A simple protocol for fault tolerant verification of quantum computation

With experimental quantum computing technologies now in their infancy, the search for efficient means of testing the correctness of these quantum computations is becoming more pressing. An approach to the verification of quantum computation within the framework of interactive proofs has been fruitful for addressing this problem. Specifically, an untrusted agent (prover) alleging to perform quantum computations can have his claims verified by another agent (verifier) who only has access to classical computation and a small quantum device for preparing or measuring single qubits. However, when this quantum device is prone to errors, verification becomes challenging and often existing protocols address this by adding extra assumptions, such as requiring the noise in the device to be uncorrelated with the noise on the prover's devices. In this paper, we present a simple protocol for verifying quantum computations, in the presence of noisy devices, with no extra assumptions. This protocol is based on post hoc techniques for verification, which allow for the prover to know the desired quantum computation and its input. We also perform a simulation of the protocol, for a one-qubit computation, and find the error thresholds when using the qubit repetition code as well as the Steane code.


I. INTRODUCTION
There is now substantial evidence that quantum computers cannot be simulated efficiently by their classical counterparts. Shor's factoring algorithm is one example where an efficient (polynomial time) solution to a problem can be found with a quantum computer, but the best classical algorithm that we know runs in superpolynomial time (in the worst case) [1]. While the inability to be efficiently classically simulated can be of great use in computing, it does raise other problems. In particular, how can we check that the device is producing the correct answer if it is hard to simulate with a classical computer? For the case of factoring, we can just multiply the factors, but for other problems (such as simulating a quantum system) there is no a priori classically efficient means of verifying whether a quantum computation was carried out [2].
To be a bit more explicit, the scenario is that of a verifier that can do probabilistic classical computation, and an untrusted prover who is limited to universal quantum computation. The verifier wishes to use the prover's quantum computer, but might not be able to trust the prover's output, and so the verifier will perform some sort of verification. In full generality, the prover and the verifier can exchange multiple rounds of classical communication with each other (as the verifier has no quantum capabilities). Both parties' computations have a running time that is, at most, a polynomial in the size of the input to the computation (hence efficient by standard notions in computational complexity). The verifier would like to be able to perform any efficient quantum computation by delegating the task to the untrusted prover. Clearly, if the prover is honest and actually has a quantum computer, they can perform the task for the verifier. On the other hand, if the prover is dishonest then they could lie or deviate in any manner they deem fit. The goal of verification of quantum computation is to catch (with high probability) when a prover is being dishonest and reject his output.
There has been a lot of progress in the development of verification protocols (see [3] for a survey paper). It is still an open problem whether verification is possible in this setting, with no extra computational assumptions. Two main modifications of the classical client, single server setting have been considered: give the verifier some quantum device and allow some quantum communication between the prover and verifier, or introduce multiple noncommunicating quantum provers that share entanglement. In the former approach -the approach we take in this paper -this quantum device could prepare particular quantum states or make measurements in a particular basis, and this quantum process becomes an integral part of the prover's quantum computation. In this approach, existing protocols typically assume an ideal setting in which the only "errors" that can occur are a result of malicious behaviour of the prover. But realistically, quantum devices are highly susceptible to noise, and so a verifier could introduce noise into a computation implemented by an honest prover. Reducing this noise and controlling it is one of the great challenges in de-veloping scalable quantum computers. The threshold theorem shows that as long the error rate per quantum gate is below a constant threshold, it is always possible to perform a fault tolerant quantum computation with only a polylogarithmic increase in overhead [4].
We would like to avoid the verifier's quantum device becoming too powerful, even being polylogarithmic in the size of the input to the computation would be too powerful [5]. Therefore, we want to restrict it to having a quantum register that is constant-size. Even if the errors of the verifier's device can be suppressed, it still needs to be proven that this is not detrimental for the verification of a quantum computation. To wit, we want that a malicious prover does not exploit these errors in order to successfully trick the verifier into accepting incorrect results.
