A Simple Protocol for Certifying Graph States and Applications in Quantum Networks

Abstract

We present a simple protocol for certifying graph states in quantum networks using stabiliser measurements. The certification statements can easily be applied to different protocols using graph states. We see, for example, how it can be used for measurement based verified quantum computation, certified sampling of random unitaries, quantum metrology and sharing quantum secrets over untrusted channels.

1. Introduction

Graph states are a family of multipartite quantum states, defined in one to one correspondence with a simple graph [1]. They are incredibly useful resources across quantum information, acting as the key entanglement resource for error correction [2], measurement based quantum computation [3], quantum secret sharing [4] and more [1]. Furthermore, they can be implemented in many different ways, for example in optics [5,6,7,8,9] including on chip [10], in ion traps [11,12], super conducting qubits [13] and NV centres [14].

Many methods exist for testing graph states varying in the trust that must be assumed and the kind of statements that are made. With respect to trust assumptions, on the one hand techniques such as tomography [15] and entanglement witnesses [16] make assumptions about the source and measurements (essentially that they are honest but noisy). On the other hand tests which require the least trust, where neither the source nor the measurement devices are trusted, such as self testing [17], are incredibly demanding to implement in a way that closes all loopholes (necessary for security).

In this work we explore the mid ground, where (local) measurement devices are trusted, but sources and channels are not [7,18,19,20,21]. Our statements of confidence are tailored to this end, following the language of quantum authentication [22], particularly suited to applications for quantum networks. At the end of the protocol one gets a quantum output—the state we want to use—and a classical output—which tells us weather we accept or reject. A successful test for us is then one that always accepts an ideal source and outputs the ideal source state (completeness) and, if it accepts, the state is not too far from the ideal state (soundness—see below for technical definitions). With this in hand, we see how it can be used for certification for various quantum network tasks, in particular for delegated computation, generation of randomness, quantum metrology and quantum secret sharing.

For a given graph G with vertices V, and denoting $N\left(i\right)$ as the neighbours of $i\in V$, associating a qubit to each vertex, a graph state $|G\rangle$ on $\left|V\right|=n$ qubits is defined through the associated stabiliser equations

$$\begin{array}{c}\hfill |G\rangle =S_i|G\rangle ,\end{array}$$

(1)

where $S_i$ are the graph stabiliser operators, with generators $S_i:=X_i{\otimes }_{j\in N\left(i\right)}{Z}_j$ associated to each of the N veritces, and $X_i$ and $Z_i$ are Pauli operators. We denote the full stabiliser group $S=\left\{S_i\right\}=<S_1,\dots ,S_n>$, which has $2^N$ elements. We say that the graph state $|G\rangle$ is shared amongst n players, who, depending on the application may be in one physical location or distributed across a network.

The idea of the protocol is very straightforward. The players ask the source for M copies of the graph state. They choose at random one of these to be used, and all the rest are tested by randomly choosing a stabiliser operator and checking it returns the value $+1$. Since the malicious parties (the source, channel... everything except the players) do not know which copy will be tested or used beforehand, the only way they will always pass all the tests is if the players receive the intended graph state each all M times.

We begin in the next section by introducing the basic protocol, along with an example. We then provide the rigorous security statements, followed by several applications. We conclude with discussions on variants of the protocol, some possible further applications and comments on the scaling of the security parameter.

2. Protocol

Many variants of the protocol are possible, in ways that may depend on the application or implementation at hand. For clarity we present one particular simple variant of a protocol. After we will comment on other possibilities. We start in the standard assumption that the honest parties, the players, share a secret classical key $k=\{r,t\}$, composed of $r\in [1\dots M]$, $t={\left\{t_i\right\}}_{i\ne r}$, $t_i\in [1,\dots ,2^n]$ denoting $\mathcal{K}$ the set of all keys ($k\in \mathcal{K}$). The protocol follows the steps below.

• The source distributes Mn-partite systems to the n players. In the honest case, this will be M copies of the graph state $|G\rangle$.
• For copy $i\ne r$, each player performs their part of the measurement of stabiliser $S_{t_i}$. If all the stabilisers output value $+1$, Accept, otherwise Reject.
• For copy r the state is the quantum output of the protocol.

The variable M plays the role of security parameter (see (9)). We briefly comment on some variants. Different parts of the protocol can be changed depending on the application. Indeed even the way the secret keys are shared even before the first step may vary, as we will see for the application to secret sharing. The way that the outcomes of the test in step 2 is shared and acceptance or rejection decided may be important for different cases, for example if some players in the network are dishonest or not trusted. One may also want to lower the accept threshold in step 2 to allow for noisy resource states, for example accepting if something less than 100% of stabiliser tests give the correct output $+1$. We will come back to these variants at different points later, but for now we continue with the simplest version presented above.

We briefly present a small example to illustrate how the protocol works. In Figure 1 we illustrate the square graph associated to the graph state $|C4\rangle$. The generators of the stabiliser group are given by

$$\begin{array}{ccc}\hfill S_1& =& X_1\otimes Z_2\otimes Z_3\otimes I_4,\hfill \\ \hfill S_2& =& Z_1\otimes X_2\otimes I_3\otimes Z_4,\hfill \\ \hfill S_3& =& Z_1\otimes I_2\otimes X_3\otimes Z_4,\hfill \\ \hfill S_4& =& I_1\otimes Z_2\otimes Z_2\otimes X_4.\hfill \end{array}$$

The stabiliser group $S=<S_1,S_2,S_3,S_4>$ is the set of all products of the generators. In step 1 of the protocol the source is requested to generate M copies of the state $|C4\rangle$. In step two all but one of the copies (identified by r) are tested by each time randomly choosing one of the stabilisers to measure. For example if $S_1$ were chosen to be tested on the $i\ne r$th copy, the first party would measure X and parties two and three would measure Z. They would then compare all their answers, and if the product of their results was $+1$ they would accept. The example state here is the one of the simplest graph states, yet has been experimentally already used to demonstrate computation [23], error correction [24] and secret sharing [7]. The additional difficulty in performing our protocol to verify these applications is minimal as it just requires asking for many copies of the resource state, which is in any case how the set up works in all these implementations.

3. Security

We first formalise our notions of security, following [22]. For simplicity we encode the classical output as orthogonal quantum states ${|ACC\rangle }_R$ for accept and ${|REJ\rangle }_R$ for reject. The output state will in general depend on the classical key $k=\{r,t\}$. For each key $k\in \mathcal{K}$, we denote the output state of the players plus classical reference system as ${\rho }^k$. We say the protocol is $ϵ$-secure if it satisfies the following two properties

• Completeness. If the players recieve M copies of the ideal resource state $|G\rangle$, then for all keys k

  $${\rho }^k={|G\rangle }_P\langle G|\otimes {|ACC\rangle }_R\langle ACC|.$$

  (2)
• Soundness. Denoting the expected output state over all key strings as ${\rho }_{out}:=\frac{1}{\left|\mathcal{K}\right|}{\sum }_{k\in \mathcal{K}}{\rho }^k$, and denoting the projection $P_{fail}:={(I-|G\rangle }_P\langle G\left|\right)\otimes {|ACC\rangle }_R\langle ACC|$, then

  $$\mathrm{Tr}\left(P_{fail}{\rho }_{out}\right)\le ϵ.$$

  (3)

Completeness is trivially guaranteed since the test uses the stabilisers of the state itself, so it will always accept. Note that this definition of correctness is somewhat impractical, as one can never expect to have a perfect entangled state in any realistic source. However it is important in the sense of an ideal property of a protocol. Furthermore, our protocol can easily be adapted for more practical versions of completeness, as we discuss in the conclusions (see also Reference [25]).

Soundness follows through a similar reasoning to that in Reference [21]. Let us denote by $\rho$ the state of all the $Mn$ systems that the players receive in step 1 of the protocol. In order to bound (3) we only need to consider the output state conditioned on accept, let us denote it by ${\rho }_{ACC}$. To find this we start with the fact that for a given key $k=\{r,t\}$, the projection corresponding to accepting all $M-1$ tests can be written as:

$$M_{accept}^{r,t}=\underset{i\ne r}{⨂}\frac{(S_{t_i}+{\mathbb{I}}_i)}{2}\otimes {\mathbb{I}}_r.$$

(4)

From this we have that ${\rho }_{ACC}$ can be written as

$${\rho }_{ACC}=\sum _{r=1}^M\sum _t\frac{1}{M}\frac{1}{{\left|S\right|}^{M-1}}{\rho }_{r,t},$$

(5)

with

$${\rho }_{r,t}=\frac{1}{\mathrm{Tr}\left(M_{accept}^{r,t}\rho \right)}{\mathrm{Tr}}_{r^c}\left(M_{accept}^{r,t}\rho \right),$$

(6)

where $A^c$ denotes the complement of set A.

Putting this together, we obtain

$$\mathrm{Tr}\left(P_{fail}{\rho }_{out}\right)=\frac{1}{M}\mathrm{Tr}\left(Q\rho )\right),$$

(7)

where

$$\begin{array}{ccc}\hfill Q& =& {\displaystyle \sum _{r=1}^M}{\displaystyle \sum _t}\frac{1}{S^{M-1}}{\displaystyle \underset{i\ne r}{⨂}}\frac{S_{t_i}+{\mathbb{I}}_i}{2}\otimes \left({\mathbb{I}}_r-\left|G\right.〉\left.〈G\right|\right)\hfill \\ & =& {\displaystyle \sum _{r=1}^M}{\displaystyle \underset{i\ne r}{⨂}}\frac{{\mathbb{I}}_i+{|G\rangle }_i\langle G|}{2}\otimes ({\mathbb{I}}_r-{\left|G\right.〉}_r\left.〈G\right|),\hfill \end{array}$$

(8)

since $1/\left|S\right|{\sum }_i{S}_i=|G\rangle \langle G|$. Note that Q is hermitian and positive. It then remains to check that all eigenvalues of Q are smaller than 1, for which a proof can be found in the Appendix A. It then follows that

$$\mathrm{Tr}\left(P_{fail}{\rho }_{out}\right)\le \frac{1}{M},$$

(9)

for all source states $\rho$.

The protocol also has natural extensions for higher prime dimensional graph states, where proofs also follow straightforwardly.

Below we present several applications, where the security follows directly as above with a simple application of our protocol, or slight variants of the security statement are made (verified t-designs) or some of the variants of the simplest protocol mentioned above give the utility required (quantum secret sharing).

4. Applications

We focus on applications that can be considered as completely positive trace preserving (CPTP) map $\mathrm{\Gamma }$ acting on the quantum output. Since fidelity is monotonic under CPTP maps, the usefulness or soundness is preserved. This is the case, for example, when further interaction with the source is not required to run the protocol.

Formally, with respect to the CPTP application $\mathrm{\Gamma }$ one defines a new fail projector,

$$\begin{array}{c}\hfill P_{Fail}\left(\mathrm{\Gamma }\right):=\left(I-\mathrm{\Gamma }\left(|G\rangle \langle G|\right)\right)\otimes |ACC\rangle \langle ACC|.\end{array}$$

(10)

Due to the monotonicity of fidelity, (3) implies that

$$Tr\left(P_{fail}^{\mathrm{\Gamma }\left(G\right)}\mathrm{\Gamma }\left({\rho }_B\right)\right)\le \frac{1}{M}.$$

(11)

We now go through some examples of applications.

4.1. Verified Blind Quantum Computation

In verified blind quantum computation a technologically limited Alice wishes to delegate some quantum computational task to a server, Bob, in such a way that Bob does not get information about the computation (blind), and moreover, that she can be confident the computation has been carried out correctly (verified). There are many techniques to achieve this—see Reference [26] for a recent overview.

In our scenario Alice is limited to single qubit measurements. Clearly this, on its own, is not enough for universal quantum computation. However, in measurement based quantum computation (MBQC), universal quantum computation is achieved by single qubit measurements on a graph state, with feed forward [3]. Importantly the measurements can be made one qubit at a time. Thus, if Alice asks Bob to provide her with a universal graph states, either cluster states [3] or brickwork states [27] for example—Alice can perform the computation she wants. Moreover this is blind to Bob—he gets only minimal information, an upper bound to the size of the computation (given by the size of the graph state Alice asks for). To verify the computation Alice can simply apply our protocol to test and use a universal graph state of her choice.

One has the same notions of completeness and soundness as those above, replacing the graph state by the ideal output of the computation. Completeness follows immediately from the universality of the chosen graph state. For soundness, we simply note that Alice’s measurement sequence, which affects the computation, can be understood entirely as a CPTP map on the quantum output of our protocol. In this way, the condition (11) ensures soundness also. More specifically, if we denote the ideal output of a computation as ${\rho }_{ideal}^{comp}$, and the average output of a given computation ${\rho }_{out}^{comp}$, the failing projector becomes $P_{Fail}^{comp}:=\left(I-{\rho }_{ideal}^{comp}\right)\otimes |ACC\rangle \langle ACC|$, and we have from (11) a verification soundness condition (see e.g., Reference [28]),

$$Tr\left(P_{Fail}^{comp}{\rho }_{out}^{comp}\right)\le \frac{1}{M}.$$

(12)

Note that, compared to Reference [28], this scaling with resources is poor. We will talk about this in the conclusions, but it is essentially a trade-off between the security scaling, and the entanglement costs of the protocol. In this sense our protocol sacrifices scaling for practicability.

