First-generation quantum computers will be implemented in the “cloud” style, since only few groups, such as governments or huge companies, will be able to possess such expensive and high-maintenance machines. In fact, IBM has recently opened their 16-qubit machine for a cloud service. In a future when many companies provide their own quantum cloud computing services, a malicious company might emerge who is trying to palm a user off with a wrong result forged from their fake quantum computer. In addition, even if a fortunate user is interacting with a honest server, some noises in the server’s gate operations might change the result. How can a user verify the correctness of the server’s quantum computation? If the user has his/her own quantum computer, the user can of course check the server’s result, but in this case the user may not need the cloud service in the first place. If the solution of the problem is easily verifiable (e.g., integer factoring), the user can naturally verify the correctness of the server’s result, but many problems considered in quantum computing are not believed to have this property. Verifying classically and efficiently a server’s quantum computation is indeed in general highly nontrivial.
It is known that if at least two servers, who are entangled but not communicating with each other, are allowed, then any problem solvable in quantum polynomial time can be verified by a classical polynomial-time user who exchanges classical messages with the servers [20, 24, 27]. However, the assumption that servers are not communicating with each other is somehow unrealistic: how can the user guarantee that remote servers are not communicating with each other?
Whether the number of the servers can be reduced to one is a well-known open problem . For certain computational problems solvable in quantum polynomial time, it is known that this can be done. Simon’s problem  and factoring  are trivial examples, since the answer can be directly checked in classical polynomial time. It is known that recursive Fourier sampling , which was the first problem that separates efficient quantum and classical computing, can be verified by a polynomial number of message exchanges with a single quantum server . Moreover, it was shown that certain promise problems related to quantum circuits in the second level of the Fourier hierarchy  are verifiable by a classical polynomial-time user interacting with a single quantum server who sends only a single message to the user [12, 26].
Our results. In this paper we consider the problem of computing the order, i.e., the number of elements, of a finite group given as a black-box group (the concept of black-box groups is defined in Section 2). This problem is central in computational group theory, especially since the ability of computing the order makes possible to decide membership in subgroups. This problem has also been the subject of several investigations in computational complexity [1, 6, 7, 9, 32, 33]. The seminal result by Babai , especially, which put this problem in the complexity class AM, has been one of the fundamental motivations behind the concept of interactive proofs. Note that this is clearly a hard problem for classical computation: it is easy to show that no polynomial-time classical algorithm exists in the black-box setting, even if the input is an abelian group .
Most of the known quantum algorithms that achieve exponential speedups with respect to the best known classical algorithms are for group-theoretic problems, and especially problems over abelian groups. Shor’s algorithm for factoring , for instance, actually computes the order of a cyclic black-box group. Watrous has shown that the group order problem can be solved in quantum polynomial time when the input group is solvable . Since the class of solvable groups, defined in Section 2, is a large111It is known (see for instance ) that
In this paper we show that the group order problem over solvable groups is also verifiable with a single server. More formally, in Section 2, where we introduce the relevant model of interactive protocols, we will introduce the notation to denote the class of computational problems that are verifiable by a classical polynomial-time user interacting in messages with a server who works in quantum polynomial time. Our main result is as follows. The solvable group order problem is in the complexity class . Moreover, if the set of prime factors of the order is also given as input, then the solvable group order problem is in . This result shows that for this important computational problem, the number of servers can be reduced to one as well, using a small number of messages. Note that assuming, in the second part of Theorem 1, that the set of prime factors of the order is known corresponds to several practical situations. An important example is computing the order of -groups222A (finite) -group, where is a prime, is a group of order for some integer . A basic result from group theory shows that any -group is solvable. with known, which cannot be done in polynomial time in the classical setting . The main open question is whether the number of messages can also be reduced to 2 without any assumption on the prime factors.
Other related works. In addition to the introduction of multiple servers mentioned above, there are other approaches considered in the literature for constructing verification systems for quantum computation.
First, if the user is allowed to be “slightly quantum”, any problem solvable in quantum polynomial time can be efficiently verified with a single quantum server. For example, Refs. [2, 14] assume that the user can generate randomly-rotated single-qubit states, and Refs. [13, 16, 25] assume that the user can measure single-qubit states.
Second, since the class BQP (the class of decision problems that can be solved in quantum polynomial-time) is trivially in PSPACE and [21, 28], any problem in BQP can be classically verified using generic interactive proof protocols for PSPACE. In such protocols, however, the server has unbounded computational power. A tempting approach is to try to specialize these generic protocols to the class BQP, with the hope that the server’s necessary computational power may be reduced. Ref.  made an significant first step in this direction.
Finally, it has been shown very recently that assuming that the learning with errors problem is intractable for polynomial-time quantum computation, any problem solvable in quantum polynomial time can be efficiently verified with a single quantum server and a single classical user .
In this paper we assume that the reader is familiar with the standard notions of group theory (we refer to, e.g.,  for a good introduction). All the groups considered will be finite. Given a group , we use to denote its order (i.e., the number of elements in ), and use to denote its identity element. Given elements , we denote the subgroup of generated by .
Black-box groups. We now describe the model of black-box groups. This concept, in which each group element is represented by a string and each group operation is implemented using an oracle, was first introduced by Babai and Szemerédi  to describe group-theoretic algorithms in the most general way, without having to concretely specify how the elements are represented and how groups operations are implemented. Indeed, any efficient algorithm in the black-box group model gives rise to an efficient concrete algorithm whenever the oracle operations can be replaced by efficient procedures. Especially, performing group operations can be done directly on the elements in polynomial time for many natural groups, including permutation groups and matrix groups where the group elements are represented by permutations and matrices, respectively. In the quantum setting, black-box groups have first been considered by Ivanyos et al.  and Watrous [32, 33].
A black-box group is a representation of a group where each element of is uniquely encoded by a binary string of a fixed length , which is called the encoding length. The encoding length is known. In order to be able to express the complexity of black-box group algorithms in terms of the group order , and not in terms of the encoding length, we make the standard assumption that . Oracles are available to perform group operations. More precisely, two oracles are available. A first oracle performs the group product: given two strings representing two group elements and , the oracle outputs the string representing . The second oracle performs inversion: given a string representing an element , the oracle outputs the string representing the element . Note that the two oracles may behave arbitrarily on strings not corresponding to elements in ; this is not a problem since our protocols will never use the oracles on such strings. We say that a group is input as a black-box if a set of strings representing generators of with is given as input and queries to the oracles can be done at cost 1.333The assumption is standard. Indeed, every group has a generating set of size . Additionally, a set of generators of any size can be converted efficiently into a set of generators of size by taking random products of elements . The input length is thus .
To be able to take advantage of the power of quantum computation when dealing with black-box groups, the oracles performing the group operations have to be able to deal with quantum superpositions. Concretely, this is done as follows (see [19, 32, 33]). Let denote the encoding of elements as binary strings. We assume that a quantum oracle is available, such that for any two elements , and behaving in an arbitrary way on other inputs (i.e., strings not in ). Another quantum oracle is also available, such that for any and again behaving in an arbitrary way on other inputs.
Approximate sampling in black-box groups. Babai  proved the following result for general groups, which shows that elements of a black-box group can be efficiently sampled nearly uniformly. () Let be a black-box group. For any , there exists a classical randomized algorithm running in time polynomial in and that outputs an element of such that each
is output with probability in range.
Solvable groups. Before discussing solvable groups, let us introduce the following concept of polycyclic generating sequences (see  for details). Let be a group. A polycyclic generating sequence of is a sequence of elements from , for some integer , such that:
for each , the subgroup is normal in .
There are many equivalent definitions of solvable groups in the literature (see, e.g.,  for a thorough discussion). In this paper we will use the following characterization: a finite group is solvable if and only if it has a polycyclic generating sequence. This characterization, which was already used by Watrous , is the most convenient for our purpose. As discussed in , for any finite solvable group given as a black box, a polycyclic generating sequence with can be computed classically in polynomial time with high probability using for instance the randomized algorithm by Babai et al. .
Watrous showed that the order of a solvable black-box group can be computed in polynomial time in the quantum setting. We state this result in the following theorem.
() Let be a solvable group given as a black-box group. There exists a quantum algorithm running in time that outputs with probability at least .
Let be a solvable group and be a polycyclic generating sequence of . In the following we will write for each , and for convenience write . Since is obtained from by adding one generator, the factor group is cyclic. Let us write its order . Note that the order of is thus the product . A fundamental (and easy to show) property of polycyclic generating sequences is the following: For any , any element can be written, in a unique way, as with integers for . We call this sequence the decomposition of over . Watrous  showed that the decomposition of any element can be computed efficiently in the quantum setting, which immediately leads to an efficient algorithm for membership testing in the subgroups . We state these two results, separately, in the following theorem.
() Let be a solvable group given as a black-box group and let be a polycyclic generating sequence of with . There exist two quantum algorithms and running in time polynomial in as follows.
Algorithm receives an integer and an element , and outputs with probability at least the decomposition of over .
Algorithm receives an integer and an element , and decides whether or not. The decision is correct with probability at least .
Interactive proofs with efficient quantum prover. Interactive proof systems are typically described as protocols for decision problems. In this paper it will be more convenient to consider interactive proofs for computing functions, since we are interesting in computing the order of the input group.444In order to be completely rigorous, we should actually define this concept for functional problems where the input is represented using oracles (since we are dealing with black-box groups where the group operation is represented by oracles). We nevertheless omit this purely technical point in the exposition. The definition we give below is inspired by .
Let be a function, where is a finite set. We consider protocols between a prover and a verifier, who both receives as input an element and can exchange classical messages of polynomial length. At the end of the protocol, the verifier outputs either some or one special element . We say that the function has a -message polynomial-time interactive proof if there exists a -message protocol in which the verifier works in classical polynomial time, such that the following properties hold:
(completeness) there is a prover such that the verifier’s output satisfies with probability at least when interacting with ;
(soundness) for any prover , the verifier’s output satisfies with probability at least when interacting with .
The prover in the completeness condition is called the honest prover.
The above definition makes no assumption on the computational powers of the provers. Our main definition is obtained by restricting the computational power of the honest prover, i.e., the prover in the completeness condition. A function is in the class if it has a -message polynomial-time interactive proof where the honest prover works in quantum polynomial time. The notation comes from its definition as a -message interactive protocol with a prover working in quantum polynomial time (when honest). We stress that in Definition 2 there is no assumption on the computational power of for the soundness.
3 2-Message Protocol with Known Prime Factors
In this section we assume that the prime factors of the order of the black-box group are known. We present a 2-message protocol in this case, which proves the second part of Theorem 1.
We will need the following result in our protocol.
Let be a solvable group given as a black-box group. Let denote the prime factors of and assume that the set is also given as input. There exists a classical algorithm running in time polynomial in that outputs elements , with , and prime numbers such that, with probability at least , the following conditions hold:
is a polycyclic generating sequence of ;
the order of is either 1 or for each , where we denote for and .
Before proving Theorem 3.1, let us discuss the main idea of the algorithm in this theorem. The approach is to start with an arbitrary polycyclic generating sequence and refine it by replacing each element by decreasing powers of it. Consider for instance the cyclic group of order 12, for which we have , , and . Assume that we start with the polycyclic generating sequence consisting of a unique element of order 12. We refine this sequence as with , and . This is a polycyclic generating sequence with , and . The difficulty is that naturally we do not know the order . Remember nevertheless that we know the encoding length of the black-box group, which is an upper bound on . This means that the quantity is a multiple of the order , and thus we can use the same approach, working with instead of when refining the original polycyclic generating sequence.
Proof of Theorem 3.1.
Let us consider the function such that
for any . Now consider the sequence
consisting of integers (the integers in the sequence are strictly decreasing). Define the function such that is the -th integer in Sequence (1). Note that for any .
We now describe our algorithm that computes the claimed generating sequence.
We first compute a polycyclic generating sequence of with using the randomized polynomial-time algorithm from , already mentioned in Section 2, which succeeds with probability at least . Let us write for each , and .
We now show how to refine the polycyclic generating sequence. For each , we replace by the sequence of elements , which gives a new sequence
of elements. Sequence (2) is a polycyclic generating sequence of since is a polycyclic generating sequence of and . For any , observe that
for any . Similarly for any we have
Let us rename the elements of Sequence (2) as , with . Note that . Let us write for and . For each , the order of is either 1 or , where can be determined from Equations (3) and (4). More concretely, is of the form for some (which can be immediately computed from ) when corresponds to the case of Equation (3), and when corresponds to the case of Equation (4). Note that in both cases we have , from the property mentioned before. ∎
3.2 The protocol
Let denote the set of prime factors of , which is given as an additional input. The protocol is given in Figure 1. The main idea is that the verifier can, using Theorem 3.1, compute by itself a polycyclic generating sequence and prime numbers such that for each . This is done at Step 1 of the protocol. Note that . The purpose of Steps 2-5 is to decide whether or , for each , by interacting with the prover. More precisely, the verifier interacts with the prover to test, for each , whether or . This requires testing non-membership in a solvable group with a polynomial-time quantum prover, which is achieved by sending (at Step 3) to the prover the element for a random bit and a random element , and asking the prover to find the chosen bit . These tests enable the verifier to decide which of the two cases holds (at Steps 5.1 and 5.2), and then to compute at Step 6, or to detect cheating (at Step 5.3).
3.3 Analysis of the protocol
We now analyze the protocol of Figure 1. Let be the group elements and be the prime numbers computed at Step 1. The analysis below is done under the assumption that is a polycyclic generating sequence of and for all , which is true with probability at least from Theorem 3.1.
Let us first consider the correctness, i.e., showing that there exists a prover (working in quantum polynomial time) who makes the verifier able to compute with high probability. This prover acts as follows. For each , the prover checks if the element received at Step 3 is in the subgroup , using Algorithm of Theorem 2. If the prover learns that this element is in then the prover applies Algorithm of Theorem 2 to obtain a decomposition of over , and sends to the verifier the bit and these values . If the prover learns that this element is not in , then the prover sends to the verifier the bit and arbitrary values .
Let us analyze the verifier’s output when interacting with the above prover. If then we have and thus whatever the value of is. With probability at least , the prover’s message is thus and corresponding to the decomposition of over , and then the verifier sets . If then we have and thus if and only if . With probability at least , the bit sent by the prover satisfies , and thus the verifier sets (since the second part of the message cannot correspond to the decomposition of over ). In conclusion, with probability at least the output at Step 6 is
Let us now consider the soundness, i.e., showing that for any prover the verifier outputs either or with high probability. It is clear that if , then the prover cannot convince the verifier to set , since there is no set of integers such that . On the other hand, if then the prover cannot convince the verifier to set unless the prover is able to decide whether or from the element received, which cannot be done with probability larger than , where
represents the variational distance between the two probability distributionsand (seen as distributions over ). We have
where the second inequality follows from Theorem 2 and the third inequality follows from our choice of and the upper bound . Thus, for any fixed such that , the prover cannot convince the verifier to set with probability greater than . Let us now bound the probability that the verifier’s output is either or . This corresponds to the probability that the verifier does not output an integer different from the order of . Note that the verifier can output an integer not equal to the order only if the prover forces the verifier to set for at least one index . From the above analysis, we know that this can happen with probability at most , i.e., such a cheating is detected by the verifier at Step 5.3 with probability at least , in which case the verifier immediately aborts the protocol and outputs . Thus the overall probability that the verifier’s output is either or is at least . Note finally that this probability can be amplified to reach the soundness threshold of used in Definition 2 by repeating the protocol of Figure 1 a constant number of times in parallel and deciding the output based on a standard threshold argument.
4 General 3-Message Protocol
In this section we show that when the prime factors of the order of are not known, we can design a 3-message protocol, which proves the first part of Theorem 1.
4.1 The protocol
Our 3-message protocol, described in Figure 2, is obtained by modifying the protocol of the previous section. More precisely, Step 1 in the protocol of the previous section is replaced by two steps (Steps 0 and 1 in Figure 2): instead of having the verifier compute a polycyclic generating sequence using Theorem 3.1, which requires the knowledge of the set of factors of , in the new protocol the prover computes by itself this sequence and sends it at Step 0 to the verifier, who then checks that the sequence is really correct at Step 1. All the other steps 2-6 are exactly the same as for the protocol in Figure 1 (one small exception is Step 3, which is slightly rewritten since the polycyclic generating sequence does not need to be sent to the prover anymore).
4.2 Analysis of the protocol
Let us consider the correctness. In that case the prover first uses the algorithm of Theorem 2 to compute the order , then factorizes it using Shor’s algorithm  and collects the prime factors in a set . The prover then uses the algorithm of Theorem 3.1 using the set as input to obtain group elements and a list of integers such that with probability at least the following two conditions hold:
is a polycyclic generating sequence of , with ,
the order of is either 1 or for each ,
where as usual we use the notation for any and the convention . These two conditions are equivalent to the following:
, i.e., for each ;
for each ;
is normal in for any , i.e., for any .
Thus, with probability at least , the prover can compute the following decompositions in quantum polynomial time using Algorithm of Theorem 2:
a decomposition of over , for each ;
a decomposition of over , for each ;
a decomposition of over , for each and each .
At Step 0, the prover sends all these integers, along with the elements and the primes . All the tests performed by the verifier at Step 1 then pass. The analysis of the second part of the protocol (Steps 2-6) is then exactly the same as the analysis of the protocol of Section 3.
The soundness follows by observing that passing the tests performed by the verifier at Step 1 guarantees that Conditions (a)-(c) of the previous paragraph hold. This guarantees that Conditions (i)-(ii) hold as well, and thus the soundness analysis for the second part of the protocol (Steps 2-6) is exactly the same as the analysis of the protocol of Section 3.
FLG was partially supported by the JSPS KAKENHI grants No. 15H01677, No. 16H01705 and No. 16H05853. TM is supported by JST PRESTO No. JPMJPR176A, and the Grant-in-Aid for Young Scientists (B) No. JP17K12637 of JSPS. HN was partially supported by the JSPS KAKENHI grants No. 26247016, No. 16H01705 and No. 16K00015. YT is supported by the Program for Leading Graduate Schools: Interactive Materials Science Cadet Program.
-  Scott Aaronson and Greg Kuperberg. Quantum versus classical proofs and advice. Theory of Computing, 3:129–157, 2007. doi:10.4086/toc.2007.v003a007.
-  Dorit Aharonov, Michael Ben-Or, Elad Eban, and Urmila Mahadev. Interactive proofs for quantum computations. arXiv:1704.04487, 2017.
-  Dorit Aharonov and Ayal Green. A quantum inspired proof of . arXiv:1710.09078, 2017.
-  Dorit Aharonov and Umesh Vazirani. Is quantum mechanics falsifiable? A computational perspective on the foundations of quantum mechanics. arXiv:1206.3686, 2012.
-  László Babai. Local expansion of vertex-transitive graphs and random generation in finite groups. In Proceedings of the 23rd Annual ACM Symposium on Theory of Computing, pages 164–174, 1991. doi:10.1145/103418.103440.
-  László Babai. Bounded round interactive proofs in finite groups. SIAM Journal on Discrete Mathematics, 5(1):88–111, 1992. doi:10.1137/0405008.
-  László Babai, Robert Beals, and Ákos Seress. Polynomial-time theory of matrix groups. In Proceedings of the 41st Annual ACM Symposium on Theory of Computing, pages 55–64, 2009. doi:10.1145/1536414.1536425.
-  László Babai, Gene Cooperman, Larry Finkelstein, Eugene M. Luks, and Ákos Seress. Fast monte carlo algorithms for permutation groups. Journal of Computer and System Sciences, 50(2):296–308, 1995. doi:10.1006/jcss.1995.1024.
-  László Babai and Endre Szemerédi. On the complexity of matrix group problems I. In Proceedings of the 25th Annual Symposium on Foundations of Computer Science, pages 229–240, 1984. doi:10.1109/SFCS.1984.715919.
-  Ethan Bernstein and Umesh Vazirani. Quantum complexity theory. SIAM Journal on Computing, 26:1411–1473, 1997. doi:10.1137/S0097539796300921.
-  Simon R. Blackburn, Peter M. Neumann, and Geetha Venkataraman. Enumeration of Finite Groups. Cambridge University Press, 2017. doi:10.1017/CBO9780511542756.
-  Tommaso F. Demarie, Yungkai Ouyang, and Joseph F. Fitzsimons. Classical verification of quantum circuits containing few basis changes. arXiv:1612.04914, 2016.
-  Joseph F. Fitzsimons, Michael Hajdušek, and Tomoyuki Morimae. Post hoc verification of quantum computation. Physical Review Letters, 120:040501, 2018. doi:10.1103/PhysRevLett.120.040501.
-  Joseph F. Fitzsimons and Elham Kashefi. Unconditionally verifiable blind computation. Phys. Rev. A, 96:012303, 2017. doi:10.1103/PhysRevA.96.012303.
-  Shafi Goldwasser, Ofer Grossman, and Dhiraj Holden. Pseudo-deterministic proofs. In Proceedings of the 9th Innovations in Theoretical Computer Science Conference, pages 17:1–17:18, 2018. doi:10.4230/LIPIcs.ITCS.2018.17.
-  Masahito Hayashi and Tomoyuki Morimae. Verifiable measurement-only blind quantum computing with stabilizer testing. Physical Review Letters, 115:220502, 2015. doi:10.1103/PhysRevLett.115.220502.
-  Derek F. Holt, Bettina Eick, and Eamonn A. O’Brien. Handbook of computational group theory. Chapman & Hall/CRC, 2005. doi:10.1201/9781420035216.
-  I. Martin Isaacs. Finite group theory. American Mathematical Society, 2008.
-  Gábor Ivanyos, Frédéric Magniez, and Miklos Santha. Efficient quantum algorithms for some instances of the non-abelian hidden subgroup problem. International Journal of Foundations of Computer Science, 14(5):723–740, 2003. doi:10.1142/S0129054103001996.
-  Zhengfeng Ji. Classical verification of quantum proofs. In Proceedings of the 48th Annual ACM symposium on Theory of Computing, pages 885–898, 2016. doi:10.1145/2897518.2897634.
-  Carsten Lund, Lance Fortnow, Howard J. Karloff, and Noam Nisan. Algebraic methods for interactive proof systems. Journal of the ACM, 39(4):859–868, 1992. doi:10.1145/146585.146605.
-  Urmila Mahadev. Classical verification of quantum computations. arXiv:1804.01082, 2018.
-  Mathew McKague. Interactive proofs with efficient quantum prover for recursive fourier sampling. Chicago Journal of Theoretical Computer Science, 2012(6), 2012. doi:10.4086/cjtcs.2012.006.
-  Mathew McKague. Interactive proofs for BQP via self-tested graph states. Theory of Computing, 12(3):1–42, 2016. doi:10.4086/toc.2016.v012a003.
-  Tomoyuki Morimae, Daniel Nagaj, and Norbert Schuch. Quantum proofs can be verified using only single-qubit measurements. Physical Review A, 93:022326, 2016. doi:10.1103/PhysRevA.93.022326.
-  Tomoyuki Morimae, Yuki Takeuchi, and Harumichi Nishimura. Merlin-Arthur with efficient quantum Merlin and quantum supremacy for the second level of the fourier hierarchy. arXiv:1711.10605, 2017.
-  Ben W. Reichardt, Falk Unger, and Umesh Vazirani. Classical command of quantum systems. Nature, 496:456–460, 2013. doi:10.1038/nature12035.
-  Adi Shamir. IP = PSPACE. Journal of the ACM, 39(4):869–877, 1992. doi:10.1145/146585.146609.
-  Yaoyun Shi. Quantum and classical tradeoffs. Theoretical Computer Science, 344:335–343, 2005. doi:10.1016/j.tcs.2005.03.053.
-  Peter W. Shor. Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM Journal on Computing, 26(5):1484–1509, 1997. doi:10.1137/S0097539795293172.
-  Daniel R. Simon. On the power of quantum computation. SIAM Journal on Computing, 26(5):1474–1483, 1997. doi:10.1137/S0097539796298637.
-  John Watrous. Succinct quantum proofs for properties of finite groups. In Proceedings of the 41st Annual Symposium on Foundations of Computer Science, pages 537–546, 2000. doi:10.1109/SFCS.2000.892141.
-  John Watrous. Quantum algorithms for solvable groups. In Proceedings of the 33rd Annual ACM Symposium on Theory of Computing, pages 60–67, 2001. doi:10.1145/380752.380759.
-  https://www-03.ibm.com/press/us/en/pressrelease/52403.wss.