For protocols in which the verifier is fully classical, fault tolerance is not a concern since one can assume that the provers are performing their quantum operations on top of a quantum error correcting code. Since provers are assumed to have universal quantum computing power, we naturally have to assume that they are capable of fault tolerant quantum computation between themselves. We emphasise that discussions about fault tolerance only make sense in the setting in which the verifier possesses a quantum device.
Thus, we are faced with the following problem: Problem statement: Can a verifier with a constant-size and imperfect quantum device verifiably delegate a quantum computation to a single prover?
We show that this is indeed possible. Furthermore, it is possible even if the verifier's device is an imperfect single-qubit measurement device. Our approach is based on that of post hoc verification [6][7][8], where a prover sends quantum systems to a verifier that should be the ground state of a Hamiltonian. This ground state encodes the desired quantum computation and can be used to "read off" the outcome of that computation. If the verifier can indeed certify that this is the ground state, then the computation is verified. In our protocol we encode the qubits of this ground state into a logical ground state where each qubit of the original state is encoded into a larger number of physical qubits via a quantum error correction code. This logical state is then the ground state of a logical Hamiltonian described by the quantum computation. In the protocol, the physical qubits in this logical state are then measured one at a time, and appropriate classical corrections are made on the outcomes of these measurements in post-processing if errors are detected. An honest prover's probability of successful computation will be boosted by this error correction, but importantly we can still verify if the logical ground state was indeed prepared by the prover.
Finally, we consider a simple example of this protocol in the honest prover scenario. That is, using the repetition code and the Steane code, we can simulate and characterise the protocol's behaviour under bit-flip errors and depolarizing noise.
Paper outline -In Section II we give some basic complexity theoretic notions to formalize what we mean by verifying efficient quantum computations. We also outline post hoc quantum verification, which is the basis for our approach. Next, in Section III we give our protocol for fault tolerant verification of quantum computation, and also prove its correctness; we also describe our simulation of the protocol, with various degrees of noise and outline the obtained results. We then conclude, in Section IV, with some discussions and open problems.
Let us first comment on approaches that have also addressed the aforementioned problem of fault tolerant verification.
Related work -For protocols in which the verifier has a small quantum device, the question of fault tolerance has been addressed in [9][10][11][12]. In [9][10][11] the authors proposed protocols in which a classical client possessing either a single qubit preparation or measurement device, susceptible to noise, could verifiably delegate quantum computations to a prover. All these protocols are computationally blind, meaning that the delegated computation is kept secret from the prover. We will return to this issue in detail in Section IV. Moreover, blindness is required for achieving verifiability. However, this requirement of blindness introduces new difficulties when considering fault tolerant computation. To circumvent these difficulties, extra (potentially unrealistic) assumptions were made about the noise, which rule out the possibility of the prover utilising the noise to deceive the verifier. A discussion of the general difficulty in realizing a verifiable, blind, fault tolerant protocol is provided in [12].

A. Complexity theory
Complexity theory classifies computational problems as sets of "yes/no" decision problems that are solvable by a particular model of computation, under certain constraints. Decision problems are modeled as sets of binary strings, known as languages. The input to the problem is a bit string and the output is yes or no, depending on whether the string belongs to the language or not. The primary class that is of interest to us, is that of decision problems decidable efficiently by a quantum computer, which is denoted BQP. By "efficiently" we always mean in a number of time steps that scales as some polynomial in the size of the input to the problem. For completeness we reproduce the definition of this class. Definition 1. A language L ⊆ {0, 1} * belongs to BQP iff there exist a polynomial p, and a uniform quantum circuit family {C n } n , such that for any x ∈ {0, 1} n the following is true: • when x ∈ L, C n (x) accepts with probability at least a, and • when x ∈ L, C n (x) accepts with probability at most b, where a − b ≥ 1/p(n) and |C n | ≤ p(n).
If we replace quantum circuits with classical boolean circuits, having access to random bits, we obtain the class BPP, of problems that can be decided efficiently on a classical computer. We will frequently refer to machines that can solve either BPP problems or BQP problems as BPP machines or BQP machines, respectively.
