DeepAI

# Lattice-Based Quantum Advantage from Rotated Measurements

Trapdoor claw-free functions (TCFs) are immensely valuable in cryptographic interactions between a classical client and a quantum server. Typically, a protocol has the quantum server prepare a superposition of two-bit strings of a claw and then measure it using Pauli-X or Z measurements. In this paper, we demonstrate a new technique that uses the entire range of qubit measurements from the XY-plane. We show the advantage of this approach in two applications. First, building on (Brakerski et al. 2018, Kalai et al. 2022), we show an optimized two-round proof of quantumness whose security can be expressed directly in terms of the hardness of the LWE (learning with errors) problem. Second, we construct a one-round protocol for blind remote preparation of an arbitrary state on the XY-plane up to a Pauli-Z correction.

• 1 publication
• 3 publications
• 2 publications
• 6 publications
07/03/2020

### Security Limitations of Classical-Client Delegated Quantum Computing

Secure delegated quantum computing allows a computationally weak client ...
12/11/2022

### Parallel remote state preparation for fully device-independent verifiable blind quantum computation

We introduce a device-independent two-prover scheme in which a classical...
12/10/2018

### Impossibility of blind quantum sampling for classical client

Blind quantum computing enables a client, who can only generate or measu...
02/02/2020

### Full-Blind Delegating Private Quantum Computation

The delegating private quantum computation (DQC) protocol with the unive...
04/12/2019

### Computationally-secure and composable remote state preparation

We introduce a protocol between a classical polynomial-time verifier and...
08/11/2020

### The Polynomial Learning With Errors Problem and the Smearing Condition

As quantum computing advances rapidly, guaranteeing the security of cryp...
04/12/2019

### QFactory: classically-instructed remote secret qubits preparation

The functionality of classically-instructed remotely prepared random sec...

## 1 Introduction

The field of quantum cryptography has its origins [BB14, Wie83] in the idea that quantum states can be transmitted between two parties (e.g., through free space or through an optical fiber) to perform cryptographic tasks. Properties of the transmitted states, including no-cloning and entanglement, are the basis for interactive protocols that enable a new and qualitatively different type of security. However, a recent trend in the field has shown that quantum cryptography can be done even when quantum communication is not available. If one or more parties involved in a protocol possess a sufficiently powerful quantum computer, then certain cryptographic tasks can be performed — while still taking advantage of uniquely quantum properties — using strictly classical communication. This approach relieves the users of the difficulties associated with reliable quantum communication, and puts the focus instead on the problem of building a more powerful quantum computer, a goal that has seen tremendous investments during the past several years [Nat19].

At the center of this new type of quantum cryptography are cryptographic hardness assumptions. Certain problems, such as factoring numbers, are believed to be difficult for classical computers but not for quantum computers. Other problems, such as finding the shortest vector in a lattice, are believed to be hard for both types of computers. These hardness assumptions are used to prove soundness claims for quantum interactive protocols.

Two of the seminal papers in quantum cryptography with classical communication [Mah18, BCM21] used trapdoor claw-free functions [GMR84] as the basis for their protocol designs, and created a model that has been followed by many other authors. A trapdoor claw-free function (TCF), roughly speaking, is a family of triples , where and are injective functions with the same domain and same range, and is a trapdoor that allows efficient inversion of either function. To say that this family is claw-free means that without the trapdoor , it is believed to be hard for any (quantum or classical) adversary to find values and such that .

The TCF construction illustrates how a cryptographic hardness assumption that is made for both quantum and classical computers can nonetheless permit a quantum computer to show its unique capabilities. A quantum computer can perform an efficient process that will output a random element in the range of together with a claw state of the form

 |ψ⟩=1√2(|x0⟩|0⟩+|x1⟩|1⟩), (1)

where (see section 2 of [Mah18]). If this state is measured in the -basis, one obtains a pair such that . Alternatively, assuming that and are expressed as bit strings of length , and thus is an -qubit state, one can measure in the -basis to obtain a bit string that must satisfy

 d⋅(x0⊕x1||1)=0. (2)

(Here, denotes string concatenation.) This equation is significant because we have used a quantum process to obtain information about both and , even though we have assumed that it would be impossible for any efficient computer to recover and entirely. This fact is the basis for using TCFs to verify that a server that one is interacting with is able to perform quantum computation [BCM21, KMCVY22]. The same concept was also used in cryptographic constructions that delegate the preparation of a quantum state to a server without revealing its classical description [CCKW19, GV19] and in other cryptographic protocols [MV21, Mah18].

