I Introduction
Whether quantum computing is classically verifiable or not is one of the most important open problems in quantum information Gottesman ; AharonovVazirani ; Andru_review . There have been many partial solutions to the open problem. These results are categorized into the following six types of approaches.

Multiple provers: If more than two provers who are entangled but not allowed to communicate with each other are available, a classical verifier can verify quantum computing MattMBQC ; Ji ; RUV ; Grilo ; Coladangelo .

Computational soundness: If the LWE problem Regev is hard for polynomial-time quantum computing, quantum computing is classically verifiable with soundness against a quantum polynomial-time prover Mahadev ; AndruVidick ; Alagic ; Yamakawa .

Sumcheck: BQP is in IP, and therefore quantum computing is classically verifiable with a computationally-unbounded prover. If we could modify the sumcheck protocol for BQP problems in such a way that the honest prover’s computational power is quantum polynomial-time, the open problem would be solved. There are two results in this direction AharonovGreen ; Yupan .

Specific problems: Several specific problems in BQP, such as the recursive Fourier sampling, problems related to circuits in the second level of the Fourier hierarchy, and calculating orders of solvable groups, are classically verifiable MattFourier ; Tommaso ; FH2 ; LeGall .

Rational prover: For any BQP problem, it is possible to construct a rational proof system AM where a classical verifier sends a reward to the prover in such a way that the prover who wants to maximize its profit has to send a correct solution to the verifier rational ; rationalTakeuchi .
The simplest protocol in the first approach is the so-called posthoc verification posthoc . (A detailed explanation of the posthoc verification is given in Sec. II.) In this protocol, any BQP problem can be verified in a non-interactive way by a verifier who can do only single-qubit measurements: the prover sends a quantum state to the verifier, and the verifier measures each qubit of the state. The prover can send the qubits of the state one by one, and the verifier has only to measure each qubit sequentially, i.e., the verifier does not need any quantum memory. The idea of the posthoc verification is based on the observations that the local Hamiltonian problem is QMA-complete Kitaev ; KKR , BQP is in QMA with a trivial witness state (such as the all-zero state), and the ground state of the local Hamiltonian (i.e., the history state) can be constructed in quantum polynomial time if the corresponding problem is in BQP posthoc . Because the 2-local Hamiltonian problem is QMA-complete BL08 ; CM16 , the verifier has only to measure two randomly chosen qubits in the computational or the Hadamard basis.
A disadvantage of the posthoc protocol is, however, that the verifier has to do quantum measurements, and a quantum channel from the prover to the verifier is required. Mahadev’s breakthrough protocol Mahadev removes both by using a cryptographic technique, but the soundness becomes computational, i.e., the protocol is an argument system.
In this paper, we show that if a trusted center is introduced, an information-theoretically-sound non-interactive verification of quantum computing is possible for a classical verifier. The trusted center sends random BB84 states to the prover, and their classical descriptions to the verifier. (Because the BB84 states are uniformly random, the center’s messages are independent of the instance.) Introducing a trusted center that distributes BB84 states is a somewhat artificial assumption, but it is not unrealistic (for example, it is foreseeable that NIST will distribute BB84 states among quantum computing companies like Google, IBM, etc.), and the introduction of the trusted center gives us huge advantages, namely, the classical verifier, the non-interactiveness, and the information-theoretical soundness.
More precisely, for each instance of any promise problem in BQP, we consider the protocol of Fig. 1, and show its completeness and soundness. (A proof is given in Sec. III.)
Theorem 1
For any promise problem in BQP, the protocol of Fig. 1 satisfies both of the following with and such that :

If , there exists a quantum polynomial-time prover such that the acceptance probability of the verifier is at least .

If , the verifier’s acceptance probability is at most for any prover (even for a computationally-unbounded prover).
Our classical verification protocol can also be modified to construct a non-interactive statistical zero-knowledge proof system for QMA with the trusted center (Fig. 2). We show its completeness, soundness, and statistical zero-knowledge property. (A proof is given in Sec. IV.)
Theorem 2
For any promise problem in QMA, the protocol of Fig. 2 satisfies all of the following with and such that :

If , there exists a quantum polynomial-time prover (that receives a witness state of QMA as input) such that the acceptance probability of the verifier is at least .

If , the verifier’s acceptance probability is at most for any prover (even for a computationally-unbounded prover).

It is statistical zero-knowledge.
The idea is based on the recent elegant construction of zero-knowledge systems for QMA in Ref. BroadbentGrilo . In their construction, the prover sends the verifier the one-time-padded ground state of the Hamiltonian that corresponds to the encoded version of the verification circuit, and a classical commitment of the one-time-pad key. After receiving a challenge from the verifier, the prover opens only a small part of the ground state, which is enough to measure energy but not enough to get any information about the witness due to the local simulatability BroadbentGrilo ; GSY . A zero-knowledge system for QMA was first constructed in Ref. BJSW , and improvements have been obtained recently CVZ ; Alagic ; BroadbentGrilo .
II Preliminaries
Let be a promise problem in BQP. For any instance , we can construct an qubit local Hamiltonian
with such that if then the ground energy is less than , and if then the ground energy is larger than with . Here, , , and . The posthoc protocol posthoc runs as in Fig. 3. Note that in this protocol, the verifier does not need any quantum memory, because the verifier has only to measure each qubit sequentially. The verifier’s acceptance probability is Therefore, if , for an honest prover, and if , for any (computationally-unbounded) prover. The completeness-soundness gap is . It is easy to see that this protocol can be run in parallel to amplify the completeness-soundness gap.
There is a remark: In the original posthoc protocol posthoc , the verifier first samples with probability and measures th and th qubits. The protocol explained in Fig. 3 is slightly modified from the original posthoc protocol in such a way that the verifier’s measurement is independent of the instance . Such a modification was already done in Refs. Alagic ; BroadbentGrilo ; Vidick_review , and in fact the modification is crucial for our purpose, because the trusted center’s message should be independent of the instance .
III Proof of Theorem 1
In this section, we show Theorem 1. Let us first consider the protocol of Fig. 4 that we call the virtual protocol 1. It is easy to see that the virtual protocol 1 has the same completeness and soundness as those of the posthoc protocol (Fig. 3). Next let us consider the protocol of Fig. 5 that we call the virtual protocol 2. The difference from the virtual protocol 1 is that the verifier first measures halves of Bell pairs before sending other halves to the prover. Because the verifier’s measurement and the prover’s measurement commute with each other, verifier’s acceptance probability of the virtual protocol 2 is the same as that of the virtual protocol 1. Finally, let us consider the protocol of Fig. 6, which is our final protocol. The difference from the virtual protocol 2 is that the verifier’s quantum task is done by the trusted center. It is clear that the verifier’s acceptance probability of this protocol is the same as that of the virtual protocol 2. In conclusion, our protocol (Fig. 6) has the same completeness and soundness as those of the posthoc protocol (Fig. 3).
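A single-qubit numerical check of the reduction above, added here as an illustration and not taken from the paper: it confirms that measuring one half of a Bell pair in a random basis leaves a BB84 state on the other half, and that a classical party who knows the BB84 description recovers the same statistics as a direct measurement of the prover's qubit. The prover's Bell-basis measurement and the correction rule (m XOR x in the computational basis, m XOR z in the Hadamard basis) are assumptions of this example, since Figs. 4 to 6 are not reproduced on this page; all function names are hypothetical.

```python
import itertools
import math

S = 1 / math.sqrt(2)

def bb84(h, m):
    """Amplitudes of the BB84 state H^h|m> (h: basis bit, m: value bit)."""
    if h == 0:
        return [1.0, 0.0] if m == 0 else [0.0, 1.0]
    return [S, S] if m == 0 else [S, -S]

def bell(x, z):
    """Bell state (I (x) X^x Z^z)|Phi+> as a table b[a][p] of amplitudes."""
    b = [[0.0, 0.0], [0.0, 0.0]]
    for a in (0, 1):
        b[a][a ^ x] = S * (-1) ** (z * a)
    return b

def collapse_bell_half(h, m):
    """Virtual protocol 2 step: measure one half of |Phi+> in basis h and
    get m. Returns (probability of m, normalized state of the other half)."""
    v, pair = bb84(h, m), bell(0, 0)
    rest = [sum(v[a] * pair[a][p] for a in (0, 1)) for p in (0, 1)]
    prob = sum(abs(c) ** 2 for c in rest)
    return prob, [c / math.sqrt(prob) for c in rest]

def verifier_view(psi, h):
    """Distribution of the bit a classical verifier reconstructs from the
    center's (h, m) and the prover's Bell-measurement outcome (x, z)."""
    dist = [0.0, 0.0]
    for m, x, z in itertools.product((0, 1), repeat=3):
        phi, b = bb84(h, m), bell(x, z)
        # <bell(x,z)| (|psi> (x) |phi>); the Bell amplitudes are real.
        amp = sum(b[a][p] * psi[a] * phi[p] for a in (0, 1) for p in (0, 1))
        bit = m ^ (x if h == 0 else z)  # assumed correction rule
        dist[bit] += 0.5 * abs(amp) ** 2  # 0.5 = Pr[m], the center's coin
    return dist

def direct_measurement(psi, h):
    """Born distribution of measuring |psi> itself in basis h."""
    return [abs(sum(bb84(h, r)[i] * psi[i] for i in (0, 1))) ** 2
            for r in (0, 1)]

if __name__ == "__main__":
    psi = [0.6, 0.8j]  # constructed sample state held by the prover
    for h in (0, 1):
        print(h, verifier_view(psi, h), direct_measurement(psi, h))
```

The two distributions agree for every input state and both bases, which is the single-qubit content of the statement that the final protocol has the same acceptance probability as the virtual protocols.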
IV Proof of Theorem 2
Our non-interactive statistical zero-knowledge proof system for QMA with the trusted center is shown in Fig. 7. To show its completeness, soundness, and zero-knowledge property, let us consider the protocol of Fig. 8, which we call the virtual zero-knowledge protocol. It is easy to verify that protocols of Fig. 7 and Fig. 8 are the same. The verifier’s acceptance probability in the virtual zero-knowledge protocol is and therefore the completeness-soundness gap is . The zero-knowledge property is also clear, because in the virtual zero-knowledge protocol, what the verifier gets under the honest prover are the uniformly randomly chosen , and the measurement results on the th and th qubits of the one-time padded history state in the base that is simulatable in classical polynomial time due to the local simulatability of the history state BroadbentGrilo ; GSY . In Fig. 9, we show the simulator. It is clear that the output of the simulator and verifier’s view are negligibly close.
V Discussion
In this paper, we have constructed an information-theoretically-sound non-interactive classical verification protocol for quantum computing with a trusted center. The trusted center sends randomly chosen BB84 states to the prover, and their classical descriptions to the verifier.
One might ask whether the quantum message from the center to the prover can be replaced with a classical one. It will be impossible, because if it was possible, then BQP is in AM, which is unlikely. To see it, assume that the trusted center sends some random classical messages to the prover. Then, the message can be sent from the verifier instead of the center, and it is a two-message AM protocol.
The combination of the trusted center considered in this paper and the Fitzsimons-Kashefi protocol FK also realizes the information-theoretically-sound classical verification of quantum computing, but in that case, the protocol is interactive: polynomially many rounds are necessary between the prover and the verifier. Furthermore, the messages sent from the trusted center do depend on the instance.
The trusted center’s task considered in this paper can be done by the “remote state preparation” protocol. In the remote state preparation, the classical verifier can remotely prepare random quantum states in the prover’s place with only classical communication in such a way that only the verifier knows which states are prepared. It is well known that if the remote state preparation is possible, a classical verification of quantum computing is possible. It is open whether an information-theoretically-sound remote state preparation is possible or not, but it was shown recently that computationally-sound remote state preparations are possible under the LWE assumption Vazirani ; AndruVidick ; MetgerVidick ; Cojocaru . If we combine these remote state preparation protocols with our protocol, we would obtain a computationally-sound non-interactive classical verification protocol for quantum computing with preprocessing.
Acknowledgements.
TM is supported by MEXT Q-LEAP, JST PRESTO No.JPMJPR176A, and the Grant-in-Aid for Young Scientists (B) No.JP17K12637 of JSPS.
References
(1) D. Gottesman, 2004. http://www.scottaaronson.com/blog/?p=284
(2) D. Aharonov and U. Vazirani, Is quantum mechanics falsifiable? A computational perspective on the foundations of quantum mechanics. arXiv:1206.3686
(3) A. Gheorghiu, T. Kapourniotis, and E. Kashefi, Verification of quantum computation: an overview of existing approaches. Theory of Computing Systems 63, 715-808 (2019); arXiv:1709.06984
(4) J. F. Fitzsimons and E. Kashefi, Unconditionally verifiable blind computation. Phys. Rev. A 96, 012303 (2017).
(5) D. Aharonov, M. Ben-Or, E. Eban, and U. Mahadev, Interactive proofs for quantum computations. arXiv:1704.04487
(6) M. Hayashi and T. Morimae, Verifiable measurement-only blind quantum computing with stabilizer testing. Phys. Rev. Lett. 115, 220502 (2015).
(7) T. Morimae, D. Nagaj, and N. Schuch, Quantum proofs can be verified using only single-qubit measurements. Phys. Rev. A 93, 022326 (2016).
(8) J. F. Fitzsimons, M. Hajdušek, and T. Morimae, Post hoc verification of quantum computation. Phys. Rev. Lett. 120, 040501 (2018).
(9) S. Barz, J. F. Fitzsimons, E. Kashefi, and P. Walther, Experimental verification of quantum computation. Nat. Phys. 9, 727 (2013).
(10) C. Greganti, M. C. Roehsner, S. Barz, T. Morimae, and P. Walther, Demonstration of measurement-only blind quantum computing. New J. Phys. 18, 013020 (2016).
(11) A. Gheorghiu, E. Kashefi, and P. Wallden, Robustness and device independence of verifiable blind quantum computing. New J. Phys. 17, 083040 (2015).
(12) Y. Takeuchi and T. Morimae, Verification of many-qubit states. Phys. Rev. X 8, 021060 (2018).
(13) M. McKague, Interactive proofs for BQP via self-tested graph states. Theory of Computing 12, 1 (2016).
(14) Z. Ji, Classical verification of quantum proofs. Proceedings of the 48th annual ACM symposium on Theory of Computing (STOC 2016) p.885 (2016).
(15) B. W. Reichardt, F. Unger, and U. Vazirani, Classical command of quantum systems. Nature 496, 456 (2013).
(16) A. B. Grilo, A simple protocol for verifiable delegation of quantum computation in one round. 46th International Colloquium on Automata, Languages, and Programming (ICALP 2019).
(17) A. Coladangelo, A. B. Grilo, S. Jeffery, and T. Vidick, Verifier-on-a-Leash: new schemes for verifiable delegated quantum computation, with quasilinear resources. arXiv:1708.07359; EUROCRYPT 2019.
(18) O. Regev, On lattices, learning with errors, random linear codes, and cryptography. J. ACM, 56(6):34:1-34:40, 2009.
(19) U. Mahadev, Classical verification of quantum computations. IEEE 59th Annual Symposium on Foundations of Computer Science (FOCS), Paris, 2018, pp. 259-267; arXiv:1804.01082
(20) A. Gheorghiu and T. Vidick, Computationally-secure and composable remote state preparation. IEEE 60th Annual Symposium on Foundations of Computer Science (FOCS), Baltimore, MD, USA, 2019, pp. 1024-1033; arXiv:1904.06320
(21) G. Alagic, A. M. Childs, A. B. Grilo, and S.-H. Hung, Non-interactive classical verification of quantum computation. arXiv:1911.08101
(22) N.-H. Chia, K.-M. Chung, and T. Yamakawa, Classical verification of quantum computations with efficient verifier. arXiv:1912.00990
(23) D. Aharonov and A. Green, A quantum inspired proof of . arXiv:1710.09078
(24) A. Green, Y. Liu, and G. Kindler, Towards a quantum-inspired proof for IP=PSPACE. arXiv:1912.11611
(25) M. McKague, Interactive proofs with efficient quantum prover for recursive Fourier sampling. Chicago Journal of Theoretical Computer Science 6, 1 (2012).
(26) T. F. Demarie, Y. Ouyang, and J. F. Fitzsimons, Classical verification of quantum circuits containing few basis changes. Phys. Rev. A 97, 042319 (2018).
(27) T. Morimae, Y. Takeuchi, and H. Nishimura, Merlin-Arthur with efficient quantum Merlin and quantum supremacy for the second level of the Fourier hierarchy. Quantum 2, 106 (2018).
(28) F. Le Gall, T. Morimae, H. Nishimura, and Y. Takeuchi, Interactive proofs with polynomial-time quantum prover for computing the order of solvable groups. 43rd International Symposium on Mathematical Foundations of Computer Science (MFCS 2018); arXiv:1805.03385
(29) P. D. Azar and S. Micali, Rational proofs. Proceedings of the 44th symposium on Theory of Computing (STOC’12), 1017 (2012).
(30) T. Morimae and H. Nishimura, Rational proofs for quantum computing. Quant. Inf. Comput. 20, 0181-0193 (2020); arXiv:1804.08868
(31) Y. Takeuchi, T. Morimae, and S. Tani, Sumcheck-based delegation of quantum computing to rational server. arXiv:1911.04734
(32) A. Y. Kitaev, A. H. Shen, and M. N. Vyalyi, Classical and Quantum Computation (American Mathematical Society, Boston, MA, USA (2002))
(33) J. Kempe, A. Kitaev, and O. Regev, The complexity of the local Hamiltonian problem. SIAM Journal of Computing 35, pp. 1070-1097 (2006).
(34) J. D. Biamonte and P. J. Love, Realizable Hamiltonians for universal adiabatic quantum computers. Physical Review A 78, 012352 (2008).
(35) T. Cubitt and A. Montanaro, Complexity classification of local Hamiltonian problems. SIAM Journal on Computing 45, 268-316 (2016).
(36) A. Broadbent and A. B. Grilo, Zero-knowledge for QMA from locally simulatable proofs, arXiv:1911.07782
(37) A. B. Grilo, W. Slofstra, and H. Yuen, Perfect zero knowledge for quantum multiprover interactive proofs, FOCS 2019; arXiv:1905.11280
(38) A. Broadbent, Z. Ji, F. Song, and J. Watrous, Zero-knowledge proof systems for QMA. In 2016 IEEE 57th Annual Symposium on Foundations of Computer Science (FOCS), pages 31-40. (2016); SIAM J. Comput. 49(2), 245-283 (2020).
(39) A. Coladangelo, T. Vidick, and T. Zhang, Non-interactive zero-knowledge arguments for QMA, with preprocessing. arXiv:1911.07546
(40) T. Vidick, Verifying quantum computations at scale: a cryptographic leash on quantum devices. Bull. Amer. Math. Soc. 57, 39-76 (2020).
(41) Z. Brakerski, P. Christiano, U. Mahadev, U. Vazirani, and T. Vidick, A Cryptographic Test of Quantumness and Certifiable Randomness from a Single Quantum Device, IEEE 59th Annual Symposium on Foundations of Computer Science (FOCS), Paris, 2018, pp. 320-331; arXiv:1804.00640
(42) T. Metger and T. Vidick, Self-testing of a single quantum device under computational assumptions. arXiv:2001.09161
(43) A. Cojocaru, L. Colisson, E. Kashefi, and P. Wallden, QFactory: classically-instructed remote secret qubits preparation. ASIACRYPT 2019; arXiv:1904.06303