Experimental Quantum Homomorphic Encryption
Jonas Zeuner*, Ioannis Pitsios, SiHui Tan, Aditya N. Sharma, Joseph F. Fitzsimons, Roberto Osellame and Philip Walther
Vienna Center for Quantum Science and Technology, Faculty of Physics, University of Vienna, Boltzmanngasse 5, Vienna A1090, Austria.
Istituto di Fotonica e Nanotecnologie - Consiglio Nazionale delle Ricerche (IFN-CNR), p.za Leonardo da Vinci 32, 20133 Milano, Italy
Department of Physics - Politecnico di Milano, p.za Leonardo da Vinci, 32, 20133 Milano, Italy
Singapore University of Technology and Design, 8 Somapah Rd, Singapore 487372
Centre for Quantum Technologies, National University of Singapore, 3 Science Drive 2, Singapore 117543
Erwin Schrödinger International Institute for Mathematics and Physics, Boltzmanngasse 9A, 1090 Wien, Austria

Quantum computers promise not only to outperform classical machines for certain important tasks [feynman1982], but also to preserve privacy of computation. For example, the blind quantum computing protocol [bqc_theo, barz2012demonstration] enables secure delegated quantum computation, where a client can protect the privacy of their data and algorithms from a quantum server assigned to run the computation. However, this security comes at the expense of interaction: the client and server must communicate after each step of the computation. Homomorphic encryption, on the other hand, avoids this limitation. In this scenario, the server specifies the computation to be performed, and the client provides only the input data, thus enabling secure non-interactive computation [gentry, vanDijk2010, pointcheval2010public, broadbent2015quantum, dulek2016quantum, mahadev2017classical, lai2017statistically, ouyang2015quantum, newman2017limitations]. Here we demonstrate a homomorphic-encrypted quantum random walk using single-photon states and non-birefringent integrated optics. The client encrypts their input state in the photons’ polarization degree of freedom, while the server performs the computation using the path degree of freedom [rohde2012quantum]. Our random walk computation can be generalized, suggesting a promising route toward more general homomorphic encryption protocols [homo2016quantum].
Secure delegated computing has been a longstanding research goal for both the classical and quantum computation communities. The aim is to provide a client (Alice) access to remote computational resources (Bob), while protecting the privacy of the data or the algorithm. In his seminal 2009 paper, Gentry described the first computationally secure, fully homomorphic encryption scheme for classical computing [gentry]. Here, “computational security” means that the privacy guarantees of the protocol are based on assumptions about an adversary’s computational capabilities; “fully” means that any computation is possible. Blind quantum computation was also introduced in 2009 [bqc_theo, barz2012demonstration], enabling a client to protect both their data and algorithm while running arbitrary computations on a remote quantum computer. While blind quantum computation has the important advantage of being information-theoretically secure — i.e., it does not rely on assumptions about the adversary’s technological capabilities — its efficiency is limited by the need for interaction: Alice and Bob must exchange classical information after each step of the computation. Quantum homomorphic encryption removes the requirement of interactive computation but necessarily sacrifices either security or computational power to achieve this, in accordance with a no-go theorem [nogotheorem]: fully homomorphic encryption is impossible if perfect privacy and non-exponential resource overhead are required. Therefore, in the protocol implemented here, the requirements for (1) universal computation and (2) perfect privacy are relaxed, based on the following two observations [rohde2012quantum]. (1) Certain classes of computations, such as quantum random walks, while only subsets of universal quantum computation, are nevertheless of great interest [aaronson2011computational, tillmann2013experimental, spagnolo2014experimental, broome2013photonic, carolan2015universal].
(2) In any practical encryption application perfect privacy is not required, as long as the maximum amount of information potentially available to an attacker is sufficiently small.
In this experiment, we use single-photon qubit input states and an integrated-optics server to demonstrate a quantum random walk using homomorphic-encrypted data, as proposed in [rohde2012quantum]. Quantum random walks are typically implemented with either or photon in each input mode, distributing photons over spatial modes. The protocol we implement here instead uses the photons’ polarization to encode Alice’s input state for the quantum random walk, taking advantage of the fact that orthogonally polarized photons do not interfere.
Thus, to implement an mode quantum random walk of “walker” photons, rather than inputting one photon into each of modes and leaving the remaining empty, we also input “dummy” photons in the otherwise empty modes, with polarizations orthogonal to the photons representing the walkers. For example, an input state for a traditional quantum random walk (written in the occupation-number basis) would be encoded in this scheme as , where represents horizontal (vertical) polarization. Measuring the output photons in the basis then yields the same result as the traditional occupation-number quantum random walk. The purpose of this approach is to enable polarization encryption of Alice’s input state: without knowing the basis in which Alice’s input is encoded, Bob can guess Alice’s input state with only limited probability of success. To encrypt the input state , Alice randomly chooses a key, a polarization state taken from a set of uniformly distributed points on the Poincaré sphere, where is the number of polarization basis choices available to her. To encrypt her data, Alice rotates the polarizations of her qubits from and to and Alice sends this encrypted state to Bob, who performs the quantum random walk. Bob returns the output photons to Alice, and she measures them in the basis, obtaining the result of the random walk.
If Bob tried to decipher Alice’s encrypted state, the amount of information he could extract is bounded by the Holevo quantity [holevo1973bounds]. One straightforward attack Bob could employ is to randomly choose a basis in which to measure all photons: in fact, this attack is close to optimal, almost saturating the Holevo bound. In the limit of large and , the success probability of this attack is [rohde2012quantum]. The protocol also ensures the privacy of Bob’s algorithm. Since Alice only knows the input and output states of the computation, the amount of information that she can extract about Bob’s algorithm is proportional to that of a “black-box” function: the more queries she is allowed to send, the more accurately she can guess the function. It is important to note that both Alice and Bob have an interest in performing a certain computation on a certain input state exactly once, since both of them increasingly compromise the privacy of their respective secrets with increasing number of repetitions of the computation. The no-go theorem [nogotheorem] asserts that this limitation is unavoidable.
In our experimental demonstration, Alice produces four photons using two spontaneous parametric down-conversion (SPDC) sources (see Appendix) and prepares them in a randomly chosen polarization state using a polarizer, half-wave plate (HWP), and quarter-wave plate (QWP) for each photon. Alice can create input states of any polarization with a fidelity of , the main source of error being imperfect polarization compensation of the single-mode fibers leading to the chip. After preparing the encrypted input state, Alice sends the photons to Bob, who performs the random walk.
In order for the scheme to work, Bob’s chip must implement the same unitary for the photons’ path degree of freedom regardless of the input polarizations used — otherwise, the outcome would depend on Alice’s choice of key. Although laser-written waveguides support propagation of all polarizations, they typically have slightly different refractive indices for and polarizations (), making it a challenge to implement nontrivial polarization-independent path unitaries. To achieve this, we used an annealing procedure to fabricate waveguides with birefringences (see Appendix).
After the random walk, Bob returns the photons to Alice, who projects them in her previously chosen polarization basis using QWPs, HWPs, polarizing beam splitters (PBSs), and single-photon detectors. To demonstrate the fidelity of the homomorphic-encrypted random walk we chose a canonical set of two mutually unbiased polarization bases and performed random walks with one, two, and three walkers using two different unitaries, each with inputs and outputs. We used (parallel and orthogonal, respectively, to the chip surface) and ( and ). We characterized the unitary and compared the output probability distributions with theoretical predictions, finding the mean overlap (Bhattacharyya distance [bhattacharyya1943measure]) between the predictions and results from all random walks to be for the first device (Fig. 5) and for the second (see Appendix).
The security guarantees for Alice’s plaintext input state can be quantified in various ways. The trace distance between the different input states that she can produce with four photons is 0.81 for Hamming distances 1 and 3 and 0.85 for Hamming distance 2 [hamming1950error]. As a result, Bob cannot perfectly distinguish any pair of possible plaintexts. Furthermore, the mutual information between her plaintext string and Bob is bounded by the Holevo quantity to be no more than bits (see Appendix). To experimentally verify the security of Alice’s input, we implemented the attack described above: Bob measures all of Alice’s four photons in a randomly chosen basis (here we choose for simplicity). Alice encrypts her plaintext input state (here we use ) by choosing between different linear polarization bases (keys). The probability of Bob guessing Alice’s plaintext input state can then be determined from the fraction of fourfold coincidence detections Bob measures with polarization (see Fig. 4). For , this probability asymptotically approaches for large . Note that with current technology it is already straightforward, in principle, to achieve arbitrarily large , although this leads to only a minor improvement: Alice could “autocalibrate” her encrypting and decrypting operations by using a single QWP, HWP set to both prepare and measure all of her photons’ polarizations. Improving Alice’s security requires increasing (for example, for ). Additionally, Alice can reduce the Holevo information by a factor of 2 by selecting keys from the whole Poincaré sphere, rather than constraining herself to linear polarizations.
We have demonstrated homomorphic-encrypted quantum random walks of up to three walkers in four modes. Our photonic system’s specially engineered features allowed us to encrypt Alice’s plaintext input state in polarization, while performing computations using the path degree of freedom. The security of Alice’s plaintext input is necessarily limited by the number of modes used, i.e. by the number of available photons — however, the continuing advances in photon-source technology will enable similar demonstrations using more modes in the future. Further improvements can be made by encrypting in a different photonic degree of freedom with more than two levels. For example, orbital angular momentum enables, in principle, arbitrarily high-dimensional encoding, and transmission of such states in optical fiber has already been demonstrated [Bozinovic1545]. Using an level degree of freedom for encoding, instead of polarization, the amount of hidden information can be improved from scaling to [homo2016quantum]. As we have shown here, although perfect security for universal computation (without exponential resource overhead) is forbidden [nogotheorem], relaxing these conditions can enable interesting applications. Determining the ideal mix of security, performance, and generality of the computation remains an active topic of research.
Data availability
The authors declare that the main data supporting the finding of this study are available within the article and its Appendix. Additional data can be provided upon request.
Acknowledgements
P.W. acknowledges support from the research platform TURIS, the Austrian Science Fund (FWF) through the Doctoral Programme CoQuS (no. W12104) and NaMuG (P30067N36), the United States Air Force Office of Scientific Research via QAT4SECOMP (FA23861714011) and Red Bull GmbH.
R.O. acknowledges support from the ERC-Advanced Grant CAPABLE (Composite integrated photonic platform by femtosecond laser micromachining; no. 742745).
P.W. and R.O. acknowledge support from the European Commission via Photonic Integrated Compound Quantum Encoding (PICQUE) (no. 608062) and Quantum Simulation on a Photonic Chip (QUCHIP) (no. 641039) projects.
S.T. and J.F. acknowledge support from Singapore’s National Research Foundation under NRF award NRFNRFF201301 and from the United States Air Force Office of Scientific Research under grant no. FA23861514082.
Competing interests
J.F. has financial holdings in Horizon Quantum Computing Pte Ltd.
Author contributions
J.Z. and A.S. built the setup, carried out data collection, and performed data analysis; I.P. designed and fabricated the chip; S.T. and A.S. contributed to the theoretical calculations; J.F., R.O. and P.W. supervised the project. All authors contributed to writing the paper.
Appendix
Experimental Setup.
Our experimental setup is shown in Figure 2. We generate all four photons using degenerate, noncollinear type-II spontaneous parametric down-conversion (SPDC). Two separate thick barium borate (BBO) crystals are pumped by a Ti:Sapphire laser (Coherent Chameleon Ultra II, , duration, repetition rate, average power) which has been frequency doubled to using second harmonic generation in a thick lithium triborate (LBO) crystal. The photons emitted by the crystals pass through thick BBO crystals of the same cut angle as the SPDC crystals to compensate for spatial and temporal walk-off before being spectrally filtered by bandwidth spectral filters centered at , and spatially filtered by single-mode optical fibers (SMFs) of type Nufern 780HP. All photons pass through polarizers to create pure polarization states and then through a half-wave plate (HWP) and quarter-wave plate (QWP) to enable the creation of arbitrary polarization states. The QWP and HWP were rotated using highly precise motorized rotation mounts with a precision of . Adjustable free-space delay lines are used to synchronize the photons such that they all arrive at the chip within their coherence time of approximately . The photons are coupled to the chip using a pitch v-groove array of Nufern 780HP fibers. The fiber mode field has a high overlap with the mode field of the waveguides, which are of equivalent size. On the output facet of the chip the photons are collimated using a lens and sent to the detection stage. Using a QWP, HWP and a polarizing beam splitter (PBS) and avalanche photodiodes (APDs) the photons can be detected in any desired polarization basis. The overall transmission (from fiber incoupling to APDs) was measured to be ()%.
Waveguide Details.
The four-mode optical circuit for our quantum random walk was fabricated by direct laser writing in Corning EagleXG borosilicate glass. The laser source we employed was a Yb:KYW cavity-dumped oscillator at wavelength, emitting pulses of duration, and at repetition rate. The laser beam was focused into the bulk of the glass substrate using a 50x, microscope objective, and the inscription of the optical waveguides was performed by translating the glass (with respect to the objective’s focus), with a computer-controlled three-axis Aerotech FiberGlide 3D series stage, at a tangential velocity of . The waveguides were inscribed at a depth of , with of laser power, using a multiple irradiation approach (5 times per waveguide), and then they were annealed. The thermal processing makes the optical circuits polarization insensitive [corrielliAnnealing], and helps reduce the optical losses due to the waveguide bends [arriola2013low]. Overall, we were able to achieve transmissivities of up to for long devices, with bending radii of . We fabricated several different photonic circuits with the geometry shown in Figure 2, and tuned the power splitting of the directional couplers by modifying their interaction length. We reconstructed the unitary transformations implemented by the two devices of choice (see Appendix), using methods demonstrated in [brisbanemethod, szameitchara] and subsequent numerical optimization.
Holevo Information.
To analyze the amount of information Bob can gain from a single copy of Alice’s state we calculate the Holevo quantity
where and and when the th bit of is 0, otherwise [rohde2012quantum]. In our experiment and , yielding
Note that for elliptical polarization encodings the Holevo information is halved but the scaling in remains the same (see Appendix).
Bob’s random attack.
The simplest attack is realized by measuring all photons in the same basis as described in [rohde2012quantum]. The probability of inferring the correct state is then given by
(1) 
with the number of spatial modes and the number of possible polarization bases .
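The single-basis attack described above can be evaluated numerically. The following Python sketch is an added example, not code from the paper; it assumes that Alice's d keys are linear polarizations at equally spaced angles k·π/d, that Bob measures every photon in the horizontal/vertical basis, and that each photon is read correctly with probability cos²θ (Malus's law). All function names are illustrative.

```python
"""Added illustration: success probability of Bob's single-basis attack.

Assumptions (not from the paper): keys are d linear polarizations with
angles theta_k = k*pi/d; Bob measures every photon in the H/V basis.
"""
import math
import random


def key_angles(d):
    """Constructed key set: d linear polarization angles spread over [0, pi)."""
    return [k * math.pi / d for k in range(d)]


def attack_success(m, angles):
    """Exact probability that an H/V measurement returns all m plaintext bits.

    A photon rotated by theta is read correctly with probability
    cos^2(theta), independently for each of the m modes, so one key
    contributes cos^(2m)(theta); the keys are equally likely.
    """
    return sum(math.cos(t) ** (2 * m) for t in angles) / len(angles)


def continuous_limit(m):
    """Average of cos^(2m) over a uniformly random angle: C(2m, m) / 4^m.

    By Stirling's formula this behaves like 1/sqrt(pi*m) for large m.
    """
    return math.comb(2 * m, m) / 4 ** m


def simulate_attack(m, angles, trials, seed=1):
    """Monte Carlo version: draw a key, then one H/V outcome per photon."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        p_correct = math.cos(rng.choice(angles)) ** 2
        if all(rng.random() < p_correct for _ in range(m)):
            hits += 1
    return hits / trials


if __name__ == "__main__":
    for m in (4, 8, 16):
        row = [f"{attack_success(m, key_angles(d)):.4f}" for d in (1, 2, 4, 8, 64)]
        print(f"m={m:2d}  d=1,2,4,8,64 -> {row}  limit={continuous_limit(m):.4f}")
    print("simulated m=4, d=8:", simulate_attack(4, key_angles(8), 100_000))
```

Under these assumptions the four-mode result falls from 1 at d = 1 to about 0.27 by d = 8 and stays there for larger key sets, whereas doubling the number of modes does lower it.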
Measurement errors.
The main drawback of down-conversion sources is that their emission is probabilistic. This is especially problematic for our experiment, where the probability of simultaneously generating exactly one pair in each crystal, as desired, equals the probability of generating exactly two pairs in one of the crystals. In our setup, we circumvented this problem by making the pairs from the two sources distinguishable by polarization. For input states in which one photon has polarization orthogonal to that of the other three, the input polarization could be set to either or for source 1, as needed, and for source 2: then Alice’s final polarization measurement would distinguish the events of interest from those in which one crystal created all four photons. We can also deal with input states with two photons and two photons by having sources 1 and 2 produce and , respectively, and rewiring the input channels to the chip as needed. Double-pair emission for input states and cannot be dealt with this way, but these states are not of interest for a quantum random walk.
Having suppressed errors from double-pair emission, we must now consider triple-pair emission. The noise contributed by these events is on the order of the sources’ per-pulse emission probability, which is .
To quantify the spectral distinguishability of our photons, we measured Hong-Ou-Mandel interference visibility for all four combinations of signal and idler from source 1 with signal and idler from source 2. After subtracting statistically expected higher-order noise, we measured the visibilities to be
(2) 
and without subtracting higher-order noise. For more discussion of experimental errors in quantum random walks, see [tillmann2015generalized]. We assumed Poissonian error for all single-photon detection rates, so that for detections, we assume an error of .
The error in the reconstructed unitary propagates from errors in our intensity measurements, which are in turn used to infer amplitudes and phases. Here we are able to limit the error on the inferred transmission amplitudes and phases to and , respectively. The discrepancy in error-bar size for the various output possibilities stems from the nature of the unitary: phase errors can lead to large changes in some output probabilities, while having hardly any effect in others.
Unitary of the devices
Here we present the two unitaries used for the random walk experiments.
Holevo information for encryption using random rotations over the Poincaré sphere
Any operation on the Poincaré sphere is an SU(2) transformation, an arbitrary element of which can be expressed as
(3) 
where , , and
(4) 
Then explicitly in the basis ,
(5) 
The Haar measure on SU(2) is
(6) 
So, to sample uniformly from SU(2) on the Poincaré sphere, we have to pick , and and compute (see Section 2.3 in the essay “How to generate a random unitary matrix” by Maris Ozols).
Encryption
Alice selects secret keys , and at random uniformly, where . She performs a mode-by-mode random polarization on her input state from the Poincaré sphere defined by the (Euler) angles of the transformation:
(7) 
If Alice’s mode input state is , then she implements . As in Rohde et al., each mode of Alice’s input state is either for logical 0, or for logical 1. Let us denote Alice’s encoded bitstring by . After encryption, Alice sends her encrypted state to Bob for processing. Since Bob does not know Alice’s secret keys, he sees a superposition of all the states corresponding to the different possible secret keys,
(8) 
where when the th bit of is 0, and when the th bit of is 1.
Let . Then, the Holevo quantity is given by
(9) 
where is the von Neumann entropy of density matrix . As in Rohde et al., the first term is equal to because forms a complete set of basis. Owing to the invariance of the von Neumann entropy under unitary transformation, we have
(10) 
Hence, it suffices to find the eigenvalues of . First, we observe that
(11) 
where is a global phase factor. Let denote a state that is the symmetric sum of all states with qubits in the state. So simplifies to
(12)  
(13)  
(14) 
The sum over is
(15)  
(16)  
(17)  
(18)  
(19) 
As such, eq. (14) simplifies to
(20)  
(21) 
In the limit of large , we can approximate the sum over as an integral, i.e.
(22) 
Using an identity
(23) 
we have
(24)  
(25) 
Putting all this together, we have
(26)  
(27) 
When , is completely mixed over the symmetrized basis states and its entropy, which represents the number of bits hidden from Bob, is . For linear polarization the entropy of the encrypted all-zero bit string is . Hence, the randomization over the whole Poincaré sphere decreases the Holevo information by a constant factor, but the scaling in remains .