Constant-Round Blind Classical Verification of Quantum Sampling

arXiv:2012.04848v1 [quant-ph] 9 Dec 2020 rn o 31,adMS CpoetudrGatn.MS 108- MOST no. Grant under project QC MOST and 23-17, no. Grant elwhpfo h SDprmn fDefense. of Department US the from Fellowship 869,adCF1487(CAREER). CCF-1942837 and 1816695, osatrudBidCasclVrfiaino unu Sam Quantum of Verification Classical Blind Constant-round 4 etrfrQatmIfrainadCmue cec,Universit Science, Computer and Information Quantum for Center ∗ † ‡ § eateto optrSine nttt o dacdCompu Advanced for Institute Science, Computer of Department [email protected] okwsdn npr hl the while part in done was work This [email protected]. [email protected] ato hswr a oewiesupp while done was work this of Part [email protected]. w@sudeu atal upre yteUS ainlS National U.S. the by supported Partially [email protected]. [email protected] h 20 the by supported Partially [email protected]. rpry ecnrbt ffimtv ouin obt sfollows. as both to solutions affirmative contribute general We more property. the with work, CVQC this of In ity assumptions. computational under prover quantum in(VC rtclfracasclcin odlgt eiinprob decision delegate to client classical a for protocol (CVQC) tion VCpooo for protocol CVQC u apigproblems sampling tum pro CVQC Mahadev’s of) repetition parallel (a to compiler our Applying Keywords: SampBQP • • 3 narcn ratruh aae osrce lsia ver classical a constructed Mahadev breakthrough, recent a In eateto optrSine ainlTigHaUiest,T University, Hua Tsing National Science, Computer of Department o ahn erigadqatmspeaytss,w ntaethe initiate we tasks), problems supremacy sampling quantum quantum and learning (e.g., applications machine quantum many for of nature sampling the by Motivated o a for hthsbe nesvl tde o h eeaino unu com quantum of highly delegation powerful a the yet is for It simple studied a input. intensively client’s been the about has blind, that is hence and nothing, learns ae ntequantum the on based hl rsrigiscmltns n onns rosa ela t as well as errors soundness and completeness its preserving while The eosrt t esblt ycntutn ormsaeCQ p CVQC four-message a constructing by feasibility its demonstrate output circuit quantum a a-i Chung Kai-Min blindness epciey ihngiil opeeesadsudeserrors. soundness and completeness negligible with respectively, SampBQP ,2 1, z lsia eeaino unu optto,bidqatmcomput quantum blind computation, quantum of delegation classical nttt fIfrainSine cdmaSnc,Taiwan Sinica, Academia Science, Information of Institute ← C SampBQP ( fCQ rtcl eest rpryo h rtclweeth where protocol the of property a to refers protocols CVQC of x pt ml ro,fo t neato iha nrse prover untrusted an with interaction its from error, small a to up ) rbe,tepoe n h eie r ie ninput an given are verifier the and prover the problem, C n h olo h lsia leti olanasml rmthe from sample a learn to is client classical the of goal the and , generic ∗ erigWt Error With Learning 1 ilstefirst the yields iLee Yi , dntdby (denoted oplrta rnfrsayCQ rtclt ln one blind a to protocol CVQC any transforms that compiler sampling † 2 a-sa Lin Han-Hsuan , Abstract constant-round rbesi Q n ihtedesirable the with and BQP in problems SampBQP 1 assumption. 9Aaei iiaCre eeomn wr under Award Development Career Sinica Academia 19 uhrwsalae oNtoa awnUniversity. Taiwan National to affiliated was author re ySotArno’ anvrBs Faculty Bush Vannevar Aaronson’s Scott by orted .Mr rcsl,i VCprotocol CVQC a in precisely, More ). ineFudto rn C-750,CCF- CCF-1755800, grant Foundation cience 2627-E-002-001. ln VCpooo for protocol CVQC blind ‡ 3 n ioiWu Xiaodi and , eepoefrhrtefeasibil- the further explore we fiaino unu computa- quantum of ification esin lems enme frounds. of number he oo for tocol ooo for rotocol uain eprovide We putation. e tde,adJoint and Studies, ter BQP fMrln,USA Maryland, of y unu algorithms quantum td fCQ for CVQC of study eial property desirable x oa untrusted an to { ∈ BQP to,quan- ation, § 4 0 aiwan SampBQP , BQP blindness prover e 1 n our and } n We . and and pling 1 Introduction

Can quantum computation, with potential computational advantages that are intractable for classical computers, be efficiently verified by classical means? This seeming paradox has been one of the central problems in quantum complexity theory and delegation of quantum computation [1]. From a philosophical point of view, this question is also known to have a fascinating connection to the falsifiability of quantum mechanics in the high complexity regime [8]. A complexity-theoretic formulation of this problem by Gottesman in 2004 [1] asks about the possibility for an efficient classical verifier (a BPP machine) to verify the output of an efficient quantum prover (a BQP machine). In the absence of techniques for directly tackling this question, earlier feasibility results on this problem have been focusing on two weaker formulations. The first type of feasibility results (e.g., [6, 15,21,22]) considers the case where the BPP verifier is equipped with limited quantum power. The second type of feasibility results (e.g, [19, 23, 26, 39]) considers a BPP verifier interacting with at least two entangled, non-communicating quantum provers. In a recent breakthrough, Mahadev [33] proposed the first protocol of Classical Verification of Quantum Computation (CVQC) whose soundness is based on a widely recognized computational assumption that the learning with error (LWE) problem [38] is hard for BQP machines. The technique invented therein has inspired many subsequent developments of CVQC protocols with improved parameters and functionality (e.g., [9,17,24]). On the other side, there are known complexity-theoretic limitations on the feasibility of blind CVQC in the information-theoretical setting (e.g. [4]). With the newly developed techniques, we revisit the classical verification of quantum computation problems from both a philosophical and a practical point of view. We first observe that the sampling version of BQP (e.g., the class SampBQP formulated by Aaronson [2]) might be a more appropriate notion to serve the purpose of the original problem. Philosophically, the outcomes of quantum mechanical experiments are usually samples or statistical information, which is well demonstrated in the famous double-slit experiment. Moreover, a lot of quantum algorithms from Shor’s [42] and Grover’s [25] algorithms to some recent developments in machine learning and optimization (e.g. [14, 30, 43]) contain a significant quantum sampling component. The fact that almost all quantum supremacy tasks (e.g., [3,10,40]) are sampling ones also suggests the relevance of delegation for quantum sampling problems. It is worthwhile noting that there is a simple reduction of the delegation of classical sampling problems to decision ones: for example, the verifier can fix a seed for pseudo-randomness, send it to the prover, and then the sampling outcome can be computed bit-by-bit under this pseudo-random seed in a deterministic way. As such, classical literature of delegation of computation primarily focuses on the delegation of decision problems. Unfortunately, it is unclear how to make this de- randomization trick work for the delegation of SampBQP, as randomness in quantum computation inherently comes from quantum mechanics rather than classical probability theory. Thus, it seems that the delegation of SampBQP needs to take a different technical route. The first and important step in the case of SampBQP is to identify an appropriate definition of corresponding CVQC protocols. In contrast to the single-bit Accept/Reject information for the decision BQP, any SampBQP problem needs to always output a sample of the desired distribution. In the context of CVQC protocols, it means that the protocol should allow the verifier to generate the desired output sample whenever the protocol accepts. Of course, when the prover cheats, the verifier will reject and no further output is required in that case. Intuitively, the soundness should require that the verifier V should never be “cheated” to accept and output an incorrect sample even when interacting with a malicious prover. A natural attempt is to directly apply Mahadev’s CVQC protocol [33] for SampBQP. Note that Mahadev’s protocol consists of the so-called testing round, where the prover’s behavior is tested,

2 and the Hadamard round, where measurement outcomes are generated. Indeed, some nice features of the Hadamard round, e.g., allowing X-Z measurements on any qubit, suggest the feasibility of generating multi-bit measurement outcomes with the protocol. However, the requirement that the verifier needs to output a sample whenever accepting also exposes one drawback of Mahadev’s protocol: while it is possible, as we will show, to generate desired output samples in the Hadamard round, it is however unclear how to generate such a sample when the protocol accepts in the testing round, since the sampling information stored in the quantum state will be disturbed by the testing step. Note that this difficulty is essentially due to the different requirements between the definitions of CVQC protocols for the decision and the sampling problems. Another desirable property of CVQC protocols is the blindness where the prover cannot distinguish the particular computation in the protocol from another one of the same size, and hence is blind about the client’s input. Historically, blindness has been achieved in the weaker formulations of CVQC based on various techniques: e.g., the measurement-based quantum computation exploited in [15], the quantum authentication scheme exploited in [6], and the self-testing technique exploited in [39]. Moreover, the blindness property is known to be helpful to establish the verifiability of CVQC protocols. However, this is never an easy task. See for example the significant amount of effort to add verifiability to blind computation protocol in [22]. It is also known that another important primitive called the Quantum Fully Homomorphic Encryption (QFHE) [16,20,29,31,35,36] should be helpful for establishing blindness: this is intuitive since QFHE allows fully homomorphic operations on encrypted quantum data. Indeed, in another paper [31], Mahadev constructed the first leveled QFHE based on similar techniques and computational assumptions from [33]. The constructed QFHE automatically implies a blind CVQC protocol, however, without verifiability. Extending this protocol with verifiability seems challenging as hinted by failed attempts in Section 2.2.2 of Mahadev’s Ph.D. thesis [32]. In fact, most existing blind and/or verifiable protocols for delegation of quantum computation require a notable amount of effort in achieving each property respectively. The only successful CVQC protocol [24] of achieving both so far applies Mahadev’s technique [33] to the measurement- based quantum computation, whereas the analysis is still very specific to the construction. Could there be a generic way to achieve blindness and verifiability for CVQC protocols at the same time, say by leveraging the state-of-the-art CVQC [33] and QFHE [31] protocols? Contribution. We provide affirmative solutions to both of our questions. In particular, we demonstrate the feasibility of the classical verification of quantum sampling by constructing a constant-round CVQC protocol for SampBQP, based on the quantum LWE (QLWE) assumption that the learning-with-error problem is hard for BQP machines. SampBQP is the sampling version of BQP formulated by Aaronson [2]. Formally, SampBQP consists of sampling problems (Dx)x 0,1 ∗ that can be approximately sampled by a BQP machine with an inverse polynomial accuracy.∈{ See} Section 3 for further discussions on SampBQP and the precise definition of CVQC for SampBQP.

Theorem 1.1 (informal). Assuming the QLWE assumption, there exists a four-message CVQC protocol for all sampling problems in SampBQP with negligible completeness error and computational soundness.

Our second contribution is a simple yet powerful generic compiler that transforms any CVQC protocol to a blind one while preserving verifiability, building on top of QFHE. Precisely, we leverage QFHE (especially the one from [31]) to transform any CVQC protocol to a blind one with the same number of round communication, while preserving completeness and soundness properties. As a result, one can upgrade every verifiable CVQC protocol with blindness almost for free with the help of QFHE. Conceptually, we take a very different approach from previous ones (e.g., [22] as well

3 as failed attempts in [32]) which use the blindness as the start point and then work to extend it with verifiability. Instead, our strategy is to simulate a (verifiable) CVQC protocol under QFHE per each message. To that end, we do require a special property of QFHE that the classical part of the ciphertext can be operated on separately from the quantum part, which is satisfied by the construction from [31]. Our construction makes a modular use of QFHE and only requires a minor technicality in the analysis, which will be explained below.

Theorem 1.2 (informal). Assuming the QLWE assumption, there exists a protocol compiler that transforms any CVQC protocol Π to a CVQC protocol Πblind that achieves blindness while preserves its round complexity, completeness, and soundness.

As a simple corollary of combining both results above, we achieve a constant-round blind CVQC protocol for SampBQP.

Theorem 1.3 (informal). Assuming the QLWE assumption, there exists a blind, four-message CVQC protocol for all sampling problems in SampBQP with negligible completeness error and computational soundness.

We also construct the ﬁrst blind and constant-round CVQC protocol for BQP by applying our compiler to the parallel repetition of Mahadev’s protocol for BQP from [9,17].

Theorem 1.4 (informal). Assuming the QLWE assumption, there exists a blind, four-message CVQC protocol for all languages in BQP with negligible completeness and soundness errors.

To the authors’ best knowledge, we are the first to study CVQC protocols for SampBQP and establish a generic compiler to upgrade CVQC protocols with blindness. Our result also entails a constant-round blind and verifiable CVQC protocol for BQP. The closest result to ours is by Gheorghiu and Vidick [24] which shows such a CVQC protocol for BQP, however, with a polynomial number of rounds. Their protocol was obtained by first constructing a remote state preparation primitive and then combining it with an existing blind and verifiable protocol [22] where the verifier has some limited quantum power. Our technical approach is quite different and seems incomparable. Techniques. Let us revisit Mahadev’s CVQC protocol [33] first for some technical background. Following [33], we formally define QPIPτ as classes of CVQC protocols where τ refers to the size of (local) quantum memory in the possession of the classical verifier, or equivalently, the limited quantum power of the verifier1. A precise definition is given in Section 2.2. It is known that BQP can be efficiently verified by a classical verifier that can perform a single qubit X or Z measurement [21, 34], by reducing any BQP problem to a local Hamiltonian problem where each term consists of X and Z only. This leads to a QPIP1 protocol for BQP. The main contribution of Mahadev [33] can hence be deemed as a way to compile this QPIP1 protocol into a QPIP0 protocol (i.e., with a fully classical verifier). Precisely, to leverage Mahadev’s construction, one needs to start with a QPIP1 protocol with very small completeness and soundness errors, which will then be compiled into a QPIP0 protocol with a small completeness error, but a close-to-1/2 soundness error under the QLWE assumption2. This large soundness error is due to the current structure of Mahadev’s protocol that consists of the testing round and the Hadamard round, each of which happens with a half chance. At a high

1Intuitively, the size of local quantum memory limits the size of qubits that a general (entangled) quantum operation can be operated on at the same time. However, the veriﬁer is still able to operate on all the qubits in a streaming fashion: i.e., receive the qubits sent from the prover and discard some local qubits in the case of overﬂow. 2Mahadev only proved soundness error close-to-3/4 for her protocol, but it was later proved [9,17] that her protocol actually achieves close-to-1/2 soundness error.

