Robustness and device independence of
verifiable blind quantum computing
Abstract
Recent advances in theoretical and experimental quantum computing bring us closer to scalable quantum computing devices. This makes the need for protocols that verify the correct functionality of quantum operations timely and has led to the field of quantum verification. In this paper we address key challenges to make quantum verification protocols applicable to experimental implementations. We prove the robustness of the single server verifiable universal blind quantum computing protocol of Fitzsimons and Kashefi fk in the most general scenario. This includes the case where the purification of the deviated input state is in the hands of an adversarial server. The proved robustness property allows the composition of this protocol with a deviceindependent state tomography protocol that we give, which is based on the rigidity of CHSH games as proposed by Reichardt, Unger and Vazirani ruv2. The resulting composite protocol has lower round complexity for the verification of entangled quantum servers with a classical verifier and, as we show, can be made fault tolerant.
Keywords: Delegated Quantum Computation, Quantum Verification, Device Independence, Composition, Fault Tolerance
1 Introduction
While the prospect of commercially available universal quantum computing is still distant, a number of experiments involving multiqubit systems have recently been developed. Irrespective of their applications, these technologies require methods and tools for verifying the correctness of their operations. Assuming that quantum computing is more powerful than classical computing, a simulationbased approach for quantum verification of devices with sufficiently large number of qubits, becomes practically impossible. Aaronson and Arkhipov showed in aaronson that even a rudimentary quantum computer constructed with linearoptical elements cannot be efficiently simulated. Similarly, verifying the correct preparation of a general qubit state via state tomography also involves exponential overhead since it requires collecting statistics from separate observables nielsenchuang.
The verification of quantum devices becomes more complicated when the functionality involves cryptographic primitives. In these cases, incorrect operations could be the result of actions of an adversary. Thus it becomes necessary to guarantee the security of the application under certain assumptions about the devices. Ideally a protocol should remain secure even if the devices are faulty and partially controlled by adversaries. This would lead to a solution that is deviceindependent and robust. However, generating such protocols has proven difficult. Even in quantum key distribution, a complete proof of security for a deviceindependent protocol, in the presence of noise, has been achieved only recently deviceindependentqkd.
The issue of verification needs to be resolved to be able to exploit successfully any future quantum computers. Moreover, one expects that the first large scale quantum devices are unlikely to be personal computers. Instead, they will probably function as servers to which clients can connect and request the computation of some difficult problem. The client may also require his computation to be private, i.e. require that the server does not learn anything about it. We should therefore construct protocols that verify an arbitrary delegated quantum computation and prove the security and correctness of this verification technique.
The approaches that have been so far successful are those based on interactive proof systems ip; qip, where a trusted, computationally limited verifier (also known as client, in a cryptographic setting) exchanges messages with an untrusted, powerful quantum prover, or multiple provers (also known as servers). The verifier attempts to certify that, with high probability, the provers are performing the correct quantum operations. Because we are dealing with a new form of computation, the verification protocols, while based on established techniques are fundamentally different from their classical counterparts. A number of quantum verification protocols have been developed, for different functionalities of devices and using a variety of different strategies to achieve verification fk; ruv2; bfk; eleni; abe; bosonsampling; mckague; KKD14; twopartyeval; cryptoquantumw; BGS13; efk. The assumptions made depend on the specific target and desired properties of the protocol. For example, if the emphasis is on creating an immediate practical implementation, then this should be reflected in the technological requirements leading to a testable application with current technology efk. Alternatively, if the motivation is to prove a theoretical result, we may relax some requirements such as efficient scaling ruv2. An important open problem in the field of quantum verification, is whether a scheme with a fully classical verifier is possible falsifiable; openproblem. We know, however, that verification is possible in the following two scenarios:

A verifier with minimal quantum capacity (ability to prepare random single qubits) and a single quantum prover fk. This is the Fitzsimons and Kashefi (FK) protocol.

A fully classical verifier and two noncommunicating quantum provers that share entanglement ruv. This is the Reichardt, Unger and Vazirani (RUV) protocol.
One of our objectives is to obtain a device independent (allowing untrusted quantum devices) version of the FK protocol, by composing it with the RUV protocol. The additional properties we aim to achieve from this composition are fault tolerance (allowing noisy devices) and reduced round complexity. Composing protocols can indeed be fruitful since it could lead to new protocols that inherit the advantages of both constituents. The universal composabillity framework, allowing for secure compositions, has been successfully extended to the quantum realm compos1; compos2; compos3. Recently, the security of single server verifiable universal blind quantum computing protocols has been demonstrated in an abstract cryptographic framework DFPR13 that is also known to be equivalent to the simulationbased composability framework. However this setting does not fulfil the necessary requirements for our composition. This is because, when combining a single server verification scheme (FK) with an entangled server scheme (RUV), there exists the possibility of correlated attacks, which are not explicitly treated in the composability framework. Such attacks can occur when an untrusted server’s strategy is correlated with deviations in the protocol’s input state. Our robustness result resolves this issue in the stand alone composition setting and the same technique could potentially be extended to the composable framework of DFPR13, thus resolving the problem of correlated attacks.
The type of composition that we require is sequential. We take the output of the first protocol and use it as input for the second. However, in general, the output of the first protocol is not necessarily an acceptable input for the second protocol. In particular, since the verification protocols are probabilistic, their outputs typically deviate by a small amount from the ideal one. Thus, it is necessary that the second protocol remain secure even if the input is slightly deviated from the ideal one. Moreover, we make sure that adversaries cannot exploit any correlations between the deviated input and their strategy to compromise the security of the protocol. Therefore to securely compose the protocols, we need to address these new type of attacks. The main results of this paper can be summarised as follows:

We prove that the FK protocol is strongly robust, see Theorem 1. First, we show that FK can tolerate inputs which deviate from their ideal values by a small amount, see Lemma 7. However, for composition with other protocols a stronger property is needed. We therefore proceed to show that the FK protocol is robust even when the deviated input is correlated with an external system possessed by an adversary (for example the provers’ private systems in the RUV protocol), see Lemma 8.