The majority of papers utilizing TCFs in their cryptographic constructions have applied only Pauli measurements and classical operations to the state .111Two exceptions are as [GV19] and [CCKW21]. In [GV19]

, the server applies Fourier transforms to the quantum state

. In [CCKW21], the server applies measurements from a small set in the -plane and the protocol only provides security against honest-but-curious adversaries. See Section 1.2 for a comparison. What would happen if we considered the full range of single-qubit measurements on the state ? We note that since single-qubit rotation gates are physically native in some platforms (for example, ion traps [NC10, DLF16, Mas17]), realizing a continuous single-qubit rotation is not much more difficult than realizing a single-qubit Clifford gate, and so this direction is a natural one to study.

In this work, we use an infinite family of qubit measurements to prove new performance and security claims for quantum server protocols. We discuss two applications: proofs of quantumness and blind remote state preparation.

### 1.1 Our Contribution

#### Proof of Quantumness.

With increasing efforts in recent years towards building quantum computers, the task of verifying the quantum behavior of such computers is particularly important. Integer factorization, one of the oldest theoretical examples of a quantum advantage [Sho94], is one possible approach to this kind of verification. However, building quantum computers that are able to surpass classical computers in factoring is experimentally difficult and a far-off task. Hence, it is desirable to find alternative proofs of quantumness222By proof of quantumness, we mean a specific test, administered by a classical verifier, which an efficient quantum device can pass at a noticeably higher rate than any efficient classical device. that are easier for a quantum computer to perform.

The authors of [BCM21] did groundbreaking work in this direction by offering an interactive proof of quantumness based on the hardness of LWE (learning with errors). Follow-up work [BKVV20, KMCVY22, KLVY22] used their technical ideas to optimize some aspects or provide trade-offs under different assumptions. In this work we provide a proof of quantumness that utilizes rotated measurements on claw states (Eq. 1) to achieve some new tradeoffs. The advantage achieved in our protocol by a quantum device is described in the following theorem.

###### Theorem 1.1 (Informal).

Let denote the security parameter. Suppose that are functions of that satisfy the constraints given in Fig. 1 from Section 3, and suppose that the problem is hard. Then, there exists a two round interactive protocol between a verifier and a prover such that the following holds:

• For any efficient classical prover, the verifier accepts with probability at most

.

• For any quantum prover that follows the protocol honestly, the verifier accepts with probability at least .

The protocol for this theorem is referred to as Protocol  and is given in Fig. 4. Noting that , we deduce that as long as the error term vanishes as , a constant gap is achieved between the best possible quantum winning probability and the best possible classical winning probability. In Section 3.3, we show that this vanishing condition can be achieved while taking the modulus to be only slightly asymptotically larger than (where the parameter is the dimension of the LWE problem, and is the noise parameter). Our approach thus allows us to base the security of our protocol on the LWE problem for a broad range of parameters, including parameters that are comparable to those used in post-quantum lattice-based cryptography. (For example, in the public-key cryptosystem in [Reg09], the modulus is taken to be on the order of .) Previous works on interactive lattice-based proofs of quantumness have tended to use a modulus that is either very large or not explicitly given.

Our proof builds on recent previous work, and most directly builds on [KLVY22]. In comparison to [KLVY22], our protocol involves preparing and measuring only one TCF claw state at each iteration, whereas [KLVY22] requires preparing and measuring three TCF claw states (while maintaining quantum memory throughout). Additionally, whereas [KLVY22] requires the use of quantum homomorphic encryption schemes proved by other authors, our proof is self-contained and directly relates the security of our protocol to the hardness of the underlying LWE problem. At the same time, our approach inherits the following merits from [KLVY22]: our protocol involves only rounds of interaction, it requires only one qubit to be stored in memory in between rounds, and it does not require any cryptographic assumptions beyond LWE.