4 level, the protocol verifies the behavior of the prover in the testing round, while assumes that the prover behaves honestly and all the X-Z measurements are correct in the Hadamard round. The soundness is obtained by observing that the dishonest prover cannot cheat in both rounds, while cheating in one round alone is possible which leads to a large soundness error. This less desirable soundness error, as well as other parameters, has been subsequently improved in [9,17] by a parallel repetition of Mahadev’s original CVQC protocol in the computational setting. As we mentioned earlier that an appropriate definition of CVQC for SampBQP is needed to capture the intuition that the verifier should always output the desired sample whenever accepts, but should never be ”cheated” to accept and output an incorrect sample when interacting with a malicious prover. We formalize this by a strong simulation-based definition (Section 3), where we require that the joint distribution of the decision bit d Acc, Rej and the output z (which is ∈ { } when d = Rej) is ǫ-close (in either statistical or computational sense) to an “ideal distribution” ⊥ (d, z ), where z is sampled from D when d = Acc and set to when d = Rej. ideal ideal x ⊥ To the best of our knowledge, we are the first to formally define the delegation of quantum sampling problems. We also note that while several constructions in the relaxed models (e.g., verifiable blind computation [22]) can be naturally generalized to delegate quantum sampling problems and allow the verifier to learn multi-bit outputs, it seems non-trivial to show that these constructions achieve the simulation-based soundness property we defined. Proving the soundness of these constructions for delegating SampBQP is an interesting open question. The requirement that the verifier needs to output a sample when accepts makes a direct application of Mahadev’s protocol infeasible for SampBQP. As a result, in order to construct a QPIP0 protocol for SampBQP, one needs to (1) construct a QPIP1 protocol for SampBQP with very small completeness and soundness errors, and (2) amend Mahadev’s construction so that the protocol will generate the desired sample whenever it accepts. Our contribution is a solution to address the above two technical challenges.

Construction of a QPIP0 protocol for SampBQP. Following the aforementioned outline, our construction can be divided into three key technical steps. Reducing SampBQP to the local Hamiltonian problem: We will continue to employ the local ⋄ Hamiltonian technique [28] and its ground state (known as the history state) as a key technical ingredient to certify the SampBQP circuits. Recall that the QPIP1 protocol for BQP in Mahadev’s construction also comes from a reduction of BQP to a X-Z-only local Hamiltonian problem. However, there are important differences between the cases for BQP and SampBQP. Recall that the original construction of local Hamiltonian H for BQP (or QMA) contains two parts H = Hcircuit + Hout. Roughly speaking, Hcircuit helps guarantee its ground space only contains valid history states with the correct input and circuit evolution, while Hout’s energy encodes the 0/1 output for BQP circuits. Thus, the outcome of a BQP instance can be encoded by the ground energy of H. In the case of SampBQP, one needs to output both Accept/Reject information as well as a sample from the desired distribution if the protocol accepts. To that end, one hopes to certify the validity of the entire history state which is the ground state of Hcircuit, rather than the ground energy of Hcircuit only. Namely, we want to rule out the existence of any state that is far from the history state but its energy (respect to Hcircuit) is very close to the ground one. One nature approach, also ours, is to make the unique valid history state lie in the ground space of a slightly different local Hamiltonian Hcircuit′ that has a large spectral gap between its ground energy and excited ones. It is hence guaranteed that any state with a close-to-ground energy must also be close to the history state. In other words, a certification of the energy Hcircuit′ could lead to a certification of the history state, which in turn helps us generate the desired sample. We construct

5 such Hcircuit′ from Hcircuit by using the perturbation technique (e.g., [27]) with a further restriction to X/Z terms. (Section 4.1.) A QPIP protocol for SampBQP: A certification protocol for the history state, however, is in- ⋄ 1 sufficient to imply a QPIP1 protocol for SampBQP directly. Intuitively, we face a similar dilemma as we described above about Mahadev’s protocol: we can either employ the certification protocol on Hcircuit′ to do the test, or to measure the history state to generate the desired outcome, but not both at the same time since the testing protocol would disturb the measurement outcome. To resolve that, we design a cut-and-choose protocol on multiple copies of the history state so as to separate the testing and the outputting parts on separate copies of history states. The prover in the real protocol, of course, won’t necessarily send copies of history states. Thus, to leverage the aforementioned intuition, one needs to avoid entanglement among these copies to obtain some sort of independence. We employ the quantum de Finetti theorem to address this technical challenge. Specifically, given any permutation-invariant k-register state (where each register could contain many qubits), it is known that the reduced state on many subsets of k-register will be close to a separable state. Typically, for favorable error bounds, the parameter k could be as large as the dimension of a single register, which is exponential in our context and hence undesirable. Fortunately, since there is no entangled operation in the protocol to perform on two copies of history states, one can employ an efficient variant of the quantum de Finetti theorem [13] whose error bound depends poly-logarithmically on the dimension of the register, which leads to an efficient QPIP1 protocol for SampBQP. We can further achieve very small completeness and soundness errors in this way to satisfy the premise of Mahadev’s compilation. Note that the established QPIP1 protocol is information-theoretically sound without any computational assumption. (Section 4.2.) Compile QPIP into QPIP after parallel repetition: We now discuss how to use Mahadev’s ⋄ 1 0 measurement protocol to compile the above QPIP1 protocol for SampBQP to a QPIP0 protocol. As mentioned, a major issue we need to address in Mahadev’s original construction is that when the verifier V chooses to run a testing round, V does not learn an output sample when it accepts. Specifically, let Πint be an “intermediate” QPIP0 protocol obtained by applying Mahadev’s compilation to the above QPIP1 protocol. Namely, when V chooses to run the Hadamard round, it could learn a measurement outcome from the measurement protocol and be able to run the QPIP1 verifier to generate a decision and an output sample when accepts. However, when V chooses to run the testing round, it only decides to accept/reject without being able to output a sample. Similar to the above cut-and-choose idea for QPIP1, a natural idea to fix the issue is to execute 3 multiple copies of Πint in parallel , and to choose a random copy to run the Hadamard round to generate an output sample and use all the remaining copies to run the testing round. The verifier accepts only when all executions accept and outputs the sample from the Hadamard round. Let us call this protocol ΠFinal. Clearly from the construction, the verifier now can output a sample when it decides to accept, and output a correct sample when interacting with an honest prover (completeness). The challenge is to show that ΠFinal is computationally sound. Note that now we are in the computational setting, we cannot use the quantum de Finetti theorem as above since it only holds in the information-theoretical setting. Furthermore, parallel repetition for computationally sound protocols are typically difficult to analyze, and known to not always work for protocols with four or more messages [11, 37]. Fortunately, parallel repetition of Mahadev’s protocol for BQP has been analyzed before in

3It is also reasonable to consider sequential repetition, but we consider parallel repetition for its advantage of preserving the round complexity.

6 [9,17] with interestingly different proofs. Both works showed that m-fold parallel repetition reduces m the soundness error to 2− for BQP by relying on special properties of Mahadev’s protocol. It is worth comparing the parallel repetition of Mahadev’s protocol for BQP and SampBQP. For BQP, the verifier simply chooses to run the Hadamard and testing rounds independently for each repetition. In contrast, our ΠFinal runs the Hadamard round in one repetition and run the testing round in the rest. The reason is that in SampBQP, as well as generically in sampling problems, there is no known approach to combine two samples learned from two Hadamard-round executions to generate one sample with much better parameters, i.e., no generic error reduction method for the sampling problem. In contrast, the error reduction for decision problems can be done with the majority vote. As a result, while the soundness error decreases exponentially for BQP, as we see below (and also in the above QPIP1 protocols), for SampBQP, m-fold repetition only decreases the error to poly(1/m). We rely on the technique developed in [17] to analyze the soundness of ΠFinal. Intuitively, Mahadev’s protocol has the property that if a malicious prover P ∗ knows the answer to pass the testing round, then it must be “committed” to a state ρ in the sense that the verifier V learns the X/Z measurement outcome of ρ in the Hadamard round (in a computational sense). Thus, the soundness of the underlying QPIP1 protocol ensures that V learns a correct sample when it accepts. In short, when P ∗ knows the testing round answer, P ∗ cannot “cheat” in the Hadamard round. The work of [17] formalizes this intuition by a partition lemma, which roughly says that there is an efficient projection that partitions the prover’s internal quantum space into a “known-answer” subspace S1 where P ∗ knows the answer to the testing round, and a “not-known-answer” subspace S where P does not know the answer to the testing round. For (efficient) prover’s states ψ S , 0 ∗ | i∈ 1 the verifier V can produce a sound output in the Hadamard round. For (efficient) prover’s states ψ S , the verifier V rejects in the testing round with high probability. The work of [17] used | i ∈ 0 this partition lemma iteratively to each instance of the repetition to show that for a no instance x for any (efficient) prover’s state ψ , the probability that V accepts is at most roughly 2 m. | i − We apply the partition lemma iteratively to the prover’s state similarly to [17], but with significant differences to show the soundness of ΠFinal for SampBQP. In particular, extra care is required to reason about the computational indistinguishability of the verifier’s output sample from the correct distribution Dx. To gain some intuition, let us apply the partition lemma to the prover’s state ψ with respect to the first coordinate, which decompose ψ = ψ + ψ with ψ S | i | i | 0i | 1i | 0i ∈ 0 and ψ S , respectively. Intuitively, the ψ component will be rejected whenever the first co- | 1i∈ 1 | 0i ordinate runs the testing round, but the verifier may be “cheated” to accepted incorrectly when the first coordinate runs the Hadamard round, which happens with probability 1/m and is where the error come from. For the ψ component, V will produce a sound output if it runs the Hadamard | 1i round at the first coordinate. For the case that V chooses to run the testing round at the first coordinate, we can analyze it by further applying the partition lemma to ψ with respect to the | 1i second coordinate, and repeat the analysis, and so on. The intuitive analysis outlined above grosses over many technical details, and we substantiate this outline with full details in Section 5. It is worthwhile mentioning that we came to notice some online discussion4 on the possibility of a CVQC protocol for SampBQP after we developed our own result. These comments suggested a possible reduction of SampBQP to the local Hamiltonian problem following a similar high-level idea as our solution, however, with no detail and a seemingly different technical route. More importantly, the issue that the verifier does not generate outputs in the testing round seems to be overlooked and not discussed there.

A generic compiler to upgrade QPIP0 protocols with blindness. At a high-level, the idea is

4https://www.scottaaronson.com/blog/?p=3697, e.g., comment #25, #26, #42, #48.

7 simple: we run the original protocol under a QFHE with the verifier’s key. Intuitively, this allows the prover to compute his next message under encryption without learning the underlying verifier’s message, and hence achieves blindness while preserving the properties of the original protocol. One subtlety with this approach is the fact that the verifier is classical while the QFHE cipher text could depend on both quantum and classical data. In order to make the classical verifier work in this construction, the ciphertext and the encryption/decryption algorithm need to be classical when the underlying message is classical, which is fortunately satisfied by [31]. A more subtle issue is to preserve the soundness. In particular, compiled protocols with a single application of QFHE might (1) leak information about the circuit evaluated by the verifier through its outputted QFHE ciphertexts (i.e., no circuit privacy); or (2) fail to simulate original protocols upon receiving invalid ciphertexts from the prover. We address these issues by letting the verifier switch to a fresh new key for each round of the protocol. Details are given in Section 6. Open Questions. Our main focus is on the feasibility of the desired functionality and properties, which nevertheless leaves room for the improvement of parameter dependence. Some of our parameter dependence inherits from previous works (e.g. [33]), whereas some is due to our own construction where we didn’t mean to identify the best possible parameter dependence. It will be extremely interesting to improve the parameter dependence with potentially new techniques. Organization. We provide preliminaries on technical background in Section 2. Our simulation- based definition of CVQC for SampBQP is discussed in Section 3. Our main technical contributions are explained in details in Section 4 (a construction of QPIP1 protocol for SampBQP), Section 5 (the construction of QPIP0 protocol for SampBQP based on the above QPIP1 protocol), and Section 6 (a generic compiler to upgrade QPIP0 protocols with blindness).

2 Preliminaries

2.1 Notations Let be the Hilbert space corresponding to one qubit. Let H : n n be Hermitian matrices. B B⊗ →B⊗ We use H 0 to denote H being positive semideﬁnite. Let λ(H) be the smallest eigenvalue of H. ≥ The ground states of H are the eigenvectors corresponding to λ(H). For matrix H and subspace $ S, let H = Π HΠ , where Π is the projector onto the subspace S. We write x X when x is S S S S ←− sampled uniformly at random from the set X.

The phase gate and Pauli matrices are the following matrices.

1 0 0 1 0 i 1 0 Deﬁnition 2.1. P (i)= , X = , Y = − , Z = . 0 i 1 0 i 0  0 1 −         For n-qubit states ρ , ρ n, let ρ ρ = 1 ρ ρ denote the trace distance between 1 2 ∈B⊗ k 1 − 2ktr 2 k 1 − 2k1 ρ and ρ . We say ρ and ρ are ǫ-close if ρ ρ ǫ. For two distributions f and f over 1 2 1 2 k 1 − 2ktr ≤ 1 2 the same ﬁnite domain X, let f f = 1 f (x) f (x) denote their total variation k 1 − 2kTV 2 x X | 1 − 2 | distance, and we say f and f are ǫ-close if f f ∈ ǫ. We additionally denote the following 1 2 k 1 −P2kTV ≤ for states that are only computationally indistinguishable (but might be statistically far):

Deﬁnition 2.2. Two ensemble of states ρ and ρ are ǫ-computationally indistin- { 1,λ }λ N { 2,λ }λ N guishable if for all BQP distinguishers D and λ ∈ N, ∈ ∈ Pr [D(ρ ) = 1] Pr [D(ρ ) = 1] ǫ(λ). | 1,λ − 2,λ |≤

8 We drop the ǫ parameter when it is negligible. We extend computational indistinguishability to subnormalized states by interpreting a subnormalized state ρ as sending out with probability ⊥ 1 tr(ρ) and having the distinguisher D output whenever he receives . We also extend it to − ⊥ ⊥ classical random variables by treating them as mixed states. We denote measurement as follows: Deﬁnition 2.3 (quantum-classical channels). A quantum measurement is given by a set of matrices M such that M 0 and M = id. We associate to any measurement a map Λ(ρ) = { k } k ≥ k k tr(M ρ) k k with k an orthonormal basis. This map is also called a quantum-classical k k | ih | {| i} P channel. P Furthermore, we associate measurement outcomes in X or Z basis with a corresponding random variable as follows:

Definition 2.4 (MXZ (ρ, h)). For any natural number n, n-bit string h, and n-qubit quantum state ρ, consider the following measurement procedure: measure the first qubit of ρ in X basis if h1 = 0; measure the first qubit of ρ in Z basis if h1 = 1. Measure the second qubit of ρ in X basis if h2 = 0; measure the second qubit of ρ in Z basis if h2 = 1. Continue qubit-by-qubit until all n-qubits of ρ are measured, where i-th qubit is measured in X basis if hi = 0 and i-th qubit is measured in the Z basis if hi = 1. We denote the n-bit random variable corresponding to the measurement results as MXZ (ρ, h).

2.2 Quantum Prover Interactive Protocols (QPIP) Following [33], we model the interaction between an almost classical client with quantum memory of size τ (veriﬁer) and a quantum server (prover) in the following deﬁnition. When the client has limited quantum memories (i.e., τ > 0), it becomes a “streaming” model. Namely, the server can send qubits one-by-one to let the client measure them sequentially, even if the client cannot hold the entire quantum message. When the client is fully classical (i.e., τ = 0), this model specializes to the standard interactive protocols.

Definition 2.5. A protocol Π = (P,V ) is said to be in QPIPτ if it satisfies the following properties: • P is a BQP machine, which also has access to a quantum channel that can transmit τ qubits to the verifier per use. • V is a hybrid machine of a classical part and a limited quantum part. The classical part is a BPP machine. The quantum part is a register of τ qubits, on which the verifier can perform arbitrary quantum operations and which has access to a quantum channel that can transmit τ qubits. At any given time, the verifier is not allowed to possess more than τ qubits. The interaction between the quantum and classical parts of the verifier is the usual one: the classical part controls which operations are to be performed on the quantum register, and outcomes of measurements of the quantum register can be used as input to the classical part. • There is also a classical communication channel between the prover and the verifier, which can transmit polynomially many bits to either direction.

It is straightforward to deﬁne what it means for a QPIPτ protocol to decide a BQP language.

Deﬁnition 2.6. Let Π = (P,V ) be a QPIPτ protocol. We say it is a protocol for a BQP language L with completeness error c( ) and soundness error s( ) if the following holds: · ·

9 • On public input 1λ and x 0, 1 , the veriﬁer outputs either Acc or Rej. ∈ { }∗ • (Completeness): For all security parameter λ N and x 0, 1 poly(λ), if x L then ∈ ∈ { } ∈ Pr (P,V )(x, 1λ)= Rej < c(λ).

• (Soundness): For all cheating BQP prover P , suﬃciently large security parameter λ N, ∗ ∈ and x 0, 1 poly(λ), if x / L then Pr (P,V )(x, 1λ)= Rej

Deﬁnition 2.7 (Blindness). Let Π = (P,V ) be an interactive protocol with common inputs 1λ and veriﬁer’s private input x 0, 1 . We say Π is blind if for all cheating BQP prover P the ∈ { }∗ ∗ following ensembles are computationally indistinguishable over λ:

• ∗ λ ViewP (P ∗,V (x))(1 ) λ N,ǫ (0,1),x 0,1 ∗ , { } ∈ ∈ ∈{ }

• ∗ λ ViewP (P ∗,V (0))(1 ) λ N,ǫ (0,1),x 0,1 ∗ . { } ∈ ∈ ∈{ } 2.3 Quantum Homomorphic Encryption Schemes We use the quantum fully homomorphic encryption scheme given in [31] which is compatible with our use of a classical client.

Deﬁnition 2.8. A quantum leveled homomorphic (public-key) encryption scheme QHE = (QHE.Keygen, QHE.Enc, QHE.Eval, QHE.Dec) is quadruple of quantum polynomial-time algorithms which operate as follows:

• Key generation. The algorithm (pk,sk) QHE.Keygen(1λ, 1L) takes a unary representation ← of the security parameter and a unary representation of the level parameter as inputs and outputs a public key pk and a secret key sk.

• Encryption. The algorithm c QHE.Enc(pk,µ) takes the public key pk and a single bit ← message µ 0, 1 as inputs and outputs a ciphertext c. ∈ { } • Decryption. The algorithm µ QHE.Dec(sk,c) takes the secret key sk and a ciphertext c ∗ ← as inputs and outputs a message µ 0, 1 . It must be the case that ∗ ∈ { } QHE.Dec(sk, QHE.Enc(pk,µ)) = µ

with overwhelming probability in λ.

• Homomorphic Evaluation. The algorithm c QHE.Eval(pk,f,c ,...,c ) takes the public f ← 1 l key pk, a quantum circuit f of depth at most L, and a set of l ciphertexts c , , c as inputs 1 · · · l and outputs a ciphertext cf . It must be the case that

QHE.Dec(sk, QHE.Eval(pk,f,c1,...,cl)) = f(QHE.Dec(sk,c1),..., QHE.Dec(sk,cl))

with overwhelming probability in λ.

10 Deﬁnition 2.9 (Compactness and Full Homomorphism). A quantum homomorphic encryption scheme QHE is compact if there exists a polynomial s in λ such that the output length of QHE.Eval is at most s bits long (regardless of f or the number of inputs). A compact scheme is (pure) fully homomorphic if it can evaluate any eﬃciently computable Boolean function.

We also recall the security deﬁnition for a FHE scheme.

Deﬁnition 2.10. A scheme QHE is IND-CPA secure if, for any polynomial time adversary , A there exists a negligible function µ( ) such that · P r[ (pk, HE.Enc (0)) = 1] P r[ (pk, HE.Enc (1)) = 1] µ(λ), | A pk − A pk |≤ where (pk,sk) QHE.Keygen(1λ). ← The quantum homomorphic encryption scheme QHE from [31] has additional properties that facilitate the use of classical clients.

Deﬁnition 2.11. we call a quantum homomorphic encryption scheme classical-friendly if it has the following properties:

• QHE.Keygen is a classical algorithm

• In the case where the plaintext is classical, QHE.Enc can be done classically.

• When the underlying message is classical, the corresponding ciphertext is also classical and can be decrypted classically.

Theorem 2.1 (Theorem 1.1 in [31]). Under the assumption that the learning with errors problem with superpolynomial noise ratio is computationally intractable for an eﬃcient quantum machine, there exists a classical-friendly compact quantum leveled homomorphic encryption scheme.

3 Delegation of Quantum Sampling Problems

In this section, we formally introduce the task of delegation for quantum sampling problems. We start by recalling the complexity class SampBQP deﬁned by Aaronson [2,3], which captures the class of sampling problems that are approximately solvable by polynomial-time quantum algorithms.

Deﬁnition 3.1 (Sampling Problem). A sampling problem is a collection of probability distributions n m(n) (Dx)x 0,1 ∗ , one for each input string x 0, 1 , where Dx is a distribution over 0, 1 for ∈{ } ∈ { } { } some ﬁxed polynomial m.

Deﬁnition 3.2 (SampBQP). SampBQP is the class of sampling problems (Dx)x 0,1 ∗ that can be (approximately) sampled by polynomial-size uniform quantum circuits. Namely,∈{ there} exists a Turing machine M such that for every n N and ǫ (0, 1), M(1n, 11/ǫ) outputs a quantum circuit ∈ ∈ C in poly(n, 1/ǫ) time such that for every x 0, 1 n, the output of C(x) (measured in standard ∈ { } basis) is ǫ-close to Dx in the total variation distance. Note that in the above deﬁnition, there is an accuracy parameter ǫ and the quantum sampling algorithm only requires to output a sample that is ǫ-close to the correct distribution in time poly(n, 1/ǫ), instead of the stringent requirement of outputting a perfect sample. There are multiple reasons for allowing an inverse polynomial error. For example, conceivable physical realizations

11 of quantum computer may consist of inherent noise. We refer the readers to [2,3] for the discussion therein on why this better captures the sampling problem solvable by realistic quantum computers.

We next define what it means for a QPIPτ protocol to solve a SampBQP problem (Dx)x 0,1 ∗ . Since sampling problems come with an accuracy parameter ǫ, we let the prover P and the∈{ verifier} V receive the input x and 11/ǫ as common inputs. Completeness is straightforward to define, which requires that when the prover P is honest, the verifier V should accept with high probability and output a sample z distributed close to Dx on input x. Defining soundness is more subtle. Intuitively, it requires that the verifier V should never be “cheated” to accept and output an incorrect sample even when interacting with a malicious prover. We formalize this by a strong simulation-based definition, where we require that the joint distribution of the decision bit d Acc, Rej and the ∈ { } output z (which is when d = Rej) is ǫ-close (in either statistical or computational sense) to an ⊥ “ideal distribution” (d, z ), where z is sampled from D when d = Acc and set to when ideal ideal x ⊥ d = Rej. Since the protocol receives the accuracy parameter 11/ǫ as input to specify the allowed error, we do not need to introduce an additional soundness error parameter in the definition.

Definition 3.3. Let Π = (P,V ) be a QPIPτ protocol. We say it is a protocol for the SampBQP instance (Dx)x 0,1 ∗ with completeness error c( ) and statistical (resp., computational) soundness ∈{ } · if the following holds: • On public inputs 1λ, 11/ǫ, and x 0, 1 poly(λ), V outputs (d, z) where d Acc, Rej . If ∈ { } ∈ { } d = Acc then z 0, 1 m( x ) where m is given in Definition 3.1, otherwise z = . ∈ { } | | ⊥ • (Completeness): For all accuracy parameter ǫ(λ) = 1 , security parameter λ N, and poly(λ) ∈ x 0, 1 poly(λ), let (d, z) (P,V )(1λ, 11/ǫ,x), then d = Rej with probability at most c(λ). ∈ { } ← • 1 (Statistical soundness): For all cheating prover P ∗, accuracy parameter ǫ(λ)= poly(λ) , sufficiently large λ N, and x 0, 1 poly(λ), consider the following experiment: ∈ ∈ { } – Let (d, z) (P ,V )(1λ, 11/ǫ,x). ← ∗ – Define zideal by z = if d = Rej ideal ⊥ (zideal Dx if d = Acc . ←

It holds that (d, z) (d, z ) ǫ. k − ideal kTV ≤ • (Computational soundness): For all cheating BQP prover P ∗, BQP distinguisher D, accuracy parameter ǫ(λ) = 1 , sufficiently large λ N, and all x 0, 1 poly(λ), let us define poly(λ) ∈ ∈ { } d, z, zideal by the same experiment as above. It holds that (d, z) is ǫ-computationally indistinguishable to (d, zideal) over λ. As in the case of BQP, we are particularly interested in the case that τ = 0, i.e., when the verifier V is classical. In this case, we say that Π is a CVQC protocol for the SampBQP problem (Dx)x 0,1 ∗ . To∈{ the} best of our knowledge, we are the first to formally define delegation of quantum sampling problems. We also note that while several constructions in the relaxed models (e.g., verifiable blind computation [22]) can be naturally generalized to delegate quantum sampling problem and allow the verifier to learn multi-bit outputs, it seems non-trivial to show that these constructions achieve the soundness property we just defined. Proving the soundness of these constructions for delegating SampBQP is an interesting open question.

12 4 Construction of the QPIP1 Protocol for SampBQP 4.1 Reducing SampBQP to the X-Z Local Hamiltonian As we mentioned in this introduction, we will employ the circuit history state in the original construction of the Local Hamiltonian problem [28] to encode the circuit information for SampBQP. However, there are distinct requirements between certifying the computation for BQP and SampBQP based on the history state. For any quantum circuit C on input x, the original construction for cer- 5 tifying BQP consists of local Hamiltonian Hin,Hclock,Hprop, Hout where Hin is used to certify the initial input x, Hclock to certify the validness of the clock register, Hprop to certify the gate-by-gate evolution according to the circuit description, and Hout to certify the final output. In particular, the corresponding history state is in the ground space of Hin, Hclock, and Hprop. Note that BQP is a decision problem and its outcome (0/1) can be easily encoded into the energy Hout on the single output qubit. As a result, the outcome of BQP can simply be encoded by the ground energy of Hin + Hclock + Hprop + Hout. To deal with SampBQP, we will still employ Hin,Hclock, and Hprop to certify the circuit’s input, the clock register, and gate-by-gate evolution. However, in SampBQP, we care about the entire final state of the circuit, rather than the energy on the output qubit. Our approach to certify the entire final state (which is encoded inside the history state) is to make sure that the history state is the unique ground state of Hin + Hclock + Hprop and all other orthogonal states will have much higher energies. Namely, we need to construct some Hin′ + Hclock′ + Hprop′ with the history state as the unique ground state and with a large spectral gap between the ground energy and excited energies. It is hence guaranteed that any state with close-to-ground energy must also be close to the history state. We remark that this is a different requirement from most local Hamiltonian constructions that focus on the ground energy. We achieve so by using the perturbation technique developed in [27] for reducing the locality of Hamiltonian. Another example of local Hamiltonian construction with a focus on the spectral gap can be found in [7], where the purpose is to simulate quantum circuits by adiabatic quantum computation. We need two more twists for our purpose. First, as we will eventually measure the final state in order to obtain classical samples, we need that the final state occupies a large fraction of the history state. We can simply add dummy identity gates. Second, as we are only able to perform X or Z measurement by techniques from [33], we need to construct X-Z only local Hamiltonians. Indeed, this has been shown possible in, e.g., [12], which serves as the starting point of our construction. Recall the definition of the history state which serves as a transcript of the circuit evolution [28]:

Definition 4.1 (History-state). Given any quantum circuit C = UT ...U1 of T elementary gates and input x 0, 1 n, the history-state ψhist is defined by ∈ { } | C(x)i T 1 hist 1 − ψ Ut ...U1 x, 0 tˆ , (4.1) | C(x)i≡ √T | i ⊗ | i Xt=0 where the first register of n-qubit refers to the input, the second of m-qubit refers to the work space (poly(n), w.l.o.g, T size) which is initialized to 0 , and the last refers to the clock space which ≤ | i encodes the time information. Note that tˆ could be some representation of t=0,..., T 1. − We define the X-Z local Hamiltonian of interest as follows: 5The original construction is for the purpose of certifying problems in QMA. We consider its simple restriction to problems inside BQP.

13 Deﬁnition 4.2 (k-local X-Z Hamiltonian). For any n-qubit system, the set of k-local X-Z terms, k denoted by LHXZ, contains Hermitian matrices that apply non-trivially on at most k qubits as a product of Pauli X and Z terms. Namely,

LHk = h h . . . h : i [n], h I,X,Z , and, i : h = X or Z k. . (4.2) XZ { 1 ⊗ 2 ⊗ ⊗ n ∀ ∈ i ∈ { } |{ i }| ≤ } k A k-local X-Z Hamiltonian H is a linear combination of terms from LHXZ. Namely, H = α H , i, α R,H LHk . (4.3) i i ∀ i ∈ i ∈ XZ Xi As our starting point, we will include the existing result of constructing X-Z local Hamitonians for general BQP computation. First, we note the fact Toﬀoli and Hadamard gates form a universal gate set for quantum computation [5, 41]. It is easy to see that both Toﬀoli and Hadamard gates can be represented as linear combinations of terms from LHXZ. For example,

1 1 1 1 (Hadamard) H = (X + Z) . (4.4) ≡ √2 1 1 √2 −   The Toﬀoli gate maps bits (a, b, c) to (a, b, c (a and b)), which can be decomposed as 11 11 ⊕ | i h |⊗ X + (I 11 11 ) I where 11 11 = 1 (I I + Z Z I Z Z I). − | i h | ⊗ | i h | 4 ⊗ ⊗ − ⊗ − ⊗ We will follow the unary clock register design from Kitaev’s original 5-local Hamiltonian construction [28]. Namely, valid unary clock states (T -qubit) are 00 . . . 0 , 10 . . . 0 , 110 . . . 0 , etc, | i | i | i which span the ground energy space of the following local Hamiltonian:

T 1 − H = 01 01 , (4.5) clock | ih |t,t+1 t=1 X where 01 01 stands for a projection on the tth and (t + 1)th qubit in the clock register. It | ih |t,t+1 is observed in [12] that Hclock can be reformulated as a linear combination of terms from LHXZ as follows, T 1 1 1 − H = (Z Z )+ (I Z Z ), (4.6) clock 4 1 − T 4 − t ⊗ t+1 t=1 X where Zt refers to Pauli Z operated on the tth qubit in the clock register. One can achieve so similarly for Hin and Hprop. For the input condition, we want to make sure x = (x ,...,x ) 0, 1 n is in the input space and the workspace is initialized to 0 for all qubits 1 n ∈ { } | i at the time 0. Namely, one can set Hin to be n m H = (I x x ) 0 0 + 1 1 0 0 , (4.7) in − | iih i|i ⊗ | ih |1 | ih |n+i ⊗ | ih |1 Xi=1 Xi=1 where the last part 0 0 applies on to the ﬁrst qubit in the clock register. One can rewrite H as | ih |1 in n m 1 1 H = (I ( 1)xi Z ) (I + Z )+ (I Z ) (I + Z ). (4.8) in 4 − − i ⊗ 1 4 − n+i ⊗ 1 Xi=1 Xi=1 For the propagation of the quantum state through the circuit, one uses the Hprop as follows:

T t Hprop = Hprop, Xt=1 14 where

t 1 1 [ [ 1 [ 1 [ H = I t t + I t 1 t 1 U t t 1 U † t 1 t . (4.9) prop 2 ⊗ | ih | 2 ⊗ | − ih − |− 2 t ⊗ | i h − |− 2 t ⊗ | − i h | [ [ Note that t t 1 = 110b b 100 and similarly forb t 1 t . Note that U †b= U , since | i h − | | i h |(t 1,t,t+1) | − i h | t t our gates are either Hadamard or Toﬀoli.− It is observed in [12] that b b t I Ut Hprop = (I Zt 1) (I + Zt+1) (I Zt 1) Xt (I + Zt+1), t = 2,...,T 1, (4.10) 4 ⊗ − − ⊗ − 4 ⊗ − − ⊗ ⊗ ∀ − and 1 1 H1 = (I + Z ) U (X + X Z ), (4.11) prop 2 2 − 1 ⊗ 2 1 1 ⊗ 2 T 1 1 Hprop = (I Zt 1) UT (XT ZT 1 XT ). (4.12) 2 − − − ⊗ 2 − − ⊗

Combining with the fact that each Ut can be written as a linear combination of terms from LHXZ, we conclude that Hclock, Hin, Hprop are 6-local X-Z Hamiltonian. We will employ the perturbation technique to amplify the spectral gap of Hclock + Hin + Hprop. Let λ (H) denote the ground energy of any Hamiltonian H. The projection lemma from [27] approximates λ (H + H ) in terms of λ H , where ker H denotes the kernel space of H . 1 2 1 ker H2 2 2 Lemma 4.1 (Lemma 1 in [27]). Let H = H1 + H2 be the sum of two Hamiltonians operating on Hilbert space = + . The Hamiltonian H is such that is a zero eigenspace and the H S S⊥ 2 S eigenvectors in have eigenvalues at least J > 2 H . Then, S⊥ k 1k H 2 λ H k 1k λ(H) λ H . 1 − J 2 H ≤ ≤ 1 S − k 1k S We will use the following simple reformulation instead.

Lemma 4.2. Let H ,H be local Hamiltonians where H 0. Let K = ker H and 1 2 2 ≥ 2 8 H 2 + 2 H J = k 1k k 1k, λ H2 K⊥ then we have 1 λ(H + JH ) λ H . 1 2 ≥ 1 K − 8 Proof. Apply Lemma 4.1 to H = H1 + JH2. Note that the least non zero eigenvalue of JH2 is greater than 2 H . k 1k Theorem 4.1. Given any quantum circuit C = U ...U of T elementary gates and input x T 1 ∈ 0, 1 n, one can construct a 6-local X-Z Hamiltonian H in polynomial time such that { } C(x) (1) H = α H where each H LH6 and α O(T 9). Moreover, there are at most C(x) i i i i ∈ XZ | i| ∈ O(T ) non-zero terms. P (2) H has ψhist as the unique ground state with eigenvalue 0 and has a spectral gap at least C(x) | C(x)i 3 . Namely, for any state φ that is orthogonal to ψhist , we have φ H φ 3 . 4 | i | C(x)i h | C(x)| i≥ 4

15 Proof. We will use the above construction Hclock (eq. (4.6)), Hin (eq. (4.8)), Hprop (section 4.1) as our starting point, which are already 6-local X-Z Hamiltonian constructable in polynomial time. However, Hold = Hin + Hclock + Hprop does not have the desired spectral gap. To that end, our construction will be a weighted sum of Hin, Hclock, and Hprop as follows,

Hnew = Hin + JclockHclock + JpropHprop, (4.13) where Jclock and Jprop will be obtained using Lemma 4.2. Let Kin = ker Hin, Kclock = ker Hclock, and Kprop = ker Hprop. It is known from e.g., [28], that K K K = span ψhist . in ∩ clock ∩ prop { | C(x)i } Thus ψhist remains in the ground space of H . Let S denote its orthogonal space. Namely, | C(x)i new S = (span ψ ) . Denote by H the restriction of H on space S and similarly for others. { | C(x)i } ⊥ in S in Consider H + J H ﬁrst. According to lemma 4.2, by choosing in clock clock 2 8 Hin S + 2 Hin S 2 Jclock = = O(T ), λ H clock S K ⊥ ∩ clock where we use the fact Hin S T and λ Hclock S K⊥ λ Hclock K⊥ = 1, we have k | k≤ ∩ clock ≥ clock 1 λ Hin + JclockHclock λ Hin . S S S Kclock ≥ ∩ − 8 Consider further adding JpropH prop term. By choosing

2 O( Hin S + JclockHclock S ) 8 Jprop = = O(T ), λ Hprop S K⊥ ∩ prop 2 where we use the fact λ Hprop S K⊥ λ Hprop K⊥ = Ω(T − ) [28], we have ∩ prop ≥ prop 1 λ Hin + JclockHclock + JpropHprop λ Hin . S S S S Kclock Kprop ≥ ∩ ∩ − 4 A simple observation here is that S Kclock Kprop is the span of history states with different ∩ ∩ inputs or different initialization of the work space. Namely, λ Hin 1. Thus, S Kclock Kprop ∩ ∩ ≥ 1 3 λ (H + J H + J H ) 1 = . in clock clock prop prop S ≥ − 4 4 Given that ψhist is the ground state of H with eigenvalue 0, and any orthogonal state to | C(x)i new ψhist has eigenvalue at least λ (H ) 3/4, the spectral gap of H at at least 3/4. | C(x)i new ≥ new Note that Hnew is a 6-local X-Z Hamiltonian by construction. It suffices to check the bound t of αi and the number of terms. The former is one more than the order of Jprop since each Hprop | | 1 contributes 4 to the I term, creating an extra factor of T . The latter is by counting the number of terms from Hin,Hclock,Hprop, each of which is bounded by O(T ). Remark. We believe that the specific parameter dependence above can be tightened by a more careful analysis. However, as our focus is on the feasibility, we keep the above slightly loose analysis which might be more intuitive.

16 4.2 Delegation Protocol for QPIP1 client

In this subsection, we construct a one-message QPIP1 delegation protocol for SampBQP. By definition of QPIP1, we assume the client has limited quantum power, e.g., performing single qubit X or Z measurement one by one. Intuitively, one should expect the one-message from the server to the client is something like the history state so that the client can measure to sample. At a high-level, the design of such protocols should consist of at least two components: (1) the first component should test whether the message is indeed a valid history state; (2) the second component should simulate the last step of any SampBQP computation by measuring the final state in the computational basis. Our construction of X-Z local Hamiltonian H from Theorem 4.1 will help serve the first purpose. In particular, we adopt a variant of the energy verification protocol for local Hamiltonian (e.g., [21,34]) to certify the energy of H with only X or Z measurements. Moreover, because of the large spectral gap, when the energy is small, the underlying state must also be close to the history state. Precisely, consider the following protocol Ham: V

Protocol 1 Energy veriﬁcation for X-Z local Hamiltonian Ham V Given a k-local X-Z Hamiltonian H = α H (i.e., i, H LHk ) and any state φ . i i i ∀ i ∈ XZ | i

• Let p = α / α for each i. SampleP i according to p ∗ . i | i| i| i| ∗ i • Pick H ∗ whichP acts non-trivially on at most k qubits of φ . Measure the corresponding i | i single-qubit Pauli X or Z operator. Record the list of the results x = 1 for j = 1,...k. j ± • Let r = x x x . The protocol accepts if r and α ∗ have diﬀerent signs, i.e., sgn(α ∗ )r = 1. 1 2 · · · k i i − Otherwise, the protocol rejects.

Lemma 4.3 ( [34]). For any k-local X-Z Hamiltonian H = α H and any state φ , the protocol i i i | i Ham in Protocol 1 accepts with probability V P 1 1 Prob[ Ham accepts ψ ]= φ H φ . (4.14) V | i 2 − 2 α h | | i i| i|

Theorem 4.2. Given any quantum circuit C and input xP, consider using HC(x) from Theorem 4.1 in Protocol 1 ( Ham). For any state ρ, and 0 <ǫ< 1, if Ham accepts ρ with probability, V V 1 ǫ Prob[ Ham accepts ρ] , V ≥ 2 − 2 α i| i| then the trace distance between ρ and ψhist is at most 2 √Pǫ. | C(x)i √3 Proof. Consider the pure state case ρ = φ φ ﬁrst. By Lemma 4.3 and our assumption, we have | ih | φ H φ ǫ. Decompose φ = α ψhist + β ψhist ⊥. Note that ψhist is an eigenvector H of h | | i≤ | i | C(x)i | C(x)i | C(x)i C(x) eigenvalue 0 and all other eigenvalues are at least 3/4. Thus, we have α 2 1 4 ǫ. Thus, | | ≥ − 3

hist hist hist 2 2 ψC(x) ψC(x) φ φ = 1 ψ φ √ǫ. | ih | − | ih | tr − | h C(x)| i | ≤ √3 q

17 For any mixed state ρ = p φ φ , by the triangle inequality, we have i i| iih i|

hist hist P hist hist 2 2 ψC(x) ψC(x) ρ pi ψC(x) ψC(x) φi φi pi √ǫ = √ǫ. | ih |− tr ≤ | ih | − | ih | tr ≤ √3 √3 i i X X

To serve the second purpose, one needs to combine the test and the output on multiple copies of the history states, where we construct the following cut-and-choose protocol. The challenge comes from the fact that a cheating prover might send something rather than copies of the history state. In particular, the prover can entangle between different copies in order to cheat. In the case of certifying a BQP computation, the goal is to verify the ground energy of any local Hamiltonian. A cheating strategy with potential entanglement won’t create any witness state with an energy lower than the actual ground energy. Thus, this kind of attack won’t work for BQP computation. However, in the context of SampBQP, one needs to certify the ground energy (known to be zero in this case) and to output a good copy. While the statistical test as before can be used to certify the ground energy, it has less control on the shape of the output copy. In fact, the prover can always prepare a bad copy among with many good copies as a plain attack. This attack will succeed when the bad copy is chosen to output, the probability of which is non-negligible in terms of the total number of copies assuming some symmetry of the protocol. The potential entanglement among different copies could further complicate the analysis. We employ the quantum de Finetti’s theorem to address this technical challenge. Specifically, given any permutation-invariant k-register state, it is known that the reduced state on many subsets of k-register will be close to a separable state. This helps establish some sort of independence between different copies in the analysis. To serve our purpose, we adopt the following version of quantum de Finetti’s theorem from [13] where the error depends nicely on the number of qubits, rather than the dimension of quantum systems.

A1...Ak Theorem 4.3 ( [13]). Let ρ be a permutation-invariant state on registers A1,...,Ak where each register contains s qubits. For any 0 l k, there exists states ρ and p R such that ≤ ≤ { i } { i }⊂ 2 A1...Al A1 Al 2l s max (Λ1 . . . Λl) ρ piρi . . . ρi Λ1,...,Λl ⊗ ⊗ − ⊗ ⊗ ! ≤ k l i 1 r − X where Λi are quantum-classical channels.

Protocol 2 QPIP1 protocol ΠSamp = (PSamp,VSamp) for the SampBQP problem (Dx)x 0,1 ∗ ∈{ }

Inputs:

• Security parameter 1λ where λ N ∈ • Accuracy parameter 11/ǫ where ǫ (0, 1) ∈ • Classical input x 0, 1 n to the SampBQP instance ∈ { } Ingredients:

• Let C be a quantum circuit consisting of only Hadamard and Toﬀoli gates, which on input x samples from some C such that C D ǫ. x k x − xkTV ≤

18 • Let T be the number of gates in C. • 6T Let C′ be C padded with ǫ identity gates at the end. • Let HC′(x) = i αiHi be the X-Z local Hamiltonian instance associated with the computation of C (x) from Theorem 4.1. ′ P hist • Let ψ ′ be the ground state of H ′ . | C (x)i C (x) 6T hist • Let s 3T + be the number of qubits in ψ ′ . ≤ ǫ | C (x)i • Let Ham be the veriﬁcation algorithm for H ′ as deﬁned in Protocol 1. V C (x) Protocol:

T 41λ2 hist 1. The honest prover prepares M = 649 copies of ψ ′ and sends all of it to the veriﬁer ǫ51 | C (x)i qubit-by-qubit.

20 2. The veriﬁer samples I [M] s.t. I = m where m = T λ , and k $ [M] I. For i from 1 to ⊂ | | ǫ24 ←− \ M, it chooses what to do to the i-th copy, ρi, as follows:

(a) If i I, run y Ham(ρ ). ∈ i ←V i (b) Else if i = k, measure the data register of ρi under the computational (i.e., Z) basis and save the outcome as z.

m 1 ǫ2 Let Y = i I yi. If Y > 2 κm where κ = 192 P α , then the veriﬁer outputs (Acc, z). ∈ − i i Else, it outputs (Rej, ). | | P ⊥

Note that VSamp only needs to apply X and Z measurements, and is classical otherwise. It is 1 simple to check that VSamp runs in poly(n, λ, ǫ ) time. We now show its completeness and soundness.

Theorem 4.4. ΠSamp is a QPIP1 protocol for the SampBQP problem (Dx)x 0,1 ∗ with negligible ∈{ } completeness error and is statistically sound.6

1 Proof. For completeness, notice yi are i.i.d. Bernoulli trials with success probability 2 . So we can apply Chernoff bound to get m Pr Y > ǫm negl(λ). 2 − ≤ h i So VSamp has negligible probability to reject. 1/ǫ λ Now we show soundness. Suppose PSamp∗ is a cheating prover that, on inputs x, 1 , 1 , sends some σ to the verifier. The first step of our analysis is to use de Finetti’s theorem. Randomly picking m +1 out of M registers is equivalent to first applying a random permutation then taking the first m + 1 registers. A random permutation, in turn, is a classical mix over all possible permutations: 1 σ′ = ΠσΠ†. Sym(M) Π Sym(M) | | ∈ X 6The soundness and completeness of a SampBQP protocol is defined in Definition 3.3.

19 It is simple to check that σ is permutation-invariant: fix Π˜ Sym(M), then ′ ∈ 1 1 Π˜ σ′Π˜ † = ΠΠ˜ σΠ†Π˜ † = Πˆ σΠˆ † = σ′, Sym(M) Sym(M) | | Π Sym(M) | | Πˆ Sym(M) ∈ X ∈ X where the second equality is by relabeling ΠΠ˜ = Π.ˆ Now we apply de Finetti’s theorem (Theorem 4.3) to approximate our measurement result on σ with that of a classical mix over (m + 1)-fold tensor products of identical copies of some states τj. m+1 That is, there exists some ρ = j wjτj⊗ such that for all quantum-classical channels Λi acting on registers of size s: P 2m2s ǫ Λ1 . . . Λm+1(σ′ m+1 ρ) 1 , ⊗ ⊗ ≤ − ≤ rM m ≤ 6 − where σ′ m+1 is the first m + 1 registers of σ′. In our context, for 1 i m, Λi corresponds to ≤ ≤ ≤ measurements chosen by Ham. Λm+1 measures the data register under the standard basis. V m+1 We now analyze the verifier’s output for each τj in ρ = j wjτj⊗ . Let (dj , zj) be the verifier’s output corresponding to τj, and define zj,ideal accordingly. We claim that (dj, zj ) (dj, zj,ideal) TV < 2ǫ P k − k . Let p be the probability that Ham(τ )= Acc, and consider the following two cases. 6 j V j First suppose p < 1 2κ, then a standard Chernoff bound argument can be applied show that j 2 − this case has negligible acceptance probabilities. As a result, (d , z ) (d , z ) = negl(λ). k j j − j j,ideal kTV Now suppose p 1 2κ. By Theorem 4.2 we have j ≥ 2 −

hist hist 2 ǫ τj ψC′(x) ψC′(x) 2κ 2 αi = . − | i h | tr ≤ √3 · | | 6 s i X ǫ Observe that when dj = Acc, zj is the measurement results on τj’s data register, which is 6 -close to that of ψC′(x) . As the clock register is traced out from ψC′(x) , the data register has at least ǫ | i | 2iǫ 1 6 probability to contain C(x) due to the padding. So zj is 6 -close to zideal when d = Acc, − 2ǫ which implies that (dj, zj) is 6 -close to (dj, zj,ideal). m+1 Finally, let (dρ, zρ) denote the veriﬁer’s output distribution corresponding to ρ = j wjτj⊗ , and deﬁne z accordingly. We have (d , z ) (d, z ) < 2ǫ since the same is true for ρ,ideal k ρ ρ − ρ,ideal kTV 6 P all components τj. ǫ As (d, z) is 6 -close to (dρ, zρ) by the data processing inequality, using the triangle inequality we have (d, z) (d , z ) ǫ . Hence d d ǫ , which implies (d , z ) (d, z ) k − ρ ρ,ideal kTV ≤ 2 k − ρkTV ≤ 2 k ρ ρ,ideal − ideal kTV ǫ . It then follows from the triangle inequality that (d, z) (d, z ) ǫ. ≤ 2 k − ideal kTV ≤ 5 SampBQP Delegation Protocol for Fully Classical Client

In this section, we create a delegation protocol for SampBQP with fully classical clients by adapting the approach taken in [33]. In [33], Mahadev designed a protocol ΠMeasure (Protocol 3) that allows a BQP prover to “commit a state” for a classical veriﬁer to choose a X or Z measurement and obtain corresponding measurement results. Composing it with the QPIP1 protocol for BQP from [21] results in a QPIP0 protocol for BQP. In this work, we will compose ΠMeasure with our QPIP1 protocol ΠSamp (Protocol 2) for SampBQP in order to obtain a QPIP0 protocol for SampBQP. A direct composition of ΠSamp and ΠMeasure, however, results in Πint (Protocol 4) which does not provide reasonable completeness or accuracy guarantees. As we will see, this is due to ΠMeasure itself having peculiar and weak guarantees: the client doesn’t always obtain measurement outcomes

20 even if the server were honest. When that happens under the BQP context, the veriﬁer can simply accept the prover at the cost of some soundness error; under our SampBQP context, however, we must run many copies of Πint in parallel so the veriﬁer can generate its outputs from some copy. We will spend the majority of this section analyzing the soundness of this parallel repetition.

5.1 Mahadev’s measurement protocol

ΠMeasure is a 4-round protocol between a verifier (which corresponds to our client) and a prover (which corresponds to our server). The verifier (secretly) chooses a string h specifying the measurements he wants to make, and generates keys pk,sk from h. It sends pk to the prover. The prover “commits” to a state ρ of its choice using pk and replies with its commitment y. The verifier must then choose between two options: do a testing round or a Hadamard round. In a testing round the verifier can catch cheating provers, and in a Hadamard round the verifier receives some measurement outcome. He sends his choice to the prover, and the prover replies accordingly. If the verifier chose testing round, he checks the prover’s reply against the previous commitment, and rejects if he sees an inconsistency. If the verifier chose Hadamard round, he calculates MXZ (ρ, h) based on the reply. We now formally describe the interface of ΠMeasure while omitting the implementation details.

Protocol 3 Mahadev’s measurement protocol ΠMeasure = (PMeasure,VMeasure)

Inputs: • Common input: Security parameter 1λ where λ N. ∈ • Prover’s input: a state ρ n for the verifier to measure. ∈B⊗ • Verifier’s input: the measurement basis choice h 0, 1 n ∈ { } Protocol: λ 1. The verifier generates a public and secret key pair (pk,sk) Measure (1 , h). It sends pk to ←V ,1 the prover.

2. The prover generates (y,σ) Measure (pk, ρ). y is a classical “commitment”, and σ is some ← P ,2 internal state. He sends y to the veriﬁer.

$ 3. The veriﬁer samples c 0, 1 uniformly at random and sends it to the prover. c = 0 ←−{ } indicates a testing round, while c = 1 indicates a Hadamard round.

4. The prover generates a classical string a Measure (pk,c,σ) and sends it back to the verifier. ← P ,4 5. If it is a testing round (c = 0), then the verifier generates and outputs o Measure (pk, y, a) ←V ,T where o Acc, Rej . If it is a Hadamard round (c = 1), then the verifier generates and ∈ { } outputs v Measure (sk, h, y, a). ←V ,H

ΠMeasure has negligible completeness errors, i.e. if both the prover and verifier are honest, the verifier accepts with overwhelming probability and his output on Hadamard round is computationally indistinguishable from MXZ (ρ, h). As for soundness, it gives the following binding property against cheating provers: if a prover would always succeed on the testing round, then there exists some ρ so that for any h the verifier obtains MXZ (ρ, h) if he had chosen the Hadamard round.

21 Lemma 5.1 (binding property of ΠMeasure; special case of Claim 7.1 in [33]). Let PMeasure∗ be a BQP cheating prover for ΠMeasure and λ be the security parameter. Let 1 ph,T be the probability that the 7 − verifier accepts PMeasure∗ in the testing round on basis choice h. Under the QLWE assumption, there exists some ρ so that for all verifier’s input h 0, 1 n, the verifier’s outputs on the Hadamard ∗ ∈ { } round is √ph,T + negl(n)-computationally indistinguishable from MXZ (ρ∗, h).

We now combine ΠMeasure with our QPIP1 Protocol for SampBQP, ΠSamp = (PSamp,VSamp) (Protocol 2), to get a corresponding QPIP0 protocol Πint. Recall that in ΠSamp the veriﬁer takes X and Z measurements on the prover’s message. In Πint we let the veriﬁer use ΠMeasure to learn those measurement outcomes instead.

Protocol 4 Intermediate QPIP0 protocol Πint for the SampBQP problem (Dx)x 0,1 ∗ ∈{ }

Inputs:

• Security parameter 1λ where λ N ∈ • Error parameter ǫ (0, 1) ∈ • Classical input x 0, 1 n to the SampBQP instance ∈ { } Protocol:

1. The veriﬁer chooses a XZ-measurement h from the distribution speciﬁed in Step 2 of ΠSamp.

2. The prover prepares ρ by running Step 1 of ΠSamp.

λ 3. The veriﬁer and prover run (PMeasure(ρ),VMeasure(h))(1 ).

λ (a) The verifier samples (pk,sk) int (1 , h) and sends pk to the prover, where int is ← V ,1 V ,1 the same as Measure of Protocol 3. V ,1 (b) The prover runs (y,σ) int (pk, ρ) and sends y to the verifier, where int is the ← P ,2 P ,2 same as Measure . Here we allow the prover to abort by sending y = , which does not P ,2 ⊥ benefit cheating provers but simplifies our analysis of parallel repetition later. (c) The verifier samples c $ 0, 1 and sends it to the prover. ←−{ } (d) The prover replies a int (pk,c,σ). ← P ,4 (e) If it is a testing round, the verifier accepts or rejects based on the outcome of ΠMeasure. If it is a Hadamard round, the verifier obtains v.

4. If it’s a Hadamard round, the verifier finishes the verification step of Protocol 2 by generating and outputting (d, z)

There are several problems with using Πint as a SampBQP protocol. First, since the veriﬁer doesn’t get a sample if he had chosen the testing round in Step 3c, the protocol has completeness error at least 1/2. Moreover, since ΠMeasure does not check anything on the Hadamard round, a

7 Compared to Claim 7.1 of [33], we don’t have a ph,H term here. This is because on rejecting a Hadamard round, the veriﬁer can output a uniformly random string, and that is same as the result of measuring h on the totally mixed state.

22 cheating prover can give up passing the testing round and breaks the commitment on the Hadamard round, with only a constant 1/2 probability of being caught. However, we can show that Πint has a binding property similar to ΠMeasure: if a cheating prover Pint∗ passes the testing round with overwhelming probability whenever it doesn’t abort on the second message, then the corresponding output (d, z) (P ,Vint) is close to (d, z ). Recall the ideal output is ← int∗ ideal z = if d = Rej ideal ⊥ (zideal Dx if d = Acc. ← This binding property is formalized in Theorem 5.1. Intuitively, the proof of Theorem 5.1 combines the binding property of Protocol 4 (Lemma 5.1) and ΠSamp’s soundness (Theorem 4.4). There is a technical issue that Protocol 4 allows the prover to abort while Protocol 3 does not. This issue is solved by constructing another BQP prover P ∗ for every cheating prover Pint∗ . Speciﬁcally, P ∗ uses Pint∗ ’s strategy when it doesn’t abort, otherwise honestly chooses the totally mixed state for the veriﬁer to measure.

Theorem 5.1 (binding property of Πint). Let Pint∗ be a cheating BQP prover for Πint and λ be the security parameter. Suppose that Pr [d = Acc y = , c = 0] is overwhelming, under the QLWE | 6 ⊥ assumption, then the verifier’s output in the Hadamard round is O(ǫ)-computationally indistinguishable from (d, zideal). Proof. We first introduce the dummy strategy for Protocol 3, where the prover chooses ρ as the maximally mixed state and executes the rest of the protocol honestly. It is straightforward to verify that this prover would be accepted in the testing round with probability 1 negl(λ), but has − negligible probability passing the verification after the Hadamard round. Now we construct a cheating BQP prover for Protocol 4, P ∗, that does the same thing as Pint∗ except at Step 3, where the prover and verifier runs Protocol 3. P ∗ does the following in Step 3: for the second message, run (y,σ) (pk, ρ). If y = , then reply y; else, run the corresponding ← Pint∗ ,2 6 ⊥ step of the dummy strategy and reply with its results. For the fourth message, if y = , run and 6 ⊥ reply with a (pk,c,σ); else, continue the dummy strategy. ← Pint∗ ,4 In the following we fix an x. Let the distribution on h specified in Step 1 of the protocol be px(h). Define Psub∗ (x) as P ∗’s responds in Step 3. Note that we can view Psub∗ (x) as a prover strategy for Protocol 3. By construction Psub∗ (x) passes testing round with overwhelming probability over px(h), i.e. h px(h)ph,T = negl(λ), where ph,T is P ∗’s probability of getting accepted by the prover on the testing round on basis choice h. By Lemma 5.1 and Cauchy’s inequality, there exists P some ρ such that p (h) v M (ρ, h) = negl(λ), where we use A B = α to denote h x k h − XZ kc k − kc that A is α-computational indistinguishable to B. Therefore v = p (h)v is computationally P h x h indistinguishable to h px(h)MXZ (ρ, h). Combining it with ΠSamp’s soundness (Theorem 4.4), we λ 1/ǫ P see that (d , z ) (P ,Vint)(1 , 1 ,x) is ǫ-computationally indistinguishable to (d , z ). ′ ′ ← P∗ ′ ideal′ Now we relate (d′, z′) back to (d, z). First, conditioned on that Pint∗ aborts, since dummy strategy will be rejected with overwhelming probability in Hadamard round, we have (d′, z′) is computationally indistinguishable to (Rej, ) = (d, z). On the other hand, conditioned on P not ⊥ int∗ aborting, clearly (d, z) = (d′, z′). So (d, z) is computationally indistinguishable to (d′, z′), which in turn is O(ǫ)-computationally indistinguishable to (d , z ). Since d d = O(ǫ), (d, z ) ′ ideal′ k − ′ktr ideal is O(ǫ)-computationally indistinguishable to (d′, zideal′ ). Combining everything, we conclude that (d, z) is O(ǫ)-computationally indistinguishable to (d, zideal).

23 5.2 QPIP0 protocol for SampBQP

We now introduce our QPIP0 protocol ΠFinal for SampBQP. It is essentially a m-fold parallel repetition of Πint, from which we uniformly randomly pick one copy to run Hadamard round to get our samples and run testing round on all other m 1 copies. Intuitively, if the server wants − to cheat by sending something not binding on some copy, he will be caught when that copy is a testing round, which is with probability 1 1/m. This over-simpliﬁed analysis does not take − into account that the server might create entanglement between the copies. Therefore, a more technically involved analysis is required. In the description of our protocol below, we describe Πint and ΠMeasure in details in order to introduce notations that we need in our analysis.

Protocol 5 QPIP0 protocol ΠFinal for the SampBQP problem (Dx)x 0,1 ∗ ∈{ }

Inputs:

• Security parameter 1λ for λ N. ∈ • Accuracy parameter 11/ǫ for the SampBQP problem.

• Input x 0, 1 poly(λ) for the SampBQP instance. ∈ { } Ingredient: Let m = O(1/ǫ2) be the number of parallel repetitions to run.

Protocol:

1. The veriﬁer generates m independent copies of basis choices ~h = (h1,...,hm), where each copy is generated as in Step 1 of Πint.

m 2. The prover prepares ρ⊗ ; each copy of ρ is prepared as in Step 2 of Πint.

3. The veriﬁer generates m key pairs for ΠMeasure, pk~ = (pk1,...,pkm) and sk~ = (sk1,...,skm), as in Step 1 of ΠMeasure. It sends pk~ to the prover.

4. The prover generates ~y = (y1,...,ym) and σ as in Step 2 of ΠMeasure. It sends ~y to the veriﬁer.

5. The veriﬁer samples r $ [m] which is the copy to run Hadamard round for. For 1 i m, ←− ≤ ≤ if i = r then set c 0, else set c 1. It sends ~c = (c ,...,c ) to the prover. 6 i ← i ← 1 m 6. The prover generates ~a as in Step 4 of ΠMeasure, and sends it back to the veriﬁer.

7. The veriﬁer computes the outcome for each round as in Step 4 of Πint. If any of the testing round copies are rejected, the veriﬁer outputs (Rej, ). Else, it outputs the result from the ⊥ Hadamard round copy.

By inspection, ΠFinal is a QPIP0 protocol for SampBQP with negligible completeness error. To show that it is computationally sound, we ﬁrst use the partition lemma from [17]. Intuitively, the partition lemma says that for any cheating prover and for each copy i [m], there ∈ exist two eﬃcient “projectors” 8 G and G in the prover’s internal space with G + G Id. 0,i 1,i 0,i 1,i ≈ 8Actually they are not projectors, but for the simplicity of this discussion let’s assume they are.

24 G0,i and G1,i splits up the prover’s residual internal state after sending back his first message. G0,i intuitively represents the subspace where the prover does not knows the answer to the testing round on the i-th copy, while G1,i represents the subspace where the prover does. Note that the prover is using a single internal space for all copies, and every G0,i and every G1,i is acting on this single internal space. By using this partition lemma iteratively, we can decompose the prover’s internal state ψ into sum of subnormalized states. First we apply it to the first copy, writing | i ψ = G ψ + G ψ ψ + ψ . The component ψ would then get rejected as long as the | i 0,1 | i 1,1 | i ≡ | 0i | 1i | 0i first copy is chosen as a testing round, which occurs with pretty high probability. More precisely, the output corresponding to ψ is 1/m-close to the ideal distribution that just rejects all the time. | 0i On the other hand, ψ is now binding on the first copy; we now similarly apply the partition | 1i lemma of the second copy to ψ . We write ψ = G ψ + G ψ ψ + ψ , and apply | 1i | 1i 0,2 | 1i 1,2 | 1i ≡ | 10i | 11i the same argument about ψ and ψ . We then continue to decompose ψ = ψ + ψ | 10i | 11i | 11i | 110i | 111i and so on, until we reach the last copy and obtain ψ m . Intuitively, the ψ m term represents | 1 i | 1 i the “good” component where the prover knows the answer to every testing round and therefore has high accept probability. Therefore, ψ m also satisfies some binding property, so the verifier | 1 i should obtain a measurement result of some state on the Hadamard round copy, and the analysis from the QPIP1 protocol ΠSamp follows. However, the intuition that ψ m is binding to every Hadamard round is incorrect. As G | 1 i 1,i does not commute with G , ψ m is unfortunately only binding for the m-th copy. To solve this 1,j | 1 i problem, we start with a pointwise argument and fix the Hadamard round on the i-th copy where ψ i is binding, and show that the corresponding output is O( ψ i−1 )-close to ideal. We can | 1 i k| 1 0ik later average out this error over the different choices of i, since not all ψ i−1 can be large at the k| 1 0ik same time. Another way to see this issue is to notice that we are partitioning a quantum state, not probability events, so there are some inconsistencies between our intuition and calculation. Indeed, the error we get in the end is O( 1/m) instead of the O(1/m) we expected. Also a careful reader might have noticed that the prover’s space don’t always decompose cleanly p into parts that the verifier either rejects or accepts with high probability, as there might be some states that a accepted with mediocre probability. In [17], this is solved by splitting the space into parts that are accepted with probability higher or lower than a small threshold γ and applying amplitude amplification to boost the accept probability if it is bigger than γ. However, states with accept probability really close to the threshold γ can not be classified, so they need to average over randomly chosen γ to have G + G Id. Now we give a formal description of the partition 0,i 1,i ≈ lemma.

Lemma 5.2 (partition lemma; revision of Lemma 3.5 of [17]9). Let λ be the security parameter, and γ0 [0, 1] and T N be parameters that will be related to the randomly-chosen threshold γ. Let ∈ ∈ 10 (U0,U) be a prover’s strategy in a m-fold parallel repetition of ΠMeasure , where U0 is how the prover generates ~y on the second message, and U is how the prover generates ~a on the fourth message. Let HX Z be the Hilberspace of the prover’s internal calculation. Denote the string 0i 110m i 0, 1 m , − − ∈ { } as ei, which corresponds to doing Hadamard round on the i-th copy and testing round on all others. For all i [m], γ γ0 , 2γ0 ,..., T γ0 , there exist two poly(1/γ , T, λ)-time quantum circuit ∈ ∈ T T T 0 9 n o t G0 and G1 of this version are created from doing G of [17] and post-select on the ph, th, in register being 0 01 or 0t11 then discard ph, th, in. Property 1 corresponds to Property 1. Property 2 corresponds to Property 4, with 2m−1 changes to m − 1 because we only have m possible choices of ~c. Property 3 corresponds to Property 5. Property 4 comes from the fact that G0 and G1 are post-selections of orthogonal results of the same G. 10 A m-fold parallel repetition of ΠMeasure is running step 3 4 5 6 of Protocol 5 with veriﬁer input ~h and prover input ρ⊗n, followed by an output step where the veriﬁer rejects if any of the m − 1 testing round copies is rejected, otherwise outputs the result of the Hadamard round copy.

25 11 with post selection G0,i,γ and G1,i,γ such that for all (possibly sub-normalized) quantum state ψ X Z HX Z, properties 1 2 3 4, to be described later, are satisﬁed. Before we describe the | i , ∈ , properties, we introduce the following notations:

G ψ X Z := ψ , (5.1) 0,i,γ | i , | 0,i,γ iX,Z G ψ X Z := ψ , (5.2) 1,i,γ | i , | 1,i,γ iX,Z ψ X Z ψ ψ := ψ . (5.3) | i , − | 0,i,γiX,Z − | 1,i,γ iX,Z | err,i,γiX,Z Note that G and G has failure probabilities, and this is reﬂected by the fact that ψ 0,i,γ 1,i,γ | 0,i,γiX,Z and ψ are sub-normalized. G and G depend on (U ,U) and pk,~ ~y. | 1,i,γiX,Z 0,i,γ 1,i,γ 0 The following properties are satisﬁed for all i [m]: ∈ 1. 2 6 E ψerr,i,γ X Z + negl(λ), γ k | i , k ≤ T where the averaged is over uniformly sampled γ. This also implies

E 6 ψerr,i,γ X,Z + negl(λ) (5.4) γ k | i k≤ rT by Cauchy’s inequality.

2. For all pk~ , ~y, γ, and j = i, we have 6 2 ej C ψ0,i,γ X,Z Pacc,i U | i | i (m 1)γ0 + negl(λ), (5.5) ◦ ψ0 X,Z ≤ − k | i k

where Pacc,i are projector to the states that i-th testing round accepts with pki,yi, including the last measurement the prover did before sending ~a. This means that ψ is rejected by | 0,i,γi the i-th testing round with high probability.

3. For all pk~ , ~y, γ, and j = i, there exists an eﬃcient quantum algorithm Ext such that 6 i 2 ej C ψ1,i,γ X,Z Pacc,i Exti | i | i = 1 negl(λ). (5.6) ◦ ψ1 X,Z ! − k | i k

This will imply that ψ is binding to the i-th Hadamard round. | 1,i,γi 4. For all γ,

2 2 2 ψ + ψ ψ X Z . (5.7) | 0,i,γiX,Z | 1,i,γiX,Z ≤ | i , 11 A quantum circuit with post selection is composed of unitary gates followed by a post selection on some measurement outcome on ancilla qubits, so it produces a subnorm alized state, where the amplitude square of the output state is the probability of post selection.

26 Note that in property 3, we are using Exti instead of U because we are doing some amplitude amplification to boost the success probability. We now decompose the prover’s internal state by using Lemma 5.2 iteratively. Let ψ be the | i state the prover holds before he receives ~c; we denote the corresponding Hilbert space as HX,Z. γ 2γ T γ For all k [m], d 0, 1 k, γ = (γ , . . . , γ ) where each γ 0 , 0 ,..., 0 , and ψ HX Z, ∈ ∈ { } 1 k j ∈ { T T T } | i ∈ , define ψ := G ...G G ψ . | d,γ i dk,k,γk d2,2,γ2 d1,1,γ1 | i For all i [m], we then decompose ψ into ∈ | i i 1 i − ψ = ψ j + ψ i + ψ (5.8) | i | 1 0,γi | 1 ,γi | err,j,γi Xj=0 Xj=1 by using Equations (5.1) to (5.3) repeatedly, where ψ denotes the error state from decom- | err,i,γi posing ψ i−1 . | 1 ,γi We denote the projector in HX,Z corresponding to outputting string z when doing Hadamard on i-th copy as Pacc,i,z. Note that Pacc,i,z also depends on pk,~ ~y, and (ski, hi) since it includes the measurement the prover did before sending ~a, verifier’s checking on (m 1) copies of testing − rounds, and the verifier’s final computation from (ski, hi,yi, ai). Pacc,i,z is a projector because it only involves the projective measurements to get a and classical post-processing of the verifiers. Also note that P P ′ = 0 for all z = z , and P Id. acc,i,z acc,i,z 6 ′ z acc,i,z ≤ We denote the string 0i 110m i 0, 1 m as e . The output string corresponding to ψ HX Z − − ∈ { } i P | i∈ , when c = ei is then 2 zi := E Pacc,i,zU ei, ψ z z , (5.9) pk,y k | ik | ih | z X where e , ψ = e C ψ X Z and U is the unitary the prover applies on the last round. Note that | i i | ii | i , we have averaged over pk,~ ~y where as previously everything has fixed pk~ and ~y. By Property 2 of Lemma 5.2, it clearly follows that

Claim 5.1. For all γ γ0 , 2γ0 ,..., T γ0 , and all i, j [m] such that j < i 1, we have ∈ { T T T } ∈ − 2 P U e , ψ j (m 1)γ + negl(n). acc,i,z | i 1 0,γi ≤ − 0

Now we deﬁne E 2 zgood,i = Pacc,i,zU ei, ψ1i−11,γ z z (5.10) γ,pk,y | i | ih | z X as the output corresponding to a component that would pass the i-th testing rounds. We will show that it is O( ψ i−1 )-close to z . Before doing so, we present a technical lemma. k| 1 0ik i Lemma 5.3. For any state ψ , φ and projectors P such that P Id and P P ′ = 0 for | i | i { z} z z ≤ z z all z = z , we have 6 ′ P ψ P φ ψ φ . |h | z | i| ≤ k k k k z X

27 Proof.

ψ P φ = ψ P P φ |h | z| i| |h | z z| i| z z X X ψ P P φ ≤ kh | zk k z | ik z X P ψ 2 P φ 2 ≤ k z | ik k z | ik z z sX sX 2 2

Pz ψ Pz φ ≤v | i v | i u z u z u X u X tψ φ , t (5.11) ≤ k| ik k| ik where we used Cauchy’s inequality on the second and third line and PzPz′ = 0 on the fourth line.

