Interactive Proofs For Quantum Computations
Abstract
The widely held belief that BQP strictly contains BPP raises fundamental questions: Upcoming generations of quantum computers might already be too large to be simulated classically. Is it possible to experimentally test that these systems perform as they should, if we cannot efficiently compute predictions for their behavior? Vazirani has asked [Vaz07]: If computing predictions for Quantum Mechanics requires exponential resources, is Quantum Mechanics a falsifiable theory? In cryptographic settings, an untrusted future company wants to sell a quantum computer or perform a delegated quantum computation. Can the customer be convinced of correctness without the ability to compare results to predictions?
To provide answers to these questions, we define Quantum Prover Interactive Proofs (QPIP). Whereas in standard Interactive Proofs [GMR85] the prover is computationally unbounded, here our prover is in BQP, representing a quantum computer. The verifier models our current computational capabilities: it is a BPP machine, with access to few qubits. Our main theorem can be roughly stated as: ”Any language in BQP has a QPIP, and moreover, a fault tolerant one”. We provide two proofs. The simpler one uses a new (possibly of independent interest) quantum authentication scheme (QAS) based on random Clifford elements. This QPIP however, is not fault tolerant. Our second protocol uses polynomial codes QAS due to BenOr, Crépeau, Gottesman, Hassidim, and Smith [BOCG06], combined with quantum fault tolerance and secure multiparty quantum computation techniques. A slight modification of our constructions makes the protocol “blind”: the quantum computation and input remain unknown to the prover.
After we have derived the results, we have learnt that Broadbent, Fitzsimons, and Kashefi [BFK08] have independently derived ”universal blind quantum computation” using completely different methods (measurement based quantum computation). Their construction implicitly implies similar implications.
1 Introduction
1.1 Motivation
As far as we know today, the quantum mechanical description of manyparticle systems requires exponential resources to simulate. This has the following fundamental implication: the results of an experiment conducted on a manyparticle physical system described by quantum mechanics, cannot be predicted (in general) by classical computational devices, in any reasonable amount of time. This important realization (or belief), which stands at the heart of the interest in quantum computation, led Vazirani to ask [Vaz07]: Is quantum mechanics a falsifiable physical theory? Assuming that small quantum systems obey quantum mechanics to an extremely high accuracy, it is still possible that the physical description of large systems deviates significantly from quantum mechanics. Since there is no efficient way to make the predictions of the experimental outcomes for most large quantum systems, there is no way to test or falsify this possibility experimentally, using the usual scientific paradigm, as described by Popper.
This question has practical implications. Experimentalists who attempt to realize quantum computers would like to know how to test that their systems indeed perform the way they should. But most tests cannot be compared to any predictions! The tests whose predictions can in fact be computed, do not actually test the more interesting aspects of quantum mechanics, namely those which cannot be simulated efficiently classically.
The problem arises in cryptographic situations as well. Consider for example, a company called QWave which is trying to convince a certain potential customer that the system it had managed to build is in fact a quantum computer of qubits. How can the customer, who cannot make predictions of the outcomes of the computations made by the machine, test that the machine is indeed a quantum computer which does what it is claimed to do? Given the amounts of grant money and prestige involved, the possibility of dishonesty of experimentalists and experimentalists’ bias inside the academia should not be ignored either [Roo03, Wik08].
There is another related question that stems from cryptography. It is natural to expect that the first generations of quantum computers will be extremely expensive, and thus quantum computations would be delegated to untrusted companies. Is there any way for the costumer to trust the outcome, without the need to trust the company which performed the computation, even though the costumer cannot verify the outcome of the computation (since he cannot simulate it)? And even if the company is honest, can the costumer detect innocent errors in such a computation?
Vazirani points out [Vaz07] that in fact, an answer to these questions is already given in the form of Shor’s algorithm. Indeed, quantum mechanics does not seem to be falsifiable using the usual scientific paradigm, assuming that BQP is strictly lager than BPP. However, Shor’s algorithm does provide a way for falsification, by means of an experiment which lies outside of the scientific paradigm: though its result cannot be predicted and then compared to the experimental outcome, it can be verified once the outcome of the experiment is known (by simply taking the product of the factors and checking that this gives the input integer).
This, however, does not fully address the issues raised above. Let us take for example the case of the company trying to convince a costumer that the system it is trying to sell is indeed a quantum computer of qubits. Such a system is already too big to simulate classically; However, any factoring algorithm that is run on a system of a qubits can be easily performed by today’s classical technology. For delegated quantum computations, how can Shor’s algorithm help in convincing a costumer of correctness of, say, the computation of the BQP complete problem of approximating the Jones polynomial [AJL06, AA06]? As for experimental results, it is difficult to rigorously state what is exactly falsified or verified by the possibility to apply Shor’s algorithm. Finally, from a fundamental point of view, there is a fundamental difference between being convinced of the ability to factor, and testing universal quantum evolution.
