# Sumcheck-based delegation of quantum computing to rational server

Delegated quantum computing enables a client with a weak computational power to delegate quantum computing to a remote quantum server in such a way that the integrity of the server is efficiently verified by the client. Recently, a new model of delegated quantum computing has been proposed, namely, rational delegated quantum computing. In this model, after the client interacts with the server, the client pays a reward to the server. The rational server sends messages that maximize the expected value of the reward. It is known that the classical client can delegate universal quantum computing to the rational quantum server in one round. In this paper, we propose novel one-round rational delegated quantum computing protocols by generalizing the classical rational sumcheck protocol. The construction of the previous rational protocols depends on gate sets, while our sumcheck technique can be easily realized with any local gate set. Furthermore, as with the previous protocols, our reward function satisfies natural requirements. We also discuss the reward gap. Simply speaking, the reward gap is a minimum loss on the expected value of the server's reward incurred by the server's behavior that makes the client accept an incorrect answer. Although our sumcheck-based protocols have only exponentially small reward gaps as with the previous protocols, we show that a constant reward gap can be achieved if two non-communicating but entangled rational servers are allowed. We also discuss that a single rational server is sufficient under the (widely-believed) assumption that the learning-with-errors problem is hard for polynomial-time quantum computing. Apart from these results, we show, under a certain condition, the equivalence between rational and ordinary delegated quantum computing protocols. Based on this equivalence, we give a reward-gap amplification method.

## Authors

• 6 publications
• 14 publications
• 7 publications
04/24/2018

### Rational proofs for quantum computing

It is an open problem whether a classical client (verifier) can delegate...
12/10/2018

### Impossibility of blind quantum sampling for classical client

Blind quantum computing enables a client, who can only generate or measu...
11/27/2017

### Relativistic verifiable delegation of quantum computation

The importance of being able to verify quantum computation delegated to ...
02/28/2022

### Classical Verification of Quantum Computations in Linear Time

In the quantum computation verification problem, a quantum server wants ...
04/27/2020

### Succinct Blind Quantum Computation Using a Random Oracle

In the universal blind quantum computation problem, a client wants to ma...
07/03/2018

### Efficient Rational Proofs with Strong Utility-Gap Guarantees

As modern computing moves towards smaller devices and powerful cloud pla...
08/01/2017

### Rational Proofs with Non-Cooperative Provers

Interactive-proof-based approaches are widely used in verifiable computa...
##### This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

## I Introduction

### i.1 Background

Quantum computing is believed to outperform classical computing in several tasks such as integer factorization S97 , approximations of Jones Polynomials FKW02 ; FLW02 ; AAEL07 , and simulations of quantum systems L96 ; GAN14

. Due to the superiority of quantum computing, huge experimental efforts have been made to realize larger quantum devices. Nowadays, devices capable of controlling 12–53 qubits have already been realized

LLLKPFXLLBBZL17 ; FMMHHJPHRBL18 ; WLHCSLCLFJZLLLP18 ; WLYZ18 ; google . As the size of realizable quantum devices becomes large, the importance of efficiently verifying whether a constructed quantum device correctly works increases. The verification of quantum computing also plays an important role in delegated quantum computing. Delegated quantum computing enables a client with a weak computational power to delegate quantum computing to a remote (potentially malicious) server in such a way that the client efficiently verifies whether the server faithfully computes the delegated problem (i.e., the integrity of the server).

One of the most important open problems in the field of quantum computing is whether a classical client can efficiently delegate universal quantum computing to a quantum server while efficiently verifying the integrity of the server. In delegated quantum computing, the server may be malicious and may make the client accept an incorrect answer. The client has to efficiently verify the integrity of the server using only classical computation and communication. Furthermore, the honest server’s computational power should be bounded by polynomial-time quantum computing, because delegated quantum computing with a server having an unbounded computational power is unrealistic. This limitation is a large difference between delegated quantum computing and interactive proof systems for BQP. In interactive proof systems, the computational power of the prover (i.e., the server) is unbounded. Indeed, the known construction of an interactive proof system for BQP requires the honest prover to have the PP computational power AG17 , and it is not known whether the honest prover’s power can be reduced to BQP. Therefore, the open problem cannot be straightforwardly solved from the well-known containment, BQPPSPACEIP S90 .

So far, several partial solutions to the open problem have been obtained. For example, if small quantum memories, single-qubit state preparations, or single-qubit measurements are allowed for the classical client, the client can efficiently delegate verifiable universal quantum computing to the quantum server FK17 ; ABEM17 ; HM15 ; MTH17 ; FHM18 ; TM18 ; TMMMF19 . As another example, the completely classical client can efficiently delegate it to multiple quantum servers who share entangled states but cannot communicate with each other FHM18 ; RUV13 ; M16 ; GKW15 ; HPF15 ; CGJV17 ; NV17 ; NV18 ; G19 . It is also known that some problems in BQP can be efficiently verified by interactions between the classical client and the quantum server M12 ; DOF18 ; MTN18 ; FMNT18 . Examples of such verifiable problems are integer factorization, the recursive Fourier sampling M12

, promise problems related to output probability distributions of quantum circuits in the second level of the Fourier hierarchy

DOF18 ; MTN18 , and the calculation of the order of solvable groups FMNT18 . Furthermore, it has recently been shown that if the learning-with-errors (LWE) problem is hard for polynomial-time quantum computing, the classical client can delegate verifiable universal quantum computing to the single quantum server whose computational power is bounded by BQP111In this paper, for simplicity, we sometimes use complexity classes (e.g., BQP and BPP) to represent computational powers. For example, we say that a server (a client) is a BQP server (a BPP client) when he/she is a polynomial-time quantum server (classical client), i.e., he/she can perform polynomial-time quantum (probabilistic classical) computing. even in the malicious case M18 ; GV19 ; CCKW19 .

In this paper, we take a different approach to construct protocols for classical-client delegated quantum computing. We consider delegating quantum computing to a rational server. This model has been first proposed by Morimae and Nishimura MN18 based on the concept of (classical) rational interactive proof systems AM12 . We note again that the computational power of the server is bounded by BQP in rational delegated quantum computing, while it is unbounded in the rational interactive proof systems. In rational delegated quantum computing, after the client interacts with the server, the client pays a reward to the server depending on the server’s messages and the client’s random bits. As stated above, in ordinary delegated quantum computing FK17 ; ABEM17 ; HM15 ; MTH17 ; FHM18 ; TM18 ; TMMMF19 ; RUV13 ; M16 ; GKW15 ; HPF15 ; CGJV17 ; NV17 ; NV18 ; G19 ; M12 ; DOF18 ; MTN18 ; FMNT18 ; M18 ; GV19 ; CCKW19 , the server may be malicious. On the other hand, in rational delegated quantum computing, the server is always rational, i.e., tries to maximize the expected value of the reward (see Fig. 1). In the real world, there are several situations where service providers want to maximize their profits. Since rational delegated quantum computing reflects such situations, this model can be considered as another possible situation for delegated quantum computing. In Ref. MN18 , it has been shown that the classical client can delegate universal quantum computing to the rational quantum server in one round in such a way that the server can maximize the expected value of the reward when the client obtains the correct answer.

### i.2 Our contribution

We propose novel one-round delegated quantum computing protocols with a classical client and a rational quantum server. More precisely, we construct protocols where the classical client can efficiently delegate to the rational quantum server the estimation of output probabilities of

-qubit quantum circuits. Specifically, we consider two classes of quantum circuits: (i) any -qubit polynomial-size quantum circuit with -qubit output measurements, where , and (ii) approximately -sparse -qubit polynomial-size quantum circuits with -qubit output measurements, where is a polynomial in . Here, -sparse means that at most output probabilities are non-zero (for the formal definition, see Sec. II.3). Since the goal of our rational protocols is to delegate the estimation of the output probabilities, we call, for clarity, our protocols delegated quantum estimating protocols. Based on one of our delegated quantum estimating protocols, we can also construct a one-round rational delegated quantum computing protocol for any decision problem in BQP.

Our protocols can be applied to a broader class of universal gate sets than the previous protocols MN18 . Our protocols work for any universal gate set each of whose elementary gates acts on at most qubits, while the previous protocols are tailored for Clifford gates plus , or classical gates plus the Hadamard gate. Note that we only consider gate sets each of whose elementary gates can be specified with a polynomial number of bits. As another difference from Ref. MN18 , we show that our protocol can be applied to approximately sparse quantum circuits.

There are four conditions that should be satisfied by practical rational delegated quantum computing protocols:

• The reward is upper-bounded by a constant.

• The reward is always non-negative if the BQP server takes an optimal strategy that maximizes the expected value of the reward222More precisely, the server takes an optimal strategy that can be realized in quantum polynomial time because we assume that the computational power of the server is bounded by BQP. Through this paper, the server’s optimization is limited to one that can be performed in quantum polynomial time unless explicitly noted..

• The maximum of the expected value of the reward is lower-bounded by a constant.

• The reward gap GHRV14 is larger than a constant (or at least larger than the inverse of a polynomial). Here, simply speaking, the reward gap is a minimum loss on the expected value of the server’s reward incurred by the server’s behavior that makes the client accept an incorrect answer. Note that such server’s malicious behavior may require the computational power beyond BQP, while we limit the optimal strategy maximizing the expected value to one that can be realized in quantum polynomial time.

The first condition is natural because the client’s budget is limited. The second condition is also natural because a negative reward means that the server pays the reward to the client. Indeed, in the original paper of the rational interactive proof systems AM12 , reward is required to be non-negative and be upper-bounded by a constant. Furthermore, in Ref. AM13 , the non-negativity of the reward (namely, ex-post individual rationality) is listed as one of crucial properties of reward functions. The third condition guarantees that the server can obtain at least a constant reward on the average if the server is rational. The fourth condition means that the reward gap should be sufficiently large to incentivize the server to take an optimal strategy that maximizes the expected value of the reward.

The protocols of Ref. MN18 and our protocols satisfy only the first three conditions 1–3. It is an open problem whether the above four conditions are satisfied simultaneously. In Ref. MN18 , it is shown that if the reward gap is larger than with a polynomial , a super-polynomial increase of the reward (i.e., the violation of the first condition) is unavoidable in one-round protocols with a single server unless BQP. Since this inclusion is considered unlikely given the oracle separation between BQP and PH RT19 , this statement implies that it may be impossible to satisfy the above four conditions simultaneously in one-round protocols with a single server. Indeed, all existing rational delegated quantum computing protocols including ours are one round and have only exponentially small gaps under the first three conditions 1–3.

Another result shown in this paper is that a constant reward gap can be achieved under certain additional conditions: we show that a constant reward gap can be achieved if two non-communicating but entangled servers are allowed. More precisely, for BQP problems, we construct a multi-rational-server delegated quantum computing protocol that satisfies all of above four conditions 1–4 simultaneously. We also discuss that the single server is sufficient under the (widely-believed) assumption that the LWE problem is hard for polynomial-time quantum computation. It is still open whether a constant reward gap can be achieved unconditionally.

Apart from these results, we also give, under the certain condition introduced in Ref. CMS18 , a relation between rational and ordinary delegated quantum computing protocols. More precisely, we show that under the certain condition, these two types of delegated quantum computing protocols can be converted each other. This equivalence may give a new approach to tackle the open problem of whether a classical client can efficiently delegate universal quantum computing to a (non-rational) quantum server while efficiently verifying the integrity of the server. Based on this equivalence, we give an amplification method for the reward gap. Under the certain condition, we can amplify the reward gap from the inverse of an exponential to a constant.

### i.3 Overview of techniques

To construct our delegated quantum estimating protocols, we utilize the rational sumcheck protocol GHRV16 . The rational sumcheck protocol has been proposed to show that the calculation of with integers can be verified by an -time classical verifier in a one-round rational interactive proof system. To apply the rational sumcheck protocol to our protocols, we generalize it so that it works for complex numbers. Then, by combining the generalized rational sumcheck protocol with the Feynman path integral, we construct one-round rational delegated quantum estimating protocols for two types of quantum circuits including one that can solve any BQP problem.

Our sumcheck-based protocols work for a broader class of universal gate sets than that used in the previous protocols MN18 . This difference is due to the decomposition method of output probabilities of the delegated quantum circuit. In the previous protocols, the output probability is decomposed using tree structures that are tailored for two specific gate sets, Clifford gates plus gate or classical gates plus the Hadamard gate. On the other hand, in our protocol, the output probability is decomposed using the Feynman path integral.

Furthermore, one of our sumcheck-based protocols can be used to delegate the estimation of output probabilities of approximately sparse quantum circuits. The intuitive reason why we can do so is that the maximum of the expected value of the reward monotonically increases as an output probability of the delegated quantum circuit increases. This implies that the rational server has to send high output probabilities to maximize the expected value of the reward as much as possible. Since output probabilities of approximately sparse quantum circuits can be approximated by the set of such high output probabilities as shown in Ref. SN13 , our rational protocol works.

