Data availability

[] \ofoot\pagemark \pdfstringdefDisableCommands

Experimental Quantum Homomorphic Encryption

Jonas Zeuner*, Ioannis Pitsios, Si-Hui Tan, Aditya N. Sharma, Joseph F. Fitzsimons, Roberto Osellame and Philip Walther

Vienna Center for Quantum Science and Technology, Faculty of Physics, University of Vienna, Boltzmanngasse 5, Vienna A-1090, Austria.

Istituto di Fotonica e Nanotecnologie - Consiglio Nazionale delle Ricerche (IFN-CNR), Leonardo da Vinci 32 20133, Milano, Italy

Department of Physics - Politecnico di Milano, Leonardo da Vinci, 32, 20133 Milano, Italy

Singapore University of Technology and Design, 8 Somapah Rd, Singapur 487372

Centre for Quantum Technologies, National University of Singapore, 3 Science Drive 2, Singapore 117543

Erwin Schrödinger International Institute for Mathematics and Physics, Boltzmanngasse 9A, 1090 Wien, Austria

  • Quantum computers promise not only to outperform classical machines for certain important tasks [feynman1982], but also to preserve privacy of computation. For example, the blind quantum computing protocol [bqc_theo, barz2012demonstration] enables secure delegated quantum computation, where a client can protect the privacy of their data and algorithms from a quantum server assigned to run the computation. However, this security comes at the expense of interaction: the client and server must communicate after each step of the computation. Homomorphic encryption, on the other hand, avoids this limitation. In this scenario, the server specifies the computation to be performed, and the client provides only the input data, thus enabling secure non-interactive computation [gentry, vanDijk2010, pointcheval2010public, broadbent2015quantum, dulek2016quantum, mahadev2017classical, lai2017statistically, ouyang2015quantum, newman2017limitations]. Here we demonstrate a homomorphic-encrypted quantum random walk using single-photon states and non-birefringent integrated optics. The client encrypts their input state in the photons’ polarization degree of freedom, while the server performs the computation using the path degree of freedom [rohde2012quantum]. Our random walk computation can be generalized, suggesting a promising route toward more general homomorphic encryption protocols [homo2016quantum].

Secure delegated computing has been a longstanding research goal for both the classical and quantum computation communities. The aim is to provide a client (Alice) access to remote computational resources (Bob), while protecting the privacy of the data or the algorithm. In his seminal 2009 paper, Gentry described the first computationally secure, fully homomorphic encryption scheme for classical computing [gentry]. Here, “computational security” means that the privacy guarantees of the protocol are based on assumptions about an adversary’s computational capabilities; “fully” means that any computation is possible. Blind quantum computation was as well introduced in 2009 [bqc_theo, barz2012demonstration], enabling a client to protect both their data and algorithm while running arbitrary computations on a remote quantum computer. While blind quantum computation has the important advantage of being information-theoretically secure — i.e., it does not rely on assumptions about the adversary’s technological capabilities — its efficiency is limited by the need for interaction: Alice and Bob must exchange classical information after each step of the computation. Quantum homomorphic encryption removes the requirement of interactive computation but necessarily sacrifices either security or computational power to achieve this, in accordance with a no-go theorem [nogotheorem]: fully homomorphic encryption is impossible if perfect privacy and non-exponential resource overhead are required. Therefore, in the protocol implemented here, the requirements for (1) universal computation and (2) perfect privacy are relaxed, based on the following two observations [rohde2012quantum]. (1) Certain classes of computations, such as quantum random walks, while only subsets of universal quantum computation, are nevertheless of great interest [aaronson2011computational, tillmann2013experimental, spagnolo2014experimental, broome2013photonic, carolan2015universal]. (2) In any practical encryption application perfect privacy is not required, as long as the maximum amount of information potentially available to an attacker is sufficiently small.

Figure 1: Homomorphic encryption scheme. Alice prepares her input state by encoding the desired photon-number state in the basis and then encrypting it by applying a randomly chosen polarization transformation on all photons (). Bob performs the quantum computation on the encrypted state and returns the photons to Alice. Alice undoes the previous transformation () and measures the photons in the basis, obtaining the outcome of the quantum computation.

In this experiment, we use single-photon qubit input states and an integrated-optics server to demonstrate a quantum random walk using homomorphic-encrypted data, as proposed in [rohde2012quantum]. Quantum random walks are typically implemented with either or photon in each input mode, distributing photons over spatial modes. The protocol we implement here instead uses the photons’ polarization to encode Alice’s input state for the quantum random walk, taking advantage of the fact that orthogonally polarized photons do not interfere.

