Formal Analysis of Quantum Systems using Process Calculus^{†}^{†}thanks: Partially supported by the UK EPSRC: Network on Semantics of Quantum Computation (EP/E00623X/1) and Quantum Computation: Foundations, Security, Cryptography and Group Theory (EP/F020813/1). and the EU Sixth Framework Programme (Project SecoQC: Development of a Global Network for Secure Communication based on Quantum Cryptography).
Abstract
Quantum communication and cryptographic protocols are well on the way to becoming an important practical technology. Although a large amount of successful research has been done on proving their correctness, most of this work does not make use of familiar techniques from formal methods such as formal logics for specification, formal modelling languages, separation of levels of abstraction, and compositional analysis. We argue that these techniques will be necessary for the analysis of largescale systems that combine quantum and classical components, and summarize the results of initial investigation using behavioural equivalence in process calculus. This paper is a summary of Simon Gay’s invited talk at ICE’11.
Bliudze, S., Bruni, R., Carbone, M., Silva, A. (Eds.); ICE 2011 EPTCS 59, 2011, pp. Formal Analysis of Quantum Systems using Process Calculus^{†}^{†}thanks: Partially supported by the UK EPSRC: Network on Semantics of Quantum Computation (EP/E00623X/1) and Quantum Computation: Foundations, Security, Cryptography and Group Theory (EP/F020813/1). and the EU Sixth Framework Programme (Project SecoQC: Development of a Global Network for Secure Communication based on Quantum Cryptography).–LABEL:LastPage, doi:10.4204/EPTCS.59.9 © T. A. S. Davidson, S. J. Gay and R. Nagarajan
Formal Analysis of Quantum Systems using Process Calculus^{†}^{†}thanks: Partially supported by the UK EPSRC: Network on Semantics of Quantum Computation (EP/E00623X/1) and Quantum Computation: Foundations, Security, Cryptography and Group Theory (EP/F020813/1). and the EU Sixth Framework Programme (Project SecoQC: Development of a Global Network for Secure Communication based on Quantum Cryptography).
Timothy A. S. Davidson \IfArrayPackageLoaded  




T.Davidson@warwick.ac.uk and Simon J. Gay \IfArrayPackageLoaded  




Simon.Gay@glasgow.ac.uk and Rajagopal Nagarajan \IfArrayPackageLoaded  




R.Nagarajan@warwick.ac.uk 
1 Introduction
Quantum computing and quantum communication (more generally, quantum information processing) appear in the media from time to time, usually with misleading statements about the principles of quantum mechanics, the nature of quantum information processing, and the power of quantum algorithms. In this article, we begin by clarifying the fundamental concepts of quantum information and discussing what quantum computing systems are and are not capable of. We then outline several reasons for being interested in quantum information processing. Moving on to the main theme, we motivate the application of formal methods, including process calculus and modelchecking, to quantum systems. Finally, we focus on a particular quantum process calculus called Communicating Quantum Processes (CQP), illustrate it by defining a quantum teleportation protocol, and describe recent results about behavioural equivalence.
2 What is quantum information processing?
The idea of quantum information processing (QIP) is to represent information by means of physical systems whose behaviour must be described by the laws of quantum physics. Typically this means very small systems, such as a single atom (in which the spin state, up or down, gives the basic binary distinction necessary for digital information representation) or a single photon (in which polarization directions are used). Information is then processed by means of operations that arise from quantum physics. Quantum mechanics leads to several fundamental properties of quantum information, which between them lead to various counterintuitive effects and the possiblity of behaviour that cannot occur in classical systems.
2.1 Superposition
The state of a classical bit is either or . The state of a quantum bit (qubit) is , where and are the basis states. In general, and are complex numbers, and if both of them are nonzero then the state is a superposition, for example . It is not correct to say, as often stated in the media, that a qubit can be in two states at once. It is in one state, but that state may be a superposition of the basis states.
2.2 Measurement
It is not possible to inspect the contents of a quantum state. The most we can do is a measurement. Measuring a qubit that is in state has a random result: with probability the result is , and with probability the result is . After the measurement, the qubit is in the basis state corresponding to the result.
2.3 Operations on a superposition
An operation acts on every basis state in a superposition. For example, starting with the threequbit state and applying the operation “invert the second bit” produces the state . This is sometimes known as quantum parallelism and in the media it is often described as carrying out an operation simultaneously on a large number of values. However, it is not possible to discover the results of these simultaneous operations. A measurement would produce just one of the basis states. This is absolutely not a straightforward route to “parallelism for free”.
2.4 No cloning
It is not possible to define an operation that reliably makes a perfect copy of an unknown quantum state. This is known as the no cloning theorem. It contrasts sharply with the classical situation, where the existence of uniform copying procedures is one of the main advantages of digital information. Every word in the statement of the no cloning theorem is significant. For example, with the knowledge that a given qubit is either or , it is possible to discover its state (by means of a simple measurement) and then set another qubit to the same state, thus creating a copy. It is also possible in general to create approximate copies, or to copy with a certain probability of perfect success but a certain probability of complete failure. It is possible to transfer an unknown quantum state from one physical carrier to another, but the process destroys the original state. This is known as quantum teleportation, and we will return to it later.
2.5 Entanglement
The states of two or more qubits can be correlated in a way that is stronger than any possible classical correlation. An example is the twoqubit state . Measuring either qubit produces, with equal probability, the state or . Measuring the other qubit is then guaranteed to produce the same result as the first measurement. This correlation is preserved by quantum operations on the state, in a way that cannot be reproduced classically. This phenomenon is called entanglement and it is a key resource for quantum algorithms and communication protocols.
3 Quantum algorithms and protocols
We will now summarize a few algorithms and protocols in which quantum information processing has a clear advantage over classical information processing. This list is not complete; in particular, there are many more cryptographic protocols than we mention here. Teleportation is not included here as we will discuss it in more detail later.
3.1 The DeutschJozsa algorithm
Suppose an unknown function , is given as a black box, together with information that is either constant or balanced (meaning that its value is for exactly half of its inputs). The DeutschJozsa algorithm [7] works out whether is constant or balanced, with only one evaluation of . Classically, evaluations would be required in the worst case.
3.2 Shor’s algorithm
Shor’s algorithm [19] is for integer factorization. Its complexity is , whereas the best known classical algorithm has complexity . The RSA cryptosystem relies on the unproven assumption that factorization is intractable, so a practical implementation of Shor’s algorithm would threaten current information security technology. Note, however, that there is no proved nonpolynomial lower bound for classical factorization algorithms, and factorization is not believed to be an NPcomplete problem. Media reports about quantum computing often give the impression that quantum computers can solve NPcomplete problems efficiently, but there is no evidence for this statement.
3.3 Grover’s algorithm
Grover’s algorithm [13] finds an item in an unstructured list of length , taking time . Classically, every item must be inspected, requiring time on average.
3.4 Quantum key distribution
Quantum key distribution (QKD) protocols, such as the BB84 [2] protocol of Bennett and Brassard, generate shared cryptographic keys which can then be used with a classical encryption technique such as a onetime pad. QKD is secure against any attack allowed by the laws of quantum mechanics, including any future developments in quantum computing. Essentially, secrecy of the key is guaranteed by the no cloning theorem: an attacker cannot make a perfect copy of any information that she intercepts while the protocol is running, and therefore either receives negligible information or reveals her presence.
4 Why is QIP interesting, and will it become practically significant?
There are several reasons to be interested in quantum information processing. First, the subject is really about understanding the informationprocessing power permitted by the laws of physics, and this is a fundamental scientific question. Second, quantum algorithms might help to solve certain classes of problem more efficiently; if, however, NPcomplete problems cannot be solved efficiently even by a quantum computer, then understanding why not is also a question of fundamental interest. Third, quantum cryptography provides a neat answer, in advance, to any threat that quantum computing might pose to classical cryptography. Fourth, as integrated circuit components become smaller, quantum effects become more difficult to avoid. Quantum computing might be necessary in order to continue the historical trend of miniaturization, even if it offers no complexitytheoretic improvement. Finally, Feynman suggested that quantum computers could be used to simulate complex (quantum) physical systems whose behaviour is hard to analyze classically.
Will QIP become practically significant? Some aspects are already practical: there are companies selling QKD systems today. Whether or not there is a real demand for quantum cryptography remains to be seen, but it seems likely that the promise of absolute security will attract organizations that feel they cannot take any chances. Quantum computing seems to be feasible in principle, although there are still formidable scientific and engineering challenges. But many experimental groups are working hard, and physicists and engineers are very clever. Remember that in 1949 the statement “In the future, computers may weigh no more than 1.5 tonnes” was a very speculative prediction.
5 Formal methods for QIP
There is no doubt about the correctness of quantum algorithms and protocols. Simple protocols such as teleportation can be checked with a few lines of algebra, Shor’s and Grover’s algorithms have been extensively studied, and Mayers [16] and others have proved the security of quantum key distribution. But what about systems, which are constructed from separate components and combine quantum and classical computation and communication? Experience in classical computing science has shown that correctness of a complete implemented system is a very different question from correctness of the idealized mathematical protocol that it claims to implement. This is the raison d’être of the field of formal methods.
Nagarajan and Gay [17] suggested applying formal methods to quantum systems, with the same motivation as for classical systems:

