Verification Logics for Quantum Programs

by   Robert Rand, et al.
University of Pennsylvania

We survey the landscape of Hoare logics for quantum programs. We review three papers: "Reasoning about imperative quantum programs" by Chadha, Mateus and Sernadas; "A logic for formal verification of quantum programs" by Yoshihiko Kakutani; and "Floyd-hoare logic for quantum programs" by Mingsheng Ying. We compare the mathematical foundations of the logics, their underlying languages, and the expressivity of their assertions. We also use the languages to verify the Deutsch-Jozsa Algorithm, and discuss their relative usability in practice.




A Logic for Recursive Quantum Programs

Most modern (classical) programming languages support recursion. Recursi...

Verified Optimization in a Quantum Intermediate Representation

We present sqire, a low-level language for quantum computing and verific...

Reasoning about Recursive Quantum Programs

Most modern (classical) programming languages support recursion. Recursi...

Defeasible Reasoning via Datalog^

We address the problem of compiling defeasible theories to Datalog^ prog...

A Deductive Verification Framework for Circuit-building Quantum Programs

While recent progress in quantum hardware open the door for significant ...

Quantum Look at two Common Logics: the Logic of Primitive Thinking and the Logic of Everyday Human Reasoning

Based on ideas of quantum theory of open systems and psychological dual ...

Beyond z=0. The Deutsch-Jozsa decided monochromatic languages

The present work points out that the Deutsch-Jozsa algorithm was the fir...
This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

1 Introduction

Substantial effort has gone into laying the foundations for quantum computing well in advance of the production of scalable quantum computers. This progress is most significant in the areas of quantum complexity and quantum algorithms: Quantum complexity has studied BQP and BQNP, quantum analogues of P and NP, as well as number of more complex classes like QIP (Vazirani, 2002). A number of quantum algorithms have been developed, including the celebrated Shor’s Algorithm (Shor, 1994), which efficiently solves the factorization problem, paving the way for the field of post-quantum cryptography (Bernstein et al., 2008).

Considerable contributions have also been made towards the development of quantum programming languages. This began with Peter Knill’s Conventions for Quantum Pseudocode (1996), which developed the quantum random access machine (QRAM) model for quantum computation, and Selinger’s Towards a Quantum Programming Language (2004), which gave semantics for a simple quantum language. Following this, more advanced languages like QML (Altenkirch and Grattage, 2005) and Quipper (Green et al., 2013) were developed for real world quantum programming. With these languages in hand, researchers began to study the formal verification of quantum programs, beginning with the quantum guarded command language (Sanders and Zuliani, 2000) and Quantum Dynamic Logic (Baltag and Smets, 2006).

In this survey we focus on quantum Hoare logics, logics for reasoning about quantum programs in the natural deduction style developed by C.A.R. Hoare (1969). We survey three papers: Chadha, Mateus and Sernadas’ Reasoning about imperative quantum programs (2006a), Kakutani’s A logic for formal verification of quantum programs (2009), and Ying’s Floyd–hoare logic for quantum programs (2011). We look at a number of qualities of the logics focusing on the following four:

  • How expressive is the programming language being analyzed?

  • What are the predicates of the logic capable of expressing?

  • Is the logic mathematically sound and/or complete?

  • How usable is the logic for practical verification?

The structure of the paper is as follows: In Section 2 we introduce the basic notions from quantum mechanics and linear algebra necessary to understand the paper, as well as the notations being used. We try to keep the mathematical notation and exposition to the minimum necessary to understand the logical systems presented. In Section 3 we introduce the basic concepts from Hoare logic, and the papers on Hoare logic for probabilistic programs that directly influenced the logics under discussion: Den Hartog and de Vink’s Verifying probabilistic programs using a Hoare like logic (2002) and Chadha et al.’s Reasoning about states of probabilistic sequential programs (2006b).

In Sections 4 through 6 we introduce the three Hoare logics of interest, focusing on the underlying languages, the forms of the assertions and the deductive systems themselves. We then apply the three logics towards verifying the Deutsch–Jozsa algorithm (Deutsch and Jozsa, 1992) in Section 7. In Section 8 we review the logics in light of this comparison, to understand the core differences between these three logics. We end with a summary of our conclusions and a discussion of the further work needed to make quantum verification useful in practice.

2 Preliminaries

2.1 Quantum Computing

We outline the main ideas in quantum computing and linear algebra needed to understand the papers presented111The material in this section draws substantially from John Watrous’s excellent lecture notes on quantum computing (Watrous, 2006) as well as the developments in the papers studied and their major influences: Selinger (2004); D’Hondt and Panangaden (2006); Chadha et al. (2006a); Kakutani (2009); Ying (2011)..

The main subject of interest for the logics we will be presenting is the quantum bit or qubit

. A qubit may be in one of two states, labeled

and with amplitudes and such that

. The square of the amplitudes here correspond to probabilities. We represent such a qubit with one of the following notations (matrix and

ket notation):

More precisely, we will be interested in groups or superpositions of entangled qubits, which we represent as follows in the case of qubits:


Assuming that our qubits are independent of one another (called uncorrelated), we can also write this superposition as

where is called the tensor product (or Kronecker product) and is defined as follows:

This product is associative and distributes over addition and will be useful throughout this survey. It also has the useful property that . The tensor product is implicit when multiplying kets, hence .

Note that we will often represent a complete quantum state by even though it doesn’t correspond to a single configuration . Corresponding to a ket there is a bra , with representing the conjugate transpose (the transpose with numbers replaced by their complex conjugates) or adjoint of a matrix. written is normal matrix multiplication, equal to the inner or dot product in context.

Generally, we modify qubits by multiplying them by unitary matrices, matrices where and which therefore preserve the amplitudes summing to one. The following unitary matrices will appear frequently in this survey:

where is called the Hadamard matrix, the phase matrix, and and , the Pauli matrices. ( will frequently be used without explanation to flip a qubit or rows of a matrix.) We can also define expanded Hadamard matrices .

In the second and third papers under discussion, we will be interested in a more general form for discussing quantum states known as the density matrix. We can represent the state in density matrix form as . That is,

So far, we’ve been interested in pure states, states that could be represented in either of the two earlier notations. However, this new notation is substantially more general. For example, if the states are probabilistically chosen with the corresponding probabilities , we obtain the following mixed state:

In general, a density matrix has two important properties:

  1. For any vector v of the appropriate length,

    is a real number.

The converse is also true: Any matrix satisfying the properties above represents some probabilistic combination of kets. In this survey, we are interested in a broader class of density matrices where the trace may be less than one, used to represent sub-distributions following Selinger (2004).

We represent a unitary operation applied to a density matrix via . More generally the set of maps

that can be applied to density matrices yielding density matrices (even when tensored with the identity matrix) are called

completely positive and have the following property: For any density matrix ,

for some set of matrices such that . If , the operation preserves the trace of the original density matrix and is called admissible. Complete positivity also implies that the map can be represented as a Hermitian matrix , a matrix for which and that for any , .

Note that measurement and discarding qubits can also be represented as admissible operations on density matrices. For instance, measuring a qubit and forgetting the result can be represented as yielding the following (as expected):

Admissible operations may also expand or contract the matrix. Consider the following operation for initializing a new qubit to zero from Kakutani’s semantics for the QPL programming language: . This can be rewritten (in the case) as:

where and are the matrices in the middle and

2.2 Notation

We’ve tried to use a uniform notation for the diverse systems studied whenever doing so didn’t meaningfully impact the interpretation of the language. Hence, we’ve replaced the and of Kakutani’s paper with their ket equivalents and . On the other hand, we’ve retained both Kakutani’s notation , which involves permuting the context so q appears first then applying , and Ying’s notation which is equivalent to such that lines up with the location of the qubit q in its density matrix. Note that we use the identity matrix without specifying its size, which should be assumed to be the necessary size to enable the desired multiplication.

Throughout the paper and qn will be used as variables for booleans and numbers and their quantum analogues, or (in Chadha et al’s case) as registers for the given type. will refer to a sequence of qubits . We adopt Kakutani’s notation

to represent applying the unitary matrix

to the given qubits. (Note that is equivalent to – the matrix always appears on the left.) and will be used to represent predicates on probabilistic states, and to represent the probability of these predicates.

3 Probabilistic Hoare Logics

Hoare logic (Hoare, 1969) (sometimes Floyd-Hoare Logic, after the contributions of Robert Floyd (1967)) is a logical system for reasoning about imperative programs. The atomic propositions of Hoare logic consist of Hoare triples of the form , where and are assertions about program states. The triple says that for any program state if is true of and terminates from in the state , then holds of . We call this type of assertion, where the triple is true for non-terminating programs, a partial correctness assertion. Hoare logic can also be modified to ensure total correctness, in which the program is guaranteed to terminate, by modifying the rule for while loops (Harel, 1979). We show the natural deduction-style rules of classical Hoare logic in Figure 1.

Skip    Assignment





Figure 1: The Classical Hoare Logic Rules

Generalizing Hoare logic to a probabilistic or quantum setting involves, among other considerations, refining the notion of partial correctness. Unlike classical program, probabilistic programs may never terminate, probabilistically terminate (i.e. terminate with some probability between and ), terminate almost surely (with probability one but with non-terminating traces) or deterministically terminate. How the logic treats non-termination determines the kind of Hoare rule that can be applied for while statements. Additionally, the meaning of Hoare triples must change in a probabilistic setting, from deterministic assertions about a program state to either probabilistic assertions about a distribution over states or deterministic assertions that hold of some portion of the possible outcome states.

Lyle Ramshaw first addressed Hoare logics for probabilistic programs in his 1979 PhD thesis (Ramshaw, 1979). The proposed logic reasoned about both distributions and frequencies, sub-distributions obtained by conditioning on a given event. Ramshaw’s logic was limited in that it could only express a limited set of assertions of the form and used a restrictive loop rule that required proving feasibility and closedness of assertions. It also had little impact on subsequent work: Den Hartog and de Vink (2002) seemed to be unaware of it, and it didn’t significantly influence Chadha et al.’s subsequent logic (Chadha et al., 2006b, 2007). These two systems will primarily concern us in this survey as they directly influenced Kakutani (2009) and Chadha et al’s (2006a) Hoare logics for quantum programs.

3.1 Den Hartog and De Vink’s pH

In 2002, Jerry den Hartog and Eric de Vink’s introduced their probabilistic Hoare Logic pH. In the language being analyzed, , commands are transformers between (sub)distributions over states, represented using s. is a modest extension of the simple imperative language of Hoare (Hoare, 1969), with the addition of probabilistic choice between two commands:

where n ranges over arithmetic variables, over arithmetic expressions, over boolean expressions and over the rational open interval . runs command with probability , and with probability .

The operator is overloaded to also combine (sub)distributions. For example combines two subdistributions, scaling the first by and the second by . The operator restricts a (sub)distribution to only the states satisfying , throwing out the rest of the probability mass.

We can now introduce the deterministic and probabilistic predicates (or assertions) that are used in the Hoare logic pH itself:

where is a proposition over the real numbers which may include , that is, the probability of a given predicate being true. is once again shorthand for which is true of whenever such that satisfies and satisfies . Similarly, means that there exists some such that which in turn satisfies .

(Note that can be thought of as a boolean expression, lifted to the status of deterministic proposition. In the original paper, is written and doesn’t explicitly include the booleans – however, the logic often puts booleans inside probability terms, as in the While rule. We will use throughout this presentation for the boolean terms that appear inside probabilities.)

Logic: pH

invariant for While

Figure 2: Den Hartog and De Vink’s pH

With these probabilistic assertions defined, we can address the Hoare logic pH, summarized in Figure 2.

The Skip, Assign, Seq and Cons rules are all standard Hoare Logic rules. The Toss rule follows directly from the doubly lifted operator: splits the distribution into two subdistributions satisfying and . The If rule is somewhat more troublesome: It requires us to show that for any that can be split by into , that satisfies (and likewise for ).

The While rule is a simple generalization of the conventional While rule, using a notion of -closedness for its invariant. The -closedness of can be interpreted as a requirement that the probability of termination for any state satisfying is lower bounded by some constant, hence the program terminates almost surely (with probability one). If is an invariant for the loop and is -closed then we say is invariant for and the While rule follows pretty easily.

pH also has to introduce a number of additional rules (Linearity, And, Or, Exists and Forall) for the sake of expressivity. In the absence of the Or rule, for example, we would be unable to prove . Using the Prob rule we only obtain the post-condition of which doesn’t guarantee . Instead, we can combine and to achieve the desired result.

Soundness and Completeness

Den Hartog and de Vink demonstrate that the pH logic is sound in the partial correctness sense, that is, for any derived triple , if initially holds in and terminates almost surely in , then holds of . pH is also complete for the fragment of that excludes the While rule, when two further restrictions are applied:

  1. can only appear in predicates in the form for some real number .

  2. cannot appear in any predicate.

The first restriction is shown not to decrease the expressivity of the logic. The same isn’t shown for the second condition, and since appears in the form of the If rule, this restriction would seem to confine us to programs without branching.

Completeness isn’t shown for the general form of the logic, including While rules. Den Hartog’s thesis (den Hartog, 2002) claims to present a completeness proof for the entire pH, but this proof contains flaws acknowledged by the author.

3.2 Chadha, (Cruz-Filipe,) Mateus and Sernadas’s EPPL

Chadha, Mateus and Sernadas followed up on Den Hartog’s logic pH with their own state assertion logic EPPL and associated Hoare logic, with the aim of producing a complete logic for probabilistic programs at the cost of abandoning iteration (and therefore Turing-completeness). There are actually two versions of this logic: the one set out in Reasoning About States of Probabilistic Sequential Programs (Chadha et al., 2006b) and (with Luis Cruz-Felipe) the logic of Reasoning About Probabilistic Sequential Programs (Chadha et al., 2007) which achieves the desired completeness result. Here we will focus on first paper, since it forms the basis for Chadha, Mateus and Sernadas’ Reasoning About Imperative Quantum Programs (Chadha et al., 2006a), and subsequently discuss the differences between the two.

Chadha et al.’s language should look familiar:

where the registers n and b are restricted to come from some finite set and the arithmetic expressions are real numbers from some finite range. Den Hartog’s probabilistic choice is also replaced by a -biased coin toss – we can recover via for some fresh registers and . Note the boolean register attached to the if statement: This register is set to true if the then branch is taken and otherwise set to false. This provides a somewhat inelegant way of ensuring that the two branches can be reasoned about separately.

The assertions of the language also look similar to those of pH with the operator removed and a conditional operator added:

where is again a deterministic predicate (this time without quantification) and is again a proposition over the reals that may contain terms of the form . (The paper’s propositions also contain terms of the form – meaning is true throughout the distribution – but to simplify the presentation we can replace with . The followup paper by the same authors makes this explicit.)

The interesting addition here is which we can read as “ conditioned on ” – removing the measure of the distribution in which is false.

Logic: EPPL




Figure 3: Chadha, Mateus and Sernadas’s EPPL Hoare Logic

We present the Hoare logic in Figure 3. The toss rule here is somewhat difficult to read and to use in practice, but takes a deliberate weakest precondition form, pushing the expression to the precondition rather than explicitly including it in the postcondition. For example, to derive we first weaken to and then apply the Toss rule.

The If rule simply says that if is initially true of the scaled subdistribution satisfying and we know that then holds of the same subdistribution, with the extra variable b now taking the role of (and similarly for , and ). This dramatically simplifies the reasoning process.

Note that this logic has substantially fewer additional rules added for reasoning: The linearity rules from pH and the Forall and Exist rules don’t belong in light of the absence of universal or existential quantification.

Soundness and Completeness

The Hoare logic of Figure 3 is shown to be sound via the Exogenous Probabilistic Propositional Logic (EPPL) introduced in the paper. However, completeness is left for a subsequent work (Chadha et al., 2007). Interestingly, that paper is able to remove some of the crutches used in this one, particularly the requirement that if statements be tagged with a boolean variable. However, the new logic (Figure 4) deviates in surprisingly ways from the old one.

contains no probabilities Pr-Free



Figure 4: The Revised EPPL Hoare Logic

At first glance, the If rule is only a simplified version of that in the previous paper. However, the presentation is misleading. The syntax from the previous paper has been repurposed: (and the related syntax used in both papers) is simply defined as , that is adding the truth of inside every probability term. Now if the part of the distribution in which is true is sufficient to guarantee and the other part guarantees then the outcome of the branching statement is that . Unfortunately, this greatly restrict the form of the postcondition. We require two new rules – Pr-Free (which states that any assertion without probabilities and hence variables is preserved by any command) and ElimV (which allows us to eliminate equalities) to combine multiple derivations and regain full expressivity. The new logic is shown to be complete and decidable by showing that for any and the Hoare logic can derive the weakest precondition that guarantees . Moreover, these weakest preconditions and their deductions in the logic can be computed algorithmically.

3.3 Other Hoare-like Systems

Substantial additional work has been done in the area of Hoare logic for probabilistic programs. In 1996, Morgan (Morgan, 1996) introduced a Hoare while rule for probabilistic programs. More recently, Rand and Zdancewic (Rand and Zdancewic, 2015) introduced a verified Hoare logic for probabilistic programs that treats partial termination like non-termination and demonstrates multiple equivalent If rules. The Easycrypt cryptographic tool is built upon both a probabilistic Hoare logic (Barthe et al., 2014) and a probabilistic relational Hoare logic (Barthe et al., 2011), inspired by the relational Hoare logic of Benton (Benton, 2004).

In 2004, Vásquez et al. (2004) compared Den Hartog’s PHL with Morgan and McIver’s PGCL (1999), a probabilistic variant of Dijkstra’s Guarded Command Language (1975). There has been substantial recent interest in PGCL and its variants (McIver and Morgan, 2006; Hurd et al., 2005; Cock, 2012; Jansen et al., 2015; Olmedo et al., 2016), including a Quantum Guarded Command Language (Sanders and Zuliani, 2000), but these lie outside the scope of this survey.

4 Chadha, Mateus and Sernadas’ EEQPL

Shortly after the publication of the first EPPL paper, the authors wrote an extension to the realm of quantum programs Chadha et al. (2006a). Their quantum programming language features four kinds of data: booleans, natural numbers, qubits and qunits. Qunits generalize natural number numbers in the same way qubits generalize bits: Instead of being unit vectors in the two dimensional Hilbert space , a qunit is a unit vector in . here is for some fixed , which serves as a bound on both qunits and natural numbers – the arithmetic of the language is modular arithmetic. The language further assumes that there are a fixed number of indexed registers ( and ) for each type of data.

Instead of states, the commands of the programming language are defined over ensembles. An ensemble is a discrete sub-probability measure with finite support over classical valuations and quantum pure states. Classical valuations are simply mappings from registers to values and pure states are as defined in the preliminaries. Note that these ensembles are sufficient to express mixed states as well.

The commands of the language can be split up into the quantum commands and the classical commands , with being callable from . The following quantum commands can all be thought of as unitary transformations:

Here , and refer to the Hadamard, Pauli X, and phase shift operators discussed in the preliminaries, where the phase shift takes two arguments. Each of these can be applied to qubits or bits. The qif and qcase constructs can be represented as controlled versions of their arguments (and hence unitary operations).

The classical commands of the language are as follows:

where denotes measuring and storing the outcome in . Note that, like in the previous papers by the same authors, the language lacks a loop construct so all programs terminate. Moreover, distinct Hoare logic rules are not given for case or repeat (they are treated as shorthand) so we can effectively exclude them from the language.

The propositions of the logic take a similar form as those in the authors’ EPPL, but in this case we’ll make the subexpressions explicit. We first have to introduce quantum valuation terms, represented by , which assign boolean and natural number values to all of the qubit and qunit registers. The amplitude of these valuations is denoted . We can now introduce the components of assertions and assertions themselves:

and and the real and imaginary components of the complex number . is the argument of the given complex number – the angle in radians of drawn in the complex plane. As in the first paper by these authors, removes the measure in which is false. Note that in this paper the terms includes expectations over real expressions of the form (rather than probabilities). We again exclude necessity operators: As the paper acknowledges, they aren’t needed.

Logic: EEQPL




Figure 5: Chadha, Mateus and Sernadas’ EEQPL

Most of the Hoare logic rules (Figure 5) should be familiar from their use in EPPL. The two new ones echo classical rules: Unit essentially substitutes the unitary transformation in the precondition just like assignment does. MeasB echoes Toss with some added complications. To begin with, for it scales all of the expectation terms by the probability of evaluating to , obtained by summing over the satisfying amplitudes. This is the same as in Toss. However, measuring also modifies the state so removes all valuations where the qubit is assigned to and scales the remaining ones. Finally, it replaces all instances of with to reflect the assignment. As elsewhere, this is all put into the precondition.

As in the paper’s presentation, the rules for numerical expressions and qunits have been elided – they are all slightly more complex versions of the rules presented above.

This logic is shown to be sound (though not complete) in the paper. It also presents a proof of the Deutsch Algorithm in the Hoare logic. We will extend this proof to the Deutsch-Jozsa Algorithm in Section 7 and further discuss EEQPL in the Section 8.

5 Yoshihiko Kakutani’s QHL

Kakutani’s Hoare logic, QHL, has the desirable property of being based on an existing quantum programming language, Peter Selinger’s QPL (Selinger, 2004). QPL is a simple programming language with a well defined denotational semantics, both via a flow chart language defined in that paper and directly through interpreting typing judgments as Scott-continuous functions between density matrices. Noticeably, QPL is a functional language, where all commands are functions and no global state exists.

QHL deals with a restricted version of QPL without recursive procedure calls but with measurement and while loops. Kakutani spells out the implicit denotational semantics of QPL as functions between matrices. The matrices take the place of the global state of classical Hoare logic or the distribution over states in probabilistic Hoare logic and can be reasoned about in a similar fashion. In fact, QHL draws heavily upon den Hartog and de Vink’s pH, as we shall see.

The subset of QPL used in the paper is as follows:

In this case, we can think of b and q as simply variables (rather than registers) referring to a single bit or qubit. Note that b and q do not come from separate namespaces: The type system guarantees that the variables that appear in the If and While terms are bits and those that appear in Measure are qubits. In fact, bits and qubits even share a representation in QPL’s matrices, with the restriction that only certain operations apply to each guaranteed by the type checker.

We won’t show the complete type system, but it takes the expected form: bit b and qbit q add a bit and qubit, respectively, to the typing context and discard q removes a bit/qubit. If/While and Measure require the guard b to be of type bit and qubit respectively and end with the same context as the commands they run - preserving b in the While case.

The denotational semantics, on the other hand, are worth spelling out in full. These semantics are defined on derivations of typing judgments, rather than commands alone.

Figure 6: QPL Semantics

The commands bit b and qbit q add a bit or qubit to the density matrix in the initial state and respectively. Discard requires the bit/qubit to be discarded to be first in the context, and hence in in the first position in the matrix, it then shrinks down the matrix to remove the bit/qubit. Assigning a bit to adds together the half of the matrix in which the bit was zero with the flipped half in which it was . (Note that b doesn’t need to have a deterministic value, as it may be probabilistically in each state based on the outcome of a measurement.) Unitary transformation has the expected result when the acted upon qubits are ordered first. If and Measure are identical for our purposes, performing the relevant operations on the two projected matrices, and While can be interpreted as an infinite sum of matrices (with decreasing traces in the terminating case).

We can now introduce the assertions of the language:

where stands for an arbitrary predicate that potentially includes quantified over variables . Similarly, here is an arbitrary function on real numbers, and is a matrix where n is its number of arguments. here is a predicate stating that is an integer.

Note the substantial similarity to Den Hartog and De Vink’s logic of Section 3.1. The addition and multiplication notation are borrowed from pH (though Kakutani employs in place of in his presentation) and say that the distribution can be split into parts satisfying the two predicates, or that when scaled to the given size they satisfy the predicate.

But what do these assertions say? To look at a simple case of interest, we say that a triple of typing context, matrix and valuation satisfies if , where the q’s are ordered by the context . (Note that the s are included simply to deal with quantification). That is, the statement is true whenever the total density of the states satisfying equals .

We say that a matrix satisfies if satisfies where