When the most powerful models are in the cloud, even an “innocent” question to an AI can expose information we did not intend to share. In this post we present a security solution for distributed computing that uses pulses of light, such that any attempt to extract information beyond the permitted scope leaves a physical footprint, thanks to a fundamental quantum principle we will elaborate on later—the no-cloning theorem [1]. The method's practical advantage is that it relies on standard optical communication components, making it immediately relevant for applications in which privacy is a prerequisite, such as medicine and sensitive organizational services.
Advertisement
Have you ever asked an AI system such as GPT, Claude, or Gemini a personal question, something you would rather not reveal? Today the server side promises not to misuse your data, but we would like a mathematical guarantee that the information is protected. You are not alone in this problem. Hospitals also want to use advanced models for medical diagnosis, like the ones offered by the Israeli company Aidoc [2], yet regulations restrict sending private information to the cloud [3].
This gap stems from the way most artificial intelligence actually works. The best models are also computationally expensive, so they run on powerful cloud servers. To get an answer, the client sends input to the server, and it is sometimes sensitive input.
In such a scenario there are two secrets. On one side stands the client, a private individual or a hospital that wants an answer without exposing its data. On the other side stands the server that holds the model. It wants to protect its “recipe”: the internal numbers called weights [4]. The weights are what the model “learned” after long training and are highly valuable.
Mathematically, this is a variation of a known problem: secure multiparty computation. We want to compute a function of several private inputs but reveal only the output. Here the function is “run the model on the input,” and the private inputs are both the client’s data and the server’s parameters.
There are cryptographic solutions that allow computation on encrypted data, but their computational cost is usually high, so they are not yet practical. Sometimes they also rely on the assumption that no one can solve a hard mathematical problem in reasonable time [6]. In our paper we wanted something stronger: cybersecurity based on the laws of physics.
Our tool is light [7]—not as an analogy, but as a computing medium. We encode numbers into weak laser pulses that travel through optical fibers, exactly the infrastructure upon which the internet already relies. The encoding uses two properties of a light wave: intensity and phase. Phase is the “position” of the wave within its cycle. In this way, light carries the information.
In computer science it is convenient to treat information as abstract. In reality, information is always “stored” in the physical state of a system: a voltage level in a transistor, or in our case the intensity and phase of light. In the quantum world one cannot perfectly copy an unknown state. This is the no-cloning principle [1]. This means that an attempt to extract information through measurements changes the signal and thus adds noise. In ordinary electronic systems, these quantum effects are negligible compared with other noise sources, so it is hard to harness them for security. In weak light, however, quantum noise is a significant part of the story and can be used to detect an attempt to “measure too much.”
Our innovative tool is a “coherent linear-algebra engine.” It is designed for the most common operation in AI systems: the weighted sum of numbers. In our model, the client does not send its data to the server; on the contrary, the server sends its weights to the client, who must perform the computation without learning anything about the weights and then prove this to the server. The server transmits the weights to the client encoded in weak light pulses called “coherent states” [7]. Without measuring the weights’ values, the client routes them through optical components that mix the weights with the desired input in such a way that the result of the computation is concentrated in a single pulse (or “mode”). The client isolates and measures that single mode to obtain the result. All the other modes are sent back to the server as proof that the client did not “touch” the weights beyond what was necessary. The computing on the client side is enabled by shifting from digital computation to light-based computation. Such optical processing can allow faster computation at a lower energy cost and serve as a practical stepping-stone toward quantum computing. The novelty of the present work lies in the information-security aspect.
Security here is two-sided. The client measures only the light needed for the computation, while the remaining light is returned to the server for security checks. If extra measurements were taken along the way to learn the weights, this shows up as higher noise in the light that returns to the server. The server can measure this noise and thus derive a mathematical bound on how much information could have leaked.
We tested the idea on the MNIST task: Classification of images of handwritten digits [5]. It is a relatively simple task, but it allows a clean measurement of the trade-off between computational accuracy and security. We found that one can achieve accuracy above 95 percent, while simultaneously obtaining a very low quantitative bound on information leakage: Less than a tenth of a bit on average per weight and per input component.
Another advantage is engineering accessibility. Our protocol relies on well-known components from optical communications: lasers, fibers, amplifiers, and detectors, such as homodyne detection, a standard technique in optical communication. It does not require a quantum computer or changes to infrastructure—just smart use of what is already inside communication racks.
The security mechanism is based on the fact that additional measurements leave a footprint that can be detected and quantified. Such a mechanism mainly provides an after-the-fact alert about cheating attempts, but we would like to guarantee in advance that no side can extract more information than allowed. To move toward this goal, in the paper we propose an encoding method that combines deliberate randomness to hide the secret information and methods that limit the accumulation of information leakage when the model is used repeatedly.
The next step is to extend the method to multi-party scenarios such as federated learning, where several organizations train a model together without sharing raw data, and to build a laboratory prototype. Thus, tools from quantum physics connect directly to the classical cryptographic problem: Computing together without relinquishing privacy.
The research described in this article was conducted by Kfir Sulimany together with Sri Krishna Vadlamani, Ryan Hamerly, Prahlad Iyengar, and Dirk Englund, focusing on how photonic quantum technology can be combined with deep learning to enable two-sided secure cloud computation. The original paper on which this article is based can be found in [9].
Hebrew editing: Shir Rosenblum-Man
English editing: Elee Shimshoni
References:
Postdoc at MIT and incoming faculty member at the Faculty of Electrical & Computer Engineering, Technion
Faculty member at the School of Electrical Engineering, Faculty of Engineering, Tel Aviv University