An immediate consequence of the robustness theorem is that we can construct a composite protocol combining RUV with FK. The required input states for the FK protocol are prepared via the state tomography subprotocol of RUV. Our composite protocol inherits the device independence property of RUV, see Theorem 3. Additionally, since we do not require the full RUV protocol, the composite protocol also has an improved round complexity.

Lastly, we address the distinction between robustness and fault tolerance and show how the FK protocol can be made fault tolerant, thereby making our proposed composite approach fault tolerant as well.
In Section 1.1 we give some preliminaries. In Section 2 we present the main results, that we summarised above, and outline their proofs. In particular we give robustness in Subsection 2.1, composition in Subsection 2.2 and fault tolerance in Subsection 2.3. Further details of the proofs are given in Section 3 for robustness, in Section 4 for composition and in Section 5 for fault tolerance. We conclude in Section 6.
1.1 Preliminaries
We first introduce the relevant concepts used in describing verification protocols and then briefly present the two protocols we will built on (FK and RUV).
1.1.1 Interactive Proof Systems
As explained in ip; abe, a language is said to admit an interactive proof system if there exists a computationally unbounded prover and a verifier , such that for any , convinces that with probability . Additionally, when , convinces that with probability . Mathematically, we have the following two conditions^{2}^{2}2 Note that completeness can be viewed as the probability of the verifier accepting when the prover is honest. Similarly, soundness is the probability of accepting, when the prover is dishonest.:

Completeness: accepts

Soundness: accepts
The set of languages which admit such an interactive proof system define the complexity class IP. We are interested in the case when the prover is a polynomialtime quantum computer (i.e. a machine). In abe, the first definition of such a quantum interactive proof system was given, which we use here:
Definition 1.
abe Quantum Prover Interactive Proof (QPIP) is an interactive proof system with the following properties:

The prover is computationally restricted to .

The verifier is a hybrid quantumclassical machine. Its classical part is a machine. The quantum part is a register of c qubits (for some constant c), on which the prover can perform arbitrary quantum operations. At any given time, the verifier is not allowed to possess more than c qubits. The interaction between the quantum and classical parts is the usual one: the classical part controls which operations are to be performed on the quantum register, and outcomes of measurements of the quantum register can be used as input to the classical machine.

There are two communication channels: one quantum and one classical.
The completeness and soundness conditions are identical to the IP conditions.
We are also interested in interactive protocols that use more than one prover. There are only two differences, first that the verifier can interact with multiple provers instead of just one, and second that the provers are not allowed to communicate. The conditions for completeness and soundness remain unchanged. The analogous complexity class that involves multiple provers is called MultiProver Interactive Proof System and denoted mip. It is defined as the set of all languages which admit an interactive proof system with one or more noncommunicating provers. If the number of provers is fixed to be , the corresponding complexity class is MIP[]. A closely related class is MIP* where the multiple noncommunicating provers share entangled states.
In all of these cases, the verifier is essentially delegating a difficult computation to the prover(s). This computation can be universal with respect to the computation model of the prover(s). In our case, this means universal for polynomialtime quantum computations. The number of classical messages exchanged between the verifier and the prover, throughout the run of the protocol, as a function of the input size is known as the round complexity of the protocol.
1.1.2 Quantum Protocols
Throughout this subsection, we assume the reader is familiar with the teleportationbased and more generally measurementbased quantum computing (MBQC) models, described in detail in onewaycomputer; mbqc.
We first summarise the FK protocol fk which is a QPIP protocol. It is also known as unconditionally secure, verifiable, universal blind quantum computing. The protocol is “blind” which means that no information about the computation is leaked to the prover, apart from its size. This property can be exploited by allowing the verifier to insert hidden “traps” within the computation. The traps are deterministic tests which the verifier can perform in order to verify that the prover is not deviating from the protocol. Blindness ensures that the traps are indistinguishable from the computation.
The basic idea of this protocol is that the verifier prepares and sends qubits to the prover. The prover entangles these qubits and then performs adaptive measurements (sending the measurement outcomes to the verifier) that will overall implement a certain unitary operation, as in the MBQC model of computation. The traps are single isolated qubits, disentangled from the rest of the computation, and when measured in suitable bases give deterministic outcomes that are known to the verifier (but not to the prover). Since the prover is completely blind and does not know which qubits are traps and which are part of the actual computation, any attempt to cheat has some probability to affect the trap and thus be detected.
The FK protocol is based on a universal resource state for the MBQC model, known as the dottedcomplete graph state. The details of this resource state are not crucial for understanding this paper, apart from the fact that, as part of the FK protocol, the appropriate operators are performed by the untrusted server to prepare this generic state. In particular, a series of controlled operators are performed by the server, according to the dottedcomplete graph structure, for entangling the individual qubits prepared in advance by the verifier. These initial qubits, that are sometimes referred to as the input of the FK protocol, are sent to the server at the first stage of the protocol. This fact is used to prove some basic properties needed for our main robustness result, see Theorem 2. Therefore, for the purpose of completeness, we state here the definition of the dottedcomplete graph state, taken from fk, see also Figure 1.
Definition 2.
fk Let denote the complete graph of vertices. Define the dottedcomplete graph, denoted as , to be a graph where every edge in is replaced with a new vertex connected to the two vertices originally joined by that edge. We call the quantum state corresponding to the dottedcomplete graph state. This multipartite entangled state is prepared by replacing every vertex with a qubit in the state and applying a controlled operator for every edge in the graph.
The family of dottedcomplete graph states is universal for quantum computation. Moreover, any other graph state could be obtained from a large enough dottedcomplete graph state by applying the appropriate Pauli measurements over some of the vertices (the ones shown in white, in Figure 1).
Concretely, in order to construct any desired graph of vertices from a dottedcomplete graph , Pauli measurements are performed in order to keep a specific edge, and Pauli measurements in order to remove it (alternatively, one could use the states , for the edges which should be removed, instead of performing a Pauli measurement). This can be done blindly in order to hide the target graph.
The detailed construction is not important for the rest of this paper and hence omitted (see Section 5 in fk). We give a brief description of FK, shown here as Protocol 1.
According to Definition 1 the quantum channel between verifier and prover is oneway (from the verifier to the prover). Moreover, the constant , representing the number of qubits that the verifier can possess at any given time, is exactly one. We refer the reader to fk for a more in depth description of the protocol and its associated concepts. However, we recall the key properties of the protocol in the following lemma.
Lemma 1.
Assuming the verifier wants to delegate the computation of a circuit of size , the FK protocol has round complexity and uses qubits with completeness being exactly 1 while the soundness is upper bounded by , where is the security parameter.
Proof.
It is clear from Protocol 1 that the total number of qubits used in the protocol is , where is the number of qubits for the encoded graph . Additionally, we have the same number of rounds of classical communication, corresponding to the measurements of qubits in the dottedcomplete graph (each measurement requires classical bits to specify the measurement angle and bit to specify the outcome). Both the overall round complexity and the required quantum resources are thus .
As described in Protocol 1, the verifier accepts if and only if all trap measurements succeed. This is always the case if the prover is honest and follows the instructions, since the trap measurements are deterministic. Therefore, the probability that the verifier accepts when the prover is honest is exactly (completeness). On the other hand, it is shown in fk that in the case of classical output, the protocol is verifiable, meaning the soundness is upper bounded by . ∎
Next we summarise the RUV protocol ruv2 which is a MIP* protocol. It relies on the rigidity of CHSH games CHSH69; ruv to test the honesty of the provers (c.f. traps at the FK protocol), and on gate teleportation to perform the computation. In particular, the verifier directs the provers to perform a series of local measurements of their parts of the shared entangled states. The purpose of this is to check for statistical violations of Bell’s inequality. At the same time, the verifier makes the provers teleport quantum states into gates in order to perform his desired quantum computation ruv. Importantly, the verifier alternates between these strategies in such a way that the provers are not aware (they are blind) in which strategy their measurement belongs. Moreover, the two provers cannot use previous results in order to deviate from the protocol (i.e. there is no adaptive cheating strategy). This is summarised as Protocol 2. Due to the rigidity of the CHSH games, as proved in ruv2, the verifier can determine if the two provers are being honest or not from the statistical outcomes. To ensure the verification of universal computations, the resource preparation stage of the protocol will prepare multiple copies of the states:
Here, denotes the Bell state which is shared among the two provers. In fact the provers share multiple copies of , each prover having one qubit from each Bell pair. Without loss of generality, we can assume that prover has the first qubit and prover has the second qubit. The Hadamard, Phase and controlledNot gates (denoted as ) constitute a universal gate set for quantum computation. The subscript indices indicate on which qubits the gate acts. An arbitrary quantum circuit is thus simulated by repeatedly doing gate teleportations, while keeping the computation blind from the two provers the entire time.
Lemma 2.
Assuming the verifier wants to delegate the computation of a circuit of size , the round complexity of the RUV protocol is , where there exists some constant , such that .
Proof.
To determine an upper bound for the round complexity we only need to inspect the number of rounds of CHSH games, since the protocol randomly alternates between this and the other three subprotocols. As shown in Protocol 2, the verifier plays sets of CHSH games with the two provers. Each set consists of games and . Additionally, it is required that , where , so . These conditions are necessary for the correctness of the state tomography and process tomography subprotocols ruv. We then have that , where is a constant of the form . This is the number of sets of CHSH games and hence the number of required games is lower bounded by . It follows that the number of rounds is , where . Note that by “lower bounded” we refer to the case when all of the CHSH statistics are consistent and the verifier does not reject. In the case of inconsistent statistics, the verifier can reject before playing games. ∎
The subprotocols of the RUV protocol are themselves verification protocols as proved in ruv. The subprotocol that we will use is the state tomography protocol. As part of the RUV protocol, it is used to prepare resource states which are XZdetermined, i.e. states that are uniquely determined by their traces against and operators. To compose the RUV with the FK protocol we will use a modified version of the state tomography subprotocol, so that we can prepare all states that are allowed inputs for the FK protocol. We will give the modified protocol in the next section.
Assumptions
The verifier delegates a quantum circuit of size to two quantum provers.
Let , , , and .
The two provers share Bell states.
Protocol
The verifier alternates randomly between four subprotocols. He chooses the first three with probability and the last one
with probability .

CHSH games. The verifier referees sets of sequential CHSH games, each consisting of games between the provers. He rejects if they win less than:
of the games.

State tomography. The verifier chooses uniformly at random and referees sets of CHSH games. He sends the questions from the th set to prover , while running a state tomography protocol with prover . In this protocol prover is asked to prepare qubit resource states by measuring his halves of the shared Bell states. This will collapse prover ’s states to the same qubit resource states up to corrections. The verifier checks this using the CHSH measurement outcomes from prover . These outcomes tomographically determine the states that are being prepared. He rejects if the tomography statistics are inconsistent.

Process tomography. The verifier chooses uniformly at random and referees sets of CHSH games. He sends the questions from the th set to prover , while running a process tomography protocol with prover . In this protocol prover is asked to perform Bell measurements on his halves of the shared Bell states. The verifier checks this using the CHSH measurement outcomes from prover . He rejects if the tomography statistics are inconsistent.

