1 Introduction
Background.
A very active research area in quantum computing is proving the superiority of “weak” models of quantum computation, such as smalldepth quantum circuits, over classical computation. The main motivation is that such models are expected to be much easier to implement than universal quantum computation (e.g., polynomialsize quantum circuits) — Indeed in the past years we have been witnessing the development of several smallscale quantum computers (see, e.g., [1] for information about current quantum computers).
Under assumptions such as the noncollapse of the polynomial hierarchy or the hardness of (appropriate versions of) the permanent, strong evidence of the superiority of weak classes of quantum circuits has been obtained from the 2000s [2, 3, 4, 6, 12, 13, 14, 18, 19, 20, 33, 39]. A recent breakthrough by Bravyi, Gosset and König [10], further strengthened by subsequent works [5, 11, 17, 21], showed an unconditional separation between the computational powers of quantum and classical smalldepth circuits by exhibiting a computational task that can be solved by constantdepth quantum circuits but requires logarithmic depth for classical circuits. A major shortcoming, however, is that logarithmicdepth classical computation is a relatively weak complexity class. Due to the notorious difficulty of proving superlogarithmic lower bounds on the depth of classical circuits, showing significantly stronger unconditional separations seems completely out of reach of current techniques.
Progress has nevertheless been achieved recently by modifying the concept of computational problem, and considering interactive problems (problems consisting of several rounds of interaction between the computational device and a verifier). Grier and Schaeffer [23], in particular, showed that there exists an interactive problem that can be solved by constantdepth quantum circuits but such that any classical device solving it would solve problems. This is a stronger evidence of the superiority of constantdepth quantum circuits since the complexity class is expected to be significantly larger than logarithmicdepth classical computation. On the other hand, problems in are still tractable classically since they can be solved in polynomial time.^{1}^{1}1More precisely, we have the inclusions .
Another significant development was achieved by Brakerski, Christiano, Mahadev, Vazirani and Vidick [7] who proposed, using some techniques from [29], a test of quantumness based on the Learning with Errors () assumption, which states that the learning with error problem (informally, inverting a “noisy” system of equations) cannot be solved in polynomial time. (See also [8, 27]
for variants of this test.) They showed that this test can be passed with high probability using a polynomialtime quantum device but cannot be solved by any polynomialtime classical device under the
assumption, which is a compelling evidence of the superiority of quantum computing.^{2}^{2}2We stress that the quantum protocol that passes the test does not solve the learning with error problem. A crucial property of this test is that checking if the computational device passes the test (which thus means checking if the computational device is quantum) can be done efficiently — this property is not known to be true for many other tests from prior works in quantum supremacy (e.g., [2, 3, 4, 6, 12, 13, 14, 18, 19, 20, 33, 39].) Finally, the test of quantumness from [7] has another fundamental property: it can be shown that the only way for a computationally bounded quantum prover to pass the test is to prepare precisely the expected quantum state.^{3}^{3}3The proof of this statement relies on the (standard) assumption that the learning with error problem is hard for computationally bounded quantum computation as well. This property makes it possible to control a computationally bounded quantum prover, and has already lead to many cryptographic applications: producing certifiable randomness from a single untrusted (computationally bounded) quantum device [7], selftesting of a single quantum device [31] and deviceindependent key distribution [30].Our results.
In this paper we investigate complexitytheoretic aspects of quantum protocols passing the above test of quantumness based on . While the quantum protocol from [7]
can clearly be implemented in polynomial time, and while prior works discussed its practical realization and gave some promising numerical estimates on the number of qubits needed for its implementation (for instance, Ref.
[7] mentioned 2000 qubits for a protocol providing 50 bits of security), to our knowledge several theoretical aspects, and in particular depth complexity, have not been investigated so far.We first isolate the main computational task solved by a quantum protocol passing the test. This computational problem, which we denote , is presented in Section 3
. Informally, it asks to prepare a quantum superposition of an arbitrary vector
and its shift , where denotes the solution of the “noisy” system of linear equations used in the assumption. Our main technical contribution (the formal statement is in Section 3) shows that this problem can be solved by a constantdepth quantum circuit combined with efficient (lowcomplexity) classical computation:[Informal version] The computational task can be solved by a constantdepth quantum circuit combined with logarithmicdepth classical computation.