Another class of interest is MA which consists of decisions problems for which the "yes" instances can be checked by a BPP machine, when given access to a polynomial-sized bitstring known as a proof. More formally, MA is defined as follows: Definition 2. A language L ⊆ {0, 1} * belongs to MA iff there exist a polynomial p, and a BPP machine V (known as verifier), such that for any x ∈ {0, 1} n the following is true: • when x ∈ L, there exists a string w ∈ {0, 1} ≤p(n) such that V(x, w) accepts with probability at least a, and • when x ∈ L, for all strings w ∈ {0, 1} ≤p(n) , V(x, w) accepts with probability at most b, Essentially, one can view problems in MA as those for which a computationally powerful prover can convince a BPP verifier that the answer is "yes", with high probability, by providing a proof string that the verifier can check. There is a quantum analogue of this known as QMA, in which the proof string is a quantum state. Specifically: Definition 3. A language L ⊆ {0, 1} * belongs to QMA iff there exist a polynomial p, and a BQP machine V (known as verifier), such that for any x ∈ {0, 1} n the following is true: • when x ∈ L, there exists a quantum state |ψ having at most p(n)-many qubits, such that V(x, |ψ ) accepts with probability at least a, and • when x ∈ L, for all quantum states |ψ having at most p(n)-many qubits, V(x, |ψ ) accepts with probability at most b, Clearly, BQP ⊆ QMA, since the BQP verifier can simply ignore the proof state from the prover. It is believed that the containment is strict, since, in principle, the prover can produce proof states that cannot be generated by the poly-time quantum verifier. In fact, it was shown in [13] that the "quantum overhead" of the verifier can be reduced to simply performing single-qubit measurements, while maintaining the ability to correctly decide all problems in QMA. This is achieved by instructing the prover to prepare special states that satisfy two properties: • Any BQP computation can be performed through suitable single-qubit measurements of these states.
• Any such state of a given size can be tested through single-qubit measurements.
If one adds a further condition, namely that these special states can be prepared by a BQP machine (essentially restricting the prover to BQP), then one obtains a scheme for verifying an arbitrary BQP computation using only single-qubit measurements. This is precisely what Fitzsimons, Hajdušek and Morimae have done in their post hoc verification protocols [6][7][8]. One could ask whether this merely allows the verifier to check the "yes" instances of BQP problems, however BQP is closed under complement [14] meaning that the "no" instances can also be verified.

B. Post hoc verification
As mentioned, the core idea of post hoc verification is to have a BQP prover (or provers) prepare a quantum proof state that the verifier can check using single-qubit measurements. To explain how the protocol works, we first define a problem known as the k-local Hamiltonian problem, which was introduced by Kitaev in [15]. A k-local Hamiltonian, acting on a system of n qubits, is a hermitian operator H that can be expressed as H = i H i , where each H i is a hermitian operator which acts non-trivially on at most k qubits. The k-local Hamiltonian problem, for which we have taken the definition from [16], is then the following: Definition 4 (The k-local Hamiltonian (LH) problem).
• Input: H 1 , . . . , H m , a set of m Hermitian matrices each acting on k qubits out of an n-qubit system and satisfying H i ≤ 1. Each matrix entry is specified by poly(n)-many bits. Apart from the H i we are also given two real numbers, a and b (again, with polynomially many bits of precision) such that a − b > 1/poly(n).
• Output: Is the smallest eigenvalue of H = H 1 + H 2 + ... + H m smaller than b or are all its eigenvalues larger than a?
Kitaev showed that this problem is complete for the class QMA. In other words, the problem is in QMA and any problem in QMA can be reduced to it, in (classical) polynomial time [15]. The idea is essentially this: for some language L ∈ QMA, and given a and b, one can construct a k-local Hamiltonian such that, whenever x ∈ L, its smallest eigenvalue is less than b and whenever x ∈ L, all of its eigenvalues are greater than a. The proof state, |ψ , when x ∈ L, is the eigenstate of H corresponding to its lowest eigenvalue (or a state that is close, in trace distance, to this state), known as the ground state. The verifier receives the state from the prover and measures one of the local terms H i (which is an observable) on that state. One can prove that this can be done with a polynomial-sized quantum circuit. This yields an estimate for measuring H itself. Therefore, when x ∈ L and the prover sends |ψ , with high probability the verifier will obtain the corresponding eigenvalue of |ψ which will be smaller than b.