Computation. The verifier chooses uniformly at random and refereed sets of CHSH games. In the th game he runs a state tomography protocol with prover and a process tomography protocol with prover . The combination of these two achieves computation via gate teleportation.
2 Main Results
2.1 Robustness
The first result we prove is that the FK protocol is robust with respect to small variations in the input. Throughout this paper, by “input” we are referring to the quantum states that the verifier sends to the prover and not the computation input. Without loss of generality we can assume that the desired computation that will be delegated to the server has the fixed classical input . Dealing with arbitrary classical or quantum input is straightforward, as explained in fk, and makes no difference for our result. Hence, for the rest of this paper we define the input state of the FK protocol to be the tensor product of the individual qubits prepared by the verifier, comprising the dottedcomplete graph before the prover applies controlled to entangle them (these include the computation, trap and dummy qubits).
The fact that FK is robust means that the protocol’s input state can be deviated from its ideal value by some small amount and the protocol will continue to function. In particular, this input state could be the output of some other protocol, provided that this state was close to its ideal value. As we will see in the next subsection, the RUV protocol is capable of such a preparation. We start by formally defining robustness in this context.
Definition 3 (Robustness).
A verification protocol with quantum input is robust if, given that the protocol input is close in trace distance to the ideal input, in the limit where the completeness and soundness bounds remain unchanged.
Mathematically, if we denote the multiqubit input state as , and the pure states comprising the ideal input as , where goes from to the number of qubits, we have that:
(1) 
Note that is of the same dimension as as it does not contain any ancilla qubits from the environment. Given the definition of robustness, we prove that:
Theorem 1.
The FK protocol is robust and given an input which is close to its ideal value, the completeness is lower bounded by and the soundness bound changes by at most .
Because we are tracing out the environment, which could be controlled by an adversary, the security of the protocol, with a deviated input state, needs to be reestablished. We highlight this in the following proof sketch of Theorem 1:
Proof sketch.
We first examine soundness which considers the case of a dishonest prover. Intuitively, when the prover is malevolent, he will try to convince the verifier to accept an incorrect outcome and thus deviate from the correct protocol. However, as shown in fk, no matter how much the prover deviates, the probability for the verifier to accept a wrong outcome is bounded. If the input to the protocol is already deviated from the ideal, one could expect that the soundness bound remains unchanged. The effect of a deviated input could be incorporated in the deviated actions of the prover. This is indeed the case when the input is uncorrelated with any external system and we can express the deviation as a CPTP map (see Lemma 7 for detailed proof).
In the general case, however, the deviated input could be correlated with subsystems controlled by adversaries. This deviation could be used by the prover to improve his cheating probability. Mathematically this is manifested by the fact that the prover’s action in the presence of initial correlations is not in general a trace preserving map. It can be expressed as a linear combination of a CPTP deviation and an inhomogeneous term which could be either positive or negative as shown in the correlations. In this case, we use the closeness of the input state to derive a bound of order for the norm of the inhomogeneous term. From linearity, and using the previous argument it follows that in the general case the soundness bound changes by at most (see Lemma 8 for detailed proof).
In the case of completeness, we are assuming the prover is honest. If we start with an close input state, because of the linearity of the operators involved, we will end up with an output state that is close to the ideal output (see Lemma 9 for detailed proof). ∎
A similar approach to Lemma 7 was used in vfk for defining approximate blindness, and in DFPR13 to prove universal composability for blind quantum computing protocols. However, to our knowledge, these results are not strong enough to cover the requirements for the composition with the RUV protocol. In vfk only the blindness property was examined while verifying the computation was not considered. In DFPR13 they considered localverifiability which does not take into account for example, the possibility of correlated attacks such as those that are possible when the two provers have a prearranged correlated strategy.
2.2 Composition
One of our main objectives is to construct a device independent version of the FK protocol. The first step, was to show that FK is robust. This property guarantees that if we have an input state that is only approximately the ideal one, the protocol continues to work. We can now break the task of achieving device independent FK into two parts, which we need to compose sequentially.

State Preparation  use a device independent protocol to prepare on the prover’s side a state which is close to the FK input.

Verified Delegated Computation  run the FK protocol with the prover that has the close input state (since robustness allows this).
The advantage of this technique is that we are free to use any protocol for state preparation as long as we have the guarantee of closeness. This is due to our strong robustness result, which shows that FK will work even if the deviation in the prepared state is correlated with the prover’s cheating strategy in the delegated computation stage. In this paper, we achieve state preparation using the deviceindependent state tomography subprotocol of RUV. This subprotocol has the closeness property that we require, as explained in ruv. The resulting composite protocol will have a better round complexity than the full RUV protocol for the verification of quantum computations. The complexity can be improved further if a more efficient state preparation protocol is used. Recently, in an independent work that simultaneously appeared with our arxiv version, a more efficient scheme for state preparation is proposed that is based on a selftesting approach joe rather than the rigidity of CHSH games ruv.
We first clarify some details of the RUV protocol, which are essential in understanding how our composite protocol will work. RUV uses the rigidity property of CHSH games to determine that the provers share multiple copies of the Bell state , which is determined. They can then use state tomography to verify the preparation of any other determined state. In particular, they use it to tomographically verify the preparation of a set of states which can be used to perform universal computation. They also describe how it is possible to extend the protocol in order to have full tomography with the operator as well ruv. However, because they are using the Bell state, it is only possible to fix the operator up to a sign change. That is, the provers can always choose to measure in either the or bases without being detected (this corresponds to complex conjugating the states with respect to their representations in the computational basis). In fact this problem has been noticed by others as well mckague; MM11. As explained in ruv, it is possible to force the provers to consistently choose either or for their measurements. This makes the resulting state prepared by state tomography close to either the ideal state or the complex conjugate of the ideal state.
At first glance it would seem that this could be problematic for the FK protocol. We would have to show that running the FK protocol with an input state that is close to the complex conjugated version of the ideal input would be detected by the verifier. Intuitively this is the case, since trap qubits are in the plane and complex conjugating them would lead to different measurement outcomes. We will not prove this and instead provide a simpler solution.
The problem stems from the fact that we are using the determined state. Let us instead consider the state . Using Theorem 2 from ruv, and the fact that has stabilizer generator set which belongs to we have that this state is determined.
Theorem 2.
ruv A stabilizer state is determined by any of its sets of stabilizer generators.
In principle it is possible to run a form of the RUV protocol in which we choose the CHSH games such that we rigidly determine that the provers share multiple copies of the Bell state instead of . Analogous to the previous case, the extended form of the protocol would then fix the operator up to a sign change (instead of the operator). This means that the provers can always perform a reflection about the plane with no noticeable changes. However, the plane states are invariant under such a reflection. We can therefore use this to prepare the input which will be used by the FK protocol. The only problem we encounter is that we also require the preparation of and states which act as dummy qubits in the FK protocol fk. As described in Protocol 1 these dummy qubits are measured in order to “break” the dottedcomplete graph into the computation graph and the two trap graphs. The problem is that the plane reflection has the effect of flipping the computational basis states (state becomes and state becomes ). However this deviation (flip) has to be applied globally otherwise it affects the statistics of the CHSH game and thus the verifier rejects ruv. Such a global flip is detected by the FK protocol. A formal proof is given in Lemma 10, Section 4, while below we give a sketch of the proof.
In the honest scenario for the FK protocol, the measurement of a dummy qubit in state introduces an additional correction to its neighbouring qubits (this is because we are using the controlled operation for entangling qubits). Hence in a malicious setting the effect that a flip has on a trap qubit with an odd number of neighbouring dummy qubits, leads to an extra operation. Such a flip changes a state to . Thus, the measurement of this trap qubit will deterministically fail and the verifier will detect this. On the other hand, since the verifier chooses the input, he can always pad the computation such that the overall graph has trap qubits with an odd number of neighbour dummy qubits. This is due to the fact that in a dottedcomplete graphs (Definition 2), some of the traps will have neighbouring dummy qubits. Therefore, if the size of the input computation is odd, the verifier need only pad the computation size to become .
Now we are in a position to construct the composite protocol which composes RUV with FK. We give a modified version of the state tomography protocol of RUV (see Protocol 3). Proof that Protocol 3 is valid verification protocol is given in Section 4. The purpose of this modification is to verifiably prepare the minimal resource states which are subsequently used as inputs for the FK protocol.
Assumptions
Let .
Let be a outcome projective measurement defined by the projectors:
and .
Let the tuple denote the measurements for prover and for prover that they need to perform on their halves on an entangled state when instructed by the verifier.
Sets of such tuples define CHSH games. For example the set defines the CHSH game.
Given , there are six such sets of CHSH games (two , two and two ) ruv.
For a suitable numbering of these games, let be the th CHSH game, .
Protocol
The verifier alternates uniformly at random between the following subprotocols:

CHSH games. Verifier referees sets of sequential CHSH games, such that each group of sets is one of the six possible CHSH types of games. Each set consists of games between prover and prover . For each group of CHSH games the verifier rejects if the two provers win less than:
of the games.

State tomography. Verifier chooses uniformly at random and also randomly chooses as one of the six possible CHSH games. Then he referees sets of games, sending the questions from the th set to prover , while running a state tomography protocol with prover . In this protocol prover is asked to prepare resource states by measuring his halves of the shared Bell states. This will collapse prover ’s states to the same resource states up to corrections. In the context of composition, these resource states will constitute the FK input. The verifier uses the measurement outcomes of prover to tomographically check this preparation. He rejects if the tomography statistics are inconsistent. In the end, if the verifier accepts, he concludes that with high probability prover has a state which is close in trace distance to the tensor product of resource states. The formal statement of this fact is given in Theorem 5, taken from ruv, and more precisely in Equation 42 from Lemma 12.
The composite protocol, given as Protocol 4, is the sequential composition of the modified state tomography of Protocol 3 with both provers followed by the FK protocol with prover . Note that since prover is involved in both state tomography as well as the FK protocol, the strong version of the robustness property is required. This is to address the effect of any potential correlated attacks where provers and have agreed in advance on a strategy. The deviations of prover , in the preparation stage, could be correlated with the deviations of prover during the computation stage (FK). This is the first rigorous proof of a protocol that involves lifting the FK protocol to the entangled provers setting. We give here the correctness and soundness of this protocol and show that it is more efficient than the RUV protocol (Theorem 3) while in Section 4 we give the proof of this theorem.
Theorem 3.
Assuming the verifier wants to delegate the computation of a quantum circuit of size , Protocol 4 is a MIP* verification protocol having completeness lower bounded by , soundness upper bounded by , where is the security parameter of the FK protocol, and round complexity , where there exists some constant such that .
While the obtained round complexity is an improvement over RUV (Lemma 2) it is still far from practical. However, we believe our approach serves as a proof of principle, that this type of composition can be beneficial. It also highlights where improvements could be made. It is the state tomography subprotocol that increases the round complexity, while the FK protocol has a relatively low complexity^{3}^{3}3Note that the round complexity of FK could be further reduced to linear, if one is willing to admit a higher upper bound for soundness.. The detailed proofs are given in Section 4.
2.3 Fault Tolerance
In constructing our composite verification protocol, we used the robustness of the FK protocol. Our last result is to characterise the difference between robustness and fault tolerance and to show that the FK protocol can be made fault tolerant using a topological error correcting code. Consequently, our composite protocol can also be made fault tolerant provided that the state tomography part is run on top of an error correcting code.
As mentioned before robustness is a protocol’s ability to continue to function given a deviated input. Fault tolerance is when a protocol functions correctly in the presence of error prone devices. The essential assumption for robustness is that the actual (multiqubit) input is close to its ideal value. Fault tolerant protocols, on the other hand, assume that errors can occur at each individual qubit. The faulty devices are usually represented by the action of a partially depolarizing channel: . Here is the probability of error, and the square brackets indicate the action of an operator. This leads to the following observation:
Lemma 3.
Let be a system of qubits. Assume each qubit goes through a partially depolarizing channel having probability of error . Let the state of the system, after all qubits have passed through the channel, be . We have that and there exist states for which .
This means that the deviation of an qubit system from the ideal input is not bounded by some constant amount. This is intuitively clear, since by adding more qubits, we introduce more errors and the state of the composite system is further from its intended value. In contrast to this, when considering robustness, the distance between the actual and ideal state is bounded by an arbitrarily small quantity. We will now address how can we do verification in an error prone setting.
Lemma 4.
Assume we run the FK protocol with traps and each qubit is subject to the action of a partially depolarizing channel having probability of error . Given the simplifying assumption that if a qubit is changed (through the action of an , or operator) it will produce an incorrect measurement outcome, the completeness of this protocol is upper bounded by .
Assumptions
The verifier wants to compute the execution of a measurement graph having qubits.
Both the verifier and prover’s devices are subject to noise modelled as a partially depolarizing channel
acting on the preparation of the qubits and the application of the quantum gates.
For single qubits the channel is described by:
(2) 
And for two qubit states by:
(3) 
Additionally assume , where is a threshold such that depolarizing noise bellow this threshold is corrected by the
topologically protected code from rhg.
Let denote a brickwork state encoding the graph and containing one trap qubit, as explained in fk.
Let denote a fault tolerant encoding of the graph using the topologically protected code from
rhg. The encoding is done as explained in topo, hence will be decorated lattices (see Figures 1, 2 in topo).
The index denotes the randomness in the angles for the encoding as chosen by the verifier.
Let , where
,
for some constants , and .
We will refer to as a sequence of encodings.
Protocol

