Programming is error-prone. Programming a quantum computer and designing quantum communication protocols are even worse due to the weird nature of quantum systems [Yin16]. Therefore, verification techniques and automatic tools for quantum programs and quantum protocols will be indispensable whence commercial quantum computers and quantum communication systems are available. In the last 10 years, various verification techniques for classical programs have been extended to deal with quantum programs; in particular, several quantum program logics have been proposed:
Brunet and Jorrand [BJ04] proposed to apply Birkhoff-von Neumann quantum logic in reasoning about quantum programs. In the Birkhoff-von Neumann logic, closed subspaces of the state Hilbert space of a quantum system are used to represent the properties of the system, and logical connectives (negation), (and), (or) are interpreted as the operations: ortho-complement, meet and join, respectively, in the orthomodular lattice of all closed subspaces of the Hilbert space. The idea of [BJ04] is to add quantum operations (e.g. unitary transformations and quantum measurements) into the language of quantum logic so that it can be employed to describe and reason about the dynamics (evolution) of a quantum system (e.g. a quantum program).
Chadha, Mateus and Sernadas [CMS06] presented one of the first attempts to develop a Hoare-like logic for quantum programs. The quantum programs considered in [CMS06] can have both classical and quantum variables (memories). But only bounded iterations are allowed in these quantum programs. The logic given in [CMS06] is an extension of exogenous quantum logic [MS06], which has terms representing amplitudes of quantum states, obtained by introducing the axioms for unitary transformations and quantum measurements. Roughly speaking, the assertions (preconditions and postconditions) in this logic are properties of the real and imaginary components of the amplitudes.
Baltag and Smets [BS06] chose to develop a quantum generalisation of Propositional Dynamic Logic (PDL), which is an extension of Hoare logic for verification of classical programs. The approach of [BS06] is different from [BJ04], [CMS06], and it can be essentially seen as a reinterpretation of the language of PDL where a quantum action is interpreted as a (classical) relation between quantum states and models the input-output relation of a quantum program. In particular, by introducing some axioms to handle separation and locality, their proof system can be used to reason about the behaviours (e.g. entanglement) of compound quantum systems.
Kakutani [Ka09] proposed a quantum extension of Den Hartog and De Vink’s probabilistic Hoare logic [KV02]. The quantum programming language used in [Ka09] is Selinger’s QPL [Sel04] without recursive calls but with while loops. The assertions in this logic are probabilistic predicates (or assertions) used in [KV02]returns to upon the measurement in the computational basis is ).
Some useful proof rules for reasoning about quantum programs were introduced by Feng et al. [FDJY07]. The programming language employed in [FDJY07] is a natural quantum extension of the while-language. For simplicity of presentation, only purely quantum programs without classical variables were considered there. The assertions in these proof rules are physical observables (mathematically modelled by Hermitian operators), or quantum predicates as called in [DP06]. Furthermore, a Hoare-like logic for both partial and total correctness of quantum programs with (relative) completeness was established in [Yin11].
The mathematic foundations, the programming languages and the expressivity of the assertions of the quantum program logics presented in [CMS06], [Ka09], [Yin11] are carefully compared in a recent survey [Rand17].
Except program logics, model-checking techniques have also been developed for verification of quantum communication protocols and quantum programs. For example, Gay, Papanikolaou and Nagarajan [GPN08] developed a model-checker for verifying properties of the quantum systems that can be modelled in the stabiliser formalism. Feng et al. [FYY13]
presented an algorithm for model-checking quantum systems described as super-operator valued Markov chains, and the algorithm was implemented by Feng et al. in[FHTZ15]. The problem of checking linear-time properties of quantum systems was studied in [YLYF14], where linear-time properties are defined to be infinite sequences of sets of atomic propositions modelled as closed subspaces of the state Hilbert spaces, as in the Birkhoff-von Neumann quantum logic.
The main purpose of this paper is to summarise the results obtained by the author and his collaborators in a program logic approach to the verification of quantum programs. The paper is an extension of an invited talk at SETTA’2016 [Yin16a], but the results presented in Sections IV and V as well as the examples given in Section III are new and have not been published elsewhere.
The paper is organised as follows: The syntax and semantics of a quantum extension of the while-language is defined and a logic of Hoare-style for reasoning about quantum programs is presented in Section II. As is well-known, correctness specification of classical programs can be very tricky. Indeed, correctness specification of quantum programs can be even much trickier. In Section III, we present several simple examples through which the reader can better understand the difference between classical and quantum correctness specifications. The notion of proof outline is introduced and a strong soundness theorem is proved for quantum programs in Section IV. Several auxiliary axioms and inference rules are given in Section V, which can help to simplify verifications of quantum programs. Some basic ideas for mechanising quantum program verification based on the quantum Hoare logic are described in Section VI. The algorithms for generating invariants and termination analysis of quantum programs are summarised in Sections VII and VIII, respectively. Some topics for future studies are pointed out in the concluding section. For convenience of the reader, several basic properties of operators in Hilbert spaces needed in this paper are listed in Appendix A
. Several simple quantum relations (i.e. quantum predicates in a tensor product of state Hilbert spaces) were employed in SectionIII, a brief discussion on composition of quantum relations that can be used to generate more sophisticated quantum relations from these simple ones is given in Appendix B. For readability, the proofs of the results in Sections IV and V are deferred to Appendix C.
Ii Hoare Logic for Quantum Programs
Hoare logic is a cornerstone in verification of classical programs. As mentioned in Section I, several attempts [BJ04], [CMS06], [BS06], [FDJY07], [Ka09], [Yin11] have been made to build a Hoare-like logic for quantum programs. In this section, we focus on the one presented in [Yin11] because it is the only quantum Hoare logic with (relative) completeness in the existing literature.
Ii-a Syntax and Semantics
Let us first briefly recall the syntax of a quantum extension of the while-language. It is assumed that the reader is familiar with the basic notions of quantum computing. (A reader not familiar with them can have a quick look at Section 2 of [Yin11] or Section 1.1 of [YYW17]; for more details, we refer to [NC00] or [Yin16].) We assume a countably infinite set of quantum variables. For each , we write for its state Hilbert space.
The quantum while-programs are defined by the grammar:
The command “” is an initialisation that sets quantum variable to a basis state . The statement “” means that unitary transformation is performed on quantum register , leaving the states of the variables not in unchanged. The construct “” is a quantum generalisation of case or switch statement. In executing it, measurement is performed on , and then a subprogram is selected to be executed next according to the outcomes of measurement. The statement “” is a quantum generalisation of while-loop. The measurement in it has only two possible outcomes , . If the outcome is observed, then the program terminates, and if the outcome occurs, the program executes the loop body and continues the loop.
To further illustrate these program constructs, let us see two simple examples, both of which are quantum generalisations of certain probabilistic programs. The first is taken from [YYW17], and it is the quantum version of the example of three dials in [KMMM10].
Example II.1 (Three Quantum Dials)
Consider a slot machine that has three dials and two suits and . It spins the dials independently so that they come to rest on each of the suits with equal probability. This machine can be modelled as a probabilistic program:
where stands for a probabilistic choice which chooses to execute with probability and to execute with probability .
We can define a quantum variant of as follows:
where is the Hadamard gate in the -dimensional Hilbert space with as an orthonormal basis. The program also spins the dials, but does it in a quantum way modelled by the Hadamard “coin-tossing” operator .
It is worth pointing out an interesting difference between the probabilistic and quantum setting: spinning the dials with equal probability can be implemented in many different ways in the quantum world; e.g. a quantum gate different from the Hadamard gate.
The second example is a quantum generalisation of random walk that every one working on probabilistic algorithms or programming must be familiar with. Here is a simplified version (taken from [YYFD13]) of the one-dimensional quantum walks defined in [ABNVW01].
Example II.2 (Quantum Walk)
Let be the -dimensional Hilbert space with orthonormal basis states and , indicating directions Left and Right, respectively. It is the state space of a quantum coin. Let be the -dimensional Hilbert space with orthonormal basis states , where vector
, where vectordenotes position for each . The state space of the walk is . The initial state is . Each step of the walk consists of:
Measure the position of the system to see whether it is . If the outcome is “yes”, then the walk terminates, otherwise, it continues. The measurement is mathematically modelled by , where
and is the identity operator in the position space ;
The Hadamard “coin-tossing” operator is applied in the coin space ;
The shift operator defined by
for is performed on the space . Intuitively, the system walks one step left or right according to the direction state. Here, and stand for addition and subtraction modulo , respectively. The operator can be equivalently written as
This walk can be written as the quantum while-loop:
It is worth noticing an essential difference between the quantum walk and a classical random walk: the coin (or direction) variable can be in a superposition of and like , and thus the walker is moving left and right “simultaneously”; for example,
This means that if the walker is currently at position , then after one step she/he will be at both position and .
Similar to the case of classical while-programs, the operational semantics of quantum programs can be defined as a transition relation between configurations. For each quantum program , we write for the set of quantum variables occurring in . Let
be the state Hilbert space of . A partial density operator is defined as a positive operator with trace . We write for the set of partial density operators in . A configuration is a pair where is a program or the termination symbol , and denotes the state of quantum variables.
The operational semantics of quantum programs is defined by the transition rules in Figure 1.
It is worth pointing out that the transition rules (In), (UT), (IF), (L0) and (L1) are decreed by the basic postulates of quantum mechanics. A major difference between the operational semantics of classical and quantum programs should be noticed. During the execution of a classical case statement or a while-loop, checking its guard does not change the state of program variables. In contrast, checking the guard of a quantum case statement or a quantum loop requires to perform a measurement on (the system denoted by) the program variables, which, again decreed by a basic postulate of quantum mechanics, changes the state of these variables. From the operational semantics, we see that the control flow of a quantum program is determined by the outcomes of the quantum measurements occurring in the case statements or loops. Note that the outcomes of quantum measurements are classical information, so the control flows of quantum programs considered in this paper are classical. Quantum programs with quantum control flows were studied in [vT04], [AG05], [Zu05], [BP15], [SVV18] and Chapters 6 and 7 of [Yin16].
For any program , its semantic function is the mapping:
for every , where is the reflexive and transitive closure of , and denotes a multi-set.
The defining equation of deserves an explanation. It is clear from rules (IF), (L0) and (L1) that transition relation is usually not deterministic; that is, may have more than one element. This is different from the case of classical while-programs. The summation in the right-hand side of the equation comes from the essential linearity of quantum mechanics. It is proved that is a quantum operation (or a super-operator) (for the definition of quantum operation, see [NC00], Chapter 8 or [Yin16], Chapter 2).
To illustrate the above two definitions, let reconsider the three quantum dials in Example II.1.
Example II.3 (Semantics of Three Quantum Dials)
— A Continuation of Example II.1. A state of probabilistic program is a configuration of the slot machine, i.e. a mapping from dials to suits. The semantics of is a function that maps each initial state to a uniform distribution of states in which every configurations has probability
is a function that maps each initial state to a uniform distribution of states in which every configurations has probability.
In contrast, the state Hilbert space of quantum program is then . For instance, if we write:
for the equal superpositions of and , then:
if we write:
for the Werner state, a typical entangled state of three qubits, then
The Löwner order between operators in the state Hilbert space of a quantum program is defined as follows:
This order can be naturally lifted to an order between quantum operations (or super-operators). It can be shown that the set of partial density operators in with the Löwner order is a complete partial order (CPO), and all quantum operations in form a CPO too. Then a fixed point characterisation for the denotational semantics of quantum while-loops can be derived (see Proposition 5.1(6) and Corollary 5.1 in [Yin11], or Proposition 3.3.2 and Corollary 3.3.1 in [Yin16]).
Ii-B Partial Correctness and Total Correctness
Now we review the notions of partial and total correctness for quantum programs. Recall from [MM05]
that probabilistic predicates (or assertions, e.g. preconditions and postconditions) are defined to be bounded real-valued functions interpreted as the expectations of random variables. As introduced in[DP06], a quantum predicate in a Hilbert space is an observable (a Hermitian operator) in with , where and are the zero operator and the identity operator in , respectively, and stands for the Löwner order. In the quantum foundations literature, a quantum predicate is called an effect (see, for example, [Kr83]).
A correctness formula (or a Hoare triple) is a statement of the form
where is a quantum program, and both are quantum predicates in , called the precondition and postcondition, respectively.
The appearance of a quantum Hoare triple is exactly the same as that of its classical counterpart. But in a classical Hoare triple, precondition and postcondition stands for (first-order) logical formulas, and in a quantum Hoare triple, and are two operators that are interpreted as observables in physics.
— Partial and Total.
The correctness formula is true in the sense of total correctness, written if for all input states we have:
The correctness formula is true in the sense of partial correctness, written if for all input states we have:
A key to understanding the above definition is the observation that is the expected (average) value of observable when the system is in state . The following lemma shows that the defining inequalities (4) and (5) for total and partial correctness can be restated in a form of Löwner order, which is often easier to manipulate because the universal quantifier over density operator is eliminated.
Example II.4 (Correctness of Three Quantum Dials)
for the GHZ (Greenberger-Horne-Zeilinger) state, another typical entangled state of three qubits,
and . Then , and are all quantum predicates. It is easy to check that
This means that if the input is state , then program will certainly output the GHZ state; and if the input is state , it will output a state that is similar to the GHZ state in the sense:
Note that partial and total correctness are the same for because it does not contain any loop.
The quantum predicates in the above example are very simple and defined by a particular input/output state. More examples of correctness specifications will be given in Section III.
The above lemma will be extensively used in the proofs of the results in Section V.
Ii-C Quantum Hoare Logic
A Hoare-like logic for quantum programs is established in [Yin11]. It consists of:
A proof system qPD for partial correctness: The axioms and inference rules of qPD are presented in Figure 2.
Fig. 2: Proof System qPD for Quantum while-Programs. In (Ax.In.B), . In (Ax.In.I), .
A proof system qTD for total correctness: qTD is obtained from qPD by replacing rule (R.LP) with the rule (R.LT) given in Figure 3.
Fig. 3: Proof System qTD for Quantum while-Programs.
The notion of ranking function used in rule (R.LT) is defined in the following:
It is interesting to carefully compare the Hoare rule for partial correctness of classical loops:
and its variant for total correctness with the corresponding rules (R.LP) and (R.LT) for quantum loops, respectively. At the first glance, the rules for classical loops and those for quantum loops are very different. But actually there is a certain similarity between them: in the rules for classical loops, (resp. ) can be thought of as the restriction of under (resp. ). If we set:
then can be seen as the restriction of under and the restriction of under , and can be considered as the negation of . Furthermore, as we will see at the end of Section VII, rules (R.LP) and (R.LT) can also be understood in the context of inductive assertion.
Iii Examples of Quantum Correctness Specification
In this section, let us see several simple examples, which shows some interesting and tricky differences between specifying correctness of classical programs and that of quantum programs.
Iii-a Unary Quantum Predicates
A quantum predicate about a single quantum system ; i.e. an observable (between the zero and identity operators) in state Hilbert space can be understood as a unary quantum predicate.
An equality like with being a variable and a constant often appears in precondition or postcondition of a classical program correctness formula, e.g.
Let be a quantum variable and a given (constant) state in . Then equality “” can be expressed as quantum predicate in , and we have:
for any unitary operator in . The precondition in (6) and the postcondition in (7) express equalities “”, “”, respectively. More generally, for any closed subspace of , Membership “” can be expressed as quantum predicate (the projection onto ) and we have:
Iii-B Quantum Relations
A quantum predicate about multiple quantum systems ; i.e. an observable (between the zero and identity operators) in the tensor product:
can be understood as a quantum relation among . In particular, a quantum predicate in can be seen as a quantum (binary) relation between and . The following are two examples showing some quantum relations used in preconditions and postconditions. A further discussion about quantum relation is given in Appendix B.
An equality like between two variables also often appears in precondition or postcondition of a classical program correctness formula, e.g.
Let be two quantum variables with the same state Hilbert space . Then equality “” can be expressed as the symmetrisation operator:
where is the identity operator in , and operator in is defined by
for all , together with linearity. It is easy to see that Furthermore, for any unitary operator in , it holds that:
It is interesting to note that a similar conclusion holds for the anti-symmetrisation operator:
that is, we have and
Equality “” can also be expressed in a different way; that is, as the operator
in , where and is the maximally entangled state defined by an orthonormal basis of . This equality has an intuitive explanation. The Hilbert-Schmidt inner product of two operators in :
is often used to measure the similarity between and . For two (mixed) states in , it follows immediately from equation (9.73) in [NC00] that
The quantity can be interpreted as the degree that satisfies relation . Obviously, we have:
where , are the equalities defined by orthonormal bases and , respectively.
Consider the following correctness formula for classical programs:
It means that after executing the program, the values of variables and are exchanged. To properly specify the precondition and postcondition, auxiliary (ghost) variables are introduced. In quantum computing, statements and cannot be directly realised as prohibited by the no-cloning theorem [WZ82]. But we can consider the following modification: let be three quantum variables with the same state Hilbert space . Then we have:
for any quantum predicate in , where the first, second and third are the state Hilbert spaces of respectively, and is the identity operator in . Note that we do not use any auxiliary (ghost) variable in correctness formula (10). In particular, if
where , and is the identity operator in , then it holds that
Intuitively, the precondition and postcondition of (11) means “ and ”, “ and ”, respectively. Here, auxiliary variables are employed.
Iii-C Logical Connectives
Logical connectives are widely used in specifying (the preconditions and postconditions of) classical programs. Here, we show that several quantum counterparts of them can be used in specifying correctness of quantum programs. However, it is not the case that every logical connective has an appropriate quantum counterpart.
The predicate “True” and “False” are described by the identity and zero operators and , respectively, in the state Hilbert space of the program under consideration.
means that for any density operator ,
that is, the probability that postcondition is satisfied by the output is equal to the probability that the program terminates.
always holds, because implies that for any partial density operator ,
means that for any density operator ,
Since , we have and thus ; that is, program always terminates, and output satisfies postcondition .
means that for any density operator, ; intuitively, if precondition is satisfied by input to , then terminates.
Negation in classical logic has a quantum counterpart: for each quantum predicate in Hilbert space , can be used as the negation of . In fact, for any density operator in ,
Conjunction in classical logic does not always have an appropriate quantum counterpart; some difficulties caused by this fact in reasoning about quantum programs were discussed in [YCFD07]. But if and are quantum predicates in , , respectively, then can be used as the conjunction (in ) of and because for any density operator in and in , it holds that
for example, see equation (11).
In a sense, quantum predicate in rule (R.IF) in Figure 2 can be understood as the disjunction of (the conjunction of) “the outcome of measurement is ” and quantum predicate .
Iv Proof Outlines
The notion of proof outline can be introduced to structure a correctness proof of a classical while-program, according to the structure of the program itself, so that the proof is easier to follow (see [ABO09], Section 3.4). It is also a basis for defining non-interference in reasoning about parallel programs with shared variables. In this section, we generalise this notion to the quantum case.
Let be a quantum while-programs.
A proof outline for partial correctness of is a formula formed by the formation axioms and rules in Figure 4, where results from by interspersing quantum predicates.