As far as we are aware, the combination of features in our work has not been achieved before (see Section 1.2), and our results thus bring the community closer to establishing the minimal requirements for a lattice-based proof of quantumness. As experimental progress continues [ZKML21], there is good reason to think that these proofs of quantumness may be realizable in the near future.

#### Remote State Preparation.

Remote state preparation (RSP) is a protocol where a computationally weak client delegates the preparation of a quantum state to a remote server. An RSP protocol is blind if the server does not learn a classical description of the state in the process of preparing it [DKL12]. Recently, [CCKW19] and [GV19] introduced blind RSP with a completely classical client, based on the conjectured quantum hardness of the LWE problem. Blind RSP has become an essential subroutine to dequantize the quantum channel in various quantum cryptographic applications including blind and verifiable quantum computations [BFK09, GV19, BCC20], quantum money [Rad19], unclonable quantum encryption [GMP22], quantum copy protection [GMP22], and proofs of quantumness [MY22].

All previous RSP protocols prepare a single-qubit state , where belongs to some fixed set . However, a common feature among all the schemes is that either the size of must be small, or the basis determined by is not fixed a priori. Therefore, a natural question in this context is:

Can a completely classical client delegate the preparation of arbitrary single-qubit states to a quantum server while keeping the basis fixed?

Ideally, we would like to achieve this task in a single round of interaction. Note that the previous RSP protocols along with computing on encrypted data protocols such as [BFK09, FBS14] can realize this task in two rounds of interaction. In this work, we provide a simple scheme for deterministic blind RSP that achieves this task without incurring any additional cost compared to previous randomized RSP schemes. Our protocol only requires one round of interaction to prepare any single qubit state in the -plane (modulo a phase flip). This is particularly helpful for applications which require a client to delegate an encrypted quantum input, as it gives the client more control over the state being prepared. The correctness and blindness of the protocol are summarized in the theorem below.

###### Theorem 1.2 (Informal).

Let denote the security parameter. Suppose that are functions of the security parameter that satisfy the constraints given in Fig. 1 from Section 3 and , and suppose that the problem is hard. Then there exists a one-round client-server remote state preparation protocol such that for any , the client can delegate the preparation of the state with the following guarantees:

• (Correctness) If the server follows the protocol honestly, then they prepare a state such that

 ∥∥|α⟩⟨−|Zb|β⟩⟨Z|b∥∥1≤4πmσq,

where denotes the trace norm and is a random bit that the client can compute after receiving the server’s response.

• (Blindness) The server gains no knowledge of from interacting with the client.

### 1.2 Related Works

#### Proof of quantumness.

The study of proofs of quantumness based on LWE was initiated by Brakerski et al. [BCM21] who proposed a four-message (two-round) interactive protocol between a classical verifier and a prover. Their protocol also involves constructing only a single TCF claw state (like in our protocol), although it requires holding the entire claw state in memory between rounds, and it uses an exponentially large modulus.333One effect of using an exponentially large modulus is on hardness assumptions. If we phrase our hardness asssumptions in terms of the shortest vector problem in a lattice, then [BCM21] assumes the hardness of sub-exponential approximation of the shortest vector, while in the current work we only assume that polynomial approximation is hard. See Section 3.3. Later, [BKVV20] gave a two-message (one-round) proof of quantumness with a simpler and more general security proof, but at the cost of requiring the random oracle assumption. More recently, [KMCVY22] introduced a proof of quantummness with some of the same features as [BKVV20] without the random oracle assumption, but they require up to messages in their protocol ( rounds of interaction). Both [AGKZ20] and [YZ22] present constructions of publicly verifiable proofs of quantumness, albeit with different assumptions or models. More recently, [KLVY22] presented a generic compiler that turns any non-local game into a proof of quantumness and gave an explicit scheme that only requires messages ( rounds of interaction). Our proof of quantumness builds on [KLVY22] — see Section 2. Further works have based proofs of quantumness on different assumptions [MY22], optimized the depth required for implementing TCFs [LG22, HLG21], and even achieved prototype experimental realization [ZKML21].