The verifier chooses and constructs the random set .

The verifier prepares the qubits for the sequence and sends them to the prover along with instructions on how to construct .

The verifier sends measurement instructions to the prover in order to compute the executions of the encoded graphs.

The prover sends the measurement outcomes to the verifier.

Steps 3 and 4 repeat until the verifier either accepts or rejects.
The verifier rejects if any of the traps fail. He takes the outcome of the computation to be the majority outcome over all computations (graphs ).
It is evident that assuming faulty devices where each qubit behaves as if it crossed a partially depolarizing channel, the completeness of the protocol becomes exponentially small (as function of the number of traps). This is clearly unsatisfactory. The arguably simplest solution would be to alter the acceptance condition of the protocol. Since it is unlikely that all trap measurements succeed, even for honest prover, the verifier should accept a result if the traps that succeed are above some fixed fraction.
Lemma 5.
Assume we run a modified FK protocol with traps and each qubit is subject to the action of a partially depolarizing channel having probability of error . The modification is that the verifier accepts if there are fewer than mistakes at trap measurements, where is a suitably chosen small number. The completeness of this protocol is lower bounded by .
The above modification resolves the issue raised regarding the completeness bound. However, if we were to make such modification, we have the following consequence for the soundness of the protocol:
Lemma 6.
Assume we run a modified FK protocol with traps, qubits in total and each qubit is subject to the action of a partially depolarizing channel having probability of error . The modification is that the verifier accepts if there are fewer than mistakes at trap measurements, where is a suitably chosen small number. The soundness of this protocol is upper bounded by .
We can see that introducing a threshold of acceptance leads to an increased bound on soundness. Again, expected, since we allow the prover to tamper with some of the traps (and, by extension, with the computation as well) without rejecting the output. To solve these problems we need to use a fault tolerant code. The FK protocol already uses a fault tolerant code to encode the computation graph. However this is done in order to boost the value of the soundness parameter. The trap qubits are not encoded with the code (only the computation is). Thus we propose a modified FK protocol. This is described in Protocol 5. In this protocol we encode both computations and traps in a fault tolerant code and use sequential repetitions (also used in efk). This leads to our final main result:
Theorem 4.
Under the assumption of a faulty setting where qubit preparation and quantum gates are subject to partially depolarizing noise having bounded probability , Protocol 5 is a valid verification protocol having completeness , soundness upper bounded by , where is a constant such that . The protocol has round complexity .
The proof of this theorem (and previous lemmas) are given in Section 5. An important point to make is that the composite protocol we constructed can also be made fault tolerant. To achieve this the state tomography protocol should be run on top of a fault tolerant code. As mentioned in ruv, in principle, this is straightforward for blind, verified computation, since the provers can work on top of a quantum errorcorrecting code and entanglement can be distilled with the help of the verifier Sheng2015; distillation.
3 Proof of Robustness
In this section we prove the robustness of the FK protocol. We start by first proving a simpler result, namely the robustness of the protocol under the assumption that the input is uncorrelated with any external system. We then remove this assumption and use our results to prove the main theorem, necessary for the composition with the RUV protocol.
Lemma 7.
If the initial input state of the FK protocol is close to the ideal input state and uncorrelated with any external system, the soundness bound does not change.
Proof.
We will follow the same proof technique as in fk and show that the soundness bound does not change. This is done by incorporating the assumption of a deviated input into that proof. The outcome density operator of the protocol is denoted , where denotes the verifier’s choices of input variables and ranges over the prover’s choices of possible actions ( is the correct/honest action). If the outcome is incorrect it means that all of the traps have passed, but the computation is not correct. This is associated with the following projection operator fk:
(4) 
Here, is the ideal output state, and is the state associated with the trap qubits. Notice that we are projecting to a state in which the output is orthogonal to its ideal value, and the traps are correct. This expresses the fact that the verifier will accept an incorrect computation. The associated probability for that event is and can be expressed as:
(5) 
Which is a weighted average of the incorrect outcome probabilities (expressed by the trace operator) over all possible input states. The outcome density operator can be written as:
(6) 
Notice the following, as explained in fk:

We are tracing over the prover’s qubits;

We have denoted the joint state, comprised of the input and the prover’s qubits, as ;

ranges over the prover’s possible strategies ( is the honest strategy);

indicates the possible branches of computation parametrised by the measurement results sent by the prover to the verifier;

indicates corrections that need to be performed on the final, classical output due to the MBQC computation together with the random phase introduced by the verifier;

is the computation that we want the prover to do;

is the prover’s deviation from the desired computation;

are the corrections the prover applies to its quantum output depending on the measurement outcomes (as in the measurementbased model);
We now need to incorporate the approximate input state into this operator. We will not use the closeness of the deviated state to the ideal one, and prove a stronger result, that the soundness bound does not change regardless of the input state. Concretely, assume the deviated input is:
(7) 
Where is a CPTP map which represents any deviation from the ideal input state either from incorrect preparation, a malicious prover or faulty devices. This is equivalent to applying some unitary to the input state tensored with some environment qubits that are traced out. We can express this mathematically as:
(8) 
The joint system state becomes^{4}^{4}4Here and in the following expressions we’ve used the fact that the partial trace is linear and can therefore be moved outside.:
(9) 
Let us consider a new unitary . This allows us to rewrite the joint system state as:
(10) 
Since , the computation, is a unitary operator, there must exists some unitary such that . Substituting this into the previous expression gives us:
(11) 
Incorporating Equation 11 into the expression for in Equation 6 we obtain:
(12) 
The assumption of the lemma is that the input state is not correlated with any external system. Hence, the spaces and are independent. This means that the prover’s deviation, , is not acting on and therefore we can “push” the inner trace operator to the beginning of the equation. Also using the fact that , we obtain:
(13) 
We can now include the input deviation given by into the prover deviation , by considering . This is possible because we are bounding the probability over all possible deviations, , of the prover in the computation and all possible deviations, , from the preparation part. Thus, we can consider this to be a single, global, deviation given by .
(14) 
As a result, the above equation has the same form as the undeviated input scenario of Equation 6. This makes sense since all we have done is to incorporate the deviation of the input into the prover’s cheating strategy. The original proof continues as it is in fk, and the bound remains unchanged
(15) 
∎
The type of robustness guaranteed by this lemma is not sufficient to prove the security of any protocol that composes RUV with FK. For example if we use prover of RUV to prepare the input of the FK protocol for prover , this input is in general correlated with prover ’s system. To address this issue, we use from ruv the following corollary of the gentle measurement lemma and the special Kraus representation in the presence of initial correlations given in correlations.
Corollary 1.
ruv Let be a state on , and let be a pure state on . If for some , , then
(16) 
Lemma 8.
If the initial input state of the FK protocol is close to the ideal input state the soundness bound changes by at most .
Proof.
Consider a composite correlated state where systems and are not communicating and let and . If is used as input for the FK protocol, the existence of correlations (not present in the previous lemma) can be exploited by an adversarial prover. Hence the deviation can no longer be expressed as a CPTP map over this subsystem. As it is shown in correlations, in presence of initial correlations defined as:
(17) 
the evolution of the subsystem is the following:
(18) 
Here is a CPTP map and is an inhomogeneous term which is added to the CPTP evolution due to the presence of initial correlations. In addition we have the following property:
(19) 
We can see that substituting in the outcome density operator of the FK protocol gives different soundness bound than the one in Lemma 7. The difference stems from the extra term. However we can use the fact that is close to the ideal state (lemma assumption) to show that the norm of is at most of order . To prove this we first find a bound for the norm of , and since is just a CPTP map applied to it follows that the norm of has the same bound. Moreover, the action of the FK protocol can be modelled as a CPTP map, therefore acting on will not increase the norm. It follows that the overall soundness bound changes by at most .
If we denote the ideal state as , we know that:
(20) 
It is also known, from the relationship between fidelity and trace distance, that:
(21) 
Combining these two yields:
(22) 
Recall that , using Equation 22 and Corollary 1 (where is substituted with and with ) we have:
(23) 
The trace norm of is simply the trace distance between and as can be seen from the definition. Using the triangle inequality, we have:
(24) 
For the last term, using the additivity of trace distance with respect to tensor product, we get:
(25) 
Combining these last three inequalities we obtain:
(26) 
Since , the bound is of order . We have therefore bounded the norm of and thus the norm of .
We can now take our expression for the deviated input from Equation 18 and substitute it into Equation 8, from Lemma 7. Since trace is a linear operation, it will result in the addition of an inhomogeneous term to each equation that involves the outcome density operator. But since the inhomogeneous term has bounded trace norm, and the action of the outcome density operator is trace preserving, it follows that we obtain the same bound as in Lemma 7 with the addition of an extra term of order . This concludes the proof. ∎
Lemma 9.
If the initial input state of the FK protocol is close to the ideal input state, the completeness is lower bounded by .
Proof.
In the simplest sense, the FK protocol can be abstractly thought of as a CPTP map , that takes some input state to an output state. Since we are assuming the prover is honest, the output state will be . However, this is in the case where the input is assumed to be ideal. We are dealing with a deviated input, hence our output state will be . Writing these out explicitly we have:
(27) 
(28) 
Where, is the deviated input, and by assumption
(29) 
Note that in the following we do not need to consider non CPTP map evolution since the provers are assumed to behave honestly. Hence even in the presence of initial correlation, the subsystem will evolve according to the desired CPTP map of the protocol. However CPTP maps cannot increase the trace distance, which leads to:
(30) 
This also applies for projection operators and if in particular we consider , the projection onto the correct output state, we also have that:
(31) 
Next we use the reverse triangle inequality, which gives us:
(32) 
And since we are dealing with positive definite operators, we know that:
(33) 
(34) 
But (the completeness when we have ideal input), so:
(35) 
Lastly, because , we get:
(36) 
Thus, the probability of accepting a correct outcome, under the assumption that the input state is close to the ideal input, is greater than . ∎
It is now easy to see that the Proof of Theorem 1 follows directly from Definition 3 and Lemmas 8 and 9. Having the robustness property, the FK protocol can receive an input, which is close to its ideal value, from another protocol. As we have shown, even if this input is correlated with an external system, we can still perform the verification as long as we have closeness.
4 Proof of Compositionality
To prove the security of the composite protocol (Theorem 3), we first need to prove that the FK protocol rejects with high probability a state close to a reflection about the plane (Lemma 10). Then we prove that the modified state tomography protocol (Protocol 3), satisfies the closeness property required by the (robust) FK. This is achieved by showing Lemmas 11 and 12. Finally we give the proof of Theorem 3.
Lemma 10.
If the initial input state of the FK protocol is close to a reflection about the plane of the ideal input state, the protocol will reject it with high probability.
Proof.
First we note that the input to the FK protocol consists of plane states and dummy qubits which are either or . The plane states are invariant under the reflection, while the dummy states will be flipped. Assume that there is a trap that has an odd number of (dummy) neighbours. The verifier knows that he sent the state and expects to make a correction if the number of neighbours is odd. However, if instead of what the verifier expects, there is an overall reflection with respect to the plane, then for each of the neighbours of the trap there will be a new correction (the will become inducing a , while the will become undoing the previous correction, which is equivalent with another correction since ). Therefore, if the neighbours of a trap are odd in number, he will expect the exact opposite result and will deterministically detect the deviation. For this to happen it suffices that the verifier makes sure that at least one trap has odd number of neighbours, something that can be easily achieved. Therefore, the FK protocol will always reject the reflected ideal input state. Given that the input is close to this, we have shown in Lemma 8 that the outcome density operator changes by at most from its ideal value. Thus, the output state is close to the reflected ideal input state. It follows that the protocol will reject this state with at most probability . ∎
In proving the correctness of our protocol we first need to show the correctness of the modified state tomography protocol. Here we focus on the main results that we use for showing the correctness and security of this protocol. We start with a theorem from ruv:
Theorem 5.
ruv Fix a complete, orthonormal set of qubit determined pure states. For a sufficiently large constant and for sufficiently large , let and . Let be a list of distinct indices. Consider a combination of the following two protocols between the verifier, Eve, and the provers, Alice and Bob:

CHSH games: In the first protocol, Eve referees sequential CHSH games. She accepts if
(37) 
State tomography: In the second protocol, Eve chooses uniformly at random. She referees CHSH games. For the th set, she referees a state tomography protocol with parameters , , , and . She accepts if the following criteria are satisfied:
(38a) (38b)
The combined protocol satisfies the following completeness and soundness conditions:
 Completeness:

If Alice and Bob use shared EPR states to play the CHSH games according to an ideal strategy, and if Bob uses an ideal strategy with respect to the projections on the th set of EPR states in the state tomography protocol, then in both protocols,
(39)  Soundness:

Assume that for both protocols, . Let be Alice’s state in the second protocol after games and conditioned on Bob’s messages
. Then there exists an isometry such that letting be reduced to Alice’s qubits ,(40) Here, the probability is over , the first games and .
We give the following corollary to this theorem:
Corollary 2.
By changing the measurement operators accordingly, a state tomography protocol for qubit determined (determined) states exists, and achieves the same completeness and soundness bound as the one from Theorem 5.
Proof.
As mentioned, if we consider the extended CHSH game (comprising of CHSH games) and try to rigidly determine the existence of a tensor product of states, we can fix the strategies of the provers up to an plane reflection. In particular, the results of an state tomography in the original setting hold here for () tomography. Therefore, it is possible to certify the preparation of qubit determined (determined) states. ∎
We can now present the main lemma proving that Protocol 3 is a verification protocol.
Lemma 11.
Protocol 3 has completeness lower bounded by and soundness upper bounded by .
Proof.
According to corollary 2, the six state tomography protocols that constitute Protocol 3 are valid verification protocols achieving the same bounds for completeness and soundness as the original protocol from Theorem 5. We will ignore the case of plane reflections since, as we have shown in Lemma 10, these are detected with overwhelming probability by the FK protocol. These protocols can be “stitched” together in the same way the subprotocols of the RUV protocol are stitched together. In fact, our case requires a much simpler analysis since the six state tomography protocols are independent of each other. This means that in each subprotocol, the verifier is not basing his questions on the results of any previous subprotocol. This nonadaptive technique contrasts the RUV protocol in which the questions were adaptive. In the case of honest provers, the verifier accepts if all subprotocols succeed. For each one, we know from Theorem 5 that the probability of acceptance is , hence for the whole protocol the probability of acceptance is . Thus, we see that the completeness bound remains unchanged. For soundness, assuming the provers are dishonest we know, again from Theorem 5, that the probability of accepting an incorrect outcome is . In our protocol, the provers can be dishonest in any of the six subprotocols, therefore, by a union bound the probability of accepting an incorrect outcome is . Therefore, we can say that the soundness of our protocol is upper bounded by . ∎
We are now able to give the proof of our main result (Theorem 3) which concerns the properties of the composite protocol (Protocol 4). To do this, we require an additional property.
Lemma 12.
Assume the verifier wants to prepare a state consisting of tensor products of qubits which are all determined in either the , or bases. A successful run of Protocol 3 certifies that, prover has a state such that and are close in trace distance.
Proof.
The proof is partially given in ruv. In the state tomography protocol, a prover prepares multiple copies of a resource state. In ruv it is stated that if the verifier accepts, then, with high probability, a subset of states of the prover are close in trace distance to copies of the resource state.
The soundness condition of Theorem 5 states that:
(41) 
It is shown in ruv that this condition translates to the fact that with probability at least we have:
(42) 
Where is uniformly random subset of size . If we denote as , as , as and as then the state , that prover has, is:
(43) 
We can see that, for sufficiently large , the values of and tend to . Consequently, approaches and approaches the ideal state, . Computing the trace distance between and , we obtain:
(44) 
And using inequality 42, we have: