alice undoes the previous transformation (R −1 ) and measures the photons in the {H, V } basis, obtaining the outcome of the quantum computation.

Figure 2 :
Figure 2: Experimental setup.A Ti:Sapphire laser is used to pump two non-linear β-barium borate crystals, each probabilistically producing exactly one pair via type-II spontaneous parametric down conversion.These photons are spectrally filtered and sent through polarizers to prepare a pure, separable four-photon state.The four photons are coupled to single-mode fibers and synchronized in the delay stage, using adjustable free-space delays (indicated by the double arrows).Using half-wave plates (HWPs) and quarterwave plates (QWPs) Alice can prepare arbitrary polarization states before sending the photons to Bob, who will perform the random walk.After exiting Bob's chip, the four output modes are collimated by a lens and sent back to Alice.She uses the detection stage (HWP, QWP, polarizing beam splitter (PBS), single-photon detector for each photon) to projectively measure the photons and recover the outcome of the random walk.

Figure 3 :
Figure 3: Results of the encrypted random walk.We use two different devices to execute multiple encrypted random walk computations (see Figure 5 for the equivalent results on the second device).(a) One walker, (b) two walker, and (c) three walker are launched into different input modes alongside a corresponding number of dummy photons.Here the output probabilities for three different input cases for two mutually unbiased polarization bases are shown, alongside the values expected based on the reconstructed unitary (see Appendix).The fidelities (Bhattacharyya distance [21]) between the expected and both measured probabilities are (a) 0.99 ± 0.02, (b) 0.99 ± 0.02 and (c) 0.99 ± 0.03 and demonstrate the polarization independence of the computation.More data and discussion of error analysis is provided in the Appendix.

Figure 4 :
Figure4: Privacy of Alice's plain text input state.In our homomorphic encryption scheme, a random attack is optimal when Alice encrypts with all polarizations, and nearly optimal when she encrypts with only linear polarizations: Bob measures all photons in a randomly chosen basis.Alice's security depends on the number of polarization bases (keys) d she can choose from, and the input modes m.In our case m = 4 and we measure the probability of Bob guessing the correct state for d = 2, 3, 4, 6, 12 (black dots, error bars lie within the points).The blue dashed line shows the asymptotic behaviour for an infinite key number.All lines are theoretical upper bounds (see Appendix).

Figure 5 :
Figure 5: Random Walk Results for device 2. a) One photon is H(A) polarized and launched into one of the four input modes of the chip while three V (D) polarized photons are send to the other inputs to mask the true input state.The graphs show the probability of finding the H(A) polarized photon in the different output modes.b) Two H(A) polarized photons are launched into the modes 1/2 alongside V (D) polarized photons in the other modes.The probabilities to find the two photons in different output modes are shown.c) Three H(A) photons are launched into the modes 2,3,4 alongside a V (D) photon in the remaining mode.The fidelities (Bhattacharyya distance) between the expected and measured probabilities are (a) 0.99 ± 0.02, (b) 0.99 ± 0.02 and (c) 0.96 ± 0.026.
where S(σ) is the von Neumann entropy of density matrix σ.As in Rohde et al., the first term is equal to m because m j=1 |P x,j , x ∈ Z m s forms a complete set of basis.Owing to the invariance of the von Neumann entropy under unitary transformation, we have S(ρ x ) = S(ρ 0 ) .

)
If Alice's m-mode input state is |ψ , then she implements R (α, β, γ) ⊗m |ψ .As in Rohde et al., each mode of Alice input state is either |H for logical 0, or |V for logical 1.Let us denote Alice's encoded bit-string by x.After encryption, Alice sends her encrypted state to Bob for processing.