Figure 2: Experimental setup. A Ti:Sapphire laser is used to pump two non-linear -barium borate crystals, each probabilistically producing exactly one pair via type-II spontaneous parametric down conversion. These photons are spectrally filtered and sent through polarizers to prepare a pure, separable four-photon state. The four photons are coupled to single-mode fibers and synchronized in the delay stage, using adjustable free-space delays (indicated by the double arrows). Using half-wave plates (HWPs) and quarter-wave plates (QWPs) Alice can prepare arbitrary polarization states before sending the photons to Bob, who will perform the random walk. After exiting Bob’s chip, the four output modes are collimated by a lens and sent back to Alice. She uses the detection stage (HWP, QWP, polarizing beam splitter (PBS), single-photon detector for each photon) to projectively measure the photons and recover the outcome of the random walk.

Thus, to implement an -mode quantum random walk of “walker” photons, rather than inputting one photon into each of modes and leaving the remaining empty, we also input “dummy” photons in the otherwise empty modes, with polarizations orthogonal to the photons representing the walkers. For example, an input state for a traditional quantum random walk (written in the occupation-number basis) would be encoded in this scheme as , where represents horizontal (vertical) polarization. Measuring the output photons in the basis then yields the same result as the traditional occupation-number quantum random walk. The purpose of this approach is to enable polarization encryption of Alice’s input state: without knowing the basis in which Alice’s input is encoded, Bob can guess Alice’s input state with only limited probability of success. To encrypt the input state , Alice randomly chooses a key, a polarization state taken from a set of uniformly distributed points on the Poincaré sphere, where is the number of polarization basis choices available to her. To encrypt her data, Alice rotates the polarizations of her qubits from and to and Alice sends this encrypted state to Bob, who performs the quantum random walk. Bob returns the output photons to Alice, and she measures them in the basis, obtaining the result of the random walk.

Figure 3: Results of the encrypted random walk. We use two different devices to execute multiple encrypted random walk computations (see Figure 5 for the equivalent results on the second device). (a) One walker, (b) two walker, and (c) three walker are launched into different input modes alongside a corresponding number of dummy photons. Here the output probabilities for three different input cases for two mutually unbiased polarization bases are shown, alongside the values expected based on the reconstructed unitary (see Appendix). The fidelities (Bhattacharyya distance [bhattacharyya1943measure]) between the expected and both measured probabilities are (a) , (b) and (c) and demonstrate the polarization independence of the computation. More data and discussion of error analysis is provided in the Appendix.

If Bob tried to decipher Alice’s encrypted state, the amount of information he could extract is bounded by the Holevo quantity [holevo1973bounds]. One straightforward attack Bob could employ is to randomly choose a basis in which to measure all photons: in fact, this attack is close to optimal, almost saturating the Holevo bound. In the limit of large and , the success probability of this attack is [rohde2012quantum]. The protocol also ensures the privacy of Bob’s algorithm. Since Alice only knows the input and output states of the computation, the amount of information that she can extract about Bob’s algorithm is proportional to that of a “black-box” function: the more queries she is allowed to send, the more accurately she can guess the function. It is important to note that both Alice and Bob have an interest in performing a certain computation on a certain input state exactly once, since both of them increasingly compromise the privacy of their respective secrets with increasing number of repetitions of the computation. The no-go theorem [nogotheorem] asserts that this limitation is unavoidable.

In our experimental demonstration, Alice produces four photons using two spontaneous parametric down-conversion (SPDC) sources (see Appendix) and prepares them in a randomly chosen polarization state using a polarizer, half-wave plate (HWP), and quarter-wave plate (QWP) for each photon. Alice can create input states of any polarization with a fidelity of , the main source of error being imperfect polarization compensation of the single-mode fibers leading to the chip. After preparing the encrypted input state, Alice sends the photons to Bob, who performs the random walk.

In order for the scheme to work, Bob’s chip must implement the same unitary for the photons’ path degree of freedom regardless of the input polarizations used — otherwise, the outcome would depend on Alice’s choice of key. Although laser-written waveguides support propagation of all polarizations, they typically have slightly different refractive indices for and polarizations (), making it a challenge to implement nontrivial polarization-independent path unitaries. To achieve this, we used an annealing procedure to fabricate waveguides with birefringences (see Appendix).