formal modelling languages, for unambiguous definitions;

analysis of systems, rather than idealized situations;

systematic verification methodologies, rather than ad hoc reasoning;

the possibility of tool support.
We have been working on two strands: quantum process calculus [9, 10], most recently in collaboration with Davidson [6], and modelchecking, in collaboration with Papanikolaou [11, 12, 18]. In general these approaches are not mutually exclusive. However, our work on process calculus has focussed on the development of basic theory, leading up to the definition of behavioural equivalence; our work on modelchecking uses a different style of specification language, more closely related to Promela. Some recent work [5] makes connections between the two themes.
6 Quantum teleportation in CQP
Teleportation [3] is a protocol for transferring an unknown qubit state from one participant, Alice, to another, Bob. The protocol uses classical communication — in fact, communication of just two classical bits — to achieve the transfer of a quantum state which is specified by two complex numbers. The trick is that there must be some preexisting entanglement, shared by Alice and Bob.
Let and refer to two qubits that, together, are in the entangled state . Let be a qubit in an unknown state, that is given to Alice. The protocol consists of the following steps.

Alice applies the controlled not operator to and . This is a twoqubit operator whose effect on each basis state is to invert the second bit if and only if the first bit is .

Alice applies the Hadamard operator to . This operator is a change of basis from to .

Alice measures and , obtaining a twobit classical result.

Alice sends this twobit classical value to Bob.

Bob uses this classical value to determine which of four operators should be applied to .

The state of is now the original state of (and has lost its original state and is in a basis state).
Although the measurement in step 3 has a probabilistic result, the use of the classical value to determine a compensating operation in step 5 means that the complete protocol is deterministic in its effect on the state of Bob’s qubit.
The following definitions in the process calculus CQP (Communicating Quantum Processes) [9, 10] model the teleportation protocol. , and are processes; is a formal parameter representing a qubit; , , and are formal parameters representing channels; is a private channel; , are local names for freshly allocated qubits, which will be instantiated with the names of actual qubits during execution. The language is based on picalculus and most of the syntax should be familiar.
In , the actions before put the qubits and into the necessary entangled state. In order to help with writing a specification, is given the qubit to be teleported as a message on channel , and at the end of the protocol, outputs the final qubit on .
CQP has an operational semantics defined by labelled transition rules; it also has a type system in which the no cloning theorem is represented by linear typing. The example above, for simplicity, does not include type declarations.
The desired behaviour of teleportation is that a qubit (quantum state) is received on and the same quantum state is sent on ; the protocol should behave like an identity operation:
We can now write a specification of teleportation:
where is a behavioural equivalence. Equivalent processes cannot be distinguished by any observer: they output the same values in the same circumstances, they produce the same probability distributions of measurement results, and in general interact in the same way with their environment.
As usual, we would like behavioural equivalence to be a congruence:
where is a process context. Congruence supports equational reasoning, and the universal composability properties defined by Canetti [4] in a different setting. Developing a congruence for a quantum process calculus was an open problem for several years [15], but very recently we have defined a congruence for CQP [6] and Feng et al. have independently defined one for qCCS [8]. Our equivalence is a form of probabilistic branching bisimulation [20], with appropriate extensions to deal with the quantum state. We have proved that the specification of teleportation is satisfied.
7 Conclusion
We have outlined the principles of quantum information processing, and argued that formal methods will be necessary in order to guarantee the correctness of practical quantum systems. We have illustrated a particular approach — specification and verification via behavioural equivalence in quantum process calculus — with reference to quantum teleportation.
Future work on the theoretical side will include the development of equational axiomatizations of behavioural equivalence in CQP, and the automation of equivalence checking. On the practical side, we intend to work on more substantial examples including cryptographic systems.
References
 [1]
 [2] C. H. Bennett & G. Brassard (1984): Quantum Cryptography: Publickey Distribution and Coin Tossing. In: IEEE Conf. on Comp., Sys. and Sig. Proc.
 [3] C. H. Bennett, G. Brassard, C. Crépeau, R. Jozsa, A. Peres & W. K. Wootters (1993): Teleporting an unknown quantum state via dual classical and EinsteinPodolskyRosen channels. Phys. Rev. Lett. 70, pp. 1895–1899, doi:10.1103/PhysRevLett.70.1895.
 [4] R. Canetti (2001): Universally Composable Security: A New Paradigm for Cryptographic Protocols. In: 42nd IEEE Symp. Found. Comp. Sci., doi:10.1109/SFCS.2001.959888.
 [5] T. Davidson, S. J. Gay, H. Mlnařík, R. Nagarajan & N. Papanikolaou (2011): Model Checking for Communicating Quantum Processes. International Journal of Unconventional Computing (to appear).
 [6] T. A. S. Davidson (2011): Formal Verification Techniques using Quantum Process Calculus. Ph.D. thesis, University of Warwick.
 [7] D. Deutsch & R. Jozsa (1992): Rapid solutions of problems by quantum computation. Proceedings of the Royal Society of London A 439(1907), pp. 553–558, doi:10.1098/rspa.1992.0167.
 [8] Y. Feng, R. Duan & M. Ying (2011): Bisimulation for quantum processes. In: 38th ACM Symp. on Principles of Prog. Langs., doi:10.1145/1926385.1926446.
 [9] S. J. Gay & R. Nagarajan (2005): Communicating Quantum Processes. In: 32nd ACM Symp. on Principles of Prog. Langs., doi:10.1145/1040305.1040318. Also arXiv:quantph/0409052.
 [10] S. J. Gay & R. Nagarajan (2006): Types and typechecking for Communicating Quantum Processes. Mathematical Structures in Computer Science 16(3), pp. 375–406, doi:10.1017/S0960129506005263.
 [11] S. J. Gay, N. Papanikolaou & R. Nagarajan (2008): QMC: a modelchecker for quantum systems. In: Proceedings of the 20th International Conference on Computer Aided Verification (CAV), Springer LNCS 5123, pp. 543–547, doi:10.1007/9783540705451_51.
 [12] S. J. Gay, N. Papanikolaou & R. Nagarajan (2010): Specification and verification of quantum protocols. In: Semantic Techniques in Quantum Computation, Cambridge University Press.
 [13] L. Grover (1996): A Fast Quantum Mechanical Algorithm for Database Search. In: Proc. 28th Annual ACM Symposium on the Theory of Computation, ACM Press, pp. 212–219, doi:10.1145/237814.237866.
 [14] P. Jorrand & M. Lalire (2004): Toward a Quantum Process Algebra. In: 1st ACM Conf. on Computing Frontiers, doi:10.1145/977091.977108.
 [15] M. Lalire (2006): Relations among quantum processes: bisimilarity and congruence. Math. Struct. Comp. Sci. 16(3), pp. 407–428, doi:10.1017/S096012950600524X.
 [16] D. Mayers (2001): Unconditional Security in Quantum Cryptography. J. ACM 48(3), pp. 351–406, doi:10.1145/382780.382781.
 [17] R. Nagarajan & S. J. Gay (2002): Formal Verification of Quantum Protocols. arXiv:quantph/0203086.
 [18] N. K. Papanikolaou (2009): Model Checking Quantum Protocols. Ph.D. thesis, University of Warwick.
 [19] P. W. Shor (1994): Algorithms for quantum computation: discrete logarithms and factoring. In: 35th IEEE Symp. Found. Comp. Sci., doi:10.1109/SFCS.1994.365700.
 [20] N. Trčka & S. Georgievska (2008): Branching bisimulation congruence for probabilistic systems. Electronic Notes in Theoretical Computer Science 220(3), pp. 129–143, doi:10.1016/j.entcs.2008.11.023.
 [21] M. Ying, Y. Feng, R. Duan & Z. Ji (2009): An algebra of quantum processes. ACM Trans. Comp. Logic 10(3), p. 19, doi:10.1145/1507244.1507249.