Chapter 5 Classically-verifiable quantum advantage from a computational Bell test

The goal of the first round is to generate a superposition over two colliding inputs to the trapdoor claw-free function (TCF). It begins with the verifier choosing an instance $f_i$ of the TCF along with the associated trapdoor data $t$; $f_i$ is sent to the prover. As an example, in the case of $x^2\mathrm{mod}N$, the “index” $i$ is the modulus $N$, and the trapdoor data is its factorization, $p,q$. The prover now initializes two registers of qubits, which we denote as the $x$ and $y$ registers. On these registers, they compute the entangled superposition $|\psi ⟩={\sum }_x|x{⟩}_x|f_i\left(x\right){⟩}_y$, over all $x$ in the domain of $f_i$. The prover then measures the $y$ register in the standard basis, collapsing the state to ${(|x_0⟩+|x_1⟩)}_x|y{⟩}_y$, with $y=f\left(x_0\right)=f\left(x_1\right)$. The measured bitstring $y$ is then sent to the verifier, who uses the secret trapdoor to compute $x_0$ and $x_1$ in full.

At this point, the verifier randomly chooses to either request a projective measurement of the $x$ register, ending the protocol, or to continue with the second and third rounds. In the former case, the prover communicates the result of that measurement, yielding either $x_0$ or $x_1$, and the verifier checks that indeed $f\left(x\right)=y$. In the latter case, the protocol proceeds with the final two rounds.

The second round of interaction converts the many-qubit superposition $|\psi ⟩=|x_0{⟩}_x+|x_1{⟩}_x$ into a single-qubit state $\{|0{⟩}_b,|1{⟩}_b,|+{⟩}_b,|-{⟩}_b\}$ on an ancilla qubit $b$. The final state of $b$ depends on the values of both $x_0$ and $x_1$. The round begins with the verifier choosing a random bitstring $r$ of the same length as $x_0$ and $x_1$, and sending it to the prover. Using a series of CNOT gates from the $x$ register to $b$, the prover computes the state $|r\cdot x_0{⟩}_b|x_0{⟩}_x+|r\cdot x_1{⟩}_b|x_1{⟩}_x$, where $r\cdot x$ denotes the binary inner product. Finally, the prover measures the $x$ register in the Hadamard basis, storing the result as a bitstring $d$ which is sent to the verifier. This measurement disentangles $x$ from $b$ without collapsing $b$’s superposition. At the end of the second round, the prover’s state is $(-1{)}^{d\cdot x_0}|r\cdot x_0{⟩}_b+(-1{)}^{d\cdot x_1}|r\cdot x_1{⟩}_b$, which is one of $\{|0⟩,|1⟩,|+⟩,|-⟩\}$. Crucially, it is cryptographically hard to predict whether this state is one of $\{|0⟩,|1⟩\}$ or $\{|+⟩,|-⟩\}$.

The final round of our protocol can be understood in analogy to the CHSH game [CHS+69]. While the prover cannot extract the polarization axis from their single qubit (echoing the no-signaling property of CHSH), they can make a measurement that is correlated with it. This measurement outcome ultimately constitutes the proof of quantumness. In particular, the verifier requests a measurement in an intermediate basis, rotated from the $Z$ axis around $Y$, by either $\theta =\pi /4$ or $-\pi /4$. Because the measurement basis is never perpendicular to the state, there will always be one outcome that is more likely than the other (specifically, with probability ${\cos }^2\left(\pi /8\right)\approx 0.85$). The verifier returns $Accept$ if this “more likely” outcome is the one received.

In the next section, we prove that a quantum device can cause the verifier to $Accept$ with substantially higher probability than any classical prover. A full test of quantum advantage would consist of running the protocol many times, until it can be established with high statistical confidence that the device has exceeded the classical probability bound.

We now prove completeness (the noise-free quantum success probability) and soundness (an upper bound on the classical success probability). Recall that after the first round of the protocol, the verifier chooses to either request a standard basis measurement of the first register, or to continue with the second and third rounds. In the proofs below, we analyze the prover’s success probability across these two cases separately. We denote the probability that the verifier will accept the prover’s string $x$ in the first case as $p_x$, and the probability that the verifier will accept the single-qubit measurement result in the second case as $p_{CHSH}$.

In this section we describe two variations on the protocol, the goal of both of which is to remove the need for the “preimage” test (Step 6a of Fig. 5.1). The main benefit of doing so is that it simplifies and improves the classical bound, to simply $p\le 3/4+ϵ\left(n\right)$, where $p$ now is the overall probability that the prover succeeds (equivalent to $p_{CHSH}$ in the normal protocol, because $p_x$ no longer exists). A secondary benefit is that it slightly simplifies the experimental implementation by making the protocol less complicated.

The idea is simple: in Step 6b of Fig. 5.1, instead of choosing a single random bitstring $r$, the verifier chooses two, $r_0$ and $r_1$. Then, in Step 7b, instead of using the single $r$ for both $x_0$ and $x_1$, the prover instead computes $|r_0\cdot x_0{⟩}_b|x_0{⟩}_x+|r_1\cdot x_1{⟩}_b|x_1{⟩}_x$—a different inner product for each of the preimages. Applying the proof of Theorem 3 to this scheme, the responses of the classical machine $A$ can be used to reconstruct whether $r_0\cdot x_0=r_1\cdot x_1$ (where originally we reconstructed simply whether $r\cdot x_0=r\cdot x_1$). The key insight is that the truth value of this new equality is equal to $\left(r_0||r_1\right)\cdot \left(x_0||x_1\right)$, where $||$ denote concatenation. This fact can be used to construct a noisy oracle for the inner product of $x_0||x_1$ with arbitrary strings, to which the Goldreich-Levin theorem can be applied to find $x_0||x_1$, fully revealing both $x_0$ and $x_1$. (This should be compared to the original proof, which could only decode $x_0\oplus x_1$ via the Goldreich-Levin theorem, and thus required the preimage test to supply $x_0$ or $x_1$ and thus reveal the claw). Since $x_0$ and $x_1$ can both be reconstructed from only the CHSH portion of the protocol, the “preimage” test is not necessary for classical hardness and can be removed.⁶⁶ 6 This variant of the protocol was published in [BGK+23].

The downside of this variation of the protocol is that the prover needs to somehow be able to distinguish $x_0$ from $x_1$, so that the appropriate inner product can be taken with each. For many TCFs, such as the one based on LWE [BCM+21] and the DDH-based TCF we present in this chapter, this is not a problem—there is an extra qubit in the preimages which is in the state $|0⟩$ for $x_0$ and $|1⟩$ for $x_1$. However for $x^{2}modN$, it is not so straightforward. Via the Jacobi symbol it is technically possible to distinguish the two preimages, because it is a fact of $x^{2}modN$ that one preimage will have Jacobi symbol $+1$ and the other $-1$. However actually computing the Jacobi symbol is very expensive, much moreso than computing $x^{2}modN$ itself, defeating our goal of having an efficient implementation! Another somewhat less expensive strategy is to switch to the pair of functions $f_0\left(x\right)=x^{2}modN$ and $f_1\left(x\right)=4x^{2}modN$, with their domain defined as the set of quadratic residues less than $N$ (instead of the set of integers $[0,N/2]$ that were used before). By splitting into two functions we get the desired “marker” qubit distinguishing the two preimages, but we run into the problem of generating a uniform superposition of quadratic residues modulo $N$. To our knowledge the best way to generate such a superposition is to start with the set of all integers less than $N$, and square them. Then, another square must be taken to actually implement the TCF. So, it seems that using this TCF would require a quantum circuit twice as large as the original protocol using $x^{2}modN$—a tradeoff that is probably not worth it for the extra simplicity of removing the preimage test. That being said, if a function other than $x^{2}modN$ is used which does have the extra qubit, this variation is almost certainly the right choice.

We also note that we learned via personal correspondence with Eitan Porat, Zvika Brakerski, and Thomas Vidick that they found that the original protocol is actually classically hard without the preimage test. The intuitive idea is that we can learn more information from the “measurement results” than just whether $r\cdot x_0=r\cdot x_1$. In particular, when that equality holds, we also get access to the value of $r\cdot x_0$ (and $r\cdot x_1$, since they are equal). With this extra information it is possible to use a more complicated scheme based on the Goldreich-Levin theorem to decode $x_0$ and $x_1$ in full, proving the hardness of passing just the CHSH portion directly from the hardness of finding claws. However, apparently the classical bound is not quite as powerful due to the more complicated decoding process.

The existence of a finite gap between the classical and quantum success probabilities implies that our protocol can tolerate a certain amount of noise. A direct implementation of our interactive protocol on a noisy quantum device would require an overall fidelity of $\sim 83$% in order to exceed the classical bound ⁷⁷ 7 This number comes from solving the classical bound (Equation 5.1) for circuit fidelity $F$, with $p_x=F$ and $p_{CHSH}=\frac{1}{2}+F/2$.. To allow devices with lower fidelities to demonstrate quantum advantage, our protocol allows for a natural tradeoff between fidelity and runtime, such that the classical bound can, in principle, be exceeded with only a small [e.g. $1/poly\left(n\right)$] amount of coherence in the quantum device ⁸⁸ 8 This is true even if the coherence is exponentially small in $n$. Of course, with arbitrarily low coherence the runtime may become excessively large such that quantum advantage cannot be demonstrated—the point is that regardless of runtime, the classical probability bound can be exceeded with a device that has arbitrarily low circuit fidelity..

The key idea is based upon postselection. For most TCFs, there are many bitstrings of the correct length that are not valid outputs of $f$. Thus, if the prover detects such a $y$ value in step 3 (Fig. 1), they can simply discard it and try again ⁹⁹ 9 This scheme will only remove errors in the first round of the protocol, but fortunately, one expects the overwhelming majority of the quantum computation, and thus also the majority of errors, to occur in that round.. In principle, the verifier can even use their trapdoor data to silently detect and discard iterations of the protocol with invalid $y$ ¹⁰¹⁰ 10 This procedure does not leak data to a classical cheater, because the verifier does not communicate which runs were discarded. Furthermore, it does not affect the soundness of Theorem 3, because the machine $B$ in that theorem’s proof can simply iterate until it encounters a valid $y$.. Since $y$ is a function of $x_0$ and $x_1$, one might hope that this postselection scheme also rejects states where $x_0$ or $x_1$ has become corrupt. Although this may not always be the case, we demonstrate numerically that this assumption holds for a specific implementation of $x^{2}modN$ in the following subsection. One could also compute a classical checksum of $x_0$ and $x_1$ before and after the main circuit to ensure that they have not changed during its execution. Assuming that such bit-flip errors are indeed rejected, the possibility remains of an error in the phase between $|x_0⟩$ and $|x_1⟩$. In Section 5.7.9, we demonstrate that a prover holding the correct bitstrings but with an error in the phase can still saturate the classical bound; if the prover can avoid phase errors even a small fraction of the time, they will push past the classical threshold.

The central computational step in our interactive protocol (i.e. step 2, Fig. 5.1) is for the prover to apply a unitary of the form:

where $f_i\left(x\right)$ is a classical function and $m$ is the length of the output register. This type of unitary operation is ubiquitous across quantum algorithms, and a common strategy for its implementation is to convert the gates of a classical circuit into quantum gates. Generically, this process induces substantial overhead in both time and space complexity owing to the need to make the circuit reversible to preserve unitarity [BEN89, LS90]. This reversibility is often achieved by using an additional register, $g$, of so-called “garbage bits” and implementing: $U_{f_i}^{\prime }{\sum }_x|x{⟩}_x|0^{\otimes m}{⟩}_y|0^{\otimes l}{⟩}_g={\sum }_x|x{⟩}_x|f_i\left(x\right){⟩}_y|g_i\left(x\right){⟩}_g$. For each gate in the classical circuit, enough garbage bits are added to make the operation injective. In general, to maintain coherence, these bits cannot be discarded but must be “uncomputed” later, adding significant complexity to the circuits.

A particularly appealing feature of our protocol is the existence of a measurement scheme to discard garbage bits, allowing for the direct mapping of classical to quantum circuits with no overhead. Specifically, we envision the prover measuring the qubits of the $g$ register in the Hadamard basis and storing the results as a bitstring $h$, yielding the state,

The prover has avoided the need to do any uncomputation of the garbage bits, at the expense of introducing phase flips onto some elements of the superposition. These phase flips do not affect the protocol, so long as the verifier can determine them. While classically computing $h\cdot g_i\left(x\right)$ is efficient for any $x$, computing it for all terms in the superposition is infeasible for the verifier. However, our protocol provides a natural way around this. The verifier can wait until the prover has collapsed the superposition onto $x_0$ and $x_1$, before evaluating $g_i\left(x\right)$ only on those two inputs ¹¹¹¹ 11 This is true because $g_i\left(x\right)$ is the result of adding extra output bits to the gates of a classical circuit, which is efficient to evaluate on any input..

Crucially, the prover can measure away garbage qubits as soon as they would be discarded classically, instead of waiting until the computation has completed. If these qubits are then reused, the quantum circuit will use no more space than the classical one. This feature allows for significant improvements in both gate depth and qubit number for practical implementations of the protocol (see last rows of Table I in Methods). We note that performing many individual measurements on a subset of the qubits is difficult on some experimental systems, which may make this technique challenging to use in practice. However, recent hardware advances have demonstrated these “intermediate measurements” in practice with high fidelity, for example by spatially shuttling trapped ions [ZKL+21, RBL+21]. We thus expect that the capability to perform partial measurements will not be a barrier in the near term. This issue can also be mitigated somewhat by collecting ancilla qubits and measuring them in batches rather than one-by-one, allowing for a direct trade-off between ancilla usage and the number of partial measurements.

In Chapter 7 we present what to our knowledge are the most highly optimized circuits known for $x^{2}modN$. Here, we present four more basic circuits, that exhibit the range of possible implementations of $x^{2}modN$ and provide a good comparison for the optimizations in that chapter. For the circuits presented here, implementations in Python using the Cirq library are included as supplementary files ¹³¹³ 13 Code is available at https://github.com/GregDMeyer/quantum-advantage and is archived on Zenodo [MEY22]. The first two are quantum implementations of classical circuits for the Karatsuba and “schoolbook” classical integer multiplication algorithms, where we leverage the reversibility optimizations described in Section 5.3.5 (see Section 5.7.8 for details of their implementation). The latter pair, which we call the “phase circuits” and describe below, are intrinsically quantum algorithms that use Ising interactions to directly compute $x^{2}modN$ in the phase. Using those circuits, we propose a near-term demonstration of our interactive protocol on a Rydberg-based quantum computer [LKS+19, BL20]; crucially, the so-called “Rydberg blockade” interaction natively realizes multi-qubit controlled phase rotations, from which the entire circuits shown in Figure 3 are built (up to single qubit rotations). A comparison of approximate gate counts for each of the four circuits can be seen in Table I in the Methods. Of the circuits explored here, the Karatsuba algorithm is the most efficient in total gates and circuit depth, while the phase circuits are most efficient in terms of qubit usage and measurement complexity. Chapter 7 manages to combine the benefits of both, yielding circuits with gate counts better than the Karatsuba circuits here and qubit usage and measurement complexity comparable to the phase circuits.

We now describe the two circuits, amenable to near-term quantum devices, that utilize quantum phase estimation to implement the function $f\left(x\right)=x^{2}modN$. The intuition behind our approach is as follows: we will compute $x^2/N$ in the phase and transfer it to an output register via an inverse quantum Fourier transform [DRA00, BEA03]; the modulo operation occurs automatically as the phase wraps around the unit circle, avoiding the need for a separate reduction step.

In order to implement ${\sum }_x|x{⟩}_x|x^{2}modN{⟩}_y$, we design a circuit to compute:

where $H$ is a Hadamard gate, $IQFT$ represents an inverse quantum Fourier transform, $w\equiv x^2/N=0.w_1{w}_2\cdots w_m$ is an $m$-bit binary fraction ¹⁴¹⁴ 14 We must take $m>n+O\left(1\right)$ to sufficiently resolve the value $x^{2}modN$ in post-processing, and ${\tilde{U}}_{w_N}$ is the diagonal unitary,

The simplest circuit to implement ${\tilde{U}}_{w_N}$ simply decomposese $x$ and $z$ in binary, and performs a digit-by-digit multiplication using the schoolbook algorithm:

With this, one immediately finds that ${\tilde{U}}_{w_N}$ is equivalent to applying a series of controlled-controlled-phase rotation gates of angle,

Here, the control qubits are $i,j$ in the $x$ register, while the target qubit is $k$ in the $y$ register. Crucially, the value of this phase for any $i,j,k$ can be computed classically when the circuit is compiled.

Figure 5.3 shows two explicit circuits to implement ${\tilde{U}}_{w_N}$, one optimizing for qubit count, and the other optimizing for gate count. The first circuit [Fig. 5.3(a)] takes advantage of the fact that the output register is measured immediately after it is computed; this allows one to replace the $m$ output qubits with a single qubit that is measured and reused $m$ times. Moreover, by replacing groups of doubly-controlled gates with a Toffoli and a series of singly-controlled gates, one ultimately arrives at an implementation, which requires $n^3/2+O\left(n^2\right)$ gates, but only $n+O\left(1\right)$ qubits. We note that this does require individual measurement and re-use of qubits, which has been a challenge for experiments; recent experiments however have demonstrated this capability [ZKL+21, RBL+21].

The second circuit [Fig. 5.3(b)], which optimizes for gate count, leverages the fact that ${\varphi }_{ijk}$ (Eqn. 5.9) only depends on $i+j+k$, allowing one to combine gates with a common sum. In this case, one can define $\ell =i+j$ and then, for each value of $\ell$, simply “count” the number of values of $i,j$ for which both control qubits are 1. By then performing controlled gates off of the qubits of the counter register, one can reduce the total gate complexity by a factor of $n/\log n$, leading to a implementation with $2n^2\log n+O\left(n^2\right)$ gates.

Motivated by recent advances in the creation and control of many-body entanglement in programmable quantum systems [ZPH+17, AAB+19, SSW+21, EWL+21], we propose an experimental implementation of our interactive protocol based upon neutral atoms coupled to Rydberg states [BL20]. We envision a three dimensional system of either alkali or alkaline-earth atoms trapped in an optical lattice or optical tweezer array [Fig. 5.4(a)] [WZC+15, WKW+16, KWG+18]. To be specific, we consider ${}^{87}Rb$ with an effective qubit degree of freedom encoded in hyperfine states: $|0⟩=|F=1,m_F=0⟩$ and $|1⟩=|F=2,m_F=0⟩$. Gates between atoms are mediated by coupling to a highly-excited Rydberg state $|r⟩$, whose large polarizability leads to strong van der Waals interactions. This microscopic interaction enables the so-called Rydberg “blockade” mechanism—when a single atom is driven to its Rydberg state, all other atoms within a blockade radius, $R_b$, become off-resonant from the drive, thereby suppressing their excitation [Fig. 5.4(a,b)] [SAF16].

Somewhat remarkably, this blockade interaction enables the native implementation of all multi-qubit-controlled phase gates depicted in the circuits in Figure 5.3. In particular, consider the goal of applying a $C^k{R}_{\varphi }^{\ell }$ gate; this gate applies phase rotations, $\{{\varphi }_1,{\varphi }_2,\dots ,{\varphi }_{\ell }\}$, to target qubits $\{j_1,j_2,\dots j_{\ell }\}$ if all $k$ control qubits $\{i_1,i_2,\dots i_k\}$ are in the $|1⟩$ state [Fig. 5.4(d)]. Experimentally, this can be implemented as follows: (i) sequentially apply (in any order) resonant $\pi$-pulses on the $|0⟩\leftrightarrow |r⟩$ transition for the $k$ desired control atoms, (ii) off-resonantly drive the $|1⟩\leftrightarrow |r⟩$ transition of each target atom with detuning $\Delta$ and Rabi frequency $\Omega$ for a time duration $T=2\pi /({\Omega }^2+{\Delta }^2{)}^{1/2}$ [Fig. 5.4(c)], (iii) sequentially apply [in the opposite order as in (i)] resonant $-\pi$-pulses (i.e. $\pi$-pulses with the opposite phase) to the $k$ control atoms to bring them back to their original state. The intuition for why this experimental sequence implements the $C^k{R}_{\varphi }^{\ell }$ gate is straightforward. The first step creates a blockade if any of the control qubits are in the $|0⟩$ state, while the second step imprints a phase, $\varphi =\pi (1-\Delta /\sqrt{{\Delta }^2+{\Omega }^2})$, on the $|1⟩$ state, only in the absence of a blockade. Note that tuning the values of ${\varphi }_i$ for each of the target qubits simply corresponds to adjusting the detuning and Rabi frequency of the off-resonant drive in the second step [Fig. 5.4(c,d)].

Demonstrations of our protocol can already be implemented in current generation Rydberg experiments, where a number of essential features have recently been shown, including: 1) the coherent manipulation of individual qubits trapped in a 3D tweezer array [WZC+15, WKW+16], 2) the deterministic loading of atoms in a 3D optical lattice [KWG+18], and 3) fast entangling gate operations with fidelities, $F\ge 0.974$ [LKS+19, GKG+19, MCS+20]. In order to estimate the number of entangling gates achievable within decoherence time scales, let us imagine choosing a Rydberg state with a principal quantum number $n\approx 70$. This yields a strong van der Waals interaction, $V\left(\overrightarrow{r}\right)=C_6/r^6$, with a $C_6$ coefficient $\sim \left(2\pi \right)880$ GHz$\cdot \mu$m⁶ [LWN+12]. Combined with a coherent driving field of Rabi frequency $\Omega \sim \left(2\pi \right)1-10$ MHz, the van der Waals interaction can lead to a blockade radius of up to, $R_b={\left(C_6/\Omega \right)}^{1/6}\sim 10\mu$m. Within this radius, one can arrange $\sim {10}^2$ all-to-all interacting qubits, assuming an atom-to-atom spacing of approximately, $a_0\approx 2\mu$m ¹⁵¹⁵ 15 We note that this spacing is ultimately limited by a combination of the optical diffraction limit and the orbital size of $n\approx 70$ Rydberg states.. In current experiments, the decoherence associated with the Rydberg transition is typically limited by a combination of inhomogeneous Doppler shifts and laser phase/intensity noise, leading to $1/T_2\sim 10-100$ kHz [dBL+18, LKS+19, LSF+21b]. Taking everything together, one should be able to perform $\sim {10}^3$ entangling gates before decoherence occurs (this is comparable to the number of two-qubit entangling gates possible in other state-of-the-art platforms [AAB+19, SBT+18]). While this falls short of enabling an immediate full-scale demonstration of classically verifiable quantum advantage, we hasten to emphasize that the ability to directly perform multi-qubit entangling operations significantly reduces the cost of implementing our interactive protocol. For example, the standard decomposition of a Toffoli gate uses 6 CNOT gates and 7 $T$ and $T^{†}$ gates, with a gate depth of 12 [NC11, SM09, BBC+95]; an equivalent three qubit gate can be performed in a single step via the Rydberg blockade mechanism.

In this section we prove a bound on the probability that list decoding will succeed for a particular value of $y$, given an oracle’s noise rate over all values of $y$. Recall that by the Goldreich-Levin theorem [GL89], list decoding of the Hadamard code is possible if the noise rate is noticeably less than $1/2$.

Here we present two trapdoor claw-free function families (TCFs) for use in the protocol of this paper. These families are defined by three algorithms: $Gen$, a probabilistic algorithm which selects an index $i$ specifying one function in the family and outputs the corresponding trapdoor data $t$; $f_i$, the definition of the function itself; and $T$, a trapdoor algorithm which efficiently inverts $f_i$ for any $i$, given the corresponding trapdoor data $t$. Here we provide the definitions of the function families; proofs of their cryptographic properties are included in the supplementary information. In these definitions we use a security parameter $\lambda$ following the notation of cryptographic literature; $\lambda$ is informally equivalent to the “problem size” $n$ defined in the main text as the length of the TCF input string.