To construct other rational delegated quantum computing protocols with a constant reward gap, we utilize multiprover interactive proof systems with a constant number of provers and a constant completeness-soundness gap FHM18 ; RUV13 ; GKW15 ; CGJV17 ; NV17 ; NV18 ; G19 . By following a construction used in Ref. AM12 , we incorporate the multiprover interactive proof systems into a multi-rational-server delegated quantum computing protocol. As a result of this construction, the completeness-soundness gap is converted to the reward gap without changing its value333More precisely, when the server’s computational power is bounded by BQP, the obtained reward gap is decreased by the inverse of an exponential from the original completeness-soundness gap. In order to achieve the conversion without changing the value, an unbounded computational power is required.. The same argument can also be applied to Mahadev’s single-prover interactive argument system M18 , which relies on the hardness assumption of LWE problems.

Finally, we show, under the certain condition introduced in Ref. CMS18 , that rational and ordinary delegated quantum computing protocols can be converted each other. To convert ordinary delegated quantum computing protocols to rational ones, we show that the construction in the previous paragraph can be used even under the condition. As a reverse conversion, we utilize the construction in Ref. CMS18 . By combining these two constructions, we convert the two types of delegated quantum computing protocols each other. By using our conversion between rational and ordinary delegated quantum computing protocols, we show that the amplification of the reward gap can be replaced with that of the soundness-completeness gap under the condition. This means that the traditional amplification method for the soundness-completeness gap can be used to amplify the reward gap to a constant. By virtue of the condition, we also show that this reward-gap amplification method works even when the original reward gap is exponentially small444Note that this statement does not mean that the traditional amplification method for the soundness-completeness gap works for an exponentially small gap..

## Ii Preliminaries

In this section, we give some preliminaries. In Sec. II.1, we give a definition of rational delegated quantum computing. In Sec. II.2, we give a definition of the reward gap. In Sec. II.3, we give a definition of approximately sparse quantum circuits. In Sec. II.4, we introduce a BQP-complete problem that is used in this paper.

### ii.1 Rational delegated quantum computing

In this subsection, we give the definition of rational delegated quantum computing. This definition (Definition 3) will be used in Secs. II.2 and V. For Sec. III, it could be possible to skip this subsection. Following the original definition of rational interactive proof systems AM12 , we first define the transcript , the server’s view , and the client’s view as follows:

###### Definition 1

We assume that

is odd. Given an instance

and a round , we define the th transcript , the th server’s view , and the th client’s view as follows :

• .

• When is odd, , where is the th server’s message. On the other hand, when is even, , where is the th client’s message.

• For odd , , where is a quantum circuit used to compute . Note that and are not defined for even because the even-numbered round is a communication from the client to the server.

• For even , , where is a random bit string used to compute . Note that is not defined for odd because the odd-numbered round is a communication from the server to the client.

For all , the messages and are polynomial lengths. Particularly, is generated from in classical polynomial time. The quantum circuit is decided from .

Based on Definition 1, we define the following -round interaction between a BPP client and a server:

###### Definition 2

Let be odd. This means that the protocol begins with the server’s step. When is even, the following definition can be adopted by adding a communication from the server to the client at the beginning of the protocol. Let us consider the following -round interaction:

1. A BPP client interacts with a server times. In the th round for odd , the server sends to the client. In the th round for even , the client sends to the server.

2. The client efficiently calculates a predicate on the instance and the th transcript . If the predicate evaluates to , the client answers YES. On the other hand, if , the client answers NO.

3. The client efficiently calculates the reward and pays it to the server, where is a positive constant. Note that the value of is not necessary to be known to the client and the server. The reward function depends on the instance , the th transcript , and the client’s random bits .

Rational delegated quantum computing for decision problems is defined as follows:

###### Definition 3

The -round interaction defined in Definition 2 is called a -round rational delegated quantum computing protocol for decision problems if and only if the following conditions hold: let denote the expectation value of a function . Let be a distribution that the th transcript follows. For a language in BQP, if , there exists a classical polynomial-time predicate and a distribution that can be generated in quantum polynomial time, such that

 (1)

and

 ETk∼DYES,rk+1[R(x,Tk,rk+1)]≥cYES (2)

with some positive constant .

On the other hand, if , there exists a classical polynomial-time predicate and a distribution that can be generated in quantum polynomial time, such that

 Pr[o=0 | Dk=DNO]≥23 (3)

and

 ETk∼DNO,rk+1[R(x,Tk,rk+1)]≥cNO (4)

with some positive constant .

To generate distributions and , the server decides the th message following a distribution that can be generated in quantum polynomial time and satisfies

 Di=argmaxDiEDk,Tk ∼Dk,rk+1[R(x,Tk,rk+1)|Di,Si], (5)

where the expectation is taken over all possible distributions that are compatible with the current server’s view . Here, we consider only the maximizations that can be performed in quantum polynomial time.

Since the server’s computational power is bounded by BQP, it is in general hard for the server to select an optimal message that satisfies Eqs. (1) and (2). Therefore, the server’s message should be probabilistically generated. That is why we consider the distribution . The same argument holds for the NO case.

The value in Eqs. (1) and (3) can be amplified to , where is any polynomial in , using the standard amplification method (i.e., repeating steps 1 and 2, and then taking the majority vote among outputs in step 2). We here mention that the above rational delegated quantum computing protocol satisfies the first three conditions 1–3 in Sec. I. This is straightforward from and Eqs. (2) and (4).

All our rational protocols except for those in Secs. III.1 and III.3 are in accordance with Definition 3. Our rational protocols in Secs. III.1 and III.3 are rational delegated quantum computing protocols for function problems, which can be defined in a similar way.

For convenience, we define a strategy as a set of the server’s messages , which may be adaptively decided according to the previous client’s messages. When we focus on the dependence on the server’s messages, we write by for short.

### ii.2 Reward gap

Guo et al. have introduced the reward gap GHRV14 , which is also called the utility gap CMS16 ; CMS18 . For decision problems, the reward gap is defined as follows:

###### Definition 4

Let a strategy be defined as a set of the server’s messages. Let be a distribution where the server’s strategy follows. Let be the distribution , where each message follows the distribution in Eq. (5). We say that a rational delegated quantum computing protocol has a -reward gap if for any input ,

 Es∼Dmax[R(x,s)]−maxs∈SincorrectE[R(x,s)]≥1γ(|x|),

where is any function of , and is the set of the server’s strategies that make the client output an incorrect answer. Here, the expectation is also taken over the client’s random bits, and the server’s strategy may be adaptively decided according to the client’s messages. Note that may include strategies that cannot be realized in quantum polynomial time.

From Definition 3, if the server’s strategy follows the distribution , the client outputs a correct answer with high probability. is the maximum expected value of the reward paid to the rational BQP server. On the other hand, is the maximum expected value of the reward paid to the malicious computationally-unbounded server if the server wants to maximize the expected value as much as possible while deceiving the client. This is because the client outputs an incorrect answer when the server takes the strategy . As a result, the reward gap represents how much benefit the rational server can obtain compared with the malicious one.

For function problems, we can define the reward gap in a similar way.

### ii.3 Approximately sparse quantum circuits

An -qubit quantum circuit consists of elementary gates in a universal gate set. In this paper, the quantum circuit is denoted as , where is an elementary gate in the universal gate set for all , and is a polynomial in . For instance, when we consider as a universal gate set, is the controlled-NOT gate , the Hadamard gate , or the T gate . Our argument can be applied to any universal gate set each of whose elementary gates acts on at most qubits. Note that each elementary gate is assumed to be specified with a polynomial number of bits.

By using the above notation, -approximately -sparse polynomial-size quantum circuits are defined as follows:

###### Definition 5 (ϵ-approximately t-sparse polynomial-size quantum circuit Sn13 )

Consider an -qubit quantum circuit with input , where is a polynomial in , and each of is chosen from a certain universal gate set each of whose elementary gates can be specified with a polynomial number of bits. Let be the probability of the quantum circuit outputting . The quantum circuit is called -approximately -sparse if there exists a

-sparse vector

such that , where a vector is called -sparse if at most of its coordinates are non-zero.

Note that in this paper, we assume that and for any polynomials and .

### ii.4 Bqp-complete problem

Among several BQP-complete problems KL01 ; FKW02 ; FLW02 ; AAEL07 ; JW06 ; AJKR10 ; MFI14 ; ABEM17 ; MTN18 , in this paper, we use the following promise problem:

###### Definition 6 (Q-Circuit Abem17 )

The input is a classical description of an -qubit quantum circuit , where is chosen from a certain universal gate set each of whose elementary gates can be specified with a polynomial number of bits, and is a polynomial in . If

 ⟨0n|U†(|1⟩⟨1|⊗I⊗n−1)U|0n⟩≥23, (6)

output YES. On the other hand, if

 ⟨0n|U†(|1⟩⟨1|⊗I⊗n−1)U|0n⟩≤13, (7)

output NO. It is promised that the input unitary always satisfies either Eq. (6) or (7).

## Iii Sumcheck-based rational delegated quantum computing

In this section, we construct two rational delegated quantum computing protocols for estimating output probabilities of -qubit quantum circuits, which we call the rational delegated quantum estimating protocols. In Sec. III.1, we consider any -qubit polynomial-size quantum circuit with -qubit output measurements. We also show that our protocol satisfies the first three conditions 1–3 mentioned in Sec. I. In Sec. III.2, we show that our protocol proposed in Sec. III.1 can be applied to classically delegate any decision problem in BQP. In Sec. III.3, we construct another protocol for approximately -sparse -qubit polynomial-size quantum circuits with -qubit output measurements, where is a polynomial in .

### iii.1 Estimating output probabilities of quantum circuits with a logarithmic number of output qubits

In this subsection, we consider an -qubit polynomial-size quantum circuit with output qubits. Let be the output probability distribution of the quantum circuit , where

 qz≡⟨0n|U†(|z⟩⟨z|⊗I⊗n−k)U|0n⟩

and is the two-dimensional identity operator. We show that if the quantum server is rational, the classical client can efficiently obtain the estimated values with high probability such that for any and any polynomial . Therefore, for example, the classical client can approximately sample with high probability in polynomial time from the output probability distribution of the quantum circuit . Before proposing our rational delegated quantum estimating protocol, we calculate using the Feynman path integral. Let , where is an elementary gate in a universal gate set for all , and is a polynomial in . The probability is calculated as follows:

 qz = ⟨0n|U†(|z⟩⟨z|⊗I⊗n−k)U|0n⟩ (8) = ⟨0n|(1∏j=Luj)†(|z⟩⟨z|⊗I⊗n−k)(1∏i=Lui)|0n⟩ = ⟨0n|u†1⎡⎢⎣2∏j=Luj⎛⎜⎝∑s(j−1)∈{0,1}n|s(j−1)⟩⟨s(j−1)|⎞⎟⎠⎤⎥⎦†⎡⎢⎣|z⟩⟨z|⊗⎛⎜⎝∑s(L)∈{0,1}n−k|s(L)⟩⟨s(L)|⎞⎟⎠⎤⎥⎦ ⎡⎢⎣2∏i=Lui⎛⎜⎝∑s(L+i−1)∈{0,1}n|s(L+i−1)⟩⟨s(L+i−1)|⎞⎟⎠⎤⎥⎦u1|0n⟩.

Here, we define

 (9)

where is a shorthand notation of the bit string . From Eqs. (8) and (9),

 qz=∑s∈{0,1}(2L−1)n−kg(z,s). (10)

As an important point, given and , the function can be calculated in classical polynomial time. This is because each elementary gate acts on at most qubits. Note that since there are exponentially many terms in Eq. (10), this fact does not contradict with the P-hardness of calculating output probabilities of quantum circuits FGHP99 . Furthermore, from Eq. (9), the absolute value is upper-bounded by . Therefore, , where is the real part of .

To construct our rational delegated quantum estimating protocol, we use the rational sumcheck protocol GHRV16 . The rational sumcheck protocol enables the client to efficiently delegate to the rational server the calculation (or approximation) of , where is an integer for any . To fit the rational sumcheck protocol to our case, we generalize it for the case of the complex number . As a result, we can set and to be a certain fixed value. Our protocol runs as follows:
[Protocol 1]

1. For all , the rational server and the client perform following steps:

1. The rational server sends to the client a real non-negative number , which is explained later. (Note that is represented by a logarithmic-length bit string, and therefore the message size from the server to the client is logarithmic.)

2. The client samples uniformly at random from .

3. The client flips the coin that lands heads with probability . If the coin lands heads, the client sets ; otherwise, .

4. The client calculates the reward

 R(yz,bz)≡12k[ 2yz+2(2L−1)n−(k+1)2(2L−1)n−kbz+2(1−yz+2(2L−1)n−(k+1)2(2L−1)n−k)(1−bz) −(yz+2(2L−1)n−(k+1)2(2L−1)n−k)2−(1−yz+2(2L−1)n−(k+1)2(2L−1)n−k)2+1],

which is the (slightly modified) Brier’s scoring rule B50 . Then the client pays the reward to the rational server.

2. The client calculates

 pz≡yz∑z∈{0,1}kyz (11)

for all .

Since the sampling in step (c) can be approximately performed in classical polynomial time as shown in Appendix A, what the client has to do is only efficient classical computing. Furthermore, since the repetitions in step 1 can be performed in parallel, this is a one-round protocol. Note that except for the communication required to pay the reward to the server, Protocol 1 only requires the one-way communication from the server to the client.

We show that satisfies for any fixed polynomial with high probability. This means that is an approximated value of for each with high probability. More precisely, we show the following theorem:

###### Theorem 1

Let and be any polynomials in . Let , and be the probability given in Eq. (11). Then, for any and , there exists Protocol 1 such that

 ∑z∈{0,1}k|pz−qz|≤1f(n)

with probability at least .

Proof. First, we derive the value of that maximizes the expected value of the reward over . In this proof, for simplicity, we assume that the sampling of in step (c) can be exactly performed using the method in Appendix A (for the approximation case, see Appendix B). Let . The expected reward when the server sends is

 Ebz[R(yz,bz)] (12) = 12k∑s∈{0,1}(2L−1)n−k12(2L−1)n−k{1+Re[g(z,s)]2[2Yz−Y2z−(1−Yz)2+1] +1−Re[g(z,s)]2[2(1−Yz)−Y2z−(1−Yz)2+1]} = 12k[qzYz2(2L−1)n−k−1+1−qz2(2L−1)n−k−Y2z−(1−Yz)2+1] = 12k⎡⎣−2(Yz−qz2(2L−1)n−k+1−12)2+2(qz2(2L−1)n−k+1+12)2−qz2(2L−1)n−k+1⎤⎦ = 12k⎡⎣−222[(2L−1)n−k](yz−qz2)2+32+2q2z22[(2L−1)n−k+1]⎤⎦,

where in the second equality, we have used . Therefore, the expected reward is uniquely maximized when

 yz=qz2.

The BQP server cannot derive the exact value of , which is P-hard in the worst case FGHP99 . However, the BQP server can efficiently estimate with polynomial accuracy. More precisely, for all , the BQP server can efficiently obtain such that

 Pr[|ηz−qz|≥ϵ′]≤2e−2Tϵ′2

by sampling from times (for the completeness of the paper, we give the concrete estimation method for in Appendix C)555It is unknown whether this estimation method is optimal among all methods that can be performed in quantum polynomial time. However, we can say that an optimal method works at least as well as this estimation method. This is sufficient for our purpose.. Therefore, for all with probability at least

 (1−2e−2Tϵ′2)2k≥1−2k+1e−2Tϵ′2≥1−ek+1−2Tϵ′2.

If we set and , the total repetition number becomes a polynomial in , and the lower-bound on the probability becomes

 1−ek+1−2Tϵ′2=1−e−h(n).

Therefore, the rational server sends to maximize the expected value of the reward as much as possible.

Finally, we show that when and for all , . From Eq. (11),

and

 pz≥qz−ϵ′1+2kϵ′=qz−qz2kϵ′+ϵ′1+2kϵ′.

Therefore,

 |pz−qz|≤qz2kϵ′+ϵ′1−2kϵ′≤(2k+1)ϵ′1−2kϵ′=12kf(n).

In conclusion, .
From Theorem 1, by approximately sampling from , the client can approximately sample from with high probability. Given the values of , the approximate sampling from can be classically performed in polynomial time as shown in Appendix A. Therefore, as an application of Protocol 1, the classical client can efficiently sample from probability distributions generated by quantum circuits.

In the above proof, we assume that can be exactly represented using a polynomial number of bits. If this is not the case, the classical client has to approximate . As a result, as shown in Appendix B, the expected value of the reward is maximized when , where the real number satisfies for a polynomial . Therefore, even in the approximation case, the classical client can efficiently obtain the estimated values of the output probabilities of quantum circuits.

Next, we show the following theorem:

###### Theorem 2

In Protocol 1, the total reward is between and for and any real values . Furthermore, the maximum of the expectation value of the total reward is lower-bounded by .

Proof. Let . When and , the total rewards are and , respectively. Since the client considers the half of the acceptance probability, we can assume that . Therefore, the server should set in the range from to . In this range with and , the total reward is between and .

Here, we again assume that can be exactly represented using a polynomial number of bits. Note that even if this is not the case, the similar argument holds as shown in Appendix B. From Eq. (12), the maximum expected value of the total reward is

 12k∑z∈{0,1}k(32+2q2z22[(2L−1)n−k+1])≥32+O(122(2L−1)n−k).

Note that even when is an estimated value of , the expected value of the total reward is lower-bounded by a constant because .
From this theorem, Protocol 1 satisfies the first three conditions 1–3 in Sec. I.

### iii.2 Decision problems in Bqp

In this subsection, by applying Protocol 1 in Sec. III.1, we propose a rational delegated quantum computing protocol for decision problems in BQP. To this end, we consider the delegation of the Q-CIRCUIT problem ABEM17 . Since the Q-CIRCUIT problem is a BQP-complete problem, any decision problem in BQP can be reduced to the Q-CIRCUIT problem.

