# Test of Quantumness with Small-Depth Quantum Circuits

Recently Brakerski, Christiano, Mahadev, Vazirani and Vidick (FOCS 2018) have shown how to construct a test of quantumness based on the learning with errors (LWE) assumption: a test that can be solved efficiently by a quantum computer but cannot be solved by a classical polynomial-time computer under the LWE assumption. This test has lead to several cryptographic applications. In particular, it has been applied to producing certifiable randomness from a single untrusted quantum device, self-testing a single quantum device and device-independent quantum key distribution. In this paper, we show that this test of quantumness, and essentially all the above applications, can actually be implemented by a very weak class of quantum circuits: constant-depth quantum circuits combined with logarithmic-depth classical computation. This reveals novel complexity-theoretic properties of this fundamental test of quantumness and gives new concrete evidence of the superiority of small-depth quantum circuits over classical computation.

Comments

There are no comments yet.

## Authors

• 3 publications
• 21 publications
05/03/2021

### Quantum Advantage with Shallow Circuits under Arbitrary Corruption

Recent works by Bravyi, Gosset and König (Science 2018), Bene Watts et a...
05/09/2021

### Practical Parallel Self-testing of Bell States via Magic Rectangles

Self-testing is a method to verify that one has a particular quantum sta...
10/30/2018

### Average-Case Quantum Advantage with Shallow Circuits

Recently Bravyi, Gosset and König (Science 2018) proved an unconditional...
03/07/2019

### Quantum hardness of learning shallow classical circuits

In this paper we study the quantum learnability of constant-depth classi...
06/16/2020

### Circuits: An abstract viewpoint

Our primary purpose is to isolate the abstract, mathematical properties ...
02/22/2020

### Optimality Study of Existing Quantum Computing Layout Synthesis Tools

Layout synthesis, an important step in quantum computing, processes quan...
04/01/2021

### Classically-Verifiable Quantum Advantage from a Computational Bell Test

We propose and analyze a novel interactive protocol for demonstrating qu...
##### This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

## 1 Introduction

#### Background.

A very active research area in quantum computing is proving the superiority of “weak” models of quantum computation, such as small-depth quantum circuits, over classical computation. The main motivation is that such models are expected to be much easier to implement than universal quantum computation (e.g., polynomial-size quantum circuits) — Indeed in the past years we have been witnessing the development of several small-scale quantum computers (see, e.g., [1] for information about current quantum computers).

Under assumptions such as the non-collapse of the polynomial hierarchy or the hardness of (appropriate versions of) the permanent, strong evidence of the superiority of weak classes of quantum circuits has been obtained from the 2000s [2, 3, 4, 6, 12, 13, 14, 18, 19, 20, 33, 39]. A recent breakthrough by Bravyi, Gosset and König [10], further strengthened by subsequent works [5, 11, 17, 21], showed an unconditional separation between the computational powers of quantum and classical small-depth circuits by exhibiting a computational task that can be solved by constant-depth quantum circuits but requires logarithmic depth for classical circuits. A major shortcoming, however, is that logarithmic-depth classical computation is a relatively weak complexity class. Due to the notorious difficulty of proving superlogarithmic lower bounds on the depth of classical circuits, showing significantly stronger unconditional separations seems completely out of reach of current techniques.

Progress has nevertheless been achieved recently by modifying the concept of computational problem, and considering interactive problems (problems consisting of several rounds of interaction between the computational device and a verifier). Grier and Schaeffer [23], in particular, showed that there exists an interactive problem that can be solved by constant-depth quantum circuits but such that any classical device solving it would solve -problems. This is a stronger evidence of the superiority of constant-depth quantum circuits since the complexity class is expected to be significantly larger than logarithmic-depth classical computation. On the other hand, problems in are still tractable classically since they can be solved in polynomial time.111More precisely, we have the inclusions .

Another significant development was achieved by Brakerski, Christiano, Mahadev, Vazirani and Vidick [7] who proposed, using some techniques from [29], a test of quantumness based on the Learning with Errors () assumption, which states that the learning with error problem (informally, inverting a “noisy” system of equations) cannot be solved in polynomial time. (See also [8, 27]

for variants of this test.) They showed that this test can be passed with high probability using a polynomial-time quantum device but cannot be solved by any polynomial-time classical device under the

assumption, which is a compelling evidence of the superiority of quantum computing.222We stress that the quantum protocol that passes the test does not solve the learning with error problem. A crucial property of this test is that checking if the computational device passes the test (which thus means checking if the computational device is quantum) can be done efficiently — this property is not known to be true for many other tests from prior works in quantum supremacy (e.g., [2, 3, 4, 6, 12, 13, 14, 18, 19, 20, 33, 39].) Finally, the test of quantumness from [7] has another fundamental property: it can be shown that the only way for a computationally bounded quantum prover to pass the test is to prepare precisely the expected quantum state.333The proof of this statement relies on the (standard) assumption that the learning with error problem is hard for computationally bounded quantum computation as well. This property makes it possible to control a computationally bounded quantum prover, and has already lead to many cryptographic applications: producing certifiable randomness from a single untrusted (computationally bounded) quantum device [7], self-testing of a single quantum device [31] and device-independent key distribution [30].

#### Our results.

In this paper we investigate complexity-theoretic aspects of quantum protocols passing the above test of quantumness based on . While the quantum protocol from [7]

can clearly be implemented in polynomial time, and while prior works discussed its practical realization and gave some promising numerical estimates on the number of qubits needed for its implementation (for instance, Ref.

[7] mentioned 2000 qubits for a protocol providing 50 bits of security), to our knowledge several theoretical aspects, and in particular depth complexity, have not been investigated so far.

We first isolate the main computational task solved by a quantum protocol passing the test. This computational problem, which we denote , is presented in Section 3

. Informally, it asks to prepare a quantum superposition of an arbitrary vector

and its shift , where denotes the solution of the “noisy” system of linear equations used in the assumption. Our main technical contribution (the formal statement is in Section 3) shows that this problem can be solved by a constant-depth quantum circuit combined with efficient (low-complexity) classical computation:

[Informal version] The computational task can be solved by a constant-depth quantum circuit combined with logarithmic-depth classical computation.

The model of quantum circuits we consider in Theorem 1 is described formally in Section 2.4 and is reminiscent of some models used in prior works on measurement-based quantum computing (in particular Refs. [15, 16]). The primary motivation for considering this model is as follows: compared with the practical cost of implementing quantum computation, classical computation (and especially low-complexity computation such as logarithmic-depth classical computation) can be considered as a free resource and thus may not be included in the depth complexity. One possible criticism of our model is that the quantum states created by our constant-depth quantum circuits need to be kept coherent while the logarithmic-depth classical computation is performed, which may be an issue since in terms of decoherence waiting is essentially as difficult as performing quantum computation. We can however argue that classical logarithmic-depth classical computation should be implementable significantly faster than logarithmic-depth quantum computation, thus limiting the impact of decoherence.

As mentioned above, is the main computational task used in the test of quantumness based on and its applications given in [7, 8, 30, 31] (the other quantum steps indeed only consist in measuring the state generated in an appropriate basis). As a consequence of Theorem 1, the whole test of quantumness and its applications to producing certifiable randomness, self-testing and device-independent key distribution can thus immediately be implemented by constant-depth quantum circuits combined with logarithmic-depth classical computation. For completeness, we describe in detail how to apply our construction with the whole test of quantumness from [7], which was actually only sketched in prior works (since those works focused on applications of the test), in Section 4.

#### Overview of our techniques.

Our main technical contribution is Theorem 1, which shows how to solve using constant-depth quantum circuits (in our model allowing some low-complexity classical pre/processing). This is done by modifying the construction of prior works in two major ways.

Our first contribution is to show how to construct in constant depth a quantum state robust against small “noise”. In [7]

the construction was done by considering a state with amplitudes taken from a wide-enough Gaussian distribution, and creating this state using the approach from the seminal paper by Regev

[36], which itself relied on a technique by Grover and Rudolph [24]. To our knowledge, the resulting construction, while definitely implementable with quantum circuits of polynomial size, does not seem to be implementable in constant depth. Instead, our main idea (see Theorem 3.3 in Section 3

) is to use a quantum state with amplitudes taken from a much simpler distribution (a wide-enough truncated uniform distribution) that can be implemented in constant depth.

The second contribution (Theorem 3.2 in Section 3) is analyzing carefully how to implement in the quantum setting the map used in the learning with error problem (note that in the quantum setting the map needs to be applied in superposition, which requires a quantum circuit). We observe that when given as input a state robust against small noise, the remaining computational task involves only algebraic operations modulo , for some large integer . We then show that prior works by Høyer and Spalek [25] and Takahashi and Tani [38] imply that implementing arithmetic operations modulo  exactly and generating a good approximation of the uniform superposition of all elements of can be done using constant-depth quantum circuits if unbounded fanout gates are allowed. We finally show that unbounded fanout gates can be implemented in our model using a technique called gate teleportation [22, 28, 34].

## 2 Preliminaries

### 2.1 General notations

In this paper the notation represents the logarithm in basis 2. For any integer , we write . As usual in lattice-based cryptography, we will often identify with the set of integers . For any , we write its binary representation, as in [7]. Given a vector , we write and , and write its binary representation. Given a matrix , we define the distance of  as the minimum over all the non-zero vectors , of the quantity .

### 2.2 Lattice-based cryptography

For a security parameter , let be integer functions of . Let be a distribution over . The problem is to distinguish between the distributions and , where , and are uniformly random and . The corresponding hardness assumption is that no polynomial-time algorithm can solve this problem with non-negligible advantage in . As in [7], we write the task of solving for any function that is at most a polynomial in .

The most usual distribution used in lattice-based cryptography is the truncated discrete Gaussian distribution, which we now introduce. For any positive integer and any positive real number , the truncated discrete Gaussian distribution over with parameter , which we denote , is defined as if and otherwise, for any , where is the normalization factor defined as .

As in [7], we will use the following theorem to generate instances of the learning with error problem. [Theorem 2.6 in [7] and Theorem 5.1 in [32]] Let and be such that . There is an efficient randomized algorithm that returns a matrix and a trapdoor such that the distribution of is negligibly (in ) close to the uniform distribution. Moreover, there is an efficient algorithm that, on input , and where is arbitrary, and is a universal constant, returns with overwhelming probability over .

The matrix generated by has distance at least with overwhelming probability. Also note that if , then the inequality holds. These two observations motivate the following definition: we define as the set of 5-tuples such that , and are positive integers, is a matrix of distance at least , where is the constant from Theorem 2.2, and is a vector that can be written as for some and some with . Informally, the set represents the set of good parameters for the version of we will consider. For technical reasons, we also define the following variant, which enables us to set a stronger upper bound on . For any , we define as the set of 5-tuples such that the following two conditions hold:

• ,

• can be written as for some and some with .

### 2.3 Quantum states: bounded and robust states

We assume that the reader is familiar with the basics of quantum computing and refer to, e.g., [35] for a good reference.

For any positive integer , we write the complex Hilbert space of dimension with basis . Quantum states in are (implicitly) implemented using qubits, via the binary encoding of these basis vectors. For any integer , we also consider the Hilbert space and associate to it the basis . A quantum state in can thus be written as for complex numbers such that . We write its support We say that has real amplitudes if for each . For any vector , we write where the addition is performed modulo .

We now introduce two crucial definitions on which our approach will be based.444We stress that these two definitions (as well as several definitions of the previous paragraph) are basis-dependent — we always refer to the canonical basis . Also note that while Definition 2.3 can easily be written without the requirement that the state has real amplitude (by replacing by , for instance), requiring that the state has real amplitudes will be enough for our purpose and will simplify later calculations.

Let be a positive real number. A quantum state is -bounded if for any element .

Let , be two positive real numbers. A quantum state is -robust if has real amplitudes and, for any vector such that , the inequality holds.

Finally, given two states and in , and any positive real number , we say that and are -close if . We also define the notion of -closeness to a subspace as follows. Let be a subspace of and be a positive real number. We say that a state is -close to if there exists a quantum state such that .

### 2.4 Quantum circuits

#### Universal sets of quantum gates.

As in the standard model of quantum circuits (see, e.g., [35]), in this paper we work with qubits. We consider two sets of elementary gates. We first consider the set where is the Hadamard gate, is the -phase operation and is the controlled-not gate. This is an universal set consisting of a finite number of gates that can approximate any quantum gate with good precision (see Section 4.5.3 of [35] for details). The second set we consider, which we denote , contains all the gates acting on 1 qubit and the operator. Note that this set contains an infinite number of gates.

#### Our model.

We now introduce the class of quantum circuits considered in this paper. Let and be two positive integers, and be a set of elementary quantum gates (e.g., or ).

A circuit in the class acts on qubits. These qubits are initialized to the state . The circuit consists of successive layers. Each layer consists of a constant-depth quantum circuit over the basis acting on these qubits, which does not contains any measurement, followed by measurements in the computational basis of all the first qubits. Consider the -th layer. Let denote the outcome of measuring the first qubits at the end of this layer. Then some classical function is applied to the , and the value is given as input to the first qubits of the next layer, i.e., the qubits are reinitialized to the state . We refer to Figure 1 for an illustration.

The complexity of a circuit in the class defined above depends on the number of qubits , the number of layers and the classical complexity of computing function ’s. We are mainly interested in circuits that have a constant number of layers and such that all functions can be computed efficiently classically. We formally define this class below.

We define the class of families of circuits such that the following conditions hold:

• for each , we have for some integers such that ;

• for each , the number of layers in is constant (i.e., independent of );

• for each , all the functions ’s of can be computed by a -depth classical circuit.

We require that the family is logarithmic-space uniform, i.e., there exists a classical Turing machine that on input

outputs a classical description of (as well as descriptions of the circuits computing the functions ’s) in space.

### 2.5 Clifford circuits and quantum arithmetic

#### Clifford circuits.

Let us consider the Pauli gates and and the phase gate . A quantum circuit consisting only of gates from the set  is called a Clifford circuit.555Since and , the two Pauli gates can actually be removed from this gate set. Such a circuit can be implemented by a quantum circuit of class acting on qubits, where is the number of gates in the original circuit, via a technique called gate teleportation first introduced by Gottesman and Chuang [22] and then developed into a computational model by Leung [28] and Nielsen [34] (see also, e.g., [9, 26] for good presentations of this technique).

A concrete example, which we will actually heavily use, is the unbounded fanout gate over . This unitary gate maps the basis state to , for any . This gate can easily be written as a circuit consisting of successive CNOT gates (the depth of such a circuit implementation is thus linear in ). Using the above approach, this gate can be implemented by a quantum circuit of class acting on qubits. A concrete decomposition, which uses only two layers, is presented in Section 6 of [15].

#### Modular arithmetics.

Let us consider the following unitary operations (where the arithmetic operations are performed modulo and is a -th root of unity):

• the quantum Fourier transform

over , such that for any ;

• the unitary operation over that maps to for any ;

• the unitary operation over that maps to for any .

We now discuss how to obtain exact implementations for and , and also for arbitrary linear maps over (exact implementation of these gates will be crucial for implementing our test of quantumness in constant depth). Takahashi and Tani [38] showed how to implement exactly and in constant depth by circuits that use gates in  and unbounded fanout gates acting on qubits, by showing that quantum threshold gates, which are enough to implement all these operations (as first pointed out by Høyer and Spalek [25], based on prior works on classical threshold gates [37]), can be implemented in constant depth by such circuits. Since each unbounded fanout gate can be implemented by a quantum circuit of class acting on qubits, as discussed above, these arithmetic operations can be exactly implemented by quantum circuits of class acting on qubits. As discussed in [25, 38], the same approach can be applied to implement iterated addition, and more generally any linear map , since such maps can be computed in constant depth using classical threshold gates as well. This can easily be further generalized to give implementation of any linear map by a quantum circuit of class acting on qubits.

Unfortunately, it is still unknown if the operator can be implemented exactly in constant depth with a circuit using only elementary gates in and unbounded fanout gates (see Section 6 of [38]). For the protocol constructed in this paper, however, we will only need to apply to the state , i.e., we only need to prepare the state . Lemma 4.18 in [25] shows that this task can be implemented in constant depth with exponential precision (which will be enough for our purpose): there exists a constant-depth circuit of size using gates in and unbounded fanout gates that computes a state which is at distance at most of the state . By converting each unbounded fanout gate, this circuit can immediately be converted into a circuit in the class acting on qubits.

## 3 Quantum State Generation using Small-Depth Circuits

In this section we describe the main computational task solved by a quantum prover in the test of quantumness based on we present in Section 4 (as well as in prior works [7, 8, 30, 31]), and show how to solve it using a quantum circuit of small depth.

### 3.1 Statement of the problem

For any and any , where is the set of parameters defined in Section 2.2, let denote the set of vectors such that there exists a vector for which . Note that such is necessarily unique, since has distance at least . Let us write this vector . Note that using the notations of Section 2.2, i.e., defining as the (unique) vector in such that can be written as for with . For any , define the quantum state

 |Ψy⟩=1√2(|0⟩|xy⟩+|1⟩|xy−xu⟩).

Let be the subspace of generated by the states .

The computational problem we consider in this section, which we denote , has two parameters , and is defined as follows. This is the main task solved by the quantum protocols passing our test of quantumness, as well as in the tests used in prior works [7, 8, 30, 31].

Given , create a quantum state -close to .

Here is our main theorem, which shows that the problem can be solved by a small-depth quantum circuit when is large enough.

[Formal version]For any , the problem can be solved, for all inputs such that , by a quantum circuit of class acting on qubits. Theorem 1 follows from Theorems 3.2 and 3.3 proved in Subsections 3.2 and 3.3.

### 3.2 Preparation procedure

In this subsection we present and analyze a quantum procedure that outputs a state close to when given as additional input an appropriate quantum state . This procedure can be implemented by a small-depth quantum circuit. In subsection 3.3 we will show how to create efficiently such an appropriate state .

The following theorem is the main contribution of this subsection. Let and be any positive parameters. For any with , there exists a quantum circuit of class acting on qubits that receives a quantum state , outputs a quantum state , and satisfies the following condition: if is -bounded and -robust, then is -close to .

###### Proof.

We first describe the procedure. Let us write the input state, where for all (remember that the definition of a robust state implies that the amplitudes are real). The procedure first prepares the state and applies the unitary operator to this state to obtain

 1√2qn∑b∈{0,1}∑x∈Znq|b⟩|x⟩|φ⟩=∑b∈{0,1}∑x∈Znq∑z∈Zmqαz√2qn|b⟩|x⟩|z⟩.

Using the approach discussed in Section 2.5, this can be done by a quantum circuit of class acting on qubits with approximation error . Below we assume that this state has been done exactly — we will add the approximation error at the very end of the calculation. The procedure then converts this state to the state

 |Φ⟩=∑b∈{0,1}∑x∈Znq∑z∈Zmqαz√2qn|b⟩|x⟩|z+fk(b,x)⟩,

where is the function defined as for any (all the operations are performed modulo ). This operation can be implemented by a quantum circuit of class acting on qubits using the approach of Section 2.5 since  can be written as a linear map over as follows: define the matrix obtained by appending the vector to the left of the matrix and write

We now analyze this procedure. Let us write the output state in the following form:

 |Φ⟩ =1√2qn∑x∈Znq(|0⟩|x⟩|Φ0,x⟩+|1⟩|x⟩|Φ1,x⟩),

where

Define the quantum state

 |Φ′⟩ =1√2qn∑x∈Znq(|0⟩|x⟩|Φ′0,x⟩+|1⟩|x⟩|Φ′1,x⟩),

where and We first show that the states and are close. .

###### Proof.

We have for some and some vector such that . Since the state is -robust, we thus have for any . We thus obtain as claimed. ∎

We now show that the state is in . The crucial property we will use is that the equality holds for any .

Let us decompose as follows:

 |Φ′⟩ =∑y∈Zmqγy|Φ′y⟩|y⟩,

for quantum states and amplitudes such that We now show the following claim. For any such that , we have and .

###### Proof.

Assume that . Observe that in this case for some . Since the state is -bounded, we have and thus .

We show below that for any distinct we have which implies that .

Indeed, assume that and take an element in the intersection. Since the state is -bounded, we have and , and thus . This is impossible, since by construction the matrix has distance at least . ∎

Claim 3.2 implies that the state is in . Since we have from Claim 3.2, this concludes the proof of the theorem (the additional term comes from the approximation error in the application of ). ∎

### 3.3 Creating the initial state

Brakerski et al. [7] have shown how to construct a quantum state that is -bounded and -robust, for appropriate parameters , using Gaussian distributions. In this subsection we present another quantum state that has similar properties, but can be created by a small-depth quantum circuit.

For any , any integer and any , there exists a quantum circuit of class acting on qubits that generates a quantum state that is -bounded and -robust.

###### Proof.

Let us write and .

We describe the construction. Starting with the quantum state , apply (in parallel) a Hadamard gate on the first qubits of each copy of , in order to get the state

 (1√2r∑x∈{0,…,2r−1}|x⟩)⊗m.

Then apply on each of the copies the unitary operator over that maps to for any (the subtraction is done modulo ). As described in Section 2.5, these arithmetic operations can be implemented by a quantum circuit of class acting on qubits. This gives the state

 (1√2r∑x∈I|x⟩)⊗m=1√2mr∑(x1,…,xm)∈Im|x1,…,xm⟩.

For any vector , consider the state

 |φ+e⟩=1√2mr∑(x1,…,xm)∈Im|x1+e1,…,xm+em⟩.

The inner product of and is where is the set of vectors such that . If , then and thus

 ⟨φ|φ+e⟩≥(2r−2BV2r)m =(1−BV2r−1)m≥1−mBV2r−1≥1−4mBVC√mnlogqq≥1−ε/2,

as claimed. ∎

## 4 Application: Test of Quantumness

In this section we describe and analyze the test of quantumness based on the assumption that has been implicitly presented in [7], and show how to use the results from Section 3 to pass this test with small-depth quantum circuits.

We first define some sets exactly as in [7]. The definition is fairly technical and can actually be skipped on a first reading, since we will later only use the property that these sets are dense enough. For any and any , let be the map such that for any , each coordinate of is obtained by taking the inner product modulo 2 of the corresponding block of coordinates of and of , where denotes the vector in  where each coordinate is . We define the set

 Gb,x={d∈{0,1}n⌈logq⌉|∃i∈{bn2,…,bn2+n2}:(Ib,x(d))i≠0}}.

For any , we then define and Note that these sets are dense: for any and any , we have

Our test of quantumness is described in Figure 2. In Subsection 4.1 we explain how to pass the test when is large enough using a quantum prover that can be implemented in constant depth. In Subsection 4.2 we then show that no classical computationally-bounded prover can pass this test with high probability under the assumption, for a large range of parameters. A concrete test of quantumness can be obtained, for instance, by fixing , setting , , choosing superpolynomial in and taking . Theorem 4.1 shows that a small-depth quantum prover can pass the corresponding test of quantumness with probability close to , while Theorem 4.2 shows that no polynomial-time classical prover can pass the test with probability significantly larger than , under the assumption (the gap between the success probabilities of classical and quantum provers can easily be further amplified using parallel repetitions).

### 4.1 Quantum protocol

Here is the main result of this subsection. Let and be any positive parameters. There exists a quantum prover, which can be implemented by a circuit of class acting on qubits, that passes the test of Figure 2 with probability at least for all values such that , where is some negligible function of the parameters.

###### Proof.

The 5-tuple is in with overwhelming probability (see the discussion after Theorem 2.2 in Section 2.2). We describe the quantum protocol under this assumption. After receiving the key at Step 1, the prover creates a state that is -bounded and -robust using Theorem 3.3. Then the prover applies Theorem 3.2 using the state as input, which gives a state that is -close to some state in .

Let us first describe and analyze the remaining of the protocol under the assumption that is in (instead of being only close to ). The prover measures the rightmost register of . Let