# Quantum computing on encrypted data

###### Abstract

The ability to perform computations on encrypted data is a powerful tool for protecting privacy. Recently, protocols to achieve this on classical computing systems have been found. Here we present an efficient solution to the quantum analogue of this problem that enables arbitrary quantum computations to be carried out on encrypted quantum data. We prove that an untrusted server can implement a universal set of quantum gates on encrypted quantum bits (qubits) without learning any information about the inputs, while the client, knowing the decryption key, can easily decrypt the results of the computation. We experimentally demonstrate, using single photons and linear optics, the encryption and decryption scheme on a set of gates sufficient for arbitrary quantum computations. Because our protocol requires few extra resources compared to other schemes it can be easily incorporated into the design of future quantum servers. These results will play a key role in enabling the development of secure distributed quantum systems.

While quantum computers promise to solve certain classes of problems that are intractable for classical computersFeynman (1982); Deutsch and Jozsa (1992); Grover (1996); Shor (1997), their development is still in its infancy. It is probable that the first quantum computers will act as servers that potential clients can access remotely. In such a server model, the ability to efficiently implement quantum algorithms on encrypted quantum information is crucial. In 2009, the first classical method for fully homomorphic encryption (i.e. for performing arbitrary computations over encrypted data) was developedGentry (2009). This enables a client with comparatively little computational power to use an untrusted classical server for performing a computation, without compromising the security of their data. Here we have developed the first scheme for carrying out arbitrary computations on encrypted qubits where the client only needs to be able to prepare and send single qubits chosen among a set of four possibilities, and to perform some limited classical communication and computation. An important feature of our protocol is that during the computation no quantum communication between the client and the server is required. Strictly speaking, fully homomorphic encryption requires that the client’s total number of operations be proportional to the size of the input and output only. Our scheme satisfies this requirement at the quantum level, but not at the classical one, since the client’s total number of classical operations is proportional to the size of the circuit. Nevertheless, our scheme is efficient, requiring only a constant overhead for performing gates on encrypted data, whereas the best known fully homomorphic classical solutionGentry et al. (2012) requires a polylog overhead.

Our protocol (see Fig. 1) starts with a client who has quantum information that needs to be sent to a remote server for processing. The client first encrypts the input qubits. In the circuit model of quantum computing, a universal set of gates, composed of unitary operations from the Clifford group and one additional non-Clifford gate, is required. For each non-Clifford gate to be performed in the algorithm, the client must also prepare an auxiliary qubit according to a prescription we will specify. The client sends the encrypted quantum information and the auxiliary qubits to the server, and the server then sequentially performs the gates specified by the quantum algorithm. A round of classical communication between the server and client is required every time a non-Clifford gate is implemented (as shown in Fig. 1h), allowing the client to update the decryption key. After the algorithm is completed, the server returns the encrypted qubits to the client who then decrypts them. Once decrypted, the client has the answer to the computation the server performed while the server has no knowledge about the quantum information it has processed. The server, however, can choose to perform a different computation. However, for many algorithms of interestShor (1997), efficient classical verification methods exist, thus enabling the detection of an incorrect output.

Our scheme is part of a rapidly developing field that tackles the problem of secure delegated quantum computation. There have been several novel approaches to this problem, including hiding a circuit from the remote quantum server Broadbent et al. (2009); Barz et al. (2012), computing on encrypted quantum data using multiple rounds and bits of quantum communicationChilds (2005); Aharonov et al. (2010); Dupuis et al. (2012); Broadbent et al. (2012), and sophisticated methods that provide an additional verification mechanismAharonov et al. (2010); Dupuis et al. (2012); Broadbent et al. (2012) (see Supplementary Table 1 for more details). While some of these schemes, in principle, can be used to accomplish similar outcomes as our protocol, they can lead to very different client-server relationships in practice. For example, a recent experiment used the measurement-based model of quantum computing to demonstrate the complementary problem of hiding from a server the circuit that is to be performedBroadbent et al. (2009); Barz et al. (2012). This method, known as blind quantum computing, can be extended to compute on encrypted data, but would require more than eight times as many auxiliary qubits and significantly more rounds of classical communication. Furthermore, blind computation uses random qubits chosen from a set of eight possibilities—our contribution reduces this to just four.

More fundamentally, blind quantum computing demands a very different relationship between the client and server as compared to our approach that is inspired by homomorphic encryption. In the blind model, the client must provide both the hidden algorithm to be performed and the encrypted data to be computed on; in our scheme the client provides only the data while the server provides the agreed upon algorithm. Our protocol mirrors the client-server relationships that exist today where a server is free to focus on iterating and improving the algorithms they provide. This frees the client from needing to develop and optimize the algorithms they use, while the server is able to specialize in providing targeted services. In the blind model this division of labour does not exist; the server is treated as a “dumb” resource while the client is fully responsible for maintaining and supplying the algorithms. While there are many scenarios where carrying out blind quantum computing is desirable, our protocol enables secure delegated quantum networks to develop that closely resemble today’s client-server relationships.

In our scheme, to encrypt a qubit , a client applies a combination of Pauli and operations:

(1) |

where and are randomly assigned to the values of or and form the key. The action of the encryption maps the initial state of the qubit to one of four possible final states, which sum to the completely mixed state; as long as the values and are used only once, this is the quantum equivalentAmbainis et al. (2000) of the classical one-time pad. Knowing and , it is possible to decrypt the state by reversing the and rotations. The Clifford gates we study include the single-qubit Pauli and rotations, the two-qubit controlled-NOT () gate, and the single-qubit Hadamard, , and phase, , gates where Nielsen and Chuang (2000). The actions of the Clifford gates on an encrypted qubit are straightforward due to their commutation relations with the Pauli operators (see Fig. 1b–f), and do not require any additional classical or quantum resourcesChilds (2005). The client only needs to know what gates are being carried out to update the knowledge of the decryption key.

Clifford gates alone are insufficient for universal quantum computingGottesman (1998); at least one non-Clifford gate is required. We study the non-Clifford gate, which has the following action: for . Performing the gate on encrypted qubits is not trivial as it does not commute through the encryption in the same simple manner as the Clifford gates. This is because the server, when applying the gate, can introduce an error, equivalent to applying an extra gate, when : . To prevent the client from needing to divulge the value of , compromising the security of the computation, the server implements a hidden gate that is controlled by the client (see Fig. 1g). To do this, before the server begins the computation the client sends as many auxiliary qubits as there are gates in the circuit. These auxiliary qubits are encoded as with , resulting in one of the four following states that lie along the equator of the Bloch sphere: . These are the four standard BB84 statesBennett and Brassard (1984) rotated to a different basis. After the server implements an gate, it then performs a between one of the auxiliary qubits and the encrypted state The server measures the encrypted qubit in the computational basis, and returns the outcome to the client to update the decryption key. After the , the state of the auxiliary qubit is ; the extra unwanted phase gate now depends on the values of both and which only the client knows. The client sends a single classical bit, , which controls whether the server implements an additional corrective gate without ever revealing the value of . The final state is then as desired, and the decryption key bits, and , now depend on the values of , , , , and as shown in Fig. 1g. This solution is inspired by circuit manipulation techniquesZhou et al. (2000); Childs et al. (2005). The Supplementary Information provides a detailed proof. It also provides a novel simulation-based security definition, applicable to any untrusted server sharing arbitrary prior information with the client, and a proof via an entanglement-based protocolShor and Preskill (2000).

We implement a proof-of-principle of the protocol using linear optics. The state of the qubit is encoded into the polarization of single photons with the horizontal and vertical polarizations representing and respectively. Single photons are generated (see Fig. 2a) via spontaneous parametric downconversion (SPDC). The state preparation and encryption, , are carried out using a polarizing beamsplitter (PBS), quarter-waveplate (QWP) and half-waveplate (HWP), and the single-qubit Clifford gates are implemented using waveplates (see Fig. 2b). The gate (see Fig. 2c) is implemented using two-photon interferenceHong et al. (1987) at a partially-polarizing beamsplitter (PPBS)Kiesel et al. (2005); Langford et al. (2005); Okamoto et al. (2005), which fully transmits horizontally polarized light, but reflects of the vertical polarization.

To implement the gate on an encrypted qubit we use an auxiliary qubit along with the as shown in Fig. 2c. The auxiliary qubit is randomly prepared by the client in one of the four rotated BB84 states, , using waveplates and Pockels’ cells as fast optical switchesPittman et al. (2002); Prevedel et al. (2007); Ma et al. (2012) (see Methods), and then sent to the server. The Pockels’ cells are switched at 1MHz – two orders of magnitude faster than our singles rate from SPDC. This means that the probability of more than one photon being present for each Pockels’ cell setting is very small, making negligible the amount of information the server can obtain about the state of the auxiliary qubit, and hence the value of . The server first performs an gate on the encrypted qubit followed by a with the auxiliary qubit. The client then sends the server a classical bit, , which controls whether the server implements an additional corrective gate using a third Pockels’ cell. Finally, the server returns to the client the encrypted auxiliary qubit containing the final state for processing.

In order to characterize our gates we use quantum process tomography (QPT)Nielsen and Chuang (2000); Poyatos et al. (1997); O’Brien et al. (2004); Chow et al. (2009); this provides us with complete information, in the form of a process matrix , about how each gate acts on and transforms an arbitrary input state. The client first prepares a set of encrypted input states that the server acts on, and then the client performs measurements on the outputs. For our single-qubit gates the client prepares an overcomplete set of inputs that are the eigenstates of the Paulis . Our encryption scheme, , maps each of these Pauli eigenstates into one another. After the server processes the gate, the client performs measurements in each Pauli basis. By choosing this set of input states, and keeping track of the values of and , the client is able to completely characterize the action of the gate over all possible encryptions. Similarly, for the two-qubit gate the client prepares and measures all 36 eigenstates of the tensor products of the Paulis . Again, the encryption scheme maps each of the input eigenstates of the Pauli tensor products into one another, allowing all encryption possibilities to be studied.

The client, knowing the decryption key, is able to decrypt and post-process the tomography data. The results for the decrypted single-qubit gates are shown in Fig. 3 and the results for the are shown in Fig. 4. The fidelitiesNielsen and Chuang (2000) of the , , , , and gates are , , , , and respectively. Loss of fidelity for single-qubit Clifford gates is predominately due to coherent noise, i.e. over- or under-rotation of a unitary, meaning that multiple gates can be performed in sequence maintaining high fidelity. Loss of fidelity for the and gates originates from emitted double pairs in the photon source and mode mismatch at the main PPBS. From the client’s perspective, the server has performed the correct computations on the encrypted inputs. However, if the decryption keys are not known, then each gate acts as a completely depolarizing channel that leaves input qubits in the maximally mixed state (as shown in Fig.g 3 and Fig. 4). The process matrices were then reconstructed from the same data as before, but without decryption. Each case had high fidelity with the completely depolarizing channel: for the single-qubit gates, and for the . Without knowledge of the decryption keys, the server gains no information about the state. For a more detailed analysis of the experimental security of our implementation see the Supplementary Information.

In information security often the weakest link is not the transmission of encrypted data, but, rather, security breaches at the end points where the data is no longer encrypted. A major advance of our scheme is that it eliminates one of the end points as a security risk; a remote server no longer needs to decrypt the quantum information in order to process it and carry out computations. The overhead in quantum resources required to compute on encrypted quantum data is so low (only one auxiliary qubit per non-Clifford gate) that it will be straightforward for future quantum servers to incorporate our protocol in their design, dramatically enhancing the security of client-server quantum computing; our protocol has even less overhead than the best classical fully homomorphic encryption scheme, and provides information-theoretic (as opposed to just computational) security. This method for computing on encrypted quantum data, combined with the techniques developed for quantum circuit hidingBroadbent et al. (2009); Barz et al. (2012), form a complete security system that will enable secure distributed quantum computing to take place, ensuring the privacy and security of future quantum networks.

Methods. In the gate protocol, we initialize auxiliary photons to one of the four states using Pockels’ cells. A Pockels’ cell performs a fast-switching unitary operation triggered by applying a strong electric field which rapidly changes the index of refraction of a nonlinear medium; here the medium is rubidium titanyl phosphate, RbTiOPO (RTP). The values of bits and are randomly generated by a computer, and a trigger circuit (based on a self-built CPLD design) is used to drive the Pockels’ cells at a rate of . Single-photon rates are reduced to Hz to limit the probability of two auxiliary photons being present in the Pockels’ cells during a single setting of and . Reduced rates also limit the effect of emitted double pairs on the fidelity of the operation. Photons are detected using silicon avalanche photo-diodes (PerkinElmer four-channel SPCM-AQ4C modules), and coincidence photon events are recorded using a custom design coincidence logic. For all gates, the process that the server observed was attained by summing the measured counts over the all the encryption cases . For example, if the client input the state , then the server, not knowing the encryption key, would half the time assume was input and sort the measured counts accordingly. For the gate the client decrypts by sorting photon counts into 8 bins based on the values of , and . The server, not knowing values of and , could at most sort counts into two bins based on , and observes a maximally mixed state due to the active switching, before summing over the encryption key cases. QPT was performed using a maximum likelihood techniqueJames et al. (2001); Chow et al. (2009). Uncertainties in these values are found by adding Poissonian noise to the measured photon counts and performing 100 Monte Carlo iterations of the matrix reconstructions.

## References

- Feynman (1982) R. Feynman, Int. Journ. of Theor. Phys. 21, 467 (1982).
- Deutsch and Jozsa (1992) D. Deutsch and R. Jozsa, Proceedings of the Royal Society A: Mathematical, Physical and Engineering Sciences, Proc. R. Soc. A 439, 553 (1992).
- Grover (1996) L. Grover, in Proceedings of the 28th annual ACM Symposium on Theory of Computing (STOC) (ACM, New York, 1996) pp. 212–219.
- Shor (1997) P. Shor, SIAM J. Comput. 26, 1484 (1997).
- Gentry (2009) C. Gentry, in Proceedings of the 41st annual ACM Symposium on Theory of Computing (STOC) (ACM Press, New York, 2009) pp. 169–178.
- Gentry et al. (2012) C. Gentry, S. Halevi, N. Smart, D. Pointcheval, and T. Johansson, in Proceedings of the 31st annual conference theory and applications of cryptographic techniques (EUROCRYPT) (Springer-Verlag Berlin, Heidelberg, 2012) pp. 465–482.
- Broadbent et al. (2009) A. Broadbent, J. Fitzsimons, and E. Kashefi, in Proceedings of the 50th Annual IEEE Symposium on Foundations of Computer Science (FOCS) (IEEE Press, Los Alamitos, 2009) pp. 517–526.
- Barz et al. (2012) S. Barz, E. Kashefi, A. Broadbent, J. Fitzsimons, A. Zeilinger, and P. Walther, Science 20, 303 (2012).
- Childs (2005) A. Childs, Quantum Information and Computation 5, 456 (2005).
- Aharonov et al. (2010) D. Aharonov, M. Ben-Or, and E. Eban, in Proc. Innov. Comp. Sci. (ICS) 2010 (2010) pp. 453–469.
- Dupuis et al. (2012) F. Dupuis, J. B. Nielsen, and L. Salvail, in Advances in Cryptology – Proc. CRYPTO 2012, LNCS, Vol. 7417 (Springer, 2012) pp. 794–811.
- Broadbent et al. (2012) A. Broadbent, G. Gutoski, and D. Stebila, “Quantum one-time programs,” (2012), available as arXiv:1211.1080.
- Ambainis et al. (2000) A. Ambainis, M. Mosca, A. Tapp, and R. D. Wolf, in Proceedings of the 41st Annual IEEE Symposium on Foundations of Computer Science (FOCS) (IEEE Press, Los Alamitos, 2000) pp. 547–553.
- Nielsen and Chuang (2000) M. Nielsen and I. Chuang, Quantum Computation and Quantum Information (Cambridge Univ. Press, Cambridge, 2000) p. 558.
- Gottesman (1998) D. Gottesman, in Group 22: Proceedings of the 22nd International Colloquium on Group Theoretical Methods in Physics (International Press, Cambridge, MA, 1998) pp. 32–43.
- Bennett and Brassard (1984) C. Bennett and G. Brassard, Proc. IEEE Int. Conf. Comp. Syst. Signal Proc. 11, 175 (1984).
- Zhou et al. (2000) X. Zhou, D. Leung, and I. Chuang, Phys. Rev. A 62, 052316 (2000).
- Childs et al. (2005) A. Childs, D. Leung, and M. Nielsen, Phys. Rev. A 71, 032318 (2005).
- Shor and Preskill (2000) P. Shor and J. Preskill, Phys. Rev. Lett. 85, 441 (2000).
- Hong et al. (1987) C. K. Hong, Z. Y. Ou, and L. Mandel, Phys. Rev. Lett. 59, 2044 (1987).
- Kiesel et al. (2005) N. Kiesel, C. Schmid, U. Weber, R. Ursin, and H. Weinfurter, Phys. Rev. Lett. 95, 1 (2005).
- Langford et al. (2005) N. Langford, T. Weinhold, R. Prevedel, K. Resch, A. Gilchrist, J. O‘Brien, G. J. Pryde, and A. White, Phys. Rev. Lett. 95, 3 (2005).
- Okamoto et al. (2005) R. Okamoto, H. Hofmann, S. Takeuchi, and K. Sasaki, Phys. Rev. Lett. 95, 210506 (2005).
- Pittman et al. (2002) T. Pittman, B. Jacobs, and J. Franson, Phys. Rev. A 66, 052305 (2002).
- Prevedel et al. (2007) R. Prevedel, P. Walther, F. Tiefenbacher, P. Bohi, R. Kaltenbaek, T. Jennewein, and A. Zeilinger, Nature 445, 65 (2007).
- Ma et al. (2012) X.-S. Ma, T. Herbst, T. Scheidl, D. Wang, S. Kropatschek, W. Naylor, B. Wittmann, A. Mech, J. Kofler, E. Anisimova, V. Makarov, T. Jennewein, R. Ursin, and A. Zeilinger, Nature 489, 269 (2012).
- Poyatos et al. (1997) J. Poyatos, J. Cirac, and P. Zoller, Phys. Rev. Lett. 78, 390 (1997).
- O’Brien et al. (2004) J. O’Brien, G. Pryde, A. Gilchrist, D. James, N. Langford, T. Ralph, and A. White, Phys. Rev. Lett. 93, 080502 (2004).
- Chow et al. (2009) J. Chow, J. Gambetta, L. Tornberg, J. Koch, L. Bishop, A. Houck, B. Johnson, L. Frunzio, S. Girvin, and R. Schoelkopf, Phys. Rev. Lett. 102, 090502 (2009).
- James et al. (2001) D. James, P. Kwiat, W. Munro, and A. White, Phys. Rev. A 64, 052312 (2001).

###### Acknowledgements.

Acknowledgements: We are grateful for financial support from Ontario Ministry of Research and Innovation ERA, QuantumWorks, NSERC, OCE, Industry Canada and CFI. A.B., L.S. and T.J. acknowledge the support of the Canadian Institute for Advanced Research. R.P. acknowledges support from the FWF (J2960-N20), MRI, the VIPS Program of the Austrian Federal Ministry of Science and Research and the City of Vienna as well as the European Commission (Marie Curie, FP7-PEOPLE-2011-IIF). A.B. is grateful for Serge Fehr for pointing out the proof technique of ref. [18] and its applicability to our scenario. Author Contributions: A.B. designed the protocol and proved its security. K.F., L.S., R.P. and K.R. conceived the experiment. K.F. conducted the experiment with the help of J.L. and Z.Y. and under the supervision of K.R. and T.J. The first draft of the manuscript was written by K.F. and L.S. All authors contributed to the final draft.See pages 1 of SuppInfo_2013_9_9.pdf See pages 2 of SuppInfo_2013_9_9.pdf See pages 3 of SuppInfo_2013_9_9.pdf See pages 4 of SuppInfo_2013_9_9.pdf See pages 5 of SuppInfo_2013_9_9.pdf See pages 6 of SuppInfo_2013_9_9.pdf See pages 7 of SuppInfo_2013_9_9.pdf See pages 8 of SuppInfo_2013_9_9.pdf See pages 9 of SuppInfo_2013_9_9.pdf See pages 10 of SuppInfo_2013_9_9.pdf