Experimental Demonstration of Quantum Fully Homomorphic Encryption with Application in a Two-Party Secure Protocol

A fully homomorphic encryption system hides data from unauthorized parties, while still allowing them to perform computations on the encrypted data. Aside from the straightforward benefit of allowing users to delegate computations to a more powerful server without revealing their inputs, a fully homomorphic cryptosystem can be used as a building block in the construction of a number of cryptographic functionalities. Designing such a scheme remained an open problem until 2009, decades after the idea was first conceived, and the past few years have seen the generalization of this functionality to the world of quantum machines. Quantum schemes prior to the one implemented here were able to replicate some features in particular use-cases often associated with homomorphic encryption but lacked other crucial properties, for example, relying on continual interaction to perform a computation or leaking information about the encrypted data. We present the first experimental realisation of a quantum fully homomorphic encryption scheme. We further present a toy two-party secure computation task enabled by our scheme. Finally, as part of our implementation, we also demonstrate a post-selective two-qubit linear optical controlled-phase gate with a much higher post-selection success probability (1/2) when compared to alternate implementations, e.g. with post-selective controlled-$Z$ or controlled-$X$ gates (1/9).

A fully homomorphic encryption system hides data from unauthorized parties, while still allowing them to perform computations on the encrypted data. Aside from the straightforward benefit of allowing users to delegate computations to a more powerful server without revealing their inputs, a fully homomorphic cryptosystem can be used as a building block in the construction of a number of cryptographic functionalities. Designing such a scheme remained an open problem until 2009, decades after the idea was first conceived, and the past few years have seen the generalization of this functionality to the world of quantum machines. Quantum schemes prior to the one implemented here were able to replicate some features in particular use-cases often associated with homomorphic encryption but lacked other crucial properties, for example, relying on continual interaction to perform a computation or leaking information about the encrypted data. We present the first experimental realisation of a quantum fully homomorphic encryption scheme. We further present a toy two-party secure computation task enabled by our scheme. Finally, as part of our implementation, we also demonstrate a post-selective two-qubit linear optical controlled-phase gate with a much higher post-selection success probability (1/2) when compared to alternate implementations, e.g. with post-selective controlled-Z or controlled-X gates (1/9).

I. INTRODUCTION
In 1978, Rivest, Adleman, and Dertouzos first imagined constructing a cryptosystem with the property that a party without a valid secret key required for decryption can nevertheless correctly evaluate a function f directly on a ciphertext x, without learning anything about either f (x) or x [1]. In addition to the obvious benefit of being able to delegate computation to a party that is otherwise not trusted with private data, cryptographers have observed that elegant cryptographic solutions to particularly interesting tasks can be constructed on top of a fully homomorphic encryption scheme-secure multiparty computation, non-interactive zero-knowledge proofs, one-time programs, to name a few [2][3][4][5][6]. Despite the apparent utility of such an encryption scheme, the question of whether it was possible to efficiently construct one remained open until 2009 when the first fully homomorphic encryption (FHE) scheme was constructed for classical machines [7].
In quantum computing, a range of works have addressed the closely related problem of secure delegated computing [8][9][10][11][12][13][14][15] wherein Alice (whose quantum com-puter may be of limited power) can implement a quantum computation with the help of Bob (who possesses a more powerful quantum computer), without revealing her computation (or equivalently, her input). In these secure delegated quantum computing schemes, interaction between Alice and Bob can occur repeatedly as they collaborate to perform the desired computation. By contrast, in a fully homomorphic setting Bob is allowed to apply any quantum computation of his choice without further assistance from Alice. A secure delegated computing scheme therefore is not amenable to the wider gamut of cryptographic uses that a true FHE scheme should be, even if they are similar in spirit insofar as both allow delegation of computation on private data.
The question of quantum fully homomorphic encryption was studied more recently. The first proposals treated the problem in an information-theoretic security setting, where QFHE was subsequently shown to be impossible unless severe compromises to universality or security were made [16]. Schemes that were proposed under this model [17,18], and subsequently demonstrated experimentally [19], leaked parts of the input and therefore do not satisfy mainstream notions of cryptographic security. Under standard cryptographic security, analogous to classical FHE where security necessarily requires computational assumptions, two QFHE schemes were theoretically proposed for tasks with a limited number of T gates [20]. This work left open the question of QFHE for arbitrary quantum circuits, but could be seen as the first QFHE scheme for circuits with a small number of T gates. A theoretical extension later removed this limitation to enable QFHE on circuits with an arbitrary number of T gates [21].
In this work, we implement and experimentally demonstrate for the first time a QFHE scheme proposed in [20]. In addition to the core scheme, we also experimentally demonstrate a small two-party task enabled by QFHE that cannot otherwise be performed. In this task Alice and Bob are to compare and compute the inner product between their qubit states, without being able to learn any additional information (e.g. tomographically complete statistics) about the other party's state. Various two-and three-qubit circuits in these demonstrations are implemented optically in a four-photon setup, with each qubit encoded in photon polarisation and one photon serving as herald. Our experiment includes a novel realisation of a phase-add gate, a two-photon operation with post-selection success probability of 1/4; far higher than 1/9 for an equivalent implementation with a more typical post-selective two-qubit gate in photon polarisation.
The rest of this paper is structured as follows. In section II we lay out various attributes required in a QFHE scheme followed by a detailed description of the protocol that we implemented. Section III describes our experimental apparatus and then proceeds to discuss data showing the core QFHE scheme at work. Finally, section IV details the two-party computation task and discusses experimental data pertaining to it.

II. THEORY BACKGROUND
A. What makes an encryption scheme homomorphic?
A public key encryption scheme describes a procedure E pk for encrypting a plaintext φ using a public key, pk, to get a ciphertext E pk (φ); as well as a procedure D sk for decrypting a ciphertext ψ = E pk (φ) to recover the plaintext φ = D sk (ψ) using the secret key sk.
A homomorphic encryption scheme derives its name from the fact that, operationally, it behaves like a homomorphism between plaintext and ciphertext (call these φ and ψ respectively). Loosely speaking, each valid operation (e.g. modular addition/multiplication) on φ maps to a well-defined operation on the corresponding ψ, called an 'evaluation map'. If we write an operation between plaintext as , and the corresponding operation (or evaluation map) between ciphertext as •, we want: E pk (φ 1 φ 2 ) ≡ E pk (φ 1 ) • E pk (φ 2 ) = ψ 1 • ψ 2 for any φ 1 and φ 2 .
While the description above serves as a useful template, no fully homomorphic cryptosystem in practice actually works by leveraging homomorphisms in E pk and D sk in the strict sense. Instead, the evaluation map for an operation takes, as input, ciphertext ψ 1 and ψ 2 and outputs a ciphertext that would decrypt to φ 1 φ 2not necessarily the same ciphertext you would get from encrypting φ 1 φ 2 directly. On a quantum machine, |φ and |ψ are states in a Hilbert space acted upon by quantum channels, for example, a unitary gate, or sequence of gates, U . By analogy, for quantum homomorphic encryption, the evaluation map for U is a quantum channel U with the property: D sk U E pk |φ = U |φ .
To be considered fully homomorphic, we require an encryption scheme to satisfy certain properties: • There must be an efficiently computable evaluation map for any valid operation on the plaintext. In a gate-based quantum computing model this means every gate in a universal gateset (e.g. Clifford + T). A scheme that is only partially homomorphic (RSA cryptosystem [22], famously homomorphic only in multiplication modulo N ) doesn't lend itself to many use-cases often associated with FHE.
• A party (say Bob) in possession of ψ ought be able to perform the evaluation map for an arbitrary sequence of gates U of his choice without further assistance from other parties (say Alice). In practice, we augment this by allowing Alice to supply a combination of specially prepared qubits and classical data collectively called the 'evaluation key'. Crucially, these should be generated at the same time as Alice prepares ψ, and must not themselves depend on U .
• The scheme should be compact, meaning that the difficulty of decrypting the output of the evaluation map for U should not depend on the difficulty of computing U . At the very least, decryption should not be as difficult as computing U , otherwise homomorphic evaluation becomes trivial: simply append a description of U to a ciphertext, and leave Alice to apply it as part of the decryption procedure.
B. An almost-homomorphic scheme To construct a QFHE scheme, we begin with the secure delegated computation scheme in [15], which we briefly describe here. Alice generates random classical bits a, b ∈ {0, 1} and encrypts her qubit by applying corresponding Pauli operators: |ψ = Z a X b |φ . If a and b are drawn from a uniform distribution and used as one-time-pads, |ψ looks like the maximally mixed state to everyone but Alice. Bob then proceeds to compute on this ciphertext with some unitary U to produce U |ψ .
If U consists only of a sequence of Clifford gates then Alice can decrypt and obtain the correct (computed) plaintext again by applying the correct Pauli operators: Z a X b U |ψ = U |φ . As long as Bob's gate sequence U is known to Alice, she can deduce the correct decryption keys (a and b ) from her encryption keys (a and b) (see Table I).
A non-Clifford element, like the T gate (T = |0 0| + e iπ/4 |1 1|), must be added to the Clifford set for quantum computation to be universal. However, as soon as Bob performs a T gate, decryption requires more than just Pauli operators. As shown in Fig. 1 a phase gate that isn't otherwise part of U may need to be applied, depending on encryption key b and all Clifford operators that precede the T gate.
Performing the phase correction without requiring Alice to divulge encryption key b to Bob can be done with an ancilla qubit containing the correct phase. Each time Bob performs a T gate, he communicates to Alice all operations performed prior to that T gate. Alice prepares an ancilla with an appropriate phase. Bob uses this ancilla in the simple teleportation circuit in Fig. 2, which allows that phase (modulo π) to be 'kicked back' onto |ψ thereby performing the desired post-T -gate phase correction.
A non-Clifford gate, like T , potentially requires additional π/2 phase correction here written as a P gate. Shortcomings in this almost-homomorphic protocol are clear. Primarily, it is an interactive one: every time Bob performs a T gate, he must communicate with Alice. Both quantum (ancilla qubit) and classical (Bob's description of U ) data must be exchanged during each interaction. More critically, preparation of ancilla and decryption of ciphertext can only be done if Alice knows Bob's computation, U . Neither of these attributes is desired in a QFHE scheme.

C. A QFHE scheme
The scheme implemented in this paper, which was first proposed and theoretically analysed in [20], makes the following crucial modifications to the protocol just described above to make it homomorphic: • First, we 'front-load' preparation of all ancilla qubits. During encryption Alice prepares two ancilla qubits: |ξ a = Z q P a |+ and |ξ b = Z r P b |+ where q, r ∈ {0, 1} is another set of random bits.
Observe from Table I that single-qubit Clifford gates can transform each decryption key into just three possible values: they become either a, b, or a + b. If the Clifford sequence preceding a T gate implies b = a or b = b, Bob uses |ξ a or |ξ b respectively in a teleportation circuit ( Fig. 2) to apply the require phase correction. But if b = a+b, Bob first applies that teleportation between the ancillas to obtain: Z s P a+b |+ , which has the correct phase. This resulting qubit is then used as before to correct the phase on |ψ (see Table II). If additional T gates are anticipated in the gate sequence, Alice simply prepares more ancillas correspondingly.
• Second, we leverage a classical FHE scheme to make our quantum protocol truly homomorphic. As she prepares ciphertext |ψ , Alice also homomorphically encrypts her encryption keys: a → Enc (a) and b → Enc (b), and sends them to Bob. During evaluation, as he computes U |ψ , Bob also transforms these encrypted classical keys correspondingly: Enc (a, b) → Enc (a , b ). We stress that Bob can do this only because the (classical) encryption on a and b is fully homomorphic.
These modifications together address shortcomings in the almost-homomorphic scheme that we've described. The first modification makes the protocol noninteractive. All resources that Bob needs to evaluate his circuit correctly, including ancilla qubits, are prepared and sent at the beginning of the protocol. Combining the protocol with classical FHE negates the need for Alice to be cognizant of Bob's circuit -the homomorphically encrypted secret key, suitably modified by Bob during computation, allows her (and only her) to correctly decrypt |ψ . In section IV we discuss a use-case in which these features are important.
No protocol is without caveats however. Briefly, the reader should be aware that the QFHE protocol we demonstrate here: a) assumes the existence of a classical FHE that is secure against a quantum adversary and b) requires an evaluation key (i.e. ancilla qubits) whose size grows doubly exponentially with the T -depth (i.e. number of layers of T gates sequentially applied). A clever way to modify evaluation of T gates in order to solve (b) was proposed in [21]. However, if Bob's circuit is known to have a fixed T -depth, as in our implementation, then this is not an issue. With regards to (a), known classical FHE schemes are believed to be resistant to quantum attacks [23].

III. EXPERIMENTAL REALISATION
We implemented the core QFHE protocol described above in section II C in an optical setup. Our implementation accommodates a total of three (1 data + 2 ancilla) logical qubits and is capable of performing arbitrary single-qubit rotations, but is limited to a single twoqubit gate per pair of qubits and to circuits of T -depth one (i.e. no cascaded T gates). These latter restrictions are simply due to the limited scale of the specific setup we constructed in our laboratory, and do not imply any fundamental limitation of the protocol in general.  Table II. Each incoming rail from the left is a separate photon from an SPDC event (see Figure 4 for source schematic). Liquid-crystal retarders allow us to modulate the phase of a qubit much more quickly and precisely than a motorised waveplate mount. Two-qubit gates shown here in dashed boxes can be bypassed as necessary, either by swapping a photon onto another rail or by translating "CNOT 1" out of the optical path.
A key distinguishing feature of our protocol is its handling of encryption/decryption by Alice as well as T gates performed by Bob. The reader will recall that Clifford gates preceding a T gate modify the secret key in just one of three ways, each of which necessitates a different usage of the ancilla qubits. We sought to demonstrate our protocol is both correct and secure when handling each of these three canonical cases involving a T gate. To this end, we realised the three corresponding circuits shown in Table II in our optical implementation.
Qubits in our implementation are encoded in the polarisation degree-of-freedom of photons. Single-qubit gates are realised using standard birefringent polarisation optics. Two-qubit gates, specifically controlled-X and controlled-Z gates, are implemented post-selectively by leveraging bosonic bunching or the Hong-Ou-Mandel (HOM) effect [24][25][26][27]. Fig. 3 shows a schematic of our optical apparatus.
Photons in our experiment are produced in a type-1 spontaneous parametric down conversion (SPDC) source. The source is a 2mm thick BBO crystal pumped with 404nm blue light produced via second harmonic generation (SHG). The SHG setup is in turn pumped with a Ti:Sapphire laser (Coherent Chameleon Ultra) configured to pulse with a repetition rate of 80MHz, center wavelength of 808nm and transform-limited pulse duration of 150fs. Fig. 4 shows a schematic of our source. During use, photons from this source are spectrally narrowband-filtered (3nm FWHM, Edmund Optics). When power for the blue (404nm) pump is set to The classical FHE that we have selected for encrypting all classical keys is the "Brakerski-Gentry-Vaikuntanathan" scheme [28] as implemented in the 'HElib' library [29], lightly modified for easy integration with the experiment. The library was called with a plaintext base p = 2, security parameter k = 80 and number of plaintext slots l = 150.

A. A novel optical gate architecture for adding phases
General two-qubit gates in our experiment are implemented via second order interference of indistinguishable photons at a beamsplitter. If the beamsplitter is carefully designed to fully transmit and not reflect horizontal polarised photons (T H = 1, R H = 0), while partially reflecting vertical polarised photons (T V = 1/3, R V = 2/3), one can easily show that the effective operation upon postselection in the coincident basis is a controlled-Z gate in polarisation [26]. In Fig. 3 we refer to such an optical element as a partially polarising beamsplitter (PPBS). We note that the post-selection success probability here is 1/9.
Observe, however, that it is not always necessary to implement a general controlled-X. The controlled-X between ancillas in case 3 of Table II, for example, merely serves as a means of accomplishing phase addition (modulo π) between |ξ b and |ξ a . That is, we want a channel such that: However, since both ancillas are confined to states on the equator of the Bloch sphere, it turns out we can be more efficient by replacing the PPBS with a fully polarising beamsplitter (PBS, i.e., T V = 0, R V = 1). Consider the mode transformation of the PBS followed by a Hadamard gate (i.e., halfwave plate at 22.5 deg) on one output arm, acting on ancilla states |0 + e iα |1 and |0 + e iβ |1 (in our convention, a photon in H or V polarisation encodes |0 or |1 respectively): whereâ † andb † are bosonic creation operators in the two input/output modes of the PBS. Subscripts on these operators label polarisation. The Hadamard gate following the PBS acts on mode b. In the last line, we've omitted terms that do not contribute to coincidence events between modes a and b. Now post-selecting on finding a photon in either H or V (i.e. |0 or |1 ) in mode b, we find the photon in mode a is left in state |ζ : Note that |ζ , when post-selection onb † V succeeds, is exactly the qubit state that we expect on the middle rail in case 3 of Table II, when classical bit k 1 = 0. If postselection onb † H succeeds on the other hand, |ζ does not quite correspond to k 1 = 1. Nevertheless, |ζ carries the correct phase modulo π so all that is required is that we update the key transformation rule indicated in Table II. That rule should now read: where we now define k 1 = 0 when post-selection onb † V succeeds and k 1 = 1 whenb † H succeeds. We also note that the success probability for postselection of each polarisation on the b mode photon is 1/4, so that the total post-selection success probability is 1/2. This is far more efficient than 1/9, which we expect from a general controlled-X.

B. Data and results
With the optical apparatus shown in Fig. 3 we implemented the circuits in Table II. These were designed to highlight our protocol's novel aspects under three canonical secret key transformations (discussed in section II C) due to Cliffords preceding a T gate; T |ψ , T H |ψ , T HP |ψ being the simplest of these.
Alice prepares and encrypts her data qubit in the photon on the top-left rail. She also prepares two appropriate ancillas encoded in photons on the two bottom-most rails. When implementing cases 1 and 2 (i.e. when Bob evaluates T |ψ or T H |ψ ), the phase-add gate is not required so we swap the appropriate ancilla up into the second rail, where it is then allowed to interact with the ciphertext qubit at "CNOT 1". When implementing case 3 (i.e. when Bob evaluates T HP |ψ ), phases on both ancillas are first summed at the phase-add gate. Meanwhile, the ciphertext qubit is allowed to bypass "CNOT 1" (relevant optical components are moved out of that photon's path). The ciphertext qubit that began as the top-left photon now propagates directly to "CNOT 2", where it is entangled with the remaining ancilla (the other now serves as a herald for successful operation of the phase-add gate).
All (classical) bits resulting from measurement that Bob performs while evaluating T |ψ , T H |ψ , or T HP |ψ are sent back to Alice in order that she be able to perform decryption correctly. To verify that the protocol works as advertised, Alice prepares a variety of plaintext states and measures in a variety of bases after decryption so as to be able to infer the process map for Bob's evaluation. If indeed the protocol is correct, Alice's tomographic reconstruction of Bob's process should closely match the ideal T , T H, or T HP unitary.
We further repeat the experiment, this time with Alice's secret keys purged and replaced with a set of erroneous keys before she has a chance to decrypt ciphertexts returned by Bob. In this case, we expect the tomographically reconstructed process to be the completely depolarising channel instead. Decryption with erroneous keys is accomplished by asking HElib to generate two sets of keys, sk 1 and sk 2 , and programming Alice to compute Dec sk2 (Enc sk1 (a, b, i, j)), thereby simulating what an attacker with no access to the correct key sk 1 might observe. Figures 5, 6, and 7 show plots of how a unit (Bloch) sphere transforms under each canonical gate sequence enumerated in Table II We compare our experimentally reconstructed channels with an ideal desired channel by calculating the average process fidelity [30]. When decryption is done correctly, these process fidelities are 96.1%, 96.2%, and 83% with respect to the ideal T , T H, and T HP unitary respectively. When decryption is not done correctly, the corresponding process fidelites are 51.7%, 47.4%, and 50.2% (the fully depolarising channel has process fidelity of 50% with respect to any unitary). We also compare these latter channels directly with the ideal fully depolarising channel, yielding process fidelities of 99.8%, 99.7%, and 99.4% respectively, suggesting that any attempt to decrypt the ciphertext with an erroneous key will only result in noise.
In the case of correct decryption, the primary limiting factor for these experimental process fidelities is the quality of our two-qubit gates. In turn, the dominant source of error in these gates is imperfect two-photon interference visibility. Photons from the same SPDC event (i.e., "intra-pair") exhibited HOM interference contrast of 97.0 ± 0.5% at a 50/50 BS (∼ 77% at a PPBS, where 80% is expected) whereas photons from different SPDC events (i.e., "inter-pair") had a contrast of 90.0 ± 1.5% (∼ 72% at a PPBS). Experimental fidelity for the T HP unitary is significantly worse than the other two because of the need to cascade two two-qubit gates, thereby compounding errors. Specifically, the phase-add gate is followed by "CNOT 2" as described above and shown in Fig. 3, the latter operating by HOM interference between photons from different SPDC events. Recall that our experimental two-qubit gates yield the correct processes when second-order interference between two single-mode bosonic creation operators occurs at a beamsplitter followed by post-selection on exactly one boson in each output mode. Practical limitations in construction of the apparatus (e.g. imperfect alignment of collection modes, defects in collection optics, and variances in spectral profile of narrowband filters) contribute to finite interference contrasts. Furthermore, inter-pair photons may not have the same (coherent) spectral correlations that exist in intra-pair ones, thereby partially invalidating the single-mode assumption.
A less obvious but equally important effect is the contribution of parasitic processes that lead to unwanted coincidence events. For instance, higher-order SPDC events that yield more than one photon per output mode can contribute to successful post-selection (i.e., coincidence) events that do not yield the desired output states. Similarly, because our coincidence windows while small are nevertheless finite, two uncorrelated photons or detector noise can nevertheless register erroneously but positively on our coincidence circuit.
Practical limitations imposed by equipment or procedural imperfections cannot be remedied easily. And while background processes due to higher-order SPDC events can be mitigated by reducing pump power, doing so results in impractically small signals. However, since our apparatus is sufficiently well characterised, we can calculate the expected prevalence of background processes described above and subtract them from our signal in post-processing. Background-subtracted experimental data for the T HP unitary is shown in Fig. 8. With background subtraction, process fidelity for the tomographic reconstruction of the THP unitary with correct decryp-tion increases from 83% to 94%.
In the interest of thoroughness, we have also presented the same data in bar-chart form in Figs. 9 through 11. Those figures show the magnitude of elements of the process matrix. In the Kraus representation of a qubit map ρ out = j K j ρ in K † j , the matrix M jk = χ jk + iξ jk succinctly defines Kraus operators K i in terms of a standard Pauli basis: K j = k (χ jk + iξ jk ) σ k . Here χ, ξ ∈ R and σ k is to be interpreted as a Pauli matrix with the following labelling: σ 0 = I, σ 1 = X, σ 2 = Y , and σ 3 = Z. Reconstructions were performed using standard maximum likelihood estimation (MLE) [31]. In this section, we describe a protocol we developed in order to demonstrate a use-case for QFHE that is otherwise difficult to accomplish. Imagine Alice and Bob each possesses a qubit state, ρ α and ρ β respectively. They are tasked with finding the inner product or fidelity between their states D αβ = Tr ρ 1/2 However, they wish to do this without sharing any more information about their qubit state than strictly necessary. Here we describe a protocol that accomplishes this in the so-called 'honest-but-curious' setting -i.e., we merely seek to secure data from curious prying eyes, but we assume that Alice and Bob are honest at carrying out their tasks and therefore make no attempt at verifying computation to guard against erroneous results. A simple solution to learning D αβ for pure states is the comparator circuit shown in Fig. 12. It is easy to show (see Appendix) that under this circuit, the projector Π 1,1 = |1 1| ⊗ |1 1| has an expectation value that directly yields infidelity Π 1,1 = 1 2 1 − D 2 αβ . If ρ α or ρ β is mixed, we must replace D 2 αβ in the last equation with D . Note, for consistency, that this reduces back to | α|β | 2 = D 2 αβ for pure states. We build our protocol on this simple comparator circuit with these slight additions.
As prescribed by our QFHE scheme, Alice encrypts all n copies of her qubit by preparing σ Z a X b ρ ⊗n α X b Z a and sends them all at once to Bob along with classically homomorphically encrypted keys Enc ( a) and Enc b . Here, a, b ∈ {0, 1} ⊗n and X a is to be interpreted as X a1 ⊗ · · · ⊗ X an . Bob in turn performs the comparator circuit between each of Alice's qubit σ (i) α and his own ρ β . Figure 13 illustrates this. After measuring the i-th pair of qubits, Bob homomorphically adds classical outcomes k . Referring to key transformation rules in Table I, note that once Alice decrypts these and computes , she correctly obtains Π 1,1 . Addition & multiplication in the summands are modulo 2, whereas the top-level summation is on the full set of integers. An essential step in our protocol is for Bob to scramble the order of Enc a i + k where s (i) is a random permutation on the set {1, ..., n}. This is important in order to ensure the security of Bob's qubit which, unlike Alice's qubit, is not encrypted. Absent this scrambling, Alice can prepare and keep track of the inner product between Bob's qubit and a variety of states of her choosing, thereby effectively doing tomography on Bob's state. This completes the description of our protocol.

B. Experimental Demonstration
We implement this protocol by using a subset of our full setup, with minimal modifications. Figure 14 illustrates this. Computer-controlled waveplates representing Alice and Bob were programmed to randomly select and prepare qubits from a predefined set of logical/plaintext states (determined by range and precision of motion of our motorised actuators). In Alice's case, these waveplate settings take into account randomly generated one-timepads. The infidelity between Alice's and Bob's states is then measured as described above and plotted against its actual value in Fig. 15. As we have done in previous sections, we also ran the protocol for the same set of logical input states but with an intentionally erroneous decryption key. The result is shown in Fig. 16. Every point in each of these plots contains ∼ 960 photons or qubits.
Observe in Fig. 15 that in the case of correct decryption 2 Π 1,1 shows good agreement with theoretically expected values (dashed line), indicating the protocol indeed allows Alice retrieve the infidelity between her state and Bob's. By comparison, in Fig. 16 where decryption is done incorrectly, 2 Π 1,1 hovers near a constant 0.5 (i.e., the infidelity w.r.t. the maximally mixed state), suggesting that anyone without the secret key gains no information about that infidelity.

V. DISCUSSION AND CONCLUSION
In this work we constructed, implemented, and demonstrated a fully homomorphic encryption scheme for universal gate-based quantum computers first proposed in [20] and extended in [21]. With this scheme, any party in possession of encrypted qubits may evaluate a quan-tum circuit of their choice. This is accomplished with the aid of ancillas and classical bits prepared at the time of encryption and transmitted along with the ciphertext. Multiple use of a communication channel, quantum or classical, is not required. Explicit knowledge of the circuit(s) evaluated is not necessary for correct decryption. Furthermore, we make no concessions on security apart from assumptions that underlie the classical homomorphic cryptosystem that we use to construct our scheme. Previously demonstrated schemes compromise on one or more of these attributes.
We also solve the simple task of computing the innerproduct of two qubit states securely; that is, without allowing either party to tomographically characterise the other's qubit. Our encryption scheme provides for an elegant solution to this task, which is otherwise difficult to accomplish.
While our scheme is secure in theory, we note that our optical implementation relies on post-selections that do not always succeed. This, along with practical experimental losses, implies that a significant number of photons that carry the same qubit state will fail to register on our detectors. Keys that in theory ought to be one-time-pads may no longer actually be used exactly once in practice, and a would-be attacker could siphon off these otherwise 'lost' photons to gain information about plaintexts. Nevertheless, we stress that these are technical shortcomings that can be remedied in a production setting, for example by greatly increasing key-switching rate (impractical in our setup) or simply using a different physical platform and/or gate design entirely.