Can we verify quantum computations by a classical computer? This problem had been a major open problem in the field until Mahadev [Mah18] finally gave an affirmative solution. Specifically, she constructed an interactive protocol between an efficient classical verifier (a BPP machine) and an efficient quantum prover (a BQP machine) in which the verifier can verify the result of the BQP computation. (In the following, we call such a protocol a CVQC protocol; "CVQC" stands for "Classical Verification of Quantum Computations".) Soundness of her protocol relies on the computational assumption that the learning with errors (LWE) problem [Reg09] is hard for efficient quantum algorithms, an assumption widely used in cryptography. We refer to the extensive survey by Peikert [Pei16] for details about LWE and its cryptographic applications.
Though her result is a significant breakthrough, there are still several drawbacks. First, her protocol has soundness error , which means that a cheating prover may convince the verifier with probability at most even if it does not correctly perform the BQP computation. Though we can reduce the soundness error exponentially by sequential repetition, we need a super-constant number of rounds to make the soundness error negligible. If parallel repetition worked to reduce the soundness error, we would not need to increase the number of rounds. However, parallel repetition does not reduce the soundness error of computationally sound protocols in general [BIN97, PW07]. Thus, it has remained open to construct a constant-round protocol with negligible soundness error.
Another issue is the verifier's efficiency. In her protocol, for verifying a computation that is done by a quantum computer in time , the verifier's running time is as large as . Considering a situation where a device with weak classical computational power outsources computations to an untrusted quantum server, we want to make the verifier's running time as small as possible. This problem has been studied extensively in the setting where the prover is classical, and there we know solutions in which the verifier's running time depends only logarithmically on [Kil92, Mic00, KRR13, KRR14, GKR15, RRR16, BHK17, BKK18, HR18, CCH19, KPY19]. Ideally, we would like a CVQC protocol where the verifier runs in logarithmic time.
1.1 Our Results
In this paper, we resolve the above drawbacks of Mahadev's protocol. Our contribution is divided into three parts:
We show that the parallel-repetition version of Mahadev's protocol has negligible soundness error. This gives the first constant-round CVQC protocol with negligible soundness error.
We construct a two-round CVQC protocol in the quantum random oracle model (QROM) [BDF11], where a cryptographic hash function is idealized as a random function that is accessible only as a quantum oracle. This is obtained by applying the Fiat-Shamir transform [FS87, LZ19, DFMS19] to the parallel-repetition version of Mahadev's protocol.
We construct a two-round CVQC protocol with a logarithmic-time verifier in the CRS+QRO model, where both prover and verifier have access to a (classical) common reference string generated by a trusted third party in addition to quantum access to the QRO. For proving soundness, we assume that a standard-model instantiation of our two-round protocol with a concrete hash function (say, SHA-3) is sound, and we assume the existence of post-quantum indistinguishability obfuscation [BGI12, GGH16] and (post-quantum) fully homomorphic encryption (FHE) [Gen09], in addition to the quantum hardness of the LWE problem.
1.2 Related Works
Verification of Quantum Computation.
There is a long line of research on verification of quantum computation. Apart from solutions relying on computational assumptions, there are two types of settings in which verification of quantum computation is known to be possible. In the first setting, instead of considering a purely classical verifier, we assume that the verifier can perform a certain kind of weak quantum computation [BFK09, FK17, ABOEM17, MF18]. In the second setting, we assume that the prover is split into two remote servers that share entanglement but do not communicate [RUV13]. Though these works do not give a CVQC protocol in our sense, their advantage is that no computational assumption is needed for the proof of soundness; thus they are incomparable to Mahadev's result and ours.
Subsequent to Mahadev's breakthrough result, Gheorghiu and Vidick [GV19] gave a CVQC protocol that also satisfies blindness, which ensures that the prover cannot learn which computation is delegated. We note that their protocol requires a polynomial number of rounds.
In a concurrent and independent work, Alagic et al. [ACH19] also show results similar to our first and second results: a parallel repetition theorem for Mahadev's protocol and a two-round CVQC protocol via the Fiat-Shamir transform. We note that our third result, a two-round CVQC protocol with efficient verification, is unique to this paper.
For a finite set , means that is chosen uniformly from . For finite sets and , denotes the set of all functions with domain and range . A function is said to be negligible if for all polynomials and sufficiently large , we have , and is said to be overwhelming if is negligible. We denote by an unspecified polynomial and by an unspecified negligible function. We say that a classical (resp. quantum) algorithm is efficient if it runs in probabilistic polynomial time (resp. quantum polynomial time). For a quantum or randomized algorithm , means that is run on input and outputs , and means that is run on input and randomness and outputs . For an interactive protocol between a "prover" and a "verifier" , means that an interaction between them with prover's private input , verifier's private input , and common input outputs . We denote by the class of languages decided by a quantum algorithm whose running time is at most . We use to denote the security parameter throughout the paper.
2.1 Learning with Errors Problem
Roughly speaking, the learning with errors (LWE) problem is the problem of solving a system of noisy linear equations. Regev [Reg09] proved that the hardness of LWE can be reduced to the hardness of certain worst-case lattice problems via a quantum reduction. We do not give a definition of LWE in this paper, since we use the hardness of LWE only to ensure the soundness of Mahadev's protocol (Lemma 3.1), which is used in a black-box manner in the rest of the paper. Therefore, we use exactly the same assumption as that used in [Mah18], to which we refer for detailed definitions and parameter settings for LWE.
2.2 Quantum Random Oracle Model
The quantum random oracle model (QROM) [BDF11] is an idealized model in which a real-world hash function is modeled as a quantum oracle that computes a random function. More precisely, in the QROM, a random function of a certain domain and range is chosen uniformly from at the beginning, and every party (including an adversary) has access to a quantum oracle that maps to . We often abuse notation and write to mean that a quantum algorithm is given oracle access to .
2.3 Cryptographic Primitives
Here, we give definitions of the cryptographic primitives used in this paper. We note that they are only used in Sec. 5, where we construct the efficient-verifier variant.
2.3.1 Pseudorandom Generator
A post-quantum pseudorandom generator (PRG) is an efficient deterministic classical algorithm such that for any efficient quantum algorithm , we have
2.3.2 Fully Homomorphic Encryption
A post-quantum fully homomorphic encryption scheme consists of four efficient classical algorithms .
The key generation algorithm takes the security parameter as input and outputs a public key and a secret key .
The encryption algorithm takes a public key and a message as input, and outputs a ciphertext .
The evaluation algorithm takes a public key , a classical circuit , and a ciphertext as input, and outputs an evaluated ciphertext .
The decryption algorithm takes a secret key and a ciphertext as input and outputs a message or .
For all , , and , we have
For any efficient quantum adversary , we have
FHE is usually constructed by first constructing leveled FHE, in which an upper bound on the depth of the circuits to be evaluated must be fixed at setup, and then converting it to FHE by the technique called bootstrapping [Gen09]. There have been many constructions of leveled FHE whose (post-quantum) security can be reduced to the (quantum) hardness of LWE [BV11, BGV12, Bra12, GSW13]. FHE can be obtained by assuming that any of these schemes is circular secure [CL01], so that it can be upgraded into FHE via bootstrapping. We note that Canetti et al. [CLTV15] gave an alternative transformation from leveled FHE to FHE based on subexponentially secure iO.
2.3.3 Strong Output-Compressing Randomized Encoding
A strong output-compressing randomized encoding [BFK19] consists of three efficient classical algorithms .
It takes the security parameter , an output bound , and a common reference string as input and outputs an encoding key .
It takes an encoding key, an input , and a time-bound (in binary) as input and outputs an encoding .
It takes a common reference string and an encoding as input and outputs .
For any , , , Turing machine and input such that halts in at most steps and returns a string whose length is at most , we have
There exist polynomials such that for all , , :
If , .
For every Turing machine , time bound , input , if , then ,
The running time of is at most
There exists a simulator such that for any and such that halts in steps and and efficient quantum adversary ,
Badrinarayanan et al. [BFK19] gave a construction of strong output-compressing randomized encoding based on iO and the LWE assumption.
2.3.4 SNARK in the QROM
Let be a quantum random oracle. A SNARK for a language associated with a relation in the QROM consists of two efficient oracle-aided classical algorithms and .
It takes an instance and a witness as input and outputs a proof .
It takes an instance and a proof as input and outputs indicating acceptance or indicating rejection.
We require SNARK to satisfy the following properties:
Completeness. For any , we have
Extractability. There exists an efficient quantum extractor such that for any and any malicious quantum prover making at most queries, if is non-negligible in , then is non-negligible in .
Efficient Verification. If we can verify that in classical time , then for any , runs in classical time .
Chiesa et al. [CMS19] showed that there exists SNARK in the QROM that satisfies the above properties.
3 Parallel Repetition of Mahadev’s Protocol
3.1 Overview of Mahadev’s Protocol
Here, we recall Mahadev's protocol [Mah18]. We only give a high-level description of the protocol and its properties, and omit the details since they are not needed to show our results.
The protocol is run between a quantum prover and a classical verifier on a common input . The aim of the protocol is to enable the verifier to classically verify for a BQP language with the help of interaction with the quantum prover. The protocol is a 4-round protocol in which the first message is sent from to . We denote the -th message generation algorithm by for or for , and denote the verifier's final decision algorithm by . A high-level description of the protocol is given below.
On input the security parameter and , it generates a pair of a "key" and a "trapdoor" , sends to , and keeps as its internal state.
On input and , it generates a classical “commitment” along with a quantum state , sends to , and keeps as its internal state.
It picks uniformly at random and sends to . (The third message is a public coin and does not depend on the transcript so far or on . For the knowledgeable reader, the case corresponds to the "test round" and the case corresponds to the "Hadamard round" in the terminology of [Mah18].)
On input and , it generates a classical string and sends to .
On input , , , , and , it returns indicating acceptance or indicating rejection. In the case , the verification can be done publicly, that is, need not take as input.
For the protocol, we have the following properties:
Completeness: For all , we have .
Soundness: If the LWE problem is hard for quantum polynomial-time algorithms, then for any and a quantum polynomial-time cheating prover , we have .
We need a slightly different form of soundness implicitly shown in [Mah18], which roughly says that if a cheating prover can pass the “test round” (i.e., the case of ) with overwhelming probability, then it can pass the “Hadamard round” (i.e., the case of ) only with a negligible probability.
Lemma 3.1 (implicit in [Mah18]).
If the LWE problem is hard for quantum polynomial-time algorithms, then for any and a quantum polynomial-time cheating prover such that , we have .
We will also use the following simple fact:
There exists an efficient prover that passes the test round with probability (but passes the Hadamard round only with probability ) even if .
3.2 Parallel Repetition
Here, we prove that parallel repetition of Mahadev's protocol reduces the soundness error to negligible. Let and be the -fold parallel repetitions of the honest prover and verifier of Mahadev's protocol. Then we have the following:
Theorem 3.2 (Completeness).
For all , for all , we have .
Theorem 3.3 (Soundness).
For all , if the LWE problem is hard for quantum polynomial-time algorithms, then for any and a quantum polynomial-time cheating prover , we have .
3.3 Proof of Soundness
We prove soundness by showing that for every noticeable error , there exists a number such that by repeating the protocol times in parallel, the soundness error can be reduced below .
Characterization of cheating prover. Any cheating prover can be characterized by a tuple of unitaries over a Hilbert space . A prover characterized by works as follows. (Here, we hardwire into the cheating prover the instance on which it will cheat instead of giving it as an input.)
- Second Message:
Upon receiving , it applies to the state , and then measures the register to obtain . Then it sends to and keeps the resulting state over .
- Fourth Message:
Upon receiving , it applies to and then measures the register in the computational basis to obtain . We denote the designated register for by . Then, we can view the verifier's verification procedure on the -th trial as a unitary .
In the following, we first introduce Jordan's lemma, which we will use to prove Lemma 3.5.
Lemma 3.4 (Jordan’s lemma).
Given any two projectors and , there exists a decomposition of the Hilbert space into one-dimensional and two-dimensional subspaces satisfying the following properties:
All subspaces are orthogonal to each other.
For any two-dimensional subspace , for all , and .
For any two-dimensional subspace , and are rank-one projectors, i.e., there exist two vectors and in such that for all , and .
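A concrete instance of the lemma, added here as an illustration (it is not part of [Mah18] or of the present paper, and the symbols $P$, $Q$, $S_j$, $|u_j\rangle$, $|v_j\rangle$, $\theta_j$ are ours). On a two-dimensional Jordan subspace $S_j$, the two projectors act as rank-one projectors $|u_j\rangle\langle u_j|$ and $|v_j\rangle\langle v_j|$. Choosing phases so that $\langle u_j|v_j\rangle=\cos\theta_j$ with $\theta_j\in(0,\pi/2)$, and writing everything in the orthonormal basis $\{|u_j\rangle,|u_j^{\perp}\rangle\}$ of $S_j$, gives

```latex
|v_j\rangle = \cos\theta_j\,|u_j\rangle + \sin\theta_j\,|u_j^{\perp}\rangle,
\qquad
P\big|_{S_j} = \begin{pmatrix} 1 & 0 \\ 0 & 0 \end{pmatrix},
\qquad
Q\big|_{S_j} = |v_j\rangle\langle v_j| =
\begin{pmatrix} \cos^2\theta_j & \cos\theta_j\sin\theta_j \\ \cos\theta_j\sin\theta_j & \sin^2\theta_j \end{pmatrix},

PQP\big|_{S_j} = \begin{pmatrix} \cos^2\theta_j & 0 \\ 0 & 0 \end{pmatrix}
 = \cos^2\theta_j\,|u_j\rangle\langle u_j|,
\qquad
QPQ\big|_{S_j} = \cos^2\theta_j\,|v_j\rangle\langle v_j|,

(2P-I)(2Q-I)\big|_{S_j} =
\begin{pmatrix} \cos 2\theta_j & \sin 2\theta_j \\ -\sin 2\theta_j & \cos 2\theta_j \end{pmatrix}
\quad\text{(a rotation of } S_j \text{ by } 2\theta_j\text{, eigenvalues } e^{\pm 2i\theta_j}\text{)}.

\text{For } |\psi\rangle = \sum_j \alpha_j |u_j\rangle \text{ in the range of } P:\quad
\langle\psi|Q|\psi\rangle = \sum_j |\alpha_j|^2 \cos^2\theta_j,
```

where, to cover the one-dimensional subspaces, we set $\theta_j:=0$ for a vector in the range of both $P$ and $Q$ and $\theta_j:=\pi/2$ for a vector in the range of $P$ and the kernel of $Q$ (cross terms vanish because the Jordan subspaces are mutually orthogonal). So a prover whose state is accepted by $P$ with certainty is accepted by $Q$ with probability exactly the $\cos^2\theta_j$-weighted mass of its state, and the angles $\theta_j$ are the quantities that phase estimation on the rotation above reads out. Which operator the algorithm in the proof of Lemma 3.5 actually phase-estimates is not recoverable from this page; the rotation is given only as the standard example.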
Fix and the function . Let . We consider the two projectors
where can be any prover's strategy, , and denotes applying Hadamard operators to the registers . By Jordan's lemma, we can decompose the space into two-dimensional subspaces and one-dimensional subspaces , the latter spanned by vectors lying in either or . Furthermore, and restricted to are rank-one projectors, and . For , we denote the angle between and by . Then, we define the projectors
Let be any prover's strategy. Let . Let , where . Let , where and . Let be sampled uniformly at random from , and . Then, there exists an efficient quantum algorithm such that for any efficiently generated quantum state ,
Furthermore, the following properties are satisfied.
If we define , then we have .
, where is the standard-basis measurement in the register , and
is the number of qubits in . Furthermore,
. This implies that there exists a polynomial-time cheating prover with that is accepted in the test round with probability .
To prove Theorem 3.3, we only need to be at most . Hence, and can be .
Proof of Lemma 3.5.
We define , , and .
Do quantum phase estimation on with input state and -bit precision, for a parameter that will be specified later, i.e.,
such that .
Sample from and then apply , where if .
Apply , where if .
Here, operates on the registers , , , and the additional registers , , and .
We let and for
, which are eigenvectors of . Each one-dimensional subspace is spanned by a vector in either or . We only consider the vectors in , and denote them by . Obviously, they are also eigenvectors of (with eigenvalue zero). The eigenvalues corresponding to are , and those corresponding to are .
Now, we can decompose any input state as
We suppose that are on the two-dimensional subspaces without loss of generality. Then, since each for can be represented as , we rewrite the state in the basis of eigenvectors as
where and .
We define a function
In the following, we apply and to the state in Eq. 1 to estimate the eigenvalues of each .
Here, , and is the best -bit approximation to that is less than , for .
To obtain with accuracy with probability for negligible , we can choose . Note that simply applying phase estimation with -bit precision cannot guarantee that is negligible. However, by running phase estimation polynomially many times in parallel and taking the most frequently occurring outcome, one can make negligible, as shown by Watrous [Wat06].
By applying , the state above will be