After the random walk, Bob returns the photons to Alice, who projects them in her previously chosen polarization basis using QWPs, HWPs, polarizing beam splitters (PBSs), and single-photon detectors. To demonstrate the fidelity of the homomorphic-encrypted random walk we chose a canonical set of two mutually unbiased polarization bases and performed random walks with one, two, and three walkers using two different unitaries, each with inputs and outputs. We used (parallel and orthogonal, respectively, to the chip surface) and ( and ). We characterized the unitary and compared the output probability distributions with theoretical predictions, finding the mean overlap (Bhattacharyya distance [bhattacharyya1943measure]) between the predictions and results from all random walks to be for the first device (Fig. 5) and for the second (see Appendix).

The security guarantees for Alice’s plain-text input state can be quantified in various ways. The trace distance between the different input states that she can produce with four photons is 0.81 for Hamming distances 1 and 3 and 0.85 for Hamming distance 2 [hamming1950error]. As a result, Bob cannot perfectly distinguish any pair of possible plain-texts. Furthermore, the mutual information between her plain-text string and Bob is bounded by the Holevo quantity to be no more than bits (see Appendix). To experimentally verify the security of Alice’s input, we implemented the attack described above: Bob measures all of Alice’s four photons in a randomly chosen basis (here we choose for simplicity). Alice encrypts her plain text input-state (here we use ) by choosing between different linear polarization bases (keys). The probability of Bob guessing Alice’s plain-text input-state can then be determined from the fraction of four-fold coincidence detections Bob measures with polarization (see Fig. 4). For , this probability asymptotically approaches for large . Note that with current technology it is already straightforward, in principle, to achieve arbitrarily large , although this leads to only a minor improvement: Alice could “auto-calibrate” her encrypting and decrypting operations by using a single QWP, HWP set to both prepare and measure all of her photons’ polarizations. Improving Alice’s security requires increasing (for example, for ). Additionally, Alice can reduce the Holevo information by a factor of 2 by selecting keys from the whole Poincaré sphere, rather than constraining herself to linear polarizations.

Figure 4: Privacy of Alice’s plain text input state. In our homomorphic encryption scheme, a random attack is optimal when Alice encrypts with all polarizations, and nearly optimal when she encrypts with only linear polarizations: Bob measures all photons in a randomly chosen basis. Alice’s security depends on the number of polarization bases (keys) she can choose from, and the input modes . In our case and we measure the probability of Bob guessing the correct state for (black dots, error bars lie within the points). The blue dashed line shows the asymptotic behaviour for an infinite key number. All lines are theoretical upper bounds (see Appendix).

We have demonstrated homomorphic-encrypted quantum random walks of up to three walkers in four modes. Our photonic system’s specially engineered features allowed us to encrypt Alice’s plain-text input state in polarization, while performing computations using the path degree of freedom. The security of Alice’s plain-text input is necessarily limited by the number of modes used, i.e. by the number of available photons — however, the continuing advances in photon-source technology will enable similar demonstrations using more modes in the future. Further improvements can be made by encrypting in a different photonic degree of freedom with more than two levels. For example, orbital angular momentum enables, in principle, arbitrarily high-dimensional encoding, and transmission of such states in optical fiber has already been demonstrated [Bozinovic1545]. Using an -level degree of freedom for encoding, instead of polarization, the amount of hidden information can be improved from scaling to [homo2016quantum]. As we have shown here, although perfect security for universal computation (without exponential resource overhead) is forbidden [nogotheorem], relaxing these conditions can enable interesting applications. Determining the ideal mix of security, performance, and generality of the computation remains an active topic of research.

Data availability

The authors declare that the main data supporting the finding of this study are available within the article and its Appendix. Additional data can be provided upon request.


P.W. acknowledges support from the research platform TURIS, the Austrian Science Fund (FWF) through the Doctoral Programme CoQuS (no. W1210-4) and NaMuG (P30067-N36), the United States Air Force Office of Scientific Research via QAT4SECOMP (FA2386-17-1-4011) and Red Bull GmbH.

R.O. acknowledges support from the ERC-Advanced Grant CAPABLE (Composite integrated photonic platform by femtosecond laser micromachining; no. 742745).

P.W. and R.O. acknowledge support from the European Commission via Photonic Integrated Compound Quantum Encoding (PICQUE) (no. 608062) and Quantum Simulation on a Photonic Chip (QUCHIP) (no. 641039) projects.

S.T. and J.F. acknowledge support from Singapore’s National Research Foundation under NRF award NRF-NRFF2013-01 and from the United States Air Force Office of Scientific Research under grant no. FA2386-15-1-4082.

Competing interests

J.F. has financial holdings in Horizon Quantum Computing Pte Ltd.

Author contributions

J.Z, A.S. built the setup and carried out data collection, J.Z., A.S. performed data analysis, I.P. designed and fabricated the chip, S.T. and A.S. contributed to the theoretical calculations, J.F., R.O. and P.W. supervised the project. All authors contributed to writing the paper.





Experimental Setup.

Our experimental setup is shown in Figure 2. We generate all four photons using degenerate, noncollinear type-II spontaneous parametric down-conversion (SPDC). Two separate -thick -barium borate (BBO) crystals are pumped by a Ti:Sapphire laser (Coherent Chameleon Ultra II, , duration, repetition rate, average power) which has been frequency doubled to using second harmonic generation in a -thick lithium triborate (LBO) crystal. The photons emitted by the crystals pass through -thick BBO crystals of the same cut angle as the SPDC crystals to compensate for spatial and temporal walk-off before being spectrally filtered by -bandwidth spectral filters centered at , and spatially filtered by single-mode optical fibers (SMFs) of type Nufern 780-HP. All photons pass through polarizers to create pure polarization states and then through a half-wave-plate (HWP) and quarter-wave-plate (QWP) to enable the creation of arbitrary polarizations states. The QWP and HWP were rotated using highly precise motorized rotation mounts with a precision of . Adjustable free-space delay lines are used to synchronize the photons such that they all arrive at the chip within their coherence time of approximately . The photons are coupled to the chip using a -pitch v-groove array of Nufern 780-HP fibers. The fiber mode-field has a high overlap with the mode-field of the waveguides, which are of equivalent size. On the output facet of the chip the photons are collimated using a lens and sent to the detection stage. Using a QWP, HWP and a polarizing-beam-splitter (PBS) and avalanche photodiodes (APDs) the photons can be detected in any desired polarization basis. The overall transmission (from fiber in-coupling to APDs) was measured to be ()%.

Waveguide Details.

The four-mode optical circuit for our quantum random walk was fabricated by direct laser writing in Corning Eagle-XG borosilicate glass. The laser source we employed was a Yb:KYW cavity-dumped oscillator at wavelength, emitting pulses of duration, and at repetition rate. The laser beam was focused into the bulk of the glass substrate using a 50x, microscope objective, and the inscription of the optical waveguides was performed by translating the glass (with respect to the objective’s focus), with a computer-controlled three-axis Aerotech FiberGlide 3D series stage, at a tangential velocity of . The waveguides were inscribed at a depth of , with of laser power, using a multiple irradiation approach (5-times per waveguide), and then they were annealed. The thermal processing makes the optical circuits polarization insensitive [corrielliAnnealing], and helps reduce the optical losses due to the waveguide bends [arriola2013low]. Overall, we were able to achieve transmissivities of up to for long devices, with bending radii of . We fabricated several different photonic circuits with the geometry shown in Figure 2, and tuned the power splitting of the directional couplers by modifying their interaction length. We reconstructed the unitary transformations implemented by the two devices of choice (see Appendix), using methods demonstrated in [brisbanemethod, szameitchara] and subsequent numerical optimization.

Holevo Information.

To analyze the amount of information Bob can gain from a single copy of Alice’s state we calculate the Holevo quantity

where and and when the th bit of is 0, otherwise [rohde2012quantum]. In our experiment and , yielding

Note that for elliptical polarization encodings the Holevo information is halved but the scaling in remains the same (see Appendix).

Bob’s random attack.

The simplest attack is realized by measuring all photons in the same basis as described in [rohde2012quantum]. The probability of inferring the correct state is then given by


with the number of spatial modes and the number of possible polarization bases .

Measurement errors.

The main drawback of downconversion-sources is that their emission is probabilistic. This is especially problematic for our experiment, where the probability of simultaneously generating exactly one pair in each crystal, as desired, equals the probability of generating exactly two pairs in one of the crystals. In our setup, we circumvented this problem by making the pairs from the two sources distinguishable by polarization. For input states in which one photon has polarization orthogonal to that of the other three, the input polarization could be set to either or for source 1, as needed, and for source 2: then Alice’s final polarization measurement would distinguish the events of interest from those in which one crystal created all four photons. We can also deal with input states with two photons and two photons by having sources 1 and 2 produce and , respectively, and rewiring the input channels to the chip as needed. Double-pair emission for input states and cannot be dealt with this way, but these states are not of interest for a quantum random walk.

