Arxiv:2102.00329V1 [Cs.LO] 30 Jan 2021 Interfering Effects

A Quantum Interpretation of Bunched Logic for Quantum Separation Logic

Li Zhou Gilles Barthe Max Planck Institute for Security and Privacy Max Planck Institute for Security and Privacy; IMDEA Software Institute

Justin Hsu Mingsheng Ying University of Wisconsin–Madison University of Technology Sydney; Institute of Software, Chinese Academy of Sciences; Tsinghua University

Nengkun Yu University of Technology Sydney

Abstract—We propose a model of the substructural logic of Quantum computation is another domain where the ideas Bunched Implications (BI) that is suitable for reasoning about of separation logic seem relevant. Recent work [10], [11] quantum states. In our model, the separating conjunction of suggests that reasoning about resources (in particular, entan- BI describes separable quantum states. We develop a program glement – a resource unique in the quantum world) can bring logic where pre- and post-conditions are BI formulas describing similar benefits to quantum computing and communications. quantum states—the program logic can be seen as a counter- Motivated by this broad perspective, we propose a quan- part of separation logic for imperative quantum programs. We tum model of BI and develop a novel separation logic for exercise the logic for proving the security of quantum one-time quantum programs. Our development is guided by concrete pad and secret sharing, and we show how the program logic examples of quantum algorithms and security protocols. can be used to discover a flaw in Google Cirq’s tutorial on the Motivating Local Reasoning for Quantum Programs: Variational Quantum Algorithm (VQA). Quantum Machine Learning [12], [13] and VQAs (Vari- ational Quantum Algorithms) [14], [15] are new classes 1. Introduction of quantum algorithms that emerged in recent years as a leading application of quantum computing. These algo- The logic of Bunched Implications (BI) of O’Hearn rithms solve problems by training parameterized quantum and Pym [1], [2], [3] is a substructural logic that fea- circuits. The trained circuits are usually very large in terms tures resource-aware connectives. One such connective is ∗, of both their size and the required quantum resources, known as separating conjunction: informally, an assertion i.e., the number of involved quantum bits (qubits). This φ ∗ ψ holds with respect to a resource R if the resource makes them particularly challenging to verify with exist- R can be split into resources R0 and R00 such that φ ing techniques such as quantum Hoare logic [16], [17] holds with respect to R0 and ψ holds with respect to R00. and verification based on operational semantics [18], since This interpretation is particularly well suited for reasoning the dimension of the matrices used to represent assertions about programs in settings where computations can have increases exponentially w.r.t. the number of qubits. Fortu- arXiv:2102.00329v1 [cs.LO] 30 Jan 2021 interfering effects. In particular, BI has found success as an nately, these algorithms can benefit from local reasoning, assertion language for Separation Logic [4], [5], [6], a pro- since each of their operations is performed locally on a gram logic for reasoning about programs with mutable state, small number of qubits. Consider for instance the quantum and Concurrent Separation Logic [7], [8], a program logic circuit shown in Figure 1, that implements a VQA circuit for reasoning about shared-memory concurrent processes. with 2 × 2 grid qubits. Instead of reasoning about the Recent works seek to extend the separation logic frame- circuit as a whole, we would like to reason about sub- work beyond memory-manipulating programs by consider- circuits ProcC(1), ProcC(2), Proc(R)(1), ProcR(2) sepa- ing other notions of resources and other models of com- rately, and then combine the results to establish the correct- putation. Broadly speaking, separation logics are a good fit ness of the whole program. This is precisely the kind of whenever programs manipulate resources in a local fashion: reasoning enabled by Quantum Separation Logic (QSL for that is, there is a natural notion of two resources being short). separate, and a program can operate on the first resource without affecting the second. This idea underlies recent sep- Technical Challenges and Contributions: QSL will be aration logics for probabilistic programs, where separation developed by first developing a model of BI, where formulas is probabilistic independence [9]. describe quantum states and then building a separation logic

1 Reynolds [19] in the context of standard separation logic. This extra bit of freedom seems to be particular to the quantum setting, and we crucially use this feature when using the frame rule to establish uniformity. The soundness proof of our quantum frame rule requires a nontrivial calculation based on purification, a fundamental technique used in quantum information for transforming mixed states to pure states by introducing reference systems [20]. Figure 1: VQA(2) with parameters taken in Sec. 5.3. 3) Reasoning about entangled predicates:1 The structural rules FRAME and CONST enable us to lift local reasoning to global correctness of quantum algorithms using these assertions as pre- and post-conditions, introduc- only when no entanglement occur in the pre- and ing proof rules to reason about quantum programs. post-conditions. However, entangled predicates play an BI and Its Quantum Interpretation: To characterize the essential role in revealing the non-local (global) proper- properties of quantum systems, we first identify a quantum ties of a composite quantum system; for instance, some interpretation of BI appropriate for our target applications. entangled predicates are used when reasoning about the We choose to interpret our separating conjunction ∗ as (in)correctness of VQA (see Sec. 5.3). With the help separability of quantum states. Roughly speaking, φ1 ∗ φ2 of auxiliary variables, we set up a new rule UNCR holds in a quantum state ρ if ρ can be factored into two which enables us to prove the correctness of large quantum states ρ1 and ρ2 over disjoint registers satisfying quantum algorithms with respect to entangled pre- and φ1 and φ2, respectively. post-conditions. Intuitively, when the program (as the Proof System for Program Logic: next, we define principal system) combined with auxiliary variables (as a program logic for a quantum while-language [16] (for ancillary systems), modification can be used to create simplicity, we do not consider classical variables). Our (mathematically rather than physically) entanglement language follows the “classical control and quantum data” and rule UNCR is used to preserve correctness under paradigm. We develop a set of proof rules that are effective the modification on the auxiliary variables in the pre- for verifying quantum programs over a large set of qubits. and post-conditions (but not in the program). The key Our proof system has several novel ingredients: idea behind was first proposed in [21] for reasoning 1) Modification on BI formulas. The basic rule for assign- about parallel quantum programs; UNCR is its gener- ments in classical program logics is defined using the alization tailored for our purpose. syntactic notion of substitution. Due to the non-cloning Applications: To demonstrate the breadth of the applica- law of quantum information, the role of assignments tion range of our logic QSL, we present several case studies has to be played by initialization q := |0i and unitary from two very different areas: transformations q := U[q], and inference rules for these operations involve a quantum operation (e.g., • Our first example given in Section 5 is formal verifi- [16], [17]). Unfortunately, the rules for initialization cation of Variational Quantum Algorithm (VQA) [14], and unitary transformations are not simple adaptations [15] for finding the ground state of a quantum system, of the rule for assignment, because a quantum gen- which has potential applications in quantum chemistry eralization of substitution is not straightforward. For for designing new materials and drugs. A typical VQA atomic predicates, substitutions are not always defined. can be split into different subprograms that are suited For composite formulas, a straightforward definition of to locally reasoning. Then the frame rules together substitution is too weak for applications. We overcome with UNCR are used to derive global correctness with this hurdle by introducing a modification operation for entangled pre- and post-conditions. In particular, an atomic formulas (see Definition 3.4), which is essen- analysis based on QSL reveals that the VQA presented tially a quantum version of substitution. Extending this in the tutorial of Google’s Cirq [22] is incorrect. operation to composite formulas requires some care • In Section 6, we use QSL to verify the security of (see Definition 3.5). quantum one-time pad (QOTP) [23], [24] and quantum 2) Frame rule: The frame rule is one of the most char- secret sharing (QSS) [25], [26]. Unlike previous work, acteristic structural rules in separation logic. QSL also the QSL verification of QOTP and QSS is scalable: in- enjoys a frame rule FRAME that is similar in spirit creasing the number of registers that algorithms employ to frame rules from standard separation logics, but does not complicate the verification. In particular, rule our new interpretation of separating conjunction means FRAME with the supported assertion (SP) enables us to that the meaning of the rule is different. Furthermore, avoid the very complicated mathematical calculations the frame rule can be generalized slightly: even if used in earlier verifications of QOTP [27]. the standard side condition for frame rules does not hold, the frame rule still applies if the post-condition 1. Here, entangled predicates refer to the projections that cannot be is a supported assertion—a concept first proposed by factored as a product of projections of its local constituents.

2 2. Preliminaries subsystem p is in state |0i and subsystem q is in state |1i. Due to the superposition principle, there exist states like For the convenience of the reader, we briefly review 1 |Φipq = √ (|0ip|0iq + |1ip|1iq) basic notions of quantum information and programming as 2 well as the logic of bunched implication. that cannot be written in the simple tensor form |φip|ψiq, which are called entangled states. These states play a crucial 2.1. Basics of Quantum Information role in applications of quantum computation and quantum communication. The state space of a quantum system is a Hilbert The state of a composite system fully determines the space H, which is essentially a vector space in the finite- state of each subsystem. Formally, given composite system dimensional case. A pure state of the system is a unit column pq in state ρ, subsystem q is then in state trp(ρ), where the vector |ψi ∈ H. For example, the state space of a quantum partial trace trp(·) over p is a mapping from operators on bit (aka qubit) is a two-dimensional Hilbert space with basis Hp ⊗ Hq to operators on Hq defined by: 1 0 states |0i = and |1i = , and any pure state of 0 1 trp(|φpiphψp| ⊗ |φqiqhψq|) = hψp|φpi · · · |φqiqhψq| α a qubit can be described in the form α|0i + β|1i = for all |φpi, |ψpi ∈ Hp and |φqi, |ψqi ∈ Hq together with β linearity. The state trq(ρ) of subsystem q can be defined satisfying normalization condition |α|2 + |β|2 = 1. When symmetrically. We often use the notations ρ|p , trp(ρ) and the state is not completely known but could be in one of ρ|q , trq(ρ) in order to explicitly indicate that ρ|p and ρ|q some pure states |ψii with respective probabilities pi, we are states of p, q, respectively. call {(pi, |ψii)} an ensemble of pure states or a mixed state, and the system is fully described by the density operator Summary of Notations. Let V be the set of all quantum P variables. A quantum register is a list of distinct variables ρ = i pi|ψiihψi|. For example, the completely mixed state of a qubit can be seen as ensemble {(0.5, |0i), (0.5, |1i)} q = q1, . . . , qn. Each quantum variable q has a type Hq, (i.e. the state is either |0i or |1i with the same probability which is the state Hilbert space of quantum system denoted 0.5 0 by q. For a set of quantum variables S = {q1, . . . , qn} ⊆ V 0.5) or density matrix 1 (|0ih0| + |1ih1|) = . 2 0 0.5 (or a quantum register q = q1, . . . , qn), we fix following The evolution of a quantum system is modelled by a notations: † † n • N unitary operator U; i.e. a complex matrix with UU = U U HS = i=1 Hqi : the Hilbert space of S. being the identity operator, where † is conjugate transpose. • dim(S): the dimension of HS. In quantum computing, operators are often called quantum • D(S): the set of all (mixed) quantum states (i.e. density 1 1 matrices) of S. In particular, for any ρ ∈ D(S), gates. For example, the Hadamard gate H = √1 2 1 −1 its domain is defined as dom(ρ) , S; we write maps |0i, |1i to their superpositions |±i = √1 (|0i ± |1i). D S D(S) for the set of all states. 2 , S⊆V Unlike a classical system which can be observed directly • P(S): the set of projections on HS. In particular, for without changing its state, we need to perform a quan- any P ∈ P(S), its domain is defined as free (P ) , tum measurement to extract information from a quantum S. Since there is a one-to-one correspondence between state which inevitably leads to state collapse. Formally, a projections and closed subspaces, we sometimes called projective quantum measurement consists of a set of pro- closed subspaces of HS projections. We write P , 2 S jections, i.e., self-adjoint and idempotent linear operators, S⊆V P(S) for the set of all projections. M ,M ,...,M . When such a measurement is applied to 0 1 n • ρ|S , trdom(ρ)\S(ρ): the restriction of state ρ on S, a quantum state ρ, we obtain one of the classical outcome defined as a reduced density operator over S ∩dom(ρ). i ∈ {0, 1, . . . , n} with probability pi = tr(Miρ), and the post-measurement state of the system is then MiρMi . pi 2.2. Quantum Programs: Syntax and Semantics We use variables p, q, r, ... to denote quantum systems. Operations in quantum computing are often performed on a For simplicity of presentation, we consider a purely composite system consisting of multiple qubits. To indicate quantum extension of while-language, namely the quantum which system a state describes or an operation acts on, we while-language [16]—that is, we do not allow classical use subscripts; for example, Hp is the state space of system variables. p, |0ip is the pure state |0i of the system p and |1iqh1| is the density matrix of the system q. The composite system Definition 2.1 (Syntax [16]). The quantum while-programs is described by the tensor product of its subsystems; for are defined by the grammar: example, a composite system pq has the state space Hp⊗Hq, C ::= skip | C1; C2 | q := |0i | q := U[q] and |0ip⊗|1iq (or, |0ip|1iq for short) is a pure state in which | if (m · M[q] = m → Cm) fi 2. That is, P : H → H is a projection over H iff P = P † = P 2. | while M[q] = 1 do C od

3 The program constructs defined above are explained as Proposition 2.1 (Proposition 3.3.5 in [29]). For any pro- follows. First, q := |0i initializes the quantum variable gram C and any set V ⊇ var(C) of variables, the semantic q in a basis state |0i, and q := U[q] applies a unitary function of domain V is a cylindric extension of the se- transformation U to a sequence q of quantum variables. The mantic function of domain var(C): C V = C var(C) ⊗ case statement if ··· fi performs the projective measurement IV\var(C), where IV\var(C) is the identityJ K quantumJ K opera- M = {Mm} on q, and then chooses a subprogram Cm to tion in HV\var(C). execute according to measurement outcome m. In the loop while ··· od, the projective measurement M = {M0,M1} 2.3. Brief review of BI-Logic in the guard has only two possible outcomes 0, 1: if the outcome is 0 the loop terminates, and if the outcome is Next, we briefly review the logic of Bunched Impli- 1 it executes the loop body C and enters the loop again. cations (BI) [1], [2]. BI is a sub-structural logic with the For simplicity of presentation, we will use the following following syntax: abbreviation: for i = 1, ··· ,N do Ci od , C1; ··· ; CN . For each program C, we write var(C) for the set of φ, ψ ::= p ∈ AP | > | ⊥ | φ∧ψ | φ∨ψ | φ → ψ | φ∗ψ| φ −∗ ψ all quantum variables in C. If V ⊇ var(C) is a set of where p ranges over a set AP of atomic propositions. quantum variables, and ρ ∈ D(V), then hC, ρi is called Besides standard propositional logic, BI contains a substruc- a configuration (of domain V). tural fragment – the separating conjunction ∗ and separating Definition 2.2 (Operational Semantics [16]). The oper- implication −∗ (“magic wand”). A distinction between ∗ and ational semantics of quantum programs is defined as a ∧ is that ∗ is not idempotent, i.e., P ∗P 6= P . For example, in transition relation → by the following transition rules: the standard heap model of separation logic, the separating conjunction P ∗ Q is true of a heap if it can be split into (Sk) hskip, ρi → hE, ρi (In) hq := |0i, ρi → hE, ρqi 0 two heaplets, one of which makes P true and the other of (UT) hq := U[q], ρi → hE, UρU †i which makes Q true. The implication −∗ is adjoint to ∗. For 0 0 hC1, ρi → hC1, ρ i example, P −∗ Q holds in some heap if adding a separate (SC) 0 0 heap satisfying P leads to a combined heap satisfying Q. hC1; C2, ρi → hC1; C2, ρ i † The most general semantics of BI is given in terms of (IF) hif (m · M[q] = m → Cm) fi, ρi → hCm,MmρMmi a kind of Kripke structures, called BI frames. Standard BI † (L0) hwhile M[q] = 1 do C od, ρi → hE,M0ρM0 i frame is based on a pre-ordered commutative monoid: (L1) hwhile M[q] = 1 do C od, ρi Definition 2.4 (BI frame [1]). A BI frame is a tuple X = † (X, ◦, , e), where X is a set equipped with a preorder , → hC; while M[q] = 1 do C od,M1ρM1 i and ◦ : X × X → X is a partial binary operation with an q P E is the empty program. In (In), ρ0 = n |0iqhn|ρ|niqh0|. unit element e and satisfying the following conditions: In (SC), we use the convention E; C2 = C2. In (IF), m 1) (Unit Existence) for all x, x = x ◦ e = e ◦ x; ranges over every possible outcome of measurement M = 2) (Commutativity) x ◦ y = y ◦ x; {Mm}. 3) (Associativity) x ◦ (y ◦ z) = (x ◦ y) ◦ z; Transitions in rules (IF), (L0) and (L1) are essentially 4) (Compatible with ) x x0 and y y0 and both x◦x0 probabilistic; but we adopt a convention from [28] to and y ◦ y0 are defined, then x ◦ x0 y ◦ y0. present them as non-probabilistic transitions. For example, Above, equalities state that either both sides are defined and for each m, the transition in (IF) happens with probability equal, or both sides are undefined. † pm = tr(MmMmρ) and the program state ρ is changed to ρ = M ρM † /p . We can combine probability p Intuitively, if we choose the collections of resources as m m m m m possible worlds, then ◦ can be interpreted as a commutative and density operator ρm into a partial density operator † combination of resources. The identity e is an empty re- MmρMm = pmρm. This convention significantly simplifies the presentation. source or lack of resource, and combine any resource x and empty resource e yields x itself. Based on the combination, Definition 2.3 (Denotational Semantics [16]). Let V be a a preorder is defined: if x is a combination of resources y set of variables. Then for any quantum program C with and z, it should be “larger” than y since it contains y. var(C) ⊆ V, its semantic function of domain V is the The semantics of formulas depends on the semantics mapping C V : D(V) → D(V) defined by C V(ρ) = of atomic propositions. A valuation is a mapping V : P{|ρ0 : hJC,K ρi →∗ hE, ρ0i|} for every ρ ∈ DJ(VK), where AP → ℘(X), and it is monotonic if x ∈ V(p) and y x →∗ is the reflexive and transitive closure of →, and {|· |} implies y ∈ V(p). A BI frame X together with a monotonic denotes a multi-set. valuation V gives a BI model M. Note that auxiliary variables in V \ var(C) are allowed Definition 2.5 (Satisfaction in BI models [1]). Given a BI in the above definition of semantic function C V. The formula φ and a BI model M = (X, ◦, , e, V). For each following proposition shows that the denotationalJ semanticsK x ∈ X, the relation x |= φ is defined by induction on φ: of a program C is independent of these auxiliary variables. x |=M p iff x ∈ V(p)

4 x |=M > : always x |=M ⊥ : never 3.2. Atomic Propositions about Quantum States x |=M φ1 ∧ φ2 iff x |=M φ1 and x |=M φ2 To complete our description of the quantum BI logic, x |= φ ∨ φ x |= φ or x |= φ M 1 2 iff M 1 M 2 we introduce three atomic propositions and interpret them in 0 0 0 x |=M φ1 → φ2 iff ∀x x, x |=M φ1 implies x |=M φ2 quantum states. In general, we have a great deal of freedom x |=M φ1 ∗ φ2 iff ∃y, z s.t. y ◦ z is defined and x y ◦ z, in selecting these atomic propositions; the only requirement is that their interpretation must be monotone with respect to y |=M φ1 and z |=M φ2 the pre-order . Our atomic propositions are fairly general, x |=M φ1 −∗ φ2 iff ∀y s.t. x ◦ y is defined, but motivated by applications of our separation logic. y |= φ implies x ◦ y |= φ . M 1 M 2 Propositions denoting free variables. We first introduce a set of atomic propositions D[S] for each variable set S ∈ V Following [2] (see also [11]), a sound and complete with domain defined by free (D[S]) , S, and interpret it as Hilbert-style proof system of BI is presented in Supplemen- the state with domain at least S: tary Material B.1. D[S] , {ρ ∈ D : S ⊆ dom(ρ)} . (1) J K 3. Quantum Interpretation of BI Logic Propositions for qualitative analysis. For qualitative analysis of quantum programs, we often use projection operators Now, we are ready to present our quantum model of as atomic propositions. For a projection P ∈ P as an atomic BI, using the resource semantics of BI. After defining the proposition, its semantics P is defined as the following set J K model, we introduce some atomic propositions. To lay the of quantum states: groundwork for the separation logic, we explore a technical n o P , ρ ∈ D : free (P ) ⊆ dom(ρ) & supp ρ|free(P ) ⊆ P . property called restriction—which will be important for the J K frame rule—and we define a modification operation, an (2) analog of substitution that we will use for reasoning about where the support of a state ρ ∈ D is the (topological) initialization and unitary transformations. closure of the subspace spanned by its eigenvectors with nonzero eigenvalues, or equivalently, supp(ρ) = {|φi ∈ ⊥ 3 3.1. BI Frame of Quantum States Hdom(ρ) : hφ|ρ|φi = 0} . Let us carefully explain the definition of P . In the case that ρ has the same domain of P , it is naturalJ toK define ρ ∈ P if its support supp(ρ) lies The basic idea of our model is to consider quantum states in P , or equivalently, ρ is invariantJ K under projection operator over specific registers as resources. Then, the separating con- P . In the case where dom(ρ) and free (P ) are not the junction is introduced to model independent combinations same, in order to make P upward-closed (i.e., monotonic): of spatially separate quantum resources (quantum states over ρ ∈ P and ρ ρ0 implyJ K ρ0 ∈ P , it is appropriate to disjoint registers). Formally, we define: requireJ K that ρ ∈ P iff (i) dom(ρ)J⊇Kfree (P ); and (ii) the J K Definition 3.1. The partial binary functions ◦ : D×D → D restricted state of ρ on free (P ) is in P . J K on quantum states is defined by: Atomic propositions expressing uniformity in quantum security. As is well-known, probabilistic uniformity is a ( basic property in verification of security protocols. To de- ρ1 ⊗ ρ2 : if dom(ρ1) ∩ dom(ρ2) = ∅ ρ1 ◦ ρ2 scribe uniformity in quantum protocols, we introduce an , undefined : otherwise. atomic proposition U[S] for each S ⊆ V denoting finite- dimensional quantum systems. Its domain is free (U[S]) , Essentially, ◦ takes the tensor product of two quantum S. The semantics of U[S] is defined as the following set of states with disjoint domains. Note that in our setting, the quantum states: tensor product ⊗ is commutative since every quantum state ρ ∈ D is tagged with its domain. For example, |1iph1| ⊗ IS U[S] , ρ ∈ D : S ⊆ dom(ρ) & ρ|S = , |0iqh0| = |0iqh0| ⊗ |1iph1| denote the same state in pq. For J K dim(S) the partial order over quantum states, we take the following: (3) where IS is the identity density on the quantum system over Definition 3.2. Let be the partial order over D: ρ registers S. The intuition behind defining equation (3) is 0 0 0 ρ iff dom(ρ) ⊆ dom(ρ ) and ρ = ρ |dom(ρ). quite simple: for a state ρ in U[S] such that S ⊆ dom(ρ), S J K Intuitively, ρ ρ0 means that ρ describes a subsys- its restriction on should be the completely mixed state, IS , which means “uniformly distributed” over all or- tem of ρ0; more precisely, if we discard the subsystem dim(S) dom(ρ0)\dom(ρ) of ρ0, then the remaining subsystem is in thonormal bases of the system denoted by S. state ρ. Combining all of the ingredients defined, we have: Axiom schema for atomic formulas. With the interpretation of atomic propositions, we have: Proposition 3.1. (D, ◦, , 1) forms a BI frame, where scalar number 1 is understood as the state over the empty register. 3. ⊥ stands for ortho-complement.

5 Proposition 3.2. 3.4. Quantum Modification of BI Formulas 1) For all S ⊆ V and identity operator IS over HS, we have: |= D[S] ↔ IS. In classical program logic, substitution is used in the 2) For all P,Q ∈ P with disjoint domains, we have: |= inference rule about assignment statements. In the quan- P ∧ Q ↔ (P ⊗ Q); tum setting, due to no-cloning of quantum data, the role 3) If S1 ⊆ S2, then |= U[S2] → U[S1]. of assignment is played by two basic constructs: unitary 4) If S1,S2 are disjoint, then: transformation and initialization. We conclude this section by defining a technique of modifying BI formulas, which |= (U[S1] ∗ U[S2]) ↔ U[S1 ∪ S2]. we will need reasoning about these operations. Note that ⊗ is not a connective in BI: instead, it stands for Definition 3.4 (Modification of atomic propositions). Let C the mathematical tensor product. Thus, P ⊗Q is a projection be a unitary transformation q := U[q] or an initialisation and can be considered as atomic formula. q := |0i. For any p ∈ AP, we write p[C] for the C- modification of p. For the three classes of atomic propo- 3.3. Restriction Property sitions defined in Sec. 3.2, p[C] is defined as follows: 1) For an atomic proposition D[S] defined in Eq. (1), After choosing (the interpretation of) atomic proposi- D[S][C] , D[S]; tions in the quantum frame (D, ◦, , 1), the semantics of 2) For an atomic proposition P ∈ P as a projection all BI formulas can be defined using Definitions 2.5. As is defined in Eq. (2), well-known, the frame rule plays an essential role in sepa-  ration logic, and in turn it heavily relies on the restriction  PU[q] if q ⊆ free (P ); property that satisfaction only depends on the free variables P [q := U[q]] , P q ∩ free (P ) = ∅; appearing in a BI formula φ. The restriction property was  undefined otherwise; also identified and generalized in prior work on probabilistic D[q] ∧ dP e if q ∈ free (P ); P [q := |0i] q separation logic [9]. However, the restriction property: , P otherwise; ρ |= φ ⇒ ρ| |= φ free(φ) where projections PU[q] and dP eq are given as follows: where free (φ) stands for the free variables occurring in P = (U q† ⊗ I )P (U q ⊗ I ), φ, does not hold for our quantum setting, even for the U[q] free(P )\q free(P )\q F ordinary implication φ = φ1 → φ2 (see Definition 2.5 and dP eq = { closed subspaces T : |0iqh0| ⊗ T ⊆ for its semantics). Essentially, the validity of the restriction P } ∈ P(free (P )\q). Here, t is the disjunction of property in the probabilistic setting can be attributed to projections in quantum logic, that is, for projections a fundamental fact in probability theory—the existence of P,Q with the same domain, P t Q = span(P ∪ Q) extensions.4 Unfortunately, this does not always hold for with “ · ” standing for (topological) closure. quantum systems. Indeed, it is violated by the well-known 3) For any atomic proposition U[S] ∈ U for uniformity phenomenon of “Monogamy” – one of the most fundamental defined in Eq.(3), 5 properties of entanglement. a) If q ⊆ S or q∩S = ∅, then U[S][q := U[q]] , U[S]; Since we wish to have a frame rule in QSL, we need to otherwise, U[S][q := U[q]] is undefined; recover the restriction property to a certain extent. While not b) If q∈ / S, then U[S][q := |0i] , U[S]; all formulas satisfy this property, we can identify a subset otherwise, U[S][q := |0i] is undefined. of them that do satisfy it. The modification of some atomic propositions/BI formu- Definition 3.3. The formulas generated by following gram- las may not exist; we write φ[C]↓ whenever φ[C] is defined. mar are denoted by Res. The notion of modification can be easily extended to all BI φ, ψ ::= p ∈ AP | > | ⊥ | φ ∧ ψ | φ ∨ ψ | φ ∗ ψ formulae: Proposition 3.3. Any formula φ ∈ Res is restrictive; that Definition 3.5 (Modification of BI formulas). Let C be uni- is, for any ρ |= φ, ρ| |= φ. tary transformation q := U[q] or initialisation q := |0i. The free(φ) modification φ[C] of BI formula φ is defined by induction The above simple treatment of restriction property is on the structure of φ: sufficient for the purpose of this paper. A more intrinsic 1) if φ ≡ > or ⊥, then φ[C] , φ; way for recovering this property in the quantum setting will 2) if φ ≡ p ∈ AP, then φ[C] is defined according to be discussed in Section 7. Definition 3.4; 3) if φ ≡ φ1 4 φ2 where 4 ∈ {∧, ∨} and φ1[C]↓ and 4. For two joint-distributions µAB and µBC over sets A, B and B,C respectively, if they are consistent on B (with the same marginal on B) φ2[C]↓, then φ[C] , φ1[C] 4 φ2[C]; then there exists joint-distribution µABC over A, B, C which takes µAB 4) if φ ≡ φ1 ∗ φ2, φi[C]↓ and q ⊆ free (φi) or and µ as marginals. BC q ∩ free (φi) = ∅ for i = 1, 2, then 5. If two qubits A and B is maximally correlated, then they cannot be correlated at all with a third qubit C; more precisely, if A and B are in a a) if C ≡ q := U[q], then φ[C] , φ1[C] ∗ φ2[C]; maximally entangled state, then A and C cannot be in any entangled state. b) if C ≡ q := |0i, then

6 • if q∈ / free (φ )∪free (φ ), φ[C] φ [C]∗φ [C]; 1 2 , 1 2 φ[q := |0i]↓ • if only one of q ∈ free (φ1), q ∈ free (φ2) SKIP INIT {φ}skip{φ} {φ[q := |0i]} q := |0i{φ} is satisfied, then φ[C] , (φ1[C] ∧ φ2[C]) ∧ (D[free (φ1)\q] ∗ D[free (φ2)\q]); φ[q := U[q]]↓ UNIT The reason for the complexity of this case will be {φ[q := U[q]]}q := U [q] {φ} seen in the program logic; roughly speaking, initial- {φ}C1{ψ}{ψ}C2{µ} ization on q is special because it can introduce inde- SEQ pendence: it makes q independent from all variables. {φ}C1; C2{µ} 5) otherwise, φ[C] is undefined. {φ ∗ Mm} Cm{ψ} for all m ψ ∈ CM RIF A close connection between the semantics of a BI for- {φ ∗ D(q)}if ··· fi{ψ} mula φ and its modification φ[C] is shown in the following: {φ ∗ M1}C{φ ∗ D(q)} φ ∈ CM RLOOP Proposition 3.4. Let C be unitary transformation q := U[q] {φ ∗ D(q)}while{φ ∧ M0} or initialisation q := |0i, and φ be any BI formula. If its modification φ[C] is defined, then: Figure 2: Inference Rules for Program Constructs. In INIT and UNIT, ↓ means the existence of modification. In RIF and 1) φ and φ[C] have the same domain: free (φ) = RLOOP, if ··· fi and while are abbreviations of if ( m · free (φ[C]); M[q] = m → C ) fi and while M[q] = 1 do C od 2) for all ρ ∈ D(free (φ) ∪ var(C)), if ρ |= φ[C], then m respectively, and M ,M ,M in assertions are regarded as C (ρ) |= φ. 0 1 m J K projective predicates acting on q. In PERM, Perm(q 7→ q0)[q] stands for the unitary transformation which permutes 4. Separation Logic for Quantum Programs the variables from q to q0 (see Section 2.1 for details).

Now we are ready to present our separation logic for quantum programs, using quantum BI formulas as the as- 4.2. Inference Rules for Program Constructs sertion language. The first set of our inference rules are designed for 4.1. Judgments and Validity reasoning about basic quantum program constructs and dis- played in Fig. 2. Some of them deserve careful explanations: Let us first define judgments (correctness formulas) in quantum separation logic. A judgment is a Hoare triple of • Rules INIT and UNIT: With the definition of modification the form {φ}C{ψ} with both precondition φ and postcon- of BI formulas and Proposition 3.4 in mind, the rules INIT dition ψ being restrictive BI formulas (cf. Definition 3.3). and UNIT are similar to the (backwards) inference rule {φ[e/x]}x := e{φ} for assignment in classical program Definition 4.1 (Validity). Let V be a set of quantum logics. variables with free (φ), free (ψ), var(C) ⊆ V. Then a correctness formula {φ}C{ψ} is true in the sense of partial • Rules RIF and RLOOP: These two rules use the sep- correctness with respect to V, written V |= {φ}C{ψ}, if arating conjunction to perform reasoning about different we have: execution paths. Note that condition φ ∈ CM is imposed in the premises of the rules RIF and RLOOP. ∀ρ ∈ D(V), ρ |= φ ⇒ C V(ρ) |= ψ. The set CM of assertions is formally defined as follows: J K Here, satisfaction relation ρ |= φ and C V(ρ) |= ψ are Definition 4.2. A formula φ is closed under mixtures (CM), defined according to the quantum interpretationJ K of BI logic written φ ∈ CM, if for any ρ, ρ0, whenever dom(ρ) = given in Section 3. dom(ρ0), ρ |= φ and ρ0 |= φ, we have: ∀ λ ∈ [0, 1], λρ + 0 The following theorem indicates that satisfaction does (1 − λ)ρ |= φ. not depends on auxiliary variables. Example 4.1. For two projections P0 = |0ih0| and P1 = Theorem 4.1. For any two sets V and V0 containing all |1ih1|, P0 ∧ P1 is CM, but P0 ∨ P1 is not CM (both free variables of φ, ψ and C, states |0ih0| and |1ih1| satisfies P0 ∨ P1, but their affine I |0ih0|+|1ih1| combination = does not satisfy P0 nor P1 0 2 2 V |= {φ}C{ψ} if and only if V |= {φ}C{ψ}. and thus does not satisfy P0 ∨ P1). As a consequence, we can drop V from V |= {φ}C{ψ} To see why the condition φ ∈ CM necessary, we and simply write |= {φ}C{ψ}. note that a quantum program can be executed in different In the remainder of this section, we gradually develop paths with non-zero probabilities, and its semantic function the proof system for our quantum separation logic. For better maps the input to a weighted summation of the outputs readability, this proof system is organised as several sets of from different execution paths. The condition φ ∈ CM is inference rules. introduced so that satisfaction relation is preserved under

7 • Rules WEAK: This rule is also similar to its counterpart φ →G φ0 {φ0}C{ψ0} ψ0 →G ψ WEAK in classical program logics, but there is a subtle difference {φ}C{ψ} between them. Since only global states (i.e. the states whose {φ1}C{ψ1}{φ2}C{ψ2} domain contains all free variables appearing in the assertions CONJ {φ1 ∧ φ2}C{ψ1 ∧ ψ2} and programs) are considered in defining the validity of the Hoare triple, we use →G in the premise of the WEAK rule {φ1}C{ψ1}{φ2}C{ψ2} DISJ for comparing assertions. It is easy to see that the rule is {φ1 ∨ φ2}C{ψ1 ∨ ψ2} also sound when using →, but the WEAK rule with →G is {φ}C{ψ} free (µ) ∩ var(C) = ∅ stronger. CONST {φ ∧ µ}C{ψ ∧ µ} • Rules CONST: This rule states that if any variable appear- {φ}C{ψ} free (µ) ∩ var(C) = ∅ ing in program C is not free in µ, then µ is preserved and free (ψ) ∪ var(C) ⊆ free (φ) or ψ ∈ SP thus can be conjoined to the pre- and post-conditions. The FRAME principle behind is that µ is restrictive, i.e., the satisfaction {φ ∗ µ}C{ψ ∗ µ} of µ depends only on the reduced state over subsystem free (µ), which trivially remains unchanged after executing →G Figure 3: Structural Rules. Since is strictly weaker than C. An interesting application of this rule is proving product → EAK ,W is stronger than ordinary weak rule. predicates from local reasoning using Proposition 3.2. • Rules FRAME: The condition free (µ)∩var(C) = ∅ in the affine combination. The following proposition identifies a premise ensures that µ can be conjoined with the pre- and class of formulas closed under mixture. post-conditions. The condition free (ψ) ∪ var(C) ⊆ free (φ) guarantees that, if the input satisfies φ∗µ, which asserts that The formulas generated by following Proposition 4.1. subsystems free (φ) and free (µ) are uncorrelated, then after grammar are CM: executing C, these two subsystems are still independent φ, ψ ::= p ∈ AP | > | ⊥ | φ ∧ ψ | U[S] ∗ φ since var(C) ⊆ free (φ), and furthermore, by the downward closed property of independence, subsystems free (ψ) and We need to pay special attention on the application of free (µ) are uncorrelated as free (ψ) ⊆ free (φ). It is par- separating conjunctions ∗ in RIF and RLOOP. Since the ticularly interesting to note that the latter condition can be quantum measurement in the guards of if-statements and altered by ψ ∈ SP defined in the following: while loops may change the quantum state, we hereby Definition 4.4 (Supported Assertion, c.f. [19]). A formula consider a special kind of inputs that satisfying φ ∗ Iq. ψ is called supported, written ψ ∈ SP, if ψ is nonempty Thus the subsystem being measured is uncorrelated to the then it has a least element, or equivalently,J K there exists a part of the state described by φ, which ensures that the S ⊆ V such that 1. at most one ρ ∈ D(S) satisfies ψ and post-measurement state still satisfies φ. In RLOOP, although 2. if σ |= ψ, σ ρ. φ∗M0 is satisfied for each path, it does not belong to CM in Trivially, any uniformity proposition U[S] and any general. Thus, only a weaker postcondition φ ∧ M0 ∈ CM can be achieved. atomic proposition defined by a projection of rank 1 are in SP; more examples of SP are given in the Supplementary Material C.4. The frame rule with SP condition is non- 4.3. Structural rules trivial and it will be very useful in our later case studies on verification of quantum information-theoretic security; The second set of rules consists of the structural rules, indeed, this application uncovered the condition ψ ∈ SP. presented in Fig. 3. The rules CONJ and DISJ are similar Note that under this condition, the frame rule is sound even to their counterparts in classical program logics. To explain without any restriction on free (ψ), free (φ) and var(C). This the other rules, let us fist define the global implication: seems counter-intuitive; but in fact, the premise {φ}C{ψ} Definition 4.3 (Global implication). For any BI formulas is much stronger than it looks at first sight, given that the φ, ψ, the global implication φ →G ψ is defined as the abbre- postcondition ψ ∈ SP. If the input satisfies precondition viation of D[free (φ) ∪ free (ψ)] → (φ → ψ). φ, then an execution of C is almost equivalent to first erasing any information on subsystem free (ψ) (of course, Trivially, →G is strictly weaker than →. The difference it is now uncorrelated with the rest part of the whole is that, φ →G ψ is already enough to ensure that for any state system), and then regenerating the singleton that satisfies ρ with dom(ρ) ⊇ free (φ) ∪ free (ψ), ρ |= φ implies ρ |= ψ. the postcondition ψ. For example, we have following proposition: Proposition 4.2. For all φ ∈ Res and S ⊆ V, it holds that 4.4. Reasoning about Entangled Predicates |= φ ↔G φ ∧ D[S]. Many quantum algorithms are designed following the Now we are ready to carefully examine the remaining same pattern: start from a large entangled state, and then rules in Fig. 3. operate on various subsystems. Inevitably, entanglements

8 often appear in the preconditions and/or postconditions of {φ}C{ψ} q ∩ var(C) = ∅ φ[E[q]]↓ ψ[E[q]]↓ Hoare triples appropriate for specifying the correctness of UNCR these algorithms. But the frame rule itself is not strong {φ[E[q]]}C{ψ[E[q]]} enough to verify them. To see this more clearly, let us consider the following simple example: Figure 4: Proof rule for dealing with entangled predicates. ↓ means the existence of modification. Example 4.2. Let |Φ±i = √1 (|00i±|11i) be two Bell states 2 ± ± ± (entanglement).√ Define√ projections Φ = |Φ ihΦ |. The program C ≡ Z[q1]; Z[q2] transforms one Bell states We divide VQA into several pieces and reason locally, but to the other; that is, both {Φ+}C{Φ−} and {Φ−}C{Φ+} the global predicate we desired is an entangled predicate that are true. However, they cannot be proved√ by using F√RAME cannot be constructed using FRAME.UNCR is the bridge or CONST to lift local correctness of Z[q1] and Z[q2] for structural reasoning from local to global predicates. In to global predicates Φ±, since Φ± cannot be written in the addition, a formal verification of Example 4.2 using UNCR ± ± form of Φ 6≡ φq1 ∗ ψq2 or Φ 6≡ φq1 ∧ ψq2 . can be found in Supplementary Material C.9. Fortunately, our frame rule can be combined with a technique for reasoning about entangled predicates proposed 4.5. Soundness in [21] to handle this problem. Originally, this technique was introduced for parallel quantum programs. Here, we need to To conclude this section, we show that quantum sepa- reformulate it in a way convenient for our purpose. A combi- ration logic QSL consisting of all the proof rules listed in nation of this technique with the frame rule can significantly Figure 2–4 are sound. The detailed proof can be found in broaden the range of applications of our quantum separation the Supplementary Material C.6. logic. To this end, we need to generalise Definition 3.4 from Theorem 4.2 (Soundness of QSL). A program C is al- modification by a unitary transformation, and initialisation 6 most surely terminating if for all inputs ρ, tr( C (ρ)) = to modification by a general quantum operation. tr(ρ). If C is a most surely terminating program,J K then Definition 4.5 (E-Modification). Let E be quantum opera- ` {φ}C{ψ} implies |= {φ}C{ψ}. tion on q. The E-Modification φ[E[q]] acting on register q of a BI formula φ is defined inductively: 5. Local Reasoning: Analysis of Variational 1) (Atomic Proposition) For any P ∈ P, we have:7 Quantum Algorithms a) if q ⊆ free (P ),

∗ ⊥ ⊥ From now on we present a couple of examples to P [E[q]] , Eq ⊗ Ifree(P )\q (P ) ; demonstrate applicability of our quantum separation logic. Variational quantum algorithms (VQA) are a class of hybrid b) if q ∩ free (P ) = ∅, P [E[q]] , P ; c) otherwise, P [E[q]] is undefined; quantum/classical algorithms solving a fundamental problem in quantum chemistry – determine the ground state of 2) (Composite) Write φ[E[q]]↓ if φ[E[q]] is defined. a quantum system [14], [15]. It has been identified as one a) if φ ≡ > or ⊥, then φ[E[q]] , φ; of the first practical applications of near-term Noisy Inter- b) if φ ≡ p ∈ AP, then φ[E[q]] is defined according to mediate Scale Quantum (NISQ) computers [30], and thus Clause (1); were chosen as an example in the tutorials of several quan- c) if φ ≡ φ1 4 φ2 where 4 ∈ {∧, ∨} and tum programming platforms including Google’s Cirq [22]. both φ1[E[q]]↓ and φ2[E[q]]↓, then φ[E[q]] , Surprisingly, using the inference rules presented in the last φ1[E[q]] 4 φ2[E[q]] section, we are able to show that the implementation of d) otherwise, φ[E[q]] is undefined. VQA in the tutorial of Cirq is actually incorrect; that is, the Intuitively, if φ[E[q]]↓, then for any state ρ, E(ρ) |= φ if approximation of ground energy computed by the quantum and only if ρ |= φ[E[q]]. circuit given there is sometimes far from the real one. Now we can introduce a new inference rule UNCR (stands for “uncorrelated”) in Fig. 4. This rule plays an 5.1. Variational Quantum Algorithm (VQA) essential role in the verification of VQA (see Section 5). A typical VQA uses a hybrid computing system consist- 6. Quantum operation is used to describe the evolution of a (open) quantum system and can be characterized by an superoperator E, namely a ing of a QPU (quantum processing unit) and CPU to find a completely-positive and trace-non-increasing linear map from D to D. For good approximation of the ground energy and ground state every superoperator E, there exists a set of Kraus operators {Ei}i (linear of a given Hamiltonian of the form: operators that satisfy completeness condition P E†E = I) such that i i i X X E(ρ) = P E ρE† ρ i i ij i j i i i for any input . H = hασα + hαβσασβ + ··· 7. Here ⊥ stands for the ortho-complement, for not only the projections i,α i,j,α,β ⊥ but Hermitian operators, in the sense that A = span{|ψi ∈ Hfree(A) : ∗ ∗ P † A|ψi = 0}. E is dual of E; in detail, E (A) = i Ei AEi if E has the where h’s are real numbers, and superscripts i, j, ··· identify P † operator-sum representation E(ρ) = i EiρEi . the subsystem and subscripts α, β, · · · ∈ {x, y, z} indicate

9 the appropriate Pauli operators. The algorithm can be de- with corresponding eigenspaces (projections) Q0,Q1.... If scribed in four steps: for each i ≤ n, we can find a precondition Pi ∈ P such Pi 1) Define a set of ansatz states |f(θ)i, which are char- that |= {Pi}VQA(N){1 − k=0 Qi} (i = 0, 1, ..., n), then acterized by parameters θ = (θ1, θ2, ··· , θn) and can by showing that |0i (the initial state of quantum circuit) is be efficiently prepared by a quantum circuit C(θ). The close to Pi; that is, h0|Pi|0i ≥ δi, we can conclude that goal of the algorithm is to find the optimal parameters the approximate ground energy computed by VQA(N) is θmin which minimize the energy hf(θ)|H|f(θ)i. Then at least: n hf(θmin)|H|f(θmin)i and |f(θmin)i can be set as an X E0 + (Ei+1 − Ei)δi. (4) approximation of the ground energy and ground state, i=1 respectively. 2) Use the QPU to execute the quantum computation Therefore, whenever the quantity in (4) is far away from the represented as quantum circuit C(θ) in order to gen- real ground energy E0, then VQA(N) is incorrect. erate state |f(θ)i and compute the expectations of To illustrate our idea more explicitly, let us consider the i i j simplest case of 2 × 2 grid (N = 2) with parameters: σα, σασβ , ··· in all the terms of H; 3) Use the CPU to sum up the expectations of all the −1 −1 −1 −1 1 terms of H with the weights h’s and thus evaluate h = 1 1 , Jc = −1 , Jr = hf(θ)|H|f(θ)i; 4) Feed hf(θ)|H|f(θ)i to an classical minimization al- and Jij;(i+1)j = Jrij and Jij;i(j+1) = Jcij; see Fig. 1 for gorithm. If the optimization is not completed, prepare its circuit model. The eigenvalues of the Hamiltonian H in the parameters θ for the next round and go to step (2); this case are E0, ··· ,E5 = −6, −4, −2, 0, 2, 4 with corre- otherwise, terminate and return θ as output. sponding eigenspaces Q0,Q1, ··· ,Q5, respectively. Using QSL, we are able to prove: ( i ) 5.2. VQA in the Tutorial of Cirq X ` {Pi}VQA(N) 1 − Qi (i = 0, 1) The VQA presented in the tutorial of Google’s Cirq 8 k=0 deals with a 2D +/− Ising model of size N × N with where objective Hamiltonian (observable) 1 15 h0|P |0i = 1 − sin(απ)4 ≥ X X 0 16 16 H = hijZij + Jij;i0j0 ZijZi0j0 , 1 2 13 (i,j) (i,j;i0,j0)∈S h0|P |0i = 1 − (7 + cos(2απ)) sin (απ) ≥ , 1 32 16 where each index pair (i, j) is associated with a vertex in a by first reasoning about each subprogram ProcC(1), the N × N grid, S is the set of all neighboring vertices in ProcC(2), Proc(R)(1), ProcR(2) and then using CONST the grid, and all hij and Jij;i0j0 are either +1 or −1. The and UNCR to lift these local reasoning to global correctness algorithm for preparing the ansatz state with real parameters above (details can be found in Supplementary Material D.3). (α, β, γ) given in the tutorial of Cirq can be rewritten in Then it follows from (4) that the approximate ground energy the quantum-while language with N × N grid of qubits as of VQA is at least −2.5, which is much higher than the real follows: ground energy E0 = −6. VQA(N) ≡ for j = 1, ··· ,N do ProcC(j) od; Our quantum separation logic can also apply to higher dimensionional versions of this program. In general, since for i = 1, ··· ,N do ProcR(i) od. 1 the number of qubits in each subprogram of VQA is N of Here, subprogram ProcC(j) acts on the jth column of that of the entire system, there is no extra cost for local qubits and ProcR(i) acts on the ith row of qubits; each of reasoning no matter how large N is. Besides revealing the them is a sequential composition of unitary transformations incorrectness of ground energy, we can prove that parameters β, γ are helpless for finding the ground energy in (see the Supplementary Material D.1 for detailed subpro- 9 grams). the sense that the expectation of measurement outcome is independent of β, γ. 5.3. Specifying and Proving Incorrectness in Quan- 6. Scalable Reasoning: Verification of Security tum Separation Logic A major distinction between classical and quantum in- As pointed out at the beginning of this section, we can formation can be stated as the no-cloning theorem that it use our quantum separation logic to show that algorithm is impossible to create an identical copy of an arbitrary VQA(N) is indeed incorrect. Let us first describe its incor- unknown quantum state. Exploiting this fundamental prop- rectness in our logical language. Suppose the Hamiltonian erty among others, many quantum cryptographic protocols H has eigenvalues E0,E1, ... ranged in increasing order, 9. The QPU executes VQA(N) and then measures each qubit in com- 8. https://quantumai.google/cirq/tutorials/variational algorithm putational basis and feed the outcome to CPU.

10 with information-theoretical security have been proposed, 6.1.2. Multi-Qubit Case – Scaling Up. Now we show how including quantum key distribution, quantum one-time pad can the verification for single-qubit be easily scaled up to [23], [24] and quantum secret sharing [25], [26]. the multi-qubit case using the frame rule in our quantum In this section, we show how quantum separation logic separation logic. The protocol for protecting n-qubit data developed in this paper can be used to verify the security stored in register q = q1, ··· , qn can be written as: of quantum one-time pad and quantum secret sharing. In QOTP(n) ≡ for i = 1, ··· , n do QOTP[a , b , q ] od particular, such verification is scalable in the sense that i i i only a constant computational resource is required in the where a1, b1, ··· , an, bn are secret key of size 2n. Its secu- verification as the length of protocols and the involved qubits rity can be stated as the following uniformity: increase. Uniformity is essential in proving the information- ` {>}QOTP(n){U[q1, ··· , qn]}, (7) theoretical security of many quantum cryptographic proto- which shows that, no matter what is the plain text initialised cols. For convenience, let us first present a useful rule: on q, after encryption, the cipher text is always uniform and the eavesdropper cannot release any useful information. This {>}C{U[S1]} S2 ∩ (var(C) ∪ S1) = ∅ FRAMEU . judgment is proved as follows. First, it follows from (6) that {U[S2]}C{U[S1,S2]} (5) ` {>}QOTP[ai, bi, qi]{U[qi]} (i = 1, ..., n). This rule is derived by instantiating φ ≡ >, ψ ≡ U[S1] Using FRAMEU we obtain for all i = 1, ..., n: and µ ≡ U[S2] in the frame rule FRAME and using axiom scheme (see Proposition 3.2 (4)). ` {U[q1, ··· , qi−1]}QOTP[ai, bi, qi]{U[q1, ··· , qi]} 6.1. Security of Quantum One-Time Pad Then (7) is derived by repeatedly using rule SEQ.

Let us first verify the security of quantum one-time pad 6.1.3. Discussion. A comparison between the security ver- (QOTP) [23], [24], one of the basic quantum encryption ification of QOTP in quantum Hoare logic [27], [31] and schemes in quantum cryptography. Similar to the classical in quantum separation logic presented above is interesting. one-time pad, a one-time pre-shared secret key is employed Only the single-qubit case was considered in [31]. A crucial to encrypt and decrypt the quantum data. step in the verification for the multi-qubit case given in [27] is based on a complicated transformation of quantum 6.1.1. Single-Qubit Case. To warm up, we consider the predicates, which cannot be proved by the logic itself, but is simplest case for protecting one-qubit data. The QOTP derived from a mathematical result proved by quite involved scheme consists of three parts: key generation KeyGen, calculations in the previous literature [24]. In contrast, the encryption Enc and decryption Dec, which can be written verification in quantum separation logic avoids such com- as programs: plicated calculations by using the frame rule FRAMEU. KeyGen[a, b] ≡ a := |0i; b := |0i; a := H[a]; b := H[b]; 6.2. Security of Quantum Secret Sharing if M[a, b] = 00 → skip 01 → skip 10 → skip 11 → skip fi Now we turn to verify the security of another quantum Enc[a, b, q] ≡ if M[a, b] = 00 → skip 01 → q = Z[q] cryptographic protocol: quantum security sharing. Similar to 10 → q = X[q] 11 → q = Z[q]; q = X[q] fi classical secret sharing [32], [33], quantum secret sharing QOTP[a, b, q] ≡ KeyGen[a, b]; Enc[a, b, q] addresses the problem of how to distribute a secret amongst a group of participants so that the secret can be reconstructed Here, registers a and b are used as the secret key, and by a sufficient number of participants while any individual measurement has no information about it [25], [26]. For concreteness, let M = {M00 = |00iabh00|,M01 = |01iabh01|, us focus on a typical scheme. M = |10i h10|,M = |11i h11|} 10 ab 11 ab 6.2.1. Quantum (2, 3) Threshold Scheme. The (2, 3) is introduced to generate and detect the value of secret key, threshold scheme for sharing a single secret qutrit p (a 3- which returns a two-bit classical outcome with a certain dimensional quantum state) takes p as the input and outputs probability. Register q is the input quantum data which we three qutrits p0, q0, r0 so that each of them has no information want to protect. H is the Hadamard gate and X,Z are Pauli about the input secret while any two of them can recover the gates as usual. input. Formally, it can be written as the following program: Security of QOTP for the single-qubit case can be spec- Enc[p, q, r] ≡ q := |0i; r := |0i; p, q, r := U [p, q, r] ified as the following uniformity: enc where unitary transformation U maps |ii|0i|0i to |e i for ` {>}QOTP[a, b, q]{U[q]}. (6) enc i i = 0, 1, 2, where |eii are three orthonormal states: This fact has been formally verified using quantum Hoare 2 logic with ghost variables [31] and relational quantum Hoare 1 X |eii = √ |ki|k ⊕3 ii|k ⊕3 2ii logic in [27]. 3 k=0

11 where ⊕3 stands for the addition modulo 3. For secretly assumption guarantees that the restriction property is true sharing information of multiple qutrits p = p1, ··· , pn, this even when the extension of joint quantum states does not scheme can simply be generalised to: exist (see Sec. 3.3). In this way, BI is upgraded to BID (BI with domain), and all BID formulas can be safely used as QSS(n) ≡ for i = 1, ··· , n do Enc[pi, qi, ri] od. assertions in QSL. Details of this approach can be found in the Supplementary Material F. 6.2.2. Security as Uniformity. Quantum secret sharing is designed for against both dishonest agents and eavesdroppers [25], [26], [34]. Let us first consider the case without 7.2. Related work any eavesdropper during transmission. In this case, the security of QSS(n) can be specified as the following judgment: Quantum programming has become an active research field in recent years after two decades of development ` {>}QSS(n){U[q1, ··· , qn]}. (8) [35]. Various analysis, verification, testing and debugging methodologies and techniques for quantum programs have The above judgment can be easily proved in our quantum been developed [29], [36], [37], [38], [39], [40], [41], [42], separation logic. First, using rules UNIT,INIT and SEQ [43], [44], [45]. In particular, several quantum program directly we obtain: logics have been established, including quantum Hoare ` {>}Enc[p, q, r]{PS[p, q, r]}, (9) logic [16], [17], [31] for verifying correctness of one quantum program and relational quantum Hoare logic [27], [46], where projection PS = |e0ihe0| + |e1ihe1| + |e2ihe2|. It is [47] for verifying equivalence of two quantum programs. easy to check that |= PS[p, q, r] → (U[p] ∧ U[q] ∧ U[r]). The frame rule plays a key role in our QSL. We should Based on this we can conclude: mention that a frame rule was also introduced in relational ` {>}Enc[p, q, r]{U[α]} quantum Hoare logic [27], [46], [47]. But it was defined using the ordinary conjunction ∧ and thus is similar to our for α ∈ {p, q, r}. This proves the security for the case of a CONST. The frame rule in QSL is given using the separating single qutrit. To generalise it to the case of multiple qutrits, conjunction ∗. Of course, the intuitions behind them are we can use FRAMEU to derive: the same—an assertion is preserved by a program if it is independent of the program. ` {U[q1, ··· , qi−1]}Enc[pi, qi, ri]{U[q1, ··· , qi]} The target applications of our SQL is verification of large-scale quantum programs, where the size of the rep- from ` {>}Enc[pi, qi, ri]{U[qi]}. Then by setting for- resentation of assertions and the complexity of the involved mulas φi = U[q1, ··· , qi−1] and φ1 = >, we have calculations can increase exponentially w.r.t the number of ` {φi}Enc[pi, qi, ri]{φi+1} for all 1 ≤ i ≤ n, and (8) is obtained by repeatedly using rule SEQ. qubits. Two different approaches to this issue were proposed in [18] and [48], essentially based on the operational semantics. They have achieved obvious success, in 7. Discussion and Related Work particular for those large-scale quantum programs with a good algebraic structure that can be inductively defined. It In this section, we briefly discuss an issue about restric- seems that sometimes our QSL can be used in combination tion property left open in Subsection 3.3 as well as some with them; for example, some larger VQAs (Variational previous work on verification of quantum programs. Quantum Algorithms) can be divided into several blocks, each of which has a good algebraic structure and thus can 7.1. Restriction property and BI with domain be verified using the tools developed in [18], [48]. Then our QSL can be employed to lift these local reasoning to the Our quantum interpretation of standard BI logic is suffi- global correctness of VQAs. cient for the applications discussed in this paper. However, it has a drawback: the restriction property does not hold for all BI formulas, and thus the assertions in our QSL (Quantum 8. Conclusion Separation Logic) are confined in a special class of BI formulas (see Def. 3.3), which do not include implication In this paper, we have developed a quantum separation and separating implication. One possible solution to this logic QSL that enables local reasoning for scalable verifi- issue is to redefine the BI logic so that the restriction cation of quantum programs written in a simple quantum property becomes intrinsic – similar to the monotonicity. programming language, namely the quantum extension of We can introduce a notion of domain into BI: the domain while-language. The applicability of QSL has been demon- dom(x) of a state x is the set of variables specified by strated in the formal verification and analysis of several the state. Then a basic idea in classical separation logic practical quantum algorithms and cryptographic protocols, [5], [6], [7], [8], called the domain assumption for stack, including a VQA (Variational Quantum Algorithm), quan- can be adopted in defining satisfaction relation: x |= φ is tum one-time pad, and quantum secret sharing. defined only when dom(x) ⊇ free (φ), where free (φ) is There are several interesting topics for future research the set of free variables in a BI-formula φ. The domain along this line:

12 (1) We would like to explore more applications of our [9] G. Barthe, J. Hsu, and K. Liao, “A probabilistic separation logic,” logic QSL in the verification of those algorithms identified Proc. ACM Program. Lang., vol. 4, no. POPL, Dec. 2019. [Online]. as practical applications of near-term Noisy Intermediate Available: https://doi.org/10.1145/3371123 Scale Quantum (NISQ) computers [30]; for example, quan- [10] B. Coecke, T. Fritz, and R. W. Spekkens, “A mathematical theory of resources,” Inf. Comput., vol. 250, pp. 59–86, 2016. [Online]. tum machine learning from quantum data. We will also try Available: https://doi.org/10.1016/j.ic.2016.02.008 to apply QSL in the security analysis of more quantum [11] S. R. Docherty, “Bunched logics: a uniform approach,” Ph.D. cryptographic protocols rather than those considered in this dissertation, UCL (University College London), 2019. [Online]. paper, in particular QKD (Quantum Key Distribution). Available: https://discovery.ucl.ac.uk/id/eprint/10073115/ (2) Currently, QSL can only be used to quantum while- [12] J. Biamonte, P. Wittek, N. Pancotti, P. Rebentrost, N. Wiebe, programs without indexed variables, like arrays. However, and S. Lloyd, “Quantum machine learning,” Nature, vol. 549, indexed variables has already been frequently used in writ- no. 7671, pp. 195–202, Sep 2017. [Online]. Available: https: ing large quantum algorithms. We would like to extend our //doi.org/10.1038/nature23474 logic for a more sophisticated quantum program language [13] M. Broughton, G. Verdon, T. McCourt, A. J. Martinez, J. H. Yoo, with indexing. S. V. Isakov, P. Massey, M. Y. Niu, R. Halavati, E. Peters, M. Leib, A. Skolik, M. Streif, D. V. Dollen, J. R. McClean, S. Boixo, D. Bacon, (3) Resource theory has been emerging as a subarea A. K. Ho, H. Neven, and M. Mohseni, “Tensorflow quantum: A of quantum information theory in recent years. Roughly software framework for quantum machine learning,” 2020. speaking, it aims at understanding how the resources with [14] A. Peruzzo, J. McClean, P. Shadbolt, M.-H. Yung, X.-Q. Zhou, quantum advantage in computing and communication can P. J. Love, A. Aspuru-Guzik, and J. L. O’Brien, “A variational be generated and transformed (e.g. only using LOCC (local eigenvalue solver on a photonic quantum processor,” Nature Communications, vol. 5, no. 1, p. 4213, Jul 2014. [Online]. operations and classical communication)) [49], [50], [51]. Available: https://doi.org/10.1038/ncomms5213 As briefly mentioned in the Introduction, some connections [15] J. R. McClean, J. Romero, R. Babbush, and A. Aspuru-Guzik, between resource theory and the resource semantics of BI “The theory of variational hybrid quantum-classical algorithms,” were already noticed in [10], [11], [52]. We would like to New Journal of Physics, vol. 18, no. 2, p. 023023, feb 2016. see how quantum separation logic can be used to reason [Online]. Available: https://doi.org/10.1088%2F1367-2630%2F18% about these quantum resources. 2F2%2F023023 [16] M. Ying, “Floyd–hoare logic for quantum programs,” ACM Transac- tions on Programming Languages and Systems (TOPLAS), vol. 33, References no. 6, pp. 19:1–19:49, 2011. [17] L. Zhou, N. Yu, and M. Ying, “An applied quantum hoare [1] P. W. O’Hearn and D. J. Pym, “The logic of bunched implications,” logic,” in Proceedings of the 40th ACM SIGPLAN Conference The Bulletin of Symbolic Logic, vol. 5, no. 2, pp. 215–244, 1999. on Programming Language Design and Implementation, ser. PLDI [Online]. Available: http://www.jstor.org/stable/421090 2019. New York, NY, USA: Association for Computing Machinery, 2019, p. 1149–1162. [Online]. Available: https://doi.org/10.1145/ [2] D. J. Pym, The semantics and proof theory of the logic of bunched im- 3314221.3314584 plications, ser. Applied Logic Series. Kluwer Academic Publishers, 2002, vol. 26. [18] K. Hietala, R. Rand, S.-H. Hung, L. Li, and M. Hicks, “Proving quantum programs correct,” 2020. [3] D. J. Pym, P. W. O’Hearn, and H. Yang, “Possible worlds [19] J. C. Reynolds, “An introduction to separation logic (preliminary and resources: the semantics of bi,” Theoretical Computer draft),” Course notes, October, 2008. Science, vol. 315, no. 1, pp. 257 – 305, 2004, mathematical Foundations of Programming Semantics. [Online]. Available: http: [20] M. A. Nielsen and I. Chuang, Quantum computation and quantum //www.sciencedirect.com/science/article/pii/S0304397503006248 information. Cambridge University Press, 2002. [4] J. C. Reynolds, “Separation logic: a logic for shared mutable data [21] M. Ying, L. Zhou, and Y. Li, “Reasoning about parallel quantum structures,” in Proceedings 17th Annual IEEE Symposium on Logic programs,” 2018. in Computer Science, 2002, pp. 55–74. [22] The Cirq Developers, “quantumlib/cirq: A python framework for [5] P. O’Hearn, J. Reynolds, and H. Yang, “Local reasoning about creating, editing, and invoking noisy intermediate scale quantum programs that alter data structures,” in Computer Science Logic, (nisq) circuits,” 2018, https://github.com/quantumlib/Cirq. L. Fribourg, Ed. Berlin, Heidelberg: Springer Berlin Heidelberg, [23] P. O. Boykin and V. Roychowdhury, “Optimal encryption of 2001, pp. 1–19. quantum bits,” Phys. Rev. A, vol. 67, p. 042317, Apr 2003. [Online]. Available: https://link.aps.org/doi/10.1103/PhysRevA.67.042317 [6] S. S. Ishtiaq and P. W. O’Hearn, “Bi as an assertion language for mutable data structures,” in Proceedings of the 28th ACM SIGPLAN- [24] M. Mosca, A. Tapp, and R. de Wolf, “Private quantum channels SIGACT Symposium on Principles of Programming Languages, ser. and the cost of randomizing quantum information,” arXiv preprint POPL ’01. New York, NY, USA: ACM, 2001, pp. 14–26. [Online]. quant-ph/0003101, 2000. [Online]. Available: https://arxiv.org/abs/ Available: http://doi.acm.org/10.1145/360204.375719 quant-ph/0003101 [7] P. W. O’Hearn, “Resources, concurrency, and local reasoning,” [25] R. Cleve, D. Gottesman, and H.-K. Lo, “How to share a quantum Theoretical Computer Science, vol. 375, no. 1, pp. 271 – secret,” Phys. Rev. Lett., vol. 83, pp. 648–651, Jul 1999. [Online]. 307, 2007, festschrift for John C. Reynolds’s 70th birthday. Available: https://link.aps.org/doi/10.1103/PhysRevLett.83.648 [Online]. Available: http://www.sciencedirect.com/science/article/pii/ [26] M. Hillery, V. Buzek,ˇ and A. Berthiaume, “Quantum secret sharing,” S030439750600925X Phys. Rev. A, vol. 59, pp. 1829–1834, Mar 1999. [Online]. Available: [8] S. Brookes, “A semantics for concurrent separation logic,” Theoretical https://link.aps.org/doi/10.1103/PhysRevA.59.1829 Computer Science, vol. 375, no. 1, pp. 227 – 270, 2007, festschrift [27] G. Barthe, J. Hsu, M. Ying, N. Yu, and L. Zhou, “Relational proofs for for John C. Reynolds’s 70th birthday. [Online]. Available: http: quantum programs,” Proc. ACM Program. Lang., vol. 4, no. POPL, //www.sciencedirect.com/science/article/pii/S0304397506009248 Dec. 2019. [Online]. Available: https://doi.org/10.1145/3371089

13 [28] P. Selinger, “Towards a quantum programming language,” Mathemat- [47] Y. Li and D. Unruh, “Quantum relational hoare logic with expecta- ical Structures in Computer Science, vol. 14, no. 4, pp. 527–586, tions,” 2019. 2004. [48] A. Bordg, H. Lachnitt, and Y. He, “Certified quantum computation in [29] M. Ying, Foundations of Quantum Programming. Morgan Kauf- isabelle/hol,” Journal of Automated Reasoning, Dec 2020. [Online]. mann, 2016. Available: https://doi.org/10.1007/s10817-020-09584-7 [30] J. Preskill, “Quantum Computing in the NISQ era and beyond,” [49] M. HORODECKI and J. OPPENHEIM, “(quantumness in the Quantum, vol. 2, p. 79, Aug. 2018. [Online]. Available: https: context of) resource theories,” International Journal of Modern //doi.org/10.22331/q-2018-08-06-79 Physics B, vol. 27, no. 01n03, p. 1345019, 2013. [Online]. Available: [31] D. Unruh, “Quantum hoare logic with ghost variables,” in 2019 34th https://doi.org/10.1142/S0217979213450197 Annual ACM/IEEE Symposium on Logic in Computer Science (LICS), [50] M. B. Plenio and S. S. Virmani, An Introduction to Entanglement 2019, pp. 1–13. Theory. Cham: Springer International Publishing, 2014, pp. 173–209. [32] G. R. Blakley, “Safeguarding cryptographic keys,” in Managing [Online]. Available: https://doi.org/10.1007/978-3-319-04063-9 8 Requirements Knowledge, International Workshop on. Los Alamitos, [51] V. Veitch, S. A. H. Mousavian, D. Gottesman, and J. Emerson, “The CA, USA: IEEE Computer Society, jun 1979, p. 313. [Online]. Avail- resource theory of stabilizer quantum computation,” New Journal of able: https://doi.ieeecomputersociety.org/10.1109/AFIPS.1979.98 Physics, vol. 16, no. 1, p. 013009, jan 2014. [Online]. Available: [33] A. Shamir, “How to share a secret,” Commun. ACM, vol. 22, https://doi.org/10.1088/1367-2630/16/1/013009 no. 11, p. 612–613, Nov. 1979. [Online]. Available: https: [52] T. FRITZ, “Resource convertibility and ordered commutative //doi.org/10.1145/359168.359176 monoids,” Mathematical Structures in Computer Science, vol. 27, [34] A. Karlsson, M. Koashi, and N. Imoto, “Quantum entanglement no. 6, p. 850–938, 2017. for secret sharing and secret splitting,” Phys. Rev. A, vol. 59, pp. [53] M. Y. Siraichi, V. F. d. Santos, S. Collange, and F. M. Q. 162–168, Jan 1999. [Online]. Available: https://link.aps.org/doi/10. Pereira, “Qubit allocation,” in Proceedings of the 2018 International 1103/PhysRevA.59.162 Symposium on Code Generation and Optimization, ser. CGO 2018. [35] B. Heim, M. Soeken, S. Marshall, C. Granade, M. Roet- New York, NY, USA: Association for Computing Machinery, 2018, teler, A. Geller, M. Troyer, and K. Svore, “Quantum p. 113–125. [Online]. Available: https://doi.org/10.1145/3168822 programming languages,” Nature Reviews Physics, vol. 2, [54] G. Birkhoff and J. Von Neumann, “The logic of quantum mechanics,” no. 12, pp. 709–722, Dec 2020. [Online]. Available: Annals of Mathematics, vol. 37, no. 4, pp. 823–843, 1936. https://doi.org/10.1038/s42254-020-00245-7 [55] G. Kalmbach, Orthomodular lattices. Academic Press, 1983, vol. 18. [36] D. Akatov, “The logic of quantum program verification,” Master’s thesis, Oxford University Computing Laboratory, 2005. [Online]. [56] N. Yu, C.-Y. Lai, and L. Zhou, “Protocols for packet quantum network Available: http://www.academia.edu/download/7563948/thesis-1.1.ps intercommunication,” 2019. [37] E. D’hondt and P. Panangaden, “Quantum weakest preconditions,” [57] Q. Cao, S. Cuellar, and A. W. Appel, “Bringing order to the separation Mathematical Structures in Computer Science, vol. 16, no. 3, pp. logic jungle,” in Programming Languages and Systems, B.-Y. E. 429–451, 2006. Chang, Ed. Cham: Springer International Publishing, 2017, pp. 190– [38] A. Baltag and S. Smets, “The logic of quantum programs,” 211. in Proceedings of the 2nd International Workshop on Quantum Programming Languages (QPL 2004), P. Selinger, Ed., 2004, pp. 39–56. [Online]. Available: https://www.mathstat.dal.ca/∼selinger/ qpl2004/PDFS/04Baltag-Smets.pdf [39] ——, “Lqp: the dynamic logic of quantum information,” Mathemat- ical Structures in Computer Science, vol. 16, no. 3, pp. 491–525, 2006. [40] O. Brunet and P. Jorrand, “Dynamic quantum logic for quantum programs,” International Journal of Quantum Information, vol. 02, no. 01, pp. 45–54, 2004. [Online]. Available: https://doi.org/10.1142/ S0219749904000067 [41] R. Chadha, P. Mateus, and A. Sernadas, “Reasoning about imperative quantum programs,” Electronic Notes in Theoretical Computer Science, vol. 158, pp. 19–39, 2006. [42] Y. Kakutani, “A logic for formal verification of quantum programs,” in Proceedings of the 13th Asian conference on Advances in Computer Science: information Security and Privacy (ASIAN 2009), A. Datta, Ed., Springer. Berlin, Heidelberg: Springer Berlin Heidelberg, 2009, pp. 79–93. [43] R. Rand, “Verification logics for quantum programs,” 2016. [Online]. Available: http://www.cs.umd.edu/∼rrand/wpe.pdf [44] Y. Feng, R. Duan, Z. Ji, and M. Ying, “Proof rules for the correctness of quantum programs,” Theoretical Computer Science, vol. 386, no. 1-2, pp. 151–166, 2007. [45] M. Ying, R. Duan, Y. Feng, and Z. Ji, “Predicate transformer semantics of quantum programs,” Semantic Techniques in Quantum Computation, no. 8, pp. 311–360, 2010. [46] D. Unruh, “Quantum relational hoare logic,” Proc. ACM Program. Lang., vol. 3, no. POPL, Jan. 2019. [Online]. Available: https: //doi.org/10.1145/3290346

14 Supplementary material and deferred proofs

Appendix A. Preliminary

In the main text we give a brief introduction of quantum information (see Section 2.1). A extended introduction is given here for the convenience of reader. Quantum Information is built on the linear algebra. We ﬁrst give the mathematical preliminary needed for understanding quantum information/computation.

A.1. Mathematical Preliminary

We write C for the set of complex numbers. For each complex number λ ∈ C, λ∗ stands for the conjugate of λ.A (complex) vector space is a nonempty set H together with two operations: vector addition + : H × H → H and scalar multiplication · : C × H → H, satisfying the following conditions: 1) (H, +) is an Abelian group, its zero element 0 is called the zero vector; 2) 1|ϕi = |ϕi; 3) λ(µ|ϕi) = λµ|ϕi; 4) (λ + µ)|ϕi = λ|ϕi + µ|ϕi; and 5) λ(|ϕi + |ψi) = λ|ϕi + λ|ψi for any λ, µ ∈ C and |ϕi, |ψi ∈ H. An inner product over a vector space H is a mapping h·|·i : H × H → C satisfying the following properties: 1) hϕ|ϕi ≥ 0 with equality if and only if |ϕi = 0; 2) hϕ|ψi = hψ|ϕi∗; and 3) hϕ|(λ1|ψ1i + λ2|ψ2i) = λ1hϕ|ψ1i + λ2hϕ|ψ2i for any |ϕi, |ψi, |ψ1i, |ψ2i ∈ H and for any λ1, λ2 ∈ C. Sometimes, we also write (|ϕi, |ψi) for the inner product hϕ|ψi of |ϕi and |ψi. For any vector |ψi in H, its length ||ψ|| is deﬁned to be phψ|ψi. A vector |ψi is called a unit vector if ||ψ|| = 1.A family {|ψii}i∈I of unit vectors is called an orthonormal basis of H if 1) |ψii ⊥ |ψji for any i, j ∈ I with i 6= j; and P 2) |ψi = i∈I hψi|ψi|ψii for each |ψi ∈ H. In this case, the cardinality of I is called the dimension of H. We use dim(H) to denote the dimension of H. A Hilbert space is deﬁned to be a complete inner product space; that is, an inner product space in which each Cauchy sequence of vectors has a limit. According to a basic postulate of quantum mechanics, the state space of an isolated quantum system is represented by a Hilbert space, and a pure state of the system is described by a unit vector in its state space. Example A.1. 1) The state space of qubits is the 2−dimensional Hilbert space:

H2 = {α|0i + β|1i : α, β ∈ C}.

The inner product in H2 is deﬁned by (α|0i + β|1i, α0|0i + β0|1i) = α∗α0 + β∗β0

0 0 for all α, α , β, β ∈ C. Then {|0i, |1i} is an orthonormal basis of H2, called the computational basis. 2) The space l2 of square summable sequences is ∞ ∞ n X X 2 o H∞ = αn|ni : αn ∈ C for all n ∈ Z and |αn| < ∞ , n=−∞ n=−∞

where Z is the set of integers. The inner product in H∞ is deﬁned by ∞ ∞ ∞ X X 0 X ∗ 0 αn|ni, αn|ni = αnαn n=−∞ n=−∞ n=−∞ 0 for all αn, αn ∈ C, −∞ < n < ∞. Then {|ni : n ∈ Z} is an orthonormal basis of H∞, called the computational basis. A (linear) operator on a Hilbert space H is a mapping A : H → H satisfying the following conditions:

15 1) A(|ϕi + |ψi) = A|ϕi + A|ψi; 2) A(λ|ψi) = λA|ψi for all |ϕi, |ψ ∈ H and λ ∈ C. If {|ψii} is an orthonormal basis of H, then an operator A is uniquely determined by the images {A|ψii} of basis vectors {|ψii} under A. In particular, A can be represented by matrix

A = (hψi|A|ψji)ij when H is finite-dimensional. An operator A on H is said to be bounded if there is a constant c ≥ 0 such that kA|ψik ≤ c·kψk for all |ψi ∈ H. In the paper, only bounded operators are considered and for simplicity, we omit “bounded”. The identity operator on H is denoted IH, and the zero operator on H that maps every vector in H to the zero vector is denoted 0H. For any operator A on H, there exists a unique linear operator A† on H such that (|ϕi,A|ψi) = (A†|ψi, |ϕi) for all |ϕi, |ψi ∈ H. The operator A† is called the adjoint of A. Given the matrix form of A, A† is the conjugate transpose of A. Following are frequently used sets of operators: 1) Hermitian operator: An operator M on H is said to be Hermitian if M † = M. 2) Positive semi-definite operator: An Hermitian operator A on H is said to be positive semi-definite if hψ|A|ψi ≥ 0 for all states |ψi ∈ H. 3) Projection: An Hermitian operator P on H is a projection if P 2 = P . There is a one-to-one correspondence between the closed subspaces and projections: given projection P , its corresponding closed subspace is {|φi ∈ H : P |φi = |φi}; P and given closed subspace V ⊆ H, its corresponding projection is i |φiihφi| where {|φii} is an orthonormal basis of V . 4) Unitary operator: An operator U on H is unitary if UU † = U †U = I where I is the identity operator on H. 5) Density operator: An positive semi-definite operator with trace one. Following are frequently used concepts of operators: 1) Trace: The trace of an operator A on H is given by X tr(A) = hψi|A|ψii i

where {|ψii} is an orthonormal basis of H. In particular, trace is independent of the choice of the orthonormal basis. Given the matric form of A, tr(A) is exactly the summation of diagonal entries of A. 2) Support: The support of a Hermitian operator M on H is the (topological) closure of subspace spanned by its eigenvectors with nonzero eigenvalues. One can show that: supp(M) = {|φi ∈ H : hφ|ρ|φi = 0}⊥, where ⊥ stands for ortho-complement. 3) Lowner¨ Order: Given two Hermitian operator A, B on H, we use the Lowner¨ order to compare them which is defined as follows: A v B if and only if B − A is positive semi-definite; that is, for any |φi ∈ H, hφ|A|φi ≤ hφ|B|φi. Whenever both A, B are projections, their Lowner¨ order is consistent with the inclusion relation between the subspaces corresponding to A, B. 4) eigenspaces of eigenvalue 1: For a Hermitian operator A on H, we define proj(A) as the eigenspaces of eigenvalue 1: proj(A) = {|φi ∈ H : A|φi = |φi}.