We thus pose the following main question: Can one be convinced of the correctness of the computation of any polynomial quantum circuit? Does a similar statement to the one above, regarding Shor’s algorithm, apply for universal quantum computation? Alternatively, can one be convinced of the “correctness” of the quantum mechanical description of any quantum experiment that can be conducted in the laboratory, even though one cannot compute any predictions for the outcomes of this experiment? In this paper we address the above fundamental question in a rigorous way. We do this by taking a computational point of view on the interaction between the supposed quantum computer, and the entity which attempts to verify that it indeed computes what it should.
1.2 Quantum Prover Interactive Proofs (Qpip)
Interactive proof systems, defined by Goldwasser, Micali and Rackoff [GMR85], play a crucial role in the theory of computer science. Roughly, a language is said to have an interactive proof if there exists a computationally unbounded prover (denoted ) and a BPP verifier () such that for any , convinces of the fact that with probability (completeness). Otherwise, when any prover fails to convince with probability higher than (soundness).
Shor’s factoring algorithm [Sho97] can be viewed as an interactive proof of a very different kind: one between a classical BPP verifier, and a quantum polynomial time (BQP) prover, in which the prover convinces the verifier of the factors of a given number (this can be easily converted to the usual IP formalism of membership in a language). This is a quantum interactive proof of a very different kind than quantum interactive proofs previously studied in the literature [Wat03], in which the prover is an unbounded quantum computer, and the verifier is a BQP machine.
Clearly, such an interactive proof between a BQP prover and a BPP verifier exists for any problem inside NP BQP. However, it is widely believed that BQP is not contained in NP ( and in fact not even in the polynomial hierarchy). The main idea of the paper is to generalize the above interactive point of view of Shor’s’s algorithm, and show that with this generalization, a verifier can be convinced of the result of any polynomial quantum circuit, using interaction with the prover  the quantum computer.
To this end we define a new model of quantum interactive proofs which we call quantum prover interactive proofs (QPIP). The simplest definition would be an interactive proof in which the prover is a BQP machine and the verifier a BPP classical machine. In some sense, this model captures the possible interaction between the quantum world (for instance, quantum systems in the lab) and the classical world. However, this model does not suffice for our purposes. We therefore modify it a little, and allow the verifier additional access to a constant number of qubits. The verifier can be viewed as modeling our current computational abilities, and so in some sense, the verifier in the following system represents “us”.
Definition 1.1
Quantum Prover Interactive Proof (QPIP) is an interactive proof system with the following properties:

The prover is computationally restricted to BQP.

The verifier is a hybrid quantumclassical machine. Its classical part is a BPP machine. The quantum part is a register of qubits (for some constant ), on which the prover can perform arbitrary quantum operations. At any given time, the verifier is not allowed to possess more than qubits. The interaction between the quantum and classical parts is the usual one: the classical part controls which operations are to be performed on the quantum register, and outcomes of measurements of the quantum register can be used as input to the classical machine.

There are two communication channels: one quantum and one classical.
The completeness and soundness conditions are identical to the IP conditions.
Abusing notation, we denote the class of languages for which such a proof exists also by QPIP.
1.3 Main Results
Definition 1.2
The promise problem QCIRCUIT consists of a quantum circuit made of a sequence of gates, , acting on input bits. The task is to distinguish between two cases:
QCIRCUIT is a BQP complete problem, and moreover, this remains true for other soundness and completeness parameters , if . Our main result is:
Theorem 1.1
The language QCIRCUIT has a QPIP.
Since QCIRCUIT is BQP complete, and QPIP is trivially inside BQP, we have:
Theorem 1.2
.
Thus, a BQP the prover can convince the verifier of any language he can compute. We remark that our definition of QPIP is asymmetric  the verifier is “convinced” only if the quantum circuit outputs . This asymmetry seems irrelevant in our context of verifying correctness of quantum computations. Indeed, it is possible to define a symmetric version of QPIP, (we denote it by ) in which the verifier is convinced of correctness of the prover’s outcome (in both and cases) rather than of membership of the input in the language, namely in the case only. That follows quite easily from the fact that is closed under complement (see Appendix H).
Moreover, the above results apply in a realistic setting, namely with noise:
Theorem 1.3
Theorem 1.1 holds also when the quantum communication and computation devices are subjected to the usual local noise model assumed in quantum fault tolerance settings.
In the works [Chi01, AS06] a related question was raised: in our cryptographic setting, if we distrust the company performing the delegated quantum computation, we might want to keep both the input and the function which is being computed secret. Can this be done while maintaining the confidence in the outcome? A simple modification of our protocols gives
Theorem 1.4
Theorem 1.3 holds also in a blind setting, namely, the prover does not get any information regarding the function being computed and its input.
We note that an analogous result for NPhard problems was shown already in the late ’s to be impossible unless the polynomial hierarchy collapses [AFK87].
1.4 Proofs Overview (and More Results About Quantum Authentication Schemes)
Our main tool is quantum authentication schemes (QAS) [BCG02]. Roughly, a QAS allows two parties to communicate in the following way: Alice sends an encoded quantum state to Bob. The scheme is secure if upon decoding, Bob gets the same state as Alice had sent unless it was altered, whereas if the state had been altered, then Bob’s chances of declaring valid a wrong state are small. The basic idea is that similar security can be achieved, even if the state needs to be rotated by unitary gates, as long as the verifier can control how the unitary gates affect the authenticated states. Implementing this simple idea in the context of fault tolerance encounters several complications, which we explain later.
We start with a simple QAS and QPIP, which we do not know how to make fault tolerant, but which demonstrates some of the ideas and might be of interest on its own due to its simplicity.
Clifford QAS based QPIP. We present a new, simple and efficient QAS, based on random Clifford group operations (it is reminiscent of Clifford based quantum designs [AE07, ABW08]). To encode a state of qubits, tensor the state with qubits in the state , and apply a random Clifford operator on the qubits. The security proof of this QAS uses a combination of known ideas. We first prove that any attack of Eve is mapped by the random Clifford operator to random Pauli operators. We then show that those are detected with high probability. This QAS might be interesting on its own right due to its simplicity.
To construct a QPIP using this QAS, we simply use the prover as an untrusted storage device: the verifier asks the prover for the authenticated qubits on which he would like to apply the next gate, decodes them, applies the gate, encodes them back and sends them to the prover. The proof of security is quite straight forward given the security of the QAS.
Due to the lack of structure of the authenticated states, we do not know how to make the prover apply gates on the states without revealing the key. This seems to be necessary for fault tolerance. The resulting QPIP protocol also requires many rounds of quantum communication.
Polynomial codes based QAS and its QPIP Our second type of QPIP uses a QAS due to BenOr, Crépeau, Gottesman, Hassidim and Smith [BOCG06]. This QAS is based on signed quantum polynomial codes, which are quantum polynomial codes [ABO97] of degree at most multiplied by some random sign ( or ) at every coordinate (this is called the sign key) and a random Pauli at every coordinate (the pauli key).
We present here a security proof which was missing from the original paper [BOCG06]. The proof requires some care, due to a subtle point, which was not addressed in [BOCG06]. We first prove that no Pauli attack can fool more than a small fraction of the sign keys, and thus the sign key suffices in order to protect the code from any Pauli attack. Next, we need to show that the scheme is secure against general attacks. This, surprisingly, does not follow by linearity from the security against pauli attacks (as is the case in quantum error correcting codes): if we omit the Pauli key we get an authentication scheme which is secure against Pauli attacks but not against general attacks. We proceed by showing, (with some similarity to the Clifford based QAS), that the random Pauli key effectively translates Eve’s attack to a mixture (not necessarily uniform like in the Clifford case) of Pauli operators acting on a state encoded by a random signed polynomial code.
Due to its algebraic structure, the signed polynomial code QAS allows applying gates without knowing the key. This was used in [BOCG06] for secure multiparty quantum computation; here we use it to allow the prover to perform gates without knowing the authentication key.
The QPIP protocol goes as follows. The prover receives all authenticated qubits in the beginning. Those include the inputs to the circuit, as well as authenticated magic states required to perform Toffoli gates, as described in [BOCG06, NCG00]. With those at hand, the prover can perform universal computation using only Clifford group operations and measurements (universality was proved for qubits in [BK05], and the extension to higher dimensions was used in [BOCG06]). The prover sends the verifier results of measurements and the verifier sends information given those results, which enables the prover to continue the computation. The communication is thus classical except for the first round.
Fault Tolerance Using the polynomial codes QAS enables applying known fault tolerance techniques based on polynomial quantum codes [ABO97, BOCG06] to achieve robustness to local noise. However, a problem arises when attempting to apply those directly: in such a scheme, the verifier needs to send the prover polynomially many authenticated qubits every time step, so that the prover can perform error corrections on all qubits simultaneously. However, the verifier’s quantum register contains only a constant number of qubits, and so the rate at which he can send authenticated qubits (a constant number at every time step) seems to cause a bottleneck in this approach.
We bypass this problem is as follows. At the first stage of the protocol, authenticated qubits are sent from the verifier to the prover, one by one. As soon as the prover receives an authenticated qubit, he protects his qubits using his own concatenated error correcting codes so that the effective error in the encoded authenticated qubit is constant. This constant accuracy can be maintained for a long time by the prover, by performing error correction with respect to his error correcting code. Thus, polynomially many such authenticated states can be passed to the prover in sequence. A constant effective error is not good enough, but can be amplified to an arbitrary inverse polynomial by purification. Indeed, the prover cannot perform purification on his own since the purification compares authenticated qubits and the prover does not know the authentication code; However, the verifier can help in the prover’s using classical communication. This way the prover can reduce the effective error on his encoded authenticated qubits to inverse polynomial, and perform the usual fault tolerant construction of the given circuit, with the help of the prover in performing the gates.