If the prover is malicious then it would have to convince the verifier to accept when x ∈ L. However, when this is the case, all the eigenvalues of H will be larger than a and so, no matter what state the prover sends, when the verifier measures the local term H i it will, with high probability, obtain a value greater than b and will therefore reject. We will refer to a − b as the promise gap of the local Hamiltonian.
The constant k in the definition of the k-local Hamiltonian problem is not arbitrary. In the initial construction of Kitaev, k had to be larger than 5 for the problem to be QMA-complete. Subsequent work has shown that even with k = 2 the problem remains QMA-complete [17]. In fact, H can be a particular type of 2-local Hamiltonian known as an XZ-Hamiltonian and this is the type of Hamiltonian used in the post hoc protocol of Morimae and Fitzsimons [6,8].
To define an XZ-Hamiltonian, we introduce some helpful notation. Consider an n-qubit operator S, which we shall refer to as XZ-term, such that: with P j ∈ {I, X, Z}, where X and Z are the Pauli X and Z operators and I is the identity. Denote w X (S) as the X-weight of S, representing the total number of j's for which P j = X. Similarly denote w Z (S) as the Z-weight for S. An XZ-Hamiltonian is then a 2-local Hamiltonian of the form: where the a i 's are real numbers and the S i 's are XZ-terms having w X (S i ) ≤ 1 and w Z (S i ) ≤ 1. Essentially, as the name suggests, an XZ-Hamiltonian is one in which each local term has at most one X operator and one Z operator.
We can now explain the post hoc protocol of [8]. The protocol relies on the observation that BQP ⊆ QMA. This means that any problem in BQP can be viewed as an instance of the 2-local Hamiltonian problem. Therefore, for any language L ∈ BQP there exists an XZ-Hamiltonian, H, and a polynomial-time quantum verifier which can measure a local term of H on the quantum witness sent by the prover and decide the problem correctly, with high probability. But since the local terms of an XZ-Hamiltonian have at most one X operator and one Z operator, the verifier will essentially have to measure at most two qubits, one in the standard basis (|0 , |1 ) and the other in the Hadamard basis (|+ , |− ).
We now restrict attention to L ∈ BQP. As mentioned, when x ∈ L, the proof state that the prover should send to the verifier should be close to the ground state of the XZ-Hamiltonian. When L ∈ BQP, the Hamiltonian can be chosen so that the ground state is close to a particular type of state known as a Feynman-Kitaev clock state (also known as history state), which can be prepared by a BQP prover [15]. To describe this state, consider a quantum circuit C = U T U T −1 ...U 1 , with classical input |x , where T = poly(|x|), for testing whether x ∈ L. Denoting U 0 = I, the Feynman-Kitaev state associated to C and |x is the following: There exists an XZ-Hamiltonian, H, such that when x ∈ L, we have that ψ|H|ψ < a, and when x ∈ L we have that for any |φ , φ|H|φ > b, for some a, b such that a − b > 1/poly(|x|). The exact form of H is not important for understanding the protocol.
What is important is that for any L ∈ BQP, the verifier can efficiently compute the description of H. The post hoc protocol then works as follows: 1. The verifier computes the terms a i of the XZ-Hamiltonian, H = i a i S i , corresponding to L and input x. They then send the description of H and x to the prover.
2. The prover responds by preparing the ground state of H (the Feynman-Kitaev state, described above), denoted |ψ , and sends it to the verifier. This constitutes the quantum proof state for the statement that x ∈ L (if x ∈ L, the same procedure is performed for the complement of L, denoted L c , which is also in BQP).
3. The verifier chooses one of the XZ-terms S i , according to the normalized probability distribution {|a i |} i , and measures it on |ψ . They accept on outcome −sgn(a i ) of the measurement.
