Robustness and device independence of verifiable blind quantum computing

Recent advances in theoretical and experimental quantum computing bring us closer to scalable quantum computing devices. This makes the need for protocols that verify the correct functionality of quantum operations timely and has led to the field of quantum verification. In this paper we address key challenges to make quantum verification protocols applicable to experimental implementations. We prove the robustness of the single server verifiable universal blind quantum computing protocol of Fitzsimons and Kashefi (2012 arXiv:1203.5217) in the most general scenario. This includes the case where the purification of the deviated input state is in the hands of an adversarial server. The proved robustness property allows the composition of this protocol with a device-independent state tomography protocol that we give, which is based on the rigidity of CHSH games as proposed by Reichardt et al (2013 Nature 496 456–60). The resulting composite protocol has lower round complexity for the verification of entangled quantum servers with a classical verifier and, as we show, can be made fault tolerant.


Introduction
While the prospect of commercially available universal quantum computing is still distant, a number of experiments involving multi-qubit systems have recently been developed. Irrespective of their applications, these technologies require methods and tools for verifying the correctness of their operations. Assuming that quantum computing is more powerful than classical computing, a simulation-based approach for quantum verification of devices with a sufficiently large number of qubits becomes practically impossible. Aaronson and Arkhipov showed in [3] that even a rudimentary quantum computer constructed with linear-optical elements cannot be efficiently simulated. Similarly, verifying the correct preparation of a general n-qubit state via state tomography also involves exponential overhead since it requires collecting statistics from $4^n$ separate observables [4].
The verification of quantum devices becomes more complicated when the functionality involves cryptographic primitives. In these cases, incorrect operations could be the result of actions of an adversary. Thus it becomes necessary to guarantee the security of the application under certain assumptions about the devices. Ideally a protocol should remain secure even if the devices are faulty and partially controlled by adversaries. This would lead to a solution that is device-independent and robust. However, generating such protocols has proven difficult. Even in quantum key distribution, a complete proof of security for a device-independent protocol, in the presence of noise, has been achieved only recently [5].
The issue of verification needs to be resolved to be able to exploit successfully any future quantum computers. Moreover, one expects that the first large scale quantum devices are unlikely to be personal computers. Instead, they will probably function as servers to which clients can connect and request the computation of some difficult problem. The client may also require his computation to be private, i.e. require that the server does not learn anything about it. We should therefore construct protocols that verify an arbitrary delegated quantum computation and prove the security and correctness of this verification technique.
The approaches that have been so far successful are those based on interactive proof systems [6,7], where a trusted, computationally limited verifier (also known as client, in a cryptographic setting) exchanges messages with an untrusted, powerful quantum prover, or multiple provers (also known as servers). The verifier attempts to certify that, with high probability, the provers are performing the correct quantum operations. Because we are dealing with a new form of computation, the verification protocols, while based on established techniques, are fundamentally different from their classical counterparts. A number of quantum verification protocols have been developed, for different functionalities of devices and using a variety of different strategies to achieve verification [1,2,8,9,10,11,12,13,14,15,16,17]. The assumptions made depend on the specific target and desired properties of the protocol. For example, if the emphasis is on creating an immediate practical implementation, then this should be reflected in the technological requirements leading to a testable application with current technology [17]. Alternatively, if the motivation is to prove a theoretical result, we may relax some requirements such as efficient scaling [2]. An important open problem in the field of quantum verification is whether a scheme with a fully classical verifier is possible [18,19]. We know, however, that verification is possible in the following two scenarios:
1. A verifier with minimal quantum capacity (ability to prepare random single qubits) and a single quantum prover [1]. This is the Fitzsimons and Kashefi (FK) protocol.
2. A fully classical verifier and two non-communicating quantum provers that share entanglement [20]. This is the Reichardt, Unger and Vazirani (RUV) protocol.
One of our objectives is to obtain a device independent (allowing untrusted quantum devices) version of the FK protocol, by composing it with the RUV protocol. The additional properties we aim to achieve from this composition are fault tolerance (allowing noisy devices) and reduced round complexity. Composing protocols can indeed be fruitful since it could lead to new protocols that inherit the advantages of both constituents. The universal composability framework, allowing for secure compositions, has been successfully extended to the quantum realm [21,22,23]. Recently, the security of single server verifiable universal blind quantum computing protocols has been demonstrated in an abstract cryptographic framework [24] that is also known to be equivalent to the simulation-based composability framework. However this setting does not fulfil the necessary requirements for our composition. This is because, when combining a single server verification scheme (FK) with an entangled server scheme (RUV), there exists the possibility of correlated attacks, which are not explicitly treated in the composability framework. Such attacks can occur when an untrusted server's strategy is correlated with deviations in the protocol's input state. Our robustness result resolves this issue in the stand-alone composition setting and the same technique could potentially be extended to the composable framework of [24], thus resolving the problem of correlated attacks.
The type of composition that we require is sequential. We take the output of the first protocol and use it as input for the second. However, in general, the output of the first protocol is not necessarily an acceptable input for the second protocol. In particular, since the verification protocols are probabilistic, their outputs typically deviate by a small amount from the ideal one. Thus, it is necessary that the second protocol remain secure even if the input is slightly deviated from the ideal one. Moreover, we make sure that adversaries cannot exploit any correlations between the deviated input and their strategy to compromise the security of the protocol. Therefore to securely compose the protocols, we need to address this new type of attack. The main results of this paper can be summarised as follows:
1. We prove that the FK protocol is strongly robust, see Theorem 1. First, we show that FK can tolerate inputs which deviate from their ideal values by a small amount, see Lemma 7. However, for composition with other protocols a stronger property is needed. We therefore proceed to show that the FK protocol is robust even when the deviated input is correlated with an external system possessed by an adversary (for example the provers' private systems in the RUV protocol), see Lemma 8.
2. An immediate consequence of the robustness theorem is that we can construct a composite protocol combining RUV with FK. The required input states for the FK protocol are prepared via the state tomography sub-protocol of RUV. Our composite protocol inherits the device independence property of RUV, see Theorem 3. Additionally, since we do not require the full RUV protocol, the composite protocol also has an improved round complexity.
3. Lastly, we address the distinction between robustness and fault tolerance and show how the FK protocol can be made fault tolerant, thereby making our proposed composite approach fault tolerant as well.

In Section 1.1 we give some preliminaries. In Section 2 we present the main results, that we summarised above, and outline their proofs. In particular we give robustness in Subsection 2.1, composition in Subsection 2.2 and fault tolerance in Subsection 2.3. Further details of the proofs are given in Section 3 for robustness, in Section 4 for composition and in Section 5 for fault tolerance. We conclude in Section 6.

Preliminaries
We first introduce the relevant concepts used in describing verification protocols and then briefly present the two protocols we will build on (FK and RUV).

Interactive Proof Systems
As explained in [6,10], a language L is said to admit an interactive proof system if there exists a computationally unbounded prover P and a BPP verifier V, such that for any x ∈ L, P convinces V that x ∈ L with probability ≥ 2/3. Additionally, when x ∉ L, P convinces V that x ∈ L with probability ≤ 1/3. Mathematically, we have the following two conditions 1 :

The set of languages which admit such an interactive proof system defines the complexity class IP. We are interested in the case when the prover is a polynomial-time quantum computer (i.e. a BQP machine). In [10], the first definition of such a quantum interactive proof system was given, which we use here:

Definition 1.
[10] Quantum Prover Interactive Proof (QPIP) is an interactive proof system with the following properties:
(i) The prover is computationally restricted to BQP.
(ii) The verifier is a hybrid quantum-classical machine. Its classical part is a BPP machine. The quantum part is a register of c qubits (for some constant c), on which the prover can perform arbitrary quantum operations. At any given time, the verifier is not allowed to possess more than c qubits. The interaction between the quantum and classical parts is the usual one: the classical part controls which operations are to be performed on the quantum register, and outcomes of measurements of the quantum register can be used as input to the classical machine.
(iii) There are two communication channels: one quantum and one classical.
The completeness and soundness conditions are identical to the IP conditions.

We are also interested in interactive protocols that use more than one prover. There are only two differences, first that the verifier can interact with multiple provers instead of just one, and second that the provers are not allowed to communicate. The conditions for completeness and soundness remain unchanged. The analogous complexity class that involves multiple provers is called Multi-Prover Interactive Proof System and denoted MIP [25]. It is defined as the set of all languages which admit an interactive proof system with one or more non-communicating provers. If the number of provers is fixed to be k, the corresponding complexity class is MIP[k]. A closely related class is MIP* where the multiple non-communicating provers share entangled states.
In all of these cases, the verifier is essentially delegating a difficult computation to the prover(s). This computation can be universal with respect to the computation model of the prover(s). In our case, this means universal for polynomial-time quantum computations. The number of classical messages exchanged between the verifier and the prover, throughout the run of the protocol, as a function of the input size is known as the round complexity of the protocol.

Quantum Protocols
Throughout this subsection, we assume the reader is familiar with the teleportation-based and more generally measurement-based quantum computing (MBQC) models, described in detail in [26,27].
We first summarise the FK protocol [1] which is a QPIP protocol. It is also known as unconditionally secure, verifiable, universal blind quantum computing. The protocol is "blind" which means that no information about the computation is leaked to the prover, apart from its size. This property can be exploited by allowing the verifier to insert hidden "traps" within the computation. The traps are deterministic tests which the verifier can perform in order to verify that the prover is not deviating from the protocol. Blindness ensures that the traps are indistinguishable from the computation.
The basic idea of this protocol is that the verifier prepares and sends qubits to the prover. The prover entangles these qubits and then performs adaptive measurements (sending the measurement outcomes to the verifier) that will overall implement a certain unitary operation, as in the MBQC model of computation. The traps are single isolated qubits, disentangled from the rest of the computation, and when measured in suitable bases give deterministic outcomes that are known to the verifier (but not to the prover). Since the prover is completely blind and does not know which qubits are traps and which are part of the actual computation, any attempt to cheat has some probability to affect the trap and thus be detected.
The FK protocol is based on a universal resource state for the MBQC model, known as the dotted-complete graph state. The details of this resource state are not crucial for understanding this paper, apart from the fact that, as part of the FK protocol, the appropriate operators are performed by the untrusted server to prepare this generic state. In particular, a series of controlled-Z operators are performed by the server, according to the dotted-complete graph structure, for entangling the individual qubits prepared in advance by the verifier. These initial qubits, that are sometimes referred to as the input of the FK protocol, are sent to the server at the first stage of the protocol. This fact is used to prove some basic properties needed for our main robustness result, see Theorem 2. Therefore, for the purpose of completeness, we state here the definition of the dotted-complete graph state, taken from [1], see also Figure 1.

Definition 2.
[1] Let K N denote the complete graph of N vertices. Define the dotted-complete graph, denoted as KN , to be a graph where every edge in K N is replaced with a new vertex connected to the two vertices originally joined by that edge. We call the quantum state corresponding to KN the dotted-complete graph state. This multi-partite entangled state is prepared by replacing every vertex with a qubit in the state $|+\rangle$ and applying a controlled-Z operator for every edge in the graph.

The family of dotted-complete graph states is universal for quantum computation. Moreover, any other graph state could be obtained from a large enough dotted-complete graph state by applying the appropriate Pauli measurements over some of the vertices (the ones shown in white, in Figure 1). Concretely, in order to construct any desired graph of N vertices from a dotted-complete graph KN , Pauli Y measurements are performed in order to keep a specific edge, and Pauli Z measurements in order to remove it (alternatively, one could use the states $|0\rangle$, $|1\rangle$ for the edges which should be removed, instead of performing a Pauli Z measurement). This can be done blindly in order to hide the target graph. The detailed construction is not important for the rest of this paper and hence omitted (see Section 5 in [1]). We give a brief description of FK, shown here as Protocol 1.

Protocol 1 Fitzsimons, Kashefi QPIP Protocol from [1]

Assumptions
The verifier wants to delegate a quantum computation described by the graph G and specific measurement angles $\phi_i \in \{0, \pi/4, \ldots, 7\pi/4\}$ chosen to define a desired computation. He chooses a security parameter d and encodes this graph into the topological error correcting scheme of Raussendorf, Harrington and Goyal [28], that can correct or detect errors with weight less than d. The encoded graph, G, will have N qubits. He then considers a random hidden partitioning of the vertices of the dotted-complete graph K 3N into 3 subgraphs: the computation graph G, and two different types of isolated traps which the verifier will use in order to test the prover's honesty in performing measurements. All measurements are performed in the XY-plane.

Protocol
1. Verifier prepares and sends the 3N(3N + 1)/2 qubits to the prover (the number of vertices in K 3N ). These consist of dummy qubits which are either $|0\rangle$ or $|1\rangle$ (isolating their neighbouring vertices from the rest of the computation) and computation or trap qubits which are of the form ), where $\theta \in \{0, \pi/4, \ldots, 7\pi/4\}$.
2. The prover entangles the qubits according to the structure of the K 3N graph by applying controlled-Z operations between any pair of vertices that are connected with an edge.
3. For each qubit i, the verifier computes the measurement angle $\delta_i = \theta_i + \phi_i + r_i \pi$, where $\phi_i$ is the adapted version of the computation angle $\phi_i$, and $r_i$ is a randomly chosen bit {0, 1}. Adapted computation angles are used to account for corrections from previous measurements. The measurement angles $\phi_i$, for the trap qubits, are randomly fixed to be 0 or π. However, due to blindness provided by the initial $\theta_i$ rotations in the preparation of individual qubits (Step 1 above), the value of $\delta_i$ is uniformly distributed over the set $\{0, \pi/4, \ldots, 7\pi/4\}$. The verifier sends these measurement angles one by one to the prover. The prover measures each corresponding qubit in the $\{|+_{\delta_i}\rangle, |-_{\delta_i}\rangle\}$ basis, and sends his reply $b_i$ to the verifier.
4. The verifier accepts if for all trap qubits, the reported measurement outcome $b_t$ is the same as the expected outcome $r_t$.
According to Definition 1 the quantum channel between verifier and prover is one-way (from the verifier to the prover). Moreover, the constant c, representing the number of qubits that the verifier can possess at any given time, is exactly one. We refer the reader to [1] for a more in-depth description of the protocol and its associated concepts. However, we recall the key properties of the protocol in the following lemma.
Lemma 1. Assuming the verifier wants to delegate the computation of a circuit of size N, the FK protocol has $O(N^2)$ round complexity and uses $O(N^2)$ qubits with completeness being exactly 1 while the soundness is upper bounded by $(2/3)^{2d/5}$, where d is the security parameter.
Proof. It is clear from Protocol 1 that the total number of qubits used in the protocol is 3N(3N + 1)/2, where N is the number of qubits for the encoded graph G. Additionally, we have the same number of rounds of classical communication, corresponding to the measurements of qubits in the dotted-complete graph (each measurement requires 3 classical bits to specify the measurement angle and 1 bit to specify the outcome). Both the overall round complexity and the required quantum resources are thus $O(N^2)$. As described in Protocol 1, the verifier accepts if and only if all trap measurements succeed. This is always the case if the prover is honest and follows the instructions, since the trap measurements are deterministic. Therefore, the probability that the verifier accepts when the prover is honest is exactly 1 (completeness). On the other hand, it is shown in [1] that in the case of classical output, the protocol is $(2/3)^{2d/5}$-verifiable, meaning the soundness is upper bounded by $(2/3)^{2d/5}$.
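The deterministic trap test behind the completeness argument, as an added example (not code from the paper or from [1]): a single isolated trap qubit from Protocol 1 simulated in plain Python. It assumes the trap state is (|0> + e^{iθ}|1>)/√2 and takes the trap's computation angle to be 0 so that the expected outcome is r; the function names and the Z-rotation used as a deviated input are constructed for illustration.

```python
import cmath
import math

# The eight angles {0, pi/4, ..., 7pi/4} used for theta and delta in Protocol 1.
ANGLES = [k * math.pi / 4 for k in range(8)]


def plus_state(angle):
    """Amplitudes of |+_angle> = (|0> + e^{i angle}|1>)/sqrt(2) (assumed form)."""
    return (complex(1 / math.sqrt(2)), cmath.exp(1j * angle) / math.sqrt(2))


def overlap_sq(a, b):
    """|<a|b>|^2 for two single-qubit pure states."""
    inner = a[0].conjugate() * b[0] + a[1].conjugate() * b[1]
    return abs(inner) ** 2


def outcome_prob(state, delta, b):
    """Born probability of outcome b in the {|+_delta>, |-_delta>} basis."""
    # |-_delta> equals |+_(delta + pi)>, so outcome b projects onto |+_(delta + b*pi)>.
    return overlap_sq(plus_state(delta + b * math.pi), state)


def trap_angle(theta, r):
    """delta = theta + r*pi for a trap (assumption: trap computation angle is 0)."""
    return (theta + r * math.pi) % (2 * math.pi)


def accept_prob(state, theta, r, flip_report=False):
    """Probability that the bit reported for this trap equals the expected r."""
    delta = trap_angle(theta, r)
    # A prover that flips its report passes only when the true outcome is r XOR 1.
    wanted = r ^ 1 if flip_report else r
    return outcome_prob(state, delta, wanted)


def delta_table():
    """For each delta index k (delta = k*pi/4), the hidden bits r that produce it."""
    table = {k: [] for k in range(8)}
    for j in range(8):          # theta = j*pi/4
        for r in (0, 1):        # adding r*pi shifts the index by 4
            table[(j + 4 * r) % 8].append(r)
    return table


def trace_distance(a, b):
    """Trace distance between two pure states: sqrt(1 - |<a|b>|^2)."""
    return math.sqrt(max(0.0, 1.0 - overlap_sq(a, b)))


def deviated_trap(theta, eta):
    """Constructed deviation: the trap arrives rotated by eta about the Z axis."""
    return plus_state(theta + eta)


if __name__ == "__main__":
    theta, r = ANGLES[3], 1
    ideal = plus_state(theta)
    print("honest prover, ideal trap :", round(accept_prob(ideal, theta, r), 6))
    print("report flipped on the trap:", round(accept_prob(ideal, theta, r, True), 6))
    print("r values behind each delta:", delta_table())
    noisy = deviated_trap(theta, 0.1)
    eps = trace_distance(ideal, noisy)
    print("trace distance of input   :", round(eps, 6))
    print("honest rejection prob.    :", round(1 - accept_prob(noisy, theta, r), 6))
```

Every value of δ is reached once with r = 0 and once with r = 1, so the angle the prover sees carries no information about the expected trap outcome, while a slightly rotated trap makes an honest prover fail with probability equal to the squared trace distance of the input.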
Next we summarise the RUV protocol [2] which is a MIP* protocol. It relies on the rigidity of CHSH games [29,20] to test the honesty of the provers (cf. traps in the FK protocol), and on gate teleportation to perform the computation. In particular, the verifier directs the provers to perform a series of local measurements of their parts of the shared entangled states. The purpose of this is to check for statistical violations of Bell's inequality. At the same time, the verifier makes the provers teleport quantum states into gates in order to perform his desired quantum computation [20]. Importantly, the verifier alternates between these strategies in such a way that the provers are not aware (they are blind) in which strategy their measurement belongs. Moreover, the two provers cannot use previous results in order to deviate from the protocol (i.e. there is no adaptive cheating strategy). This is summarised as Protocol 2. Due to the rigidity of the CHSH games, as proved in [2], the verifier can determine if the two provers are being honest or not from the statistical outcomes. To ensure the verification of universal computations, the resource preparation stage of the protocol will prepare multiple copies of the states: which is shared among the two provers. In fact the provers share multiple copies of $|\psi^*\rangle$, each prover having one qubit from each Bell pair. Without loss of generality, we can assume that prover 1 has the first qubit and prover 2 has the second qubit. The Hadamard, Phase and controlled-Not gates (denoted as {H, G, CNOT}) constitute a universal gate set for quantum computation. The subscript indices indicate on which qubits the gate acts. An arbitrary quantum circuit is thus simulated by repeatedly doing gate teleportations, while keeping the computation blind from the two provers the entire time.
Lemma 2. Assuming the verifier wants to delegate the computation of a circuit of size n, the round complexity of the RUV protocol is $O(n^c)$, where there exists some constant c, such that c ≥ 8192.
Proof. To determine an upper bound for the round complexity we only need to inspect the number of rounds of CHSH games, since the protocol randomly alternates between this and the other three subprotocols. As shown in Protocol 2, the verifier plays N sets of CHSH games with the two provers. Each set consists of $q n_s$ games and $n_s \geq n^{64}$. Additionally, it is required that $N \geq (q n_s)^{\alpha - 1}$, where $n^{\alpha/2} \geq n^{64}$, so α ≥ 128. These conditions are necessary for the correctness of the state tomography and process tomography subprotocols [20]. We then have that $N \geq d n^{8128}$, where d is a constant of the form $d = q^{\alpha - 1}$. This is the number of sets of CHSH games and hence the number of required games is lower bounded by $n^{8192}$. It follows that the number of rounds is $O(n^c)$, where c ≥ 8192. Note that by "lower bounded" we refer to the case when all of the CHSH statistics are consistent and the verifier does not reject. In the case of inconsistent statistics, the verifier can reject before playing $n^{8192}$ games.
The subprotocols of the RUV protocol are themselves verification protocols as proved in [20]. The subprotocol that we will use is the state tomography protocol. As part of the RUV protocol, it is used to prepare resource states which are XZ-determined, i.e. states that are uniquely determined by their traces against X and Z operators. To compose the RUV with the FK protocol we will use a modified version of the state tomography subprotocol, so that we can prepare all states that are allowed inputs for the FK protocol. We will give the modified protocol in the next section.

Assumptions
The verifier delegates a quantum circuit of size n to two quantum provers. Let ). The two provers share N n g Bell states.

Protocol
The verifier alternates randomly between four subprotocols. He chooses the first three with probability (1 − δ)/3 and the last one with probability δ.
1. CHSH games. The verifier referees N sets of sequential CHSH games, each consisting of n g games between the provers. He rejects if they win less than: of the games.
2. State tomography. The verifier chooses K ∈ [N] uniformly at random and referees K − 1 sets of CHSH games. He sends the questions from the Kth set to prover 1, while running a state tomography protocol with prover 2. In this protocol prover 2 is asked to prepare q-qubit resource states by measuring his halves of the shared Bell states. This will collapse prover 1's states to the same q-qubit resource states up to corrections. The verifier checks this using the CHSH measurement outcomes from prover 1. These outcomes tomographically determine the states that are being prepared. He rejects if the tomography statistics are inconsistent.
3. Process tomography. The verifier chooses K ∈ [N] uniformly at random and referees K − 1 sets of CHSH games. He sends the questions from the Kth set to prover 2, while running a process tomography protocol with prover 1. In this protocol prover 1 is asked to perform Bell measurements on his halves of the shared Bell states. The verifier checks this using the CHSH measurement outcomes from prover 2. He rejects if the tomography statistics are inconsistent.
4. Computation. The verifier chooses K ∈ [N] uniformly at random and referees K − 1 sets of CHSH games. In the Kth game he runs a state tomography protocol with prover 2 and a process tomography protocol with prover 1. The combination of these two achieves computation via gate teleportation.

Main Results

Robustness
The first result we prove is that the FK protocol is robust with respect to small variations in the input. Throughout this paper, by "input" we are referring to the quantum states that the verifier sends to the prover and not the computation input. Without loss of generality we can assume that the desired computation that will be delegated to the server has the fixed classical input 0, ..., 0. Dealing with arbitrary classical or quantum input is straightforward, as explained in [1], and makes no difference for our result. Hence, for the rest of this paper we define the input state of the FK protocol to be the tensor product of the individual qubits prepared by the verifier, comprising the dotted-complete graph before the prover applies controlled-Z to entangle them (these include the computation, trap and dummy qubits).
The fact that FK is robust means that the protocol's input state can be deviated from its ideal value by some small amount and the protocol will continue to function. In particular, this input state could be the output of some other protocol, provided that this state was close to its ideal value. As we will see in the next subsection, the RUV protocol is capable of such a preparation. We start by formally defining robustness in this context.

Definition 3 (Robustness).
A verification protocol with quantum input is robust if, given that the protocol input is -close in trace distance to the ideal input, in the limit where → 0 the completeness and soundness bounds remain unchanged.
Mathematically, if we denote the multi-qubit input state as ρ, and the pure states comprising the ideal input as $\pi_i$, where i goes from 1 to the number of qubits, we have that: Note that ρ is of the same dimension as $\bigotimes_i \pi_i$ as it does not contain any ancilla qubits from the environment. Given the definition of robustness, we prove that:

Theorem 1. The FK protocol is robust and given an input which is -close to its ideal value, the completeness is lower bounded by 1 − 2 and the soundness bound changes by at most O( √ ).

Because we are tracing out the environment, which could be controlled by an adversary, the security of the protocol, with a deviated input state, needs to be re-established. We highlight this in the following proof sketch of Theorem 1:

Proof sketch. We first examine soundness which considers the case of a dishonest prover. Intuitively, when the prover is malevolent, he will try to convince the verifier to accept an incorrect outcome and thus deviate from the correct protocol. However, as shown in [1], no matter how much the prover deviates, the probability for the verifier to accept a wrong outcome is bounded. If the input to the protocol is already deviated from the ideal, one could expect that the soundness bound remains unchanged. The effect of a deviated input could be incorporated in the deviated actions of the prover. This is indeed the case when the input is uncorrelated with any external system and we can express the deviation as a CPTP map (see Lemma 7 for detailed proof).
In the general case, however, the deviated input could be correlated with subsystems controlled by adversaries. This deviation could be used by the prover to improve his cheating probability. Mathematically this is manifested by the fact that the prover's action in the presence of initial correlations is not in general a trace preserving map. It can be expressed as a linear combination of a CPTP deviation and an inhomogeneous term which could be either positive or negative as shown in [30]. In this case, we use the -closeness of the input state to derive a bound of order O( √ ) for the norm of the inhomogeneous term. From linearity, and using the previous argument it follows that in the general case the soundness bound changes by at most O( √ ) (see Lemma 8 for detailed proof).
In the case of completeness, we are assuming the prover is honest. If we start with an -close input state, because of the linearity of the operators involved, we will end up with an output state that is O( )-close to the ideal output (see Lemma 9 for detailed proof).
A similar approach to Lemma 7 was used in [31] for defining approximate blindness, and in [24] to prove universal composability for blind quantum computing protocols. However, to our knowledge, these results are not strong enough to cover the requirements for the composition with the RUV protocol. In [31] only the blindness property was examined while verifying the computation was not considered. In [24] they considered local-verifiability which does not take into account, for example, the possibility of correlated attacks such as those that are possible when the two provers have a prearranged correlated strategy.

Composition
One of our main objectives is to construct a device independent version of the FK protocol. The first step was to show that FK is robust. This property guarantees that if we have an input state that is only approximately the ideal one, the protocol continues to work. We can now break the task of achieving device independent FK into two parts, which we need to compose sequentially.
1. State Preparation - use a device independent protocol to prepare on the prover's side a state which is -close to the FK input.
2. Verified Delegated Computation - run the FK protocol with the prover that has the -close input state (since robustness allows this).
The advantage of this technique is that we are free to use any protocol for state preparation as long as we have the guarantee of -closeness. This is due to our strong robustness result, which shows that FK will work even if the deviation in the prepared state is correlated with the prover's cheating strategy in the delegated computation stage. In this paper, we achieve state preparation using the device-independent state tomography sub-protocol of RUV. This sub-protocol has the -closeness property that we require, as explained in [20]. The resulting composite protocol will have a better round complexity than the full RUV protocol for the verification of quantum computations. The complexity can be improved further if a more efficient state preparation protocol is used. Recently, in an independent work that simultaneously appeared with our arXiv version, a more efficient scheme for state preparation is proposed that is based on a self-testing approach [32] rather than the rigidity of CHSH games [20].

We first clarify some details of the RUV protocol, which are essential in understanding how our composite protocol will work. RUV uses the rigidity property of CHSH games to determine that the provers share multiple copies of the Bell state $|\Phi^+\rangle = (|00\rangle + |11\rangle)/\sqrt{2}$, which is XZ-determined. They can then use XZ state tomography to verify the preparation of any other XZ-determined state. In particular, they use it to tomographically verify the preparation of a set of states which can be used to perform universal computation. They also describe how it is possible to extend the protocol in order to have full tomography with the Y operator as well [20]. However, because they are using the $|\Phi^+\rangle$ Bell state, it is only possible to fix the Y operator up to a sign change. That is, the provers can always choose to measure in either the Y or −Y bases without being detected (this corresponds to complex conjugating the states with respect to their representations in the computational basis). In fact this problem has been noticed by others as well [12,33]. As explained in [20], it is possible to force the provers to consistently choose either Y or −Y for their measurements. This makes the resulting state prepared by state tomography close to either the ideal state or the complex conjugate of the ideal state.
At first glance it would seem that this could be problematic for the FK protocol. We would have to show that running the FK protocol with an input state that is close to the complex conjugated version of the ideal input would be detected by the verifier. Intuitively this is the case, since trap qubits are in the XY-plane and complex conjugating them would lead to different measurement outcomes. We will not prove this and instead provide a simpler solution.
The problem stems from the fact that we are using the XZ-determined $|\Phi^+\rangle$ state. Let us instead consider the state Using Theorem 2 from [20], and the fact that $|\Psi^+\rangle$ has stabilizer generator set $\{X \otimes X, Y \otimes Y\}$ which belongs to $\{I, X, Y\}^{\otimes 2}$ we have that this state is XY-determined.

Theorem 2. [20]
A stabilizer state is determined by any of its sets of stabilizer generators.
In principle it is possible to run a form of the RUV protocol in which we choose the CHSH games such that we rigidly determine that the provers share multiple copies of the Bell state $|\Psi^+\rangle$ instead of $|\Phi^+\rangle$. Analogous to the previous case, the extended form of the protocol would then fix the Z operator up to a sign change (instead of the Y operator). This means that the provers can always perform a reflection about the XY plane with no noticeable changes. However, the XY plane states are invariant under such a reflection. We can therefore use this to prepare the input which will be used by the FK protocol.

The only problem we encounter is that we also require the preparation of $|0\rangle$ and $|1\rangle$ states which act as dummy qubits in the FK protocol [1]. As described in Protocol 1 these dummy qubits are measured in order to "break" the dotted-complete graph into the computation graph and the two trap graphs. The problem is that the XY plane reflection has the effect of flipping the computational basis states (state $|0\rangle$ becomes $|1\rangle$ and state $|1\rangle$ becomes $|0\rangle$). However this deviation (flip) has to be applied globally otherwise it affects the statistics of the CHSH game and thus the verifier rejects [20]. Such a global flip is detected by the FK protocol. A formal proof is given in Lemma 10, Section 4, while below we give a sketch of the proof.
In the honest scenario for the FK protocol, the measurement of a dummy qubit in state $|1\rangle$ introduces an additional Z correction to its neighbouring qubits (this is because we are using the controlled-Z operation for entangling qubits). Hence in a malicious setting the effect that a flip has on a trap qubit with an odd number of neighbouring dummy qubits is an extra Z operation. Such a Z flip changes a $|+_\theta\rangle$ state to $|-_\theta\rangle$. Thus, the measurement of this trap qubit will deterministically fail and the verifier will detect this. On the other hand, since the verifier chooses the input, he can always pad the computation such that the overall graph has trap qubits with an odd number of neighbouring dummy qubits. This is due to the fact that in a dotted-complete graph (Definition 2), some of the traps will have N − 1 neighbouring dummy qubits. Therefore, if the size of the input computation N is odd, the verifier need only pad the computation size to become N + 1.

Now we are in a position to construct the composite protocol which composes RUV with FK. We give a modified version of the state tomography protocol of RUV (see Protocol 3). The proof that Protocol 3 is a valid verification protocol is given in Section 4. The purpose of this modification is to verifiably prepare the minimal resource states which are subsequently used as inputs for the FK protocol.
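The dummy-flip sketch above can be checked with a small state-vector simulation. This is an added example, not code from the paper: it models one trap qubit in $|+_\theta\rangle$ entangled by controlled-Z with its dummy neighbours, and the function names, the angle 0.7 and the dummy patterns are illustrative assumptions. It covers only the global flip; partial flips are caught by the CHSH statistics, which are not modelled here.

```python
import cmath
import math


def prepare(theta, dummies):
    """State vector with trap qubit 0 in |+_theta> and dummy qubit i+1 in |d_i>."""
    n = 1 + len(dummies)
    state = [0j] * (1 << n)
    base = sum(d << (i + 1) for i, d in enumerate(dummies))
    state[base] = 1 / math.sqrt(2)                          # trap bit = 0
    state[base | 1] = cmath.exp(1j * theta) / math.sqrt(2)  # trap bit = 1
    return state


def apply_cz(state, a, b):
    """Controlled-Z on qubits a and b: phase -1 on basis states where both bits are 1."""
    return [-amp if (idx >> a) & 1 and (idx >> b) & 1 else amp
            for idx, amp in enumerate(state)]


def trap_pass_probability(theta, intended, actual):
    """Probability that the trap measurement gives the outcome the verifier expects.

    intended: dummy values the verifier asked for (he corrects the trap angle for these).
    actual:   dummy values really prepared (equal to intended for honest provers).
    """
    state = prepare(theta, actual)
    for q in range(1, len(actual) + 1):
        state = apply_cz(state, 0, q)
    # Each intended |1> dummy contributes a Z, i.e. a shift of pi in the trap angle.
    phi = theta + math.pi * sum(intended)
    prob = 0.0
    for idx in range(0, len(state), 2):     # idx has trap bit 0, idx | 1 has trap bit 1
        overlap = (state[idx] + cmath.exp(-1j * phi) * state[idx | 1]) / math.sqrt(2)
        prob += abs(overlap) ** 2
    return prob


def padded_size(n):
    """Pad an odd computation size N to N + 1, so that N - 1 dummy neighbours is odd."""
    return n + 1 if n % 2 else n


def flip_detected(n, theta=0.7):
    """True if a global dummy flip makes a trap with N - 1 dummy neighbours fail."""
    intended = [i % 2 for i in range(n - 1)]     # constructed sample dummy pattern
    flipped = [1 - d for d in intended]          # global |0> <-> |1> flip
    return trap_pass_probability(theta, intended, flipped) < 1e-9


if __name__ == "__main__":
    for n in range(2, 8):
        print(n, "dummy neighbours:", n - 1, "flip detected:", flip_detected(n))
    print("N = 5 padded to", padded_size(5), "->", flip_detected(padded_size(5)))
```

With an even number of dummy neighbours the two Z corrections cancel and the flip goes unnoticed by that trap, which is why the padding to an even N matters.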

Protocol
The verifier alternates uniformly at random between the following subprotocols:

1. CHSH games. Verifier referees 6N sets of sequential CHSH games, such that each group of N sets is one of the six possible CHSH types of games. Each set consists of $n_g$ games between prover 1 and prover 2. For each group of N CHSH games the verifier rejects if the two provers win less than: of the games.

2. State tomography. Verifier chooses K ∈ [N] uniformly at random and also randomly chooses $CHSH_i$ as one of the six possible CHSH games. Then he referees K − 1 sets of $CHSH_i$ games, sending the questions from the Kth set to prover 1, while running a state tomography protocol with prover 2. In this protocol prover 2 is asked to prepare resource states by measuring his halves of the shared Bell states. This will collapse prover 1's states to the same resource states up to corrections. In the context of composition, these resource states will constitute the FK input. The verifier uses the measurement outcomes of prover 1 to tomographically check this preparation. He rejects if the tomography statistics are inconsistent. In the end, if the verifier accepts, he concludes that with high probability prover 1 has a state which is close in trace distance to the tensor product of resource states. The formal statement of this fact is given in Theorem 5, taken from [20], and more precisely in Equation 42 from Lemma 12.
since prover 1 is involved in both state tomography as well as the FK protocol, the strong version of the robustness property is required. This is to address the effect of any potential correlated attacks where provers 1 and 2 have agreed in advance on a strategy. The deviations of prover 2, in the preparation stage, could be correlated with the deviations of prover 1 during the computation stage (FK). This is the first rigorous proof of a protocol that involves lifting the FK protocol to the entangled provers setting. We give here the correctness and soundness of this protocol and show that it is more efficient than the RUV protocol (Theorem 3) while in Section 4 we give the proof of this theorem.
), where d is the security parameter of the FK protocol, and round complexity $O(n^c)$, where there exists some constant c such that c > 2048.
While the obtained round complexity is an improvement over RUV (Lemma 2) it is still far from practical. However, we believe our approach serves as a proof of principle, that this type of composition can be beneficial. It also highlights where improvements could be made. It is the state tomography subprotocol that increases the round complexity, while the FK protocol has a relatively low complexity. The detailed proofs are given in Section 4.

Fault Tolerance
In constructing our composite verification protocol, we used the robustness of the FK protocol. Our last result is to characterise the difference between robustness and fault tolerance and to show that the FK protocol can be made fault tolerant using a topological error correcting code. Consequently, our composite protocol can also be made fault tolerant provided that the state tomography part is run on top of an error correcting code.

As mentioned before robustness is a protocol's ability to continue to function given a deviated input. Fault tolerance is when a protocol functions correctly in the presence of error prone devices. The essential assumption for robustness is that the actual (multi-qubit) input is -close to its ideal value. Fault tolerant protocols, on the other hand, assume that errors can occur at each individual qubit. The faulty devices are usually represented by the action of a partially depolarizing channel: ). Here p is the probability of error, and the square brackets indicate the action of an operator. This leads to the following observation:

Lemma 3. Let $\sigma = \bigotimes_{i=1}^{n} \rho_i$ be a system of n qubits. Assume each qubit goes through a partially depolarizing channel E having probability of error p > 0. Let the state of the system, after all qubits have passed through the channel, be $\sigma' = \bigotimes_{i=1}^{n} E(\rho_i)$. We have that $\|\sigma - \sigma'\|_{Tr} \le \min(1, np)$ and there exist states σ for which $\|\sigma - \sigma'\|_{Tr} = 1$.

This means that the deviation of an n-qubit system from the ideal input is not bounded by some constant amount. This is intuitively clear, since by adding more qubits, we introduce more errors and the state of the composite system is further from its intended value. In contrast to this, when considering robustness, the distance between the actual and ideal state is bounded by an arbitrarily small quantity. We will now address how we can do verification in an error prone setting.
Lemma 4. Assume we run the FK protocol with $N_T$ traps and each qubit is subject to the action of a partially depolarizing channel E having probability of error p > 0. Given the simplifying assumption

Protocol 5 Fault Tolerant FK Protocol

Assumptions
The verifier wants to compute the execution of a measurement graph G having n qubits. Both the verifier and prover's devices are subject to noise modelled as a partially depolarizing channel acting on the preparation of the qubits and the application of the quantum gates. For single qubits the channel is described by: And for two qubit states by: Additionally assume $p \le p_{correct}$, where $p_{correct}$ is a threshold such that depolarizing noise below this threshold is corrected by the topologically protected code from [28].
Let $G_\nu$ denote a brickwork state encoding the graph G and containing one trap qubit, as explained in [1]. Let $L_\nu$ denote a fault tolerant encoding of the graph $G_\nu$ using the topologically protected code from [28]. The encoding is done as explained in [34], hence $L_\nu$ will be decorated lattices (see Figures 1, 2 in [34]). The index ν denotes the randomness in the θ angles for the encoding as chosen by the verifier. Let We will refer to $S_\nu$ as a sequence of encodings.

Protocol

1. The verifier chooses R > 1 and constructs the random set ν.
2. The verifier prepares the qubits for the sequence S ν and sends them to the prover along with instructions on how to construct S ν .
3. The verifier sends measurement instructions to the prover in order to compute the executions of the encoded graphs.
4. The prover sends the measurement outcomes to the verifier.

Steps 3 and 4 repeat until the verifier either accepts or rejects.
The verifier rejects if any of the traps fail.He takes the outcome of the computation to be the majority outcome over all computations (graphs L ν i ).
that if a qubit is changed (through the action of an X, Y or Z operator) it will produce an incorrect measurement outcome, the completeness of this protocol is upper bounded by

It is evident that assuming faulty devices where each qubit behaves as if it crossed a partially depolarizing channel, the completeness of the protocol becomes exponentially small (as a function of the number of traps). This is clearly unsatisfactory. The arguably simplest solution would be to alter the acceptance condition of the protocol. Since it is unlikely that all trap measurements succeed, even for an honest prover, the verifier should accept a result if the traps that succeed are above some fixed fraction.
Lemma 5. Assume we run a modified FK protocol with N T traps and each qubit is subject to the action of a partially depolarizing channel E having probability of error p > 0. The modification is that the verifier accepts if there are fewer than N T (p + ) mistakes at trap measurements, where > 0 is a suitably chosen small number.The completeness of this protocol is lower bounded by 1 − exp(−2 2 N T ).
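Lemmas 4 and 5 can be compared numerically. The following is an added example, not code from the paper: it assumes independent trap failures with probability p, as in the lemmas' simplifying assumption, and uses `eps` as the name for the small positive slack in the acceptance threshold. The function names and the sample values of p, the trap count and `eps` are illustrative assumptions.

```python
import math


def all_traps_completeness(p, n_traps):
    """Lemma 4 upper bound: every one of n_traps independent traps must succeed."""
    return (1 - p) ** n_traps


def threshold_acceptance(p, n_traps, eps):
    """Exact probability that an honest but noisy run is accepted under Lemma 5's rule.

    The verifier accepts when the number of failed traps F is below n_traps * (p + eps),
    with F ~ Binomial(n_traps, p). Computed in log space so large n_traps do not overflow.
    Requires 0 < p < 1.
    """
    limit = n_traps * (p + eps)
    log_p, log_q = math.log(p), math.log(1 - p)
    total = 0.0
    for f in range(n_traps + 1):
        if f >= limit:
            break
        log_pmf = (math.lgamma(n_traps + 1) - math.lgamma(f + 1)
                   - math.lgamma(n_traps - f + 1)
                   + f * log_p + (n_traps - f) * log_q)
        total += math.exp(log_pmf)
    return min(total, 1.0)


def hoeffding_lower_bound(n_traps, eps):
    """Lemma 5 completeness bound: 1 - exp(-2 * eps^2 * n_traps)."""
    return 1 - math.exp(-2 * eps ** 2 * n_traps)


def min_traps_for_completeness(eps, target):
    """Smallest trap count for which the Hoeffding bound guarantees the target completeness."""
    return math.ceil(math.log(1 / (1 - target)) / (2 * eps ** 2))


if __name__ == "__main__":
    p, eps = 0.01, 0.02          # constructed sample noise level and slack
    for n_traps in (50, 500, 5000):
        print(n_traps,
              "all-traps rule:", f"{all_traps_completeness(p, n_traps):.3e}",
              "threshold rule:", f"{threshold_acceptance(p, n_traps, eps):.6f}",
              "Hoeffding bound:", f"{hoeffding_lower_bound(n_traps, eps):.6f}")
    print("traps needed for 0.99:", min_traps_for_completeness(eps, 0.99))
```

The all-traps rule decays exponentially in the number of traps while the threshold rule stays near 1; the exact acceptance probability is always at least the Hoeffding bound, which is loose for small trap counts.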
The above modification resolves the issue raised regarding the completeness bound. However, if we were to make such a modification, we have the following consequence for the soundness of the protocol:

Lemma 6. Assume we run a modified FK protocol with $N_T$ traps, N qubits in total and each qubit is subject to the action of a partially depolarizing channel E having probability of error p > 0. The modification is that the verifier accepts if there are fewer than N T (p + ) mistakes at trap measurements, where > 0 is a suitably chosen small number. The soundness of this protocol is

We can see that introducing a threshold of acceptance leads to an increased bound on soundness. This is again expected, since we allow the prover to tamper with some of the traps (and, by extension, with the computation as well) without rejecting the output. To solve these problems we need to use a fault tolerant code. The FK protocol already uses a fault tolerant code to encode the computation graph. However this is done in order to boost the value of the soundness parameter. The trap qubits are not encoded with the code (only the computation is). Thus we propose a modified FK protocol. This is described in Protocol 5. In this protocol we encode both computations and traps in a fault tolerant code and use sequential repetitions (also used in [17]). This leads to our final main result:

Theorem 4. Under the assumption of a faulty setting where qubit preparation and quantum gates are subject to partially depolarizing noise having bounded probability p, Protocol 5 is a valid verification protocol having completeness 1, soundness upper bounded by $(1/2)^R$, where R is a constant such that R > 1. The protocol has round complexity $O(n^2)$.
The proofs of this theorem and of the previous lemmas are given in Section 5. An important point to make is that the composite protocol we constructed can also be made fault tolerant. To achieve this the state tomography protocol should be run on top of a fault tolerant code. As mentioned in [20], in principle, this is straightforward for blind, verified computation, since the provers can work on top of a quantum error-correcting code and entanglement can be distilled with the help of the verifier [35,36].

Proof of Robustness
In this section we prove the robustness of the FK protocol. We start by first proving a simpler result, namely the robustness of the protocol under the assumption that the input is uncorrelated with any external system. We then remove this assumption and use our results to prove the main theorem, necessary for the composition with the RUV protocol.

Lemma 7. If the initial input state of the FK protocol is -close to the ideal input state and uncorrelated with any external system, the soundness bound does not change.
Proof. We will follow the same proof technique as in [1] and show that the soundness bound does not change. This is done by incorporating the assumption of a deviated input into that proof. The outcome density operator of the protocol is denoted $B_j(\nu)$, where ν denotes the verifier's choices of input variables and j ranges over the prover's choices of possible actions (j = 0 is the correct/honest action). If the outcome is incorrect it means that all of the traps have passed, but the computation is not correct. This is associated with the following projection operator [1]: Here, $|\Psi_{ideal}\rangle\langle\Psi_{ideal}|$ is the ideal output state, and t∈T |η ν T t η ν T t | is the state associated with the trap qubits. Notice that we are projecting to a state in which the output is orthogonal to its ideal value, and the traps are correct. This expresses the fact that the verifier will accept an incorrect computation. The associated probability for that event is $p_{incorrect}$ and can be expressed as: Which is a weighted average of the incorrect outcome probabilities (expressed by the trace operator) over all possible input states. The outcome density operator can be written as: Input state Notice the following, as explained in [1]:

• We are tracing over the prover's qubits;
• We have denoted the joint state, comprised of the input and the prover's qubits, as σ ν,b ;
• j ranges over the prover's possible strategies (j = 0 is the honest strategy);
• b indicates the possible branches of computation parametrised by the measurement results sent by the prover to the verifier;
• c r indicates corrections that need to be performed on the final, classical output due to the MBQC computation together with the random phase introduced by the verifier;
• P is the computation that we want the prover to do;
• Ω is the prover's deviation from the desired computation;
• C ν C ,b are the corrections the prover applies to its quantum output depending on the measurement outcomes (as in the measurement-based model);

We now need to incorporate the approximate input state into this operator. We will not use the -closeness of the deviated state to the ideal one, and prove a stronger result, that the soundness bound does not change regardless of the input state. Concretely, assume the deviated input is: Where E is a CPTP map which represents any deviation from the ideal input state either from incorrect preparation, a malicious prover or faulty devices. This is equivalent to applying some unitary U to the input state tensored with some environment qubits that are traced out. We can express this mathematically as: The joint system state σ ν,b becomes: Let us consider a new unitary V = (I ⊗ U ). This allows us to rewrite the joint system state as: Since P, the computation, is a unitary operator, there must exist some unitary V such that V = P † V P. Substituting this into the previous expression gives us: Incorporating Equation 11 into the expression for $B_j(\nu)$ in Equation 6 we obtain: The assumption of the lemma is that the input state is not correlated with any external system. Hence, the spaces E and P are independent. This means that the prover's deviation, Ω, is not acting on E and therefore we can "push" the inner trace operator to the beginning of the equation. Also using the fact that $P P^\dagger = P^\dagger P = I$, we obtain: We can now include the input deviation given by V into the prover deviation Ω, by considering Ω = ΩV. This is possible because we are bounding the probability over all possible deviations, Ω, of the prover in the computation and all possible deviations, V, from the preparation part. Thus, we can consider this to be a single, global, deviation given by Ω .
As a result, the above equation has the same form as the undeviated input scenario of Equation 6. This makes sense since all we have done is to incorporate the deviation of the input into the prover's cheating strategy. The original proof continues as it is in [1], and the bound remains unchanged.

The type of robustness guaranteed by this lemma is not sufficient to prove the security of any protocol that composes RUV with FK. For example if we use prover 2 of RUV to prepare the input of the FK protocol for prover 1, this input is in general correlated with prover 2's system. To address this issue, we use from [20] the following corollary of the gentle measurement lemma and the special Kraus representation in the presence of initial correlations given in [30].
Corollary 1. [20] Let ρ be a state on $H_1 \otimes H_2$, and let π be a pure state on $H_1$. If for some δ ≥ 0,

Lemma 8. If the initial input state of the FK protocol is -close to the ideal input state the soundness bound changes by at most O( √ ).
Proof. Consider a composite correlated state $\rho_{AB}$ where systems A and B are not communicating and let $\rho_A = Tr_B(\rho_{AB})$ and $\rho_B = Tr_A(\rho_{AB})$. If $\rho_A$ is used as input for the FK protocol, the existence of correlations (not present in the previous lemma) can be exploited by an adversarial prover. Hence the deviation can no longer be expressed as a CPTP map over this subsystem. As it is shown in [30], in presence of initial correlations defined as: the evolution of the subsystem $\rho_A$ is the following: Here E is a CPTP map and $\delta\rho_A$ is an inhomogeneous term which is added to the CPTP evolution due to the presence of initial correlations. In addition we have the following property: We can see that substituting $\rho_A$ in the outcome density operator of the FK protocol gives different soundness bound than the one in Lemma 7. The difference stems from the extra δρ term. However we can use the fact that ρ is -close to the ideal state (lemma assumption) to show that the norm of $\delta\rho_A$ is at most of order O( √ ). To prove this we first find a bound for the norm of $\rho_{corr}$, and since $\delta\rho_A$ is just a CPTP map applied to $\rho_{corr}$ it follows that the norm of $\delta\rho_A$ has the same bound. Moreover, the action of the FK protocol can be modelled as a CPTP map, therefore acting on $\delta\rho_A$ will not increase the norm. It follows that the overall soundness bound changes by at most O( √ ).

If we denote the ideal state as $|\psi\rangle$, we know that: It is also known, from the relationship between fidelity and trace distance, that: Combining these two yields: Recall that $Tr(|\psi\rangle\langle\psi| \rho_A) = \langle\psi| \rho_A |\psi\rangle$, using Equation 22 and Corollary 1 (where ρ is substituted with $\rho_{AB}$ and π with $|\psi\rangle\langle\psi|$) we have: The trace norm of $\rho_{corr}$ is simply the trace distance between $\rho_{AB}$ and $\rho_A \otimes \rho_B$ as can be seen from the definition. Using the triangle inequality, we have: For the last term, using the additivity of trace distance with respect to tensor product, we get: Combining these last three inequalities we obtain: Since 0 ≤ ≤ 1, the bound is of order O( √ ). We have therefore bounded the norm of $\rho_{corr}$ and thus the norm of $\delta\rho_A$.
We can now take our expression for the deviated input from Equation 18 and substitute it into Equation 8, from Lemma 7. Since trace is a linear operation, it will result in the addition of an inhomogeneous term to each equation that involves the outcome density operator. But since the inhomogeneous term has bounded trace norm, and the action of the outcome density operator is trace preserving, it follows that we obtain the same bound as in Lemma 7 with the addition of an extra term of order O( √ ). This concludes the proof.
Lemma 9.If the initial input state of the FK protocol is -close to the ideal input state, the completeness is lower bounded by 1 − 2 .
Proof. In the simplest sense, the FK protocol can be abstractly thought of as a CPTP map P, that takes some input state to an output state. Since we are assuming the prover is honest, the output state will be B 0 (ν). However, this is in the case where the input is assumed to be ideal. We are dealing with a deviated input, hence our output state will be B 0 (ν). Writing these out explicitly we have: B 0 (ν) = P(ρ ν ) ( Where, ρ ν is the deviated input, and by assumption Note that in the following we do not need to consider non CPTP map evolution since the provers are assumed to behave honestly. Hence even in the presence of initial correlation, the subsystem will evolve according to the desired CPTP map of the protocol. However CPTP maps cannot increase the trace distance, which leads to: This also applies for projection operators and if in particular we consider P correct , the projection onto the correct output state, we also have that: Next we use the reverse triangle inequality, which gives us: And since we are dealing with positive definite operators, we know that: But T r(P correct B 0 (ν)) = 1 (the completeness when we have ideal input), so: Lastly, because T r(P correct B 0 (ν)) ≤ 1, we get: Thus, the probability of accepting a correct outcome, under the assumption that the input state is -close to the ideal input, is greater than 1 − 2 .
It is now easy to see that the proof of Theorem 1 follows directly from Definition 3 and Lemmas 8 and 9. Having the robustness property, the FK protocol can receive an input, which is -close to its ideal value, from another protocol. As we have shown, even if this input is correlated with an external system, we can still perform the verification as long as we have -closeness.

Proof of Compositionality
To prove the security of the composite protocol (Theorem 3), we first need to prove that the FK protocol rejects with high probability a state close to a reflection about the XY -plane (Lemma 10).Then we prove that the modified state tomography protocol (Protocol 3), satisfies the -closeness property required by the (robust) FK.This is achieved by showing Lemmas 11 and 12. Finally we give the proof of Theorem 3.
Lemma 10. If the initial input state of the FK protocol is -close to a reflection about the XY-plane of the ideal input state, the protocol will reject it with high probability.

O 1 , . . ., O n . Then there exists an isometry X A : H A → (C 2 ) ⊗m ⊗ H A such that letting ρ σ,j be X A ρX A † reduced to Alice's qubits {σ(j, i) Here, the probability is over K, the first (K − 1)m games and O 1 , . . ., O n .
We give the following corollary to this theorem:

Corollary 2. By changing the measurement operators accordingly, a state tomography protocol for q-qubit XY-determined (YZ-determined) states exists, and achieves the same completeness and soundness bound as the one from Theorem 5.
Proof. As mentioned, if we consider the extended CHSH game (comprising 6 CHSH games) and try to rigidly determine the existence of a tensor product of $|\Psi^+\rangle$ states, we can fix the strategies of the provers up to an XY plane reflection. In particular, the results of an XZ state tomography in the original setting hold here for XY (YZ) tomography. Therefore, it is possible to certify the preparation of q-qubit XY-determined (YZ-determined) states.
We can now present the main lemma proving that Protocol 3 is a verification protocol.

Proof. According to Corollary 2, the six state tomography protocols that constitute Protocol 3 are valid verification protocols achieving the same bounds for completeness and soundness as the original protocol from Theorem 5. We will ignore the case of XY plane reflections since, as we have shown in Lemma 10, these are detected with overwhelming probability by the FK protocol. These protocols can be "stitched" together in the same way the subprotocols of the RUV protocol are stitched together. In fact, our case requires a much simpler analysis since the six state tomography protocols are independent of each other. This means that in each subprotocol, the verifier is not basing his questions on the results of any previous subprotocol. This nonadaptive technique contrasts the RUV protocol in which the questions were adaptive.

In the case of honest provers, the verifier accepts if all subprotocols succeed. For each one, we know from Theorem 5 that the probability of acceptance is $\ge 1 - O(n^{-1/2})$, hence for the whole protocol the probability of acceptance is ). Thus, we see that the completeness bound remains unchanged. For soundness, assuming the provers are dishonest we know, again from Theorem 5, that the probability of accepting an incorrect outcome is $\le 4n^{-1/12}$. In our protocol, the provers can be dishonest in any of the six subprotocols, therefore, by a union bound the probability of accepting an incorrect outcome is $\le 6 \cdot 4n^{-1/12} = 24n^{-1/12}$. Therefore, we can say that the soundness of our protocol is upper bounded by $O(n^{-1/12})$.
We are now able to give the proof of our main result (Theorem 3) which concerns the properties of the composite protocol (Protocol 4).To do this, we require an additional property.
Lemma 12. Assume the verifier wants to prepare a state ρ consisting of tensor products of qubits which are all determined in either the XZ, XY or YZ bases.A successful run of Protocol 3 certifies that, prover 1 has a state ρ such that ρ and ρ are close in trace distance.
Proof.The proof is partially given in [20].In the state tomography protocol, a prover prepares multiple copies of a resource state.In [20] it is stated that if the verifier accepts, then, with high probability, a subset of states of the prover are close in trace distance to copies of the resource state.
The soundness condition of Theorem 5 states that: It is shown in [20] that this condition translates to the fact that with probability at least $1 - O(n^{-1/48})$ we have: Where S is uniformly random subset of size $O(n^{1/64})$. If we denote $O(n^{-1/64})$ as , $O(n^{-1/48})$ as p, ρ S (O 1,n ) as ρ and ⊗ j∈S π O j as ρ id then the state ρ , that prover 1 has, is: We can see that, for sufficiently large n, the values of p and tend to 0. Consequently, ρ approaches ρ and ρ approaches the ideal state, ρ id . Computing the trace distance between ρ and ρ id , we obtain: And using inequality 42, we have: Therefore, the state that prover 1 has, conditioned on his messages O 1,n , is close to the state comprised of copies of the resource states. Depending on which type of state tomography is done, the resource states are determined in either the XZ, XY or YZ bases.
Proof of Theorem 3. According to Lemmas 11 and 12, Protocol 3 is capable of preparing with high probability, a multi-qubit state ρ on prover 1's side, such that ρ is -close to a tensor product of states determined in either the XZ, XY or YZ bases. In fact, each subprotocol is capable of such a preparation. For the two XY state tomography protocols we choose the resource state to be: For the two XZ state tomography protocols we choose the resource state to be: This allows us to prepare multi-qubit states on prover 1's side which are close in trace distance to the FK input consisting of XY-plane states and dummy qubits (the $|0\rangle$, $|1\rangle$ qubits). If we denote as ρ 1 the multi-qubit state consisting of multiple copies of the XY resource state and ρ 2 as the multi-qubit state consisting of multiple copies of the XZ resource state, then the FK input is effectively ρ 1 ⊗ ρ 2 . Lemma 12 shows that with high probability prover 1 will have a state ρ 1 that is prep -close to ρ 1 and a state ρ 2 that is prep -close to ρ 2 , where prep = $O(n^{-1/64})$. Therefore, [20] it is proven in the state tomography protocol prover 1 is completely blind regarding his state. Given this, and using Theorem 1, we can compose the modified state tomography protocol (Protocol 3) with the FK protocol to achieve a new blind verification protocol. The state ρ 1 ⊗ ρ 2 is used as input for the FK protocol, since it is -close to the ideal input, where = 2 prep .

The bound on completeness for the new protocol can be computed from the completeness bounds of the constituent protocols. In the honest provers setting, the verifier's acceptance probability for modified state tomography is $1 - O(n^{-1/2})$, and for FK with deviated input it is 1 − O( √ ) = $1 - O(n^{-1/128})$. Multiplying these together and taking the leading order terms we find that completeness of the protocol is upper bounded by $1 - O(n^{-1/128})$. For soundness, in the dishonest setting if the verifier would reject in either modified state tomography or FK then he would reject in the new protocol as well. The bound on soundness for modified state tomography is $O(n^{-1/12})$ and for FK is $\left(\frac{2}{3}\right)^{\lceil 2d/5 \rceil}$, where d is the security parameter of the FK protocol that specifies the size of the encoding for the computation graph. From a union bound we get that the soundness for our composite approach is $\left(\frac{2}{3}\right)^{\lceil 2d/5 \rceil} + O(n^{-1/12})$.

The last part of the proof deals with the round complexity of our composite approach. In the previous proof of Lemma 12 we mentioned that prover 1's state restricted to subset of $O(n^{1/64})$ qubits is close in trace distance to the ideal state. However we need n to be sufficiently large so that this subset of qubits can encompass the entire FK input. We know that the FK input comprises $O(|C|^2)$ qubits, where C is the computation the verifier wants to perform. This means, that we need $O(|C|^{128})$ qubits in total so that we can claim that a state of $O(|C|^2)$ qubits is close to its intended value. Recall that from Theorem 5, the number of rounds for state tomography is $O(n^\alpha)$, where we know from [20] that α > 16. This means that the total number of rounds must be $O(|C|^c)$, where $c > 128 \cdot 16 = 2048$. If we relabel n to be |C| then the round complexity is $O(n^c)$.

Proof of Fault Tolerance
The main result of this section is the proof of Theorem 4 that gives a fault tolerant FK protocol. We first prove Lemmas 3, 4, 5 and 6 which, as stressed in Section 2.3, highlight why we cannot use results similar to the robustness and why the simplest approaches fail. Then we proceed to the proof of Theorem 4.
Proof of Lemma 3. We can compute a bound on the trace distance between an arbitrary qubit $\rho_i$ and $E(\rho_i)$: But we know that the trace distance is upper bounded by 1, so: Now we compute the trace distance between $\sigma = \bigotimes_{i=1}^{n} \rho_i$ and $\sigma' = \bigotimes_{i=1}^{n} E(\rho_i)$: Since the trace distance is upper bounded by 1 and since np can exceed 1 for sufficiently large n, we have: Consider $\sigma = \bigotimes_{i=1}^{n} |0\rangle\langle 0|$. Under the action of the depolarizing channel the trace distance between σ and σ' is $n \, \| |0\rangle\langle 0| - E(|0\rangle\langle 0|) \|_{Tr}$. However $\| |0\rangle\langle 0| - E(|0\rangle\langle 0|) \|_{Tr} = \frac{2p}{3}$, therefore the distance between σ and σ' is $n \frac{2p}{3}$. For sufficiently large n this can clearly reach the maximum value of 1.
Proof of Lemma 4. Because of the action of the partially depolarizing channel, each trap qubit has a probability $p$ of being changed. We make the simplifying assumption that an affected qubit will produce a wrong measurement result. This assumption is only valid for completeness, where we assume that the devices are honest but faulty⁴. We then have that the probability of a trap measurement producing a correct outcome is upper bounded by $1 - p$. Given that trap measurements are independent of each other, and assuming we have $N_T$ traps, the probability that all trap measurements produce correct outcomes is upper bounded by $(1 - p)^{N_T}$. Since the verifier accepts if and only if all trap measurements succeed, it follows that the completeness is upper bounded by $(1 - p)^{N_T}$.
Proof of Lemma 5. Define the following Bernoulli random variable: $X_t = 1$ if measurement of trap $t$ fails, and $X_t = 0$ otherwise.
Under the simplifying assumption of the previous lemma, we have $\Pr(X_t = 1) = p \geq 0$. Next, we define: It is clear that $E(F) = N_T p$. Additionally, using a Hoeffding inequality, we have that: This gives the probability that the number of failed traps is greater than our threshold of $pN_T$. The complement of this is the completeness, which is therefore bounded by $1 - \exp(-2\epsilon^2 N_T)$.
Proof of Lemma 6. Recall that soundness is the probability of accepting an incorrect outcome. In the original FK protocol this meant that all the traps succeeded but the computation output was orthogonal to the correct output. This is expressed with the projector $P_\perp \otimes P_T$. Here $P_\perp$ projects the computation output onto the orthogonal state and $P_T$ projects the trap outputs onto the correct outputs. If the accepting condition is given by a threshold of correct traps, the projector must change accordingly. This means that there should not be only one trap projector but one for each accepting situation. Taking the threshold to be $pN_T$ means that the verifier accepts if $T = N_T - pN_T$ traps succeeded. Since these traps can be any combination of $T$ out of the possible $N_T$, there are $\binom{N_T}{T}$ possible accepting situations. Therefore, the trap projector $P_T$ becomes a sum of
And we finally obtain: Hence, the probability that the prover deceives the verifier is less than $(1/2)^R$ and so the soundness of the protocol is upper bounded by this value. Lastly we compute the round complexity of this protocol. For the given sequence we have $N$ encodings and for each encoding we have $O(n)$ qubits⁵ and a corresponding round complexity of $O(n)$ to compute the execution of that encoding. It follows that the overall complexity is $O(Nn)$.
But we know that $N < R/\log\left(1 + \frac{1}{cn-1}\right) + O(1)$, and given that $R$ is a constant, we can show that $N$ is $O(n)$. This follows from the observation that dividing the function $1/\log\left(1 + \frac{1}{cn-1}\right)$ by $(cn - 1)$ gives a constant in the $n \to \infty$ limit: Incorporating this result yields overall complexity $O(n^2)$. Note that this proof technique works for the case of classical output since we are interested in the classical output of each encoding. The encodings are independent from each other, which allows us to bound the probability for the whole sequence.

Conclusion
We have shown that the single server universal verifiable blind quantum computing protocol of [1] is robust even against general adversaries. This protocol is currently the optimal protocol in terms of the verifier's requirements. The robustness result further strengthens the scheme for realistic applications where the effect of noisy devices should also be considered, as highlighted in a recent experimental demonstration of the protocol [17]. Moreover, it enables us to compose the FK protocol with other quantum verification protocols, extend it to the entangled servers setting and make it device independent. The key property that we proved is that the protocol remains secure even against correlated attacks. To achieve this, we considered the deviation of the evolution of a correlated subsystem from the evolution of uncorrelated subsystems. The former could be written mathematically as a non-CPTP map which differs from a CPTP map by an inhomogeneous term. However, for inputs which are $\epsilon$-close to the ideal FK input, we showed that this deviation (the inhomogeneous term) is bounded by a term of order $O(\sqrt{\epsilon})$. Our proof technique is generic and can potentially be applied to other multi-party protocols where sequential composition is required. This result complements the local -verifiability proof of [24] which is based on the universal composability framework. The latter, in its current form, is insufficient for composing entanglement-based protocols, such as RUV, with the FK protocol because of the possibility of correlated attacks. Our robustness result, however, leads to a stand-alone secure composite verification protocol. Additionally, the proposed composition scheme could potentially be used to extend the composable framework of [24] to incorporate multiple provers.
Our proposed composite protocol achieves verification with a classical client (device independence) and gives improved round complexity in comparison to the RUV protocol. It uses only the (modified) state tomography part of RUV as input for the FK protocol. The improved round complexity of the composite protocol is still too high to allow for any practical implementation in the near future. However, the reason for this high round complexity is the state tomography subprotocol and therefore, any improvement on how to prepare the FK inputs (e.g. by exploiting the shared entanglement of the provers or using self-testing techniques as in [32]) will directly improve the efficiency of our composite protocol as well.
Finally, we outlined how to make our verification protocol fault tolerant. To do so we constructed a fault tolerant version of the FK protocol which is interesting in its own right. This complements the work presented in [34] which addresses the fault tolerance of a (non-verifiable) blind quantum computing protocol. We used the same topological error correcting code as [34] and a sequential repetition scheme in order to correct for faulty devices.

Figure 1: An example of a complete graph, $K_6$, and its corresponding dotted-complete graph $\tilde{K}_6$.
$\binom{N_T}{T}$ projectors (one for each accepting choice of traps). It therefore follows from linearity that the soundness bound becomes N T