I Introduction
Whether quantum computing is classically verifiable or not is one of the most important open problems in quantum information Gottesman ; AharonovVazirani ; Andru_review . There have been many partial solutions to the open problem. These results are categorized into the following six types of approaches.
-
Multiple provers: If more than two provers who are entangled but not allowed to communicate with each other are available, a classical verifier can verify quantum computing MattMBQC ; Ji ; RUV ; Grilo ; Coladangelo .
-
Computational soundness: If the LWE problem Regev is hard for polynomial-time quantum computing, quantum computing is classically verifiable with the soundness against a quantum polynomial-time prover Mahadev ; AndruVidick ; Alagic ; Yamakawa .
-
Sum-check: BQP is in IP, and therefore quantum computing is classically verifiable with the computationally-unbounded prover. If we could modify the sum-check protocol for BQP problems in such a way that the honest prover’s computational power is in quantum polynomial-time, the open problem is solved. There are two results in this direction AharonovGreen ; Yupan .
-
Specific problems: Several specific problems in BQP, such as the recursive Fourier sampling, problems related to circuits in the second level of the Fourier hierarchy, and calculating orders of solvable groups, are classically verifiable MattFourier ; Tommaso ; FH2 ; LeGall .
-
Rational prover: For any BQP problem, it is possible to construct a rational proof system AM where a classical verifier sends a reward to the prover in such a way that the prover who wants to maximize its profit has to send a correct solution to the verifier rational ; rationalTakeuchi .
The simplest protocol in the first approach is so-called the posthoc verification posthoc . (A detailed explanation of the posthoc verification is given in Sec. II.) In this protocol, any BQP problem can be verified in a non-interactive way with a verifier who can do only single-qubit measurements: the prover sends a quantum state to the verifier, and the verifier measures each qubit of the state. The prover can send each qubit of the state one by one, and the verifier has only to measure each qubit sequentially, i.e., the verifier does not need any quantum memory. The idea of the posthoc verification is based on the observations that the local Hamiltonian problem is QMA-complete Kitaev ; KKR , BQP is in QMA with a trivial witness state (such as the all zero state), and the ground state of the local Hamiltonian (i.e., the history state) can be constructed in quantum polynomial-time if the corresponding problem is in BQP posthoc . Because the 2-local -Hamiltonian problem is QMA-complete BL08 ; CM16 , the verifier has only to measure randomly chosen two qubits in the computational or the Hadamard basis.
A disadvantage of the posthoc protocol is, however, that the verifier has to do the quantum measurements, and the quantum channel from the prover to the verifier is required. The Mahadev’s breakthrough protocol Mahadev removes them by using the cryptographic technique, but the soundness becomes the computational one, i.e., the protocol is an argument system.
In this paper, we show that if a trusted center is introduced, an information-theoretically-sound non-interactive verification of quantum computing is possible for a classical verifier. The trusted center sends random BB84 states to the prover, and their classical descriptions to the verifier. (Because the BB84 states are uniformly random, center’s messages are independent of the instance.) Introducing a trusted center that distributes BB84 states is somehow an artificial assumption, but it is not unrealistic (for example, it is a foreseeable future that the NIST distributes BB84 states among quantum computing companies like Google, IBM, etc.), and the introduction of the trusted center gives us huge advantages, namely, the classical verifier, the non-interactiveness, and the information-theoretical soundness.
More precisely, for each instance of any promise problem in BQP, we consider the protocol of Fig. 1, and show its completeness and soundness. (A proof is given in Sec. III.)
Theorem 1
For any promise problem in BQP, the protocol of Fig. 1 satisfies both of the following with and such that :
-
If
, there exists a quantum polynomial-time prover such that the acceptance probability of the verifier is at least
. -
If , the verifier’s acceptance probability is at most for any prover (even for computationally-unbounded prover).
-
The trusted center uniformly randomly chooses , where . The trusted center sends to the prover. The trusted center sends to the verifier. Note that because is uniformly randomly chosen, the messages from the trusted center to the prover and the verifier are independent of the instance .
-
The prover does a POVM measurement, which can be done in quantum polynomial-time if the prover is honest, on the received state, and sends the measurement result (a -bit classical bit string) to the verifier.
-
The verifier does a certain polynomial-time classical computation to make the decision, accept/reject.
Our classical verification protocol can also be modified to construct a non-interactive statistical zero-knowledge proof system for QMA with the trusted center (Fig. 2). We show its completeness, soundness, and statistical zero-knowledge property. (A proof is given in Sec. IV.)
Theorem 2
For any promise problem in QMA, the protocol of Fig. 2 satisfies all of the following with and such that :
-
If , there exists a quantum polynomial-time prover (that receives a witness state of QMA as input) such that the acceptance probability of the verifier is at least .
-
If , the verifier’s acceptance probability is at most for any prover (even for computationally-unbounded prover).
-
It is statistical zero-knowledge.
-
The trusted center uniformly randomly chooses , where . The trusted center sends to the prover. The trusted center uniformly randomly chooses such that . The trusted center sends to the verifier.
-
The prover does a POVM measurement, which can be done in quantum polynomial-time (given the witness state) if the prover is honest, on the received state, and sends the measurement result (a -bit classical bit string) to the verifier.
-
The verifier does a certain polynomial-time classical computation to make the decision, accept/reject.
The idea is based on the recent elegant construction of zero-knowledge systems for QMA in Ref. BroadbentGrilo
. In their construction, the prover sends the verifier the one-time-padded ground state of the Hamiltonian that corresponds to the encoded version of the verification circuit, and a classical commitment of the one-time-pad key. After receiving a challenge from the verifier, the prover opens only a small part of the ground state, which is enough to measure energy but not enough to get any information about the witness due to the local simulatability
BroadbentGrilo ; GSY . A zero-knowledge system for QMA was first constructed in Ref. BJSW , and improvements have been obtained recently CVZ ; Alagic ; BroadbentGrilo .Ii Preliminaries
Let be a promise problem in BQP. For any instance , we can construct an -qubit local Hamiltonian
with such that if then the ground energy is less than , and if then the ground energy is larger than with . Here, , , and . The posthoc protocol posthoc runs as in Fig. 3. Note that in this protocol, the verifier does not need any quantum memory, because the verifier has only to measure each qubit sequentially. The verifier’s acceptance probability is Therefore, if , for an honest prover, and if , for any (computationally-unbounded) prover. The completeness-soundness gap is . It is easy to see that this protocol can be done in the parallel way to amplify the completeness-soundness gap.
-
The prover sends an -qubit state to the verifier. (If the prover is honest, it is the ground state of .)
-
The verifier uniformly randomly chooses .
-
If (), the verifier measures all qubits of in the computational (Hadamard) basis. Let be the measurement result on the th qubit.
-
The verifier samples with probability .
-
If , the verifier accepts. Otherwise, reject.
There is a remark: In the original posthoc protocol posthoc , the verifier first samples with probability and measures th and th qubits. The protocol explained in Fig. 3 is slightly modified from the original posthoc protocol in such a way that the verifier’s measurement is independent of the instance . Such a modification was already done in Refs. Alagic ; BroadbentGrilo ; Vidick_review , and in fact the modification is crucial for our purpose, because the trusted center’s message should be independent of the instance .
Iii Proof of Theorem 1
In this section, we show Theorem 1. Let us first consider the protocol of Fig. 4 that we call the virtual protocol 1. It is easy to see that the virtual protocol 1 has the same completeness and soundness as those of the posthoc protocol (Fig. 3). Next let us consider the protocol of Fig. 5 that we call the virtual protocol 2. The difference from the virtual protocol 1 is that the verifier first measures halves of Bell pairs before sending other halves to the prover. Because the verifier’s measurement and the prover’s measurement commute with each other, verifier’s acceptance probability of the virtual protocol 2 is the same as that of the virtual protocol 1. Finally, let us consider the protocol of Fig. 6, which is our final protocol. The difference from the virtual protocol 2 is that the verifier’s quantum task is done by the trusted center. It is clear that the verifier’s acceptance probability of this protocol is the same as that of the virtual protocol 2. In conclusion, our protocol (Fig. 6) has the same completeness and soundness as those of the posthoc protocol (Fig. 3).
-
The verifier uniformly randomly chooses . The verifier generates Bell pairs, and sends halves to the prover.
-
If the prover is honest, the prover teleports the ground state of to the verifier by using the Bell pairs, and sends the verifier the information about the byproduct caused by the teleportation. If the prover is malicious, the prover does any POVM measurement on the received states, and sends the result of the POVM measurement to the verifier.
-
If (), the verifier measures all qubits of the teleported state in the computational (Hadamard) basis. Let be the measurement result of the th qubit.
-
Let us define for , which are the measurement results that take into account the effects of the teleportation byproducts. The verifier samples with probability . The verifier accepts if and only if .
-
The verifier uniformly randomly chooses . The verifier generates Bell pairs.
-
The verifier measures halves of the Bell pairs in the computational (Hadamard) basis if (). Let be the measurement result for the th Bell pair. The verifier sends unmeasured halves of the Bell pairs to the prover.
-
The prover does a POVM measurement , which corresponds to the teleportation of the ground state when the prover is honest, on the received states, and sends the result of the POVM measurement to the verifier.
-
The same as the step 4 of the virtual protocol 1.
-
The trusted center uniformly randomly chooses . The trusted center sends to the prover. The trusted center sends to the verifier.
-
The same as the steps 3 and 4 of the virtual protocol 2.
Iv Proof of Theorem 2
Our non-interactive statistical zero-knowledge proof system for QMA with the trusted center is shown in Fig. 7. To show its completeness, soundness, and zero-knowledge property, let us consider the protocol of Fig. 8, which we call the virtual zero-knowledge protocol. It is easy to verify that protocols of Fig. 7 and Fig. 8 are the same. The verifier’s acceptance probability in the virtual zero-knowledge protocol is and therefore the completeness-soundness gap is . The zero-knowledge property is also clear, because in the virtual zero-knowledge protocol, what the verifier gets under the honest prover are the uniformly randomly chosen , and the measurement results on the th and th qubits of the one-time padded history state in the base that is simulatable in classical polynomial-time due to the local simulatability of the history state BroadbentGrilo ; GSY . In Fig. 9, we show the simulator. It is clear that the output of the simulator and verifier’s view are negligibly close.
-
The trusted center uniformly randomly chooses . The trusted center sends to the prover. The trusted center uniformly randomly chooses such that . The trusted center sends to the verifier.
-
The same as the step 3 of the virtual protocol 2.
-
Let us define for . The verifier samples with probability . If , the verifier accepts. If , the verifier accepts. If and , the verifier accepts if and only if .
-
The trusted center uniformly randomly chooses . The trusted center generates Bell pairs, and sends halves to the prover.
-
The prover does a POVM measurement, , which corresponds to the teleportation of the ground state when the prover is honest, on the received states.
-
The trusted center measures the halves of the Bell pairs in the computational (Hadamard) basis if (). Let be the measurement result for the th Bell pair.
-
The trusted center randomly chooses such that , and sends to the verifier.
-
The prover sends the result of the POVM measurement to the verifier.
-
The same as the step 3 of the zero-knowledge protocol Fig.7.
-
The simulator uniformly randomly generates .
-
The simulator uniformly randomly generates .
-
The simulator uniformly randomly generates such that .
-
The simulator computes the classical description of , where is the ground state of the Hamiltonian.
-
The simulator samples the measurement results in the basis on .
-
The simulator outputs .
V Discussion
In this paper, we have constructed an information-theoretically-sound non-interactive classical verification protocol for quantum computing with a trusted center. The trusted center sends randomly chosen BB84 states to the prover, and their classical descriptions to the verifier.
One might ask whether the quantum message from the center to the prover can be replaced with a classical one. It will be impossible, because if it was possible, then BQP is in AM, which is unlikely. To see it, assume that the trusted center sends some random classical messages to the prover. Then, the message can be sent from the verifier instead of the center, and it is a two-message AM protocol.
The combination of the trusted center considerd in this paper and the Fitzsimons-Kashefi protocol FK also realizes the information-theoretically-sound classical verification of quantum computing, but in that case, the protocol is interactive: polynomially-many rounds are necessary between the prover and the verifier. Furthermore, the messages sent from the trusted center do depend on the instance.
The trusted center’s task considered in this paper can be done by the “remote state preparation” protocol. In the remote state preparation, the classical verifier can remotely prepare random quantum states in the prover’s place with only a classical communication in such a way that only the verifier knows which states are prepared. It is well known that if the remote state preparation is possible, a classical verification of quantum computing is possible. It is open whether an information-theoretically-sound remote state preparation is possible or not, but it was shown recently that computationally-sound remote state preparations are possible under the LWE assumption Vazirani ; AndruVidick ; MetgerVidick ; Cojocaru . If we combine these remote state preparation protocols with our protocol, we would obtain a computationally-sound non-interactive classical verification protocol for quantum computing with preprocessing.
Acknowledgements.
TM is supported by MEXT Q-LEAP, JST PRESTO No.JPMJPR176A, and the Grant-in-Aid for Young Scientists (B) No.JP17K12637 of JSPS.References
- (1) D. Gottesman, 2004. http://www.scottaaronson.com/blog/?p=284
- (2) D. Aharonov and U. Vazirani, Is quantum mechanics falsifiable? A computational perspective on the foundations of quantum mechanics. arXiv:1206.3686
- (3) A. Gheorghiu, T. Kapourniotis, and E. Kashefi, Verification of quantum computation: an overview of existing approaches. Theory of Computing Systems 63, 715-808 (2019); arXiv:1709.06984
- (4) J. F. Fitzsimons and E. Kashefi, Unconditionally verifiable blind computation. Phys. Rev. A 96, 012303 (2017).
- (5) D. Aharonov, M. Ben-Or, E. Eban, and U. Mahadev, Interactive proofs for quantum computations. arXiv:1704.04487
- (6) M. Hayashi and T. Morimae, Verifiable measurement-only blind quantum computing with stabilizer testing. Phys. Rev. Lett. 115, 220502 (2015).
- (7) T. Morimae, D. Nagaj, and N. Schuch, Quantum proofs can be verified using only single-qubit measurements. Phys. Rev. A 93, 022326 (2016).
- (8) J. F. Fitzsimons, M. Hajdušek, and T. Morimae, Post hoc verification of quantum computation. Phys. Rev. Lett. 120, 040501 (2018).
- (9) S. Barz, J. F. Fitzsimons, E. Kashefi, and P. Walther, Experimental verification of quantum computation. Nat. Phys. 9, 727 (2013).
- (10) C. Greganti, M. C. Roehsner, S. Barz, T. Morimae, and P. Walther, Demonstration of measurement-only blind quantum computing. New J. Phys. 18, 013020 (2016).
- (11) A. Gheorghiu, E. Kashefi, and P. Wallden, Robustness and device independence of verifiable blind quantum computing. New J. Phys. 17, 083040 (2015).
- (12) Y. Takeuchi and T. Morimae, Verification of many-qubit states. Phys. Rev. X 8, 021060 (2018).
-
(13)
M. McKague, Interactive proofs for BQP via self-tested graph states. Theory of Computing
12, 1 (2016). - (14) Z. Ji, Classical verification of quantum proofs. Proceedings of the 48th annual ACM symposium on Theory of Computing (STOC 2016) p.885 (2016).
- (15) B. W. Reichardt, F. Unger, and U. Vazirani, Classical command of quantum systems. Nature 496, 456 (2013).
- (16) A. B. Grilo, A simple protocol for verifiable delegation of quantum computation in one round. 46th International Colloquium on Automata, Languages, and Programming (ICALP 2019).
- (17) A. Coladangelo, A. B. Grilo, S. Jeffery, and T. Vidick, Verifier-on-a-Leash: new schemes for verifiable delegated quantum computation, with quasilinear resources. arXiv:1708.07359; EUROCRYPT 2019.
- (18) O. Regev, On lattices, learning with errors, random linear codes, and cryptography. J. ACM, 56(6):34-134:40, 2009.
- (19) U. Mahadev, Classical verification of quantum computations. IEEE 59th Annual Symposium on Foundations of Computer Science (FOCS), Paris, 2018, pp.259-267; arXiv:1804.01082
- (20) A. Gheorghiu and T. Vidick, Computationally-secure and composable remote state preparation. IEEE 60th Annual Symposium on Foundations of Computer Science (FOCS), Baltimore, MD, USA, 2019, pp. 1024-1033; arXiv:1904.06320
- (21) G. Alagic, A. M. Childs, A. B. Grilo, and S-H. Hung, Non-interactive classical verification of quantum computation. arXiv:1911.08101
- (22) N-H. Chia, K-M. Chung, and T. Yamakawa, Classical verification of quantum computations with efficient verifier. arXiv:1912.00990
- (23) D. Aharonov and A. Green, A quantum inspired proof of . arXiv:1710.09078
- (24) A. Green, Y. Liu, and G. Kindler, Towards a quantum-inspired proof for IP=PSPACE. arXiv:1912.11611
- (25) M. McKague, Interactive proofs with efficient quantum prover for recursive Fourier sampling. Chicago Journal of Theoretical Computer Science 6, 1 (2012).
- (26) T. F. Demarie, Y. Ouyang, and J. F. Fitzsimons, Classical verification of quantum circuits containing few basis changes. Phys. Rev. A 97, 042319 (2018).
- (27) T. Morimae, Y. Takeuchi, and H. Nishimura, Merlin-Arthur with efficient quantum Merlin and quantum supremacy for the second level of the Fourier hierarchy. Quantum 2, 106 (2018).
- (28) F. Le Gall, T. Morimae, H. Nishimura, and Y. Takeuchi, Interactive proofs with polynomial-time quantum prover for computing the order of solvable groups. 43rd International Symposium on Mathematical Foundations of Computer Science (MFCS 2018); arXiv:1805.03385
- (29) P. D. Azar and S. Micali, Rational proofs. Proceedings of the 44th symposium on Theory of Computing (STOC’12), 1017 (2012).
- (30) T. Morimae and H. Nishimura, Rational proofs for quantum computing. Quant. Inf. Comput. 20, 0181-0193 (2020); arXiv:1804.08868
- (31) Y. Takeuchi, T. Morimae, and S. Tani, Sumcheck-based delegation of quantum computing to rational server. arXiv:1911.04734
- (32) A. Y. Kitaev, A. H. Shen, and M. N. Vyalyi, Classical and Quantum Computation (American Mathematical Society, Boston, MA, USA (2002))
- (33) J. Kempe, A. Kitaev, and O. Regev, The complexity of the local Hamiltonian problem. SIAM Journal of Computing 35, pp.1070-1097 (2006).
- (34) J. D. Biamonte and P. J. Love, Realizable Hamiltonians for universal adiabatic quantum computers. Physical Review A 78, 012352 (2008).
- (35) T. Cubitt and A. Montanaro, Complexity classification of local Hamiltonian problems. SIAM Journal on Computing 45, 268-316 (2016).
- (36) A. Broadbent and A. B. Grilo, Zero-knowledge for QMA from locally simulatable proofs, arXiv:1911.07782
- (37) A. B. Grilo, W. Slofstra, and H. Yuen, Perfect zero knowledge for quantum multi-prover interactive proofs, FOCS 2019; arXiv:1905.11280
- (38) A. Broadbent, Z. Ji, F. Song, and J. Watrous, Zero-knowledge proof systems for QMA. In 2016 IEEE 57th Annual Symposium on Foundations of Computer Science (FOCS), pages 31-40. (2016); SIAM J. Comput. 49(2), 245-283 (2020).
- (39) A. Coladangelo, T. Vidick, and T. Zhang, Non-interactive zero-knowledge arguments for QMA, with preprocessing. arXiv:1911.07546
- (40) T. Vidick, Verifying quantum computations at scale: a cryptographic leash on quantum devices. Bull. Amer. Math. Soc. 57, 39-76 (2020).
- (41) Z. Brakerski, P. Christiano, U. Mahadev, U. Vazirani, and T. Vidick, A Cryptographic Test of Quantumness and Certifiable Randomness from a Single Quantum Device, IEEE 59th Annual Symposium on Foundations of Computer Science (FOCS), Paris, 2018, pp. 320-331; arXiv:1804.00640
- (42) T. Metger and T. Vidick, Self-testing of a single quantum device under computational assumptions. arXiv:2001.09161
- (43) A. Cojocaru, L. Colisson, E. Kashefi, and P. Wallden, QFactory: classically-instructed remote secret qubits preparation. ASIACRYPT 2019; arXiv:1904.06303
Comments
There are no comments yet.