Now we can estimate z using z , with errors on the orders of ψ i−1 . This error might i good,i k| 1 0ik not be small in general, but we can average it out later by considering uniformly random i [m]. ∈ The analysis is tedious but straightforward; we simply expand zi and bound the terms that are not zgood,i. Lemma 5.4.

2 E 2 m tr zi zgood,i ψ1i−10,γ + 2 ψ1i−10,γ + O + m (m 1)γ0 . | − |≤ pk,y,γ | i | i √ − T h i p Proof. We take expectation of Equation (5.8) over γ

i 1 i − ψ = E ψ j + ψ i + ψerr,j,γ , | i γ  | 1 0,γi | 1 ,γ i | i Xj=0 Xj=1   and expand zi from Equation (5.9) as

28 where we omitted writing out ei. Therefore we have

2 by the triangle inequality. The last three error terms sum to O m by Lemma 5.3 and property 1 √T of Lemma 5.2. As for the ﬁrst two terms, by Lemma 5.3 and Claim 5.1, we see that

i 1 − ψ k U †P U ψ i |h 1 0,γ| acc,i,z | 1 ,γi| z X Xk=0 ψ i−1 U †P U ψ i + O m (m 1)γ ≤ |h 1 0,γ| acc,i,z | 1 ,γi| − 0 z X p ψ i + O m (m 1)γ . ≤ | 1 ,γi − 0 p

Now let ztrue, as a mixed state, be the correct sample of the SampBQP instance Dx, and let zideal,i = tr(zgood,i)ztrue. We show that zideal,i is close to zgood,i. Lemma 5.5. z is O(ǫ)-computationally indistinguishable to z , where ǫ R is the accuracy good,i ideal,i ∈ parameter picked earlier in ΠFinal.

Proof. For every i [m] and every prover strategy (U ,U) for ΠFinal, consider the following com- ∈ 0 posite strategy, Πcomp,i, as a prover for Πint. Note that a prover only interacts with the verifier in Step 3 of Πint where ΠMeasure is run, so we describe a prover’s action in terms of the four rounds of communication in ΠMeasure. Πcomp,i tries to run U0 by taking the verifier’s input as the input to the i-th copy of ΠMeasure in ΠFinal and simulating other m 1 copies by himself. The prover then picks a uniformly random − γ and tries to generate ψ1i−11,γ by applying Gi,1,γ Gi 1,1,γ G2,1,γG1,1,γ . This can be efficiently | i − · · · done because of Lemma 5.2 and our choice of γ0 and T in Theorem 5.2. If the prover fails to generate ψ i−1 , he throws out everything and aborts by sending back. On the fourth round, | 1 1,γi ⊥

29 ej ψ1,i,γ If it’s a testing round the prover reply with the i-th register of Ext | iC| iX,Z , where Ext is i ψ1 X Z i k| i , k specified in property 3 of Lemma 5.2. If it’s the Hadamard round the prover runs U and checks whether every copy except the i-th copy would be accepted. If all m 1 copies are accepted, he − replies with the i-th copy, otherwise reply . ⊥ Denote the result we would get in the Hadamard round by zcomposite,i. By construction, when Gi,1,γ ...G1,1,γ succeeded, the corresponding output would be zgood,i. Also note that this is the only case where the verifier won’t reject, so zcomposite,i = zgood,i. In the testing round, by property 3 of Lemma 5.2, the above strategy is accepted with probability 1 negl(n) when the prover didn’t abort. Since the prover’s strategy is also efficient, by − Theorem 5.1, zcomposite,i is O(ǫ)-computationally indistinguishable to zideal,i. Now we try to put together all i [m]. First let ∈ 1 1 z = z = z z e , ψ U †P U e , ψ , m i m | ih | · h i | acc,i,z | i i z Xi Xi X which is the output distribution of ΠFinal. We also define the following accordingly: 1 z := z good m good,i, Xi 1 z := z . ideal m ideal,i Xi Notice that zideal is some ideal output distribution, which might not have the same accept probability as z.

Theorem 5.2. Under the QLWE assumption, ΠFinal is a protocol for the SampBQP problem 12 (Dx)x 0,1 ∗ with negligible completeness error and is computationally sound. ∈{ } Proof. Completeness is trivial. In the following we prove the soundness. By Property 4 of Lemma 5.2, we have

30 We have

1 tr z zgood = tr (zi zgood,i) | − | m − Xi 1 tr (z z ) ≤m | i − good,i | i X 2 1 E 2 m ψ1i−10,γ + 2 ψ1i−10,γ + O + m (m 1)γ0 ≤m pk,y,γ | i | i √T − i X h i p 1 1 m2 + 2 + O + m (m 1)γ ≤m √m √ − 0 T 1 m2 p =O + + m (m 1)γ , (5.13) √m √ − 0 T p where we used triangle inequality on the second line, Lemma 5.4 on the third line, Equation 5.12 2 2 8 and Cauchy’s inequality on the fourth line. Set m = O(1/ǫ ), T = O(1/ǫ ), γ0 = ǫ . Combining Lemma 5.5 and Equation (5.13) by triangle inequality, we have z is O(ǫ)-computationally indistinguishable to zideal. Therefore, (d, z) O(ǫ)-computationally indistinguishable to (d, zideal). Theorem 1.1 follows as a corollary.

6 Generic Blindness Protocol Compiler for QPIP0

In this section, we present a generic protocol compiler that compiles any QPIP0 protocol Π = (P,V ) (with an arbitrarily number of rounds) to a protocol Πblind = (Pblind,Vblind) that achieve blindness while preserving the completeness, soundness, and round complexity. At a high-level, the idea is simple: we simply run the original protocol under a quantum homomorphic encryption QHE with the verifier’s key. Intuitively, this allows the prover to compute his next message under encryption without learning the underlying verifier’s message, and hence achieves blindness while preserving the properties of the original protocol. However, several issues need to be taking care to make the idea work. First, since the verifier is classical, we need the quantum homomorphic encryption scheme QHE to be classical friendly as defined in Definition 2.11. Namely, the key generation algorithm and the encryption algorithm for classical messages should be classical, and when the underlying message is classical, the ciphertext (potentially from homomorphic evaluation) and the decryption algorithm should be classical as well. Fortunately, the quantum homomorphic encryption scheme of Mahadev [31] is classical friendly. A more subtle issue is to preserve the soundness. Intuitively, the soundness holds since the execution of Πblind simulates the execution of Π, and hence the soundness of Π implies the soundness of Πblind. However, to see the subtle issue, let us consider the following naive compiler that uses a single key: In Πblind, the verifier V initially generates a pair QHE key (pk,sk), sends pk and encrypted input QHE.Enc(pk,x) to P . Then they run Π under encryption with this key, where both of them use homomorphic evaluation to compute their next message. There are two reasons that the compiled protocol Πblind may not be sound (or even not blind). First, in general, the QHE scheme may not have circuit privacy; namely, the homomorphic evaluation may leak information about the circuit being evaluated. Since the verifier computes his next message using homomorphic evaluation, a cheating prover Pblind∗ seeing the homomorphically evaluated ciphertext of the verifier’s message may learn information about the verifier’s next message circuit, which may contain information about the secret input x or help Pblind∗ to break the

31 soundness. Second, Pblind∗ may send invalid ciphertexts to V , so the execution of Πblind may not simulate a valid execution of Π. To resolve the issue, we let the verifier switch to a fresh new key for each round of the protocol. For example, when the prover Pblind returns the ciphertext of his first message, the verifier Vblind decrypts the ciphertext, computes his next message (in the clear), and then encrypt it using a fresh key pk′ and sends it to Pblind. Since the verifier Vblind only sends fresh ciphertexts to Pblind, this avoids the issue of circuit privacy. Additionally, to allow Pblind to homomorphically evaluate its next message, Vblind needs to encrypt the previous secret key sk under the new public key pk′ and send it to Pblind. This allows the prover to homomorphically convert ciphertexts under key pk to ciphertexts under key pk′. By doing so, we show that for any cheating prover Pblind∗ , the interaction (Pblind∗ ,Vblind) indeed simulates a valid interaction of (P ∗,V ) for some cheating P ∗, and hence the soundness of Π implies the soundness of the compiled protocol. Finally, for the issue of the prover sending invalid ciphertexts, we note that this is not an issue if the decryption never fails, which can be achieved by simply let the decryption algorithm output a default dummy message (e.g., 0) when it fails. We note that the idea of running the protocol under homomorphic encryptions is used in [18] in a classical setting, but for a different purpose of making the protocol “computationally simulatable” in their context. We proceed to present our compiler. We start by introducing the notation of a QPIP0 protocol Π as follows.

Protocol 6 QPIP0 protocol Π = (P,V )(x) where only the veriﬁer receives outputs

Common inputs13:

• Security parameter 1λ where λ N ∈ • A classical input x 0, 1 poly(λ) ∈ { } Protocol:

1. V generates (v ,st ) (1λ,x) and sends v to the prover. 1 V,1 ←V1 1 2. P generates (p ,st ) (1λ, v ,x) and sends p to the veriﬁer. 1 P,1 ← P1 1 1 3. for t = 2,...,T :

(a) V generates (vt,stV,t) t(pt 1,stV,t 1) and sends vt to the prover. ←V − − (b) P generates (pt,stP,t) t(vt,stP,t 1) and sends pt to the veriﬁer. ← P − 4. V computes its output o (p ,st ). ←Vout T V,T We compile the above protocol to achieve blindness as follows. For notation, when there are (i) many sets of QHE keys in play at the same time, we use x to denote x encrypted under pki.

b Protocol 7 Blind QPIP0 protocol Πblind = (Pblind,Vblind(x)) corresponding to Π0

Inputs:

13For the sake of simplicity, we omit accuracy parameter ǫ where it exists

32 • Common input: Security parameter 1λ where λ N ∈ • Veriﬁer’s input: x 0, 1 poly(λ) ∈ { } Ingredients:

• Let L be the maximum circuit depth of . Pt Protocol:

λ λ L 1. Vblind generates (v1,stV,1) 1(1 ,x). Then it generates (pk1, sk1) QHE.Keygen(1 , 1 ), (1) ← V (1) ← (1) and encrypts x QHE.Enc(pk1,x) and v1 QHE.Enc(pk1, v1). It sends pk1, x , and (1) ← ← v1 to the prover. b b b (1) (1) λ (1) (1) (1) (1) 2. Pblind generates (p , st ) blind (1 , v , x ) by evaluating (p , st ) QHE.Eval(pk, , b 1 P,1 ← P ,1 1 1 P,1 ← P1 λ (1) (1) (1) QHE.Enc(pk1, 1 ), v1 , x ). It sends p1 to the verifier. b b b b b b 3. for t = 2,...,T : b b b (t 1) (a) Vblind decrypts the prover’s last message by pt 1 QHE.Dec(skt 1, pt −1 ), then gener- − ← − − λ L ates (vt,stV,t) t(pt 1,stV,t 1). Then it generates (pkt, skt) QHE.Keygen(1 , 1 ), ← V − − ← (t) (t) b and produces encryptions vt QHE.Enc(pkt, vt) and skt 1 QHE.Enc(pkt, skt 1). It ← − ← − (t) (t) sends pkt, vt , and skt 1 to the prover. − b c (t) (t) (t) (t) (t 1) (b) Pblind generates (pt c, stP,t) blind,t(vt , skt 1, stP,t− 1) by first switching its encryption b ← P − − (t 1,t) (t 1) key; that is, it encrypts its state under the new key by stP,t− 1 QHE.Enc(pkt, stP,t− 1)), b b b c b (t) − ← − then homomorphically decrypts the old encryption by stP,t 1 QHE.Eval(pkt, QHE.Dec, (t) (t 1,t) b − ← b skt 1, stP,t− 1 ). Then it applies the next-message function homomorphically, generating (t−) (t) − (t) (t) b(t) (pt , stP,t) QHE.Eval(pkt, t, vt , stP,t 1). It sends pt back to the verifier. c b ← P − (T ) 4. Vblind decryptsb the prover’s final messageb by pT QHE.Dec(skT , p ). It then computes its b b ← b T output o (p ,st ). ←Vout T V,T b By the correctness of QHE, the completeness error of Πblind is negligibly close to that of Π. For the soundness property, we show the following lemma, which implies that Πblind preserves the soundness of Π0.

Theorem 6.1. For all cheating BQP prover Pblind∗ , there exists a cheating BQP prover P ∗ s.t. for poly(λ) all λ and input x 0, 1 , the output distributions of (P ,Vblind(x)) and (P ,V )(x) are ∈ { } blind∗ ∗ identical.

Proof. We define P ∗ as follows. λ L For the first rounds, it generates (pk1, sk1) QHE.Keygen(1 , 1 ), then produces the en- ← (1) cryptions x(1) QHE.Enc(pk ,x) and v(1) QHE.Enc(pk , v ). It then runs (p(1), st ) ← 1 1 ← 1 1 1 P,1 ← λ (1) (1) (1) blind,1(1 , v1 , x ). Finally, it decrypts p1 QHE.Dec(sk1, p1 ) and sends it back to the verifier, P b (1) b ← b b and keeps stP,1 and sk1. For theb otherb rounds, it generates (pk , sk ) QHE.Keygenb (1λ, 1L), and produces ciphertexts t t ← (t) b (t) (t) (t) (t) vt QHE.Enc(pkt, vt)) and skt 1 QHE.Enc(pkt, skt 1). It then runs (pt , stP,t) blind,t(vt , ← − ← − ← P b c 33 b b b (t) (t 1) (1) skt 1, stP,t− 1). Finally, it decrypts pt QHE.Dec(skt, pt ) and sends it back to the verifier, and − (t) − ← keeps stP,t and skt. c b b By construction, the experiments (Pblind∗ ,Vblind(x)) and (P ∗,V )(x) are identical. b Finally, we show the blindness of Πblind through a standard hybrid argument:

Theorem 6.2. Assuming the QLWE assumption, Πblind is blind.

n Proof. We show that for all cheating BQP prover P ∗, λ N, x 0, 1 , P ∗ cannot distinguish λ n λ ∈ ∈ { } (P ∗,Vblind(x))(1 ) from (P ∗,Vblind(0 ))(1 ) with noticeable probability in λ. We use a hybrid ar- x λ 0 n λ gument; let Hyb = (P ,Vblind(x))(1 ) and Hyb = (P ,Vblind(0 ))(1 ). For 2 t < T + 1, T +1 ∗ T +1 ∗ ≤ x x (t) (t) define Hybt to be the same as Hybt+1, except when Vblind should send vt and skt 1, it instead x x − sends encryptions of 0 under pkt. We define Hyb1 to be the same as Hyb2 except the verifier sends (1) (1) 0 c x encryptions of 0 under pk1 in place of x and v1 . We define Hybt similarly.b Note that Hyb1 and 0 Hyb1 are identical. x For all t, from the perspective ofb the prover,b as it receives no information on skt, Hybt+1 is x computationally indistinguishable from Hybt due to the CPA security of QHE under pkt. By a x x standard hybrid argument, we observe that Hyb1 is computationally indistinguishable with HybT +1. 0 0 We use the same argument for the computational indistinguishability between Hyb1 and HybT +1. x 0 We conclude that P ∗ cannot distinguish between HybT +1 and HybT +1, therefore Πblind is blind. Applying our compiler to the parallel repetition of Mahadev’s protocol for BQP from [9, 17] and our QPIP0 protocol ΠFinal from Protocol 5 for SampBQP yields the first constant-round blind QPIP0 protocol for BQP and SampBQP, respectively.

Theorem 6.3. Assuming the QLWE assumption, there exists a blind, four-message QPIP0 protocol for all languages in BQP with negligible completeness and soundness errors.

Theorem 6.4. Assuming the QLWE assumption, there exists a blind, four-message QPIP0 protocol for all sampling problems in SampBQP with negligible completeness error and computational soundness.

References

[1] Scott Aaronson. The aaronson $25.00 prize. http://www.scottaaronson.com/blog/?p=284 .

[2] Scott Aaronson. The equivalence of sampling and searching. Theory of Computing Systems, 55(2):281–298, 2013.

[3] Scott Aaronson and Alex Arkhipov. The computational complexity of linear optics. In Proceedings of the Forty-Third Annual ACM Symposium on Theory of Computing,STOC ’11, page 333–342, New York, NY, USA, 2011. Association for Computing Machinery.

[4] Scott Aaronson, Alexandru Cojocaru, Alexandru Gheorghiu, and Elham Kasheﬁ. Complexity-Theoretic Limitations on Blind Delegated Quantum Computation. In Christel Baier, Ioannis Chatzigiannakis, Paola Flocchini, and Stefano Leonardi, editors, 46th International Colloquium on Automata, Languages, and Programming (ICALP 2019), volume 132 of Leibniz International Proceedings in Informatics (LIPIcs), pages 6:1–6:13, Dagstuhl, Germany, 2019. Schloss Dagstuhl–Leibniz-Zentrum fuer Informatik.

34 [5] Dorit Aharonov. A simple proof that toﬀoli and hadamard are quantum universal, 2003.

[6] Dorit Aharonov, Michael Ben-Or, Elad Eban, and Urmila Mahadev. Interactive proofs for quantum computations. arXiv, 1704.04487, 2017.

[7] Dorit Aharonov, Wim Van Dam, Julia Kempe, Zeph Landau, Seth Lloyd, and Oded Regev. Adiabatic quantum computation is equivalent to standard quantum computation. SIAM Review, 50(4):755–787, 2008.

[8] Dorit Aharonov and Umesh Vazirani. Is quantum mechanics falsiﬁable? a computational perspective on the foundations of quantum mechanics. ”Computability: Godel, Turing, Church, and beyond”, Editors: Copeland, Posy, Shagrir, MIT press, 2012.

[9] Gorjan Alagic, Andrew M. Childs, and Shih-Han Hung. Two-message veriﬁcation of quantum computation. arXiv, 1911.08101, 2019.

[10] Frank Arute, Kunal Arya, Ryan Babbush, Dave Bacon, Joseph C. Bardin, Rami Barends, Rupak Biswas, Sergio Boixo, Fernando G. S. L. Brandao, David A. Buell, Brian Burkett, Yu Chen, Zijun Chen, Ben Chiaro, Roberto Collins, William Courtney, Andrew Dunsworth, Edward Farhi, Brooks Foxen, Austin Fowler, Craig Gidney, Marissa Giustina, Rob Graff, Keith Guerin, Steve Habegger, Matthew P. Harrigan, Michael J. Hartmann, Alan Ho, Markus Hoffmann, Trent Huang, Travis S. Humble, Sergei V. Isakov, Evan Jeffrey, Zhang Jiang, Dvir Kafri, Kostyantyn Kechedzhi, Julian Kelly, Paul V. Klimov, Sergey Knysh, Alexander Korotkov, Fedor Kostritsa, David Landhuis, Mike Lindmark, Erik Lucero, Dmitry Lyakh, Salvatore Mandrà, Jarrod R. McClean, Matthew McEwen, Anthony Megrant, Xiao Mi, Kristel Michielsen, Masoud Mohseni, Josh Mutus, Ofer Naaman, Matthew Neeley, Charles Neill, Murphy Yuezhen Niu, Eric Ostby, Andre Petukhov, John C. Platt, Chris Quintana, Eleanor G. Rieffel, Pedram Roushan, Nicholas C. Rubin, Daniel Sank, Kevin J. Satzinger, Vadim Smelyanskiy, Kevin J. Sung, Matthew D. Trevithick, Amit Vainsencher, Benjamin Villalonga, Theodore White, Z. Jamie Yao, Ping Yeh, Adam Zalcman, Hartmut Neven, and John M. Martinis. Quantum supremacy using a programmable superconducting processor. Nature, 574(7779):505–510, 2019.

[11] Mihir Bellare, Russell Impagliazzo, and Moni Naor. Does parallel repetition lower the error in computationally sound protocols? In 38th Annual Symposium on Foundations of Computer Science, FOCS ’97, Miami Beach, Florida, USA, October 19-22, 1997, pages 374–383, 1997.

[12] Jacob D. Biamonte and Peter J. Love. Realizable hamiltonians for universal adiabatic quantum computers. Phys. Rev. A, 78:012352, Jul 2008.

[13] Fernando G. S. L. Brand˜ao and Aram W. Harrow. Quantum de ﬁnetti theorems under local measurements with applications. Communications in Mathematical Physics, 353(2):469–506, Jul 2017.

[14] Fernando G. S. L. Brand˜ao, Amir Kalev, Tongyang Li, Cedric Yen-Yu Lin, Krysta M. Svore, and Xiaodi Wu. Quantum SDP Solvers: Large Speed-Ups, Optimality, and Applications to Quantum Learning. In Christel Baier, Ioannis Chatzigiannakis, Paola Flocchini, and Stefano Leonardi, editors, 46th International Colloquium on Automata, Languages, and Programming (ICALP 2019), volume 132 of Leibniz International Proceedings in Informatics (LIPIcs), pages 27:1–27:14, Dagstuhl, Germany, 2019. Schloss Dagstuhl–Leibniz-Zentrum fuer Informatik.

35 [15] A. Broadbent, J. Fitzsimons, and E. Kasheﬁ. Universal blind quantum computation. In 2009 50th Annual IEEE Symposium on Foundations of Computer Science, pages 517–526, 2009.

[16] Anne Broadbent and Stacey Jeﬀery. Quantum homomorphic encryption for circuits of low t-gate complexity. In Rosario Gennaro and Matthew Robshaw, editors, Advances in Cryptology – CRYPTO 2015, pages 609–629, Berlin, Heidelberg, 2015. Springer Berlin Heidelberg.

[17] Nai-Hui Chia, Kai-Min Chung, and Takashi Yamakawa. Classical verification of quantum computations with efficient verifier. arXiv, 1912.00990, 2019.

[18] Kai-Min Chung. Eﬃcient Parallel Repetition Theorems with Applications to Security Ampliﬁcation. PhD thesis, Harvard University, 2011.

[19] Andrea Coladangelo, Alex B. Grilo, Stacey Jeffery, and Thomas Vidick. Verifier-on-a-leash: New schemes for verifiable delegated quantum computation, with quasilinear resources. In Yuval Ishai and Vincent Rijmen, editors, Advances in Cryptology – EUROCRYPT 2019, pages 247–277, Cham, 2019. Springer International Publishing.

[20] Yfke Dulek, Christian Schaﬀner, and Florian Speelman. Quantum homomorphic encryption for polynomial-sized circuits. In Matthew Robshaw and Jonathan Katz, editors, Advances in Cryptology – CRYPTO 2016, pages 3–32, Berlin, Heidelberg, 2016. Springer Berlin Heidelberg.

[21] Joseph F. Fitzsimons, Michal Hajduˇsek, and Tomoyuki Morimae. Post hoc veriﬁcation of quantum computation. Phys. Rev. Lett., 120:040501, Jan 2018.

[22] Joseph F. Fitzsimons and Elham Kasheﬁ. Unconditionally veriﬁable blind quantum computation. Phys. Rev. A, 96:012303, Jul 2017.

[23] Alexandru Gheorghiu, Elham Kasheﬁ, and Petros Wallden. Robustness and device independence of veriﬁable blind quantum computing. New Journal of Physics, 17(8):083040, aug 2015.

[24] Alexandru Gheorghiu and Thomas Vidick. Computationally-secure and composable remote state preparation. In FOCS, pages 1024–1033, 2019.

[25] Lov K. Grover. A fast quantum mechanical algorithm for database search. In Proceedings of the Twenty-Eighth Annual ACM Symposium on Theory of Computing, STOC ’96, page 212–219, New York, NY, USA, 1996. Association for Computing Machinery.

[26] Michal Hajduˇsek, Carlos A. P´erez-Delgado, and Joseph F. Fitzsimons. Device-Independent Veriﬁable Blind Quantum Computation. arXiv e-prints, page arXiv:1502.02563, February 2015.

[27] Julia Kempe, Alexei Kitaev, and Oded Regev. The complexity of the local hamiltonian problem. SIAM Journal on Computing, 35(5):1070–1097, 2006.

[28] A.Y. Kitaev, A. Shen, and M.N. Vyalyi. Classical and Quantum Computation. Graduate studies in mathematics. American Mathematical Society, 2002.

[29] Ching-Yi Lai and Kai-Min Chung. On statistically-secure quantum homomorphic encryption. Quantum Info. Comput., 18(9–10):785–794, August 2018.

36 [30] Tongyang Li, Shouvanik Chakrabarti, and Xiaodi Wu. Sublinear quantum algorithms for training linear and kernel-based classiﬁers. In Kamalika Chaudhuri and Ruslan Salakhutdinov, editors, Proceedings of the 36th International Conference on Machine Learning, volume 97 of Proceedings of Machine Learning Research, pages 3815–3824, Long Beach, California, USA, 09–15 Jun 2019. PMLR.

[31] Urmila Mahadev. Classical homomorphic encryption for quantum circuits. 2018 IEEE 59th Annual Symposium on Foundations of Computer Science (FOCS), 2018.

[32] Urmila Mahadev. Classical Veriﬁcation and Blind Delegation of Quantum Computations. PhD thesis, 2018.

[33] Urmila Mahadev. Classical veriﬁcation of quantum computations. 2018 IEEE 59th Annual Symposium on Foundations of Computer Science (FOCS), 2018.

[34] Tomoyuki Morimae, Daniel Nagaj, and Norbert Schuch. Quantum proofs can be veriﬁed using only single-qubit measurements. Phys. Rev. A, 93:022326, Feb 2016.

[35] Michael Newman and Yaoyun Shi. Limitations on transversal computation through quantum homomorphic encryption. Quantum Info. Comput., 18(11–12):927–948, September 2018.

[36] Yingkai Ouyang, Si-Hui Tan, and Joseph F. Fitzsimons. Quantum homomorphic encryption from quantum codes. Phys. Rev. A, 98:042334, Oct 2018.

[37] Krzysztof Pietrzak and Douglas Wikstr¨om. Parallel repetition of computationally sound protocols revisited. J. Cryptol., 25(1):116–135, 2012.

[38] Oded Regev. On lattices, learning with errors, random linear codes, and cryptography. J. ACM, 56(6):34:1–34:40, 2009.

[39] Ben W Reichardt, Falk Unger, and Umesh Vazirani. Classical command of quantum systems. Nature, 496(7746):456, 2013.

[40] Dan Shepherd and Michael J. Bremner. Temporally unstructured quantum computation. In Proc. R. Soc. A., volume 465, pages 1413–1439, 2009.

[41] Yaoyun Shi. Both toﬀoli and controlled-not need little help to do universal quantum computing. Quantum Info. Comput., 3(1):84–92, January 2003.

[42] P. W. Shor. Algorithms for quantum computation: discrete logarithms and factoring. In Proceedings 35th Annual Symposium on Foundations of Computer Science, pages 124–134, 1994.

[43] J. Van Apeldoorn, A. Gily´en, S. Gribling, and R. de Wolf. Quantum sdp-solvers: Better upper and lower bounds. In 2017 IEEE 58th Annual Symposium on Foundations of Computer Science (FOCS), pages 403–414, 2017.