Accrediting outputs of noisy intermediate-scale quantum computing devices

We present an accreditation protocol for the outputs of noisy intermediate-scale quantum devices. By testing entire circuits rather than individual gates, our accreditation protocol can provide an upper-bound on the variation distance between noisy and noiseless probability distribution of the outputs of the target circuit of interest. Our accreditation protocol requires implementing quantum circuits no larger than the target circuit, therefore it is practical in the near term and scalable in the long term. Inspired by trap-based protocols for the verification of quantum computations, our accreditation protocol assumes that single-qubit gates have bounded probability of error. We allow for arbitrary spatial and temporal correlations in the noise affecting state preparation, measurements, single-qubit and two-qubit gates. We describe how to implement our protocol on real-world devices, and we also present a novel cryptographic protocol (which we call ‘mesothetic’ protocol) inspired by our accreditation protocol.


Introduction
Quantum computers promise to expand our computing capabilities beyond their current horizons. Several commercial institutions [1][2][3] are taking steps towards building the first prototypes of quantum computers that can outperform existing supercomputers in certain tasks [4][5][6][7][8][9], the so-called 'Noisy Intermediate-Scale Quantum' (NISQ) computing devices [10]. As all their internal operations such as state preparations, gates, and measurements are by definition noisy, the outputs of computations implemented on NISQ devices are unreliable. It is thus essential to devise protocols able to accredit these outputs.
A commonly employed approach involves simulating the quantum circuit whose output we wish to accredit, the target circuit, on a classical computer. This is feasible for small circuits, as well as for circuits composed of Clifford gates [11] and few non-Clifford gates [12,13]. Classical simulations have been performed for quantum computations of up to 72 qubits, often exploiting subtle insights into the nature of specific quantum circuits involved [14,15]. Though practical for the present, classical simulations of quantum circuits are not scalable. Worthwhile quantum computations will not be efficiently simulable on classical computers, hence we must seek for alternative methods.
Another approach employed in experiments consists of individually testing classes of gates present in the target circuit. This is typically undertaken using a family of protocols centered around randomized benchmarking and its extensions [16][17][18][19][20][21]. These protocols allow extraction of the fidelity of gates or cycles of gates and can witness progresses towards fault-tolerant quantum computing [22]. However they rely on assumptions that may be invalid in experiments. In particular, they require the noise to be Markovian and cannot account for temporal correlations [23,24]. Quantum circuits are more than the sum of their gates, and the noise in the target circuit may exhibit characteristics that cannot be captured by benchmarking its individual gates independently.
This calls for protocols able to test circuits as a whole rather than individual gates. Such protocols have been devised inspired by Interactive proof Systems [25]. In these protocols (which we call 'cryptographic protocols') the outputs of the target circuit are verified through an interaction between a trusted verifier and an untrusted prover ( figure 1(a)). The verifier is typically allowed to possess a noiseless quantum device able to prepare [26][27][28][29][30][31][32][33] or N2: Noise in single-qubit gates is a CPTP map SE  of the form r r 1

SE SE
 is the identity on system and environment and SE  ¢ is an arbitrary (potentially gate-dependent) CPTP map encompassing the whole system and the environment.
Inspired by cryptographic protocols [26][27][28][29][30][31][32][33][34][35][36][37][38][39][40][41][42][43][44], our accreditation protocol is trap-based, meaning that the target circuit being accredited is implemented together with a number v of classically simulable circuits (the 'trap' circuits) able to detect all types of noise subject to conditions N1 and N2 above. A single run of our protocol requires implementing the target circuit being accredited and v trap circuits. It provides a binary outcome in which the outputs of the target circuit are either accepted as correct (with confidence increasing linearly with v) or rejected as potentially incorrect. More usefully, consider running our protocol d times, each time with the same target and v potentially different trap circuits. Suppose that the output of the target is accepted as correct by N 0 acc > runs. With )is a tunable parameter that affects both the confidence and the upper-bound, p s noiseless ( ) and p s noisy ( ) are the noiseless and noisy probability distributions of the outputs s { } of the target circuit respectively and v 1 e µ . Bounds of this type can fruitfully accredit the outputs of experimental quantum computers as well as underpin attempts at demonstrating and verifying quantum supremacy in sampling experiments [4][5][6][7][8][9].