Blind Quantum Computation To achieve Theorem 1.4, we modify our construction so that the circuit that the prover performs is a universal quantum circuit, i.e., a fixed sequence of gates which gets as input a description of a quantum circuit, plus an input string to that circuit, and applies the input quantum circuit to the input string. Since the universal quantum circuit is fixed, it reveals nothing about the input quantum circuit or the input string to it.
1.5 Interpretations of the Results
The corollaries below clarify the connection between the results and the motivating questions, and show that one can use the QPIP protocols designed here, to address the various issues raised in Sec. 1.1.
We start with some basic question. Conditioned that the verifier does not abort, does he know that the final state of the machine is very close to the correct state that was supposed to be the outcome of the computation? This unfortunately is not the case. It may be that the prover can make sure that the verifier abort with very high probability, but when he does not abort, the computation is wrong. However a weaker form of the above result holds: if we know that the probability of not to abort is high, then we can deduce something about correctness.
Corollary 1.5
For a QPIP protocol with security parameter , if the verifier does not abort with probability then the trace distance between the final density matrix and that of the correct state is at most
The proof is simple and is given in Appendix G.
Further interpreting Theorem 1.2, we show that under a somewhat stronger assumption than BQP BPP, but still a widely believed assumption, it is possible to lower bound the computational power of a successful prover and show that it is not within BPP. Assuming that there is a language BQP and there is a polynomial time samplable distribution on which any BPP machine errs with non negligible probability (e.g. the standard cryptographic assumptions about the hardness of Factoring or Discrete Log), we have
Corollary 1.6
For such a language , if the verifier interacts with a given prover for the language , and does not abort with high probability, then the prover’s computational power cannot be simulated by a BPP machine.
This corollary follows immediately from Corollary 1.5.
One might wonder whether it is possible to somehow get convinced not only of the fact that the computation that was performed by the prover is indeed the desired one, but also that the prover must have had access to some quantum computer. We prove:
Corollary 1.7
There exists a language such that even if the prover in our QPIP is replaced by one with unbounded classical computational power, but only a constant number of qubits, the prover will not be able to convince the verifier to accept: in this case aborts the computation with high probability.
This means that our protocols suggests yet another example in which quantum mechanics cannot be simulated by classical systems, regardless of how computationally powerful they are. This property appears already in bounded storage models [Wat99], and of course (in a different setting) in the EPR experiment.
Finally, we remark that in the study of the classical notion of IP, a natural question is to ask how powerful the prover must be, to prove certain classes of languages. It is known that a PSPACE prover is capable of proving any language in PSPACE, and similarly, it is known that NP or #P restricted provers can prove any language which they can compute. This is not known for coNP, SZK or PH [AB]. It is natural to ask what is the power of a BQP prover; our results imply that such a prover can prove the entire class of BQP (albeit to a verifier who is not entirely classical). Thus, we provide a characterization of the power of a BQP prover.
1.6 Related Work and Open Questions
The two questions regarding the cryptographic angle were asked by Childs in [Chi01], and by Arrighi and Salvail in [AS06], who proposed schemes to deal with such scenarios. However [Chi01] do not deal with a cheating prover, and [AS06] deals with a restricted set of functions that are classically verifiable.
After deriving the results of this work, we have learned that Broadbent, Fitzsimons, and Kashefi [BFK08] have proven related results. Using measurement based quantum computation, they construct a protocol for universal blind quantum computation. In their case, it suffices that the verifier’s register consists of a single qubit. Their results imply similar implications to ours, though these are implicit in [BFK08].
An important and intriguing open question is whether it is possible to remove the necessity for even a small quantum register, and achieve similar results in the more natural QPIP model in which the verifier is entirely classical. This would have interesting fundamental implications regarding the ability of a classical system to learn and test a quantum system.
Another interesting (perhaps related?) open question is to study the model we have presented here of QPIP, with more than one prover. Possibly, multiprover QPIP might be strong enough even when restricted to classical communication.
This work also raises some questions in the philosophy of science. In particular, it suggests the possibility of formalizing, based on computational complexity notions, the interaction between physicists and Nature; perhaps the evolution of physical theories.. Following discussions with us at preliminary stages of this work, Jonathan Yaari is currently studying “interactive proofs with Nature” from the philosophy of science aspect [Yaa08].
Paper Organization We start by some notations and background in Sec. 2. In Sec. 3 we present both our QAS and prove their security. In Sec. 4 we present our QPIP protocols together some aspects of their security proofs. Other proofs are delayed to the appendices due to lack of space: Fault tolerance is explained in Appendix E. Blind delegated quantum computation is proved in Appendix F. The corollaries related to the interpretations of the results are proven in Appendix G.
2 Background
2.1 Pauli and Clifford Group
Let denote the qubits Pauli group. were .
Definition 2.1
Generalized Pauli operator over : where is the primitive qroot of the unity.
We note that . We use the same notation, , for the standard and generalized Pauli groups, as it will be clear by context which one is being used.
Definition 2.2
For vectors in , we denote a the Pauli operator .
We denote the set of all unitary matrices over a vector space as . The Pauli group is a basis to the matrices acting on nqubits. In particular, we can write any matrix for the space of qubits, as with some matrix on .
Let denote the qubit Clifford group. Recall that it is a finite subgroup of generated by the Hadamard matrixH, by , and by controlledNOT. The Clifford group is characterized by the property that it maps the Pauli group to itself, up to a phase . That is:
Fact 2.1
A random element from the Clifford group on qubits can be sampled efficiently by choosing a string of length uniformly at random. The map from to the group element represented as a product of Clifford group generators can be computed in classical polynomial time.
2.2 Signed Polynomial Codes
For background on polynomial quantum codes see Appendix A.
Definition 2.3
([BOCG06]) The signed polynomial code with respect to a string (denoted ) is defined by:
(1) 
We use . In this case, the code can detect errors. Also, is self dual [BOCG06], namely, the code subspace is equal to the dual code subspace.
3 Quantum Authentication
3.1 Definitions
Definition 3.1
(adapted from Barnum et. al. [BCG02]). A quantum authentication scheme (QAS) is a pair of polynomial time quantum algorithms and together with a set of classical keys such that:

takes as input an mqubit message system M and a key and outputs a transmitted system of qubits.

takes as input the (possibly altered) transmitted system and a classical key and outputs two systems: a qubit message state , and a single qubit which indicate whether the state is considered valid or erroneous. The basis states of are called . For a fixed we denote the corresponding superoperators by and .
Given a pure state , consider the following test on the joint system : output a if the first qubits are in state or if the last qubit is in state , otherwise, output . The corresponding projections are:
(2)  
(3) 
The scheme is secure if for all possible input states and for all possible interventions by the adversary, the expected fidelity of ’s output to the space defined by is high:
Definition 3.2
A QAS is secure with error if for every state it holds:

Completeness: For all keys :

Soundness: For any superoperator (representing a possible intervention by the adversary), if is defined by defined by , then: .
3.2 Clifford Authentication Scheme
Protocol 3.1
Clifford based QAS : Given is a state on qubits and a security parameter. We denote . The set of keys consists of succinct descriptions of Clifford operations on qubits (following Fact 2.1). We denote by the operator specified by a key .

Encoding  : Alice applies on the state .

Decoding  : Bob applies to the received state. Bob measures the auxiliary registers and declares the state valid if they are all , otherwise Bob aborts.
Theorem 3.1
The Clifford scheme applied to qubits is a QAS with security . Where is the number of qubits added to a message on qubits.
Proof: Sketch.(The full proof is given in Appendix B.1). We show that when Eve applies a non trivial Pauli operator, then averaging over the random Clifford operators, the effective transformation on the original state is as an application of a random Pauli. Hence, any Pauli attack is detected with high probability. We then show that any attack of Eve is reduced to a very specific form:
(4) 
(for some ). It is not hard to see, using linearity, that this type of attack is detected with high probability.
Given blocks of qubits each, we can apply the QAS separately on each one of the blocks. declares the state valid if all of the registers are valid according to the original Clifford QAS . We call this the concatenated Clifford protocol. The completeness of the concatenated protocol is trivial, reasoning as in the original QAS. For soundness we have the following theorem, whose proof is given in Appendix B.2.
Theorem 3.2
The concatenated Clifford protocol has the security of the individual Clifford with security parameter , QAS, that is . This holds regardless of the number of blocks () that are authenticated.
3.3 Polynomial Authentication Scheme
Protocol 3.2
Polynomial Authentication protocol : Alice wishes to send the state of dimension . She chooses a security parameter , and a code length .

Encoding: Alice randomly selects a pair of keys: a sign key and a Pauli key with . She encodes using the signed quantum polynomial code of polynomial degree (see Definition 2.3). She then applies the Pauli (i.e., for she applies on the ’th qubit).

Decoding Bob applies the inverse of , and performs the error detection procedure of the code . He aborts if any error is found and declares the message valid otherwise.
The completeness of this protocol is trivial. We proceed to prove the security of the protocol.
Theorem 3.3
The polynomial authentication scheme is secure against general attacks with security
Proof: A sketch was given in the introduction; the full proof is given in Appendix C.1.
We notice that in this scheme a dimensional system is encoded into a system of dimension . The same security is achieved in the Clifford QAS by encoding into dimensions. The polynomial scheme is somewhat worse in parameters, but still with an exponentially good security.
To encode several registers, one can independently authenticate each register as in the Clifford case, (Theorem 3.2) but in fact we can use the same sign key for all registers, while still maintaining security. This fact will be extremely useful in Sec. 4. The following theorem is proved in Appendix C.2.
Theorem 3.4
The concatenated polynomial based QAS (with the same sign key for all registers), and with degree polynomial, has the same security as the individual QAS, that is: .
4 Interactive Proof For Quantumness
4.1 Clifford Authentication Based Protocol
Protocol 4.1
Clifford based Interactive Proof for QCIRCUIT: Fix a security parameter . Given is a quantum circuit consisting of twoqubit gates, , with error probability reduced to . The verifier authenticates the input qubits of the circuit one by one using the (concatenated) Clifford QAS with security parameter , that is every qubit is authenticated by qubits, and sends them to . For each to , the verifier asks the prover for the authenticated qubits on which he would like to apply the gate , decodes them, aborts if any error is found, applies the gate, authenticates the resulting qubits using a new pair of authentication keys, and sends the encoded qubits back to . Finally, the verifier asks to send the output authenticated qubit, decodes and aborts if any error is found; otherwise, measures the decoded qubit and accepts or rejects accordingly. In any case that does not get the correct number of qubits he aborts.
Proof: If the prover is honest, the verifier will declare valid with certainty. Since the error in the circuit is , completeness follows. For soundness, we observe that for the verifier to accept if is not in the language, means that he has not aborted, and also, answers YES. Let us denote by the projection on this subspace (Valid on the first qubit, Accept on the second). To bound the probability of this event, we observe that the correct state at any given step is a state which is authenticated by the concatenated Clifford QAS. We can thus use the decomposition of Eve’s attacks to Paulis, namely Eq. 33. Observing that a Pauli attack in our scheme is either declared valid or leads to abort, implies that the final density matrix can be written as
(5) 
where is the correct state. To bound we observe that the left term in bounded by the security parameter of the QAS, namely , the second term is bounded by the error caused by the quantum circuit, namely , and the third term vanishes.
The classical communication is linear in the number of gates. For , we get , and so the verifier uses a register of qubits. In fact is enough, since each of the authenticated qubits can be decoded (or encoded and sent) on its own before a new authenticated qubit is handled.
4.2 Polynomial Authentication Based Protocol
We start by describing how the prover performs a set of universal gates on authenticated qubits, using classical communication with the verifier, and special states called Toffoli states. This set of operations, namely Clifford group operations augmented with the Toffoli gate, form a universal set of gates [BOCG06].
Application of Quantum Gates We denote encoded gates (logical operators) with a tilde. For the full description of how to apply each of these logical gates see Appendix D.1. Briefly, for Pauli operators, the verifier merely updates his Pauli key. For the controlSUM, and the Fourier transform, the prover applies the gates transversally as if the code was the standard polynomial codes, and the verifier updates his sign and Pauli keys. For the measurement, the prover measures the register, sends the result to the verifier, who returns its interpretation which he computes using his keys. The Toffoli gate is applied using the above, on the relevant authenticated qubits plus an authenticated Toffoli state [BOCG06].
Protocol 4.2
Polynomial based Interactive Proof for QCIRCUIT Fix a security parameter . Given is a quantum circuit on qubits consisting gates from the above universal set, . We assume the circuit has error probability . The verifier sets and uses registers of qudits each, where each qudit is of dimensionality . The verifier uses concatenated polynomial QAS with security parameter to authenticate input qudits and the necessary number of Toffoli states. This is done sequentially using qudits at a time. Then, the prover and verifier perform the gates of the circuit as described above. Finally, if the final measurement does not yield an authenticated answer, the verifieraborts, otherwise, he accepts or rejects according to the measurement outcome.
Theorem 4.1
Protocol 4.2 is a QPIP protocol with completeness and soundness for QCIRCUIT.
This theorem implies a second proof for Theorem 1.1. The size of the verifier’s register is naively , but using the same idea as in the Clifford case, suffice. With , this gives a register of qutrits.
Proof: (Sketch. The full proof can be found in Appendix D.2) The completeness is trivial, similarly to the Clifford case. To prove the soundness of the protocol we first prove the following lemma.
Lemma 4.2
At any stage of the protocol the verifier’s set of keys, and are distributed uniformly and independently.
This implies that the correct state in an encoded states according to the concatenated QAS. The rest of the argument follows closely that of the proof of Theorem 1.1.
5 Acknowledgements
D.A. thanks Oded Goldreich, Madhu sudan and Guy Rothblum for exciting and inspiring conversations that eventually led to this work. E.E. thanks Avinatan Hassidim for stimulating and refining ideas, particularly about fault tolerance. We also thank Gil Kalai, David DiVincenzo and Ari Mizel, for stimulating questions and clarifications, and Daniel Gottesman for many helpful ideas and remarks, and in particular, for his help in proving Theorem 3.1.
References
 [AA06] D. Aharonov and I. Arad. The BQPhardness of approximating the Jones Polynomial. Arxiv preprint quantph/0605181, 2006.
 [AB] S. Arora and B. Barak. Computational Complexity: A Modern Approach. to appear: http://www.cs.princeton.edu/theory/complexity.
 [ABO97] D. Aharonov and M. BenOr. Faulttolerant quantum computation with constant error. Proceedings of the twentyninth annual ACM symposium on Theory of computing, pages 176–188, 1997.
 [ABW08] A. Ambainis, J. Bouda, and A. Winter. Tamperresistant encryption of quantum information. Arxiv preprint arXiv:0808.0353, 2008.
 [AE07] A. Ambainis and J. Emerson. Quantum tdesigns: twise independence in the quantum world. Arxiv preprint quantph/0701126, 2007.
 [AFK87] M. Abadi, J. Feigenbaum, and J. Kilian. On hiding information from an oracle. In Proceedings of the nineteenth annual ACM conference on Theory of computing, pages 195–203. ACM New York, NY, USA, 1987.
 [AJL06] D. Aharonov, V. Jones, and Z. Landau. A polynomial quantum algorithm for approximating the Jones polynomial. In Proceedings of the thirtyeighth annual ACM symposium on Theory of computing, pages 427–436. ACM New York, NY, USA, 2006.
 [AS06] P. Arrighi and L. Salvail. Blind Quantum Computation. International Journal of Quantum Information, 4(5):883–898, 2006.
 [BCG02] H. Barnum, C. Crépeau, D. Gottesman, A. Smith, and A. Tapp. Authentication of Quantum Messages. Proceedings of the 43rd Symposium on Foundations of Computer Science, pages 449–458, 2002.
 [BFK08] A. Broadbent, J. Fitzsimons, and E. Kashefi. Universal blind quantum computation. Arxiv preprint arXiv:0807.4154, 2008.
 [BK05] S. Bravyi and A. Kitaev. Universal quantum computation with ideal Clifford gates and noisy ancillas. Physical Review A, 71(2):22316, 2005.
 [BOCG06] M. BenOr, C. Crépeau, D. Gottesman, A. Hassidim, and A. Smith. Secure Multiparty Quantum Computation with (Only) a Strict Honest Majority. Foundations of Computer Science, 2006. FOCS’05. 47th Annual IEEE Symposium on, pages 249–260, 2006.
 [Chi01] A.M. Childs. Secure assisted quantum computation. Arxiv preprint quantph/0111046, 2001.
 [GMR85] S. Goldwasser, S. Micali, and C. Rackoff. The knowledge complexity of interactive proofsystems. In Proceedings of the seventeenth annual ACM symposium on Theory of computing, pages 291–304. ACM New York, NY, USA, 1985.
 [KLZ98] E. Knill, R. Laflamme, and W.H. Zurek. Resilient Quantum Computation. Science, 279(5349):342, 1998.
 [NCG00] M.A. Nielsen, I. Chuang, and L.K. Grover. Quantum Computation and Quantum Information. Cambridge Univ. Press, 2000.
 [Roo03] A. Roodman. Blind Analysis in Particle Physics. In Statistical Problems in Particle Physics, Astrophysics, and Cosmology, Proceedings of the PHYSTAT 2003 Conference held 811 September, 2003 at the Stanford Linear Accelerator Center. SLAC eConf C030908. http://www.slac.stanford.edu/econf/C030908., p. 166, 2003.
 [Sho97] PW Shor. Polynomialtime algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM journal on computing(Print), 26(5):1484–1509, 1997.
 [Vaz07] U. Vazirani. Computational constraints on scientific theories: insights from quantum computing. http://www.cs.caltech.edu/~schulman/Workshops/CSLens2/cslens2.html, 2007.
 [Wat99] J. Watrous. SpaceBounded Quantum Complexity. Journal of Computer and System Sciences, 59(2):281–326, 1999.
 [Wat03] J. Watrous. PSPACE has constantround quantum interactive proof systems. Theoretical Computer Science, 292(3):575–588, 2003.
 [Wik08] Wikipedia. Blind experiment — Wikipedia, the free encyclopedia, 2008. [Online; accessed 20Oct2008].
 [Yaa08] Jonathan Yaari. Preprint: Interactive Proofs as a Theory of Confirmation. PhD thesis, The Hebrew University of Jerusalem, 2008.
Appendix A Polynomial Quantum Error Correction Codes
Definition A.1
Polynomial error correction code [ABO97]. Given and where are distinct non zero values from , the encoding of is
(6) 
We use here , in which case the code subspace is its own dual. It is easy to see that this code can detect up to errors [ABO97]. It will be useful to explicitly state the logical gates of SUM, Fourier () and Pauli operators (). We will see that it is possible to apply the logical operations of the Pauli operators or the controlledsum by a simple transitive operation. We can easily verify that applying is the logical operation:
(7) 
setting
(8) 
Similarly for logical SUM , we consider the transitive application of controlledsum, that is a SUM operations applied between the ’th register of and .
(9) 
We set
(10) 
Showing what is the logical Fourier transform on the polynomial code requires more work. We first recall the definition of the Fourier transform in :
(11) 
We consider an variant of the Fourier transform which we denote
(12) 
In addition we need the following claim:
Lemma A.1
For any distinct numbers there exists such that
(13) 
For any polynomial of degree .
Proof: A polynomial of degree is completely determined by it’s values in the points . We write as in the form of the Lagrange interpolation polynomial: . Therefore, we set and notice that it is independent of , and the claim follows.
We are now ready to define the logical Fourier transform.
Claim A.2
The logical Fourier operator obeys the following identity:
(14) 
Where is the encoding of in a polynomial code of degree on registers.
Proof of : We denote
(15)  
(16) 
We think of the ’s as defining a polynomial of degree that is and split the sum according to :
(17) 
We temporally restrict our view to polynomials with degree at most and therefore the polynomial has degree at most . We use Lemma A.1 on :
(18) 
Going back to Eq. 17:
(19) 
Where the summation is over all such that and while the degrees of and are at most and respectively.
The sum does not depend on and there are exactly polynomials in the sum, therefore, we can write the expression as :
(20) 
Since the above expression has norm 1, if follows that the coefficients that we temporally ignored at Eq. 17 all vanish.
Corollary A.3
If then it follows from Claim A.2 that the code is self dual.
Claim A.4
The logical Pauli operator is .
The proof of this claim is omitted since it is extremely similar to the proof of Claim A.2.
Appendix B Clifford Authentication Scheme
b.1 Security Proof of Clifford Qas
Proof of : We denote the space of the message sent from Alice to Bob as . Without loss of generality, we can assume that Eve adds to the message a system (of arbitrary dimension) and performs a unitary transformation on the joint system. We note that there is a unique representation of since the Pauli matrices form a basis for the matrix vector space. We first characterize the effect that Eve’s attack has on the unencoded message: .
Claim B.1
Let be the state of Alice before the application of the Clifford operator. For any attack by Eve, Bob’s state after decoding is , where .
We proceed with the proof of the theorem. From the above claim we know what Bob’s state after Eve’s intervention is and we would like to bound its projection on :
(21) 
By definition of we see that . On the other hand: when does not flips any auxiliary qubit, and vanishes otherwise. The Pauli operators that do not flip auxiliary qubits can be written as where and . It follows that the number of such operator is exactly . Omitting the identity we are left with operators which are undetected by our scheme. We return to Eq. 21:
(22)  
(23)  
(24) 
The security follows from the fact that , and hence the projection is bounded by .
We remark that the above proof in fact implies a stronger theorem: interventions that are very close to are even more likely to keep the state in the space defined by .
What remains to prove is Claim B.1 which is stated above. To this end we need three simple lemmata:
Lemma B.2
Fix a nonidentity Pauli operator. Applying a random Clifford operator (by conjugation) maps it to a Pauli operator chosen uniformly over all nonidentity Pauli operators. More formally, for every it holds that : .
Lemma B.3
Let be Pauli operators. For any it holds that: .
Lemma B.4
Let be a unitary operator. For any density matrix :
(25) 
Assuming these lemmata we are ready to prove the claim:
Proof of : Let be the operator applied by Eve. We denote the state of Alice prior to encoding. Let us now write the state of Bob’s system after decoding and before measuring the auxiliary qubits. For clarity of reading we omit the normalization factor and denote the Clifford operation applied by Alice (Bob) ():
(26)  
(27) 
Regrouping elements operating on and on we have:
(28) 
We use Lemma B.3 and are left only with
(29) 
We first consider the case were , then:
(30) 
On the other hand when, by Lemma B.2:
(31) 
Plugging the above two equations in Eq. 29:
(32) 
We use Lemma B.4 and so Bob’s state after renormalization can be written as:
(33) 
For , which concludes the proof.
Finally, we prove the lemmata stated above:
Proof of : We first claim that or every there exists such that . We will prove this claim by induction. Specifically, we show that starting form any non identity Pauli operator one can, using conjunction by Clifford group operator reach the Pauli operator .
We first notice that the swap operation is in since it holds that:
(34) 
Furthermore, we recall that and . Therefore, any Pauli can be transformed using and to the form: (up to a phase). To conclude we use:
(35) 
which reduces the number of operations at hand. Applying this sufficiently many times results in reaching the desired form. Since this holds for any nonidentity Pauli operators: we know there are such that:
(36)  
(37) 
therefore is the operator we looked for. We return to the proof of the Lemma, let us first fix some , it will suffice to prove that for any the set is of a fixed size. We set such that then it holds that: therefore , and follows trivially.
We use the fact that the sets is a partition of , and that all have the same size:
(38) 
Which concludes the proof.
Proof of : Since we know there exists an index such that that is:
(39) 
where . let us define . We notice that and furthermore any operator in can be written in this form. We write instead of for simplicity.
(40)  
(41) 
It is easy to check that commutes with either or and anticommutes with the other. Therefore:
(42)  
(43)  
(44) 
This concludes the proof since the sum must vanish.
Proof of : We analyze the action of on the density matrix . We first notice that since is a trace preserving operator, that is: . On the other hand it holds that:
(45)  
(46)  
(47) 
If then , and therefore:
(48) 
It follows that , which concludes the proof.
b.2 Concatenated Clifford Qas
Proof of : From Claim B.1, we know that any attack by Eve on an authenticated register is equivalent to an effect of the mixing operator , on the unencoded message space. We notice that any attack on the concatenated protocol is in fact equivalent to separate attacks on the different registers. This fact follows from the fact any individual attack can be broken down to attacks of the form , specifically for :
(49) 
We denote , and use Lemma B.2: it holds that: