Simple Tests of Quantumness Also Certify Qubits

Abstract

A test of quantumness is a protocol that allows a classical verifier to certify (only) that a prover is not classical. We show that tests of quantumness that follow a certain template, which captures recent proposals such as [KCVY21, KLVY22], can in fact do much more. Namely, the same protocols can be used for certifying a qubit, a building-block that stands at the heart of applications such as certifiable randomness and classical delegation of quantum computation.

Certifying qubits was previously only known to be possible based on families of post-quantum trapdoor claw-free functions (TCF) with an advanced “adaptive hardcore bit” property, which have only been constructed based on the hardness of the Learning with Errors problem [BCM+21] and recently isogeny-based group actions [AMR23]. Our framework allows certification of qubits based only on the existence of post-quantum TCF, without the adaptive hardcore bit property, or on quantum fully homomorphic encryption. These can be instantiated, for example, from Ring Learning with Errors. This has the potential to improve the efficiency of qubit certification and derived functionalities.

On the technical side, we show that the quantum soundness of any such protocol can be reduced to proving a bound on a simple algorithmic task: informally, answering “two challenges simultaneously” in the protocol. Our reduction formalizes the intuition that these protocols demonstrate quantumness by leveraging the impossibility of rewinding a general quantum prover. This allows us to prove tight bounds on the quantum soundness of [KCVY21] and [KLVY22], showing that no quantum polynomial-time prover can succeed with probability larger than \(\cos ^2 \frac{\pi }{8}\approx 0.853\). Previously, only an upper bound on the success probability of classical provers, and a lower bound on the success probability of quantum provers, were known. We then extend this proof of quantum soundness to show that provers that approach the quantum soundness bound must perform almost anti-commuting measurements. This certifies that the prover holds a qubit.

The full version of this paper can be found at https://arxiv.org/abs/2303.01293.

A A Trigonometric Identity

Lemma A.1

The following inequality holds for all \(\alpha , \beta \in [0, 2\pi ]\):

$$\begin{aligned} \cos ^2(\alpha ) + \cos ^2(\beta ) \le \left| 2\cos ^2(\alpha - \beta ) - 1 \right| + 2 \cos ^2(\pi /8) \end{aligned}$$

Proof

Using \(\cos ^2(\phi ) = \frac{1}{2}(1 + \cos (2 \phi ))\) and that \(\cos ^2(\pi /8) = \frac{1}{2}\left( 1 + \frac{1}{\sqrt{2}} \right) \), we can rewrite the inequality as

$$\begin{aligned} \frac{1}{2}(2 + \cos (2\alpha ) + \cos (2\beta )) \le \left| 2\cos ^2(\alpha - \beta ) - 1 \right| + 1 + \frac{1}{\sqrt{2}}\;, \end{aligned}$$

which after simplification and using the cosine sum rule becomes

$$\begin{aligned} \cos (\alpha + \beta ) \cos (\alpha - \beta ) \le \left| 2\cos ^2(\alpha - \beta ) - 1 \right| + \frac{1}{\sqrt{2}}\;. \end{aligned}$$

Let \(x = \alpha + \beta , y = \alpha - \beta \), so that it will suffice to show

$$\begin{aligned} \cos (x)\cos (y) \le \left| 2\cos ^2(y) - 1 \right| + \frac{1}{\sqrt{2}}\;. \end{aligned}$$

Note that if \(\cos (x)\) and \(\cos (y)\) have opposite signs, the inequality is trivially satisfied, as the left-hand side will be non-positive while the right-hand side is always positive. Without loss of generality we restrict to the case where \(\cos (x) \ge 0\) and \(\cos (y) \ge 0\) (the case where they’re both negative is analogous). As \(\cos (x) \le 1\), it’s sufficient to show that

$$\begin{aligned} \cos (y) \le \left| 2\cos ^2(y) - 1 \right| + \frac{1}{\sqrt{2}}\;. \end{aligned}$$

Taking \(t = \cos (y)\), with \(0 \le t \le 1\), it suffices to show

$$\begin{aligned} t \le \left| 2t^2 - 1 \right| + \frac{1}{\sqrt{2}}\;. \end{aligned}$$

Suppose first that \(2t^2 - 1 \ge 0\) which means (since \(t \ge 0\)) that \(t \ge \frac{1}{\sqrt{2}}\). In this case, we have to show that

$$\begin{aligned} 0 \le 2t^2 - t - 1 + \frac{1}{\sqrt{2}}\;. \end{aligned}$$

This follows from noting that \(2t^2 - t - 1 + \frac{1}{\sqrt{2}}\) has roots \(t_1 = \frac{1}{2} - \frac{1}{\sqrt{2}}\) and \(t_2 = \frac{1}{\sqrt{2}}\) and is positive for all \(t \le t_1\) and \(t \ge t_2\). Since we assumed \(t \ge \frac{1}{\sqrt{2}}\) the result follows.

Now suppose that \(2t^2 - 1 \le 0\) which means (since \(t \ge 0\)) that \(0 \le t \le \frac{1}{\sqrt{2}}\). In this case, we have to show that

$$\begin{aligned} 0 \le -2t^2 - t + 1 + \frac{1}{\sqrt{2}}\;. \end{aligned}$$

Here, the roots are \(t_1 = -\frac{1}{2} - \frac{1}{\sqrt{2}}\) and \(t_2 = \frac{1}{\sqrt{2}}\) and the expression is positive for all \(t_1 \le t \le t_2\). Since \(0 \le t \le \frac{1}{\sqrt{2}}\), the inequality is satisfied, concluding the proof.