A.2. Basics of Quantum Information, Extended Version

The state space of a quantum system is a Hilbert space H, which is essentially a vector space in the ﬁnite-dimensional case. A pure state of the system is a unit column vector |ψi ∈ H. For example, the state space of a quantum bit (aka qubit) is a two-dimensional Hilbert space H2 with basis states 1 0 |0i = and |1i = , 0 1 and any pure state of a qubit can be described in the form α α|0i + β|1i = β

16 satisfying normalization condition |α|2 + |β|2 = 1. The orthonormal basis is not unique, for example, the states |+i = √1 (|0i + |1i) and |−i = √1 (|0i − |1i) is another orthonormal basis of H . 2 2 2 When the state is not completely known but could be in one of some pure states |ψii with respective probabilities pi, we call {(pi, |ψii)} an ensemble of pure states or a mixed state, and the system is fully described by the density operator P ρ = i pi|ψiihψi|, which mathematically, the positive semi-definite operator with unit trace. For example, the completely mixed state of a qubit can be seen as ensemble {(0.5, |0i), (0.5, |1i)} (i.e. the state is either |0i or |1i with the same probability 0.5) or density matrix 1 0.5 0 (|0ih0| + |1ih1|) = ; 2 0 0.5 2 1 if a state is in |0i with probability 3 and in |+i with probability 3 , then it can be described by density operator 2 1 1 5 1 ρ = |0ih0| + |+ih+| = . (10) 3 3 6 1 1 The evolution of a quantum system is modelled by a unitary operator U; i.e. a complex matrix with UU † = U †U being the identity operator, where † is conjugate transpose. In quantum computing, operators are often called quantum gates. For 1 1 example, the Hadamard gate H = √1 maps |0i, |1i to their superpositions |+i and |−i respectively: 2 1 −1 1 1 1 1 1 1 H|0i = √ · = √ = |+i, 2 1 −1 0 2 1 1 1 1 0 1 1 H|1i = √ · = √ = |−i. 2 1 −1 1 2 −1 Unlike a classical system which can be observed directly without changing its state, we need to perform a quantum measurement to extract information from a quantum state which inevitably leads to state collapse. Formally, a projective quantum measurement consists of a set of projections, M0,M1,...,Mn that satisfies the completeness condition: n n X † X Mi Mi = Mi = I i=0 i=0 where I is the identity operator. When such a measurement is applied to a quantum state ρ, we obtain one of the classical MiρMi outcome i ∈ {0, 1, . . . , n} with probability pi = tr(Miρ), and the post-measurement state of the system is then . For pi instance, consider the measurement defined by M = {M0 = |+ih+|,M1 = |−ih−|}, and if we perform M on a qubit in (mixed) state ρ given in equation (10), then the probability that we get outcome “1” is 1 1 −1 1 5 1 1 4 0 1 p = tr(M ρ) = tr · = · tr = 1 1 2 −1 1 6 1 1 12 −4 0 3 and after that, the qubit’s state will change to |−ih−|: 1 1 −1 1 5 1 1 1 −1 1 1 1 −1 M ρM /p = · · ÷ = = |−ih−|. 1 1 1 2 −1 1 6 1 1 2 −1 1 3 2 −1 1 2 Similarly, the probability of outcome “0” is p0 = 3 , and then the state changes to |+ih+|. We use variables p, q, r, ... to denote quantum systems. Operations in quantum computing are often performed on a composite system consisting of multiple qubits. To indicate which system a state describes or an operation acts on, we use subscripts; for example, Hp is the state space of system p, |0ip is the pure state |0i of the system p and |1iqh1| is the density matrix of the system q. The composite system is described by the tensor product of its subsystems; for example, a composite system pq with p, q being single qubit systems has the state space Hp ⊗ Hq, and  0  1 0 1 |0i ⊗ |1i = ⊗ =   p q 0 1  0  p q 0 pq

(or, |0ip|1iq for short) is a pure state in which subsystem p is in state |0i and subsystem q is in state |1i. Due to the superposition principle, there exist states like  1  1 1 0 |Φipq = √ (|0ip|0iq + |1ip|1iq) = √   (11) 2 2  0  1 pq

17 that cannot be written in the simple tensor form |φip|ψiq, which are called entangled states. These states play a crucial role in applications of quantum computation and quantum communication. The state of a composite system fully determines the state of each subsystem. Formally, given composite system pq in state ρ, subsystem q is then in state trp(ρ), where the partial trace trp(·) over p is a mapping from operators on Hp ⊗ Hq to operators on Hq deﬁned by:

trp(|φpiphψp| ⊗ |φqiqhψq|) = hψp|φpi · · · |φqiqhψq| for all |φpi, |ψpi ∈ Hp and |φqi, |ψqi ∈ Hq together with linearity. The state trq(ρ) of subsystem q can be defined symmetrically. We often use the notations ρ|p , trp(ρ) and ρ|q , trq(ρ) in order to explicitly indicate that ρ|p and ρ|q are states of p, q, respectively. For example, if the composite system pq is in state |Φipq defined in Eqn. 11 or equivalently represented by density operator Φpq  1 1  1 1 0 Φ = |Φi hΦ| = (|0i h0|⊗|0i h0|+|0i h1|⊗|0i h1|+|1i h0|⊗|1i h0|+|1i h1|⊗|1i h1|) =   (12) pq pq 2 p q p q p q p q 2  0  1 1 pq 1 1 then the partial traces Φpq|q = trp(|ΦipqhΦ|) = 2 (|0iqh0| + |1iqh1|) and Φpq|p = trq(|ΦipqhΦ|) = 2 (|0iph0| + |1iph1|) describe states of q and p, respectively. Summary of Notations. Let V be the set of all quantum variables. A quantum register is a list of distinct variables q = q1, . . . , qn. Each quantum variable q has a type Hq, which is the state Hilbert space of quantum system denoted by q. For a set of quantum variables S = {q1, . . . , qn} ⊆ V (or a quantum register q = q1, . . . , qn), we fix following notations: n • N HS = i=1 Hqi : the Hilbert space of S. • dim(S): the dimension of HS. • D(S): the set of all mixed quantum states (i.e. density matrices) of S. In particular, for any ρ ∈ D(S), its domain is S defined as dom(ρ) , S; we write D , S⊆V D(S) for the set of all states. • P(S): the set of projections on HS. In particular, for any P ∈ P(S), its domain is defined as free (P ) , S. Since there is a one-to-one correspondence between projections and closed subspaces, we sometimes called closed subspaces S of HS projections. We write P , S⊆V P(S) for the set of all projections. • ρ|S , trdom(ρ)\S(ρ): the restriction of state ρ on S, defined as a reduced density operator over S ∩ dom(ρ). Permutations of variables are frequently used in quantum computing, e.g., in qubit allocation [53]. We use Perm(q 7→ q0) 0 to denote the operator that permutes a list q := q1, q2, ··· , qn of quantum variables to q = qi1 , qi2 , ··· , qin . For example, if q1 and q2 are two different variables with same type and {|ii} is an arbitrary orthonormal basis of Hq1 (and Hq2 ), then P 0 the swap gate SWAP[q1, q2] , i,j |iiq1 hj| ⊗ |jiq2 hi| is the simplest permutation from q = q1, q2 to q = q2, q1, that is, for any m, n: X SWAP[q1, q2](|miq1 |niq2 ) = |iiq1 hj| ⊗ |jiq2 hi|(|miq1 |niq2 ) = |niq1 |miq2 . i,j Indeed, any permutation can be decomposed into a sequence of swap gates. Meet and Join of Projections: There is a one-to-one correspondence between the closed subspaces of a Hilbert space and projections in it, and moreover, the inclusion between closed subspaces is coincident with the Lowner¨ order between their projections. So, we do not distinguish a closed subspace from the projection onto it. Furthermore, let ⊥ stands for the orthocomplement, and for any P,Q ∈ P(S), we define the meet u and join t: P u Q = P ∩ Q, P t Q = span(P ∪ Q) where T stands for the closure of T and span(T ) for the subspace spanned by T . It is well-known that (P(S), u, t,⊥ ) is an orthomodular lattice (or quantum logic) [54], [55], with inclusion ⊆ as its order.

Appendix B. BI and its quantum interpretation, Deferred Proofs for Section 3

B.1. Hilbert-style rules for BI.

Hilbert-style rules for BI is shown in Fig. 5.

18 µ ` φ µ ` ψ 1. 2. 3. 4. φ ` φ φ ` > ⊥ ` φ µ ` φ ∧ ψ φ ` ψ ∧ ψ φ ` ψ µ ` ψ φ ` ψ φ ` ψ 5. 1 2 6. 7. 8. i φ ` ψi µ ∧ φ ` ψ µ ∨ φ ` ψ φ ` ψ1 ∨ ψ2 µ ` φ → ψ µ ` φ µ ∧ φ ` ψ ξ ` φ µ ` ψ µ ∗ φ ` ψ 9. 10. 11. 12. µ ` ψ µ ` φ → ψ ξ ∗ µ ` φ ∗ ψ µ ` φ −∗ ψ ξ ` φ −∗ ψ µ ` φ 13. 14. 15. 16. ξ ∗ µ ` ψ φ ∗ ψ ` ψ ∗ φ (φ ∗ ψ) ∗ ξ ` φ ∗ (ψ ∗ ξ) φ ∗ > a` φ

Figure 5: Hilbert-style rules for BI [2], [11]. i = 1 or 2 for rules 5 and 8.

B.2. Proposition B.1

Proposition B.1 (Properties of Partial Trace). 1) ∀ S1,S2 ⊆ V and ρ ∈ D :(ρ| ) = (ρ| ) = ρ| ; S2 S1 S1 S2 S1∩S2 2) ∀ S ⊆ V, ρ1, ρ2 ∈ D with dom(ρ1) ∩ dom(ρ2) = ∅: (ρ1 ⊗ ρ2)|S = ρ1|S ⊗ ρ2|S. Proof. Trivial.

B.3. Proof of Proposition 3.1

Proposition B.2. (D, ◦, , 1) forms a BI frame, where scalar number 1 is understood as a state over the empty register. Proof. It is straightforward to check all the properties defined in Definition 2.4. • (Unit Existence): for all ρ ∈ D, note that scalar 1 is of domain ∅, so ρ ◦ 1 = ρ ⊗ 1 = ρ, and 1 ◦ ρ = 1 ⊗ ρ = ρ. • (Commutativity): for all ρ, σ ∈ D, if their domains are overlap, i.e., dom(ρ) ∩ dom(σ) 6= ∅, then neither ρ ◦ σ nor σ ◦ ρ is defined; if their domains are disjoint, i.e., dom(ρ) ∩ dom(σ) = ∅, then ρ ◦ σ = σ ◦ ρ since both of them denote the tensor product state over system dom(ρ) ∪ dom(σ) with reduced state ρ over subsystem dom(ρ) and σ over subsystem dom(σ). • (Associativity): for all ρ, σ, δ ∈ D, if their domains are pairwise disjoint, then ρ ◦ (σ ◦ δ) = (σ ◦ ρ) ◦ δ since standard tensor product are associative; otherwise, neither ρ ◦ (σ ◦ δ) nor (σ ◦ ρ) ◦ δ is defined. 0 0 • (Compatible with ): it follows from the property of partial trace. Formally, for any ρ1 ρ1 and ρ2 ρ2 and both 0 0 ρ ◦ ρ2 and ρ1 ◦ ρ2 are defined, then we know: 0 0 0 0 – dom(ρ1) ⊆ dom(ρ1), dom(ρ2) ⊆ dom(ρ2), dom(ρ1) ∩ dom(ρ2) = ∅; 0 0 0 0 let us use notations: S1 , dom(ρ1), S1 , dom(ρ1)\S1, S2 , dom(ρ2), S2 , dom(ρ2)\S2; 0 0 0 0 – ρ1 = tr 0 (ρ1) = trS0 (ρ1) and ρ2 = tr 0 (ρ2) = trS0 (ρ2); dom(ρ1)\dom(ρ1) 1 dom(ρ2)\dom(ρ2) 2 0 0 Rewrite ρ1 and ρ2 in the explicit forms: 0 X 0 0 0 X 0 0 ρ = λ 0 0 |ii hi | ⊗ |ji 0 hj |, ρ = γ 0 0 |mi hm | ⊗ |ni 0 hn | 1 ii jj S1 S1 2 mm nn S2 S2 ii0jj0 mm0nn0 0 0 where {|ii}, {|ji}, {|mi}, {|ni} are orthonormal basis of system S1, S1, S2 and S2 respectively, and λii0jj0 , γmm0nn0 are complex numbers. By the definition of partial trace, we have:   0 X 0 0 X 0 0 X 0 ρ = tr 0 (ρ ) = tr 0 λ 0 0 |ii hi | ⊗ |ji 0 hj | = λ 0 0 |ii hi | · hj |ji = λ 0 |ii hi | 1 S1 1 S1  ii jj S1 S1  ii jj S1 ii jj S1 ii0jj0 ii0jj0 ii0j ! 0 X 0 0 X 0 ρ = tr 0 (ρ ) = tr 0 γ 0 0 |mi hm | ⊗ |ni 0 hn | = γ 0 |mi hm | 2 S2 2 S2 mm nn S2 S2 mm nn S2 mm0nn0 mm0n 0 0 and we can calculate tr 0 0 (ρ ◦ ρ ) directly: S1∪S2 1 2   0 0 X 0 0 X 0 0 tr 0 0 (ρ ◦ ρ ) = tr 0 0 λ 0 0 |ii hi | ⊗ |ji 0 hj | ⊗ γ 0 0 |mi hm | ⊗ |ni 0 hn | S1∪S2 1 2 S1∪S2  ii jj S1 S1 mm nn S2 S2  ii0jj0 mm0nn0 X X 0 0 0 0 0 0 0 0 = λii jj γmm nn |iiS1 hi | ⊗ |miS2 hm | · (hj |jihn |ni) ii0jj0 mm0nn0

19 X X 0 0 0 0 = λii jjγmm nn|iiS1 hi | ⊗ |miS2 hm | ii0j mm0n

= ρ1 ⊗ ρ2 = ρ1 ◦ ρ2 0 0 which leads to ρ1 ◦ ρ2 ρ1 ◦ ρ2.

B.4. Proposition B.3

Proposition B.3 (Monotonicity and restriction of atomic proposition). For any p ∈ AP (atomic propositions defined in Sec. 3.2) and ρ, σ ∈ D such that ρ σ and free(p) ⊆ dom(ρ), ρ |= p if and only if σ |= p. Proof. Trivial by the definition and interpretation of atomic propositions defined in Sec. 3.2.

B.5. Proof of Proposition 3.2

Proposition B.4 (Proposition 3.2, Extended Version). 1) For all S ⊆ V and identity operator IS over HS,

|= D[S] ↔ IS. 2) For all P,Q ∈ P with same domain, |= P → Q if and only if P v Q; 3) For all P,Q ∈ P with disjoint domains, then |= P ∧ Q ↔ (P ⊗ Q) ; 4) If S1 ⊆ S2, then |= U[S2] → U[S1]. 5) If S1,S2 are disjoint, then: |= (U[S1] ∗ U[S2]) ↔ U[S1 ∪ S2]. 6) For all P ∈ P, S1 ⊆ free (P ) and S2 ∩ free (P ) = ∅, if |= P → U[S1], then |= (P ∧ U[S2]) → U[S1 ∪ S2].

Proof. • By deﬁnition, D[S] , {ρ ∈ D : S ⊆ dom(ρ)}. On the other hand, free (IS) = S and for any ρ with dom(ρ) ⊇ J K S, supp(ρ|S) ⊆ IS, so IS = {ρ ∈ D : S ⊆ dom(ρ)}. Therefore, |= D[S] ↔ IS. • Suppose free (P ) = freeJ(QK) = S. Then we have: |= P → Q iff ∀ ρ ∈ D(S), ρ |= P implies ρ |= Q iff ∀ ρ ∈ D(S), supp(ρ) ⊆ P implies supp(ρ) ⊆ Q (regarded as subspaces) iff subspaces P and Q have inclusion relation P ⊆ Q iff P v Q (regarded as projections). • Suppose ρ |= P ⊗ Q, then dom(ρ) ⊇ free (P ) ∪ free (Q) and supp(ρ|free(P )∪free(Q)) ⊆ P ⊗ Q. Note that free (P ) ∩ free (Q) = ∅, so supp(ρ|free(P )) ⊆ P and supp(ρ|free(Q)) ⊆ Q; that is, ρ|free(P ) |= P and ρ|free(Q) |= Q, and thus ρ |= P ∧ Q. Suppose ρ |= P ∧Q, then ρ|free(P ) |= P and ρ|free(Q) |= Q. As free (P )∩free (Q) = ∅, supp(ρ|free(P )∪free(Q)) ⊆ P ⊗Q, or equivalently, ρ |= P ⊗ Q. IS2 • For any ρ |= U[S2], we must have: dom(ρ) ⊇ S2 ⊇ S1, and ρ| = . Take the partial trace over S1, we obtain S2 dim(S2) IS1 ρ| = and thus ρ |= U[S1]. S1 dim(S1) • For any ρ |= (U[S ] ∗ U[S ]), dom(ρ) ⊇ S ∪ S and by Proposition B.3, ρ| |= (U[S ] ∗ U[S ]). Therefore, 1 2 1 2 S1∪S2 1 2 ρ| |= U[S ] and ρ| |= U[S ] and ρ| = ρ| ⊗ ρ| , and thus S1 1 S2 2 S1∪S2 S1 S2 I I I ρ| = S1 ⊗ S2 = S1∪S2 S1∪S2 dim(S1) dim(S2) dim(S1 ∪ S2)

which leads to ρ |= U[S1 ∪ S2]. If ρ |= U[S1,S2], then I I I ρ| = S1∪S2 = S1 ⊗ S2 |= U[S ] ∗ U[S ] S1∪S2 1 2 dim(S1 ∪ S2) dim(S1) dim(S2)

and so ρ |= U[S1] ∗ U[S2].

• Suppose |= P → U[S1]. Assume {|eii} is an orthonormal basis of P , {|ki} an orthonormal basis of Hfree(P )\S1 . First, it is trivial to realize for any i, |eiihei| |= P , so it must satisfy U[S1], that is,

X IS |e ihe || = hk|e ihe |ki = 1 . i i S1 i i dim(S1) k 0 1 1 Next, for any i 6= i , choose two states √ (|e i + |e 0 i) and √ (|e i + i|e 0 i) which also satisfy P and so U[S ], then 2 i i 2 i i 1 1 X 1 X hk|e ihe 0 |ki + hk|e 0 ihe |ki = 0 2 i i 2 i i k k

B.6. Nonexistence of Extension

As is well-known, the frame rule plays an essential role in separation logic, and in turn it heavily relies on the restriction property that satisfaction only depends on the free variables appearing in a BI formula φ. The restriction property and frame rule were successfully generalised into probabilistic separation logic in [9]. Essentially, the validity of the restriction property in the probabilistic setting can be attributed to a fundamental fact in probabilistic theory – existence of extension: for any three random variables x, y, z, if joint distributions µxy and µyz coincide on y, then there exists a joint distribution µxyz with µxy and µyz as its marginals. Unfortunately, existence of extension is not true for quantum systems as shown in the following:

Example B.1 (Non-existence of Extension). Consider three qubits q1, q2, q3 and states ρ12 ∈ D(q1q2), ρ23 ∈ D(q2q3):  0.5   0.25 0.25  0 0.25 −0.25 ρ =  , ρ =  . 12  0  23  0.25 0.25  0.5 −0.25 0.25

It is easy to see that trq1 (ρ12) = trq3 (ρ23). But by SDP (Semi-deﬁnite Programming), we can prove that there is no

ρ123 ∈ D(q1q2q3) such that trq3 (ρ123) = ρ12 and trq1 (ρ123) = ρ23. This shows that existence of extension does not hold even for separable states ρ12 and/or ρ23.

B.7. Failure of the Restriction Property

As a consequence, the restriction property: ρ |= φ ⇒ ρ|free(φ) |= φ where free(φ) stands for the free variables occurring in φ, does not hold, even for the ordinary implication φ = φ1 → φ2 (see Deﬁnition 2.5 for its semantics).

Example B.2 (Failure of the Restriction Property). Consider three qubits q1, q2, q3 and maximally entanglement (Bell states) |Ψ±i = √1 (|0i |0i ± |1i |1i ) between q and q for 1 ≤ i 6= j ≤ 3. Their density matrices are Ψ± = |Ψ±ihΨ±|. Set ij 2 qi qj qi qj i j ij ij ij + + − ρ = Ψ12 ∈ D(q1, q2). Let φ1 = Ψ23 ∈ P(q2, q3), φ2 = Ψ23 ∈ P(q2, q3). Then: 0 0 + + • ρ |= φ1 → φ2 is valid because there does not exist ρ ρ such that ρ |= φ1; that is, no extension of Ψ12 and Ψ23 exists. Iq 00 + 00 • It is easy to see that ρ| = 2 ∈ D(q ). Choose ρ = Ψ ∈ D(q , q ). It holds that ρ ρ| . free(φ1→φ2) 2 2 23 2 3 free(φ1→φ2) Note that ρ00 |= φ , but ρ00 |= φ is not true. Therefore, ρ| 6|= φ → φ . 1 2 free(φ1→φ2) 1 2

Problem in Program logic without Restriction The following example shows that, without the domain assumption and restriction property, local reasoning is not sound in program logic.

21 Problem B.1. For classical assignment rule {φ[e/x]}x := e{φ}, if φ do not contain free variable x, then {φ}x := e{φ}. However, such simple rule doesn’t hold for quantum case. ± ± ± ± Here is a simple example. Consider a three qubits system q1, q2, q3, and let |Φ i = |00i ± |11i, Φ = |Φ ihΦ |. + + − + + Now, the state Φ12 indeed satisﬁes the formula Φ23 → Φ23 because for any ρ Φ12, ρ 6|= Φ23. However, if we do an + − + initialization on q1, which is disjoint of the domain of Φ23 → Φ23 (its domain is {q2, q3}). Now the state Φ12 is changed + − + + + + − to |0i1h0| ⊗ I2, which violate Φ23 → Φ23 (|0i1h0| ⊗ Φ23 |0i1h0| ⊗ I2, |0i1h0| ⊗ Φ23 |= Φ23 but |0i1h0| ⊗ Φ23 6|= Φ23)!

B.8. Proof of Proposition 3.3

B.9. Proposition B.6

Proposition B.6. For any φ ∈ Res and ρ, σ ∈ D such that ρ σ and free(φ) ⊆ dom(ρ), ρ |= φ if and only if σ |= φ. Proof. By monotonicity and Proposition 3.3.

B.10. Proof of Proposition 3.4

Proposition B.7. Let C be unitary transformation q := U[q] or initialisation q := |0i, and φ be any BI formula. If its modiﬁcation φ[C] is deﬁned, then: 1) φ and φ[C] have the same domain: free (φ) = free (φ[C]); 2) for all ρ ∈ D(free (φ) ∪ var(C)), if ρ |= φ[C], then C (ρ) |= φ. J K Proof. (1). Induction on the structure of φ. (2). We will introduce following lemmas which can be realized easily, and set variable set V = D(free (φ) ∪ var(C)). Lemma B.1. For any ρ ∈ D(V) and terminating program C, for any variable set S ⊆ V:

= |0iqh0| ⊗ ρ|free(P )\q.

ρ|free(P ) = q := |0i (ρ)|free(P ). J K Thus, ρ |= P [q := |0i] iff ρ|free(P ) |= P iff q := |0i (ρ)|free(P ) |= P iff q := |0i (ρ) |= P . 3) φ ≡ U[S]. The only case U[S][q := |0i] beingJ deﬁnedK is that q∈ / SJ and U[KS][q := |0i] = U[S]. For any ρ ∈ D(V), since S ∩ var(q := |0i) = ∅, so ρ|S = q := |0i (ρ)|S. Therefore, ρ |= U[S][q := |0i] iff ρ|S |= U[S] iff J K q := |0i (ρ)|S |= U[S] iff q := |0i (ρ) |= U[S]. 4) φJ ≡ > orK⊥. Trivial. J K 5) φ ≡ φ1 ∧(∨) φ2. For any ρ ∈ D(V), ﬁrst by induction hypothesis, ρ |= φi[q := |0i] ⇒ q := |0i (ρ) |= φi for i = 1, 2. Thus, J K

ρ |= φ[q := |0i] ≡ φ1[q := |0i] ∧(∨) φ2[q := |0i]

=⇒ ρ |= φ1[q := |0i] and(or) ρ |= φ2[q := |0i]

=⇒ q := |0i (ρ) |= φ1 and(or) q := |0i (ρ) |= φ2 J K J K =⇒ q := |0i (ρ) |= φ1 ∧(∨) φ2. J K 6) φ ≡ φ1 ∗ φ2. For any ρ ∈ D(V), ﬁrst by induction hypothesis, ρ |= φi[q := |0i] ⇒ q := |0i (ρ) |= φi for i = 1, 2. · Case 1: q∈ / free (φ ) ∪ free (φ ), and φ[q := |0i] ≡ φ [q := |0i] ∗ φ [q J:= |0i].K So, ρ| = 1 2 1 2 free(φ1)∪free(φ2) q := |0i (ρ)|free(φ )∪free(φ ), then using induction hypothesis and Proposition 3.3 we have: J K 1 2 ρ |= φ1[q := |0i] ∗ φ2[q := |0i]

=⇒ free (φ1[q := |0i]) ∩ free (φ2[q := |0i]) = ∅, ρ |= φ1[q := |0i], ρ |= φ2[q := |0i] and ρ ρ| ⊗ ρ| free(φ1) free(φ2) =⇒ free (φ1) ∩ free (φ2) = ∅, q := |0i (ρ) |= φ1, q := |0i (ρ) |= φ2 and J K J K q := |0i (ρ) q := |0i (ρ)|free(φ ) ⊗ q := |0i (ρ)|free(φ ) J K J K 1 J K 2 =⇒ q := |0i (ρ) |= φ1 ∗ φ2. J K · Case 2: q ∈ free (φ1) and q∈ / free (φ2), and φ[q := |0i] ≡ (φ1[q := |0i] ∧ φ2[q := |0i]) ∧ (D(free (φ1)\q) ∗ D(free (φ2)). Following by Lemma B.3, we have :

ρ |= (φ1[q := |0i] ∧ φ2[q := |0i]) ∧ (D(free (φ1)\q) ∗ D(free (φ2))

=⇒ (free (φ1)\q) ∩ free (φ2) = ∅, ρ |= φ1[q := |0i], ρ |= φ2[q := |0i] and ρ ρ| ⊗ ρ| free(φ1)\q free(φ2) =⇒ free (φ1) ∩ free (φ2) = ∅, q := |0i (ρ) |= φ1, q := |0i (ρ) |= φ2 and J K J K q := |0i (ρ) q := |0i (ρ)|free(φ ) ⊗ q := |0i (ρ)|free(φ ) J K J K 1 J K 2 =⇒ q := |0i (ρ) |= φ1 ∗ φ2. J K Statement 2: For any ρ ∈ D(V), if ρ |= φ[q := U[q]], then q := U[q] (ρ) |= φ. 1) φ ≡ D[S]. Similar to Statement 1 (1). J K 2) φ ≡ P ∈ P. There are two cases: q† q Case 1: q ⊆ free (P ), P [q := U[q]] = (U ⊗ Ifree(P )\q)P (U ⊗ Ifree(P )\q). First observe that for any ρ ∈ D(V), q := U[q] (ρ)|free(P ) = (Eq:=U[q] ⊗ IV\var(q:=U[q]))(ρ) J K free(P ) = (Eq:=U[q] ⊗ Ifree(P )\q))(ρ|free(P ))

23 q q† = (U ⊗ Ifree(P )\q)(ρ|free(P ))(U ⊗ Ifree(P )\q) Therefore, we have q† q ρ |= (U ⊗ Ifree(P )\q)P (U ⊗ Ifree(P )\q) q† q =⇒ ρ|free(P ) |= (U ⊗ Ifree(P )\q)P (U ⊗ Ifree(P )\q) q† q =⇒ supp(ρ|free(P )) ⊆ (U ⊗ Ifree(P )\q)P (U ⊗ Ifree(P )\q) q q† =⇒ supp (U ⊗ Ifree(P )\q)(ρ|free(P ))(U ⊗ Ifree(P )\q) ⊆ P

=⇒ q := U[q] (ρ)|free(P ) |= P J K =⇒ q := U[q] (ρ) |= P J K Case 2: q ∩ free (P ) = ∅, P [q := U[q]] = P . For any ρ ∈ D(V), note that q := U[q] is trace preserving and var(q := U[q]) = q, so free (P ) ∩ var(q := U[q]) = ∅ and therefore, J K

ρ |= φ1[q := U[q]] ∗ φ2[q := U[q]]

Appendix C. Separation Logic for Quantum Programs, Deferred Proofs for Section 4

C.1. Proof of Theorem 4.1

Theorem C.1 (Theorem 4.1). For any two sets V and V0 containing all free variables of φ, ψ and C, V |= {φ}C{ψ} if and only if V0 |= {φ}C{ψ}. Proof. Suppose V ⊆ V0.