The protocol is correct, in that when the prover aims to convince the verifier that x ∈ L (or x ∈ L c , respectively) and sends the correct state (for the Hamiltonian corresponding to L or to L c , respectively), the verifier will accept with probability: Additionally, the protocol is sound in that when the prover aims to convince the verifier that x ∈ L (or x ∈ L c , respectively), irrespective of the state that the prover sends, the verifier will accept with probability: Since i |a i | is a constant and a − b > 1/poly(|x|), the gap between the two probabilities is inverse polynomial in the size of the input.

III. FAULT TOLERANT VERIFICATION OF QUANTUM COMPUTATION
The protocol described above works assuming an ideal setting in which the quantum devices of both the prover and the verifier are perfect. Of course, this is an unrealistic assumption since any implementation of the protocol will be subject to noise stemming from an imperfect isolation of the quantum systems from the environment, and the use of faulty devices. It is straightforward to show that a constant rate of noise on these devices will lead to the failure of the protocol for sufficiently large computations. This is because the gap between acceptance and rejection, defined by a − b, is inverse polynomial in the size of the input. As a result of noisy devices, the acceptance threshold is shifted to a − c, and the rejection threshold is shifted to b + c, where c is some positive constant that depends on the noise rate of the devices. We can see that as long as c < (a − b)/2, the verifier can still distinguish reliably between acceptance and rejection. However, it is clear that for a sufficiently long input, we will have that c ≥ (a − b)/2. At this point, the protocol no longer satisfies the correctness nor the soundness criteria. In fact, this is common to all other verification protocols in the single-prover setting [3]. To address this issue we now give a fault tolerant version of the post hoc protocol that works in the presence of quantum devices subject to local noise having a constant error-rate.

A. The fault tolerant protocol
Our construction is simple: we ask the prover to encode the history state in a CSS (Calderbank-Shor-Steane) error-correcting code [18] and send it to the verifier. The verifier will then perform a transversal measurement of the X and Z operators. Transversality results in the logical operators being expressed as tensor products of physical X and Z operators, i.e.:X whereX andZ are the logical (or encoded) X and Z operators. In effect, the original Hamiltonian is replaced with an encoded Hamiltonian by substituting each XZ-term with its corresponding logical form. CSS codes are transversal and this ensures that the verifier needs to perform only single-qubit measurements. We also require an additional property, that is possessed by CSS codes, namely that the outcomes for the transversal measurements (of the X and Z operators) are encoded in a classical errorcorrecting code. This is because the verifier will not perform any quantum correction on the state sent by the prover. Instead, this state will be measured and the measurement outcomes are classically postprocessed.
To clarify, consider the following simple example. Assume that the CSS code is a repetition code in which| 0 = |0 ⊗m and| 1 = |1 ⊗m , for some odd m > 1. This code can correct ⌊ m 2 ⌋ bit-flip errors. If the verifier wishes to measure theZ observable on an encoded state, they will instead measure m i=1 Z i . The m-bit outcome corresponds to the outcome of Z encoded in a classical repetition code. Thus, the verifier will simply take the majority bit as the outcome ofZ.
For our protocol, the verifier will measure a local term of the encoded Hamiltonian, in a transversal way, and perform the classical post-processing of the results in order to extract the corrected measurement outcome. With this corrected outcome, the acceptance condition is the same as in the "unencoded" case (i.e. if the outcome for the measurement of termS i is −sgn(a i )).
To guarantee that this construction works, we show the following: (1) The encoded Hamiltonian preserves the a − b promise gap of the original Hamiltonian. This is equivalent to showing that the encoded ground state of the original Hamiltonian is a ground state of the encoded Hamiltonian having the same energy.
(2) A polylogarithmic number of concatenations of the CSS code is sufficient to maintain an inverse polynomial acceptance-rejection gap in the presence of noise.
Having these properties guarantees that the fault tolerant post hoc protocol is both correct and sound, even in the presence of noisy devices. In other words: Proof. LetX andZ be the logical X and Z operators in the chosen CSS code. We have that {X,Z} = 0 and we will assume that these operators act on m > 0 qubits. Since these are operators for an error correcting code, there exists an encoding unitary, denoted E, such that: Now let H = i a i S i be an XZ-Hamiltonian acting on n > 0 qubits, and let H ′ = H ⊗ I n(m−1) . Clearly, H and H ′ have the same eigenvalues. But note that using Equations 7 and 8 we have that: whereS i is obtained by replacing X, Z and I byX, Z and I ⊗m , respectively. This then implies that: whereH = i a iSi is the encoded XZ-Hamiltonian. Thus, sinceH and H ′ are unitarily related, they will also have the same eigenvalues. Moreover, if ψ = E ⊗n |ψ |anc is the encoded version of some n-qubit state |ψ , for a suitably chosen ancilla state |anc , it is clear that for any such |ψ we have that: Therefore, if |ψ is a ground state of H, ψ will be a ground state ofH. This proves property (1), since it shows that the encoded Hamiltonian will have the same promise gap as the original Hamiltonian.
To prove property (2), we first need to describe what we mean by noisy measurements. The verifier makes X and Z measurements, but with probability ǫ m there is an error in the measurement. The probability of error is independent between uses of the measurement devices, i.e. there are no correlated errors [19]. To be a bit more precise, for ideal measurement operator M x for outcome x, we apply a unital map E to M x , where with probability 1 − ǫ m , M x is unchanged, and with probability ǫ m , M x is changed to something else. Alternatively, if we measure an n-qubit state ρ one qubit at a time, the noisy measurement is equivalent to transforming ρ to (E † ) ⊗n (ρ), and then making an ideal measurement on each qubit individually, where E † is the channel that is dual to E.
This error model of the measurement device is exactly how errors are traditionally modelled in quantum computation, where they are identically and independently distributed on the qubits. So if each qubit in the Hamiltonian is encoded in a block of qubits, then due to the error-correcting code, the probability of obtaining an incorrect outcome (after classical post-processing) has been suppressed from ǫ m on the original qubit to at most αǫ 2 m on the whole block, for some constant α (determined by the code).
Here we have implicitly used the fact that the measurement outcome for the logical qubit in one block is obtained through classical error correction (postprocessing) of the outcomes of measuring the block qubits. Concatenating k times then results in probability α (2 k −1) ǫ 2 k m of there being an error upon measuring an encoded qubit.
The verifier will make two logical qubit measurements, so to achieve a final error rate η, we must have the error for each logical qubit after k concatenations be α (2 k −1) ǫ 2 k m ≤ η 2 . Provided that α is below the threshold probability p th = α −1 of the code, then if each block consists of b qubits with k levels of concatenation, for each qubit we have which is O(polylog( 2 η )). So if the total number of qubits in the ground state of the original Hamiltonian is n, after k levels of encoding in blocks of size b, the total number of qubits in the encoded ground state is O(n polylog( 2 η )). If the probability of acceptance (rejecting) in the original protocol (without noisy measurements) is p acc (p rej ) and we have that p acc − p rej ≤ 1 poly(n) . Now with noisy measurements, we have that the new probability of acceptance (with error correction) is p acc ≥ p acc − η andp rej ≤ p rej + η. Therefore, to maintain a polynomial gap between acceptance and rejection we must have that η is sufficiently smaller than an inverse polynomial, which only incurs a polylogarithmic overhead. Note that only a polynomial overhead is required if we wish for η to be exponentially small.
The idea of encoding the proof state in an errorcorrecting code while maintaining a single-qubit measurement device for the verifier has also been considered, in the context of general QMA problems, in [20]. In that case, however, the proof state is a graph state that is used by the verifier to perform a fault tolerant measurement-based quantum computation. The verifier is also required to test that this state corresponds to the correct graph state and this is achieved through a stabilizer test.
In our case, by restricting to BQP computations, we simply require the verifier to measure the history state associated to the quantum computation. By showing that the encoded Hamiltonian has the same promise gap as the original Hamiltonian it is therefore sufficient to request that the prover encode the history state in a CSS code.

B. Example
Let us consider a toy example of our protocol in the case of an honest prover, for which we will give numerical results when using the repetition code and the Steane code, respectively. To start with, we should consider a quantum computation for which we want to construct a history state. Given that the Steane code will encode one logical qubit as 7 physical qubits, this computation needs to be small enough so that we are able to perform multiple runs of the protocol, in a reasonable amount of time. For this reason, we will choose the following one-qubit computation:

FIG. 1. Example computation.
where: Note that D(φ) is universal for single-qubit quantum computations [21]. The computation has two time steps, hence T = 2. Consider the case x = 0. The input state starts out as |0 , it is then flipped to |1 and upon application of the D(π/8) gate it becomes sin(π/8)|0 − cos(π/8)|1 . If we designate output |1 as acceptance, then this circuit will accept x = 0 with probability cos(π/8) 2 . The history state, for x = 0, will be: where we have separated the computation register from the clock register. For the x = 1 case, the history state will be: We now need to consider an XZ-Hamiltonian such that the ground state is close to |ψ x=0 . Since the 2local construction is fairly involved and we are only interested in a simple example, we will instead consider a 3-local Hamiltonian. This, of course, does not change the protocol in any way and the verifier will still perform single-qubit X and Z measurements. Following the works of [17,22], the Hamiltonian will have the following form: • H in penalizes terms in which the input is not of the correct form, at the start of the computation (T = 0).
• H clock penalizes terms in which the clock register is not of the correct form, throughout the computation.
• H prop penalizes terms that do not correspond to the chosen computation.
• H out penalizes terms for which the output of the computation register is not |1 (i.e. nonaccepting computations).
In our case, we have: where: and finally: It should be noted that |ψ x is the ground state of H in + H clock + H prop , but not the ground state of H.
It is the H out term that singles out |ψ x=0 and makes the ground state of H be close, in trace distance, to the history state for the x = 0 case. This is because in that case, the output of the computation will be |1 , with high probability. We now write H in XZ form: The protocol proceeds as follows. The verifier will inform the prover that they wish to perform the computation from Figure 1, for input x = 0. The prover reports that the computation accepts (with high probability) and prepares the history state |ψ x=0 , encoded in a CSS code. This state is sent qubit by qubit to the verifier. The verifier, will choose one of the terms from Equation 14, with its corresponding probability, and perform the transversal measurement of the state. For instance, the term XZX will be chosen with probability 1 2K sin(π/8), where K = i |a i | ≈ 4.8. The verifier measures the X and Z operators, performs classical post-processing on their results and combines them so as to recover the outcome of measuring XZX. She accepts on outcome −1 for this measurement, since 1 2 sin(π/8) is positive.
For the x = 1 case, the situation is similar. In this case, the prover will inform the verifier that the computation rejects (with high probability) and so the verifier will change the H out term of the Hamiltonian to: and otherwise proceed as in the x = 1 case.

C. Numerical results
To simulate the above protocol, we considered two error-correcting codes: the repetition code and the Steane code. In both instances, we wanted to compare how the verifier's probability of acceptance changes as we increase the amount of noise applied to the history state. Before showing the results, we should first ask: what is the probability of acceptance, for x = 0, when there is no noise in the system? One can show that: and in our case ψ x=0 |H|ψ x=0 ≈ 0.0488. We therefore find that p acc ≈ 0.4949. The first case we considered is the repetition code, with 3 physical qubits per logical state. This code can only correct for X errors. We therefore considered the noise channel: acting independently on each individual qubit. The results are shown in Figure 2.
As we can see, the point where the encoded state yields the same acceptance probability as the unencoded state is p = 0.5. The acceptance probabilities for the unencoded state were determined by applying the channel F to each qubit in |ψ x=0 , resulting in a state ρ, and then computing: The same is true for the encoded state, except that logical Z operators are replaced with: where: Essentially, the +1 eigenspace of Z M is spanned by states containing a majority of |0 and the −1 eigenspace is spanned by states containing a majority of |1 . Measuring Z M is the same as performing a transversal Z measurement and taking the majority outcome.
If we increase the size of the encoded state to 5 qubits, we obtain the results from pected, the noise threshold increases and is around p ≈ 0.72. We now consider the Steane code, which can detect and correct for arbitrary errors on a single qubit, while encoding one logical state in 7 physical qubits. This means that the encoded state will comprise of 21 qubits. For this case, we will assume that each qubit is subject to depolarizing noise, characterised by the channel: Due to the large number of entries for the density matrix of the encoded state, we were unable to directly apply the channel D. Instead, for each qubit in ψ x=0 , we chose to either leave it unchanged, with probability (1 − 3p/4) or, with probability p/4, apply either X, Y or Z. This process is repeated multiple times, and in each case the probability of acceptance is computed using Equation 17. The overall probability of acceptance is then estimated by taking the average over all of these runs. The results are shown in Figure 4. We considered 12 data points, spread equally in the interval [0, 1], and for each we performed 1000 repetitions of applying noise in order to estimate p acc . The error bars represent confidence intervals for the computed values, assuming a confidence of 95%. Additionally, the orange curve represents the best fit interpolation of the given samples, when assuming a Gaussian model. As we can see, the threshold point appears to be between 0.1 and 0.2. By considering 12 samples in the range between 0.05 and 0.15, and 4000 repetitions per sample, in Figure 5, we find that the threshold point is between 0.12 and 0.13.
The simulations were performed in MATLAB, on the Eddie Mark 3 cluster of The University of Edinburgh. The code for our simulations is available on Github [23].

IV. CONCLUSIONS
We have given a simple construction for a fault tolerant quantum verification protocol. In a nutshell, the construction involves taking the original post hoc verification protocol of Morimae and Fitzsimons and encoding it in a CSS error-correcting code. Since the original protocol was not blind, neither is its fault tolerant counterpart. A protocol being blind means that the delegated computation is kept secret from the prover, and they only learn at most the size the computation. A major open problem that remains to be addressed is whether one can achieve fault tolerant verification of blind quantum computation without resorting to additional assumptions, as in [9][10][11]. Specifically, the protocols from [9][10][11] assumed (either implicitly or explicitly) that the noise on the verifier's device is independent of the secret parameters that are used to achieve blindness. Additionally, the noise, on that device, should be uncorrelated with the prover's private system.
Following the discussion in [12], the authors stress that, so far, there is no protocol that simultaneously achieves all of the following properties: (1) The verifier has a preparation or measurement device whose size is at most polylogarithmic in the size of the delegated quantum computation.
(2) The noise rate for each quantum operation is below some constant threshold. Additionally, the noise on the verifier's device can depend on whatever operations the verifier performs and can be correlated with the prover's quantum system.
(3) The protocol is unconditionally blind. In other words, throughout the interaction with the verifier, the prover only learns the size of the delegated quantum computation.
As mentioned, previous approaches achieved conditions 1 and 3 but not 2. The protocol we proposed achieves conditions 1 (with a constant size device) and 2 but not 3.
Recently, a protocol has been proposed in which a classical client can delegate and verify the computations performed by a quantum server [24]. This protocol, however, relies on certain computational assumptions about whether a quantum computer can solve a particular problem. Therefore, the verifier would not need to worry about introducing errors into the prover's quantum computation, as was the concern in our work, but this comes at the cost of making these computational assumptions. Interestingly, the protocol in [24] also uses post hoc verification as a primitive, except now the prover measures the qubits in the history state and relays the outcomes to the verifier. The preparation of the history state is slightly more complex than in our case since it uses cryptographic one-way functions which introduce some overhead.
Returning to our results, the simulations are encouraging. Given that the obtained thresholds are higher than the error rates observed in current experimental implementations [25][26][27], a demonstration of the protocol in the near future is likely. The major obstacle to such a demonstration would be the production of these highly entangled history states. The use of CSS codes, however, means that one can encode these states in codes having even higher noise thresholds than the Steane code, such as surface codes [28].