Enhanced delegated computing using coherence

A long-standing question is whether it is possible to delegate computational tasks securely. Recently, both a classical and a quantum solution to this problem were found. Here, we study the interplay of classical and quantum approaches and show how coherence can be used as a tool for secure delegated classical computation. We show that a client with limited computational capacity - restricted to an XOR gate - can perform universal classical computation by manipulating information carriers that may occupy superpositions of two states. Using single photonic qubits or coherent light, we experimentally implement secure delegated classical computations between an independent client and a server. The server has access to the light sources and measurement devices, whereas the client may use only a restricted set of passive optical devices to manipulate the light beams. Thus, our work highlights how minimal quantum and classical resources can be combined and exploited for classical computing.


I. INTRODUCTION
The storage and processing of data on remote servers has become highly relevant to modern information processing [1]. With the progress from stand-alone machines to large connected networks, the security of delegated computations has become increasingly important. In 2009, a classical scheme, the fully homomorphic encryption protocol, was invented which provides computational security in data processing at remote servers [2]. At the same time, a quantum computing protocol was found which allows an almost-classical client to delegate a quantum computation securely to a quantum server [3,4]. In contrast to the classical algorithm, the quantum version provides unconditional security [3,[5][6][7].
Here, we study the first step towards the interplay between classical and quantum delegated computation [8,9]. To this end, we consider a game setting with a restricted client with access to only an XOR gate. We then explore what additional resources enable the client to delegate the secure computation of a NAND gate to an untrusted server. A similar (noncrypto) setting has been also explored recently to highlight the role of quantum contextuality [10] and quantum correlation [11] in boosting linear classical computation (done by XOR gates) to a nonlinear classical computation (done by NAND gates). Furthermore, it has been used to study multiparty cryptographic settings in [12] and the relation of entangled quantum states and multiparty computational games in [13].
In this paper we show that secure delegated NAND computation can be accomplished using cobits, short for systems capable of being in a coherent superposition of two states (see Fig. 1), for example, single photonic qubits or coherent laser beams. In our scheme, the server has access to cobits and the client is restricted to parity computations and the local manipulation of the cobits. The protocol works in the following manner: The server sends cobits, and the client applies simple operations to them, dependent on the classical bits the client wants to compute the NAND gate on. The cobits are then sent back to the server, which performs a measurement. The result contains the encrypted outcome of the NAND operation performed on the client's classical bits. This means that the cobit enables the client to compute problems beyond her own power, since the NAND gate is universal for classical computation. We note that the word cobit was introduced in another context with a different meaning [14], where it referred to a type of physical process which can convey a cobit of information. In our context cobit means a physical carrier of information, which can store two orthogonal states or fields and a (equally weighted) coherent superposition of the two.
Further, we experimentally implement a classical secure delegated computation by using single qubits or coherent laser beams as cobits. In our implementation, the client and the server are set up in two different laboratories, separated by more than 50 m and connected by optical fibers. Photonic systems are ideally suited for this task, since they can be easily manipulated and transmitted over large distances; however,

3-state system
FIG. 1. Bits, three-state systems, cobits, and qubits. Our secure delegated computing protocol can be achieved by means of a threestate classical system. It can also be accomplished using cobits and qubits, which are two-state systems capable of being in a coherent superposition of both states. Here, the operation U transforms basis states into superposition states and vice versa. In the context of this work, cobit means a physical carrier of information, which can store two orthogonal states or fields and coherent superpositions of the two, for example, coherent laser beams. Qubits are quantum systems and can be realized experimentally, for example, by using different degrees of freedom in single photons. Thus, encoding information in a classical light beam's polarization would constitute a cobit, whereas doing the same with single photons realizes a qubit. our scheme can be implemented using every physical system that provides coherence.

II. THEORY
Our work is based on a protocol for secure delegated classical computation using quantum resources [8]. It was shown that manipulating only two-level bits are not sufficient for this task. Here, we reformulate the original work [8] and show that in the same setting adding classical coherence enables us to perform secure delegated classical computations.
The protocol is based on the implementation of a NAND gate using only parity computations and coherence. Here, we first describe the protocol using single cobits and show later its implementation with single photonic qubits and coherent beams, which relaxes the requirements of the initial theory [8]. In detail, the protocol works as explained in the following (see also Fig. 2). First, the server generates cobits in the state |0 and sends these cobits to the client. The client wants to implement a NAND gate on two input bits a and b. Therefore, the client encodes the result of a NAND(a,b) gate in the output cobit by applying the gate sequence Here, U is an operation which brings the state |0 into a superposition of |0 and |1 . If U is applied to the superposition of |0 and |1 , the cobit will be in state |1 after the operation (U (U |0 ) = |1 ). In our protocol, the application of the operation U is controlled, depending on the values of a and b. Only if a = b = 1 is the output cobit in state |1 ; for all other settings of a and b, the output cobit is in state |0 . Thus, the output cobit can be written as |NAND(a,b) ⊕ 1 and effectively contains a NAND gate. 1.

3.
FIG. 2. Scheme of delegated NAND gate. The steps of the protocol are described in detail in the main text.
In order to hide the state of the output cobit and achieve secure delegated computing, the client applies an additional random bit flip X: where r is a random value. The cobit is then sent back to the server, where a measurement in the |0/1 basis is performed. The result of this measurement, s, is returned to the client, who finally obtains the result NAND(a,b) by computing

A. Relation to previous work
We note that a NAND computation, without considering the security aspects, was first proposed in another work [11]. There, a classical parity computer controlled three-qubit Greenberger-Horne-Zeilinger states in order to perform universal classical computation in a measurement-based version fashion [15,16].
Reference [8] shows that a NAND computation can be performed using single qubits. Even more, it shows that computation can be performed in a secure client-server setting if the server has access to single qubits and the client to controlled single-qubit gates and an XOR gate.
Our work shows that the same functionality can be achieved without having any quantum resources at all. Compared to [8], we show that the resources required for a NAND computation can be reduced from single qubits to systems capable of being in a coherent superposition of two states, cobits. Furthermore, we achieve secure delegated computations by sending cobits. In our framework, the server needs to have access to cobits, for example, coherent laser beams of single photons; the requirements for the clients are the same as the ones in [8]. This reduction to the manipulation of "simple" resources, compared to the generation of entanglement, clearly decreases the experimental requirements and enables one to perform secure and delegated classical computations with minimal resources.

III. IMPLEMENTATION
All systems that allow for a coherent superposition of two states can be used as resources for the implementation of the protocol. Since optics facilitates transmission of information from the server to the client and back, we make use of single photonic qubits or a coherent laser beam.
Single photons as information carriers can be described by two quantum fields (a † 0 and a † 1 ) or states (|0 and |1 ) and superpositions thereof, such as (a † Here, the logical states |0 and |1 can, for example, be encoded in the photon's polarization. The operation U = R y (π/2) is a rotation of π/2 around the Y axis of the Bloch sphere: R y (θ ) = exp (−iθ/2σ y ), where σ y is the Pauli operator, and the bit flip X = σ X is given by the Pauli operator.
However, no quantum behavior is required in our setting. In fact, every system that provides coherence can be used to implement our protocol. In our scenario, using multiple photons, i.e., a product state |+ |+ · · · |+ , also allows the execution of our protocol. The reason for this is that our protocol is only based on classical coherence and the first-order correlation function [17,18], which is the same for true single photons and coherent beams or multiphoton states. This means that the protocol gives the same results for single photons and coherent beams, since higher-order correlation functions, which would show different results for these types of resources, do not play a role in our protocol.
This also means that the protocol we present here is completely classical in the sense of classical physics: it uses purely classical means, effects, and devices, including classical coherence. In a different setting, it could also be accomplished with a classical pointer instead of qubits and coherent beams. Here, the classical pointer represents a three-state system, which can naturally achieve the same functionality as a two-level system with coherence (see Fig. 1). However, this would also require the client to have a different functionality, which would allow the client to compute NAND on her own.

A. Robustness
The challenge when single qubits are used for the protocol is that probabilistic generation and optical losses affect the robustness of the protocol. Since the client is capable of performing only parity computations and preparing random bits, she cannot check whether the computation is correct or not. If the server does not send a photon or the photon gets lost, then the server fails to register a result. The easiest solution would be to send an additional classical bit on a different channel from the server to the client, which indicates that the procedure has worked. Depending on the classical bit, the client could then repeat the computation. However, this is not possible in our framework as this routine would be equivalent to implementing a NAND gate and thus is beyond the client's capabilities. Using a laser beam for the implementation of the protocol has the advantage of providing robustness against these photon losses.

B. Security of implementation
The security of the implemented single-photon protocol follows immediately from the proof given in [8] under two assumptions: (1) Ideal devices and or devices with noise/loss, provided the noise/loss parameters are not controlled by the server.
(2) The malevolent server sends individual photon states that ensure the operation performed by the client's optical elements on the polarization degrees of freedom of the photons is correct.
Since the security effectively reduces to a classical information-theoretical encryption (effectively a one-time pad) and is not relying on quantum properties vital in most of quantum cryptography (e.g., the no-cloning result for quantum states), having multiple copies of the same state does not reduce the security. The cumulative action of optical devices on the client's side are easily seen to implement a polarization rotation of zero degrees, if NAND(a,b) ⊕ r = 0, and π otherwise. In other words, the map itself, implemented by the client, is classically one-time padded. Thus, irrespective of the of the actual state prepared by the server, the action of such a map results in a state that is one-time padded by the parameter r and thus independent of the client's inputs when averaged over the client's secret parameter r. The latter means the protocol is blind.
We note that the security may be jeopardized if the server utilizes other modes, e.g., frequency of light, which changes how the optical devices on the side of the client manipulate the polarization degrees of freedom. However, such behavior can in principle be prevented by quality control, which sporadically checks the characteristics of light used by the server. More general analyses of how particular implementations may be vulnerable to attacks are beyond the scope of this work.

IV. EXPERIMENTS
We implement the server and the client using two independent experimental setups running in two different laboratories which are separated by 50 m (see Fig. 3). We either use a heralded single-photon source or a weak coherent laser beam for the implementation of the protocol. For both cases, we encode the states |0 and |1 in polarization, denoting horizontal and vertical polarization, respectively.
The heralded single photons are produced by type-II parametric down-conversion in a potassium titanium oxide phosphate (KTP) crystal that has periodically poled waveguides [19]. A mode-locked fiber-based femtosecond laser produces 90 -fs-long pulses at 1575 nm with a repetition rate of 100 MHz. These pulses are frequency doubled in a 1-mm-long periodically poled potassium dihydrogen phosphate (KDP) crystal cut for type-II second harmonic generation, resulting in 7 mW of 787.5 -nm light. The fundamental 1575-nm light is filtered out with a dichroic mirror and short-pass filter, and the 787.5 -nm beam is focused through 3-μm-wide waveguides in a 10 -mm-long AR-coated KTP crystal, which is periodically poled to phase match for type-II parametric down-conversion. After the chip, long-pass filters are used to block out the pump light. The horizontally and vertically polarized downconverted photons, centered at 1570 nm and 1580 nm, are split with a polarizing beam-splitter cube. The photons are further filtered and coupled into single-mode fibers. The photons at 1570 nm are guided to the client's setup, whereas the photons at 1580 nm are kept on the server's side and produce the heralding signal. Alternatively, we use a coherent laser beam at 1550 nm that is attenuated to the single-photon level.
These polarization-encoded cobits are sent to the client who implements the required gates using wave plates. It is sufficient for the client to have access to three half-wave plates (HWPs) for the implementation of the NAND gate and to one additional HWP for the implementation of an additional one-time pad. By applying the following gate sequence, with ϕ = π/4 and θ = π/8, the client alters the output state, dependent on the values of a and b. The value of the random number r is generated via a classical computer in our implementation. However, this could be easily replaced by a quantum random number generator. The reason for implementing a random X or Z gate instead of X r is that a real physical implementation introduces state-dependent phase shifts: for the settings a = b = 0, a = 0,b = 1, a = 1,b = 0, the gate sequence HWP(−θ (a⊕b) ) · HWP(−θ b ) · HWP(θ a )|0 adds an additional phase shift of π to the state |1 . This phase shift can be compensated for if we choose to randomly switch between a bit flip X and a phase flip Z in our one-time pad.
In order to do so, we use a half-wave plate HWP(ϕ r ) with ϕ = π/4. Thus, we can implement the whole scheme using only four HWPs securely [see Eq. (4)].
The output cobit is sent back to the server who performs a measurement in the computational basis. Experimentally, for both implementations, the polarization of the photons returned to the server is analyzed using a half-wave plate, a Glan-Thompson polarizer and InGaAs avalanche photodiodes that are specified to be 20% efficient and a dead time set to 10 μs. The results of the server's measurement is then equal to AND(a,b).

V. RESULTS
We first implement the protocol with single photons. Since the protocol is secure even when multiple photons pass at the same time through the same settings, a singleshot implementation is not necessary and we integrate the result over 10 s of measurement time. In our experiment, we use a Glan-Thompson polarizer and an additional HWP for analyzing the polarization. The results of the single-photon runs are shown in Fig. 4(a). We obtain count rates of 300 heralded photons per second. The average probability for finding the correct results is (98.8 ± 0.5) %.
We run the same experimental sequence with a laser beam that is attenuated to 30 000 single counts per second, measured after the transmission through the setup. In this experimental run, we obtain similar average probabilities of finding the correct results of (98.2 ± 0.06) %. [See detailed results in Fig. 4(b).] In both experiments, the errors are calculated assuming Poissonian errors. Experimental imperfections arise from polarizations drifts when the photons are transmitted through fibers and errors in the manipulations with wave plates as well as imperfection in the measurement in the |0,1 basis. . 4. Results of delegated secure NAND gate. Implementation with single photons (top row) and with an attenuated laser beam (bottom row) for the cases r = 0 (left) and r = 1 (right). We achieve probabilities for finding the correct output of (98.8 ± 0.5) % for the single-photon implementation and of (98.2 ± 0.06) % for the implementation with a coherent beam. The fibers connecting both laboratories are 50 m long and are placed partly outside the building. In order to test the long-term stability of our fiber connection and influences such as temperature changes and movements of the fibers, we perform a series of NAND-gate measurements for all possible inputs and repeat this measurement six times over 210 min. During this period, the obtained probabilities are stable and decrease only slightly from on average (98.2 ± 0.06) % to (97.1 ± 0.08) % (see Fig. 5).

VI. CONCLUSION
We have shown that the computational power of a classical entity limited to parity computations can be boosted to universal classical computation by exploiting coherence. A single qubit can be used as a simple system to accomplish this task-even though no quantumness is required. The extension of previous work to systems capable of being in a coherent superposition of two states provides a practical and robust way to implement the protocol experimentally while still being secure.
While the focus of our work is of a more fundamental nature-demonstrating the computational capability of cobits-a future potential application could be a hybrid quantum-classical secure computing scheme. In such a scheme, a set of NAND gates within a classical circuit may be performed using our protocol. Furthermore, our implementation can be easily extended to long distances using standard technology from quantum key distribution.
In conclusion, our work shows an alternative way of how to exploit the properties of both quantum particles and classical fields as tools for classical computing.