24 0 (Extension, ⇒ part): For any ρ ∈ D(V ), if ρ |= φ, then by Proposition B.6, ρ|V |= φ as free (φ) ⊆ V. Note that ρ|V ∈ D(V), so by assumption, C (ρ|V) |= ψ. Observe that: J K C (ρ|V) = (EC ⊗ IV\var(C))(ρ|V) J K 0 = (EC ⊗ IV\var(C) ⊗ IV \V)(ρ) V 0 = (EC ⊗ IV \var(C))(ρ) V = C (ρ)|V J K by using Proposition 2.1, therefore C (ρ|V) C (ρ) and C (ρ) |= ψ by Kripke monotonicity. J K J K 0 J K 0 0 0 0 (Restriction, ⇐ part): For any ρ ∈ D(V), choose a ρ ∈ D(V ) such that ρ ρ (so ρ = ρ |V). If ρ |= φ, then ρ |= φ, and by assumption, C (ρ0) |= ψ. Observe that: J K 0 C (ρ) = (EC ⊗ IV\var(C))(ρ |V) J K 0 0 = (EC ⊗ IV\var(C) ⊗ IV \V)(ρ ) V 0 0 = (EC ⊗ IV \var(C))(ρ ) V 0 = C (ρ )|V J K by using Proposition 2.1, therefore C (ρ) C (ρ0). As free (ψ) ⊆ V, and C (ρ) |= ψ by Proposition B.6. J K J K J K C.2. Proof of Proposition 4.1

Proposition C.1 (Proposition 4.1, Extended Version). The formulas generated by following grammar are CM. φ, ψ ::= p ∈ AP | > | ⊥ | φ ∧ ψ | φ ∈ SP | µ ∗ φ where µ ∈ SP. Proof. 1) p ≡ D[S]. Trivial. 2) p ≡ P ∈ P. Suppose ρ, ρ0 ∈ D with same domain and ρ |= P and ρ0 |= P , then

0 supp ρ|free(P ) ⊆ P, supp ρ |free(P ) ⊆ P then for any λ ∈ [0, 1], we have:

C.3. Proof of Proposition 4.2

Proposition C.2 (extended version). 1) For all φ ∈ Res and S ⊆ V, |= φ ↔G φ ∧ D[S]. 2) For all φ, ψ, |= φ → ψ implies |= φ →G ψ. Proof. 1) By definition, it is sufficient to prove that for all ρ with dom(ρ) ⊇ free (φ)∪S, ρ |= φ if and only if ρ |= φ∧D[S]. This is trivial since ρ |= D[S]. 2) Trivial by definition of global implication →G .

C.4. Proof of Proposition C.3

Proposition C.3. The formulas generated by following grammar are SP: φ, ψ ::= U[S] | p ∈ P of rank 1 | > | ⊥ | φ ∗ ψ where P of rank 1 consists all rank 1 projections.

C.5. Proposition C.4

Proposition C.4. 1) If φ[E[q]]↓, free (φ[E[q]]) = free (φ); 2) If φ[E[q]]↓, then for any state ρ ∈ D(free (φ) ⊇ q), E(ρ) |= φ if and only if ρ |= φ[E[q]]. Proof. (1). Induction on the structure of φ. (2). We prove it by induction on the structure of φ. (a) φ ≡ > or ⊥. Trivial. (b) φ ≡ P ∈ P, there are two cases. Case 1. q ∩ free (P ) = ∅. For any ρ ∈ D(q ∪ free (P )), ρ|free(P ) = E(ρ)|free(P ) and thus, E(ρ) |= φ if and only if ρ |= φ[E[q]] since P [E[q]] = P . Case 2. q ⊆ free (P ). For any ρ ∈ D(free (P )), we observe: ρ |= P [E[q]] ∗ ⊥ ⊥ ⇐⇒ ρ |= Eq ⊗ Ifree(P )\q (P ) ∗ ⊥ ⇐⇒ tr ρ Eq ⊗ Ifree(P )\q (P ) = 0 ⊥ ⇐⇒ tr Eq ⊗ Ifree(P )\q (ρ)P = 0 ⇐⇒ tr(E(ρ)P ) = 1 ⇐⇒ E(ρ) |= P. (c) φ ∧ ψ. By induction hypothesis, for any state ρ ∈ D(free (φ ∧ ψ) ∪ q), E(ρ) |= φ ∧ ψ iff E(ρ) |= φ and E(ρ) |= ψ iff ρ |= φ[E[q]] and ρ |= ψ[E[q]] iff ρ |= φ[E[q]] ∧ ψ[E[q]] iff ρ |= (φ ∧ ψ)[E[q]]. (d) φ ∨ ψ. Similar to (c).

26 C.6. Proof of Theorem 4.2

The global variable set is denoted by V, which contains all variables of programs and formulas. We first introduce following lemma for quantum measurement: q Lemma C.1. For any ρ ∈ D(V) and projective measurement M = {Mm}, if ρ |= Mm, then performing the measurement M[q] will not change the state, and the outcome is m with certainty. As a consequence, for any if statement C ≡ if (m · q M[q] = m → Cm) fi, if the global state ρ |= Mm, then C (ρ) = Cm (ρ). J K J K Proof of Theorem 4.2. It is sufficient to show that each of the rules shown in Figure 2, 3 and 4 is sound.

φ[q := |0i]↓ φ[q := U[q]]↓ SKIP INIT UNIT {φ}skip{φ} {φ[q := |0i]} q := |0i{φ} {φ[q := U[q]]}q := U [q] {φ}

{φ}C1{ψ}{ψ}C2{µ} PERM 0 0 SEQ {φ[q 7→ q]}q := Perm(q 7→ q )[q]{φ} {φ}C1; C2{µ}

{φm} Cm{ψ} for all m {φ}C{(M0 ∧ ψ) ∨ (M1 ∧ φ)} DIF W DLOOP m(Mm ∧ φm) if ··· ﬁ{ψ} {(M0 ∧ ψ) ∨ (M1 ∧ φ)}while{ψ}

{φ ∗ Mm} Cm{ψ} for all m ψ ∈ CM {φ ∗ M1}C{φ ∗ Iq} φ ∈ CM RIF RLOOP {φ ∗ Iq}if ··· ﬁ{ψ} {φ ∗ Iq}while{φ ∧ M0}

Figure 6: Proof System QSL. In DIF,DLOOP,RIF and RLOOP, if ··· ﬁ and while are abbreviations of if (m · M[q] = m → Cm) ﬁ and while M[q] = 1 do C od respectively, and M0,M1,Mm in assertions are regarded as projective predicates acting on q. In PERM, Perm(q 7→ q0)[q] stands for the unitary transformation which permutes the variables from q to q0 (see Section 2.1 for details).

–SKIP. Trivial as the state of quantum variables are unchanged when applying skip.

–INIT. By Proposition 3.4.

–UNIT. By Proposition 3.4.

–PERM. For any input ρ ∈ D(V) with matrix form ρ[q, qr] (qr = V\q; i.e., ρ is a purely matrix and [q, qr] denotes the order 0 of basis; that is, ρ[q, qr] is interpreted as a matrix over Hq ⊗ Hq ), the output state after performing the Perm[q 7→ q ]: 0 0 r 0 q := Perm[q 7→ q ] has the matrix form ρ[q , qr]. Then it is not difﬁcult to show ρ[q, qr] |= φ[q 7→ q] if and only if 0 ρ[q , qr] |= φ.

if (m · M[q] = m → Cm) ﬁ (ρ) = Cn (ρ), J K J K and by assumption {φn}Cn{ψ}, so Cn (ρ) |= ψ, or equivalently, J K if (m · M[q] = m → Cm) ﬁ (ρ) |= ψ. J K

q q q q –DLOOP. For any input ρ that satisﬁes (M0 ∧ ψ) ∨ (M1 ∧ φ), with the premise {φ}C{(M0 ∧ ψ) ∨ (M1 ∧ φ)}, it is indeed a deterministic loop and the measurement M in guard never changes the current state (see Lemma C.1), i.e., the number of iterations N(ρ) is deterministic and moreover, while M[q] = 1 do C od = CN(ρ) (ρ) J K J K k where C , C; ··· ; C is the k-fold sequential composition of C. Soundness follows by repeatedly using the induction hypothesis.

27 –RIF. For any input ρ ∈ D(V) such that ρ |= φ ∗ Iq, it must have:

ρ|free(φ)∪q = ρ|free(φ) ⊗ ρ|q. q q After the measurement M, with probability pm = tr(MmρMm) the outcome is m and the state changes to q q MmρMm ρm = . pm q q Observe that pm = tr(Mm ρ|qMm) and q q Mm ρ|free(φ)∪qMm ρm|free(φ)∪q = pm q q Mm ρ| ⊗ ρ| Mm = q free(φ) pm q q Mm ρ|qMm = ⊗ ρ|free(φ). pm q q Mm ρ|q Mm q q Realizing that |= M and ρ| |= φ, we have ρm |= φ ∗ M . By premise, Cm (ρm) |= ψ. Back to the pm m free(φ) m semantics of if statement, we know that J K X if (m · M[q] = m → Cm) fi (ρ) = pm Cm (ρm) J K m J K and by promise ψ ∈ CM, so if (m · M[q] = m → Cm) fi (ρ) |= ψ. J K –RLOOP. We here use the notations similar to [29], Section 3.3. Set quantum operation (and its cylinder extension) † Ei(·) = Mi(·)Mi for i = 0, 1. We first claim:

G 0 0 0 0 G φ → φ {φ }C{ψ } ψ → ψ {φ1}C{ψ1}{φ2}C{ψ2} WEAK CONJ {φ}C{ψ} {φ1 ∧ φ2}C{ψ1 ∧ ψ2}

{φ1}C{ψ1}{φ2}C{ψ2} {φ}C{ψ} free (µ) ∩ var(C) = ∅ DISJ CONST {φ1 ∨ φ2}C{ψ1 ∨ ψ2} {φ ∧ µ}C{ψ ∧ µ} {φ}C{ψ} free (µ) ∩ var(C) = ∅ free (ψ) ∪ var(C) ⊆ free (φ) or ψ ∈ SP FRAME {φ ∗ µ}C{ψ ∗ µ}

Figure 7: Proof System QSL. SP: supported assertion, i.e., there is at most one element ρ ∈ D(free (ψ)) that satisﬁes ψ.

G 0 0 0 –WEAK. By premise φ → φ , D[free (φ) ∪ free (φ )] → (φ → φ ), we know that for any input ρ ∈ D(V) that satisﬁes φ, it must also satisfy φ0. By another premise {φ0}C{ψ0}, then C (ρ) |= ψ0, and thus C (ρ) |= ψ by ψ →G ψ0. The trick here is that dom(ρ) = dom( C (ρ)) ⊇ free (φ) ∪ free (φ0) ∪ free J(ψ)K∪ free (ψ0). J K J K –CONJ. For any input ρ ∈ D(V) such that ρ |= φ1 ∧ φ2, then it must have ρ |= φ1 and ρ |= φ2. By premise and induction hypothesis, we obtain C (ρ) |= ψ1 and C (ρ) |= ψ2 and thus C (ρ) |= ψ1 ∧ ψ2. J K J K J K

= (EC ⊗ Ifree(φ)\var(C))(ρ|free(φ)) ⊗ ρ|free(µ)

–FRAME(2), with premise ψ ∈ SP. Unlike the previous proofs, this rule is highly nontrivial, at least in the sense of proof of itself. Given the output a singleton, there are many unreleased properties of the program C. One technique we used here is the puriﬁcation, which allows us to associate pure states with mixed states.

Fact 1. Given any density operator ρA of the system A, and introduce another system R, often called the reference system. If the dimension of R is larger than or equal to A, then there exists a pure state |ψiAR over the composite system AR, such that: trR(|ψiARhψ|) = ρA. Generally, such purifications are not unique, but they are related by a local unitary of reference system R. In detail, for 0 any purifications |ψiAR and |ψ iAR of ρA, there exists a unitary transformation UR acting on system R, such that: 0 |ψ iAR = (IA ⊗ UR)|ψiAR. Step 1: Let us first reveal some variable information from the rule itself. If there exists some input satisfies φ ∗ µ, then obviously, free (φ) ∩ free (µ) = ∅; otherwise, the rule is trivially sound. From the promise free (µ) ∩ var(C) = ∅, we know that free (µ) ∩ (free (φ) ∪ var(C)) = ∅, thus without loss of generality, we can assume free (φ) ⊆ var(C), as we can always add all the variables in free (φ)\var(C) to the program and left them unchanged. Moreover, as ψ is a singleton formula, we must have free (ψ) ⊆ free (φ) ∪ var(C). To see this, suppose q ∈ free (ψ)\(free (φ) ∪ var(C)), then the input state is free on q and the state of q remains unchanged after executing C, so the output state on q is not unique, which is contradictory to the premise that ψ is a singleton formula. In summary, it is sufficient to prove the soundness when free (φ), free (ψ) ⊆ var(C). To simply the representation, we use A to denote free (φ), A0 for free (ψ), B for var(C)\free (φ), C for free (µ), as illustrated in Figure 8. Step 2: Extract hidden information from premise {φ}C{ψ}. In detail, we prove the following Lemma C.2. Let us first extend the system ABC with several mathematically ancilla system RA,RB,RC and R. The dimension of RA is the same as A and it is used for purify density matrix of A, and the similar for RB and RC . System R is used for related the semantics function C (a quantum operation acting on AB) to a unitary transformation URAB acting on RAB; in detail, for any input densityJ operatorK ρAB ∈ D(AB), the output C (ρAB) can be obtained by following step: 1. initial system R in |0iR; 2. apply unitary transformation URAB on RAB;J 3.K trace out the system R; or equivalently: † C (ρAB) = trR URAB(|0iRh0| ⊗ ρAB)URAB . J K

29 Figure 8: Variables. The left one illustrates the relations of variables, where var(C) is the area in red frame, see step 1. The right one shows the auxiliary systems, including RA used for purify ρA, RC used for purify ρC , RARBRC used for purify the input ρABC , and R is the ancilla system with initial state |0i used to purify the quantum operation EAB, see step 2 and step 3.

0 P Suppose ρA ∈ D(A) is any state that satisfies φ, and σA0 ∈ D(A ) with diagonal decomposition σA0 = i λi|αiiA0 hαi| 0 is the only state on A that satisfies ψ. Assuming |ΨARA i ∈ H(ARA) is a purification of ρA. We now prove that,

σC = |ΨBRB CRC ihΨBRB CRC ||C . Realize that the input state indeed satisfies φ because h i † URABRB RC (|ΨARA ihΨARA | ⊗ |ΨBRB CRC ihΨBRB CRC |)UR BR R = |ΨARA ihΨARA ||A = ρA, A B C A 0 0 so after applying C, the reduced state over A of the output must be σA . That is: for fixed URABRB RC and |ΨARA i, the output pure state must have the form X p 0 URABURABRB RC (|0iR|ΨARA i|ΨBRB CRC i = λi|αiiA Xi ⊗ IC |ΨBRB CRC i i 0 where Xi are isometries mapping from BRBRC to RRAB RBRC , and satisfies: 0 ∀ i : kXi ⊗ IC |ΨBRB CRC ik = 1, ∀ i 6= j : hΨBRB CRC |(Xj ⊗ IC )(Xi ⊗ IC )|ΨBRB CRC i.

Since |ΨBRB CRC i are freely chosen, so it can range over all pure state over H(BRBCRC ), we must have: † † ∀ i : Xi Xi = IBRB RC , ∀ i 6= j : Xj Xi = 0. (16)

Let {|eki} be an orthonormal basis of BRBRC , then Xi has the explicit form: X Xi = |βikihek| k 0 where |βiki ∈ H(RRAB RBRC ) and may not be normalized. However, by Eqn. (16), there are many constrains of |βiki: 0 † X X 1 k = k ∀ i : X X = |e 0 ihe | · hβ 0 |β i = |e ihe | ⇒ ∀ i : hβ 0 |β i = i i k k ik ik k k ik ik 0 k 6= k0 kk0 k † X 0 ∀ i 6= j : Xj Xi = |ek0 ihek| · hβjk0 |βiki = 0 ⇒ ∀ i 6= j, ∀ k, k : hβjk0 |βiki = 0. kk0 0 As a consequence, {|βiki}ik is a orthonormal set, and we may extend it as an orthonormal basis of RRAB RBRC : {|βiki, |fmi}. Now, let us start to calculate the explicit form of output: n o † † URABURABRB RC (|0iRh0| ⊗ |ΨARA ihΨARA | ⊗ |ΨBRB CRC ihΨBRB CRC |)UR BR R URAB A B C A0C

Step 3: puriﬁcation of all possible input. In detail, we show that for any input state ρABC |= φ ∗ µ, it can must be written into the form of Lemma C.2; that is, there must exists |ΨARA i ∈ H(ARA), |ΨBRB CRC i ∈ H(BRBCRC ) and unitary transformation URABRB RC acting on RABRBRC , such that h i † URABRB RC (|ΨARA ihΨARA | ⊗ |ΨBRB CRC ihΨBRB CRC |)UR BR R = ρABC . A B C ABC

This step is relatively simple if we realize the fact of freedom of purification. We use the notations ρA = trBC (ρABC ), ρC = trAB(ρABC ) and ρAC = trB(ρABC ), and trivially ρA |= φ and ρC |= µ by restriction. First, there always exists pure state |ΨABCRARB RC i that purify ρABC . Next, let us focus on system AC: note that ρAC is a product state between A and C as ρABC |= φ∗µ (so ρAC |= φ∗µ), thus ρAC = ρA⊗ρC , and set |ΨARA i and |ΨCRC i being the purification of ρA and ρC , then |ΨARA i|ΨCRC i is also a purification of ρAC . If we add |0iBRB , trivially |ΨARA i|0iBRB |ΨCRC i is still a purification of ρAC . Since |ΨABCRARB RC i is a purification of ρABC , it is also a purification of ρAC . Now, we have two purifications |ΨARA i|0iBRB |ΨCRC i and |ΨABCRARB RC i with the same reference system RABRBRC , and due to the freedom of purification, there exists a local unitary transformation URABRB RC that related these two purifications, i.e.,

|ΨABCRARB RC i = URABRB RC |ΨARA i|0iBRB |ΨCRC i.

Set |ΨBRB CRC i = |0iBRB |ΨCRC i and we will obtain:

σC = |ΨBRB CRC ihΨBRB CRC ||C = ρC .

Since σA0 |= ψ and ρC |= µ, so C (ρABC ) |= ψ ∗ µ as we desired. J K

{φ}C{ψ} q ∩ var(C) = ∅ φ[E[q]]↓ ψ[E[q]]↓ UNCR {φ[E[q]]}C{ψ[E[q]]}

Figure 9: Proof rule for dealing with entangled predicates.

31 –UNCR. For ρ ∈ D(V) such that ρ |= φ[E[q]], by Proposition C.4 (2), E(ρ) |= φ, by premise {φ}C{ψ}, C (E(ρ)) |= ψ. By the premise q ∩ var(C) = ∅, C (E(ρ)) = E( C (ρ)), and thus E( C (ρ)) |= ψ. Using Proposition C.4J (2)K again, we have C (ρ) |= ψ[E[q]]. J K J K J K J K

C.7. More explanations for reasoning about entangled predicates

The technique for reasoning about entangled predicates proposed in [21] can be described in following three steps: 1) Pushing out: Introduce auxiliary variables for local reasoning; To capture the behavior how a program affects the entanglement relations between other systems, it is needed to introduce auxiliary variables, at most the fresh copy of each quantum variable as auxiliary variables, in both pre- and post-conditions10. Thanks to Theorem 4.1, this step can be safely down in our logic. 2) Modiﬁcation: Choose appropriate quantum operation E and apply rule UNCR on the auxiliary variables; We use frame rule to glue all preconditions (postcondition) derived by local reasoning together to obtain a valid judgment {φ}C{ψ}. Remember that φ and ψ contains the same set of auxiliary variables. Suppose E is an arbitrary quantum operation acting on auxiliary registers q0 and both E[q0](φ), E[q0](ψ) are deﬁned, for any ρ |= E[q0](φ), we know that: E(ρ) |= φ and so C (E(ρ)) |= ψ. Since C and E[q0] are two quantum operations acting on disjoint registers (i.e., the prime systemJ andK auxiliary system), JC K(E(ρ)) = E( C (ρ)), and thus E( C (ρ)) |= ψ and hence C (ρ) |= E[q0](ψ). In summary, the judgment {E[q0](Jφ)}KC{E[q0](ψ)}JisK valid, which we namedJ K it rule UNCR. J K 3) Pulling back: Using certain equivalence predicates to link the principal and auxiliary variables and then trace out the auxiliary variables. There exist some BI formulas which have a globally equivalent form but with less variables, e.g. the cases of Proposition 4.2. Generally, this step is not feasible for all predicates; however, with a proper choice of E[q0], this step is suitable for lots of scenarios, in particular, it is feasible for all postcondition ψ being projection or observable.

C.8. PEPR: simpliﬁed rule for projections

When BI formula φ and ψ appeared in UNCR are projections, we can derive the following rule by combining the ideas of modification and pulling back: {Ψ}C{Φ} var(C) ⊆ q type(q) = type(q0) q ∩ q0 = ∅ Ψ ∈ P(q, q0)Φ ∈ MES(q, q0) Q ∈ P(q) PEPR {proj [dim(q) · trq0 ((Qq0 ⊗ Iq)Ψ(Qq0 ⊗ Iq))]} C{Q} as an instance of rule UNCR, where MES(q, q0) stands for the set of maximally entangled states of two disjoint registers q, q0 with the same type (i.e., the same dimension of their Hilbert space), and proj maps an observable to the projection onto its eigenspace of eigenvalue 1 (see Section A). Proof. The simplified rule PEPR is indeed a combination of Modification and Pulling back discussed in Section P C.7 whenever postcondition Q ∈ P(q). Suppose Q has the diagonal decomposition Q = i λi|βiiqhβi|, and set P 1 P Q 0 = λ |β i 0 hβ |, N = dim(q) and Φ being the maximally entangled state |Φi = √ |ji |ji 0 with {|ji} q i i i q i N j q q 11 being orthonormal basis of Hq and choose quantum operation X E(ρ) = N · λi|βiiq0 hj|ρ|jiq0 hβi|, ij 0 ∗ ∗ then Φ[E[q ]] = Qq ⊗ Iq0 . First, follows by [21], |= { C (Φ)}C{Φ} and moreover, C (Φ) is the weakest precondition to make it valid. By employing rule UNCR, we obtainJ K J K ∗ 0 0 ∗ 0 {( C (Φ))[E[q ]]}C{Φ[E[q ]]} or equvalently {( C (Φ))[E[q ]]}C{Qq ⊗ Iq0 } J K J K On the other hand, by premise {Ψ}C{Φ}, we have Ψ v C ∗(Φ) J K since C ∗(Φ) is the weakest precondition and thus, J K proj [N · trq0 ((Qq0 ⊗ Iq)Ψ(Qq0 ⊗ Iq))] ⊗ Iq0

10. It is not surprising a fresh copy of all variables is enough, since the semantic function is a quantum operation – quantum operation can be realized by a unitary transformation acting on both prime system and environment as large as the prime system. 11. E deﬁned here is not a trace-preserving quantum operation, similar problems happens in this paragraph. However, it is always possible to add a scalar factor and this does not affect the conclusions.

32 ∗ v proj [N · trq0 ((Qq0 ⊗ Iq) C (Φ)(Qq0 ⊗ Iq))] ⊗ Iq0 ∗ J K ∗ 0 = N · (Qq0 ⊗ Iq) C (Φ)(Qq0 ⊗ Iq) = ( C (Φ))[E[q ]]. J K J K ∗ 0 or equivalently, proj [N · trq0 ((Qq0 ⊗ Iq)Ψ(Qq0 ⊗ Iq))] ⊗ Iq0 → ( C (Φ))[E[q ]] by Proposition B.4 (2). Then by rule WEAK and Proposition C.2, we have J K

` {proj [N · trq0 ((Qq0 ⊗ Iq)Ψ(Qq0 ⊗ Iq))] ⊗ Iq0 }C{Qq ⊗ Iq0 } According to Proposition B.4(3) and B.4(1) and applying rule WEAK again, we conclude

` {proj [N · trq0 ((Qq0 ⊗ Iq)Ψ(Qq0 ⊗ Iq))]} C{Q}.

C.9. Veriﬁcation of Example 4.2

First let us define the maximally entangled states Φ± as |Φi = √1 (|0i |0i ± |1i |1i . The program C defined in pq pq 2 p q p q Example 4.2 is: √ √ C ≡ Z[q1]; Z[q2]. We aim to prove {Φ+ }C{Φ− }. As discussed above, our proof has following steps: q1q2 q1q2 √ 0 • Local reasoning, pushing out. For subprogram Z[q1], let us introduce an auxiliary qubit q1. Using rule UNIT, we have: √ + 1 0 √ {Ψq1q } Z[q1]{Φq q0 } with |Ψipq = (|0ip|0iq − i|1ip|1iq). 1 1 1 2 √ + 0 Similarly, we have {Ψq2q } Z[q2]{Φ 0 }. With FRAME,SEQ and WEAK and Proposition 3.2, we obtain: 2 q2q2 √ √ + + + + + 0 0 0 0 0 ` {Ψq1q ⊗ Ψq2q }{Ψq1q ∧ Ψq2q } Z[q1]{Φ 0 ∧ Ψq2q } Z[q2]{Φ 0 ∧ Φ 0 }{Φ 0 ⊗ Φ 0 }. 1 2 1 2 q1q1 2 q1q1 q2q2 q1q1 q2q2 + + 0 0 • modification and pulling back. Note that Φ 0 ⊗Φ 0 ∈ MES[q1q2, q1q2], we apply rule PEPR (an instance of UNCR, q1q1 q2q2 see Section C.8) to obtain:

n h − − io − 0 0 proj 4 · trq q (Φ 0 0 ⊗ Iq1q2 )Ψ(Φ 0 0 ⊗ Iq1q2 ) C{Φq q }. 1 2 q1q2 q1q2 1 2 Φ+ A careful calculation shows that the precondition is exactly q1q2 as we desired. Appendix D. Local Reasoning: Analysis of Variational Quantum Algorithms, details for Section 5

D.1. VQA in the Tutorial of Cirq

The VQA presented in the tutorial of Cirq 12 deals with a 2D +/− Ising model of size N ×N with objective Hamiltonian (observable) X X H = hijZij + Jij;i0j0 ZijZi0j0 , (i,j) (i,j;i0,j0)∈S where each index pair (i, j) is associated with a vertex in a the N × N grid, S is the set of all neighboring vertices in the grid, and all hij and Jij;i0j0 are either +1 or −1. The algorithm for preparing the ansatz state with real parameters (α, β, γ) given in the tutorial of Cirq can be rewritten in the quantum-while language as follows: VQA(N) ≡ for j = 1, ··· ,N do ProcC(j) od; for i = 1, ··· ,N do ProcR(i) od with following subprograms: ProcC(j) ≡ for i = 1, ··· ,N do ProcR(i) ≡ for j = 1, ··· ,N − 1 do

α (Jcij =−1) qij = X [qij]; qij = X [qij];

β(hij =1) (Jcij =−1) qij = Z [qij] od; qi(j+1) = X [qi(j+1)]; γ for i = 1, ··· ,N − 1 do qij, qi(j+1) = CZ [qij, qi(j+1)];

12. https://quantumai.google/cirq/tutorials/variational algorithm

33 (Jrij =−1) (Jcij =−1) qij = X [qij]; qij = X [qij];

(Jrij =−1) (Jcij =−1) q(i+1)j = X [q(i+1)j]; qi(j+1) = X [qi(j+1)]; γ qij, q(i+1)j = CZ [qij, q(i+1)j]; od;

(Jrij =−1) qij = X [qij];

(Jrij =−1) q(i+1)j = X [q(i+1)j] od;

(Jcij =−1) where for simplicity, we write some logical judgments as superscripts; for example X means that if Jcij = −1, apply the X gate, and otherwise skip. Since the parameters h, Jc and Jr are given a priori, this notation should not lead to any confusion.

D.2. Specifying Incorrectness in Quantum Separation Logic

As pointed out at the beginning of this section, we can use our quantum separation logic to show that algorithm VQA(N) is indeed incorrect. Let us ﬁrst describe its incorrectness in our logical language. Suppose the Hamiltonian H has eigenvalues E0,E1, ... ranged in increasing order, with corresponding eigenspaces (projections) Q0,Q1.... If for each i ≤ n, we can ﬁnd Pi a precondition Pi ∈ P such that |= {Pi}VQA(N){1 − k=0 Qi} (i = 0, 1, ..., n), then by showing that |0i (the initial state of quantum circuit) is close to Pi; that is, h0|Pi|0i ≥ δi, we can conclude that the approximate ground energy computed by VQA(N) is at least n X E0 + (Ei+1 − Ei)δi. (17) i=1 Proof. For input ρ = |0ih0|, the output is σ = VQA(N) (ρ). We have following observations of the energy of output by P J K realizing Ei is an increasing sequence and i≥0 Qi = I:

  n !   X X X tr(Hσ) = tr  EiQiσ ≥ tr EiQiσ + tr En+1 Qiσ i≥0 i=0 i≥n+1 n i ! ! X X = tr(E0σ) + tr (Ei+1 − Ei) 1 − Qi σ . i=0 k=0 Pi On the other hand, suppose |= {Pi}VQA(N){1 − k=0 Qi} (i = 0, 1, ..., n). According to the lifting principle (see [17] Theorem 3.2), we know that, for any two projections P and Q, if {P }C{Q} is valid, then for any input state ρ, tr(P ρ) ≤ tr(Q C )(ρ). Thus, we obtain: J K i ! ! X tr(Piρ) ≤ tr 1 − Qi σ k=0 which implies that the energy of output n n n X X X tr(Hσ) ≥ tr(E0σ) + tr ((Ei+1 − Ei)Piρ) = E0 + (Ei+1 − Ei)h0|Pi|0i ≥ E0 + (Ei+1 − Ei)δi i=0 i=0 i=0 if h0|Pi|0i ≥ δi for all 0 ≤ i ≤ n, as we desired.

Therefore, whenever the quantity in (4) is far away from the real ground energy E0, then VQA(N) is incorrect. To illustrate our idea more explicitly, let us consider the simplest case of 2 × 2 grid (N = 2) with parameters: −1 −1 −1 −1 1 h = 1 1 , Jc = −1 , Jr = and Jij;(i+1)j = Jrij and Jij;i(j+1) = Jcij. The eigenvalues of the Hamiltonian H in this case are E0, ··· ,E5 = −6, −4, −2, 0, 2, 4 with corresponding eigenspaces Q0,Q1, ··· ,Q5, respectively. If we can ﬁnd preconditions P0 and P1 satisfying:  n o |= {P }VQA(N) 1 − Pi Q (i = 0, 1),  i k=0 i 1 4 15 (18) h0|P0|0i = 1 − 16 sin(απ) ≥ 16 ,  1 2 13 h0|P1|0i = 1 − 32 (7 + cos(2απ)) sin (απ) ≥ 16 , then it follows from (4) that the approximate ground energy of VQA is at least −2.5, which is much higher than the real ground energy E0 = −6.

34 D.3. Verifying Incorrectness in Quantum Separation Logic

Now we use the inference rules of quantum separation logic to derive preconditions P0 and P1 required in (18) and thus show that VQA(N) is indeed incorrect. The derivation is given following the three steps outlined at the end of Subsection 4.4. Pushing out: This step is essentially local reasoning. For each subprogram ProcC(j) or ProcR(i), We derive a certain precondition of it with (the projection onto the one-dimensional subspace spanned by) the maximally entanglement as their postconditions, which plays the role of pushing out to connect the variables in the subprogram with some auxiliary variables. For example, consider:

γ ProcR(1) ≡ q11 = X[q11]; q12 = X[q12]; q11, q12 = CZ [q11, q12]; q11 = X[q11]; q12 = X[q12]

0 0 R1 R1 R1 R1 We introduce auxiliary variables q11, q12 with the same types as q11, q12. For postcondition Φ = |Φ ihΦ | with |Φ i = 1 P R1 R1 R1 |ii |ji |ii 0 |ji 0 , we can use rules UNIT and SEQ to derive precondition Ψ = |Ψ ihΨ | with 2 i,j∈{0,1} q11 q12 q11 q12 |ΨR1i = X X CZγ X X |ΦR1i ` {ΨR1}ProcR(1){ΦR1}. q11 q12 q11,q12 q11 q12 such that Similarly, we can derive preconditions ΨR2, ΨC1, ΨC2 such that ` {ΨR2}ProcR(2){ΦR2}, ` {ΨC1}ProcC(1){ΦC1}, ` {ΨC2}ProcC(2){ΦC2}.

Modiﬁcation and pulling back: Now we apply PEPR (which is an instance of UNCR, see Section C.8) to VQA. With FRAME,SEQ and WEAK and Proposition 3.2, we obtain: ` {ΨR1 ⊗ ΨR2}{ΨR1 ∧ ΨR2}ProcR(1){ΦR1 ∧ ΨR2}ProcR(2){ΦR1 ∧ ΦR2}{ΦR1 ⊗ ΦR2}, Note that ⊗ is the tensor product in mathematics and ΨR1 ⊗ ΨR2 and ΦR1 ⊗ ΦR2 are still projections. Similarly, it holds that ` {ΨC1 ⊗ ΨC2}ProcC(1); ProcC(2){ΦC1 ⊗ ΦC2}. Realizing the fact that the tensor product of maximally entangled 0 0 0 0 state is still a maximally entangled state, i.e., Φ1 ∈ MES(q1, q1) and Φ2 ∈ MES(q2, q2) imply Φ1 ⊗Φ2 ∈ MES(q1q2, q1q2), we can use rule PEPR to derive: R1 R2 ` {R}ProcR(1); ProcR(2){Q},R , proj 16 · trq0 (Qq0 ⊗ Iq)(Ψ ⊗ Ψ )(Qq0 ⊗ Iq) 0 0 0 0 0 where q = q11, q12, q21, q22 and q = q11, q12, q21, q22. Similarly, we have: C1 C2 ` {P }ProcC(1); ProcC(2){R},P , proj 16 · trq0 (Rq0 ⊗ Iq)(Ψ ⊗ Ψ )(Rq0 ⊗ Iq) .

The explicit expressions of P, Q, R are involved. Here, we only display the closed form of (P0)11 and (P1)11 for Q = I − Q0 and I − Q0 − Q1 respectively: 1 1 (P ) = 1 − sin(απ)4, (P ) = 1 − (7 + cos(2απ)) sin2(απ), 0 11 16 1 11 32 since h0|Pi|0i = (Pi)11 is what actually needed in (18).

Appendix E. Scalable Reasoning: Veriﬁcation of Security, Details for Section 6

E.1. Security of Quantum Secret Sharing

We here prove the validity of |= PS[p, q, r] → (U[p] ∧ U[q] ∧ U[r]) (see Section 6.2.2). First, for any pure state |ψipqr ∈ PS[p, q, r], it can be written as: 2 X |ψipqr = λi|eiipqr, i=0

35 E.2. Security against Eavesdropper

As one can imagine, veriﬁcation of quantum secret sharing with eavesdroppers is harder. Let us consider a slightly more complicated situation than its original design in [25], [26], [34]: the quantum secret is unknown for the sender and thus cannot be re-prepared by the sender. A protocol for secret transmission in this case was recently proposed in [56], and an instance of it can be written as the following program:

QSS E(n) ≡ for i = 1, ··· , n do C0[p, q, r, hi] ≡ p, hi := Perm(p, hi 7→ hi, p)[p, hi];

Enc[p, q, r]; q, r := Urec[q, r]; c := |0i; c := H[c]; p, q := Perm(p, q 7→ q, p)[p, q];

if M[c] = 0 → C0[p, q, r, hi] 1 → C1[p, q, r, hi]; ﬁ C1[p, q, r, hi] ≡ q, hi := Perm(q, hi 7→ hi, q)[q, hi]; od p, r := Perm(p, r 7→ r, p)[p, r]; This is a n + 1-round protocol: in each round, Alice encodes a qutrit to p, q, r, and Eva tosses the fresh coin c by Hadamard gate H and measures it by computational basis M to decide which qutrit he is going to steal; Alice ﬁrst tries to send p to Bob and then q to Charlie. If the coin is head (0), then Eva steals p and stores it in her own register hi, and Alice recovers the message from q, r and sets it as the secret for next round; and if the coin is tail (1), then Eva steals q and stores in hi, and Alice sets r as the secret for next round. It can be shown at the end if Eva doesn’t steal p and q at the n + 1 round, the qutrit(s) that Bob and Charlie get are indeed what they want (anyone has no information about secret but they together can recover the secret). The security of QSS E(n) can be expressed as the uniformity:

` {>}QSS E(n){U[h1, ··· , hn]}, (19) which means that all qutrits Eva stolen are in fact useless. We show how (19) can be proved in our quantum separation logic. First, by the frame rule CONST and (9), we have for all i = 1, ··· , n:

` {U[h1, ··· , hi−1]} p, q, r = Enc[p, q, r] {PS[p, q, r] ∧ U[h1, ··· , hi−1]}. Next, we consider the ﬁrst branch of the if-statement in QSS E(n) and obtain:

`{PS[p, q, r] ∧ U[h1, ··· , hi−1]}

• Perm(p, hi 7→ hi, p)[p, hi]; PERM

{PS[hi, q, r] ∧ U[h1, ··· , hi−1]} WEAK

{U[h1, ··· , hi]} (20)

• q, r := Urec[q, r]; p, q := Perm(p, q 7→ q, p)[p, q]; UNIT, FRAME

{U[h1, ··· , hi]}

Note that (PS[hi, q, r] ∧ U[h1, ··· , hi−1]) → U[h1, ··· , hi] in assertion logic is derived from Proposition B.4 (5). Similarly we have: ` {PS[hi, q, r] ∧ U[h1, ··· , hi−1]}C1[p, q, r, hi]{U[h1, ··· , hi]} (21) the second branch of the if-statement in QSS E(n). Now, using rule RIF we can combine (20) and (21) to derived the following for the if-statement in QSS E(n):

` {(PS[p, q, r] ∧ U[h1, ··· , hi−1]) ∗ Ic}if ··· ﬁ{U[h1, ··· , hi]}.

Finally, we use WEAK and SEQ repeatedly to glue the above judgments together: `{>} • for i = 1, ··· , n do SEQ

{U[h1, ··· , hi−1]} • p, q, r = Enc[p, q, r];

{PS[p, q, r] ∧ U[h1, ··· , hi−1]} WEAK (PS[p, q, r] ∧ U[h1, ··· , hi−1]) ∧ Ic ∧ (Ipqrh1···hi−1 ∗ I∅) • c := |0i; c := H[c]; UNIT, FRAME

{(PS[p, q, r] ∧ U[h1, ··· , hi−1]) ∗ Ic}

36 • if M[c] = 0 → C0[p, q, r, hi] 1 → C1[p, q, r, hi] ﬁ {U[h1, ··· , hi]} • od

{U[h1, ··· , hn]}.

Appendix F. BI with domain - Constructing 2-BID Logic

As discussed in Section 3.3, the failure of existence of extensions makes some BI formulas nonrestrictive – satisfaction relation ρ |= φ depends on the variables outside free (φ). On the other hands, restriction property is so important in program logic that we need to focus on those restrictive BI formulas when we establish QSL. Pointed out in Section 7, a possible way is to modify the BI frame to make restriction property intrinsic. Here and the following context focus on the aim, along the line that first introduce 2-BID logic, and then construct QSL based on 2-BID. As the first step, we define the assertion language as an extension of BI-logic, tailored for specifying properties of quantum states, with a special consideration of accommodating entanglement and separation together.

F.1. BI-Logic with nondeterministic composition

Here, we give an alternative definition of BI frame with nondeterministic composition, i.e., x◦y is a set of worlds rather than a single world. Definition F.1 (BI frame [1], [11]). A BI frame is a tuple X = (X, ◦, , e), where X is a set equipped with a preorder , and ◦ : X × X → ℘(X) is a binary operation mapping to the power set of X with an unit element e and satisfying the following conditions: 1) (Commutativity) z ∈ x ◦ y ⇒ z ∈ y ◦ x; 2) (Unit Existence) x ∈ x ◦ e; 3) (Coherence) x ∈ y ◦ z ⇒ x y; 4) (Associativity) t0 t ∈ x ◦ y ∧ w ∈ t0 ◦ z ⇒ ∃s, s0, w0(s0 s ∈ y ◦ z ∧ w w0 ∈ x ◦ s0). Moreover, a BI frame is said to be Downwards Closed (DC) if it satisfies (5) (Downwards Closed) z ∈ x ◦ y ∧ x0 x ∧ y0 y ⇒ ∃z0(z0 ∈ x0 ◦ y0 ∧ z0 z) The downwards closed property was identified in [57] to simplify the semantics of magic wand −∗; we also find it useful for proving the restriction property of ∗. A valuation is a mapping V : AP → ℘(X), and it is monotonic if x ∈ V(p) and y x implies y ∈ V(p). A BI frame X together with a monotonic valuation V gives a BI model M. Definition F.2 (Satisfaction in BI models [1], [11]). Given a BI formula φ and a BI model M = (X, ◦, , e, V). For each x ∈ X, satisfaction relation x |=M φ is defined by induction on φ:

x |=M p iff x ∈ V(p) x |=M > : always x |=M ⊥ : never

The judgment φ |=M ψ asserts that for every x ∈ X, whenever x |=M φ, it follows x |=M ψ. We write φ |= ψ iff φ |=M ψ holds for all models, and we say φ is valid, written |= φ, iff > |= φ. Though the nondeterministic composition is considered and the deﬁnition of BI frame and BI model are somewhat different from standard ones (see Section 2.3), it enjoys the same proof system in Hilbert-style is presented in Fig. 5. In particular, it not only sound but also complete. We use φ ` ψ to denote provability. In particular, we say φ is provable if > ` φ is provable. Theorem F.1 (Soundness and Completeness of BI, c.f. [1], [11]). For BI formulas φ and ψ, φ |= ψ iff φ ` ψ in Hilbert system shown in Fig. 5.

37 ξ ` φ µ ` ψ free(φ) ⊆ free(ξ) free(ψ) ⊆ free(µ) µ ∗ φ ` ψ free(µ) ⊆ free(ψ)\free(φ) 110. 120. ξ ∗ µ ` φ ∗ ψ µ ` φ −∗ ψ ξ ` φ −∗ ψ µ ` φ free(ψ)\free(φ) ⊆ free(ξ) free(φ) ⊆ free(µ) free(µ) ⊆ free(φ) 130. 17. ξ ∗ µ ` ψ (φ ∗ ψ) ∧ µ ` (φ ∧ µ) ∗ ψ

Figure 10: Hilbert-style rules for BID.

F.2. BID: BI with Domains

As discussed before, restriction property is not intrinsic in a standard BI logic. To preserve the restriction property of implication in the quantum setting, we need to introduce domains for both states (i.e. elements of a BI-frame) and atomic propositions in order to explicitly specify the (quantum) variables under consideration. Deﬁnition F.3 (BID frame). A BID frame (a BI frame with domains) is a downwards closed BI frame X = (X, ◦, , e) together with a domain function dom : X → ℘(Y ), where Y is a nonempty set of (quantum) variables, that satisﬁes: 1) (Monotonicity) x y implies dom(x) ⊆ dom(y);

2) (Restriction) For any S ⊆ Y and x ∈ X, there is exactly one x|S ∈ X such that x|S x and dom(x|S) = S∩dom(x); 3) (Extension) For any S ⊆ Y and x ∈ X such that dom(x) ⊆ S, there exists y ∈ X such that x y and dom(y) = S; 4) (Union) z ∈ x ◦ y implies dom(z) = dom(x) ∪ dom(y). Deﬁnition F.4 (BID model). A BID model M is a tuple M = (X, ◦, , e, dom, free, V), where (X, ◦, , e, dom, V) is a BID model, and free : AP → ℘(Y ) is a domain function for atomic propositions, such that for any x, y ∈ X and p ∈ AP, 1) (Monotonicity) x y and x ∈ V(p) implies y ∈ V(p);

2) (Restriction) x ∈ V(p) implies free(p) ⊆ dom(x) and x|free(p) ∈ V(p). Intuitively, free(p) defines the minimal domain of atomic proposition p, in the sense that the domain of any state x ∈ V(p) must contain free(p). The domain function free can be extended from atomic propositions to all BI formula as follows: 1) if φ ≡ > or ⊥, then free(φ) = ∅; 2) if φ ≡ φ1 ∧ φ2, φ1 ∨ φ2, φ1 → φ2, φ1 ∗ φ2, then free(φ) = free(φ1) ∪ free(φ2); 3) if φ ≡ φ1 −∗ φ2, then free(φ) = free(φ2)\free(φ1). Now we can define satisfaction of BI-formulas in BID models. Here, we adopt a basic idea in classical separation logic [5], [6], [7], [8]: satisfaction x |= φ is only defined when dom(x) ⊇ free(φ). Definition F.5 (Satisfaction in BID models). Given a BID model M = (X, ◦, , e, V, dom, free). Let x ∈ X and φ be a BI-formula with dom(x) ⊇ free(φ). Then satisfaction relation x |=M φ is defined by induction on φ:

Accordingly, judgment φ |=M ψ now asserts that for every x ∈ X such that dom(x) ⊇ free(φ) ∪ free(ψ), whenever x |=M φ, it holds that x |=M ψ. Moreover, φ |= ψ means that φ |=M ψ holds for all BID models, and φ is valid iff > |= ψ holds. It is particularly important to see that monotonicity and the restriction property hold for satisfaction in BID models with the downwards closed property. Proposition F.1 (Monotonicity and Restriction). Given a BID model M, for all x, y ∈ X and BI-formula φ such that x y and free(φ) ⊆ dom(x), x |=M φ if and only if y |=M φ. A proof system (for reasoning about validity of BI-logical formulas in BID models) can be obtained by modifying the proof system of BI-logic with appropriate domain assumptions. More precisely, it consists of rules 1–10 and 14–16 in Fig. 5 together with rules 110–130 and 17 in Fig. 10. Note that rule 17 is introduced so that the ordinary conjunction ∧ can be pulled into the separation conjunction ∗ (under certain domain conditions). Theorem F.2 (Soundness of BID). For any BI-formulas φ and ψ, if φ ` ψ is provable in the BID proof system, then φ |= ψ for BID models. It should be pointed out that the interpretation of separation implication −∗ in BID (see Deﬁnition F.5) is different from that in BI (see Deﬁnition F.2). Thus, rules 11–13 are in general not sound for BID, and the domain assumptions in 110–130 are necessary for soundness of these rules. Moreover, soundness of rule 17 is ensured by the restriction property.

38 F.3. 2-BID

The BID models defined in the above subsection are still not strong enough for description of quantum states with entanglement resides between subsystems. In order to distinguish separable quantum states and entangled quantum states, we use ∗ in BI-logic as an uncorrelated conjunction and introduce as a general (possibly entangled) conjunction (a detailed discussion why is employed can be found in Section G.3): Definition F.6 (Syntax of 2-BID). The 2-BID formulas are generated by the following syntax: φ, ψ ::= p ∈ AP | > | ⊥ | φ ∧ ψ | φ ∨ ψ | φ → ψ | φ ∗ ψ | φ −∗ ψ | φ ψ | φ − ψ. Entanglement can now be expressed as a 2-BID formula of the form (φ ψ) ∧ ¬χ, where χ describes the probabilistic combination of a family of formulas φi ∗ ψi with φi and ψi depicting certain properties of the subsystems. To define the semantics of 2-BID formulas, we propose a 2-BID frame as a tuple X = (X, ◦, •, , e, dom : X → ℘(Y )), where both (X, ◦, , e, dom) and (X, •, , e, dom) are BID frames and they are related by the following condition: (Weakening) z ∈ x ◦ y → z ∈ x • y. Various syntactic and semantic notions defined in the previous subsections can be straightforwardly generalised to 2- BID. First, a domain function free : AP → ℘(V) for atomic propositions can be extended to all 2-BID formulas with the following additional clauses for and −: 1) if φ ≡ φ1 φ2, then free(φ) = free(φ1) ∪ free(φ2); 2) if φ ≡ φ1 − φ2, then free(φ) = free(φ2)\free(φ1). Next, the satisfaction relation x |=M φ for states x in a 2-BID model M with dom(x) ⊇ free(φ) can be added by introducing the following additional clauses: 0 0 1) x |= φ1 φ2 iff exists x , x1, x2 s.t. x x ∈ x1 • x2, x1 |= φ1 and x2 |= φ2; 2) x |= φ − φ iff for all x0, x , x s.t. x0 x| and x ∈ x0 • x , x |= φ implies x |= φ . 1 2 1 2 free(φ1−φ2) 2 1 1 1 2 2 We write |= φ when φ holds for all state x such that dom(x) ⊇ free(φ). As (D, ◦, , 1, dom) and (D, •, , 1, dom) are both BID frames, all properties of BID models automatically hold for 2-BID models. In particular, Proposition F.1 (monotonicity and the restriction property) is still true for 2-BID. A Hilbert-style proof system for 2-BID can be introduced as a combination of two subsystems, one for ∗, −∗ and one for , −, related by a rule defining the entailment between ∗ and . More precisely, it comprises all BID rules for (i.e. rules 1-10, 110–130 and 14–17 in Fig. 5 and 10) and their variants for , − as well as the following additional rule: (Conjunction Weakening). . φ ∗ ψ ` φ ψ The soundness of this proof system for 2-BID is a direct corollary of Theorem F.2 together with a trivial checking of the rule (Conjunction Weakening). For convenience, we present several useful derived rules in the following: Proposition F.2. 1) If |= φ → ψ and |= ψ → µ, then |= φ → µ. 2) |= (φ ∧ ψ) ∗ µ → (φ ∗ µ) ∧ (ψ ∗ µ), |= (φ ∧ ψ) µ → (φ µ) ∧ (ψ µ); 3) |= φ ∗ ψ → φ ψ, |= φ ψ → φ ∧ ψ; 4) |= φ ∗ ψ → φ, |= φ ψ → φ; 5) If |= φ ↔ ψ and free(φ) = free(ψ), then for any µ, |= µ ↔ µ[φ/ψ] where µ[φ/ψ] is obtained by replacing all ψ in µ by φ.

Appendix G. Quantum Interpretation of 2-BID Logic

As said before, 2-BID logic is designed as the assertion language of our quantum separation logic. More precisely, it is used to describe properties of the states of quantum programs. An abstract semantics of 2-BID was deﬁned in the previous section in terms of 2-BID frames. In this section, this semantics will be concretised by deﬁning a quantum frame.

G.1. 2-BID Frame of Quantum States

Basically, we consider the quantum states over specific registers as resources. Then two kinds of conjunction should be introduced to model combinations of spatially separate quantum resources (quantum states over disjoint registers): a uncorrelated conjunction “tensor product” ◦ and a general conjunction “coupling” •. Formally, they are defined as follows: Definition G.1. The binary function ◦ and • : D × D → ℘(D) mapping each pair of quantum states to a set of quantum states are defined by:

39 1) ρ1 ◦ ρ2 , {ρ1 ⊗ ρ2} if dom(ρ1) ∩ dom(ρ2) = ∅; otherwise, ρ1 ◦ ρ2 , ∅; 2) ρ • ρ ρ ∈ D(dom(ρ ) ∪ dom(ρ )) ρ| = ρ , ρ| = ρ if dom(ρ ) ∩ dom(ρ ) = ∅; otherwise, 1 2 , 1 2 dom(ρ1) 1 dom(ρ2) 2 1 2 ρ1 • ρ2 , ∅; where dom is the domain function which specifies the quantum register that a quantum state lies on. The functions ◦ and • are used to collect the tensor product and the couplings of two quantum states, respectively, whenever they exist. If the domains of ρ1 and ρ2 have a nonempty overlap, then their tensor product and couplings are not well-defined and thus ρ1 ◦ ρ2 and ρ1 • ρ2 return the empty set. As a comparison, ◦ defined here and in Definition 3.1 are the same in principle. A partial order over quantum states considered as resources is the same as we defined in main text (Section 3, Definition 3.2). The partial order is preserved under restriction:

Proposition G.1. 1) For any S ⊆ V and ρ ∈ D, ρ|S ρ. Indeed, ρ|S is the unique quantum state with domain S ∩ dom(ρ) and ρ|S ρ. 0 0 0 2) For any S ⊆ V and ρ, ρ ∈ D, if ρ ρ , then ρ|S ρ |S. Combining all of the ingredients deﬁned above, we obtain: Proposition G.2. (D, ◦, •, , 1, dom) forms a 2-BID frame, where scalar number 1 is understood as a state over the empty register, and dom denotes for the domain of quantum states.