The model of quantum circuits we consider in Theorem 1 is described formally in Section 2.4 and is reminiscent of some models used in prior works on measurementbased quantum computing (in particular Refs. [15, 16]). The primary motivation for considering this model is as follows: compared with the practical cost of implementing quantum computation, classical computation (and especially lowcomplexity computation such as logarithmicdepth classical computation) can be considered as a free resource and thus may not be included in the depth complexity. One possible criticism of our model is that the quantum states created by our constantdepth quantum circuits need to be kept coherent while the logarithmicdepth classical computation is performed, which may be an issue since in terms of decoherence waiting is essentially as difficult as performing quantum computation. We can however argue that classical logarithmicdepth classical computation should be implementable significantly faster than logarithmicdepth quantum computation, thus limiting the impact of decoherence.
As mentioned above, is the main computational task used in the test of quantumness based on and its applications given in [7, 8, 30, 31] (the other quantum steps indeed only consist in measuring the state generated in an appropriate basis). As a consequence of Theorem 1, the whole test of quantumness and its applications to producing certifiable randomness, selftesting and deviceindependent key distribution can thus immediately be implemented by constantdepth quantum circuits combined with logarithmicdepth classical computation. For completeness, we describe in detail how to apply our construction with the whole test of quantumness from [7], which was actually only sketched in prior works (since those works focused on applications of the test), in Section 4.
Overview of our techniques.
Our main technical contribution is Theorem 1, which shows how to solve using constantdepth quantum circuits (in our model allowing some lowcomplexity classical pre/processing). This is done by modifying the construction of prior works in two major ways.
Our first contribution is to show how to construct in constant depth a quantum state robust against small “noise”. In [7]
the construction was done by considering a state with amplitudes taken from a wideenough Gaussian distribution, and creating this state using the approach from the seminal paper by Regev
[36], which itself relied on a technique by Grover and Rudolph [24]. To our knowledge, the resulting construction, while definitely implementable with quantum circuits of polynomial size, does not seem to be implementable in constant depth. Instead, our main idea (see Theorem 3.3 in Section 3) is to use a quantum state with amplitudes taken from a much simpler distribution (a wideenough truncated uniform distribution) that can be implemented in constant depth.
The second contribution (Theorem 3.2 in Section 3) is analyzing carefully how to implement in the quantum setting the map used in the learning with error problem (note that in the quantum setting the map needs to be applied in superposition, which requires a quantum circuit). We observe that when given as input a state robust against small noise, the remaining computational task involves only algebraic operations modulo , for some large integer . We then show that prior works by Høyer and Spalek [25] and Takahashi and Tani [38] imply that implementing arithmetic operations modulo exactly and generating a good approximation of the uniform superposition of all elements of can be done using constantdepth quantum circuits if unbounded fanout gates are allowed. We finally show that unbounded fanout gates can be implemented in our model using a technique called gate teleportation [22, 28, 34].
2 Preliminaries
2.1 General notations
In this paper the notation represents the logarithm in basis 2. For any integer , we write . As usual in latticebased cryptography, we will often identify with the set of integers . For any , we write its binary representation, as in [7]. Given a vector , we write and , and write its binary representation. Given a matrix , we define the distance of as the minimum over all the nonzero vectors , of the quantity .
2.2 Latticebased cryptography
For a security parameter , let be integer functions of . Let be a distribution over . The problem is to distinguish between the distributions and , where , and are uniformly random and . The corresponding hardness assumption is that no polynomialtime algorithm can solve this problem with nonnegligible advantage in . As in [7], we write the task of solving for any function that is at most a polynomial in .
The most usual distribution used in latticebased cryptography is the truncated discrete Gaussian distribution, which we now introduce. For any positive integer and any positive real number , the truncated discrete Gaussian distribution over with parameter , which we denote , is defined as if and otherwise, for any , where is the normalization factor defined as .
As in [7], we will use the following theorem to generate instances of the learning with error problem. [Theorem 2.6 in [7] and Theorem 5.1 in [32]] Let and be such that . There is an efficient randomized algorithm that returns a matrix and a trapdoor such that the distribution of is negligibly (in ) close to the uniform distribution. Moreover, there is an efficient algorithm that, on input , and where is arbitrary, and is a universal constant, returns with overwhelming probability over .
The matrix generated by has distance at least with overwhelming probability. Also note that if , then the inequality holds. These two observations motivate the following definition: we define as the set of 5tuples such that , and are positive integers, is a matrix of distance at least , where is the constant from Theorem 2.2, and is a vector that can be written as for some and some with . Informally, the set represents the set of good parameters for the version of we will consider. For technical reasons, we also define the following variant, which enables us to set a stronger upper bound on . For any , we define as the set of 5tuples such that the following two conditions hold:

,

can be written as for some and some with .
2.3 Quantum states: bounded and robust states
We assume that the reader is familiar with the basics of quantum computing and refer to, e.g., [35] for a good reference.
For any positive integer , we write the complex Hilbert space of dimension with basis . Quantum states in are (implicitly) implemented using qubits, via the binary encoding of these basis vectors. For any integer , we also consider the Hilbert space and associate to it the basis . A quantum state in can thus be written as for complex numbers such that . We write its support We say that has real amplitudes if for each . For any vector , we write where the addition is performed modulo .
We now introduce two crucial definitions on which our approach will be based.^{4}^{4}4We stress that these two definitions (as well as several definitions of the previous paragraph) are basisdependent — we always refer to the canonical basis . Also note that while Definition 2.3 can easily be written without the requirement that the state has real amplitude (by replacing by , for instance), requiring that the state has real amplitudes will be enough for our purpose and will simplify later calculations.
Let be a positive real number. A quantum state is bounded if for any element .
Let , be two positive real numbers. A quantum state is robust if has real amplitudes and, for any vector such that , the inequality holds.
Finally, given two states and in , and any positive real number , we say that and are close if . We also define the notion of closeness to a subspace as follows. Let be a subspace of and be a positive real number. We say that a state is close to if there exists a quantum state such that .
2.4 Quantum circuits
Universal sets of quantum gates.
As in the standard model of quantum circuits (see, e.g., [35]), in this paper we work with qubits. We consider two sets of elementary gates. We first consider the set where is the Hadamard gate, is the phase operation and is the controllednot gate. This is an universal set consisting of a finite number of gates that can approximate any quantum gate with good precision (see Section 4.5.3 of [35] for details). The second set we consider, which we denote , contains all the gates acting on 1 qubit and the operator. Note that this set contains an infinite number of gates.
Our model.
We now introduce the class of quantum circuits considered in this paper. Let and be two positive integers, and be a set of elementary quantum gates (e.g., or ).
A circuit in the class acts on qubits. These qubits are initialized to the state . The circuit consists of successive layers. Each layer consists of a constantdepth quantum circuit over the basis acting on these qubits, which does not contains any measurement, followed by measurements in the computational basis of all the first qubits. Consider the th layer. Let denote the outcome of measuring the first qubits at the end of this layer. Then some classical function is applied to the , and the value is given as input to the first qubits of the next layer, i.e., the qubits are reinitialized to the state . We refer to Figure 1 for an illustration.
The complexity of a circuit in the class defined above depends on the number of qubits , the number of layers and the classical complexity of computing function ’s. We are mainly interested in circuits that have a constant number of layers and such that all functions can be computed efficiently classically. We formally define this class below.
We define the class of families of circuits such that the following conditions hold:

for each , we have for some integers such that ;

for each , the number of layers in is constant (i.e., independent of );

for each , all the functions ’s of can be computed by a depth classical circuit.
We require that the family is logarithmicspace uniform, i.e., there exists a classical Turing machine that on input
outputs a classical description of (as well as descriptions of the circuits computing the functions ’s) in space.2.5 Clifford circuits and quantum arithmetic
Clifford circuits.
Let us consider the Pauli gates and and the phase gate . A quantum circuit consisting only of gates from the set is called a Clifford circuit.^{5}^{5}5Since and , the two Pauli gates can actually be removed from this gate set. Such a circuit can be implemented by a quantum circuit of class acting on qubits, where is the number of gates in the original circuit, via a technique called gate teleportation first introduced by Gottesman and Chuang [22] and then developed into a computational model by Leung [28] and Nielsen [34] (see also, e.g., [9, 26] for good presentations of this technique).
A concrete example, which we will actually heavily use, is the unbounded fanout gate over . This unitary gate maps the basis state to , for any . This gate can easily be written as a circuit consisting of successive CNOT gates (the depth of such a circuit implementation is thus linear in ). Using the above approach, this gate can be implemented by a quantum circuit of class acting on qubits. A concrete decomposition, which uses only two layers, is presented in Section 6 of [15].
Modular arithmetics.
Let us consider the following unitary operations (where the arithmetic operations are performed modulo and is a th root of unity):

the unitary operation over that maps to for any ;

the unitary operation over that maps to for any .
We now discuss how to obtain exact implementations for and , and also for arbitrary linear maps over (exact implementation of these gates will be crucial for implementing our test of quantumness in constant depth). Takahashi and Tani [38] showed how to implement exactly and in constant depth by circuits that use gates in and unbounded fanout gates acting on qubits, by showing that quantum threshold gates, which are enough to implement all these operations (as first pointed out by Høyer and Spalek [25], based on prior works on classical threshold gates [37]), can be implemented in constant depth by such circuits. Since each unbounded fanout gate can be implemented by a quantum circuit of class acting on qubits, as discussed above, these arithmetic operations can be exactly implemented by quantum circuits of class acting on qubits. As discussed in [25, 38], the same approach can be applied to implement iterated addition, and more generally any linear map , since such maps can be computed in constant depth using classical threshold gates as well. This can easily be further generalized to give implementation of any linear map by a quantum circuit of class acting on qubits.
Unfortunately, it is still unknown if the operator can be implemented exactly in constant depth with a circuit using only elementary gates in and unbounded fanout gates (see Section 6 of [38]). For the protocol constructed in this paper, however, we will only need to apply to the state , i.e., we only need to prepare the state . Lemma 4.18 in [25] shows that this task can be implemented in constant depth with exponential precision (which will be enough for our purpose): there exists a constantdepth circuit of size using gates in and unbounded fanout gates that computes a state which is at distance at most of the state . By converting each unbounded fanout gate, this circuit can immediately be converted into a circuit in the class acting on qubits.
3 Quantum State Generation using SmallDepth Circuits
In this section we describe the main computational task solved by a quantum prover in the test of quantumness based on we present in Section 4 (as well as in prior works [7, 8, 30, 31]), and show how to solve it using a quantum circuit of small depth.
3.1 Statement of the problem
For any and any , where is the set of parameters defined in Section 2.2, let denote the set of vectors such that there exists a vector for which . Note that such is necessarily unique, since has distance at least . Let us write this vector . Note that using the notations of Section 2.2, i.e., defining as the (unique) vector in such that can be written as for with . For any , define the quantum state
Let be the subspace of generated by the states .
The computational problem we consider in this section, which we denote , has two parameters , and is defined as follows. This is the main task solved by the quantum protocols passing our test of quantumness, as well as in the tests used in prior works [7, 8, 30, 31].
Given , create a quantum state close to .
Here is our main theorem, which shows that the problem can be solved by a smalldepth quantum circuit when is large enough.
3.2 Preparation procedure
In this subsection we present and analyze a quantum procedure that outputs a state close to when given as additional input an appropriate quantum state . This procedure can be implemented by a smalldepth quantum circuit. In subsection 3.3 we will show how to create efficiently such an appropriate state .
The following theorem is the main contribution of this subsection. Let and be any positive parameters. For any with , there exists a quantum circuit of class acting on qubits that receives a quantum state , outputs a quantum state , and satisfies the following condition: if is bounded and robust, then is close to .
Proof.
We first describe the procedure. Let us write the input state, where for all (remember that the definition of a robust state implies that the amplitudes are real). The procedure first prepares the state and applies the unitary operator to this state to obtain
Using the approach discussed in Section 2.5, this can be done by a quantum circuit of class acting on qubits with approximation error . Below we assume that this state has been done exactly — we will add the approximation error at the very end of the calculation. The procedure then converts this state to the state
where is the function defined as for any (all the operations are performed modulo ). This operation can be implemented by a quantum circuit of class acting on qubits using the approach of Section 2.5 since can be written as a linear map over as follows: define the matrix obtained by appending the vector to the left of the matrix and write
We now analyze this procedure. Let us write the output state in the following form:
where
Define the quantum state
where and We first show that the states and are close. .
Proof.
We have for some and some vector such that . Since the state is robust, we thus have for any . We thus obtain as claimed. ∎
We now show that the state is in . The crucial property we will use is that the equality holds for any .
Let us decompose as follows:
for quantum states and amplitudes such that We now show the following claim. For any such that , we have and .
Proof.
Assume that . Observe that in this case for some . Since the state is bounded, we have and thus .
We show below that for any distinct we have which implies that .
Indeed, assume that and take an element in the intersection. Since the state is bounded, we have and , and thus . This is impossible, since by construction the matrix has distance at least . ∎
3.3 Creating the initial state
Brakerski et al. [7] have shown how to construct a quantum state that is bounded and robust, for appropriate parameters , using Gaussian distributions. In this subsection we present another quantum state that has similar properties, but can be created by a smalldepth quantum circuit.
For any , any integer and any , there exists a quantum circuit of class acting on qubits that generates a quantum state that is bounded and robust.
Proof.
Let us write and .
We describe the construction. Starting with the quantum state , apply (in parallel) a Hadamard gate on the first qubits of each copy of , in order to get the state
Then apply on each of the copies the unitary operator over that maps to for any (the subtraction is done modulo ). As described in Section 2.5, these arithmetic operations can be implemented by a quantum circuit of class acting on qubits. This gives the state
For any vector , consider the state
The inner product of and is where is the set of vectors such that . If , then and thus
as claimed. ∎
4 Application: Test of Quantumness
In this section we describe and analyze the test of quantumness based on the assumption that has been implicitly presented in [7], and show how to use the results from Section 3 to pass this test with smalldepth quantum circuits.
We first define some sets exactly as in [7]. The definition is fairly technical and can actually be skipped on a first reading, since we will later only use the property that these sets are dense enough. For any and any , let be the map such that for any , each coordinate of is obtained by taking the inner product modulo 2 of the corresponding block of coordinates of and of , where denotes the vector in where each coordinate is . We define the set
For any , we then define and Note that these sets are dense: for any and any , we have
Our test of quantumness is described in Figure 2. In Subsection 4.1 we explain how to pass the test when is large enough using a quantum prover that can be implemented in constant depth. In Subsection 4.2 we then show that no classical computationallybounded prover can pass this test with high probability under the assumption, for a large range of parameters. A concrete test of quantumness can be obtained, for instance, by fixing , setting , , choosing superpolynomial in and taking . Theorem 4.1 shows that a smalldepth quantum prover can pass the corresponding test of quantumness with probability close to , while Theorem 4.2 shows that no polynomialtime classical prover can pass the test with probability significantly larger than , under the assumption (the gap between the success probabilities of classical and quantum provers can easily be further amplified using parallel repetitions).
4.1 Quantum protocol
Here is the main result of this subsection. Let and be any positive parameters. There exists a quantum prover, which can be implemented by a circuit of class acting on qubits, that passes the test of Figure 2 with probability at least for all values such that , where is some negligible function of the parameters.
Proof.
The 5tuple is in with overwhelming probability (see the discussion after Theorem 2.2 in Section 2.2). We describe the quantum protocol under this assumption. After receiving the key at Step 1, the prover creates a state that is bounded and robust using Theorem 3.3. Then the prover applies Theorem 3.2 using the state as input, which gives a state that is close to some state in .
Let us first describe and analyze the remaining of the protocol under the assumption that is in (instead of being only close to ). The prover measures the rightmost register of . Let denote the measurement outcome. The state after the measurement is