Post hoc verification of quantum computation
Abstract
With recent progress on experimental quantum information processing, an important question has arisen as to whether it is possible to verify arbitrary computation performed on a quantum processor. A number of protocols have been proposed to achieve this goal, however all are interactive in nature, requiring that the computation be performed in an interactive manner with back and forth communication between the verifier and one or more provers. Here we propose two methods for verifying quantum computation in a noninteractive manner based on recent progress in the understanding of the local Hamiltonian problem. Provided that the provers compute certain witnesses for the computation, this allows the result of a quantum computation to be verified after the fact, a property not seen in current verification protocols.
Quantum computers offer the potential to dramatically increase our ability to efficiently solve otherwise intractable computational problems, spanning a range of applications, from computational number theory Shor (1994) to the simulation of physical systems Lloyd et al. (1996). While for most of its history the experimental side of the field has been restricted to performing experiments on systems with very few degrees of freedom, which could be simulated using conventional computers with modest effort, recent advances have begun to push against this bound Trotzky et al. (2012). As the complexity of controlled quantum systems has grown, it has begun to exceed our ability to convincingly answer questions as to whether observed behaviour is consistent with quantum mechanics. This question has already arisen in relation to several recent experiments, leading to sometimes heated debate Boixo et al. (2013); Smolin and Smith (2013); Wang et al. (2013); Boixo et al. (2014); Rønnow et al. (2014); Shin et al. (2014a); Vinci et al. (2014); Shin et al. (2014b); Albash et al. (2015).
Fortunately, recent years have also seen the emergence of interactive methods for verifying quantum dynamics, in the form of protocols for verified quantum computation Aharonov et al. (2010); Fitzsimons and Kashefi (2012); Barz et al. (2013); Reichardt et al. (2013a); McKague (2013); Morimae (2014). Such protocols can be divided broadly into two classes. The first class are protocols which use a small, well characterized, quantum device to verify a computation carried out on a larger quantum system Aharonov et al. (2010); Fitzsimons and Kashefi (2012); Barz et al. (2013); Morimae (2014); Hayashi and Morimae (2015). Protocols in this class generally exhibit low overhead, but this comes at the cost of an assumption that there is no malicious conspiracy involving both the verifier’s device and the quantum system being probed. The second class of protocols make use of queries to multiple noncommunicating quantum provers which share entanglement to verify the computation using selftesting techniques Reichardt et al. (2013a, b); McKague (2013). Such protocols offer security conditioned under the assumption that the provers do not communicate during the protocols. This type of security comes at the price of astronomical overhead, and enforcing a ban on communication between provers can become problematic in multiround protocols where spacelike separation becomes infeasible. Recently attempts have been made to unify the two approaches, making use of selftesting protocols to replace the quantum operations of the verifier in verifiable blind computation protocols Gheorghiu et al. (2015); Hajdušek et al. (2015), which has shown some success in lowering the overheads associated with multiprover schemes.
Despite their differences, several common features remain between all known protocols from both classes. Current protocols require continuous interaction during the computation in order to verify correctness ^{1}^{1}1In the case of schemes derived from the blind quantum computing approach of Morimae and Fujii Morimae and Fujii (2013), this amounts to the prover pacing the rate at which they send qubits to the verifier, even though communication is only in one direction.. This fundamentally links the task of verification to the specific implementation of the computation, making it impossible to verify the correctness of a computation after the fact. Furthermore, all known verification schemes, whether intentional in the design or not, exhibit some form of blind quantum computation Broadbent et al. (2009); Barz et al. (2012), allowing them to hide the computation being performed from the processor performing the computation.
Here we introduce a new approach to the problem of verifying quantum computation, based on recent progress on short interactive proofs of the local Hamiltonian problem Fitzsimons and Vidick (2015); Ji (2015). This gives rise to a pair of verification protocols that can be used to verify a quantum computation with only a single round of communication. This verification can occur arbitrarily long after the computation has been completed, provided that a suitable witness state has been prepared. Furthermore, these post hoc verification protocols do not inherently exhibit blindness, and hence their existence serves to introduce a separation between the notions of blindness and verifiability.
The class of decision problems answerable by a quantum computer in polynomial time (BQP) is contained within a larger class known as QMA. This larger class corresponds to the class of problems for which the solution can be verified by a quantum computer in polynomial time given a suitable quantum state to act as a witness Kitaev (1999); Aharonov and Naveh (2002). QMA can be though of as the quantum analogue of the classical complexity class NP. Of the problems known to be complete for QMA, meaning that any problem within QMA can be reduced to an instance of that problem with modest computational overhead, perhaps the most studied is the problem of deciding whether the ground state energy of some local Hamiltonian is bounded below some threshold Kempe and Regev (2003); Kempe et al. (2006a). Specifically, given constants and , with , and a Hamiltonian , where each acts nontrivially on at most qubits, with the promise that for constants either for some or for all , the local Hamiltonian problem is to decide between these two cases.
The fact that BQP is contained in QMA does not immediately imply a nontrivial method to verify a quantum computation, since several conditions must be met in order for a verification protocol to be useful:

Not every computation we may wish to perform with a quantum computer is a decision problem, and so in order to exploit membership of QMA in constructing a verification procedure, it is first necessary to cast the verification as a decision problem.

The definition of QMA allows for the verification to require polynomialsized quantum circuits, and hence it is not clear a priori that verification can be any more efficient than the original computation.

It must be possible to efficiently generate a witness state for a given quantum computation. In general, participation as a prover in interactive proofs may require significantly greater computational power than that required to decide the particular statement to be proved.
We now show that each of these criteria can be satisfied by casting the problem of verifying the output of a quantum circuit as an instance of the local Hamiltonian problem.
Our first step is to formalize the verification of a quantum circuit as a decision problem. There are a number of ways in which this problem can be posed. A strong definition of this problem was introduced in Dunjko et al. (2014) based on trace distance between the output state at the end of the protocol and the ideal output of the computation to be verified. This definition is effectively impossible to decide retrospectively given a finite number of runs of the computation, due to the lack of any observable to compare probability distributions. Instead, we consider a formulation motivated by operational concerns, which sidesteps the problem of comparing two probability distributions: Given a quantum circuit composed of initial input in the state followed by a polynomial number of one and twoqubit gates chosen from some standard gate set, let be a string obtained by sampling the output of in the computational basis. Given a string , and the promise that either the probability with which is at least or at most for some positive , the probability verification problem is to decide which of these is the case.
Intuitively, this problem captures the task of deciding whether is indeed a likely outcome of the chosen computation described by or not. We will restrict attention to the case where is bounded from below by some inverse polynomial in the number of qubits strictly greater than zero, since in the case where the gap can be arbitrarily small this problem becomes PPhard Aaronson (2005). The problem of verifying that was produced according to some particular probability distribution is removed. A simple quantum circuit for this decision problem is shown in Fig. 1. Measuring the output qubit in the computational basis results in with probability precisely equal to . Provided that is at most polynomially small, this decision problem is then contained within BQP. This procedure can be extended to amplify the probability of accepting only when is above as shown in Fig. 2. We shall refer to this latter circuit as the verification circuit for for output .
We now turn attention to the task of casting the verification problem described above as an instance of the local Hamiltonian problem. As part of the proof that the local Hamiltonian problem is QMAcomplete, Kitaev showed how one can encode a quantum computation as the ground state of a 5local Hamiltonian Kitaev (1999). Specifically, he showed that a 5local Hamiltonian could be constructed such that its ground state has energy below some threshold if and only if a chosen quantum circuit, from which Hamiltonian is constructed, results in a specific output qubit being in state with high probability. Here we make use of a subsequent improvement by Kempe, Kitaev and Regev which reduces the required locality for Hamiltonian to 2local Kempe et al. (2006b). Given a quantum circuit composed of one and twoqubit gates acting on some initial state which can be taken to be , with a designated output qubit used to decide whether the circuit accepts or rejects, this is accomplished by making use of a clockstate,
where is the state of the computation after the first gates have been applied. The state is simply a superposition of states of a clock register comprising the first qubits of the system concatenated with the state of the logical computation after the number of steps indicated by the clock. In the original 5local construction, the guiding intuition is that Hamiltonian terms of fixed locality can be used to separately verify that the clock state is of an appropriate form by ensuring that a never appears to the immediate left of a , ensuring that neighbouring values of the clock register differ by the corresponding gate on the computational register, and ensuring that input bits and output bits are in the desired state when the clock begins with or ends with respectively.
The 2local construction is somewhat more involved, and makes use of perturbation theory to reduce the locality of the operators required to verify that the state is of the required form. Specifically, the Hamiltonian corresponding to is given by
where . The definitions of the individual Hamiltonians , , , and are relatively complicated, and the reader is referred to Ref. Kempe et al. (2006b) for a full definition, however their role is straightforward. is used to ensure that the output qubit is in state when the right most qubit of the clock register is in state , by applying an energy penalty when the clock register ends in but the output qubit is . similarly ensures that the computational register is in state when the clock register begins with . ensures that the clock register is restricted to states of the form for . Finally, and ensure that the computational register differs by an appropriate logic gate for branches of the wavefunction corresponding to neighbouring clock states. Importantly for the sake of our verification approach, provided that the gate set is well chosen, each Hamiltonian contains products of only Pauli and operators. Furthermore, the ground state of the Hamiltonian can be prepared efficiently by simply preparing an ancillary register in a superposition of states to and then performing the computation in a controlled manner up to the gate indicated by this register.
Kempe, Kitaev and Regev proved that if accepts with probability more than , then has an eigenvalue smaller than , whereas if accepts with probability less than , then all eigenvalues of are larger than . As such, if circuit encoded in the Hamiltonian is taken to be the verification circuit for a particular quantum computation and output , as depicted in Fig. 2, then deciding the local Hamiltonian problem for , with constants and is equivalent to verifying the original computation.
The above construction alone does not suffice to provide a means to verify a quantum computation without making use of a comparably powerful device, since the task of estimating the energy of the witness state may well be comparable in complexity to independently implementing the circuit to be evaluated. However, if the number of provers is expanded, the complexity of verifying the ground state drops. Specifically, it was shown recently in Ref. Fitzsimons and Vidick (2015), that there existed a oneround multiprover interactive proof for the local Hamiltonian problem where the verifier sends a classical message of length logarithmic in the number of local terms in the Hamiltonian to each of each of 5 provers each of whom respond with at most qubits. The interactive proof takes the form of a simple game, which can be won by honest provers if they share the ground state to the Hamiltonian encoded in a specific fivequbit quantum error correction code, with each prover holding one of the physical qubits comprising each logical qubit ^{2}^{2}2The number of provers can trivially be reduced to four by instead making use of an errordetection code..
The game proceeds as follows for a local Hamiltonian on qubits. The verifier decides with equal probability either to test or to test the encoding. If the verifier decides to test , then they choose a uniformly at random between and , and ask each prover for their share of the qubits corresponding to the set of qubits acted upon by . The verifier then decodes the returned qubits, and performs a measurement on the decoded qubits with POVM elements and , rejecting if the outcome corresponds to and accepting otherwise. If instead the verifier decides to test the encoding, they then choose uniformly randomly between each of two subtests. In the first, they choose an uniformly at random between and , and ask each prover for their share of qubit . They then accept if the returned qubits lie within the code space, and reject if not. In the second subtest, they choose both an uniformly at random between and , and an as a uniformly random tuple of three distinct integers between and such that contains . They then ask a random prover for their share of qubits indexed by , and the remaining provers for their share of qubit . As in the other subtest, the verifier accepts if the shares of qubit lie within the codespace, and reject otherwise.
Intuitively, the second test is used to ensure that the provers must always respond with distinct qubits associated with the indices requested, so that their response when a particular qubit is requested does not depend on which subset of qubits containing they have been asked for. The first test then simply ensures that these (now fixed) qubits correspond to a valid witness for the specific instance of the local Hamiltonian problem being tested. It was proved in Fitzsimons and Vidick (2015) that the probability of accepting is at least if has an eigenvalue less than or equal to , while this probability is at most , for nonnegative constants and , in the case where has no eigenvalues below .
This leads directly to our first protocol for post hoc verification of a quantum computation :

The prover performs obtaining an output string and sends this to the verifier.

The prover constructs a witness state for the local Hamiltonian problem for , for suitably large .

Once the verifier chooses to initiate verification, the prover encodes in the 5qubit code and distributes a share of each logical qubit among each of 5 spatially separated locations (effectively 5 provers) which can be queried in a spacelike separated manner by the verifier.

The verifier then engages in the local Hamiltonian game described above. The verifier accepts as the output of the computation if and only if the provers win the game.
From the completeness and soundness properties of the local Hamiltonian game, and from the bounds on the eigenvalues of imposed by the results of Kempe, Kitaev and Regev, it follows that the verifier will accept with polynomially higher probability when than when provided that , where and are the constants from the local Hamiltonian game in Fitzsimons and Vidick (2015).
Recently, Ji introduced a modification of the local Hamiltonian game considered above which removed the need for limited quantum computation on the part of the verifier Ji (2015). This approach mirrors that of Fitzsimons and Vidick (2015), replacing the codespace and energy tests with versions that can be verified by a purely classical prover.
The codespace test is accomplished using a clever application of CHSH rigidity. Consider the 5qubit quantum error correction code with generators and let be a state from the 2dimensional stabilised subspace, that is for all . The structure of the stabiliser generators is such that one of the subsystems, labelled , always has either a Pauli or a Pauli operator acting on it. Furthermore, due to translational invariance of the 5qubit error correction code, we have freedom of choosing the subsystem and then fixing the remaining Pauli operators in appropriately while preserving the 2dimensional code space. By a repeated use of a reflection operator on the special subsystem , we can obtain set of eight operators satisfying and that are related to the original generators by . Bipartitioning the 5 provers into nonspecial provers, labelled as system , and the special prover , labelled as , we obtain the familiar CHSH expressions,
where and . The Pauli operators and are defined as the generators containing where we replace with the identity operator . Similarly and are defined as the generators whose are replaced with . For example when , we have , , and . Via the rigidity of CHSH games, it can then be shown that if the probability of winning the corresponding CHSH game is close to ideal, then the shared state must be close to a state in the codespace.
The energy test is also replaced, making use of the fact that measurements of the logical and operators of the code can be performed transversally by making an appropriate Pauli measurement on each share of the logical qubit. By expanding out the Hamiltonian as a sequence of Pauli terms polynomial in . By choosing randomly to either measure a Pauli term from the Hamiltonian, or make Pauli measurements corresponding to a CHSH game to test the code space, it is possible to achieve an interactive proof for the local Hamiltonian problem where the verifier is entirely classical, with a polynomial gap between completeness and soundness, similar to that in Fitzsimons and Vidick (2015).
It is thus possible to replace Step 4 in our initial protocol with a protocol that requires only a purely classical prover, using Ji’s protocol. This removes the need for any quantum capabilities on the part of the prover while still retaining the post hoc verification characteristics of our first protocol, and requiring only one round of communication between verifier and provers. Recent modifications of this approach due to Natarajan and Vidick Natarajan and Vidick (2015) could also be incorporated, potentially leading to improved performance.
Acknowledgements
The authors acknowledge support from Singapore’s National Research Foundation and Ministry of Education. JFF acknowldeges support from the Air Force Office of Scientific Research under grant FA23861514082. This material is based on research funded by the Singapore National Research Foundation under NRF Award NRFNRFF201301.
References
 Shor (1994) P. W. Shor, in Foundations of Computer Science, 1994 Proceedings., 35th Annual Symposium on (IEEE, 1994), pp. 124–134.
 Lloyd et al. (1996) S. Lloyd et al., Science pp. 1073–1077 (1996).
 Trotzky et al. (2012) S. Trotzky, Y.A. Chen, A. Flesch, I. P. McCulloch, U. Schollwöck, J. Eisert, and I. Bloch, Nature Physics 8, 325 (2012).
 Boixo et al. (2013) S. Boixo, T. Albash, F. M. Spedalieri, N. Chancellor, and D. A. Lidar, Nature communications 4 (2013).
 Smolin and Smith (2013) J. A. Smolin and G. Smith, arXiv preprint arXiv:1305.4904 (2013).
 Wang et al. (2013) L. Wang, T. F. Rønnow, S. Boixo, S. V. Isakov, Z. Wang, D. Wecker, D. A. Lidar, J. M. Martinis, and M. Troyer, arXiv preprint arXiv:1305.5837 (2013).
 Boixo et al. (2014) S. Boixo, T. F. Rønnow, S. V. Isakov, Z. Wang, D. Wecker, D. A. Lidar, J. M. Martinis, and M. Troyer, Nature Physics 10, 218 (2014).
 Rønnow et al. (2014) T. F. Rønnow, Z. Wang, J. Job, S. Boixo, S. V. Isakov, D. Wecker, J. M. Martinis, D. A. Lidar, and M. Troyer, Science 345, 420 (2014).
 Shin et al. (2014a) S. W. Shin, G. Smith, J. A. Smolin, and U. Vazirani, arXiv preprint arXiv:1401.7087 (2014a).
 Vinci et al. (2014) W. Vinci, T. Albash, A. Mishra, P. A. Warburton, and D. A. Lidar, arXiv preprint arXiv:1403.4228 (2014).
 Shin et al. (2014b) S. W. Shin, G. Smith, J. A. Smolin, and U. Vazirani, arXiv preprint arXiv:1404.6499 (2014b).
 Albash et al. (2015) T. Albash, T. F. Rønnow, M. Troyer, and D. A. Lidar, The European Physical Journal Special Topics 224, 111 (2015).
 Aharonov et al. (2010) D. Aharonov, M. BenOr, and E. Eban, in Proceedings of Innovation in Computer Science (Tsinghua University Press, 2010), p. 543.
 Fitzsimons and Kashefi (2012) J. F. Fitzsimons and E. Kashefi (2012), eprint quantph/1203.5217.
 Barz et al. (2013) S. Barz, J. F. Fitzsimons, E. Kashefi, and P. Walther, Nature Physics 9, 727 (2013).
 Reichardt et al. (2013a) B. W. Reichardt, F. Unger, and U. Vazirani, Nature (London) 496, 456 (2013a).
 McKague (2013) M. McKague (2013), eprint quantph/1309.5675.
 Morimae (2014) T. Morimae, Phys. Rev. A 89, 060302 (2014).
 Hayashi and Morimae (2015) M. Hayashi and T. Morimae, arXiv preprint arXiv:1505.07535 (2015).
 Reichardt et al. (2013b) B. W. Reichardt, F. Unger, and U. Vazirani, in Proceedings of the 4th conference on Innovations in Theoretical Computer Science (ACM, 2013b), pp. 321–322.
 Gheorghiu et al. (2015) A. Gheorghiu, E. Kashefi, and P. Wallden, arXiv preprint arXiv:1502.02571 (2015).
 Hajdušek et al. (2015) M. Hajdušek, C. A. PérezDelgado, and J. F. Fitzsimons, arXiv preprint arXiv:1502.02563 (2015).
 Broadbent et al. (2009) A. Broadbent, J. F. Fitzsimons, and E. Kashefi, in Foundations of Computer Science, 2009. FOCS’09. 50th Annual IEEE Symposium on (IEEE, 2009), pp. 517–526.
 Barz et al. (2012) S. Barz, E. Kashefi, A. Broadbent, J. F. Fitzsimons, A. Zeilinger, and P. Walther, Science 335, 303 (2012).
 Fitzsimons and Vidick (2015) J. Fitzsimons and T. Vidick, in Proceedings of the 2015 Conference on Innovations in Theoretical Computer Science (ACM, 2015), pp. 103–112.
 Ji (2015) Z. Ji, arXiv preprint arXiv:1505.07432 (2015).
 Kitaev (1999) A. Kitaev, Talk at AQIP 99 (1999).
 Aharonov and Naveh (2002) D. Aharonov and T. Naveh, arXiv preprint quantph/0210077 (2002).
 Kempe and Regev (2003) J. Kempe and O. Regev, Quantum Information & Computation 3, 258 (2003).
 Kempe et al. (2006a) J. Kempe, A. Kitaev, and O. Regev, SIAM Journal on Computing 35, 1070 (2006a).
 Dunjko et al. (2014) V. Dunjko, J. F. Fitzsimons, C. Portmann, and R. Renner, in Advances in Cryptology–ASIACRYPT 2014 (Springer, 2014), pp. 406–425.
 Aaronson (2005) S. Aaronson, in Proceedings of the Royal Society of London A: Mathematical, Physical and Engineering Sciences (The Royal Society, 2005), vol. 461, pp. 3473–3482.
 Hoeffding (1963) W. Hoeffding, Journal of the American statistical association 58, 13 (1963).
 Kempe et al. (2006b) J. Kempe, A. Kitaev, and O. Regev, SIAM Journal on Computing 35, 1070 (2006b).
 Natarajan and Vidick (2015) A. Natarajan and T. Vidick, arXiv preprint arXiv:1512.02090 (2015).
 Morimae and Fujii (2013) T. Morimae and K. Fujii, Phys. Rev. A 87, 050301 (2013).