Crucially, our accreditation protocol is both experimentally practical and scalable: all circuits implemented in our protocol are no wider (in the number of qubits) or deeper (in the number of gates) than the circuit we seek to accredit. This makes our protocol more readily implementable on NISQ devices than cryptographic protocols. Moreover, our protocol requires no noiseless quantum device, and it only relies on the assumption that the single-qubit gates suffer bounded (but potentially non-local in space and time and gate-dependent) noise-condition N2. This assumption is motivated by the empirical observation that single-qubit gates are the most accurate operations in prominent quantum computing platforms such as trapped ions [45,46] and superconducting qubits [2,47,48].
In addition to its ready implementability on NISQ devices, our accreditation protocol can detect all types of noise typically considered by techniques centered around randomized benchmarking and its extensions [16][17][18][19][20][21]. Moreover it can detect noise that may be missed by those techniques such as noise correlated in time. Mathematically, this amounts to allowing noisy operations to encompass both system and environment ( figure 1(b)) and tracing out the environment only at the end of the protocol. This noise model is more general than the Markovian noise model considered in protocols centered around randomized benchmarking [23,24]. Moreover, by testing circuits rather than gates, our protocol ensures that all possible noise (subject to condition N1 and N2) in state preparation, measurement and gates is detected, even noise that arises only when these components are put together to form a circuit. On the contrary, benchmarking isolated gates can sometimes yield over-estimates of their fidelities [21], and consequently of the fidelity of the resulting circuit. We note that noise of the type N2 excludes unbounded gate-dependent errors in single-qubit gates such as systematic over-or under-rotations, as also is the case for other works [16][17][18][19][20][21].
Inspired by our accreditation protocol we also present a novel cryptographic protocol, which we call 'mesothetic verification protocol'. In the mesothetic protocol the verifier implements the single-qubit gates in all circuits while the prover undertakes all other operations. This is distinct from prepare-and-send [26][27][28][29][30][31][32][33] or receive-and-measure [34][35][36][37][38] cryptographic protocols in that the verifier intervenes during the actual implementation of the circuits, and not before or after the circuits are implemented.
Our paper is organized as follows. In section 1 of Results we introduce the notation, in section 2 we provide the necessary definitions, in sections 3 and 4 we present our protocol and prove our results and in section 2.5 we present the mesothetic verification protocol.

Notation
We indicate unitary matrices acting on the system with capital letters such as U V , and W, and Completely Positive Trace Preserving (CPTP) maps with calligraphic letters such as , ,    and . We indicate the 2×2 identity matrix as I, the single-qubit Pauli gates as X Y Z , , , the controlled-Z gate as cZ, the controlled-X gate as cX, the Hadamard gate as H and S i diag 1, = ( ). The symbol •denotes the composition of CPTP maps: is the trace over the environment, D , Tr 2 s t s t = -( ) | | is the trace distance between the states σ and τ. We say that a noisy implementation   of  suffers bounded noise if   can be written as for some CPTP map  and number r 0 1  < , otherwise if r=1 we say that the noise is unbounded [49].

Background
We start by defining our notion of protocol:  1(b)), the state of the system at the end of a noisy protocol run is where E r is the state of the environment at the beginning of the protocol. We allow each map SE p  ( ) to depend arbitrarily on the corresponding operation S p  ( ) . A trap-based accreditation protocol is defined as follows. A single run of such a protocol takes as input a classical description of the target circuit and a number v, implements v 1 + circuits (the target and v traps) and returns the outputs of the target circuit, together with a 'flag bit' set to 'acc' ('rej') indicating that the output of the target must be accepted (rejected if the following two properties hold: (1) The state of the system at the end of a single protocol run (equation (2)) can be expressed as b b l l acc acc 1 acc acc 1 rej rej , 3 out out tar out tar out is the state of the target circuit at the end of a noiseless (noisy) protocol run, out tar t is an arbitrary state for the target circuit, accñ | is the state of the flag indicating acceptance, rej ].
(2) After d protocol runs with the same target circuit and v potentially different trap circuits, if all these runs are affected by independent and identically distributed (i.i.d.) noise, then the variation distance between noisy and noiseless probability distribution of the outputs of each of the N d 0, acc Î [ ]protocol runs ending with flag bit in the state accñ | is upper-bounded as in equation (1).
Property 1 ensures that the probability of accepting the outputs of a single protocol run when the target circuit is affected by noise (the number b in equation (3)) is smaller than a constant ε. The constant ε is a function of the number of trap circuits, of the protocol and of the noise model and is to be computed analytically. The quantity 1 e quantifies the credibility of the accreditation protocol.
Note that Property 1 in the above definition implies Property 2. To see this, assume Property 1 is valid for a given protocol. Suppose that this protocol is run d times with i.i.d. noise (a standard assumption in trap-based cryptographic protocols [29,36]) and suppose that N 0 acc > protocol runs end with flag bit in the state accñ | . For each of these N acc runs, the state of the system at the end of the protocol run is thus of the form (see equation (3) This yields a bound on the variation distance of the type [50] p s p s where in the last inequality we used that b  e (Property 1) and that the quantity prob(acc) b l b 1 = -+ ( ) is the probability of accepting (equation (3)). Hoeffding's Inequality ensures that N d prob acc ) and this yields Property 2. Bounding the variation distance as in equation (1) requires knowledge of the two numbers ε and N acc , the former obtained theoretically from the protocol and the latter experimentally from the device being tested. ε is a property of the protocol, of its input and of the noise model and can be computed without running the protocol. However, different devices running the same target circuit will suffer different noise levels and this is captured by N acc , which depends on the experimental device being tested. It is important to note that the bound on the variation distance is valid only for the outputs of the N acc protocol runs ending with flag bit in the state accñ | . If a protocol run ends with flag bit in the state rejñ | , Property 1 implies no bound on the variation distance and all rejected outputs must be discarded.
We can now present our accreditation protocol (a formal description can be found in Box 1 in the Methods).

Our accreditation protocol
Our accreditation protocol takes as input a classical description of the target circuit and the number v of trap circuits. The target circuit (figure 2) must start with qubits in the state +ñ | , contain only single-qubit gates and cZ gates and end with a round of measurements in the Pauli-X basis 1 . Moreover, it must be decomposed as a sequence of bands, each one containing one round of single-qubit gates and one round of cZ gates. We will indicate the number of qubits with n and the number of bands with m.
In our accreditation protocol v 1 + circuits are implemented, one (chosen at random) being the target and the remaining v being the traps. The trap circuits are obtained by replacing the single-qubit gates in the target circuit with other single-qubit gates, but input state, measurements and cZ gates are the same as in the target (figure 3(a); all single-qubit gates acting on the same qubit in the same band must be recompiled into one gate , the trap circuits are a sequence of (randomly oriented) cX gates acting on In the absence of noise, they always output s 0 = .
Our protocol requires appending a Quantum One-Time Pad (QOTP) to all single-qubit gates in all circuits (target and traps). This is described in Routine 1 in the Methods and is done as follows: • For all bands j=1,K,m and qubits i=1,K,n, a random Pauli gate is appended after each gate U i j , (figure 4(a)). This yields a a ¢ Î { }are random bits.
• For all bands j=2,K,m and qubits i=1,K,n, another Pauli gate is appended before each single-qubit gate. This Pauli gate is chosen so that it undoes the QOTP coming from the previous band ( figure 4(b)). Choosing   figure 2 and (b) overall computation implemented through this trap circuit. All the single-qubit gates acting on the same qubit in the same band must be recompiled into one gate-for instance, in figure 3(a), the H t -gate and subsequent S-gate acting on qubit 1 in band 1 must be implemented as one gate SH t .
this Pauli gate requires using the identities X I cZ cZ X Z , 7

This yields
is a Pauli gate that depends on the QOTP in the previous band.
• A random Pauli-X gate is appended before all the gates U i,1 ¢ in the first band. This yields U U X 10 Overall, replacing each gate U i j , with U i j ,  yields a new circuit that is equivalent to the the original one, apart from the un-recovered QOTP in the last band. Since all measurements are in the Pauli-X basis, the Pauli-X component of this un-recovered QOTP is irrelevant, while its Pauli-Z component bit-flips some of the outputs. These bit-flips can be undone by replacing each output s i with s i im , a Å (a procedure that we call 'classical post-processing of the outputs'). This allows to recover the correct outputs.
After all the circuits have been implemented and the outputs have been post-processed, the flag bit is initialized to acc 0 ñ = ñ | | , then it is checked whether all the traps gave the correct output s 0 = . If they do, the protocol returns the output of the target together with the bit accñ | , otherwise it returns the output of the target together with the bit rej 1 ñ = ñ | | . The output of the target is only accepted in the first case, while it is discarded in the second case.
In the absence of noise, our protocol always returns the correct output of the target circuit and always accepts it. Correctness of the target is ensured by the fact that the QOTP has no effect on the computation, as all the extra Pauli gates cancel out with each other or are countered by the classical post-processing of the outputs. Acceptance is ensured by the fact that in the absence of noise all the trap circuits always yield the correct outcome s 0 = .
We will now consider a noisy implementation of our protocol, explain the role played by the various tools (QOTP, trap circuits etc.) and show that with single-qubit gates suffering bounded noise, our protocol ensures that wrong outputs are rejected with high probability.

The credibility of our protocol
As per equation (2), we model noise as a set of CPTP maps acting on the whole system and on the environment ( figure 5). For simplicity, let us begin with the assumption that all the rounds of single-qubit gates in our protocol are noiseless, i.e. that for all circuits k v 1, , 1 = ¼ + and bands j=1,K,m, a noisy implementation of the round of single-qubit gates is (see figure 5 for notation) where SE  is the identity on system and environment. Under this assumption, a first simplification to the noise of type N1 comes from the QOTP, a tool used in many works in verification [25] and benchmarking protocols [20,51] that also plays a crucial role in our protocol. If single-qubit gates are noiseless, the QOTP allows to randomize all noise processes, even those non-local in space and time, to classically correlated Pauli errors (see lemma 1 in appendix A). A similar result was previously proven in [51] for Markovian noise, and here we show that this result holds also if the noise creates correlations in time.
Having reduced arbitrary non-local noise to Pauli errors via the QOTP, we show (see lemma 2 in appendix B) that our trap circuits detect all Pauli errors with non-zero probability. The reasoning is as follows: since the trap circuits contain only Clifford gates, the noise acting at any point of a trap circuit can be factored to the end of the circuit. The noisy trap circuit is thus rewritten as the original one (figure 3(a)) with a Pauli-Z error P I Z , n Î Ä { } applied before the measurements. If P I n ¹ Ä , the trap outputs a wrong output (s 0 ¹ ) and the noise is detected. However, if the errors in different parts of the circuit happen to cancel out, then P I n = Ä , the trap outputs s 0 = and the noise is not detected. The role of H and S-gates in our trap circuits is to ensure that this happens with suitably low probability for all types of noise that can possibly affect the trap. These gates map Pauli errors into other Pauli errors as where we omit unimportant prefactors (global phases do not affect outputs). Therefore, the random implementation of H and S-gates prevents errors in state preparation and two-qubit gates from canceling trivially. Similarly, the rounds of Hadamard gates activated at random at the beginning and at the end of the trap circuits prevent measurement errors from canceling trivially with noise happening before. These arguments are used to prove the claim of lemma 2, that states that our trap circuits can detect all possible Pauli errors with probability larger than 1/4.
The above arguments and lemmas can be used to prove that our protocol can detect arbitrary noise in state preparation, measurement and two-qubit gates, provided that single-qubit gates are noiseless: Theorem 1. Suppose that all single-qubit gates in our accreditation protocol are noiseless. For any number v 3  of trap circuits, our accreditation protocol can accredit the outputs of a noisy quantum computer affected by noise of the form N1 with v 1 , )we write the state of the system at the end of a noisy protocol run as in equation (3). We do this using lemmas 1 and 2. The proof of theorem 1 is in appendix C. We now relax the assumption of noiseless single-qubit gates and generalize our results to noise of the form N2. We assume that all rounds of single-qubit gates suffer bounded noise, i.e. that for all circuits k v 1, , 1 = ¼ + and bands j=1,K,m, a noisy implementation of the round of single-qubit gates is (see Figure 5 for notation) ( ) for some arbitrary CPTP map j k  ¢ ( ) acting on both system and environment and for some number . We refer to the number r j k ( ) as 'error rate' of j k  ( ) . Since each j k  ( ) is chosen at random (depending on whether circuit k is the target or a trap and on the QOTP) and since noise in single-qubit gates is potentially gate-dependent (condition N2), let us indicate with r j k max, ( ) the maximum error rate of single-qubit gates in band j of circuit k, the maximum being taken over all possible choices of j k  ( ) . We can now state theorem 2:  of trap circuits can accredit the outputs of a noisy quantum computer affected by noise of the form N1 and N2 with To calculate ε for the protocol with noisy single-qubit gates we use that where j k  ( ) is a CPTP map encompassing the system and the environment. We can then rewrite the state of the system at the end of the protocol as where out r is the state of the system at the end of a protocol run with noiseless single-qubit gates-which by theorem 1 is of the form of equation ( As it can be seen, the probability that the target is in the wrong state and the flag bit is in the state accñ ) from theorem 1. This probability reaches its maximum for h=1, therefore we have It is worth noting that our theorem 1 also holds if single-qubit gates suffer unbounded noise, provided that this noise is gate-independent. Indeed, if j does not depend on the parameters in j k  ( ) (see figure 5 for we can factor this noise into that of j  and prove v 1 e k = + ( )with the same arguments used in theorem 1. Similarly, we also expect our theorem 2 to hold if noise in single-qubit gates has a weak gate-dependence, as is the case for some of the protocols centered around randomized benchmarking [19]. We leave the analysis of weakly gate-dependent noise to future works.

Mesothetic verification protocol
In Box 4 in the Methods we translate our accreditation protocol into a cryptographic protocol, obtaining what we call 'mesothetic' verification protocol. To verify an n-qubit computation, in the mesothetic protocol the verifier (Alice) must possess a device that can receive n qubits from the prover (Bob), implement single-qubit gates on all of them and send the qubits back to the Bob. In appendix D we present theorems D1 and D2, which are the counterparts of theorems 1 and 2 for the cryptographic protocol. In the first two theorems the number ε is replaced by the soundness cr e (see definition 4 in appendix D.2), namely the probability that Alice accepts a wrong output for the target when Bob is cheating. Our mesothetic verification protocol is different from prepare-and-send [26][27][28][29][30][31][32][33] or receive-and-measure [34][35][36][37][38] cryptographic protocols in that Alice encrypts the computation through the QOTP during the actual implementation of the circuits, and not before or after the implementation. To do this, she must possess an nqubit quantum memory and be able to execute single-qubit gates. Despite being scalable, our protocol is more demanding that those in [27][28][29][30][31][32][33][34][35][36][37][38], where Alice only requires a single-qubit memory. This suggests the interesting possibility that protocols optimized for experiments may translate into more demanding cryptographic protocols and vice-versa.
Similarly to post-hoc verification protocols [35,43], our protocol is not blind. Alice leaks crucial information to Bob regarding the target circuit, such as the position of two-qubit gates. This is not a concern for our goals, as verifiability in our protocol relies on Bob being incapable to distinguish between target and trap circuits, i.e. to retrieve the number v 0 , see lemma D3 in appendix D.2.
Blindness may be required to protect user's privacy in future scenarios of delegated quantum computing [53]. In appendix D.2 we thus show how to make our protocol blind. This requires recompiling the target circuit into a circuit in normal form with fixed cZ gates, such as the brickwork-type circuit in figure 6. This yields an increase in circuit depth, hence the minimal overheads of our protocol must be traded for blindness.

Discussion
We have presented a trap-based accreditation protocol for the outputs of NISQ devices. Our protocol is scalable and practical, and relies on minimal assumptions on the noise. Specifically, our protocol requires that singlequbit gates suffer bounded (but potentially gate-dependent and non-local in space and time) noise.
A single protocol run ends by either accepting or rejecting the output of the target circuit that we seek to accredit. We can then run our accreditation protocol multiple times (with the same target and with the same number of traps), each time keeping the output if the protocol accepts and discarding it if the protocol rejects. After multiple runs with i.i.d. noise, our protocol allows to bound the variation distance between noisy and noiseless probability distribution of the accepted outputs (equation (1)).
Real-world devices can be accredited by running our protocol on them. The accreditation is provided by bounds on the variation distance that rely on ε, which we obtained in theorems 1 and 2, and the acceptance probability prob(acc) of our accreditation protocol. The latter is estimated experimentally by running our protocol multiple times on the device being accredited.
Some noise models allow to lower-bound the acceptance probability analytically and consequently to upperbound the variation distance. For instance, if all operations S p  ( ) in our protocol suffer bounded noise and have error rates r p , we can write the state of the system at the end of the protocol as where out tar s is the state of the target at the end of a noiseless protocol run, t  is an arbitrary state for target and flag and This yields prob(acc)  d and (see equation (5)) In figure 7 we plot the RHS of the above equation. Plots of this type can be used to seek error rates that will provide the desired upper-bound on the variation distance. Figure 6. (a) Six-qubit example of circuit in normal form. This circuit has the same repetitive structure as the Brickwork States [52].
Recompiling the target circuit into a normal form of this type can always be done using the circuit identities (b) and (c).
Considering the error rates of present NISQ devices [2,[45][46][47][48] we expect that our protocol may provide worthwhile upper-bounds for target circuits with up to n 7 » qubits and m 7 » bands (figure 7(a)). We also expect that larger target circuits may yield upper-bounds that are too large to be useful. In fact, for large target circuits, it is also possible that none of the protocol runs will accept the output of the target, and thus that our protocol will provide no upper-bound. Nevertheless, it is worth remarking that this does not indicate that our accreditation protocol is unable to accredit computations on NISQ devices. On the contrary, by providing large upper-bounds, our protocol reveals that the device being tested suffers high levels of noise and that its outputs are not credible. Our work leaves several open questions. Our theorem 2 shows that our protocol requires reducing the error rates of single-qubit gates with the size of the target circuit. This requirement is similar to that found in other works [29,38,41], and is a known obstacle towards scalable quantum computing. A strategy that has been exploited in previous works is to incorporate fault-tolerance into the existing protocols [29,41]. Another has been to define verifiable fault-tolerance using notions such as acceptability and detectability [54]. Interfacing fault tolerance with accreditation is an interesting challenge for the future.
Another open question regards the applicability of our accreditation protocol if single-qubit gates suffer unbounded noise. In its current state, the analysis of our protocol does not account for unbounded gatedependent noise in single-qubit gates, including unitary errors such as over-or under-rotations. The reason is that the QOTP (which maps coherent errors into classically correlated Pauli errors) is applied at the level of single-qubit gates. Unbounded errors that depend on the gates used to randomize arbitrary noise processes to Pauli errors are an obstacle to other works including cryptographic protocols [29] and protocols based on randomized benchmarking [16-18, 20, 21].
Finally, with the mesothetic protocol we show how to adapt our protocol to the cryptographic setting. In the mesothetic protocol the verifier requires an n-qubit memory and the ability to execute single-qubit gates. This protocol ismore demanding than several existing cryptographic protocols [27][28][29][30][31][32][33][34][35][36][37][38] requiring single-qubit memory for the verifier. An interesting question is whether a mesothetic protocol can be devised that only requires single-qubit gates and single-qubit memory for the verifier.

Overhead of our accreditation protocol
Here we count the overhead of our protocol. Our protocol has no quantum overhead, as all circuits have the same size as the one being verified. The classical overhead consists in O(nm) bits for each of the v 1 + computations. Specifically, the target computation has an overhead of nm n 2 + bits (the nm 2 random bits , a a ¢ and the n random bits i g in Routine 1), while the traps have an overhead of at most nm n nm 2 + + bits (the nm n 2 + random bits in Routine 1 and at most nm random bits in Routine 2).  [14] with n=62 qubits and circuit depth m=34. In these plots we assume that all operations are affected by bounded noise. We also assume that single-qubit state preparation, single-qubit measurements and cZ-gates have error rates r 0 , and that all single-qubit gates have error rates r 10 0 . Box 1. Accreditation protocol.
Input: 1. A target circuit that takes as input n qubits in the state +ñ | , contains only single-qubit gates and cZ gates arranged in m bands and ends with Pauli-X measurements ( figure 2). 2. The number v of trap circuits. Routine: 1. Choose a random number v v 1, , where cZ j  is the entangling operation in the jth band.

Notation
In these appendices we will indicate the action of the round of single-qubit gates in a band j m 1, , where S r is the state of the system. Similarly, we will indicate the action of a round of cZ gates on the system as cZ cZ where cZ j  is the tensor product of all cZ gates in band j in the target circuit, and the action of n-qubit Pauli operators as , , , are single-qubit Pauli operators.
In appendix A we provide statement and proof of lemma 1, In appendix B we provide statement and proof of lemma 2 , In appendix C we prove theorem 1 and in appendix D we prove soundness of the mesothetic protocol.

Appendix A. Statement and proof of lemma 1
We now present and prove lemma 1, which is as follows: This lemma shows that if single-qubit gates are noiseless, the QOTP allows to reduce noise of the type N1 to classically correlated Pauli errors. These Pauli errors affect each circuit after state preparation ( k and before the measurements ( m k  ( ) ). Errors in the cZ gates can be Pauli-X, Y and Z, while those in state preparation and measurements are Pauli-Z (this is because their Pauli-X components stabilize in r and Pauli-X measurements respectively).
The main tool used in this section is the 'Pauli Twirl' [18]. Proof. (Lemma 1) We start proving the lemma for the case where we run a single circuit (v = 0), and then we generalize to multiple circuits (v 0 > ). Including all purifications in the environment, we can rewrite the noise as unitary matrices acting on system and environment (for clarity we write these unitaries in bold font   For simplicity, we first prove our result for a circuit with m=2 bands and generalize to m 2 > bands later.
Introducing resolutions of the identity on the environment before and after every noise operator, we have act only on the system, and can thus be written as in table 1. In We will now describe how to apply the Pauli twirl lemmas iteratively, in the order the operations apply on the input. Therefore, we start by showing how to eliminate terms of the sum where 1 1 m n ¹ . Since X stabilizes +ñ | states, we can rewrite in r as X X       F  p k   M  , ,  , , , ,   ,0 ,  , ,  , ,  ,0 ,  , ,  , ,  , ,0, , , } and prob , , ) is the joint probability of Pauli errors , , 0 1 2    . This concludes the proof for the protocol with v=0 and m=2.
The generalization to a protocol with v=0 and m 2 > is straightforward. Starting from the state in equation (A4), one can use the same arguments as for the two-band circuit. To generalize to multiple circuits (v 0 > ), we start by noticing that the circuits are implemented in series, hence the noise can only affect one circuit at a time. By the principle of deferred measurements, we can execute all the measurements at the end of the protocol. Moreover, we can prepare the input qubits for all the circuits at the beginning of the protocol. Doing this, the state of the system after all circuits have been implemented becomes } for all j=1,K,m and M j is the number of choices of j  . Note that each number M j depends on the number of qubits connected by a cZ in band j of the trap circuit, see Routine 2.
In a trap circuit the gate 1  in the first band is of the form where N j is the number of possible choices of j  .
Using that j j j j 1     = is a tensor product of cX gates, the above state can also be rewritten as Notice that each j  carries an implicit dependency on j  (the orientation of the cX gates depends on j  , see Figure 3).
The probability that the trap outputs s 0 = is To upper-bound this probability by 3/4, we first consider 'single-band' collections of errors, namely collections ¹ . For these collections, we prove that the probability that the output of the trap is the correct one s 0 = is smaller than 1/2: We prove this in Statement 1. Next, we consider 'two-band' collections of errors. We obtain We prove this in Statement 2. To obtain this bound, we move the two errors towards each other (i.e. we commute them with all the gates in the middle) and subsequently merge them, rewriting them as a single Pauli operator. The resulting Pauli operator is the identity  with probability c, or is a different operator with probability c 1 -. In the former case, the errors have canceled out with each other, while in the latter they have reduced to a singleband error. Importantly, in Statement 2 we prove that . We now complete the proof by proving Statement 1 and Statement 2.
where we used cX ++ñ = ++ñ | | and cX 00 00 ñ = ñ | | . We now start from the case j 1 2 = . We then note that (i) if n=1 (single-qubit circuit), all , , The above inequalities for n=1 and n=2 can be proven using that H maps X Y Z , , } under conjugation (apart from unimportant global phases). Extension to more than two qubits is as follows: If s P n prob 0 , qubits 3 4 , then tensoring one more qubit yields where , , n t n n 1, , 1 1, , 1 1, , Tensoring two qubits connected by cZ yields the same bound, and this concludes the proof by induction for j 1 2 = . If j m 1, , To prove the inequality, one can commute j j j To see this, consider first the case t=0, and consider commuting , } with all the gates in the circuit. Since all these gates are cX gates with random orientation, the identities   = (red gates) and t=0. Due to identities B23, commuting 1  with the entangling gate (green box, cX gate with random orientation) make the two errors cancel out if qubit 1 is the control qubit. On the contrary, if qubit 1 is the target qubit, the errors do not cancel and cause a bit-flip of output s 1 . Thus, for t=0 these errors are detected with probability 1/2. The same can be proven for t=1 using identities B24, as well as for all other errors , 0 1   .
) is the probability of single-qubit gates , , m v 1 ) being chosen. Crucially, notice that the probability associated to each collection of Pauli errors does not depend on the specific choice of singlequbit gates j k  ( ) . We can thus rewrite the above state as  } circuits. In this case, as the Pauli errors do not depend on the single-qubit gates, they do not depend on the random number v 0 (which labels the position of the target circuit) nor on the random parameters in the trap circuits. Therefore, summing over all choices of single-qubit gates, the probability that the target is among the v circuits affected by noise is v v 1 +  ( ).

. Background
We will now define the notions of protocol and verifiability in the cryptographic setting. We start by defining quantum states as states belonging to the Hilbert space ABC    The lemma can now be proven following the same steps as in the proof of theorem 1. , Using these three lemmas we can now calculate completeness and soundness for the mesothetic protocol and obtain theorem D1: