Homomorphic encryption of linear optics quantum computation on almost arbitrary states of light with asymptotically perfect security

Future quantum computers are likely to be expensive and affordable outright by few, motivating client/server models for outsourced computation. However, the applications for quantum computing will often involve sensitive data, and the client would like to keep her data secret, both from eavesdroppers and the server itself. Homomorphic encryption is an approach for encrypted, outsourced quantum computation, where the client's data remains secret, even during execution of the computation. We present a scheme for the homomorphic encryption of arbitrary quantum states of light with no more than a fixed number of photons, under the evolution of both passive and adaptive linear optics, the latter of which is universal for quantum computation. The scheme uses random coherent displacements in phase-space to obfuscate client data. In the limit of large coherent displacements, the protocol exhibits asymptotically perfect information-theoretic secrecy. The experimental requirements are modest, and easily implementable using present-day technology.


I. INTRODUCTION
In the upcoming quantum era, it is to be expected that client/server models for quantum computing will emerge, owing to the high expected cost of quantum hardware. This necessitates the ability for a client (Alice), possessing data she wants processed, to outsource the computation to a host (Bob), who possesses the costly quantum computer. In such a model, security will be a major concern. The types of applications to which quantum computing will initially be most relevant will contain sensitive data, whether it be strategically important information, or valuable intellectual property, or confidential personal information. This raises the important question of how Alice can outsource computation of her data such that no adversary Eve, or even the server Bob, can read her data: she trusts no one! Homomorphic encryption is a cryptographic protocol that achieves this objective. Alice sends encrypted data to Bob, who processes it in encrypted form, before returning it to Alice. The essential feature is that computing the data does not require first decrypting it: it remains encrypted throughout the computation, ensuring that even if Bob is compromised, Alice retains integrity of her data.
Classical homomorphic encryption has only been described very recently [1-3], and a number of results for homomorphic quantum computation have been described [4][5][6][7][8][9][10][11]. In the case of universal quantum computation, such protocols require a degree of interaction between Alice and Bob. However, it was shown in [4] that under certain restricted, non-universal models for quantum computation, homomorphic encryption may be implemented passively, without any client/server interaction, and requiring only separable, non-entangling encoding/decoding operations. In that protocol, in which single photons encode data, random polarisation rotations on Alice's input photonic state obfuscate data from Bob. And in [8], a similar protocol was presented using phase-key encoding, whereby random rotations in phase-space obfuscate Alice's data, encoded into coherent states.
These two protocols are limited in their security by the fact that the rotations in phase-/polarisation-space are correlated across all inputs, thereby limiting the entropy of the encoded input states, and hence their security. For example, with m optical modes, polarisation-key encoding is only able to hide O(log(m)) bits of information, falling far short of our utopian ideal of perfect information-theoretic security (i.e. hiding all m bits of information in the case of 0 or 1 photons per mode).
The polarisation- and phase-key homomorphic encryption techniques are specific examples of a more general framework for encryption, whereby the encoding and decoding operations commute with the computation, thereby mitigating the need for elaborate interactive protocols.
Here we consider an alternate technique that supersedes both polarisation- and phase-key encoding: displacement key encoding, whereby random coherent displacements obfuscate optically-encoded quantum information. This idea has been recently explored by Marshall et al. [12], where it was argued heuristically why the scheme might be secure. Based on experimental data generated, Marshall et al. numerically showed that the mutual information between the encrypted and the unencrypted data can be made small as the variance of the random displacements increases. This encouraging evidence suggests that a displacement key encoding might offer perfect security in the asymptotic limit. However, obtaining analytical bounds to quantify the security of the scheme has been recognized to be a challenging issue, yet to be solved.
In this paper, we rigorously obtain explicit bounds on the security of using a displacement key encoding, thereby confirming the intuition of Ref. [12]. Moreover, the displacement key encoding improves on the earlier polarisation- and phase-key techniques in two important respects. First, we demonstrate that by choosing the encoding displacement operators to be independent on each optical mode and to follow a Gaussian distribution with an increasing variance, any pair of encoded codewords will become increasingly close in trace-distance and thereby increasingly indistinguishable. Our encoding scheme is a weak information-theoretic security encryption scheme with secrecy error that is twice this maximum trace distance; this security definition was introduced in [13, Definition 5]. We also remark that the trace-distance metric we use is preferable to the mutual information used in Ref. [12], because the trace distance directly quantifies the indistinguishability of quantum states while the mutual information does not. Second, our technique is applicable to linear optics computations acting on quantum states of light with no more than a fixed number of photons. Constraining quantum states to have no more than a fixed number of photons is reasonable, because quantum states that are bounded in energy can always be well approximated by quantum states that are bounded in photon number, given that sufficiently many photons are considered. This is far more general than polarisation-key encoding, which applies to single-photon input states, or phase-key encoding, which applies to input coherent states.

II. COMMUTATIVE HOMOMORPHIC ENCRYPTION OF PASSIVE LINEAR OPTICS
A linear optics network [14], comprising only beamsplitters and phase-shifters, implements a photon-number-preserving unitary map on the photonic creation operators, where $\hat{a}_i^\dagger$ is the creation operator for the $i$th mode, there are $m$ optical modes, and $U$ is an SU($m$) matrix characterising the linear optics network.
Bob possesses both the hardware and software for implementing the computation ($\hat{U}$), which Alice would like applied to her input state ($|\psi_{\rm in}\rangle$), yielding the computed output state ($|\psi_{\rm out}\rangle = \hat{U}|\psi_{\rm in}\rangle$).
Before sending her input state to Bob, Alice, who has limited quantum resources, wishes to encode her input state using operations separable across all modes, similarly for decoding, i.e. we rule out entangling gates for Alice. To achieve this, we require the commutation relation to hold, where $\hat{E}_i(k)$ ($\hat{E}'_i(k)$) is the encoding (decoding) operation, with key $k$. Since Alice has limited classical computational power, she should determine the encoding/decoding operations efficiently with a classical computer, and implement these operations efficiently. The model is summarised in Fig. 1.

FIG. 1. General protocol for commuting homomorphic encryption of optical states under linear optics evolution $\hat{U}$, where $\hat{E}_i$ ($\hat{E}'_i$) are the encoding (decoding) operations, which we require to be separable.
The most natural examples of schemes complying with this model are ones where systems encoding quantum information comprise two subsystems: a primary one in which the computation is taking place; and, a secondary independent one, which does not directly couple with the primary and is unaffected by the computational operations. This allows us to exploit the secondary subsystem (e.g. polarisation) to control the entropy of our codewords, without affecting the computation in the primary subsystem (e.g. photon-number).

III. DISPLACEMENT-KEY ENCODING
Phase-space displacement operations satisfy the required commutation relation of Eq. (2). The displacement operation adds coherent amplitude to an optical state, thereby translating it in phase-space. This process is described by the unitary displacement operator, given by $\hat{D}(\alpha) = \exp\left(\alpha\hat{a}^\dagger - \alpha^*\hat{a}\right)$. (3)
Displacement operations are easily experimentally implemented using a low-reflectivity beamsplitter and a coherent state (well approximated by a laser source) [15, Eq. (9.15)], of the form, (see Fig. 2). The displacement amplitude is directly proportional to the coherent state amplitude and the beamsplitter reflectivity. A special case of displaced states are displaced vacuum states, which are identically coherent states of the same amplitude, $\hat{D}(\alpha)|0\rangle = |\alpha\rangle$.
The commutation relation between displacement operators and linear optics evolution relates the output displacement amplitudes $\vec\beta = (\beta_1, \dots, \beta_m)$ to the input displacement amplitudes $\vec\alpha = (\alpha_1, \dots, \alpha_m)$, and is given by , and $\vec\beta$ relates to $\vec\alpha$ according to the unitary map
The computation required for Alice to determine her decoding operations from her encoding operations is simple matrix multiplication, which is efficiently computable [16]. Thus, our condition on the complexity of encoding/decoding is satisfied. An input tensor product of displacement operations with amplitudes $\vec\alpha$ on multiple modes may be reversed by applying inverse displacement operations with amplitudes $\vec\beta$ at the output, $\hat{D}(\vec\beta)^\dagger = \hat{D}(-\vec\beta)$. Specifically, allowing the computation, $\hat{U}|\psi_{\rm in}\rangle$, to be recovered from the encoded computation, $\hat{U}\hat{D}(\vec\alpha)|\psi_{\rm in}\rangle$, via application of the inverse of the encoding operation. Our scheme extends trivially to the case where the server is asked to perform any Gaussian operation, rather than only passive linear optical evolution.
This is because displacements similarly commute with squeezing as one can see from $\hat{D}$ and all Gaussian operations can be expressed as linear-squeezing-linear evolutions according to the Bloch-Messiah decomposition [17, 18], together with displacements, where $\hat{S}(re^{i\theta})$ denotes a squeezing operator with $r \ge 0$, $\theta \in \mathbb{R}$ and $\gamma = \alpha\cosh r + \alpha^* e^{i\theta}\sinh r$.
The decryption circuit that Alice uses is identical in structure to her encryption operation, and Alice does not need to be able to perform arbitrary linear optical operations that potentially require up to $m(m-1)/2$ beamsplitters. Rather, Alice's decryption circuit on $m$ modes always requires only $m$ beamsplitters. Because of this, Alice's decryption circuit has exactly the same structure as her encryption circuit. Both the encryption and decryption circuits can then in principle be implemented using $m$ Mach-Zehnder interferometers, and such an optical circuit is independent of Bob's LOQC. To find out what coherent states to input into the beamsplitters for the decryption, Alice needs only to know (1) her own secret encrypting displacements, and (2) the unitary that Bob's linear optical circuit implements.
Unlike phase-key or polarisation-key encoding, where the encoding operations applied to each mode must be identical for the encryption/decryption commutation relation to hold, for displacements the amplitudes may be chosen independently for each mode, while still preserving the desired commutation relation. Intuitively, one would anticipate that the ability to choose keys independently for each mode would improve security, since the elimination of correlations between input encoding operations allows the entropy of the encoded state to be greatly increased, thereby making codewords less distinguishable.
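The key bookkeeping described above, checked numerically on two modes in a truncated Fock space; this is an added example, not code from the paper. It assumes the index convention $\hat{a}_i^\dagger \to \sum_j U_{ji}\hat{a}_j^\dagger$ (the page's Eq. (1) did not survive extraction), under which the decoding key is $\vec\beta = U\vec\alpha$; the network, input state, key values and Fock cutoff are constructed.

```python
import cmath
import math

DIM = 24  # per-mode Fock cutoff (assumption: ample for |alpha| around 1)


def displaced_fock(n, alpha, dim=DIM):
    """Amplitudes <m|D(alpha)|n>, m < dim, using D a^dag D^dag = a^dag - conj(alpha)."""
    vec = [cmath.exp(-abs(alpha) ** 2 / 2) * alpha ** m / math.sqrt(math.factorial(m))
           for m in range(dim)]                      # coherent state D(alpha)|0>
    for step in range(1, n + 1):                     # apply (a^dag - conj(alpha)) / sqrt(step)
        raised = [0j] + [math.sqrt(m + 1) * vec[m] for m in range(dim - 1)]
        vec = [(raised[m] - alpha.conjugate() * vec[m]) / math.sqrt(step)
               for m in range(dim)]
    return vec


def displace(state, key, dim=DIM):
    """Separable encoding D(key[0]) (x) D(key[1]) on a two-mode state {(n1, n2): amp}."""
    out = {}
    for (n1, n2), amp in state.items():
        v1, v2 = displaced_fock(n1, key[0], dim), displaced_fock(n2, key[1], dim)
        for m1 in range(dim):
            for m2 in range(dim):
                out[(m1, m2)] = out.get((m1, m2), 0j) + amp * v1[m1] * v2[m2]
    return out


def linear_optics(state, U):
    """Bob's two-mode network. Assumed convention: a_i^dag -> sum_j U[j][i] a_j^dag."""
    out, f = {}, math.factorial
    for (n1, n2), amp in state.items():
        for p in range(n1 + 1):          # photons from mode 1 that end up in mode 1
            for q in range(n2 + 1):      # photons from mode 2 that end up in mode 1
                k, l = p + q, n1 + n2 - p - q
                coeff = (math.comb(n1, p) * math.comb(n2, q)
                         * U[0][0] ** p * U[1][0] ** (n1 - p)
                         * U[0][1] ** q * U[1][1] ** (n2 - q)
                         * math.sqrt(f(k) * f(l) / (f(n1) * f(n2))))
                out[(k, l)] = out.get((k, l), 0j) + amp * coeff
    return out


def decoding_key(U, key):
    """beta = U alpha: the matrix multiplication Alice performs to find her decoding key."""
    return [sum(U[j][i] * key[i] for i in range(2)) for j in range(2)]


def overlap(a, b):
    """Inner product <a|b> over the Fock components both truncated states share."""
    return sum(a[k].conjugate() * b[k] for k in a if k in b)


def demo():
    theta, phi = 0.7, 0.4                                     # constructed SU(2) network
    U = [[math.cos(theta), -cmath.exp(1j * phi) * math.sin(theta)],
         [cmath.exp(-1j * phi) * math.sin(theta), math.cos(theta)]]
    psi = {(1, 0): 1 / math.sqrt(2), (0, 2): 1j / math.sqrt(2)}  # constructed input, <= 2 photons
    alpha = [0.8 + 0.3j, -0.5 + 0.6j]                         # Alice's secret key (constructed)
    beta = decoding_key(U, alpha)
    from_bob = linear_optics(displace(psi, alpha), U)         # U D(alpha)|psi>, what Bob returns
    target = linear_optics(psi, U)                            # U|psi>, what Alice wants
    good = overlap(displace(target, beta), from_bob)          # <target|D(-beta)|from_bob>
    bad = overlap(displace(target, alpha), from_bob)          # decoding with alpha instead of beta
    return good, bad


if __name__ == "__main__":
    good, bad = demo()
    print(f"decode with beta = U alpha: overlap {good:.9f}")
    print(f"decode with alpha:          |overlap| {abs(bad):.4f}")
```

Decoding with $\vec\beta = U\vec\alpha$ recovers Bob's computation up to truncation error, while reusing $\vec\alpha$ as the decoding key does not.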
We examine this protocol in the context of input data comprising arbitrary pure quantum states of light with no more than $n$ photons. In the photon-number basis this implies that, where $|j\rangle = \frac{1}{\sqrt{j!}}(\hat{a}^\dagger)^j|0\rangle$ is a photon-number (Fock) state and $\hat{a}^\dagger$ is the photonic creation operator, and $|\psi_{\rm in}\rangle$ has unit norm so that $\sum_{j=0}^{\infty}|\lambda_j|^2 = 1$. We consider states supported on no more than $n$ photons, because such states can well approximate states of bounded energy in the following sense.
Lemma 1. Let $\rho = \sum_j p_j|\phi_j\rangle\langle\phi_j|$ be a density operator where every $|\phi_j\rangle$ has expected energy at most $\mu$. Let $n \ge \mu$. Then there exists a density operator $\rho' = \sum_j p_j|\phi'_j\rangle\langle\phi'_j|$ where $|\phi'_j\rangle$ has at most $n$ photons and expected energy at most $\mu$ for every $j$, such that $\|\rho - \rho'\|_1 \le 4\sqrt{\mu/n} + 4\mu/n$. (10)
One can see that the approximation error becomes small when $n$ becomes large for fixed $\mu$. The proof of Lemma 1 follows trivially from Lemma 12 and Lemma 13 in the appendix. Lemma 12 and Lemma 13 show respectively that the trace-distance between states can be related to the Euclidean norms, and the approximation error for pure states can be bounded using a connection with Markov's inequality.

IV. SECURITY PROOF
The main result of our paper is the following theorem, which implies that our encoding scheme in the limit of large coherent displacements has weak information-theoretic security.
Theorem 2. The trace-distance between arbitrary encrypted states with at most n photons is at most , where Our scheme thus is a weak information-theoretic security encryption scheme with secrecy error at most 2 .
Our proof employs a continuous-variable (CV) representation for optical states [19]. We omit some intermediate mathematical steps in the main text, delegating the complete step-by-step derivation to the appendix.
Photon-number (Fock) states are related to the $x$ and $p$ quadrature CVs using Hermite functions [20, Section 18.1]. The Hermite polynomials are defined as, and the corresponding Hermite functions as, These provide the direct relation between discrete variable (DV) and CV representations of optical states. Most importantly, for Fock states we have, where $|x\rangle$ is a position eigenstate in phase-space. The position eigenstates form a complete basis, satisfying, Our input state from Eq. (9) can therefore be expressed in the position basis as
Let Alice's encoding operation be represented by the quantum process $\mathcal{E}_{\rm enc}$, which applies a random complex-valued displacement, chosen from a normal distribution with zero mean and standard deviation $\sigma$. Experimentally, $\sigma$ is bounded by the energy output of coherent laser sources. An unknown encoding operation can be represented as a quantum process, where is a Gaussian measure and $d^2\alpha = d(\Re(\alpha))\,d(\Im(\alpha))$ indicates that the integral is performed over the real and imaginary parts of $\alpha$. Then our encrypted state $\hat\rho_{\rm enc} = \mathcal{E}_{\rm enc}(\hat\rho_{\rm in})$ can be interpreted as a weighted mixture over all possible displacement amplitudes associated with the entire key-space. Displacing a position eigenstate by $\alpha = u + iv$ shifts its position by $v$ and appends a phase that depends on its position, $u$ and $v$. After performing the integral over the imaginary part of the complex number $\alpha = u + iv$, we get
The security of the scheme can be quantified using the trace-distance between any pair of its encrypted inputs. When the trace-distance between a pair of states in an encryption scheme approaches zero, the resolution of this pair of states as perceived by Eve or Bob vanishes. Such a scheme is said to exhibit weak information-theoretic security [13], and we proceed to show that our encryption scheme indeed exhibits such a form of security.
To show that the trace-distance between almost arbitrary input states with no more than a fixed number of photons approaches zero as the standard deviation of the random displacements grows, we require detailed information of every matrix element $\langle a|\hat\rho_{\rm enc}|b\rangle$. To get a handle on $\langle a|\hat\rho_{\rm enc}|b\rangle$, it suffices to consider $\langle a|\hat\rho_{i,j}|b\rangle$ where $\hat\rho_{i,j} = \mathcal{E}(|i\rangle\langle j|)$ because $\hat\rho_{\rm enc} = \sum_{0\le i,j\le n}\lambda_i^*\lambda_j\hat\rho_{i,j}$. Since $\langle a|$ and $|b\rangle$ can both be expressed in terms of Hermite polynomials in the position basis, we find that $\langle a|\hat\rho_{i,j}|b\rangle$ is just an integral of the product of four Hermite polynomials. To evaluate these integrals, we recall that any Hermite polynomial $H_j(x)$ can be expressed as the coefficient of $t^j$ in the Gaussian generating function $\frac{e^{-x^2/2+2xt-t^2}}{e^{-x^2/2}}\,j!$ [20, Eq. 18.5]. Hence, $\langle a|\hat\rho_{i,j}|b\rangle$ may be evaluated by writing all of the Hermite polynomials in terms of their Gaussian generating functions, performing the Gaussian integrals, and then reading off the respective coefficients. In doing so, we find the exact form of $\langle a|\hat\rho_{i,j}|b\rangle$ in Lemma 4 of the appendix. Namely, $\langle a|\hat\rho_{i,j}|b\rangle$ is only non-zero when $b - a = j - i$. Moreover, we have that and when $k \ge 1$, we find in Lemma 11 of the appendix that where $y = \frac{1}{2\sigma^2}$ and $x = \frac{2\sigma^2}{1+2\sigma^2}$.
Now let $T$ denote the difference between two encrypted inputs. Let us write $T = D + O$ in the Fock basis, where $D$ is the diagonal of $T$. From this decomposition of $T$, we will obtain an upper bound on the trace norm of $T$. First we prove that the trace norm of $D$ is $O(\sigma^{-2})$. To see this, we show in Lemma 7 of the appendix that We can use this fact to show in Lemma 8 of the appendix that $\|\hat\rho_{i+1,i+1} - \hat\rho_{i,i}\|_1 \le 2^i\sigma^{-2}$ for $\sigma^2 \ge 2$, from which it follows from a telescoping sum that the trace-distance between any pair of encrypted Fock states is at most $2^{n-1}n\sigma^{-2}$. Next, we upper bound the trace norm of $O$.
To see this, note that the Gersgorin circle theorem [21] implies that $\|O\|_1$ is at most the sum of the absolute values of all its matrix elements. By applying a summation of Eq. (19) over the indices $a$ and $k$ and by doing the summation in $a$ first, we can use simple binomial identities to find that $\|O\|_1 \le 8(n+1)\sigma^{-2}$. Together, with the triangle inequality on the trace norm of $D + O$, this allows us to show that the trace-distance between arbitrary encrypted states with at most $n$ photons is at most, which asymptotes to zero for large maximum coherent amplitudes in the encoding operations. This thereby proves Theorem 2.
When the client Alice has as her input to the scheme a separable state on $m$ modes, where each mode has at most $n$ photons, it is easy to see using a telescoping bound on the modes that the trace-distance between arbitrary multi-mode separable states is at most $m$ times the value in (21). Coherent states with mean photon number of up to $10^8$ can be easily generated in a cavity mode of a pumped laser [22, Section 4.1]. Since the intensity of a laser can be attenuated with a variable attenuator, this corresponds to having $|\alpha|$ value that ranges between 0 and $10^4$, which allows one to create random displacements with $\sigma = 10^4$. If each mode has at most 15 photons, then using (19), we find that the trace-distance between arbitrary encrypted states on a single mode is at most $6.8 \times 10^{-7}$.
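An added numerical check of the diagonal part of this argument (not code from the paper): it evaluates the photon-number distribution of an encrypted Fock state and the trace norm $\|\hat\rho_{i+1} - \hat\rho_i\|_1$, and compares it with the $2^i\sigma^{-2}$ bound quoted above. The closed form used for $\langle a|\hat\rho_i|a\rangle$ is the standard result for a Fock state under Gaussian-distributed random displacement with mean $|\alpha|^2$ equal to $2\sigma^2$, written with the page's $x$ and $y$; it is supplied here as an assumption because the page's own expression is missing, and the summation cutoff is this example's choice.

```python
import math


def encrypted_fock_distribution(i, sigma, cutoff):
    """<a|rho_i|a> for a < cutoff, where rho_i = E(|i><i|) and the key has std sigma per quadrature."""
    N = 2.0 * sigma ** 2          # mean photon number added by the random displacement
    x = N / (1.0 + N)             # the page's x = 2 sigma^2 / (1 + 2 sigma^2)
    y = 1.0 / N                   # the page's y = 1 / (2 sigma^2)
    probs = []
    for a in range(cutoff):
        # Assumed closed form: x^(a+i) / (1 + N) * sum_k C(a,k) C(i,k) y^(2k)
        s = sum(math.comb(a, k) * math.comb(i, k) * y ** (2 * k)
                for k in range(min(a, i) + 1))
        probs.append(x ** (a + i) * s / (1.0 + N))
    return probs


def default_cutoff(i, sigma):
    """Enough Fock levels that the geometric tail x**a is below about e**-60 (example's choice)."""
    return int(60 * (2.0 * sigma ** 2 + 1)) + 10 * (i + 1)


def trace_norm_fock(i, j, sigma):
    """||rho_i - rho_j||_1. Both states are diagonal in the Fock basis, so this is an l1 distance."""
    cutoff = default_cutoff(max(i, j), sigma)
    p = encrypted_fock_distribution(i, sigma, cutoff)
    q = encrypted_fock_distribution(j, sigma, cutoff)
    return sum(abs(u - v) for u, v in zip(p, q))


def compare_with_bound(n, sigmas):
    """Rows (sigma, i, computed norm, 2**i / sigma**2) for adjacent Fock states i and i+1, i < n."""
    return [(s, i, trace_norm_fock(i, i + 1, s), 2 ** i / s ** 2)
            for s in sigmas for i in range(n)]


if __name__ == "__main__":
    for sigma, i, norm, bound in compare_with_bound(3, [1.5, 3.0, 6.0, 12.0]):
        print(f"sigma={sigma:5.1f}  i={i}  ||rho_(i+1)-rho_i||_1={norm:.5f}  bound={bound:.5f}")
```

The computed norms fall off as $\sigma^{-2}$ and stay below the quoted bound for every $\sigma^2 \ge 2$ tried here.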

V. ADAPTIVE LINEAR OPTICS
Thus far, we have exclusively considered passive linear optics, where there is no measurement or feedforward. However, feedforward (the ability to measure a subset of the optical modes, and use the measurement outcome to dynamically control the subsequent linear optics network) is an essential ingredient in many linear optics quantum information processing protocols. For example, when employing single-photon encodings for qubits, it is well known that universal quantum computing is possible with the addition of fast-feedforward [23], which is known to require non-linearity [24]. On the other hand, it is strongly believed that without non-linearity such as feedforward, such schemes cannot be made universal [24].
Let us understand intuitively how feedforward and non-linearities can enable two different notions of universality in quantum optical computing. The first notion is CV universality [19], where Braunstein and Lloyd show using Baker-Campbell-Hausdorff arguments how one can in principle implement Hamiltonian evolutions that are arbitrary polynomials of quadrature operators. To achieve this notion of CV universality, it suffices to implement Gaussian unitaries, which our scheme can handle natively, along with any non-Gaussian operation, which can be achieved using non-linearities. The second notion of universality involves DV encoded within CV states, and achieving universal DV quantum computation. In this notion of DV universality with CV states, non-linearities can help to initialize non-Gaussian states, which are resource states to be consumed during gate teleportation to produce non-Gaussian gates. To perform the gate teleportation, one entangles the resource state with a target mode where the non-Gaussian gate is to be computed, and subsequently measures the resource state. One then applies a Gaussian gate on the target mode, conditioned on the measurement outcome. For instance, on a GKP encoding [25], a combination of non-Gaussian gates with Gaussian gates can be universal, and such gates can be achieved with feedforward operations with non-linearities.
Can we accommodate fast-feedforward in the displacement-key homomorphic encryption protocol? Yes we can. Without loss of generality, let us imagine that we wish to measure just one mode and feedforward the measurement outcome to a subsequent round of linear optics, to be once again executed by Bob. For server Bob to perform this measurement, he would have to know the appropriate decryption operator for that mode. However, he does not have this by virtue of the protocol, and Alice cannot provide it to him, lest he misuse it to compromise security.
The only avenue to accommodating the feedforward is to make the protocol interactive. That is, whenever Bob requires a measurement result, to proceed with the computation he outsources the measurement of that mode back to Alice, who returns to him a classical result. This doesn't undermine the viability of the protocol, since Alice is already assumed to have the ability to apply decoding operations, which are by definition separable and can therefore be performed on a per-mode basis.
It is clear that any computation requiring feedforward will necessarily require turning the encryption protocol into an interactive one between Alice and Bob. While this is undesirable, it is to be expected given that no-go proofs have been provided against universal, non-interactive, fully homomorphic protocols [9, 26,27].

VI. ROBUSTNESS
One might wonder how the robustness of our displacement-key encoding scheme to noise compares with the robustness of phase-key and polarization-key encoding schemes. In short, because the demands on the structure of the input states of the client Alice are relatively mild, she can use bosonic quantum codes on a single mode [25, 28]. If Alice uses GKP states [25], small imperfections in displacements can be corrected while the large random displacements can still obfuscate her data from Bob. To constrain the photon number per mode, one can use approximate versions [29] of GKP states. In contrast, bosonic quantum coding schemes are not immediately compatible with the previous phase-key [30] and polarization-key schemes [31]. For the polarization-key encoding which encrypts boson sampling, without quantum error correction, simulating boson sampling classically remains hard with very little noise [32] but becomes classically simulable when there is too much noise [33]. The phase-key scheme [30] is only robust to loss errors when the computed states remain entirely classical, and becomes vulnerable to loss errors once they become entangled into cat states.

VII. CONCLUSION
We have presented a technique for homomorphic encryption of almost arbitrary optical states under the evolution of linear optics. The scheme requires only separable displacement operations for encoding and decoding, yet provides perfect secrecy in the limit of large displacement amplitudes. For passive linear optics, the protocol requires no client/server interaction, remaining entirely passive. For adaptive linear optics, an interactive protocol is required. The technology for implementing the encoding scheme is readily available today, making near-term demonstration of elementary encrypted optical quantum computation viable.

The displacement operator can be written as where $\alpha = u + iv$ is a complex number, with $u, v \in \mathbb{R}$. Now the position and momentum operators, which admit representations as $x$ and $\frac{1}{i}\frac{d}{dx}$ respectively, can also be written as dimensionless quadratures $\hat{X}_1$ and $\hat{X}_2$ respectively, which can be related to the ladder operators via the equalities Since $[\hat{X}_1, \hat{X}_2] = i$ the dimensionless quadrature operators $\hat{X}_1$ and $\hat{X}_2$ indeed satisfy the canonical commutation relations. We then write the displacement operator in terms of the quadrature operators to get Now recall that the BCH formula for operators $A$, $B$ whose commutator is proportional to the identity operator is Now let $|x\rangle_1$ denote an eigenstate of the quadrature operator $\hat{X}_1$ with eigenvalue $x$, so that $\hat{X}_1|x\rangle_1 = x|x\rangle_1$. Then it is clear that $e^{i\theta\hat{X}_1}|x\rangle_1 = e^{i\theta x}|x\rangle_1$. The position eigenstate can be written in the momentum basis, which is also its Fourier basis, so where $|p\rangle_2$ denotes an eigenstate of the second quadrature operator $\hat{X}_2$ with eigenvalues $p$. Hence Hence it follows that

Appendix B: Representation of the encrypted state
Lemma 3. Let $|\psi\rangle = \sum_{i=0}^{n}\lambda_i|i\rangle$ for any $\lambda_i \in \mathbb{C}$ such that $\langle\psi|\psi\rangle = 1$. Let $\mathcal{E}$ be the encryption operation that randomly displaces with a complex number $u + iv$, where $u$ and $v$ are chosen independently from normal distributions with mean 0 and standard deviation $\sigma$. Let $\rho_{\rm enc} = \mathcal{E}(|\psi\rangle\langle\psi|)$. Then
Proof. Note the Fock states can be written in the position basis, so that for all non-negative integers $i$ we have Then $|\psi\rangle\langle\psi| = \sum_{i=0}^{n}\sum_{j=0}^{n}\lambda_i\lambda_j^*|i\rangle\langle j|$. Expanding this out in the position basis, and dropping the labels on the first quadrature eigenstates, we get Then for real $u$ and $v$, we get Encrypting the state $|\psi\rangle\langle\psi|$ and changing the variable with respect to $u$ then gives We can perform the integral with respect to $v$ to arrive at Simplifying the above and relabeling the variables in the integration then gives the result.

Appendix C: Integrals of products of Hermite polynomials
The following lemma gives a bound for the exponential suppression of a certain integral of products of Hermite polynomials in the orders of some of the Hermite polynomials. The key tools used here are generating functions for the Hermite polynomials, and this leads to a significant improvement of bounding the absolute value of the integral of product of Hermite functions over that in Ref. [34]. Now let us define the integral so that If we encrypt another state of the form $\sum_{i=0}^{n}\mu_i|i\rangle$, then the difference between the two matrix elements will be $\sum_{i=0}^{n}\sum_{j=0}^{n}$ Define $\hat\rho_i = \mathcal{E}(|i\rangle\langle i|)$, and define $\hat\rho_{i,j} = \mathcal{E}(|i\rangle\langle j|)$. Then Clearly for $\rho = \sum_{i,j}\lambda_i\lambda_j^*|i\rangle\langle j|$, by linearity of the encryption operation, We use the method of generating functions to evaluate the exact form for the integral $I_{a,b,i,j}$.
Lemma 4. Let $a, b, i, j$ be non-negative integers and $\sigma > 0$. Let $x = \frac{2\sigma^2}{1+2\sigma^2}$ and $y = 1/(2\sigma^2)$. Then
Proof. Let $I = I_{a,b,i,j}$. The generating function of the Hermite polynomial is given by Hence, using the notation $[t^n]f(t)$ to denote the coefficient of $t^n$ in an analytical function $f(t)$, we get Recall that This integral can be easily performed. We make use of the identity where $a > 0$. Using this identity repeatedly, we can show that where $\alpha = 1/(1 + 2\sigma^2)$ and By writing the exponential in $F$ as a product of four exponentials, and using the Taylor series expansion for each, we have By extracting the coefficients, we get for $\alpha = 1/(1 + 2\sigma^2)$. Note that (C18) Making appropriate substitutions then completes the proof.
The key result that we rely on is the result from Lemma 4 which gives an exact form for $I_{a,b,i,j}$ in terms of $y = 1/(2\sigma^2)$ and $x = \frac{2\sigma^2}{1+2\sigma^2}$. Now let $b = a + k$ for $k \ge 0$. Then observe that $I_{a,b,i,j} = 0$ unless $j = i + k$. Hence we restrict our attention to this case. Then we have $I_{a,a+k,i,i+k} = \frac{1}{1+2\sigma^2}\sum_{i_2=0,\dots,\min(a,i)}$ To see this, Lemma 4. Recall that the subscripts for the summation in Eq. (C6) must satisfy the equalities We can then get Hence whenever $j \neq i + k$, there will be nothing in the summation of (C6) to sum over, and the summation in that case evaluates to zero.
Before we proceed, we provide the proofs of several simple but useful technical lemmas. The first technical lemma we need is the following combinatorial identity.
Lemma 5. Let $0 < x < 1$, and let $k$ be a non-negative integer. Then $\sum_{a\ge k} x^a\binom{a}{k} =$
Proof. First note that by relabeling the index for the summation, the sum in the lemma is equal to $\frac{1}{k!}\sum_{a\ge 0}x^{a+k}(a+k)\cdots(a+1) = \frac{x^k}{k!}\frac{d^k}{dx^k}\sum_{a\ge 0}x^{a+k}$. By using the generating function $1/(1-x)$, which holds because $|x| < 1$, the summation becomes $\frac{x^k}{k!}\frac{d^k}{dx^k}\frac{x^k}{1-x}$. Simplifying this using the fact that $1 - x^k = (1-x)(1 + \cdots + x^{k+1})$ yields the result.
The next technical lemma we need also involves binomial coefficients.
Note the trivial fact that $\sum_{k\ge 0}x^k = 1 + 2\sigma^2$. Let us consider the case of $k = 0$ first, which corresponds to $i = j$. Hence we consider the non-zero matrix elements of $\hat\rho_i$, which are $\langle a|\hat\rho_i|a\rangle$ for $a = 0, 1, \dots$. Notice then that we have $\langle a|\hat\rho_i|a\rangle = I_{a,a,i,i} = \frac{1}{1+2\sigma^2}\sum_{i_2=0,\dots,\min(a,i)}$ We are then in a position to bound the trace distance between $\hat\rho_{i+1}$ and $\hat\rho_i$ for every integer $i$. In the lemma that follows, we only consider positive integer $i$, because the case of $i = 0$ has already been shown earlier.
Lemma 7. Let $i$ and $a$ be any non-negative integers. Let $x = (2\sigma^2)/(1 + 2\sigma^2)$ and $y = 1/(2\sigma^2)$ for $\sigma > 0$. Then
Proof. To prove this, we consider two scenarios. In one scenario, $a$ is small in the sense that $a \le i$. In the other scenario, $a > i$. When $a \le i$, using Lemma 6, we have the following Using the expansion for $\langle a|\hat\rho_i|a\rangle$, we then get Now we proceed to consider the case when $a > i$. Then we can use Lemma 6 again to get Hence we get and the result follows from (D10) and (D11).
The trace distance between $\hat\rho_{i+1}$ and $\hat\rho_i$ is suppressed with increasing $\sigma$, as we shall now show.
Lemma 8. The trace distance betweenρ i+1 andρ i is Proof. Sinceρ i+1 andρ i are diagonal matrices in the number basis, we have Using Lemma 7 for the exact form of a|ρ i+1 |a − a|ρ i |a , we get where a k = 0 for all k > a. The first summation above is trivial to bound because the trace of a density matrix must be one, so one must have a≥0 a|ρ i |a = 1. For the second summation, we can use Lemma 5 to get Since x/(1 − x) = 2σ 2 = y −1 and 1/(1 − x) = 2σ 2 + 1 for x = (2σ 2 )/(1 + 2σ 2 ), we get i k y k = y(1 + y) i . Thus using the fact that x ≤ 1, 1 2σ 2 +1 ≤ 1 2σ 2 and y = 1/(2σ 2 ), we get and the result follows.
Clearly then by the telescoping sum, the trace distance between any pair of encrypted diagonal states can be easily bounded.
Lemma 9. Let $n$ be any positive integer, and let $i$ and $j$ be non-negative integers such that $i < j \le n$. Then for $\sigma > 0$, the trace distance between $\hat\rho_i$ and $\hat\rho_j$ is at most (D17)
Proof. One just needs to write $(\hat\rho_i - \hat\rho_{i+1}) + \cdots + (\hat\rho_{j-1} - \hat\rho_j)$. There are at most $n$ such bracketed terms, so using the triangle inequality with Lemma 8 gives This proves the result.
We now proceed to obtain a bound on the off-diagonal matrix elements $\hat\rho_{i,j}$. Without loss of generality, assume that $j = i + k$ for $k \ge 0$. To analyze this case, we first consider the following technical lemma that is easy to verify.
Lemma 10. Let a, i, i 2 and k be non-negative integers, and let i 2 ≤ a, i. Then Proof. It is easy to see that a k i k = a+k k i+k k . Next observe that since i 2 ≤ a and i 2 ≤ i, we have Using Lemma 10 we can arrive derive bounds for the off-diagonal matrix elementsρ i,j .
Lemma 11. Let i, k be non-negative integers and let j = i + k. Then for σ > 0, Proof. Using the exact form for the matrix element a|ρ i,j |a + k as given in Lemma 4 and Lemma 10 to bound the binomial coefficients therein, we get where y = 1/(2σ 2 ) and x = (2σ 2 )/(1 + 2σ 2 ). Using Lemma 4 again, we get Using the fact thatρ i+k has unit trace, we easily get a≥0 | a|ρ i,j |a We are now ready to prove the main result.
Proof of Theorem 2. First we prove that without loss of generality, we can let any two input states to our scheme $\rho$ and $\rho'$ be pure states. Now consider the case where $\rho$ and $\rho'$ are mixed states. Then both of these states can always be written as such that $p_j = p'_j$ for every $j \ge 1$. In this decomposition, the states $|\phi_j\rangle$ and $|\phi_k\rangle$ need not be distinct even when $j \neq k$. Similarly, $|\phi'_j\rangle$ and $|\phi'_k\rangle$ need not be distinct even when $j \neq k$. Here, we must have $p_j$ to be non-negative and $\sum_{j\ge 1}p_j = 1$. Then we use the linearity of the quantum channel $\mathcal{E}$ to see that Applying the triangle inequality for the trace norm, we get It hence follows that From (D26), we can see that we can maximize over the trace distance between encrypted pure states to maximize $\|\mathcal{E}(\rho) - \mathcal{E}(\rho')\|_1$. It thus suffices to consider $\rho = |\phi\rangle\langle\phi|$ and $\rho' = |\phi'\rangle\langle\phi'|$ to be pure states in this security proof, where $|\phi\rangle = \sum_{i\ge 0}\lambda_i|i\rangle$ and $|\phi'\rangle = \sum_{i\ge 0}\mu_i|i\rangle$. We make this assumption without loss of generality in the remainder of this proof.
Consider the matrix λ i λ * j − µ i µ * j I a,a,i,j |a b|.
Since $\omega$ and $\omega'$ are mixed states that are diagonal in the Fock basis, we can use (D26) to see that Using Lemma 9, For the off-diagonal elements we can use the Gersgorin Circle Theorem (GCT). First, note that for any $i$ and $j$, $|\lambda_i\lambda_j^* - \mu_i\mu_j^*| \le 2$. From the GCT the 1-norm of $O$ is at most the sum of the absolute values of all of its matrix elements. Notice that $O = \sum_{a\ge 0,k\ge 1}\sum_{i=0}^{n}\sum_{j=0}^{n}\left(\lambda_i\lambda_j^* - \mu_i\mu_j^*\right)I_{a,a+k,i,j}|a\rangle\langle a+k| + \sum_{a\ge 0,k\ge 1}\sum_{i=0}^{n}\sum_{j=0}^{n}\left(\lambda_i\lambda_j^* - \mu_i\mu_j^*\right)I_{a+k,a,i,j}|a+k\rangle\langle a|$ (D34) Hence we obtain from the GCT that $\left(|I_{a,a+k,i,j}| + |I_{a+k,a,i,j}|\right)$, where we have used the triangle inequality in the second inequality above. Using the fact that $I_{a,a+k,i,j}$ is only non-zero when $j - i = k$, and similarly for $I_{a+k,a,i,j}$, we get $\left(|I_{a,a+k,i,i+k}| + |I_{a+k,a,i+k,i}|\right)$.
where $\mathcal{E}_j$ denotes an encryption operator on the $j$th mode. Now let $\mathcal{I}$ denote the identity channel on a single mode. Then for any two $m$-mode states $\rho = \rho_1\otimes\cdots\otimes\rho_m$ and $\tau = \tau_1\otimes\cdots\otimes\tau_m$ with a tensor product structure, we can write $(\mathcal{E}_1\otimes\cdots\otimes\mathcal{E}_m)(\rho) - (\mathcal{E}_1\otimes\cdots\otimes\mathcal{E}_m)(\tau) = \mathcal{E}_1(\rho_1)\otimes\cdots\otimes\mathcal{E}_m(\rho_m) - \mathcal{E}_1(\tau_1)\otimes\cdots\otimes\mathcal{E}_m(\tau_m) = A_1\otimes\cdots\otimes A_m - B_1\otimes\cdots\otimes B_m$ (E1) where $A_j = \mathcal{E}_j(\rho_j)$ and $B_j = \mathcal{E}_j(\tau_j)$. Using the telescoping sum, we have By applying the triangle inequality for the trace norm of each of the above bracketed terms, then we get Using the multiplicativity of the trace norm under the tensor product and the fact that every quantum state has a trace norm equal to one so that $\|A_j\|_1 = \|B_j\|_1$, we find that If every single mode state $\rho_j$ and $\tau_j$ have at most $n$ photons, and every mode is randomly displaced independently with displacement vector taken from a complex Gaussian distribution of standard deviation $\sigma$ and mean 0, using the above inequality, we can see that the trace distance between the encrypted states $A_1\otimes\cdots\otimes A_m$ and $B_1\otimes\cdots\otimes B_m$ is simply at most $m$ times the trace distance between arbitrary displacement-encrypted single mode states with at most $n$ photons.