Having suppressed errors from double-pair emission, we must now consider triple-pair emission. The noise contributed by these events is on the order of the sources’ per-pulse emission probability, which is .

To quantify the spectral distinguishability of our photons, we measured Hong-Ou-Mandel interference visibility for all four combinations of signal and idler from source 1 with signal and idler from source 2. After subtracting statistically expected higher-order noise, we measured the visibilities to be


and without subtracting higher order noise. For more discussion of experimental errors in quantum random walks, see [tillmann2015generalized]. We assumed Poissonian error for all single-photon detection rates, so that for detections, we assume an error of .

The error in the reconstructed unitary propagates from errors in our intensity measurements, which are in turn used to infer amplitudes and phases. Here we are able to limit the error on the inferred transmission amplitudes and phases to and , respectively. The discrepancy in error-bar size for the various output possibilities stems from the nature of the unitary: phase errors can lead to large changes in some output probabilities, while having hardly any effect in others.

Unitary of the devices

Here we present the two unitaries used for the random walk experiments.

Figure 5: Random Walk Results for device 2. a) One photon is polarized and launched into one of the four input modes of the chip while three polarized photons are send to the other inputs to mask the true input state. The graphs show the probability of finding the polarized photon in the different output modes. b) Two polarized photons are launched into the modes 1/2 alongside polarized photons in the other modes. The probabilities to find the two photons in different output modes are shown. c) Three photons are launched into the modes 2,3,4 alongside a photon in the remaining mode. The fidelities (Bhattacharyya distance) between the expected and measured probabilities are (a) , (b) and (c) .

Holevo information for encryption using random rotations over the Poincare sphere

Any operation on the Poincare sphere is a SU(2) transformation for which an arbitrary element can be expressed as


where , , and


Then explicitly in the basis ,


The Haar measure on SU(2) is


So, to sample uniformly from SU(2) on the Poincare sphere, we have to pick , and and compute (see Section 2.3 in essay “How to generate a random unitary matrix" by Maris Ozols).


Alice selects secret keys , and at random uniformly, where . She performs a mode-by-mode random polarization on her input state from the Poincare defined by the (Euler) angles of the transformation:


If Alice’s -mode input state is , then she implements . As in Rohde et al., each mode of Alice input state is either for logical 0, or for logical 1. Let us denote Alice’s encoded bit-string by . After encryption, Alice sends her encrypted state to Bob for processing. Since Bob does not know Alice’s secret keys, he sees a superposition of all the states corresponding to the different possible secret keys,


where when the th bit of is 0, and when the th bit of is 1.

Let . Then, the Holevo quantity is given by


where is the von Neumann entropy of density matrix . As in Rohde et al., the first term is equal to because forms a complete set of basis. Owing to the invariance of the von Neumann entropy under unitary transformation, we have


Hence, it suffices to find the eigenvalues of . First, we observe that


where is a global phase factor. Let denote a state that is the symmetric sum of all states with qubits in the state. So simplifies to


The sum over is


As such, eq. (14) simplifies to


In the limit of large , we can approximate the sum over as an integral, i.e.


Using an identity


we have


Putting all this together, we have


When , is completely mixed over the symmetrized basis states and its entropy, which represents the number of bits hidden from Bob, is . For linear polarization the entropy of the encrypted all-zero bit string is . Hence, the randomization over the whole Poincare sphere decreases the Holevo information by a constant factor, but the scaling in remains .

Comments 0
Request Comment
You are adding the first comment!
How to quickly get a good reply:
  • Give credit where it’s due by listing out the positive aspects of a paper before getting into which changes should be made.
  • Be specific in your critique, and provide supporting evidence with appropriate references to substantiate general statements.
  • Your comment should inspire ideas to flow and help the author improves the paper.

The better we are at sharing our knowledge with each other, the faster we move forward.
The feedback must be of minimum 40 characters and the title a minimum of 5 characters
Add comment
Loading ...
This is a comment super asjknd jkasnjk adsnkj
The feedback must be of minumum 40 characters
The feedback must be of minumum 40 characters

You are asking your first question!
How to quickly get a good answer:
  • Keep your question short and to the point
  • Check for grammar or spelling errors.
  • Phrase it like a question
Test description