We set in Protocol 1 in Sec. III.1. Then by performing Protocol 1 only for , the classical client can obtain such that with probability for any polynomials and . If , the client answers YES. On the other hand, if , the client answers NO. Otherwise, the client answers YES or NO uniformly at random. This procedure works because the gap between and is at least some constant for sufficiently large . The client mistakenly answers only when does not satisfy . Therefore, the probability of the client getting a wrong answer is at most . This means that the classical client can efficiently solve the Q-CIRCUIT problem with the help of the rational quantum server.

### iii.3 Estimating output probabilities of approximately sparse quantum circuits with a polynomial number of output qubits

In Sec. III.1, we have considered the output probability estimation for any -qubit polynomial-size quantum circuit with output qubits. In this subsection, we consider the same task for a restricted class of with output qubits. More formally, we consider -approximately -sparse polynomial-size quantum circuits defined in Sec. II.3.

To construct our rational delegated quantum estimating protocol, we show the following theorem666The list in Theorem 3 is different from that obtained in Theorem 10 in Ref. SN13 . The list in Ref. SN13 satisfies the property such that for all elements in the list, holds, while this property is not required for our list. Since it is difficult to efficiently check whether a given list satisfies this property without failing, their list is not appropriate for our purpose, while their construction of the list is useful to construct our list. Furthermore, due to the difference, the size of our list is fixed, while that in Ref. SN13 is not fixed. The fixed size is necessary to construct our rational delegated quantum estimating protocol.:

###### Theorem 3

Let be the inverse of any exponential in . For an -approximately -sparse polynomial-size -qubit quantum circuit, there exists a polynomial-time quantum algorithm that always outputs an list , where and each is an -bit string, such that every -bit string satisfying belongs to the list with probability at least . Here, is the floor function.

Proof. Using the method in Theorem 10 in Ref. SN13 , the quantum server can efficiently obtain the list with such that with probability at least , every -bit string satisfying belongs to the list . If , the server sets . On the other hand, if , the server selects -bit strings from in an arbitrary way, and incorporates them into to define the set .

We construct a rational protocol that forces the server to send estimated values of . Note that since and are polynomials of , the size is bounded by a polynomial. Therefore, the estimated values can be represented using at most polynomial number of bits. Furthermore, by using the list , the estimated values can be obtained in quantum polynomial time. This is straightforward from Appendix C. The rational protocol can be straightforwardly constructed from Protocol 1 in Sec. III.1. We replace step 1 with

1. The rational server selects -bit strings. Let be the set of the -bit strings. For all , the rational server and the client perform following steps:

1. This step is the same as that of Protocol 1 in Sec. III.1.

2. The client samples uniformly at random from .

3. This step is the same as that of Protocol 1 in Sec. III.1.

4. The client calculates the reward

 R(yz,bz)≡1⌊2t/ϵ⌋[ 2yz+22(L−1)n−122(L−1)nbz+2(1−yz+22(L−1)n−122(L−1)n)(1−bz) (13) −(yz+22(L−1)n−122(L−1)n)2−(1−yz+22(L−1)n−122(L−1)n)2+1].

Then the client pays the reward to the rational server.

Since we assume that and are polynomials in , the number of repetitions of steps (a)–(d) is bounded by a polynomial. From Eq. (13), in this case, the expected value of the total reward is

 1⌊2t/ϵ⌋∑z∈~L⎡⎣−2(yz22(L−1)n−qz22(L−1)n+1)2+32+2q2z22[2(L−1)n+1]⎤⎦. (14)

When , Eq. (14) is maximized and is a monotonically increasing function of . Therefore, in order to increase the expected value of the total reward, the rational server has to include all bit strings whose probabilities are larger than into the list . Therefore, from Theorem 3 and Appendix C, the rational quantum server can efficiently generate such list and .

It is worth mentioning that we can obtain the same conclusion as above even when is an estimated value of , i.e., with probability at least , where and are the inverses of a polynomial and an exponential in . When is the estimated value, the server may be able to increase the expectation value of the reward by including a bit string whose probability is small. Consider the following situations: when the true value is , the estimated value can become with a non-zero probability. In this case, the expected value is . On the other hand, when the true value is , the estimated value can become with a non-zero probability. In this case, the expected value is larger than . This example implies that we have to appropriately take the case where the estimation fails into account.

We show that even if is an estimated value of , all bit strings whose probabilities are larger than