We also note that the idea of testing graph states for MBQC computation has been presented before in several measurement based verification schemes, for example, References [29,30]. Indeed, this application of our protocol is almost identical to the verified computation scheme in Reference [30], the main differences being in the specifics of the test (we measure settings chosen from all stabilisers, they a subset) and the figure of merit used (we use the correctness and soundess above, they use the language of hypothesis testing). We present it here simply as an alternative possible scheme, with similar characteristics. As pointed out in Reference [30], this scenario is suited to performing fault tolerant computation, since Alice could equally ask Bob for a resource graph state for fault tolerant computation, for example the topological scheme in Reference [31] using 3D cluster states. This was the idea of the fault tolerant verified computation presented in Reference [32], note however that this works only if the errors on Alice’s measurement device are assumed to be independent from anything happening on Bob’s side.

4.2. Verified t-Designs

Graph states can also be used to sample from a random ensemble of unitaries—this is effectively MBQC without correction, where the measurement outcomes index which unitary is implemented. In particular, in Reference [33] it was shown that ensembles with a particularly useful property of being t-designs can be efficiently sampled using graph states. A t-design is an ensemble of unitaries with the property that its statistical moments match those of a Haar ensemble up to order t, with applications across quantum information and physics, for example in estimating noise [34], private channels [35], modelling thermalisation [36], photonics [37], and even black hole physics [38]. Later in Reference [39] this approach was developed to show that efficient t-designs can be generated using a regular lattice similar to the brickwork state. Both results rely heavily on the construction of [40,41] using random circuits.

Our protocol can be used to certify the application of a t-design random unitary onto an input, where the source of the graph state is not trusted. For each set of measurement outcomes $\overline{m}$, we denote the applied CPTP map on the graph state as ${\mathrm{\Gamma }}^{\overline{m}}$. For simplicity we consider the action of the induced unitary on the input vertices $I\subset V$ corresponing to inputs in the state $|+\rangle$. Then [33,39] state that measurement result $\overline{m}$, occuring with probability $p_{\overline{m}}$ applies a unitary on the input ${|+\rangle }^{\otimes \left|I\right|}$

$${\mathrm{\Gamma }}^{\overline{m}}\left(\right|G\rangle )=U^{\overline{m}}{|+\rangle }^{\otimes \left|I\right|},$$

(13)

such that the ensemble $\{p_{\overline{m}},U^{\overline{m}}\}$ is an approximate t-design (see Reference [33] for detailed definitions).

For security of verified t-designs one can replace the graph state in the definitions (2) and (3) by the output state (13). The soundness is then guaranteed for each $\overline{m}$ by (11). It can easily be seen that one can flip this around to give a statement on the fidelity,

$$F\left(U^{\overline{m}}\right|\psi \rangle ,{\Gamma }^{\overline{m}}\left({\rho }_{ACC}\right){)}^2\ge 1-\frac{1}{P_{acc}M},$$

(14)

where $P_{acc}$ is the probability of passing the tests and ${\rho }_{ACC}$ is the output of the protocol conditioned on accepting.

4.3. Quantum Metrology

In quantum metrology entangled states are used to measure with more precision than is possible with classical probes [42]. The general setting can be understood as an interferometer which imparts a phase $\psi$ on one arm, each time a system passes through it. The idea is to send in many probes N in an entangled state $\rho$, whereafter measurements can reveal the phase with higher precision than possible sending in separable states.

How well this process allows the parameter $\psi$ to be estimated is quantified by the Quantum Fisher Information, ${\mathcal{F}}_Q\left(\rho \right)$. Note, as indicated by the notation, for a simple interferometer the quantum Fisher information is independent of the value of $\psi$ since it is unitarily encoded [43,44]. In particular, for $\nu$ independent repetitions of the process, the precision is characterised by the mean squared error ${\mathsf{\Delta }}^2\tilde{\psi }$ of a (consistent and unbiased) estimator $\tilde{\psi }$, which is lower bounded by the Quantum Cramér-Rao Bound [45],

$${\mathsf{\Delta }}^2\tilde{\psi }\ge \frac{1}{\nu {\mathcal{F}}_Q\left(\rho \right)}.$$

(15)

For the standard interferometer, the best possible scaling with N is achieved by the N-party GHZ state $\frac{1}{\sqrt{2}}{\left(\right|0\rangle }^{\otimes N}+{|1\rangle }^{\otimes N})$. Denoting its density matrix ${\rho }_{GHZ}$ we have ${\mathcal{F}}_Q\left({\rho }_{GHZ}\right)=N^2$. The GHZ state is locally equivalent to a graph state for the fully connected graph. Our certification protocol can easily be adapted using the same local unitaries to test ${\rho }_{GHZ}$ (simply by rotating the test measurements accordingly).

In Reference [44], they show that the quantum Fisher information of two states differs by an amount bounded by their fidelity

$$\begin{array}{c}\hfill \left|{\mathcal{F}}_Q\left(\rho \right)-{\mathcal{F}}_Q\left(\sigma \right)\right|\le 6\sqrt{1-F{(\rho ,\sigma )}^2}{N}^2,\end{array}$$

(16)

if $\rho$ or $\sigma$ are pure. That is, if two states are close, as measured by their fidelity, their usefulness for quantum metrology is close. Given the fidelity bound implied by our test (14), we see that the quantum Fisher information is also bounded. For the rotated protocol testing a GHZ states, given the output state conditioned on accepting ${\rho }_{ACC}$, we have,

$$\begin{array}{c}\hfill {\mathcal{F}}_Q\left({\rho }_{ACC}\right)\ge N^2\left(1-\frac{6}{P_{ACC}M}\right).\end{array}$$

(17)

4.4. Secret Sharing over Untrusted Channels

In quantum secret sharing a dealer wishes to distribute a secret quantum state amongst N players such that only certain subsets of players can access the secret—the authorised sets. It was shown in References [4,46] that any secret sharing scheme can be implemented using graph states. However, these rely on the trusted sharing of the graph state. If we are careful, a variant of our protocol can be used to boost these protocols to one where the network of dealer and players do not need to trust the source of the graph state or the channels used to share them.

There are two important subtleties in the application of our protocol here, stemming from the fact that unauthorised sets of players should be treated as adversaries. Firstly, it makes their inclusion in the stabiliser tests not ideal. Secondly, if they also have access to the random key k this could potentially allow attacks. In Reference [21] a protocol was presented which can be understood as a variant of the application of our scheme where (i) the stabiliser tests are restricted to an authorised set, and (ii) the classical key k is distributed by a classical secret sharing scheme, with the same access structure. A proof of principle example of this protocol was implemented in Reference [7], demonstrating its simplicity.

5. Conclusions

In this work we have presented a protocol for certifying graph states and a few applications in quantum networks. There are clearly some applications that our protocol would not be suited for—namely ones where further interactions are required with Bob. Such interactions may allow for Bob to correlate his strategy in cheating the ‘test’ part to the future applications potentially threatening functionality (be it security or otherwise). Nevertheless its simplicity lends itself to many applications as we have seen, not only in the form of protocol presented here, but also its suitability to permit variants, as with secret sharing. A simple variant can also deal with noisy states for example, where one would not expect, even an honest noisy source to pass all the time. In such a case one can change the accept requirement to require some smaller portion of correct answers. One can adapt the security statements and proofs to this end without too much difficulty. Indeed, this is the approach taken in follow up work [25].

We also note that the fidelity of a state to particular graph states can be used as a witness for genuine multipartite entanglement (that is, entanglement which cannot be considered as entanglement between fewer than all the systems) [47]. In this way our protocol can be used to demonstrate this feature also. A related notion is genuine multipartite steering [48], where one considers the capacity of a state to violate a steering inequality [49] across all bipartitions. The fidelity to certain graph states is also known be usable as a witness for genuine multipartite steering [50]. In both these cases, the standard approach uses stabiliser measurements, but assumes that the source is preparing identical copies of the state in each round [47,48,50]. Our protocol relaxes this assumption, yet still allows for witnessing these features within confidence levels.

We end with a discussion on scaling of soundness condition with M. In the kind of protocol presented here, it is impossible to beat the $1/M$ scaling. This is clear simply because a malicious party can behave honestly for all but one requested state, and send one false/dishonest state. With probability $1/M$ the malicious party’s choice of when to be dishonest coincides with the users choice of which one would be used and not tested, so strategy passes the test perfectly yet the state can be arbitrarily far from the ideal one and potentially ruin whatever application. Thus in order to beat the $1/M$ scaling one expects to need some more entanglement. This can be done, for example, by encoding the desired state on some randomly chosen error correcting code—the essential trick used in the original authentication paper by Barnum et al. [22]. Such an approach can give an exponential scaling in security with the number of systems sent. The downside now is that the entanglement required scales with the security. This then suggests a tradeoff between entanglement and scaling.

In this context, the advantage of our protocol is that, for many applications, the difficulty in implementing a certified version of an application becomes only the same difficulty as producing the same resource state many times, rather than asking for much more difficult larger, scaling, entanglement. In optics for example, this advantage makes certified secret sharing possible [7], doing so an entangled code version would require impractical scaling in entanglement.