#### Blind RSP.

Remote state preparation over a classical channel comes in two security flavors — blind RSP and blind-verifiable RSP (in this work, we give a protocol for the former). Such a primitive was first introduced in [CCKW21] for honest-but-curious adversaries. This was later extended to fully malicious adversaries in [CCKW19], where the authors present two blind RSP protocols, one of which allows the client to delegate the preparation of a BB84 state and the other allows the client to delegate the preparation of one of states in the -plane. The former protocol has the advantage of allowing the client to choose if the server is preparing a computational or a Hadamard basis state. However, it is not clear how to generalize the scheme to prepare quantum states from a large set while maintaining control over the choice of basis. Independently, [GV19] gives a blind-verifiable RSP scheme that generalizes [BCM21], where the blindness is based on the adaptive hardcore bit property. The protocol in [GV19] can prepare one of states: in the -plane and the two computational basis states. There is a natural way to generalize [GV19] to prepare states of the form with . However, the naturally generalized protocol requires an honest quantum server to apply a Fourier transform over on the claw state, whereas we only require the server to perform single-qubit gates on the claw state for any . Moreover, the quantity in the prepared state is randomly chosen in [GV19] whereas our protocol allows the client to choose . More recently,  [MY22] constructs an RSP protocol from different cryptographic assumptions (full domain trapdoor permutations); however, the blindness is only shown against classical adversaries.

Previous RSP protocols have proven to be immensely useful in several cryptographic applications, ranging from proofs of quantumness [MY22] and verification of quantum computation [GV19, Zha22] to computing on encrypted data [BCC20, GMP22], secure two-party quantum computation [CCKM20] and more. Finally, RSP protocols have been extended to self-testing protocols  [MV21, MTH22, FWZ22]. A self-testing protocol characterizes not only the state prepared but also the measurements made upon them.

### 1.3 Further Directions

In our results on RSP, we have focused on qubit states in the -plane. It would be interesting to explore whether other continuous families of encrypted states could be prepared using our technique.

In general, blind remote state preparation can be done via quantum fully homomorphic encryption (QFHE) schemes [Mah18, Bra18]. An area where QFHE-based remote state preparation has been helpful is quantum money over classical channels [Shm22a, Shm22b]. It would be interesting to see if quantum money schemes can be made more efficient when one uses our RSP protocol to delegate the state preparation.

The integration of rotated qubit measurements with [KLVY22] invites some further development. In particular, one could see if the optimization carried out in this paper could be applied to other non-local games besides the CHSH game, thus allowing a broader range of protocols and more flexibility in implementation.

## 2 Technical Overview

Our protocol involves performing rotated measurements on the claw states put forward by [BCM21] to steer the final qubit of the claw state into a specific form, while keeping this form secret by hiding it using LWE. Suppose that are positive integers. The Learning With Errors (LWE) hardness assumption implies that if a classical client chooses a uniformly random vector

and a uniformly random matrix

, and computes where is a small noise vector, then a quantum server cannot recover from . Following [BCM21] the server can (for certain parameters) nonetheless approximately prepare a superposed claw state of the form

 |γ⟩=1√2(|x1⟩|1⟩+|x0⟩|0⟩), (3)

where and , along with a vector which is close to both and . We will assume that and are written out in base- using little-endian order.

At this point, rather than having the server measure in the -basis, we can go in a different direction: suppose that the client instructs the server to measure the qubit of in the basis where are real numbers for , and report the result as a binary vector

 u=(u1,…,un⌈logq⌉). (4)

Once this is done, the state of the final remaining qubit will be , where

 ϕ\coloneqq⟨θ,[x0]⟩−⟨θ,[x1]⟩+⟨u,[x0]⊕[x1]⟩⋅π.

Here denotes the dot product, and and denote the base- representations of and . Since the quantum server cannot know both and , they cannot compute from this formula. However, if the client possesses a trapdoor to the original matrix , then they can recover and from and compute .

We can go further: if the client chooses a vector and sets by the formula for and , then

 ϕ = ⟨t,x0−x1⟩⋅(2π/q)+⟨u,[x0]⊕[x1]⟩⋅π = −⟨t,s⟩⋅(2π/q)+⟨u,[x0]⊕[x1]⟩⋅π.