G.2. Atomic Propositions about Quantum States

Now we can interpret 2-BID logic in the quantum frame (D, ◦, •, , 1, dom). As a common practice, we need to choose different sets of atomic propositions in different applications of our 2-BID logic. But the following assumptions about atomic propositions should be satisﬁed: 1) The domain function for atomic propositions free : AP → ℘(V) is deﬁned so that for each atomic proposition p ∈ AP, free(p) is a family of sets of quantum variables; 2) The interpretation − : AP → ℘(D) of atomic propositions is given so that for each atomic proposition p ∈ AP, p is a set of quantumJ statesK that is upward-closed and closed under restriction: for any ρ, σ ∈ D and p ∈ AP, J K a) ρ σ and ρ ∈ p implies σ ∈ p ; J K J K b) ρ ∈ p implies free(p) ⊆ dom(ρ) and ρ|free(p) ∈ p . J K J K G.3. Quantum Interpretation of 2-BID Connectives

We saw in Section F.3 that the main difference between BI logic and 2-BID logic comes from spatial (separating) conjunctions and implications. Now we can further examine the difference in terms of their quantum interpretations with the domain assumption. Spatial Conjunctions: Only one spatial conjunction is needed in both classical and probabilistic separation logic. However, entanglement between quantum systems forces us to consider two different spatial conjunctions. First, independence between registers in probabilistic separation logic [9] can be naturally generalised into the quantum setting: for two formulas φ1 and φ2 with disjoint domains, φ1 ∗ φ2 holds in quantum state ρ if ρ can be split into two uncorrelated states ρ1 and ρ2 that satisfy φ1 and φ2, respectively. Formally, ρ |= φ1 ∗ φ2 if and only if there exist two states ρ1 and ρ2 such that ρ ρ1 ◦ ρ2 and ρi |= φi for i = 1, 2 (see Definition G.1 for operation ◦). To enable local reasoning in the presence of entanglement, we here introduce an additional spatial conjunction . One might question why no is employed in main text (see Section 3), basically there are two reasons: 1. can be encoded by ∧ and a side condition for free variables, i.e., φ ψ ↔ φ ∧ ψ if we assume free (φ) ∩ free (ψ) = ∅; 2. the side condition for free variables can be easily checked syntactically if no subscripting/aliasing is allowed in program logic; however, as we point out in Conclusion (Section 8), we aim to verify programs with subscripting/aliasing, which would make checking side conditions for free variables difficult, at least syntacticlly difficult. Therefore, we introduce rather than use ∧. For two formulas φ1 and φ2 with disjoint domains, a quantum state ρ ∈ D(S) satisfies φ1 φ2 if its restrictions on two disjoint subsystems S ,S ⊆ S, ρ| and ρ| satisfy φ and φ , respectively. Note that unlike in the case of independent 1 2 S1 S2 1 2 conjunction ∗, here state ρ can be entangled. This enables to be used in a situation where a program can be divided into several parts acting on different registers, but its input is often entangled between these subsystems. In fact, many of the existing quantum algorithms are designed in such a way. Spatial Implications: Usually, an implication is linked to its corresponding conjuction through a Galois connection. In BI-logic, the semantics of spatial −∗ corresponding to spatial conjunction ∗ is defined as follows: 0 0 0 ρ |= φ1 −∗ φ2 iff for all ρ , ρ1, ρ2 s.t. ρ ρ and ρ2 ∈ ρ ◦ ρ1 : ρ1 |= φ1 implies ρ2 |= φ2 (22)

40 In 2-BID logic, however, we have to reconsider the above definition with the domain assumption. It is reasonable to set the domain of spatial implication free(φ1 −∗ φ2) = free(φ2)\free(φ1). If we still adopt equation (22) to define the semantics of −∗, then the restriction property will be violated. We choose to modify defining equation (22) as follows: ρ |= φ −∗ φ iff for all ρ0, ρ , ρ s.t. ρ0 ρ| and ρ ∈ ρ0 ◦ ρ , ρ |= φ implies ρ |= φ . (23) 1 2 1 2 free(φ1−∗φ2) 2 1 1 1 2 2 Note that in equation (23) ρ0 is required to range over all states ρ| . Thus, the restriction property is automatically free(φ1−∗φ2) satisfied by −∗. The above discussion also applies to the spatial implication − corresponding to conjunction .

G.4. Quantum Modiﬁcation of 2-BID Formulas

We conclude this section by presenting a technique of modifying 2-BID formulas, similar to the modification of BI formulas (see Section 3.4) but much more general since implication and separating implications are considered. Definition G.2 (Modification of atomic propositions). Let C be a unitary transformation q := U[q] or an initialisation q := |0i. For any atomic proposition p ∈ AP, if there exists a 2-BID formula φ such that: 1) p and φ have the same domain: free(p) = free(φ); 2) for all ρ ∈ D(free(p) ∪ var(C)), ρ |= φ if and only if C (ρ) |= p; J K then we say that φ is an C-modification of p and write p[C] , φ. The modification of some atomic propositions may not exists. We write φ[C]↓ whenever φ[C] is defined. The following examples give the modifications of those atomic propositions needed in the applications of quantum separation logic considered in this paper. The notion of modification can be easily extended to all 2-BID formulae: Definition G.3 (Modification of 2-BID formulas). Let C be unitary transformation q := U[q] or initialisation q := |0i. The modification φ[C] of 2-BID formula φ is defined by induction on the structure of φ: 1) if φ ≡ > or ⊥, then φ[C] ≡ φ; 2) if φ ≡ p ∈ AP, then φ[C] is defined according to Definition G.2; 3) if φ ≡ φ1 4 φ2 where 4 ∈ {∧, ∨, →, } and φ1[C]↓ and φ2[C]↓, then φ[C] ≡ φ1[C] 4 φ2[C]; 4) if φ ≡ φ1 ∗ φ2, then a) if C ≡ q := U[q] and φi[C]↓ and q ⊆ free (φi) or q ∩ free (φi) = ∅ for i = 1, 2, then φ[C] ≡ φ1[C] ∗ φ2[C]; b) if C ≡ q := |0i, then (φ [C] φ [C]) ∧ (I ∗ I ) if q ∈ free(φ ) ∪ free(φ ), φ [C]↓and φ [C]↓ φ[C] ≡ 1 2 free(φ1)\q free(φ2)\q 1 2 1 2 φ if q∈ / free(φ1) ∪ free(φ2)

5) if φ ≡ φ1 4 φ2 where 4 ∈ {−, −∗} and C ≡ q := U[q] or q := |0i, then φ 4 φ [C] if var(C) ⊆ free(φ )\free(φ ) and φ [C]↓13 φ[C] ≡ 1 2 2 1 2 φ if var(C) ∩ free(φ2)\free(φ1) = ∅

The modification of 2-BID formula is not as convention. Since implication is considered, it is necessary to find the weakest precondition of φ, to make the proof rules INIT and UNIT sound. For example, an initialization command q := |0i makes q uncorrelated with all other registers. As a consequence, the postcondition Iq ∗ Iq0 which asserts that two registers 0 0 q and q are independent does not imply the precondition should assert the independence of q and q , e.g., Iq ∗ Iq0 , even if Iq[q := |0i] = Iq and Iq0 [q := |0i] = Iq0 . In addition, the assumption of command variables and domains is declared for modification of − and −∗, since we failed to derive the modified formula for the case var(C) ⊃ free(φ2)\free(φ1). A close connection between the semantics of a 2-BID formula φ and its modification φ[C] is shown in the following: Proposition G.3. Let C be unitary transformation q := U[q] or initialisation q := |0i, and φ be any 2-BID formula. If its modification φ[C] is defined, then: 1) φ and φ[C] have the same domain: free(φ) = free(φ[C]); 2) for all ρ ∈ D(free(φ) ∪ var(C)), ρ |= φ[C] if and only if C (ρ) |= φ. J K We can also generalize the concept of modification to quantum operation. Formally, we define the E-Modification as follows:

13. φ1[C] 4 φ2[C] also works for this case, but it is weaker since additional φ1[C]↓ should be assumed.

41 0 {φ ∗ M1}C{φ ∗ Iq} φ ∈ CM PERM 0 0 RLOOP {φ[q 7→ q]}q := Perm(q 7→ q )[q]{φ} {φ ∗ Iq}while{φ M0} φ → φ0 {φ0}C{ψ0} ψ0 → ψ WEAK0 {φ}C{ψ} {φ}C{ψ} free(µ) ∩ var(C) = ∅ free(ψ) ⊆ free(φ) ∪ var(C) FRAMEE {φ µ}C{ψ µ}

Figure 11: Inference Rules for QSL of 2-BID. In RLOOP, while is the abbreviation of while M[q] = 1 do C od, and 0 M0,M1 in assertions are regarded as projective predicates acting on q. In PERM, Perm(q 7→ q )[q] stands for the unitary transformation which permutes the variables from q to q0 (see Section A for details).

Definition G.4 (E-Modification). Let E be quantum operation on q. The E-Modification of a 2-BID formula φ is defined inductively: 1) (Atomic Propositions) For atomic proposition p ∈ AP, if there exists 2-BID formula ψ such that: a) p and ψ have the same domain: free(p) = free(ψ); b) for all ρ ∈ D(free(p) ∪ q), ρ |= ψ if and only if E(ρ) |= p; then we say that ψ is an E-modification of p and write p[E[q]] , ψ. 2) (Induction step) We write φ[E[q]]↓ if φ[E[q]] is defined. a) if φ ≡ > or ⊥, then φ[E[q]] ≡ φ; b) if φ ≡ p ∈ AP, then φ[E[q]] is defined according to Clause (1); c) if φ ≡ φ1 4 φ2 where 4 ∈ {∧, ∨, →, } and both φ1[E[q]]↓ and φ2[E[q]]↓, then φ[E[q]] ≡ φ1[E[q]] 4 φ2[E[q]]. Intuitively, if E[q](φ)↓, then for any state ρ, E(ρ) |= φ if and only if ρ |= E[q](φ).

Appendix H. Separation Logic for Quantum Programs with 2-BID as assertion logic

Now we are ready to present our separation logic for quantum programs with 2-BID logic interpreted in the quantum frame deﬁned in the last section as the assertion language. Since all 2-BID formulas are restrictive, in contrast to Section 4, now a judgment is a Hoare triple of the form {φ}C{ψ} with both precondition φ and postcondition ψ being 2-BID formulas. Deﬁnition H.1 (Validity). Let V be a set of quantum variables with free(φ), free(ψ), var(C) ⊆ V. Then a correctness formula {φ}C{ψ} is true in the sense of partial correctness with respect to V, written V |= {φ}C{ψ}, if we have:

∀ρ ∈ D(V), ρ |= φ ⇒ C V(ρ) |= ψ. J K Here, satisfaction relation ρ |= φ and C V(ρ) |= ψ are deﬁned according to the quantum interpretation of 2-BID logic given in Section G. J K Similarly, satisfaction does not depends on auxiliary variables. Theorem H.1. For any two sets V and V0 of variables, V |= {φ}C{ψ} if and only if V0 |= {φ}C{ψ}. As a consequence, we can drop V from V |= {φ}C{ψ} and simply write |= {φ}C{ψ}.

H.1. Inference Rules

Most of the inference rules shown in main text (see Section 4, Figs. 2, 3 and 4) are sound. We list the different rules here and comment them in a few words. • Rule PERM: At the ﬁrst glance, one may think that this rule is a special case of rule UNIT because permutation is a unitary transformation. Indeed, it is strictly stronger that what can be derived from UNIT because entanglement is not invariant under a permutation between quantum registers; in particular when the 2-BID formulas describing the involved quantum systems contain independence conjunction ∗ and implication −∗. 0 • Rules RLOOP : This one is slightly different than the one shown in Fig. 2 since if fact, φ and M0 have the disjoint domains, which leads to φ ∧ M0 equivalent to φ M0.

42 0 • Rules WEAK : note that the satisfaction relation for implication in 2-BID is different from it in BI, the φ → ψ is exactly equivalent to φ →G ψ. Thus, we can directly use the →. • Rules FRAMEE: The conditions free(µ) ∩ var(C) = ∅ and free(ψ) ⊆ free(φ) ∪ var(C) in the premise ensur that (1) satisfaction of µ is unchanged after executing C; and (2) if φ µ has a non-empty interpretation, then ψ µ is well-deﬁned in the sense that the domains of ψ and µ do not overlap: free(ψ) ∩ free(µ) = ∅. Since all formulas considered here are 2-BID formulas, the set of CM and SP (see Deﬁnition 4.2 and 4.4) can be generalized to larger sets: Proposition H.1. The formulas generated by following grammar are CM.

φ, ψ ::= p ∈ P ∪ U ∪ Up | > | ⊥ | φ ∧ ψ | φ ψ | µ −∗ ψ | φ ∈ SP | µ1 ∗ φ where µ is an arbitrary 2-BID formula, and µ1 ∈ SP. Proposition H.2. The formulas generated by following grammar are SP:

φ, ψ ::= p ∈ U | p ∈ Pof rank 1 | > | ⊥ | φ ∗ ψ | µ1 −∗ φ | µ1 − φ where Pof rank 1 consists all rank 1 projections, and µ1 is formula with non-empty interpretation. To conclude this section, we show that quantum separation logic QSL consisting of all the proof rules listed in Figure 2, 3 and 4 and 11 (RLOOP and WEAK are replaced by RLOOP0 and WEAK0, respectively) are sound. Theorem H.2 (Soundness of QSL). The proof system QSL of 2-BID is sound for terminating programs; that is, if C is a terminating program, then ` {φ}C{ψ} implies |= {φ}C{ψ}.

Appendix I. Deferred Proofs for Section F G and H

Most of the proofs in this part are tedious, and some of them are similar to previous proofs. Please ﬁnd the proofs if needed. Proposition I.1. Suppose X = (X, ◦, , e, dom : X 7→ ℘(Y )) is a BI frame with domain. Then the following statements hold: 0 0 0 0 1) for any x, x ∈ X and S ⊆ Y , if x x and S ⊆ dom(x ), then x |S = x|S. 0 0 0 2) for any S ⊆ Y and x ∈ X such that S ⊆ dom(x), x|S is the unique least element of set {x | x x and S ⊆ dom(x )}. 0 0 0 3) for any x, x ∈ X and S ⊆ Y , if x x, then x |S x|S. 0 4) for any x ∈ X and S ⊆ S ⊆ Y , x|S0 x|S. 0 0 0 0 Proof. 1. Note that x |S x x and dom(x |S) = S, so x |S = x|S according to the uniqueness of domain restriction. 0 0 0 0 0 2. For any x such that x x and S ⊆ dom(x ), x|S = x |S x , so x|S is a least element of the set. Moreover, suppose y is another least element of the set, then x|S y and y x|S, by domain monotonicity, dom(y) = dom(x|S) = S, so y = x|S according to the uniqueness of domain restriction. Therefore, x|S is the unique least element of the set. 0 0 0 0 3. x x implies dom(x ) ⊆ dom(x). Note that dom(x |S) = dom(x ) ∩ S ⊆ dom(x) ∩ S = dom(x|S), and 0 0 0 x |S x x, x|S x, so x |S x|S according to 2. 0 4. Note that dom(x|S0 ) = dom(x) ∩ S ⊆ dom(x) ∩ S = dom(x|S), and x|S0 x, x|S x, so x|S0 x|S according to 2.

Claim 1. φ |=M ψ if and only if |=M φ → ψ. Proof. At first, by the definition of domain for BI formula, free(φ → ψ) = free(φ) ∪ free(ψ). (if part). For any x such that dom(x) ⊇ free(φ → ψ) and x0 x, note that by domain monotonicity (see Definition F.3 0 0 0 (1)), dom(x ) ⊇ dom(x) ⊇ free(φ → ψ), thus by assumption, x |=M φ implies x |=M ψ, which leads to |=M φ → ψ. (only if part). If |=M φ → ψ, then for any x such that dom(x) ⊇ free(φ → ψ), x |=M φ → ψ. Note that x x by reflexivity of preorder, so by the definition of satisfaction relation, x |=M φ implies x |=M ψ.

Proof of Proposition F.1 Proposition I.2 (Monotonicity and Restriction, Proposition F.1). Given a BID model M, for all x, y ∈ X and BI-formula φ such that x y and free(φ) ⊆ dom(x), x |=M φ if and only if y |=M φ.

43 Proof. The monotonicity holds as usual. Lemma I.1 (Monotonicity). Monotonicity extends to all formulas with respect to BID semantics. That is, for all BI-formula φ and x, y ∈ X, x y and x |=M φ implies y |=M φ. Moreover, with the downwards closed property, we can prove the restriction lemma for a BID model. 0 Lemma I.2 (Restriction). Given a BID model M, for all x ∈ X and BI-formula φ, x |=M φ implies for any x x such 0 0 that dom(x ) ⊇ free(φ), x |=M φ. Proof of Lemma I.1 It is a corollary of the case for original BI [1], [2]. We prove it here by induction on the structure of the formulas.

– φ ≡ p ∈ AP. x |=M p implies dom(x) ⊇ free(p) and x ∈ V(p), so dom(y) ⊇ free(p) and y ∈ V(p) due to the monotonicity of domain and V, or equivalently, y |=M p. – φ ≡ >(⊥). Trivial. – φ ≡ φ1 ∧(∨) φ2. x |=M φ1 ∧(∨) φ2 implies dom(x) ⊇ free(φ1 ∧(∨) φ2) and x |=M φ1 and(or) x |=M φ2, by induction hypothesis and monotonicity of domain, dom(y) ⊇ free(φ1 ∧(∨) φ2) and y |=M φ1 and(or) y |=M φ2, so y |=M φ1 ∧(∨) φ2. 0 0 – φ ≡ φ1 → φ2. x |=M φ1 → φ2 implies that, dom(x) ⊇ free(φ1 → φ2) and for all x x , x |=M φ1 implies 0 0 0 0 x |=M φ2. By monotonicity of domain, dom(y) ⊇ free(φ1 → φ2). Moreover, for any y y , y must satisfy x y , 0 0 therefore, y |=M φ1 implies y |=M φ2, which concludes y |=M φ1 → φ2. 0 0 – φ ≡ φ1 ∗φ2. x |=M φ1 ∗φ2 implies that, dom(x) ⊇ free(φ1 ∗ φ2) and there exists x , x1, x2 such that x x ∈ x1 ◦x2, 0 x1 |=M φ1 and x2 |=M φ2. Note that dom(y) ⊇ dom(x) ⊇ free(φ1 ∗ φ2) and y x x , so y |=M φ1 ∗ φ2.

Theorem I.1 (Deduction Theorem for BID). For any BI formulas φ and ψ, φ ` ψ is provable iff φ → ψ is provable.

44 Proof of Theorem I.1 Indeed, with Hilbert rule 1, 2, 6, 9, 10 shown in Figure 5, the deduction theorem holds. For example, we may take the following proofs: (only if part): φ ` ψ, > ∧ φ ` ψ (6), > ` φ → ψ (10). (if part): > ` φ → ψ, φ ∧ > ` φ → ψ (6), φ ` > → (φ → ψ) (10), φ ` > (2), φ ` φ → ψ (9), φ ` φ (1), φ ` ψ (10).

Proof of Theorem F.2 Theorem I.2 (Soundness of BID, Theorem F.2). For any BI-formulas φ and ψ, if φ ` ψ is provable in the BID proof system, then φ |= ψ for BID models.

µ ` φ µ ` ψ φ ` ψ ∧ ψ 1. 2. 3. 4. 5. 1 2 φ ` φ φ ` > ⊥ ` φ µ ` φ ∧ ψ φ ` ψi φ ` ψ µ ` ψ φ ` ψ φ ` ψ µ ` φ → ψ µ ` φ µ ∧ φ ` ψ 6. 7. 8. i 9. 10. µ ∧ φ ` ψ µ ∨ φ ` ψ φ ` ψ1 ∨ ψ2 µ ` ψ µ ` φ → ψ ξ ` φ µ ` ψ free(φ) ⊆ free(ξ) free(ψ) ⊆ free(µ) µ ∗ φ ` ψ free(µ) ⊆ free(ψ)\free(φ) 110. 120. ξ ∗ µ ` φ ∗ ψ µ ` φ −∗ ψ ξ ` φ −∗ ψ µ ` φ free(ψ)\free(φ) ⊆ free(ξ) free(φ) ⊆ free(µ) 130. 14. ξ ∗ µ ` ψ φ ∗ ψ ` ψ ∗ φ free(µ) ⊆ free(φ) 15. 16. 17. (φ ∗ ψ) ∗ ξ ` φ ∗ (ψ ∗ ξ) φ ∗ > a` φ (φ ∗ ψ) ∧ µ ` (φ ∧ µ) ∗ ψ

Figure 12: Hilbert-style rules for BID. i = 1 or 2 for rules 5 and 8.

45 – rule 120: by assumption, 1. free(µ) ⊆ free(ψ)\free(φ) = free(φ −∗ ψ), and so 2. free(µ) ∪ free(φ) ∪ free(ψ) = free(φ) ∪ free(ψ), and 3. ∀x : dom(x) ⊇ free(φ) ∪ free(ψ), x |=M µ ∗ φ ⇒ x |=M ψ. For any x such that dom(x) ⊇ 0 free(µ) ∪ free(φ −∗ ψ) = free(φ −∗ ψ), if x |=M µ, then for any x x|free(φ−∗ψ), note that x|free(φ−∗ψ) x|free(µ) by Proposition I.1, so according to Proposition F.1, we have x |=M µ ⇔ x|free(µ) |=M µ ⇔ x|free(φ−∗ψ) |=M µ ⇔ 0 0 0 x |=M µ. For any y |=M φ and z ∈ x ◦ y, by deﬁnition, z |=M µ ∗ φ, and note that dom(z) = dom(x ) ∪ dom(y) ⊇ free(φ −∗ ψ) ∪ free(φ) = free(ψ) ∪ free(φ), so z |=M ψ. Thus, we have µ |=M φ −∗ ψ. 0 0 – rule 13 : for any x such that dom(x) ⊇ free(ξ ∗ µ) ∪ free(φ), suppose x |=M ξ ∗ µ, then there exist x , y, z such 0 that x x ∈ y ◦ z, y |=M ξ, z |=M µ. On the one hand, by assumptions µ |=M φ and free(φ) ⊆ free(µ), so dom(z) ⊇ free(µ) = free(µ) ∪ free(φ), and z |=M φ. On the other hand, by another two assumptions, we realize that dom(y) ⊇ free(ξ) = free(ξ) ∪ (free(ψ)\free(φ)) = free(ξ) ∪ free(φ −∗ ψ) and thus y |=M φ −∗ ψ. Recall that 0 0 y y|free(φ−∗ψ), so z |=M µ and x ∈ y ◦ z imply x |=M ψ. Finally by monotonicity, x |=M ψ. 0 – rule 14: for any x such that dom(x) ⊇ free(φ) ∪ free(ψ), if x |=M φ ∗ ψ, then there exists x , x1, x2 such that 0 0 x x ∈ x1 ◦ x2, x1 |=M φ and x2 |=M ψ. The commutativity of ◦ ensures that x ∈ x2 ◦ x1, therefore, x |=M ψ ∗ φ. 0 – rule 15: For any x such that dom(x) ⊇ free(φ) ∪ free(ψ) ∪ free(ξ), x |=M (φ ∗ ψ) ∗ ξ, then there exists x , y, z s.t. 0 0 0 x x ∈ y ◦ z, y |=M φ ∗ ψ, z |=M ξ, then there exists y , w, t s.t. y y ∈ w ◦ t, w |=M φ, t |=M ψ. Note that x0 ∈ y ◦ z and y y0 ∈ w ◦ t, by associativity, there exists s, s0, w0, such that s0 s ∈ t ◦ z and x0 w0 ∈ w ◦ s0. So, 0 0 s |=M ψ ∗ ξ and by monotonicity, s |=M ψ ∗ ξ, and thus, x |=M φ ∗ (ψ ∗ ξ), again by monotonicity, we conclude x |=M φ ∗ (ψ ∗ ξ) as desired. 0 0 – rule 16: (`) For any x such that dom(x) ⊇ free(φ), if x |=M φ∗>, so there exists x , x1, x2 such that x x ∈ x1 ◦x2, 0 x1 |=M φ and x2 |=M >. Coherence property of ◦ ensures that x x x1, and by Proposition F.1, x |=M φ. (a) For any x such that dom(x) ⊇ free(φ), if x |=M φ, the existence of unit of ◦ ensures that, x x ∈ x ◦ e, and note that e |=M >, so x |=M φ ∗ >. 0 0 – rule 17: For any x such that x |=M (φ ∗ ψ) ∧ µ, there exists x , x1, x2 such that x x ∈ x1 ◦ x2 such that x1 |=M φ 0 and x2 |=M ψ. Note that, dom(x1) ⊇ free(φ) ⊇ free(µ), and x x x1 by coherence of ◦, thus x1 |=M µ by Proposition F.1, so x1 |=M φ ∧ µ which leads to x |=M (φ ∧ µ) ∗ ψ.

Proof of Proposition F.2 Proposition I.3 (Proposition F.2). 1) If |= φ → ψ and |= ψ → µ, then |= φ → µ. 2) |= (φ ∧ ψ) ∗ µ → (φ ∗ µ) ∧ (ψ ∗ µ), |= (φ ∧ ψ) µ → (φ µ) ∧ (ψ µ); 3) |= φ ∗ ψ → φ, |= φ ψ → φ; 4) |= φ ∗ ψ → φ ψ, |= φ ψ → φ ∧ ψ; 5) If |= φ ↔ ψ and free(φ) = free(ψ), then for any µ, |= µ ↔ µ[φ/ψ] where µ[φ/ψ] is obtained by replacing all ψ in µ by φ. Proof. 1) Trivially using rules 6, 9 and 10. 2) By rule 110, |= (φ ∧ ψ) ∗ µ → φ ∗ µ and |= (φ ∧ ψ) ∗ µ → ψ ∗ µ, then by rule 4, |= (φ ∧ ψ) ∗ µ → (φ ∗ µ) ∧ (ψ ∗ µ). Same for . 3) By rule 110, φ ψ |= φ > and by rule 16, φ ψ |= φ. 4) |= φ ∗ ψ → φ ψ followed by rule Conjunction Weakening. By (3) and rule 4, it is straightforward that φ ψ |= φ ∧ ψ. 5) Since |= φ ↔ ψ and free(φ) = free(ψ), we can realize that φ = ψ , and thus |= µ ↔ µ[φ/ψ] is straightforward. Mathematically, it can be proved by induction on the structureJ ofK µ JandK we omit it here.

Since we ﬁxed the quantum interpretation of 2-BID, we have the following proposition which is convenient for uses. Proposition I.4 (Equivalent forms). We introduce the following proposition for some satisfaction relations based on the deﬁnitions of • and ◦ as they are more convenient in use. 1. (a) ρ |= φ ψ iff (b) dom(ρ) ⊇ free(φ) ∪ free(ψ) and exists disjoint S ,S ⊆ dom(ρ) such that ρ| |= φ and ρ| |= ψ iff 1 2 S1 S2 (c) dom(ρ) ⊇ free(φ) ∪ free(ψ) and free(φ) ∩ free(ψ) = ∅, ρ |= φ, ρ |= ψ. 2. (a) ρ |= φ ∗ ψ iff (b) dom(ρ) ⊇ free(φ) ∪ free(ψ) and free(φ) ∩ free(ψ) = ∅, ρ |= φ, ρ |= ψ, ρ ρ|free(φ) ⊗ ρ|free(ψ). 3. (a) ρ |= φ − ψ iff (b) ∀ρ1, ρ2 such that dom(ρ1) = free(φ) and ρ2 ∈ ρ|free(φ−ψ) • ρ1, ρ1 |= φ implies ρ2 |= ψ. 4. (a) ρ |= φ −∗ ψ iff (b) ∀ρ1 such that dom(ρ1) = free(φ), ρ1 |= φ implies ρ|free(φ−ψ) ⊗ ρ1 |= ψ. 5. (a) ρ |= φ → ψ iff (b) dom(ρ) ⊇ free(φ → ψ), and ρ |= φ implies ρ |= ψ. Remark I.1. One might question why we set as a primitive connective in assertion logic since by 1. (c), the domain conditions free(φ) ∩ free(ψ) = ∅ can be checked syntactically and the rest conditions ρ |= φ, ρ |= ψ can be explained by

46 ρ |= φ ∧ ψ. An important consideration for is the possible extension of our logic when subscripting/aliasing is allowed in quantum programming languages, since subscripts and aliases are widely used for large quantum programs in most of the current quantum programming platforms. Similar to the motivation of pointer separation logic, the domain side condition free(φ) ∩ free(ψ) = ∅ can no longer be syntactically checked when subscripting/aliasing is allowed and then the separation conjunction is helpful and necessary: spatial separation can be encoded in and thus some involving domain checking may be handled easier elsewhere. 0 0 Proof. 1. If (a), then dom(ρ) ⊇ free(φ) ∪ free(ψ) and exists ρ , ρ1, ρ2 s.t. ρ ρ ∈ ρ1 • ρ2, ρ1 |= φ1 and ρ2 |= φ2. Set S = dom(ρ ) and S = dom(ρ ), so S ,S ⊆ dom(ρ), S ∩ S = ∅, ρ| = ρ , ρ| = ρ , ρ| |= φ and ρ| |= ψ, 1 1 2 2 1 2 1 2 S1 1 S2 1 S1 S2 which implies (b). If (b), then dom(ρ) ⊇ free(φ)∪free(ψ), S1 ⊇ free(φ), S2 ⊇ free(ψ), free(φ)∩free(ψ) = ∅, and by Kripke monotonicity, ρ |= φ, ρ |= ψ, which is just (c). 0 If (c), then set ρ1 = ρ|free(φ) and ρ2 = ρ|free(ψ), as their domain are disjoint, so ρ , ρ|free(φ)∪free(ψ) ∈ ρ1 • ρ2 and 0 ρ ρ , by Proposition F.1, ρ1 |= φ, ρ2 |= ψ, which is (a). Therefore, (a) iff (b) iff (c). 0 0 2. If (a), by deﬁnition, there exists ρ , ρ1, ρ2 such that ρ ρ ∈ ρ1 ◦ ρ2 and ρ1 |= φ, ρ1 |= ψ. Note that if ρ1 ◦ ρ2 is 0 not empty, then ρ = ρ1 ⊗ ρ2 is the only element. By monotonicity, ρ |= φ, ρ |= ψ, and downwards closed property, 0 ρ ρ = ρ1 ⊗ ρ2 ρ|free(φ) ⊗ ρ|free(ψ) if we realize that ρ ρ1 ρ|free(φ) and ρ ρ2 ρ|free(ψ). If (b), by Proposition F.1, ρ|free(φ) |= φ and ρ|free(ψ) |= ψ, and ρ ρ|free(φ) ⊗ ρ|free(ψ) ∈ ρ|free(φ) ◦ ρ|free(ψ). These lead to (a). Thus, (a) iff (b). 3. If (a), then by deﬁnition, (b) trivially holds. 0 0 0 0 0 0 0 0 0 If (b), for all ρ , ρ1, ρ2 such that ρ ρ|free(φ−ψ) and ρ2 ∈ ρ • ρ1, and suppose ρ1 |= φ. Set ρ1 = ρ1|free(φ), and 0 0 0 as ρ1 |= φ, so dom(ρ1) ⊇ free(φ) and ρ1 = free(φ), and ρ1 ρ1, dom(ρ1) |= φ by Proposition F.1. Moreover, by 0 downwards closed property, we know that there exists ρ2 such that ρ2 ∈ ρ|free(φ−ψ) • ρ1 and ρ2 ρ2. By (b), we 0 know that ρ2 |= ψ, which leads to ρ2 |= ψ. Therefore, ρ |= φ − ψ. In summary, (a) iff (b). 4. Similar to arguments of 2, and realize the set of σ1 ◦ σ2 is a empty set or singleton (only element σ1 ⊗ σ2). 5. Trivial by Proposition F.1. In fact, once monotonicity and restriction are assumed, the interpretation of → in intuitionistic logic are equivalent to its in classical logic.

Remarks for Definition G.3 Remark I.2. Indeed, we can use the conventional modification (3) for also − and −∗ when C ≡ q := U[q]. However, (5) is strictly more powerful in the sense that, 1) when φ1[C] is not defined but φ2[C] ↓, (5) gives a valid modification but (3) gives an undefined one and 2) when both φ1[C] ↓ and φ2[C] ↓, (3) is derivable from (5) by using Proposition I.6. Remark I.3. As implication is considered, to make the proof rule (Init) sound, it is necessary to find the weakest precondition of φ. That is why the modification for ∗ is somewhat different: if q := |0i (ρ)|free(φ )∪free(φ ) is a tensor product state J K 1 2 between free (φ1) and free (φ2) and if q ∈ free (φ1), then the input state ρ only need to be a tensor product state between free (φ1)\q and free (φ2). In fact, the initialization of q makes q separable from all other variables, so the input ρ is not necessary to be a tensor product state between free (φ1) and free (φ2).

Proof of Proposition G.3 Proposition I.5. Let C be unitary transformation q := U[q] or initialisation q := |0i, and φ be any 2-BID formula. If its modification φ[C] is defined according to Definition G.2 and G.3, then: 1) φ and φ[C] have the same domain: free (φ) = free (φ[C]); 2) for all ρ ∈ D(free (φ) ∪ var(C)), ρ |= φ[C] if and only if C (ρ) |= φ. J K Proof. (1). Induction on the structure of φ. (2). We will introduce following lemmas which can be realized easily, and set variable set V = D(free (φ) ∪ var(C)). Now we start to prove (2) by following two statements: Statement 1: For any ρ ∈ D(V), ρ |= φ[q := |0i] if and only if q := |0i (ρ) |= φ. 1) φ ∈ AP. By Definition G.2. J K 2) φ ≡ > or ⊥. Trivial.

47 3) φ ≡ φ1 ∧(∨) φ2. For any ρ ∈ D(V), ﬁrst by induction hypothesis, ρ |= φi[q := |0i] ⇔ q := |0i (ρ) |= φi for i = 1, 2. Thus, J K

ρ |= φ[q := |0i] ≡ φ1[q := |0i] ∧(∨) φ2[q := |0i]

⇐⇒ ρ |= φ1[q := |0i] and(or) ρ |= φ2[q := |0i]

⇐⇒ q := |0i (ρ) |= φ1 and(or) q := |0i (ρ) |= φ2 J K J K ⇐⇒ q := |0i (ρ) |= φ1 ∧(∨) φ2. J K 4) φ ≡ φ1 → φ2. For any ρ ∈ D(V), ﬁrst by induction hypothesis, ρ |= φi[q := |0i] ⇔ q := |0i (ρ) |= φi for i = 1, 2. Thus, J K

ρ |= φ[q := |0i] ≡ φ1[q := |0i] → φ2[q := |0i]

⇐⇒ ρ |= φ1[q := |0i] implies ρ |= φ2[q := |0i]

⇐⇒ q := |0i (ρ) |= φ1 implies q := |0i (ρ) |= φ2 J K J K ⇐⇒ q := |0i (ρ) |= φ1 → φ2. J K 5) φ ≡ φ1 φ2. For any ρ ∈ D(V), ﬁrst by induction hypothesis, ρ |= φi[q := |0i] ⇔ q := |0i (ρ) |= φi for i = 1, 2. Thus, by Proposition I.4, J K

ρ |= φ[q := |0i] ≡ φ1[q := |0i] φ2[q := |0i]

⇐⇒ free (φ1[q := |0i]) ∩ free (φ2[q := |0i]) = ∅, ρ |= φ1[q := |0i] and ρ |= φ2[q := |0i]

⇐⇒ free (φ1) ∩ free (φ2) = ∅, q := |0i (ρ) |= φ1 and q := |0i (ρ) |= φ2 J K J K ⇐⇒ q := |0i (ρ) |= φ1 φ2. J K 6) φ ≡ φ1 ∗ φ2. For any ρ ∈ D(V), ﬁrst by induction hypothesis, ρ |= φi[q := |0i] ⇔ q := |0i (ρ) |= φi for i = 1, 2. J K · Case 1: q ∈ free (φ1) ∪ free (φ2) and φ[q := |0i] ≡ (φ1[q := |0i] φ2[q := |0i]) ∧ (Ifree(φ1)\q ∗ Ifree(φ2)\q). Following by Proposition I.4 and Lemma B.3, we have :

ρ |= (φ1[q := |0i] φ2[q := |0i]) ∧ (Ifree(φ1)\q ∗ Ifree(φ2)\q) ⇐⇒ free (φ1[q := |0i]) ∩ free (φ2[q := |0i]) = ∅, ρ |= φ1[q := |0i], ρ |= φ2[q := |0i] and ρ ρ| ⊗ ρ| free(φ1)\q free(φ2)\q ⇐⇒ free (φ1) ∩ free (φ2) = ∅, q := |0i (ρ) |= φ1, q := |0i (ρ) |= φ2 and J K J K q := |0i (ρ) q := |0i (ρ)|free(φ ) ⊗ q := |0i (ρ)|free(φ ) J K J K 1 J K 2 ⇐⇒ q := |0i (ρ) |= φ1 ∗ φ2. J K · Case 2: q∈ / free (φ ) ∪ free (φ ), and φ[q := |0i] ≡ φ [q := |0i] ∗ φ [q := |0i]. So, ρ| = 1 2 1 2 free(φ1)∪free(φ2) q := |0i (ρ)|free(φ )∪free(φ ), then using induction hypothesis we have: J K 1 2 ρ |= φ1[q := |0i] ∗ φ2[q := |0i]

⇐⇒ free (φ1[q := |0i]) ∩ free (φ2[q := |0i]) = ∅, ρ |= φ1[q := |0i], ρ |= φ2[q := |0i] and ρ ρ| ⊗ ρ| free(φ1) free(φ2) ⇐⇒ free (φ1) ∩ free (φ2) = ∅, q := |0i (ρ) |= φ1, q := |0i (ρ) |= φ2 and J K J K q := |0i (ρ) q := |0i (ρ)|free(φ ) ⊗ q := |0i (ρ)|free(φ ) J K J K 1 J K 2 ⇐⇒ q := |0i (ρ) |= φ1 ∗ φ2. J K 7) φ ≡ φ1 − φ2. For any ρ ∈ D(V), we consider following two cases: · Case 1: q∈ / free (φ2)\free (φ1), φ[q := |0i] ≡ φ. Note that free (φ) = free (φ2)\free (φ1), so by Lemma B.1, ρ|free(φ) = q := |0i (ρ)|free(φ), and then ρ |= φ[q := |0i] ⇔ ρ|free(φ) |= φ ⇔ q := |0i (ρ)|free(φ) |= φ ⇔ q := |0i (ρ)J|= φ. K J K · JCase 2: Kq ∈ free (φ2)\free (φ1), φ[q := |0i] ≡ φ1 − φ2[q := |0i]. We proof the following two directions by Proposition I.4. - If ρ |= φ[q := |0i], then q := |0i (ρ) |= φ. J K First we have ∀ρ1 s.t. dom(ρ1) = free (φ1), ∀ρ2 ∈ ρ|free(φ) • ρ1, ρ1 |= φ1 ⇒ ρ2 |= φ2[q := |0i]. Then, ∀ρ1 s.t. dom(ρ1) = free (φ1), ∀ρ3 ∈ q := |0i (ρ)|free(φ) • ρ1, note that q := |0i (ρ)|free(φ) = J K J K q := |0i (ρ|free(φ)), by Lemma B.2, ∃ρ2 ∈ ρ|free(φ) • ρ1 s.t. q := |0i (ρ2) = ρ3. If ρ1 |= φ1, then J K J K

48 ρ2 |= φ2[q := |0i], by induction hypothesis, q := |0i (ρ2) |= φ2, or equivalently, ρ3 |= φ2. So, q := |0i (ρ) |= φ1 − φ2 ≡ φ. J K J K - If q := |0i (ρ) |= φ, then ρ |= φ[q := |0i]. J K First we have ∀ρ1 s.t. dom(ρ1) = free (φ1), ∀ρ3 ∈ q := |0i (ρ)|free(φ) • ρ1, ρ1 |= φ1 ⇒ ρ3 |= φ2. J K Then, ∀ρ1 s.t. dom(ρ1) = free (φ1), ∀ρ2 ∈ ρ|free(φ) • ρ1, by Lemma B.2, ∃ρ3 ∈ q := |0i (ρ|free(φ)) • ρ1 s.t. J K q := |0i (ρ2) = ρ3. Note that q := |0i (ρ)|free(φ) = q := |0i (ρ|free(φ)), so ρ3 ∈ q := |0i (ρ)|free(φ) • ρ1. J K J K J K J K If ρ1 |= φ1, then ρ3 |= φ2, q := |0i (ρ2) |= φ2, by induction hypothesis, ρ2 |= φ2[q := |0i]. So, ρ |= φ1 − φ2[q := |0i] ≡ φ[q := |0i]. J K 8) φ ≡ φ1 −∗ φ2. For any ρ ∈ D(V), we consider following two cases: · Case 1: q∈ / free (φ2)\free (φ1), φ[q := |0i] ≡ φ. Note that free (φ) = free (φ2)\free (φ1), so by Lemma B.1, ρ|free(φ) = q := |0i (ρ)|free(φ), and then ρ |= φ[q := |0i] ⇔ ρ|free(φ) |= φ ⇔ q := |0i (ρ)|free(φ) |= φ ⇔ q := |0i (ρ)J|= φ. K J K · JCase 2: qK ∈ free (φ2)\free (φ1), φ[q := |0i] ≡ φ1 −∗ φ2[q := |0i]. By Proposition I.4 and Lemma B.1, B.2, we observe:

ρ |= φ[q := |0i] ≡ φ1 −∗ φ2[q := |0i]

⇐⇒ ∀ρ1 s.t. dom(ρ1) = free (φ1), ρ1 |= φ1 ⇒ ρ|free(φ) ⊗ ρ1 |= φ2[q := |0i]

⇐⇒ ∀ρ1 s.t. dom(ρ1) = free (φ1), ρ1 |= φ1 ⇒ q := |0i (ρ|free(φ) ⊗ ρ1) |= φ2 J K ⇐⇒ ∀ρ1 s.t. dom(ρ1) = free (φ1), ρ1 |= φ1 ⇒ q := |0i (ρ)|free(φ) ⊗ ρ1 |= φ2 J K ⇐⇒ q := |0i (ρ) |= φ1 −∗ φ2 ≡ φ J K Statement 2: For any ρ ∈ D(V), ρ |= φ[q := U[q]] if and only if q := U[q] (ρ) |= φ. 1) φ ∈ AP. By Deﬁnition G.2. J K 2) φ ≡ > or ⊥. Trivial. 3) φ ≡ φ1 ∧(∨) φ2. Similar to Statement 1 (3). 4) φ ≡ φ1 → φ2. Similar to Statement 1 (4). 5) φ ≡ φ1 φ2. Similar to Statement 1 (5). 6) φ ≡ φ1 ∗ φ2. By assumption q ∈ Pv(φ), either q ⊆ free (φ1) or q ⊆ free (φ2) or q ∩ (free (φ1) ∪ free (φ2)) = ∅. So according to Lemma B.4 and induction hypothesis we have:

ρ |= φ1[q := U[q]] ∗ φ2[q := U[q]]

Proof of Proposition I.6

Proposition I.6. For any φ1, φ2 and any command C ≡ q := U[q] and φ1[C]↓ and φ2[C]↓, then: 1) If q ∩ free (φ2) = ∅, |= (φ1 −? φ2) ↔ (φ1[C] −? φ2); 2) If q ∩ free (φ2)\free (φ1) = ∅, |= (φ1 −? φ2) ↔ (φ1[C] −? φ2[C]); where −? stands for − or −∗.

Proof. According to Proposition G.3, we have the following statement: if φ[q := U[q]] ↓, then Statement: For any ρ ∈ D(V), ρ |= φ[q := U[q]] if and only if q := U[q] (ρ) |= φ. J K By restriction lemma and the existence of domain extension, we directly have: q q† – if q ⊆ free (φ), then ∀ρ s.t. dom(ρ) = free (φ), ρ |= φ[q := U[q]] ⇔ (U ⊗ Ifree(φ)\q)ρ(U ⊗ Ifree(φ)\q) |= φ. – if q ∩ free (φ) = ∅, then ∀ρ s.t. dom(ρ) = free (φ), ρ |= φ[q := U[q]] ⇔ ρ |= φ.

49 Now let us start to prove two statements for −, and it is similar for −∗. For statements 1 , using Proposition I.4 we observe:

ρ |= φ1 − φ2 ⇐⇒ ∀ρ s.t. dom(ρ ) = free (φ ), ∀ρ ∈ ρ| • ρ , ρ |= φ ⇒ ρ |= φ 1 1 1 2 free(φ2)\free(φ1) 1 1 1 2 2 ⇐⇒ ∀ρ s.t. dom(ρ ) = free (φ ), ∀ρ ∈ ρ| • ρ , ρ |= φ [q := U[q]] ⇒ ρ |= φ 1 1 1 2 free(φ2)\free(φ1) 1 1 1 2 2 ⇐⇒ ρ |= φ1[q := U[q]] − φ2. For statement 2 , there are two cases:

· Case 1: q ⊆ free (φ1). We have:

ρ |= φ1[q := U[q]] − φ2[q := U[q]] ⇐⇒ ∀ρ s.t. dom(ρ ) = free (φ ), ∀ρ ∈ ρ| • ρ , ρ |= φ [q := U[q]] ⇒ ρ |= φ [q := U[q]] 1 1 1 2 free(φ2)\free(φ1) 1 1 1 2 2 ⇐⇒ ∀ρ0 s.t. dom(ρ ) = free (φ ), ∀ρ0 ∈ ρ| • ρ0 , ρ0 |= φ ⇒ ρ0 |= φ 1 1 1 2 free(φ2)\free(φ1) 1 1 1 2 2 ⇐⇒ ρ |= φ1 − φ2.

0 q q† by realizing that there is one-to-one correspondence between ρ1 and ρ1 , (U ⊗ Idom(ρ1)\q)ρ(U ⊗ Idom(ρ1)\q), and between ρ and ρ0 (U q ⊗ I )ρ(U q† ⊗ I ); moreover, ρ ∈ ρ| • ρ if and only if 2 2 , dom(ρ2)\q dom(ρ2)\q 2 free(φ2)\free(φ1) 1 ρ0 ∈ ρ| • ρ0 . These facts come from the reversibility of unitary transformations. 2 free(φ2)\free(φ1) 1 · Case 2: q ∩ free (φ1) = ∅. So q ∩ (free (φ1) ∪ free (φ2)) = ∅. Then obviously,

ρ |= φ1 − φ2 ⇐⇒ ∀ρ s.t. dom(ρ ) = free (φ ), ∀ρ ∈ ρ| • ρ , ρ |= φ ⇒ ρ |= φ 1 1 1 2 free(φ2)\free(φ1) 1 1 1 2 2 ⇐⇒ ∀ρ s.t. dom(ρ ) = free (φ ), ∀ρ ∈ ρ| • ρ , ρ |= φ [q := U[q]] ⇒ ρ |= φ [q := U[q]] 1 1 1 2 free(φ2)\free(φ1) 1 1 1 2 2 ⇐⇒ ρ |= φ1[q := U[q]] − φ2[q := U[q]].

Proof of Theorem H.1 Theorem I.3 (Theorem H.1). For any two sets V and V0 of variables, V |= {φ}C{ψ} if and only if V0 |= {φ}C{ψ}. Proof. Similar to the proof of Theorem 4.1 by employing Proposition F.1.

Proof of Proposition H.1 Proposition I.7 (Proposition H.1, Extended Version). The formulas generated by following grammar are CM.

0 and thus, λρ + (1 − λ)ρ |= µ1 ∗ φ.

Proof of Proposition H.2 Proposition I.8. The formulas generated by following grammar are SP:

φ, ψ ::= U[S] | p ∈ P of rank 1 | > | ⊥ | φ ∗ ψ | µ1 −∗ φ | µ1 − φ where Pof rank 1 consists all rank 1 projections, and µ1 is formula with non-empty interpretation.

IS Proof. 1) U[S]. Trivially, dim(S) is the least element of U[S] . 2) P ∈ Pof rank 1. Trivially, P itself (interpreted as a pureJ quantumK state) is the least element of P . 3) >. Scalar number 1 is the least element of > . J K 4) ⊥. Trivial. J K 5) φ∗ψ. Suppose σφ and σψ are the least elements of φ and ψ respectively, then it is straightforward to show σφ ⊗σψ is the least element of φ ∗ ψ. J K J K 6) µ1 −∗ φ. If µ1 −∗ φ is nonempty, and since µ1 is also nonempty, φ must be nonempty, and suppose σ is the least element of Jφ , thenK it is not difﬁcult to realizeJ thatK σ| JisK the least element of µ −∗ φ . free(φ)\free(µ1) 1 7) µ1 − φ. SimilarJ K to (6). J K

Proof of Proposition I.9 Proposition I.9. 1) If φ[E[q]]↓, free (φ[E[q]]) = free (φ); 2) If φ[E[q]]↓, then for any state ρ ∈ D(free (φ) ⊇ q), E(ρ) |= φ if and only if ρ |= φ[E[q]]. Proof. (1). Induction on the structure of φ. (2). We prove it by induction on the structure of φ. (a) φ ≡ > or ⊥. Trivial. (b) φ ≡ p ∈ AP, trivial by the Deﬁnition G.4 Clause 1. (c) φ ∧ ψ. By induction hypothesis, for any state ρ ∈ D(free (φ ∧ ψ) ∪ q), E(ρ) |= φ ∧ ψ iff E(ρ) |= φ and E(ρ) |= ψ iff ρ |= φ[E[q]] and ρ |= ψ[E[q]] iff ρ |= φ[E[q]] ∧ ψ[E[q]] iff ρ |= (φ ∧ ψ)[E[q]]. (d) φ ∨ ψ. Similar to (c). (e) φ → ψ. By Proposition I.4 (5) and induction hypothesis, for any state ρ ∈ D(free (φ ∧ ψ) ∪ q), E(ρ) |= φ → ψ iff E(ρ) |= φ implies E(ρ) |= ψ iff ρ |= φ[E[q]] implies ρ |= ψ[E[q]] iff ρ |= φ[E[q]] → ψ[E[q]] iff ρ |= (φ → ψ)[E[q]]. (f) φ ψ. Similar to (c) by using Proposition I.4 (1) and statement (1).

Proof of Theorem H.2 The global variable set is denoted by V, which contains all variables of programs and formulas.

51 It is sufﬁcient to show that each of the rules shown in Figure 11 is sound, the proof of other rules are the same as in Proof of Theorem 4.2. –PERM. Also proved in Proof of Theorem 4.2.

–RLOOP0. We here use the notations similar to [29], Section 3.3. Set quantum operation (and its cylinder extension) † Ei(·) = Mi(·)Mi for i = 0, 1. We ﬁrst claim:

Statement:ρ |= φ ∗ Iq implies E0(ρ) |= φ ∗ M0, E1(ρ) |= φ ∗ M1, C ◦c E1(ρ) |= φ ∗ Iq J K by the premises and ◦c denote the composition of quantum operations, i.e., (E ◦c F)(ρ) = E(F(ρ)). Next, by induction and the statement, we have: for all i ≥ 0: i ρ |= φ ∗ Iq implies E0 ◦c ( C ◦c E1) (ρ) |= φ ∗ M0. J K Finally, it has been proved that (see [16]) ∞ X i while (ρ) = E0 ◦c ( C ◦c E1) (ρ) J K i=0 J K and thus if ρ |= φ∗Iq, then while (ρ) |= φ and while (ρ) |= M0 since φ, M0 ∈ CM. And note that free (φ)∩free (M0) = ∅, so while (ρ) |= φ M0J. K J K J K –WEAK. By premise |= (φ → φ0) ∧ (ψ0 → ψ), we know that for any input ρ ∈ D(V) that satisﬁes φ, it must also satisfy φ0. By another premise {φ0}C{ψ0}, then C (ρ) |= ψ0, and thus C (ρ) |= ψ. J K J K –FRAMEE. For any input ρ ∈ D(V) such that ρ |= φ µ, we must have ρ |= φ ∧ µ and free (φ) ∩ free (µ) = ∅. Similar to CONST, we have C (ρ) |= ψ ∧ µ by ﬁrst two premises. Moreover, notice that free (ψ) ∩ free (µ) ⊆ (free (φ) ∪ var(C)) ∩ free (µ) = ∅, thusJ byK Proposition I.4, C (ρ) |= ψ µ. J K