Information-theoretically-sound non-interactive classical verification of quantum computing with trusted center

03/24/2020
by   Tomoyuki Morimae, et al.
Kyoto University
0

The posthoc verification protocol [J. F. Fitzsimons, M. Hajdušek, and T. Morimae, Physical Review Letters 120, 040501 (2018)] enables an information-theoretically-sound non-interactive verification of quantum computing, but the message from the prover to the verifier is quantum and the verifier has to do single-qubit measurements. The Mahadev protocol removes these quantum parts, but the soundness becomes the computational one. In this paper, we construct an information-theoretically-sound non-interactive classical verification protocol for quantum computing with a trusted center. The trusted center sends random BB84 states to the prover, and the classical descriptions of these BB84 states to the verifier. The messages from the center to the prover and the verifier are independent of the instance. By slightly modifying our protocol, we also construct a non-interactive statistical zero-knowledge proof system for QMA with the trusted center.

READ FULL TEXT VIEW PDF
POST COMMENT

Comments

There are no comments yet.

Authors

page 1

page 2

page 3

page 4

02/18/2021

Classically Verifiable (Dual-Mode) NIZK for QMA with Preprocessing

We propose three constructions of classically verifiable non-interactive...
11/19/2019

Non-interactive classical verification of quantum computation

In a recent breakthrough, Mahadev constructed an interactive protocol th...
11/18/2019

Non-interactive zero-knowledge arguments for QMA, with preprocessing

A non-interactive zero-knowledge (NIZK) proof system for a language L∈NP...
08/23/2019

Semi-Quantum Money

Private quantum money allows a bank to mint quantum money states that it...
07/25/2020

Multi-theorem (Malicious) Designated-Verifier NIZK for QMA

We present the first non-interactive zero-knowledge argument system for ...
02/09/2022

Unconditionally secure digital signatures implemented in an 8-user quantum network

The ability to know and verifiably demonstrate the origins of messages c...
03/18/2019

Securely Trading Unverifiable Information without Trust

In future, information may become one of the most important assets in ec...
This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

I Introduction

Whether quantum computing is classically verifiable or not is one of the most important open problems in quantum information Gottesman ; AharonovVazirani ; Andru_review . There have been many partial solutions to the open problem. These results are categorized into the following six types of approaches.

  • Slightly quantum verifier: If the verifier can do some minimum quantum operations, such as single-qubit generations or measurements, quantum computing can be verified FK ; Aharonov ; HM ; MNS ; posthoc ; Barz ; Chiara ; Andru ; TakeuchiMorimae .

  • Multiple provers: If more than two provers who are entangled but not allowed to communicate with each other are available, a classical verifier can verify quantum computing MattMBQC ; Ji ; RUV ; Grilo ; Coladangelo .

  • Computational soundness: If the LWE problem Regev is hard for polynomial-time quantum computing, quantum computing is classically verifiable with the soundness against a quantum polynomial-time prover Mahadev ; AndruVidick ; Alagic ; Yamakawa .

  • Sum-check: BQP is in IP, and therefore quantum computing is classically verifiable with the computationally-unbounded prover. If we could modify the sum-check protocol for BQP problems in such a way that the honest prover’s computational power is in quantum polynomial-time, the open problem is solved. There are two results in this direction AharonovGreen ; Yupan .

  • Specific problems: Several specific problems in BQP, such as the recursive Fourier sampling, problems related to circuits in the second level of the Fourier hierarchy, and calculating orders of solvable groups, are classically verifiable MattFourier ; Tommaso ; FH2 ; LeGall .

  • Rational prover: For any BQP problem, it is possible to construct a rational proof system AM where a classical verifier sends a reward to the prover in such a way that the prover who wants to maximize its profit has to send a correct solution to the verifier rational ; rationalTakeuchi .

The simplest protocol in the first approach is so-called the posthoc verification posthoc . (A detailed explanation of the posthoc verification is given in Sec. II.) In this protocol, any BQP problem can be verified in a non-interactive way with a verifier who can do only single-qubit measurements: the prover sends a quantum state to the verifier, and the verifier measures each qubit of the state. The prover can send each qubit of the state one by one, and the verifier has only to measure each qubit sequentially, i.e., the verifier does not need any quantum memory. The idea of the posthoc verification is based on the observations that the local Hamiltonian problem is QMA-complete Kitaev ; KKR , BQP is in QMA with a trivial witness state (such as the all zero state), and the ground state of the local Hamiltonian (i.e., the history state) can be constructed in quantum polynomial-time if the corresponding problem is in BQP posthoc . Because the 2-local -Hamiltonian problem is QMA-complete BL08 ; CM16 , the verifier has only to measure randomly chosen two qubits in the computational or the Hadamard basis.

A disadvantage of the posthoc protocol is, however, that the verifier has to do the quantum measurements, and the quantum channel from the prover to the verifier is required. The Mahadev’s breakthrough protocol Mahadev removes them by using the cryptographic technique, but the soundness becomes the computational one, i.e., the protocol is an argument system.

In this paper, we show that if a trusted center is introduced, an information-theoretically-sound non-interactive verification of quantum computing is possible for a classical verifier. The trusted center sends random BB84 states to the prover, and their classical descriptions to the verifier. (Because the BB84 states are uniformly random, center’s messages are independent of the instance.) Introducing a trusted center that distributes BB84 states is somehow an artificial assumption, but it is not unrealistic (for example, it is a foreseeable future that the NIST distributes BB84 states among quantum computing companies like Google, IBM, etc.), and the introduction of the trusted center gives us huge advantages, namely, the classical verifier, the non-interactiveness, and the information-theoretical soundness.

More precisely, for each instance of any promise problem in BQP, we consider the protocol of Fig. 1, and show its completeness and soundness. (A proof is given in Sec. III.)

Theorem 1

For any promise problem in BQP, the protocol of Fig. 1 satisfies both of the following with and such that :

  • If

    , there exists a quantum polynomial-time prover such that the acceptance probability of the verifier is at least

    .

  • If , the verifier’s acceptance probability is at most for any prover (even for computationally-unbounded prover).

 

  • The trusted center uniformly randomly chooses , where . The trusted center sends to the prover. The trusted center sends to the verifier. Note that because is uniformly randomly chosen, the messages from the trusted center to the prover and the verifier are independent of the instance .

  • The prover does a POVM measurement, which can be done in quantum polynomial-time if the prover is honest, on the received state, and sends the measurement result (a -bit classical bit string) to the verifier.

  • The verifier does a certain polynomial-time classical computation to make the decision, accept/reject.

 

Figure 1: A high-level description of our verification protocol.

Our classical verification protocol can also be modified to construct a non-interactive statistical zero-knowledge proof system for QMA with the trusted center (Fig. 2). We show its completeness, soundness, and statistical zero-knowledge property. (A proof is given in Sec. IV.)

Theorem 2

For any promise problem in QMA, the protocol of Fig. 2 satisfies all of the following with and such that :

  • If , there exists a quantum polynomial-time prover (that receives a witness state of QMA as input) such that the acceptance probability of the verifier is at least .

  • If , the verifier’s acceptance probability is at most for any prover (even for computationally-unbounded prover).

  • It is statistical zero-knowledge.

 

  • The trusted center uniformly randomly chooses , where . The trusted center sends to the prover. The trusted center uniformly randomly chooses such that . The trusted center sends to the verifier.

  • The prover does a POVM measurement, which can be done in quantum polynomial-time (given the witness state) if the prover is honest, on the received state, and sends the measurement result (a -bit classical bit string) to the verifier.

  • The verifier does a certain polynomial-time classical computation to make the decision, accept/reject.

 

Figure 2: A high-level description of our zero-knowledge protocol.

The idea is based on the recent elegant construction of zero-knowledge systems for QMA in Ref. BroadbentGrilo

. In their construction, the prover sends the verifier the one-time-padded ground state of the Hamiltonian that corresponds to the encoded version of the verification circuit, and a classical commitment of the one-time-pad key. After receiving a challenge from the verifier, the prover opens only a small part of the ground state, which is enough to measure energy but not enough to get any information about the witness due to the local simulatability 

BroadbentGrilo ; GSY . A zero-knowledge system for QMA was first constructed in Ref. BJSW , and improvements have been obtained recently CVZ ; Alagic ; BroadbentGrilo .

The rest of the paper is organized as follows. In the next section, we give preliminaries: we review the posthoc verification protocol. In Sec. III, we show Theorem 1. In Sec. IV, we show Theorem 2. Finally, we give discussions in Sec. V.

Ii Preliminaries

Let be a promise problem in BQP. For any instance , we can construct an -qubit local Hamiltonian

with such that if then the ground energy is less than , and if then the ground energy is larger than with . Here, , , and . The posthoc protocol posthoc runs as in Fig. 3. Note that in this protocol, the verifier does not need any quantum memory, because the verifier has only to measure each qubit sequentially. The verifier’s acceptance probability is Therefore, if , for an honest prover, and if , for any (computationally-unbounded) prover. The completeness-soundness gap is . It is easy to see that this protocol can be done in the parallel way to amplify the completeness-soundness gap.

 

  • The prover sends an -qubit state to the verifier. (If the prover is honest, it is the ground state of .)

  • The verifier uniformly randomly chooses .

  • If (), the verifier measures all qubits of in the computational (Hadamard) basis. Let be the measurement result on the th qubit.

  • The verifier samples with probability .

  • If , the verifier accepts. Otherwise, reject.

 

Figure 3: The posthoc protocol posthoc .

There is a remark: In the original posthoc protocol posthoc , the verifier first samples with probability and measures th and th qubits. The protocol explained in Fig. 3 is slightly modified from the original posthoc protocol in such a way that the verifier’s measurement is independent of the instance . Such a modification was already done in Refs. Alagic ; BroadbentGrilo ; Vidick_review , and in fact the modification is crucial for our purpose, because the trusted center’s message should be independent of the instance .

Iii Proof of Theorem 1

In this section, we show Theorem 1. Let us first consider the protocol of Fig. 4 that we call the virtual protocol 1. It is easy to see that the virtual protocol 1 has the same completeness and soundness as those of the posthoc protocol (Fig. 3). Next let us consider the protocol of Fig. 5 that we call the virtual protocol 2. The difference from the virtual protocol 1 is that the verifier first measures halves of Bell pairs before sending other halves to the prover. Because the verifier’s measurement and the prover’s measurement commute with each other, verifier’s acceptance probability of the virtual protocol 2 is the same as that of the virtual protocol 1. Finally, let us consider the protocol of Fig. 6, which is our final protocol. The difference from the virtual protocol 2 is that the verifier’s quantum task is done by the trusted center. It is clear that the verifier’s acceptance probability of this protocol is the same as that of the virtual protocol 2. In conclusion, our protocol (Fig. 6) has the same completeness and soundness as those of the posthoc protocol (Fig. 3).

 

  • The verifier uniformly randomly chooses . The verifier generates Bell pairs, and sends halves to the prover.

  • If the prover is honest, the prover teleports the ground state of to the verifier by using the Bell pairs, and sends the verifier the information about the byproduct caused by the teleportation. If the prover is malicious, the prover does any POVM measurement on the received states, and sends the result of the POVM measurement to the verifier.

  • If (), the verifier measures all qubits of the teleported state in the computational (Hadamard) basis. Let be the measurement result of the th qubit.

  • Let us define for , which are the measurement results that take into account the effects of the teleportation byproducts. The verifier samples with probability . The verifier accepts if and only if .

 

Figure 4: The virtual protocol 1.

 

  • The verifier uniformly randomly chooses . The verifier generates Bell pairs.

  • The verifier measures halves of the Bell pairs in the computational (Hadamard) basis if (). Let be the measurement result for the th Bell pair. The verifier sends unmeasured halves of the Bell pairs to the prover.

  • The prover does a POVM measurement , which corresponds to the teleportation of the ground state when the prover is honest, on the received states, and sends the result of the POVM measurement to the verifier.

  • The same as the step 4 of the virtual protocol 1.

 

Figure 5: The virtual protocol 2.

 

  • The trusted center uniformly randomly chooses . The trusted center sends to the prover. The trusted center sends to the verifier.

  • The same as the steps 3 and 4 of the virtual protocol 2.

 

Figure 6: Our protocol.

Iv Proof of Theorem 2

Our non-interactive statistical zero-knowledge proof system for QMA with the trusted center is shown in Fig. 7. To show its completeness, soundness, and zero-knowledge property, let us consider the protocol of Fig. 8, which we call the virtual zero-knowledge protocol. It is easy to verify that protocols of Fig. 7 and Fig. 8 are the same. The verifier’s acceptance probability in the virtual zero-knowledge protocol is and therefore the completeness-soundness gap is . The zero-knowledge property is also clear, because in the virtual zero-knowledge protocol, what the verifier gets under the honest prover are the uniformly randomly chosen , and the measurement results on the th and th qubits of the one-time padded history state in the base that is simulatable in classical polynomial-time due to the local simulatability of the history state BroadbentGrilo ; GSY . In Fig. 9, we show the simulator. It is clear that the output of the simulator and verifier’s view are negligibly close.

 

  • The trusted center uniformly randomly chooses . The trusted center sends to the prover. The trusted center uniformly randomly chooses such that . The trusted center sends to the verifier.

  • The same as the step 3 of the virtual protocol 2.

  • Let us define for . The verifier samples with probability . If , the verifier accepts. If , the verifier accepts. If and , the verifier accepts if and only if .

 

Figure 7: The zero-knowledge protocol.

 

  • The trusted center uniformly randomly chooses . The trusted center generates Bell pairs, and sends halves to the prover.

  • The prover does a POVM measurement, , which corresponds to the teleportation of the ground state when the prover is honest, on the received states.

  • The trusted center measures the halves of the Bell pairs in the computational (Hadamard) basis if (). Let be the measurement result for the th Bell pair.

  • The trusted center randomly chooses such that , and sends to the verifier.

  • The prover sends the result of the POVM measurement to the verifier.

  • The same as the step 3 of the zero-knowledge protocol Fig.7.

 

Figure 8: The virtual zero-knowledge protocol.

 

  • The simulator uniformly randomly generates .

  • The simulator uniformly randomly generates .

  • The simulator uniformly randomly generates such that .

  • The simulator computes the classical description of , where is the ground state of the Hamiltonian.

  • The simulator samples the measurement results in the basis on .

  • The simulator outputs .

 

Figure 9: The simulator.

V Discussion

In this paper, we have constructed an information-theoretically-sound non-interactive classical verification protocol for quantum computing with a trusted center. The trusted center sends randomly chosen BB84 states to the prover, and their classical descriptions to the verifier.

One might ask whether the quantum message from the center to the prover can be replaced with a classical one. It will be impossible, because if it was possible, then BQP is in AM, which is unlikely. To see it, assume that the trusted center sends some random classical messages to the prover. Then, the message can be sent from the verifier instead of the center, and it is a two-message AM protocol.

The combination of the trusted center considerd in this paper and the Fitzsimons-Kashefi protocol FK also realizes the information-theoretically-sound classical verification of quantum computing, but in that case, the protocol is interactive: polynomially-many rounds are necessary between the prover and the verifier. Furthermore, the messages sent from the trusted center do depend on the instance.

The trusted center’s task considered in this paper can be done by the “remote state preparation” protocol. In the remote state preparation, the classical verifier can remotely prepare random quantum states in the prover’s place with only a classical communication in such a way that only the verifier knows which states are prepared. It is well known that if the remote state preparation is possible, a classical verification of quantum computing is possible. It is open whether an information-theoretically-sound remote state preparation is possible or not, but it was shown recently that computationally-sound remote state preparations are possible under the LWE assumption Vazirani ; AndruVidick ; MetgerVidick ; Cojocaru . If we combine these remote state preparation protocols with our protocol, we would obtain a computationally-sound non-interactive classical verification protocol for quantum computing with preprocessing.

Acknowledgements.
TM is supported by MEXT Q-LEAP, JST PRESTO No.JPMJPR176A, and the Grant-in-Aid for Young Scientists (B) No.JP17K12637 of JSPS.

References