Chapter 6 Implementing interactive protocols on a trapped-ion quantum computer

It is believed to be classically intractable to recover an input vector from the result of certain noisy matrix-vector multiplications—this constitutes the LWE problem [REG09, REG10]. In particular, a secret vector, $s\in \{0,1{\}}^n$, can be encoded into an output vector, $y=As+e$, where $A\in Z_q^{m\times n}$ is a matrix and $e$ is an error vector corresponding to the noise. Using the LWE problem, a TCF can be constructed as $f(b,x)=\lfloor Ax+b\cdot y\rceil$, where $b$ is a single bit that controls whether $y$ gets added to $Ax$ and $\lfloor \cdot \rceil$ denotes a rounding operation [BPR12, AKP+13] (see Methods section 6.6.7 for additional details). Here, $s$ and $e$ play the role of the trapdoor, and a claw corresponds to colliding inputs $\left\{\right(0,x_0),(1,x_1\left)\right\}$ with $f(0,x_0)=f(1,x_1)$ and $x_0=x_1+s$. By implementing the protocol described above and illustrated in Figure 6.1, the prover is able to generate the state $|\psi ⟩=(|0,x_0⟩+|1,x_1⟩)|w⟩$. For the aforementioned “interference” measurement, the prover simply measures each qubit of the superposition in the $X$ basis. Crucially, the result of this measurement is cryptographically protected by the adaptive hardcore bit property, which is a strengthening of the claw-free property [BCM+21]. Informally, it says that for any input $x_0$ (of the prover’s choosing), it is cryptographically hard to determine even a single bit of information about $x_1$ (as opposed to the entire value, which is the guarantee of the claw-free assumption).

The function $f\left(x\right)=x^{2}modN$, with $N$ being the product of two primes, was originally introduced in the context of digital signatures [RAB79, GMR88]. This function has the property that finding two colliding inputs (a claw) in the range $[0,N/2]$ is as hard as factoring $N$. Moreover, the prime decomposition $N=pq$ can serve as a trapdoor, enabling one to invert the function for any output. Thus, $f\left(x\right)$ is a trapdoor claw-free function. However, $f\left(x\right)$ does not have the adaptive hardcore bit property, making the simple $X$-basis “interference” measurement (described in the LWE context above) not provably secure. To get around this, we perform the “interference” measurement differently. First, the verifier chooses a random subset of the qubits of the superposition, and the prover stores the parity of that subset on an ancilla. Then, the prover measures everything except the ancilla in the $X$ basis. Given our cryptographic assumption that the prover cannot find a claw, the prover cannot guess the polarization of the remaining ancillary qubit. This is directly analogous to how, in Bell experiments, the assumption of no-signaling-faster-than-light implies that if Alice measures one half of an EPR pair, a space-like separated Bob who holds the other half is unable to immediately guess its polarization. Following this intuition, the verifier requests a measurement of the ancilla qubit in the $Z+X$ or $Z-X$ basis, effectively completing the Bell test [BEL64, CHS+69]; the verifier accepts if the prover returns the more likely measurement outcome. Crucially, the dependence of the measurement result on the claw renders it infeasible to guess classically [KCV+22].

In Tables 6.1 and 6.2 we present the numerical results for each configuration of the experiment, along with the number of samples obtained ($N_A$ and $N_B$), the measure of quantumness $q$, and the statistical significance of the result (see Methods Section 6.6.11 for a description of how the significance is calculated).

We note that for the computational Bell test protocol, the sample size $N_B$ is less than the actual number of shots that passed postselection (ultimately leading to slightly less statistical significance than might otherwise be expected). This is because the sample size varied for different values of the verifier’s string $r$, yet we are interested in the passing rate $p_B$ averaged uniformly over all $r$ (not weighted by number of shots). To account for this, we simply took the $r$-value with the fewest number of shots, and computed $N_B$ as if every $r$ value had had that sample size (even if some values of $r$ had more).

We also note that in some cases the statistical significance denoted here may be higher than that visually displayed in Figure 6.3 of the main text; this is because the contour lines in that figure correspond to the configuration with the smallest sample size.

The trapped ion quantum computer used for this study was designed, built, and operated at the University of Maryland and is described elsewhere [EDN+21, CEN+22]. The system consists of a chain of fifteen single ¹⁷¹Yb⁺ ions confined in a Paul trap and laser cooled close to their motional ground state. Each ion provides one physical qubit in the form of a pair of states in the hyperfine-split ${}^2{S}_{1/2}$ ground level with an energy difference of 12.642821 GHz, which is insensitive to magnetic fields to first order. The qubits are collectively initialized through optical pumping, and state readout is accomplished by state-dependent fluorescence detection [OYM+07]. Qubit operations are realized via pairs of Raman beams, derived from a single 355-nm mode-locked laser [DLF+16]. These optical controllers consist of an array of individual addressing beams and a counter-propagating global beam that illuminates the entire chain. Single qubit gates are realized by driving resonant Rabi rotations of defined phase, amplitude, and duration. Single-qubit rotations about the z-axis, are performed classically with negligible error. Two-qubit gates are achieved by illuminating two selected ions with beat-note frequencies near motional sidebands and creating an effective Ising spin-spin interaction via transient entanglement between the two ion qubits and all modes of motion [MS99, SdZ99, MSJ00]. To ensure that the motion is disentangled from the qubit states at the end of the interaction, we used a pulse shaping scheme by modulating the amplitude of the global beam [CDM+14].

In this section we explicitly state the checks performed by the verifier to decide whether to accept or reject the prover’s responses for each run of the protocol. We emphasize that these checks are performed on a per-shot basis, and the empirical success rates $p_A$ and $p_B$ are defined as the fraction of runs (after postselection, see below) for which the verifier accepted the prover’s responses.

For both protocols, the “A" or “standard basis" branch check is simple. The prover has already supplied the verifier with the output value $w$; for this test the prover is expected to measure a value $x$ such that $f\left(x\right)=w$. Thus in this case the verifier simply evaluates $f\left(x\right)$ for the prover’s supplied input $x$ and confirms that it is equal to $w$.

For the “B" or “interference" measurement, the measurement scheme and verification check is different for the two protocols. For the LWE-based protocol, the interference measurement is an $X$-basis measurement of all of the qubits holding the input superposition $|x_0⟩+|x_1⟩$. This measurement will return a bitstring $d$ of the same length as the number of qubits in that superposition, where for each qubit, the corresponding bit of $d$ is 0 if the measurement returned the $|+⟩$ eigenstate and 1 if the measurement returned the $|-⟩$ eigenstate. The verifier has previously received the value $w$ from the prover and used the trapdoor to compute $x_0$ and $x_1$; the verifier accepts the string $d$ if it satisfies the equation

where $(\cdot )$ denotes the binary inner product, i.e. $a\cdot b={\sum }_i{a}_i{b}_i\mathrm{mod}2$. It can be shown that a perfect (noise-free) measurement of the superposition $|x_0⟩+|x_1⟩$ will yield a string $d$ satisfying Eq. 6.1 with probability 1.

The interference measurement for the computational Bell test involves a sequence of two measurements (in addition to the first measurement of the string $w$). The first measurement yields a bitstring $d$ as above. After performing that measurement, the prover holds the single-qubit state $(-1{)}^{d\cdot x_0}|r\cdot x_0⟩+(-1{)}^{d\cdot x_0}|r\cdot x_0⟩$, where $(\cdot )$ is the binary inner product as above and $r$ is a random bitstring supplied by the verifier. This state is one of $\{|0⟩,|1⟩,|+⟩,|-⟩\}$, and is fully known to the verifier after receiving $d$ (via use of the trapdoor to compute $x_0$ and $x_1$). The second measurement is of this single qubit, in an intermediate basis $Z+X$ or $Z-X$ chosen by the verifier. For any of the four possible states, one eigenstate of the measurement basis will be measured with probability ${\cos }^2\left(\pi /8\right)\approx 85\%$ (with the other having probability $\sim 15\%$), just as in a Bell test. The verifier accepts the measurement result if it corresponds to this more-likely result; an ideal (noise-free) prover will be accepted with probability $\sim 85\%$ (see Figure 6.3 of the main text).

Both the factoring-based and LWE-based protocols involve post-selection on the measurement results throughout the experiment.

For the factoring-based protocol, this post-selection is performed on the measured value of the output register $w$. Due to quantum errors in the experiment, in practice it is possible to measure a value of $w$ that does not correspond to any inputs of the TCF—that is, there do not exist $x_0,x_1$ for which $f\left(x_0\right)=f\left(x_1\right)=w$, due to noise. Because such a result would not be possible without errors, measuring such a value indicates that a quantum error has occurred [KCV+22]. Thus, we perform post-selection by discarding all runs for which the measured value $w$ does not have two corresponding inputs.

On the other hand, for the LWE protocol, we post-select in order to satisfy the conditions for the adaptive hardcore bit property to hold, as without this property, the protocol could be susceptible to attacks. In particular, the adaptive hardcore bit property requires that the result obtained from measuring the $x$ register using the “interference” measurement scheme be a nonzero bitstring [BCM+21]. Hence, we simply post-select on this condition for the LWE case. Tables 6.3 and 6.4 explicitly show how many runs are kept using each post selection scheme.

We note that in both cases, post-selection does not affect the soundness of the protocols. We only require that a non-negligible fraction of runs pass post-selection (to give good statistical significance for the results). This is indeed the case for our experiment, as can be seen in Tables 6.3, 6.4, as well as the statistical significance of the results in Tables 6.1, 6.2.

We control the position of the ions and run the split and shuttling sequences by changing the electrostatic trapping potential in a microfabricated chip trap [MAU16] maintained at room temperature. We generate 40 time-dependent signals using a multi-channel DAC voltage source, which controls the voltages of the 38 inner electrodes at the center of the chip and the voltages of two additional outer electrodes. Owing to the strong radial confining potential used (with secular trapping frequencies near $3$ MHz), the central electrodes’ potential affects predominantly the axial trapping potential, and in turn, generates movement predominantly along the linear trap axis. To maintain the ions at a constant height above the trap surface, we simulate the electric field based on the model in Ref. [MAU16], and compensate for the average variation of its perpendicular component by controlling the voltages of the outer two electrodes.

In the first sequence, we split the 15-ion chain into two sub-chains of 7 and 8 ions, and shuttle the 8-ion group to $x=0.55$ mm away from the trap center at $x=0$. We then align the 7-ion chain with the individual-addressing Raman beams for the first mid-circuit measurement. For the LWE-based protocol, we then reverse the shuttling process and re-merge the ions to a 15-ion chain, completing the circuit and performing a final measurement. For the factoring-based protocol, we shuttle the 8-ion sub-chain to the trap center and the 7-ion sub-chain to $x=-0.55$ mm. We then split this chain into 5- and 3-ion sub-chains, shuttle the 3-ion sub-chain to $x=0.55$ mm, and align the 5 ions at the trap center with the Raman beams to perform additional gates and a second mid-circuit measurement. Finally, we move away the measured ions and align the 3-ion group to the center of the trap to complete the protocol. Reversing the sequence then prepares the ions in their initial state. For each protocol, all branches use the same shuttling sequences but differ in the qubit assignment and the realized gates. The mid-circuit measurement duration was experimentally determined prior to the experiment by maximizing the average fidelity of a Ramsey experiment using single-qubit gates, approximately optimizing for the trade-off between efficient detection of each sub-chain and stray light decoherence.

To enable efficient performance of the split and shuttling sequences we numerically simulate the electrostatic potential and the motional modes of the ions that are realized in the sequences. We minimize heating of the axial motion from low-frequency electric-field noise by ensuring that the calculated lowest axial frequency does not go below $100$ KHz. We also minimize the frequency of ions loss due to collisions with background gas by maintaining a calculated trap depth of at least $20$ meV for each of the sub-chains throughout the shuttling sequences. The simulations enable efficient alignment of the sub chains with the Raman beams, taking into account the variation of the potential induced by all electrodes.

We account and correct for various systematic effects and drifts which appear in the experiment. To eliminate the effect of systematic variation of the optical phases between the individual beams on the ions, we align each ion with the same individual beam throughout the protocol. Prior to the experiment, we run several calibration protocols which estimate the electrostatic potential at the center of the trap through a Taylor series representation up to the fourth order, estimating the dominant effect of stray electric fields on the precalculated potential. We then cancel the effect of these fields using the central electrodes during the alignment and split sequences, as these sequences are most sensitive to the exact shape of the actual electrostatic potential. Additionally, we routinely measure the common-mode drift of the individual addressing optical Raman beams along the linear axis of the trap and correct for them by automatic repositioning of the ions achieved by varying the potential.

During shuttling, the ions traverse an inhomogeneous magnetic field and consequently, each ion spin acquires a shuttling-induced phase ${\varphi }_s^{\left(i\right)}$ which depends on its realized trajectory. We calibrate this by performing a Ramsey sequence in which each qubit is put in a superposition of $(|0{⟩}_i+|1{⟩}_i)/\sqrt{2}$ before shuttling, and after the shuttling $R_x^{\left(i\right)}\left(\pi /2\right)R_z^{\left(i\right)}\left(\varphi \right)$ gates are applied, with $\varphi$ scanned from $0$ to $2\pi$. Fitting the observed fringe for each ion enables estimation of the phases ${\varphi }_s^{\left(i\right)}$, which are corrected in the protocols by application of the inverse operation $R_z^{\left(i\right)}(-{\varphi }_s^{\left(i\right)})$ after shuttling.

In this section, we describe the procedure for preparing the quantum superposition of all the claws in the factoring-based protocol, as shown in Fig. 6.3(a) of the main text.

This is achieved by generating

and then measuring the $y=|f\left(x\right)⟩$ register. We calculate $f\left(x\right)$ using a unitary $U(x,y)$ to encode the function into the phase of the $y$ register and applying a inverse quantum Fourier transform (QFT^†) to extract the result.

To start, we apply Hadamard gates to all qubits to prepare a uniform superposition of all the possible bit strings for the $x$ and $y$ registers:

where $\alpha$ is the normalization factor.

Next, we evolve the state with the unitary $U(x,y)=e^{2\pi i\frac{x^{2}y}{N}}$. Since the phase has period $2\pi$, the unitary is equivalent to $U(x,y)=e^{2\pi i\frac{x^{2}ymodN}{N}}$. We now show how to efficiently implement $U(x,y)=e^{2\pi i\frac{x^{2}y}{N}}$ on the ion trap quantum computer.

First, note the multiplication in the phase can be expressed as a sum of bit-wise multiplication

This bit-wise multiplication can be expressed using Pauli operators:

We then organize the operators into three terms:

We use $\alpha$’s, $\beta$’s, and $\gamma$’s to represent the phases generated by these terms, which can be calculated from Eq. 6.5. The third term contains single-qubit $Z$ rotations that are implemented efficiently as software-phase advances. The $ZZ$ interactions in the second term are implemented as $XX$ gates sandwiched between single qubit rotations. The first term includes three-body $ZZZ$ interactions, which can be decomposed using $ZZ$ interactions using the following relation:

This decomposition enables efficient construction of the following cascade of $ZZZ$ interactions:

which are efficiently implemented using the native $XX$ interaction and single-qubit rotations.

Using the decomposition above, we can implement the first term in Eq. 6.6 using the circuit shown in Fig. 6.4.

With this term implemented, we complete the construction of the full unitary $U(x,y)$. After applying the unitary, we obtain the state

We then apply the inverse quantum Fourier transform $QF{T}^{†}$ to the $y$ register, which gives us:

Next, we measure the $y$ register to find an output $w$, and the $x$-register contains the superposition of a colliding input pair.

The number of qubits used to represent $y$ in experiments are 3, 4, 4, and 5 for $N=8$, $N=15$, $N=16$, and $N=21$, respectively. The number of qubits used to represent $x$ in experiments equals the length of the $r$ string in Table 6.4.

In this section, we describe the procedure for implementing the circuit $U(A,b,x,y)$, displayed in Fig. 6.3(d). Here, the matrix $A$ and vector $y$ are classical inputs, and the bit $b$ and vector $x$ are quantum values held in the qubits to which the unitary is applied. The circuits evaluate the function $f(b,x)=\lfloor Ax+b\cdot y\rceil$ in superposition, where $\lfloor \cdot \rceil$ denotes a rounding operation corresponding to taking the most significant bit of each component in the vector $Ax+b\cdot y$. (It should be noted that this specific function, which uses rounding, differs from the TCF used by Brakerski et al. [BCM+21], but is nevertheless still a TCF [LG22].) This TCF is based on the LWE problem: for a secret vector $s$ and “noise” vector $e$, find $s$ (or equivalently $e$) with knowledge of only $A$ and $y=As+e$. The LWE assumption states that doing so is cryptographically hard. It is straightforward to see that finding claws in the function $f$ is as hard as breaking the LWE assumption, by observing that for a colliding pair $\left(\right(0,x_0),(1,x_1\left)\right)$, $x_1=x_0+s$ (up to the noise vector $e$, whose effect disappears due to the rounding).

In our implementation, the matrix $A\in Z_q^{m\times n}$ and vector $s\in \{0,1{\}}^n$ are sampled uniformly at random by the verifier¹¹ 1 Technically, the matrix $A$ is sampled together with the TCF trapdoor. However, as explained in [BCM+21], the distribution from which the matrix is sampled is statistically close to a uniform distribution over $Z_q^{m\times n}$. The vector $e\in Z_q^m$ is sampled from a discrete Gaussian distribution (see Brakerski et al. [BCM+21] for more details on the parameter choices). The verifier constructs $y=As+e\in Z_q^m$ and sends $A$ and $y$ to the prover.

To perform the coherent evaluation, the prover will use three registers (for the $b$ and $x$ inputs, as well as for the output of the TCF) to create the superposition state as well as a fourth ancilla register, which will be used to perform the unitary $U(A,b,x,y)$. The prover starts by applying a layer of Hadamard gates to all input qubits and the ancilla register (that were initialized as $|0⟩$). The resulting state will be

for some normalization constant $\alpha$ and where the third register is the ancilla register and the last register is the output register. In this output register, the prover must coherently add $\lfloor Ax+b\cdot y\rceil$. As $Ax+b\cdot y$ is an $m$-component vector, we will explain the prover’s operations, at a high level, for each component of the vector. For the $i$’th component of this vector, the prover first computes the inner product modulo $q$ between the $i$’th row of $A$ and $x$ and places the result in the ancilla register. Since the prover has a classical description of $A$, this will involve a series of controlled operations between the $x$ register and the ancilla register. Similar to the factoring case, this arithmetic operation is easiest to perform in the Fourier basis, which is why Hadamard gates are applied to the ancilla register. Once the inner product has been computed, the prover will perform a controlled operation between the $b$ qubit and the ancilla register in order to add the $i$’th component of $y$. Finally, the prover will “copy” the most significant bit of the result into the output register. This is done via another controlled operation. The prover then uncomputes the result in the ancilla, clearing that register. In this way, the $i$’th component of $\lfloor Ax+b\cdot y\rceil$ has been added into the output register. Repeating this procedure for all components will yield the desired state

with normalization constant ${\alpha }^{\prime }$.

Having given the high level description, let us now discuss in more detail the specific circuits of the current implementation. From the above analysis, we can see that the total number of qubits is $N=1+n{\log }_2\left(q\right)+{\log }_2\left(q\right)+m$. In the instance for this experiment, we chose $m=4,n=2,q=4$, resulting in $N=11$ qubits. The first register contains $|b⟩$ which requires only one qubit. In the second register, the vector $x=(x_0,x_1)$ consists of two components modulo $4$, which is encoded in binary with four qubits as $|x⟩=|x_{11},x_{12},x_{21},x_{22}⟩$. The third register, the ancilla, is one modulo $4$ component and will thus consist of two qubits. Lastly, in the fourth register, we store the result of evaluating the function, which requires another four qubits. As mentioned, the matrix $A$ and the vector $y$ are specified classically. In the experiment, we considered four different input configurations, corresponding to four different choices for $A$, $s$ and $e$. These choices are explicitly described later in the appendix.

To detail the operations implemented, as discussed previously, the prover first puts the ancilla register into the Fourier basis using the quantum Fourier transform (QFT). This allows them to more easily compute $⟨a_i,x⟩+b\cdot y_i$ in the ancilla register, where $a_i$ is the $i$’th row of the matrix $A$ and $⟨\cdot ,\cdot ⟩$ denotes the inner product modulo $q$. The explicit rotation gates to compute this in the Fourier basis are given in Fig. 6.6. After computing this for one row $a_i$, the prover converts the ancilla back into the computational basis and “copies” the most significant bit stored in the ancilla register into the output register, using a $CNOT$ gate, to compute the rounding function. This completes the evaluation of the function for one bit. In order to reuse the qubits in the ancilla register, the prover then reverses this computation and repeats for each row of the matrix $A$. This process of evaluating the function and reversing that computation is depicted in Fig. 6.5.

Finally, after completing the evaluation of the TCF, the prover measures the output register to recover the rounded result of $\lfloor Ax+b\cdot y\rceil$ for a certain value of $x$. The prover will then measure the $b$ and $x$ registers in either the $Z$ basis or $X$ basis, according to the challenge issued by the verifier. Should the verifier request measurements in the $X$ basis, the prover applies Hadamard gates on all qubits in the $b$ and $x$ registers before measuring in the computational basis.

Here, we explicitly detail the LWE instances that were used in the experiment. Recall that such an instance is defined by $A,s,$ and $e$, where $A\in Z_q^{m\times n}$, $s\in \{0,1{\}}^n,$ and $e\in Z_q^m$ for integers $m,n,q\in Z$. In this experiment, we used $m=4,n=2,q=4$ for all of the instances. Table 6.5 displays the explicit matrices and vectors used.

In cryptography, showing that a new protocol is secure for practical use (meaning, in our case, that the proof cannot be spoofed by a classical prover) follows two broad steps: 1) proving that it is secure asymptotically (showing that the computational cost of cheating is at least superpolynomial in the problem size), and 2) picking a finite set of parameters such that cheating is not possible under certain classical resources (computational power and time, usually). What particular limitations to set on the resources available to the classical cheater is ultimately up to the user. In this section, we attempt to make precise exactly which statements are asymptotic (step 1), and how these statements make the jump in step 2 to finite, real parameters.

The first asymptotic statement, which is perhaps the most obvious, is that finding claws of the TCF is hard. In the theory papers upon which this work is based, this is shown by reducing the problem of finding claws to related problems, about which there exist standard cryptographic assumptions. [BCM+21, KCV+22] In particular, the assumptions are that the factoring and LWE problems have superpolynomial classical complexity. As discussed above, when using the test in practice we would pick finite parameters in a way that finding a claw is infeasible for the set of classical resources we wish our quantum computer to outcompete (for a rigorous demonstration of quantum advantage, probably a large supercomputer with ample runtime). Importantly, the reduction between the hardness of finding claws and breaking the cryptographic assumption is not in any sense asymptotic: for both TCFs, if a machine can find claws for a specific, finite set of parameters, they can directly use those claws to break the cryptographic assumption in practice. Therefore if the cryptographic assumption holds for a finite set of parameters, we can be sure that the claw-freeness does as well.

The second asymptotic statement that appears in the analysis of these protocols is in regard to the probability that a classical cheater passes a single iteration of the test. In Section 6.4 of the main text, we discuss the “classical thresholds,” which must be exceeded to demonstrate quantum capability. To be very precise about what we mean by this, we reproduce exactly what the theorems underlying these protocols state: if a classical prover’s true success probabilities (not the empirically determined ones, which are subject to statistical fluctuation) exceed the given bound by a non-negligible amount, that prover could be used as a subroutine in a larger program which finds a claw in the TCF in polynomial time. Thus, if it is not possible for a classical prover with certain resources to find a claw (in a TCF with some specific parameters), it is provably also not possible for a classical prover with similar resources to non-negligibly exceed the threshold. There are two asymptotic portions of this statement: the polynomial time in which the larger program extracts a claw using the prover as a subroutine (which is the reason for the word “similar” in the previous sentence), and in fact the word “negligible.” Negligible has a technical definition in cryptography, which is the sense in which we use it here. It means that a value (in this case the amount by which the threshold can be exceeded) is bounded by a function which goes exponentially to zero in the problem size. The precise form of this exponential is not intended to be determined, but instead the exponential decay is used to argue that the negligible function is “essentially” zero for any reasonable problem size that would be used in practice.

It is worth noting that for the small problem sizes we implement in this work, there is one instance in which this negligible function would meaningfully affect the classical success threshold—and we modify the protocol slightly to account for this. In the $x^{2}modN$ (Rabin’s function) protocol, the value $r$ sent by the verifier is supposed to be a uniformly random bitstring. If $r$ happens to be all zero, the product $r\cdot x$, whose value is supposed to be cryptographically hard to guess, is simply zero. This is not an issue for problem sizes that would be used for a full-scale test in practice, because an all-zero $r$ is extremely unlikely to occur if $r$ is of length several hundred bits. But for our smaller experiments with $r$ of only a few bits, the all-zero string represents a sizable fraction of possible $r$. To prevent this from affecting the results, we simply choose our $r$ from the set of non-zero bitstrings rather than all bitstrings. We note that excluding the all zero string helps us better resolve the experiment’s performance, too: when $r=0^n$ the qubit measured in the last step of the protocol never interacts with any of the other qubits throughout the whole circuit, so the measurement result has nothing to do with the fidelity of the TCF circuit!

To close this discussion, it is worth taking a broader perspective and considering how the field of cryptography functions in general. Asymptotic proofs in cryptography are used to show that for any cheating machine with finite resources, the problem can always be made large enough to be hard in practice—and that the hardness grows quickly enough that this is hopefully not an unreasonable pursuit. But ultimately, the question of how large the problem needs to be is an empirical one: experts build the best possible algorithms and hardware they can to attempt to break the assumption, and then the parameters are set to be larger than the largest problem size that can be broken this way (usually with an extra buffer added to secure against improvements in the attacks). In our case, the costs of breaking both factoring and LWE have been extensively explored, and the practical parameters needed for their security against current classical computing power are well understood. As described above, because there are no asymptotic statements in the reduction from the TCF to the underlying cryptographic assumptions, these parameters can be directly used to ensure that finding claws is hard in practice. As described above, the precise relationship between the hardness of exceeding the thresholds and finding claws does rely on asymptotics, but the fact that the asymptotic function appearing in the threshold is shown to decay exponentially suggests strongly that this should not be an issue in practice.

In this section, we state and prove the classical threshold for the LWE-based protocol. The corresponding proof for the factoring-based protocol is contained in the theory manuscript that first presented that protocol. [KCV+22]

Below, the security parameter $\lambda$ is used in the standard cryptographic sense, as a measure of the “problem size”—it can be made larger to increase security, or smaller to improve efficiency. The specifics of how each parameter of the LWE problem is defined as a function of $\lambda$ can be found in the definition of the LWE-based TCF, in the theory work that originally proposed it. [BCM+21]

Here we describe the computation of the contour lines denoting various levels of statistical significance in Figure 6.3(b,e) of the main text. Recall the probabilities $p_A$ and $p_B$ introduced in Section 6.4, which denote a prover’s probability of passing the standard basis and interference test, respectively. Assuming the cryptographic soundness of the claw-free property of the TCF, and in the limit of large problem size, any classical cheating strategy must have true values of $p_A^c$ and $p_B^c$ that obey the bound $p_A^c+2p_B^c-2<0$ for the LWE protocol and $p_A^c+4p_B^c-4<0$ for the factoring-based protocol. To find the statistical significance of a pair of values $p_A$ and $p_B$ measured from an (ostensibly) quantum prover, we consider the null hypothesis that the data was generated by a classical cheater (which obeys the bounds above), and compute the probability that the given data could be generated by that null hypothesis. In particular, since the bounds above exclude a region of a two-dimensional space, we consider an infinite “family” of null hypotheses which lie along the boundary, and define the overall statistical significance of measuring $p_A$ and $p_B$ to be the minimum of the statistical significances across the entire family of null hypotheses—that is, we define it as the significance with respect to the least rejected null hypothesis.

To compute the statistical significance of a result $(p_A,p_B)$ with respect to a particular null hypothesis $(p_A^c,p_B^c)$, we define the “quantumness” $q$ of an experiment as $q(p_A,p_B)=p_A+4p_B-4$ for the factoring-based protocol and $q(p_A,p_B)=p_A+2p_B-2$ for the LWE protocol. Letting $N_A$ and $N_B$ be the number of experimental runs performed for each branch respectively, we define the joint probability mass function (PMF) as the product of the PMFs of two binomial distributions $B(N_A,p_A^c)$ and $B(N_B,p_B^c)$. Mathematically the joint PMF is

where $k_A=p_A{N}_A$ and $k_B=p_B{N}_B$ are the “count” of passing runs for each branch respectively. Finally, we compute the statistical significance of a result $(p_A,p_B)$ as the probability of achieving quantumness measure of at least $q^{\prime }=q(p_A,p_B)$. Under a null hypothesis $(p_A^c,p_B^c)$, this is the sum of the PMF over all $k_A,k_B$ for which $q(k_A/N_A,k_B/N_B)>q^{\prime }$.

In practice, for the contour lines of Figure 6.3(b,e), we begin with a desired level of statistical significance (say, $5\sigma$), and given the sample sizes $N_A$ and $N_B$ we compute the value of $q^{\prime }$ that would achieve at least that significance over all null hypotheses inside the classical bound.

In Fig. 6.3(f), we show the relative performance of the factoring-based protocol for $N=8$, performed both interactively and with delayed measurement. In Fig. 6.7 we display the relative performance for $N\in \{15,16,21\}$ (for which experiments were run with delayed measurement only).

For a conclusive demonstration of quantum advantage, we desire the quantum machine to perform the protocol significantly faster than the amount of time a classical supercomputer would require to break the trapdoor claw-free function—ideally, orders of magnitude faster. To achieve this, we must set the parameters of the cryptographic problem to sufficiently large values. A major benefit of using protocols based off of established cryptographic assumptions (like factoring and LWE) is that the classical hardness of breaking these assumptions is extremely well-studied, due to the implications for security. [BAR16] Thus the most straightforward way to choose parameters for our tests is to rely on publicly-available recommendations for cryptographically secure key sizes, which are used in practice. These parameter settings are designed to be not just slow for classical machines, but infeasible even for classical machines years from now—and thus certainly would constitute a definitive demonstration of quantum advantage. However, setting the parameters to these values may be considered overkill for our purposes, especially since we’d like the problem size to be as small as possible in order to make the protocols maximally feasible on near term quantum devices. With these considerations, in this section we provide two estimates for each protocol: we begin by providing estimates for smaller problem sizes that still would demonstrate some level of quantum advantage, and then give estimates based on cryptographic parameters.

We conservatively estimate that a future quantum device running the protocols investigated in this work at scale would complete the protocols on a time scale of at most hours. Thus, to demonstrate quantum advantage by several orders of magnitude, we desire to set the parameters such that a classical supercomputer would require time on the order of thousands of hours to break the TCF. In 2020, Boudot et al. reported the record-breaking factorization of a 795-bit semiprime [BGG+20]. The cost of the computation was about 1000 core-years, meaning that a 1000-core cluster would complete it in a year. We consider this sufficient cost to demonstrate quantum advantage. We emphasize also that factoring is one of the most well-studied hard computational problems; the record of Boudot et al. is the product of decades of algorithm development and optimization and thus it is unlikely that any innovations will drastically affect the classical hardness of factoring in the near term. The computational Bell test protocol using a 795-bit prime could be performed using only about 800 qubits by computing and measuring the bits of the output value $w$ one-by-one; however the gate count and circuit depth can be dramatically reduced by explicitly storing the full output value $w$, requiring roughly 1600 qubits total [KCV+22]. Because it is so much more efficient in gate count, we use the 1600 qubit estimate as the space requirement to demonstrate quantum advantage with the computational Bell test protocol.

For LWE, estimating parameters for the same level of hardness (1000 core-years) is difficult to do exactly, because to our knowledge that amount of computational resources has never been applied to breaking an LWE instance. However, we may make a rough estimate. There is an online challenge (https://www.latticechallenge.org/lwe_challenge/challenge.php) intended to explore the practical classical hardness of LWE, in which users compete for who can break the largest possible instance. As of this writing, the largest instances which have been solved use LWE vectors of about 500-1000 bits (depending on the noise level of the error vector), but the computational cost of these calculations was only of order 0.5 core-years. To require 1000 core-years of computation time, we estimate that the LWE vectors would need to be perhaps 1000-2000 bits in length; by not explicitly storing the output vector $w$ but computing it element-by-element (similar in principle to the scheme for evaluating $x^{2}modN$ using only $\log \left(N\right)+1$ qubits [KCV+22]) it may be possible to perform the LWE protocol using a comparable number of qubits to the bit length of one LWE vector.

We now provide estimates for cryptographic parameters; that is, parameters for which it expected to be completely infeasible for a classical machine to break the trapdoor claw-free function. For the factoring-based protocol, we may apply NIST’s recommended key sizes for the RSA cryptosystem, whose security relies on integer factorization. NIST recommends choosing a modulus $N$ with length 2048 bits. By using circuits optimized to conserve qubits, it is possible to evaluate the function $x^{2}modN$ using only $\log \left(N\right)+1$ qubits, yielding a total qubit requirement of 2049 qubits [KCV+22]. However, the circuit depth can be improved significantly by including more qubits; a more efficient circuit can be achieved with roughly $2\log \left(N\right)\sim 4100$ qubits. Because LWE is not yet broadly used in practice like RSA is, NIST does not provide recommendations for key sizes in its documentation. However, we can use the estimates of Lindner and Peikert[LP11] to find parameters which are expected to be infeasible classically. In Fig. 3 of that work, the authors suggest using LWE vectors in $Z_q^n$ with $n=256$ and $q=4093$ for a “medium” level of security. Vectors with these parameters are $n\log \left(q\right)\sim 3072$ bits long. To store both an input and output vector would thus require roughly $\sim 6200$ qubits. By repeatedly reusing a set of qubits to compute the output vector element-by-element the computation could be performed using roughly 3100 qubits.