The server thus computes a qubit that encodes a prescribed linear function of , modulo a possible phase flip that is known to the client – see Section 4. At the same time, LWE-hardness guarantees that the vector remains unknown to the server. (This can be seen an enhancement of the approach described in subsection 1.4 in [CCKW21]. We have used a different measurement strategy in order to gain more control over the prepared qubit.)

We summarize our two applications of this idea, starting with blind remote state preparation (blind RSP).

#### Blind RSP.

We will denote the state that the client wants the server to prepare (modulo a phase flip) as for some of the client’s choice. The way we will ensure blindness with respect to is by encrypting it using Regev’s encryption scheme, described in Section 3.4, and having the server use the ciphertext to prepare the state. To encrypt as such the client requires, in addition to an LWE instance, a uniformly sampled random vector . The client then computes and sends and to the server.

The server uses to create a claw state, which also yields the image of the claw, and then measures the claw state using the vector as described above. Then the server rotates the final qubit around the -axis of the Bloch sphere by . From the discussion above we see that the resulting state will be where

 β\coloneqq −⟨a,s⟩⋅(2π/q)+⟨u,[x0]⊕[x1]⟩⋅π+2πw/q = −2πf⊤As/q+2π(f⊤(As+e)+α)/q+⟨u,[x0]⊕[x1]⟩⋅π ≈ 2πα/q+b⋅π,

by denoting and letting be small (a more explicit calculation is provided in Section 6.1). The final state held by the server is , as desired. Finally, the server sends the measurements and to the client who can use them along with the trapdoor of to learn . Note that while the client has control over , they do not have control over the bit as it is a function of the server’s measurements.

The blindness property of the protocol is derived from the security of Regev’s encryption scheme, which is based on the hardness of LWE. The information that the server receives during the protocol is and . The first pair is the public key in Regev’s encryption scheme and the second pair is the ciphertext encrypting the message . Hence, if an adversary can guess in our RSP protocol then they can break Regev’s encryption scheme.

#### Proof of Quantumness.

Our proof of quantumness is based on the CHSH game [CHSH69], which is a game played with a referee and two players (Charlie and David) who cannot communicate with each other. The referee sends bits and chosen uniformly at random to Charlie and David respectively. Charlie and David are required to return bits and to the referee, who decides that they win if and only if .

Recent work [KLVY22] has proposed a version of the nonlocal CHSH game that a single server (Bob) can play with a classical client (Alice) to prove the quantumness of the server. However, the protocol in [KLVY22] requires the server to evaluate a controlled-Hadamard gate under a homomorphic encryption scheme, which requires preparing and measuring three claw-states while maintaining qubits in quantum memory. By combining the ideas in [KLVY22] with our RSP protocol, we obtain the following proof of quantumness protocol that only requires preparing and measuring one claw-state.

Our central protocol (Fig. 4 and Fig. 5) is roughly the following. Alice begins by choosing bits and uniformly at random. Then, Alice uses our RSP protocol to delegate to Bob the preparation of a state of the form (if ) or of the form (if ). From the RSP process, Bob obtains an encryption of the bit which he sends back to Alice for her to decrypt. Alice then sends to Bob, and he measures his state in the eigenbasis of and returns the outcome bit to Alice. Alice considers Bob to have won the game if and only if .

It can be seen that the distribution over in the procedure described above is approximately the same as the distribution in the nonlocal CHSH game when the two players implement the optimal quantum strategy. Therefore, a quantum Bob can win with probability approximately (Theorem 5.1). On the other hand, by adapting reasoning from [KLVY22], we show that an efficient classical Bob cannot do much better than the optimal classical winning probability for the CHSH game, which is (Theorem 5.2). Therefore, with appropriate parameter choices (see Section 3.3), a constant gap is achieved between the best possible classical and quantum winning probabilities.

## 3 Preliminaries

Let denote, respectively, the field of complex numbers, the ring of integers, and the set of nonnegative integers. For any , let denote the set with multiplication and addition defined modulo . If , then denotes the quantity

 |x|\coloneqqmin{x,c−x}. (5)

If is a vector with entries from any of , or , we write for the infinity norm of , defined by

 \normv∞\coloneqqmaxi|vi|. (6)

We denote by the set of all finite-length bit strings. For and , let denote repeated times. The symbol denotes string concatenation. We write MAJ for the function defined by if and only if the Hamming weight of is at least half its length. If are vectors of the same length, we may write either or for the dot product of and .

For a finite set , we write to mean is sampled uniformly at random from . If is a distribution on , we write to mean is sampled from according to . The expression denotes the distribution of -length sequences of independent samples of .

The expression always denotes the logarithm in base . If (viewed as ), then denotes the binary representation of in little-endian order (i.e., with the least significant bits first). If , then denotes the concatenation of .

For any finite set , the expression denotes the Hilbert space of functions from to . Let denote the set of linear maps from to itself. A quantum state on is an element of that is trace- and positive semidefinite (i.e., a density operator on ). A pure quantum state on is a rank- quantum state. Any pure quantum state on can be written as , where is a unit vector in , and we may also refer to as a pure quantum state. The trace distance between two quantum states and on is defined by , where denotes the trace norm. When and are pure, we have . If is another finite set, then a quantum operation from to is a completely positive trace-preserving map from to .

### 3.1 Models of Computation

We define terms related to quantum algorithms. A standard way to define a quantum circuit is as a composition of gates drawn from some specified finite set of primitive gates. Since we are concerned here with protocols that involve general single-qubit rotations, we will use a larger set of primitive gates. Let , , and denote the Pauli operators

 X=[0110],Y=[0−ii0],andZ=[100−1]. (7)

A quantum circuit is then a composition of the following primitive operations:

1. Any single qubit gate of the form , where , , and .

2. The Toffoli gate , given by .

3. The gate which creates a single qubit in state .

4. The gate which measures a single qubit in the computational basis.

If a quantum circuit has input qubits, and output qubits, and intermediate primitive operations, then the size of is . Such a circuit determines a function from

to the set of probability distributions on

.

Throughout this work, denotes the security parameter. A function of is negligible if it is for all . For any , a register of size is a finite set with a fixed injection . A variable-sized register (or simply a register) is an indexed family of registers of sizes , where is a function. For a set , denotes the set of probability distributions on .

Let be a family of functions between registers. We say that is computable by a uniform deterministic polynomial-time algorithm if there exists a

-time classical Turing machine that on input

, where , outputs the description of a classical circuit (with a fixed gate set) such that for all . Let be a family of functions. We say that is computable by a uniform probabilistic polynomial-time algorithm if there exists a -time classical Turing machine that on input , where , outputs the description of a classical circuit with uniformly random bits as auxiliary input such that for all , , and . We say that is computable by a uniform quantum polynomial-time algorithm if there exists a -time classical Turing machine that on input , where , outputs the description of a quantum circuit such that for all , , and . We also define computability by non-uniform -polynomial time algorithms in exactly the same way as their uniform counterparts, except we replace the requirement that the circuits be computable by a -time Turing machine by the requirement that is -sized. Note that we will often drop the index for simplicity — i.e., the expression will be used to refer to the family of maps .

### 3.2 Learning With Errors

For any real number , let denote the discrete Gaussian probability distribution on , defined as follows: if

is a random variable distributed according to

, and , then

 P(X=x)=e−x2/(2s2)∑y∈Ze−y2/(2s2). (8)

If , let denote the distribution obtained from by conditioning on the event

(that is, the Gaussian distribution with standard deviation

truncated at ). To be explicit, if is a random variable distributed according to , and , then

 P(X=x)=⎧⎪ ⎪⎨⎪ ⎪⎩e−x2/(2s2)∑y∈Z:\absy≤te−y2/(2s2)if \absx≤t,0if \absx>t. (9)

We will need the following lemma which gives some properties of .

###### Lemma 1 (Corollary 9 of [Cks20]).

Let be distributed according to . Then and . If is a nonnegative real number, then .

In the following, denotes a probability distribution on (which in this paper will always be a Gaussian or truncated Gaussian distribution).

The Problem: Let denote the probability distribution of , where , , and . Let denote the probability distribution of , where and . Given oracle access to , where , determine the value of .

### 3.3 Parameters and assumptions

Throughout this paper, we will assume are real-valued functions of the security parameter which satisfy all of the conditions in Fig. 1.

The rationale for the conditions in Fig. 1 is the following.

• The quantity , which specifies the number of rows in the LWE matrix that we will use, needs to be sufficiently large so that the single-bit encryption algorithm in Section 3.4 will be secure and that can accommodate a trapdoor (Section 3.5). The formula accomplishes both purposes.

• The truncation factor is chosen sufficiently small to allow LWE samples involving the matrix to be inverted, using a trapdoor, with probability .

We discuss more specific parameter choices in Section 5.3.

If we say that we assume that the problem is hard for particular parameter functions , we mean that we assume that any non-uniform quantum polynomial-time algorithm will solve the problem with probability at most . Note that if , then the distribution of is negligibly different from by Lemma 1, and so the hardness of is equivalent to the hardness of .

As shown in [Reg09]444Strictly speaking, the next statement does not immediately follow from [Reg09] because the error distributions and defined there do not exactly correspond to discrete Gaussians. However, it does follow after we first apply [Pei10, Theorem 1] to reduce to , where ., we can assume that the problem is hard for with and if we assume that no non-uniform quantum polynomial-time algorithm can solve the Shortest Independent Vectors Problem (SIVP) in worst-case lattices of dimension to within an approximation factor of .

### 3.4 A Simple Encryption Algorithm

In Section 5 we will make use of a single-bit encryption algorithm which is very similar to the original lattice-based encryption algorithm proposed by Regev in [Reg09]. This algorithm is shown in Fig. 2, and consists of three algorithms: Gen (key generation), Encrypt, and Decrypt. Essentially, the public key is an LWE matrix , where is a secret vector and is a Gaussian noise vector. Given a random bit , a ciphertext is computed by summing up a random subset of the rows of and then adding a quantity (dependent on ) to the last coordinate of the sum. There is one important and unique feature of Protocol : rather than adding to the final coordinate of the ciphertext (which would optimize decoding) we add instead, which will aid us in Section 5.

The following result asserts the IND-CPA security (that is, security against chosen-plaintext attacks) for Protocol . The proof is standard and is given in Appendix 0.B.

###### Proposition 1.

If the problem is hard, then for any non-uniform quantum polynomial-time algorithm , we have

 Pr[b′=b∣pk←GenK(),b←{0,1},ct←EncryptK(pk,b),b′←B(pk,ct)]≤12+negl(λ).

### 3.5 Trapdoors for LWE matrices

Both of the applications in this paper will rely on trapdoors for LWE samples. The following is a slightly modified version of Theorem 2 from [MP12]. (The main difference is that we bound the noise vector using the infinity-norm rather than the Euclidean norm.)

###### Proposition 2.

There is a probabilistic polynomial-time algorithm and a deterministic polynomial-time algorithm satisfying the following.

1. accepts no input and returns a pair , where is an matrix with entries in . The matrix is within statistical distance from a uniformly random matrix.

2. Given a pair obtained from and vectors and satisfying , the algorithm returns the value .

###### Proof.

See Appendix 0.C. ∎

We make note of the following, which is an easy consequence of Proposition 2.

###### Proposition 3.

If is a sample obtained from , then for any nonzero vector , we must have .

###### Proof.

Suppose that were such that . Then, we can find vectors of infinity norm less than or equal to such that . We have

 0=Invert(A,0+e,t)=Invert(A,Av−e′,t)=v, (10)

For the results in Section 5, it will be important to have a version of the encryption algorithm from Fig. 2 that has a trapdoor for the encoding matrix . See Fig. 3. (Only the algorithm is different. The trapdoor is not used for encryption or decryption.) The following proposition follows directly from Propositions 2 and 1.

###### Proposition 4.

If the problem is hard, then for any non-uniform quantum polynomial-time algorithm , we have

 Pr[b′=b∣pk←GenJ(),b←{0,1},ct←EncryptJ(pk,b),b′←B(pk,ct)]≤12+negl(λ).

## 4 Rotated Measurements on Generalized GHZ States

The purpose of this section is to prove Proposition 5, which shows how rotated measurements behave when applied to states that generalize GHZ states [GHZ89], defined below.

###### Definition 1 (Generalized GHZ state).

Let be a positive integer. A generalized GHZ state on qubits is a state of the form

 1√2(|x⟩|1⟩+|y⟩|0⟩), (11)

where .

Given any sequence of real numbers , we make use of an associated sequence of real numbers defined by

 r1=θ1r2=2θ1r3=4θ1…rQ=2Q−1θ1rQ+1=θ2rQ+2=2θ2rQ+3=4θ2…r2Q=2Q−1θ2⋮⋮⋮⋱⋮rnQ−Q+1=θnrnQ−Q+2=2θnrnQ−Q+3=4θn…rnQ=2Q−1θn. (12)
###### Proposition 5.

Let , let denote the -qubit generalized GHZ state

 |ψ⟩\coloneqq1√2(|[x]⟩⊗|1⟩+|[y]⟩⊗|0⟩), (13)

and let . Let be the sequence defined in Eq. 12. Suppose that for each , the qubit of is measured in the eigenbasis of

 (cosri)X+(sinri)Y (14)

and that the outcome is . Then the state of the remaining qubit is

 1√2(|0⟩+eiθ|1⟩), (15)

where

 θ\coloneqqn∑i=1(yi−xi)θi+πn∑i=1Q∑j=1([yi]j−[xi]j)u(i−1)Q+j. (16)
###### Proof.

The eigenvectors of the matrix in

Eq. 14 are given by

 |+ri⟩\coloneqq1√2(|0⟩+eiri|1⟩)and|−ri⟩\coloneqq1√2(|0⟩−eiri|1⟩), (17)

where is the eigenvector and is the eigenvector. For a string and , let denote the suffix of starting at index (when , denotes the empty string). Define by

 ϕt\coloneqq{∑t−1j=1([y]j−[x]j)(rj+πuj)if t>1,0if t=1. (18)

We want to show that measuring the first qubit of the qubit state

 |ψt⟩\coloneqq1√2(eiϕt|[x]≥t⟩|1⟩+|[y]≥t⟩|0⟩)

in the eigenbasis of yields the state . The description of the post-measurement state is given by

 1√2⟨±rt|1(eiϕt|[x]≥t⟩|1⟩+|[y]≥t⟩|0⟩) = (19) = 1√2(e−i[y]t(rt+πut)|[y]≥t+1⟩|0⟩+eiϕte−i[x]t(rt+πut)|[x]≥t+1⟩|1⟩) (20) = 1√2(|[y]≥t+1⟩|0⟩+ei(ϕt+([y]t−[x]t)(rt+πut))|[x]≥t+1⟩|1⟩) (21) = 1√2(|[y]≥t+1⟩|0⟩+eiϕt+1|[x]≥t+1⟩|1⟩). (22)

Since , then after performing all of the measurements described in the proposition statement we are left with the state . It remains to show that :

 ϕnQ+1= nQ∑j=1([y]j−[x]j)(rj+πuj) (23) = n∑i=1Q∑j=1([yi]j−[xi]j)(r(i−1)Q+j+πu(i−1)Q+j) (24) = (n∑i=1Q∑j=1([yi]j−[xi]j)2j−1θi)+(πn∑i=1Q∑j=1([yi]j−[xi]j)u(i−1)Q+j) (25) = (n∑i=1(yi−xi)θi)+(πn∑i=1Q∑j=1([yi]j−[xi]j)u(i−1)Q+j)=θ. (26)

This completes the proof. ∎

## 5 An Optimized Proof of Quantumness

This section constructs a proof of quantumness based on the assumed hardness of the LWE problem. Our central protocol in this section, Protocol in Fig. 4, follows the form of the CHSH protocol from [KLVY22], although [KLVY22] uses a quantum homomomorphic encryption scheme and we instead use the encryption scheme from Fig. 3. First the single prover is given an encrypted version of the first input bit , and returns an encrypted version of the first output bit (steps 1–2). Then, the prover is given the second input bit as plaintext and returns (steps 3–4). Finally, the verifier decrypts (step 5) and scores the result (step 6).