 Hi, my name is Xu Han Hong. Today, I'm going to talk about how to verify quantum computation non-interactivity and in-zero knowledge. This is a joint work with Corey Alegage, Andrew Charles, and Alex Grillo. Our paper is available on Archive. We believe that quantum devices outperform classical computers. Recently, Google announced an experiment using their 54-QP processor, Cyclemore, to demonstrate quantum supremacy based on the circuit sample. They showed that there exists a task which can be done using their processor in a few seconds. But the same task has to take more than 10,000 years to finish using non-classical algorithms on classical hardware. Imagine one day, a university or a company builds a powerful quantum machine which is available for people that get remote access to. You could ask it to, for example, perform large integer factorization or Hamiltonian simulation by sending it an email message describing the task. After a reasonable amount of time, it gets back to you another email message describing the answer. Perhaps the first question you, as the user, would like to know is how you check if the result is correct or not. The answers to some problems are easy to check. For example, for integer factorization, you could check whether the return factor really divides the integer you sent. But does every problem solved for a quantum polynomial time have a classical verification procedure? If so, can we make the procedure very simple? This is a motivation of our work. In theory, the task of verification can be formalized as an interactive proof system or an argument system, provided the prove is provided. Interactive proof system or a protocol consists of two machines. One weaker machine called a verifier who cannot compute the answer itself. But it can use some helper, which is a stronger machine called a prover, to help it decide. A protocol for language L is complete, if for all yes instances. There exists a prover called an honest prover who competes a verifier with high probability. A protocol is solved if for all no instances, no matter how the prover tries to cheat, the verifier rejects with high probability. In addition, sometimes it's desirable that the information conveys no information about the witness. So this is about the privacy of the witness. A nice property in this setting, a nice property to have is the zero knowledge property. The formally, a protocol is zero knowledge. If there exists a simulator, who can simulate the interaction between the verifier and the prover without having access to the witness. In the context of delegation of quantum computation, the question to ask is that how we verify quantum computation when classical simulation is not possible. There are a few different approaches. One is to have the verifier, interrogate multiple provers, who are not allowed to communicate with each other. But they can share entanglement before verification starts. In a single device setting, if the verifier owns a small but reliable quantum computer, which can perform measurement in fixed spaces on a small number of qubits, then we know how to delegate any quantum computation or any languages in BQP. Recently, in a breakthrough, one that showed the first purely classical verification of quantum computation against the quantum prover, who cannot break the assumption of learning with errors. In the following, I will introduce protocols that fall into these two categories. If the verifier owns a small quantum computer that can perform X or Z basis measurements on two qubits, then here is a protocol that verifies a local Hamiltonian problem. The idea is simple. After receiving the instance, the prover prepares a quantum state, which is a ground state of a Hamiltonian, and sends it over to the verifier. The verifier samples a local term that performs X or Z basis measurements on two qubits. Then he checks the parity of the outcomes. For this approach to work, we are distinguishing the Hamiltonian whose ground state energy is below some threshold, or at least inverse polynomial above the equation. Also, the protocol can be used to verify every language in BQP, because there is a reduction from every language in BQP to a local Hamiltonian problem. The protocol also works for QMA. If the quantum efficient prover is given access to a quantum witness, which may not be efficiently prepared. The MADA protocol is a combination of the X, Z Hamiltonian protocol with a verifiable remote X, Z basis measurement procedure, which she calls a measurement protocol. The idea is as follows. After receiving the instance, the verifier samples a local term and the key pair, depending on the term. The public key, pk, encodes a so-called trapdoor or trapdoor injective function. The prover prepares a ground state and query the function at pk on the state. The verifier fixes the state by requesting a measurement on the image register. After receiving the image Y, the verifier tosses a random coin C, indicating the protocol is entering the test round, i.e. c equals 0, or a hard amount round, c equals 1. In the test round, the verifier checks whether the prover owns a preimage. In the hard amount round, the verifier decrypts a transcript into X or Z basis measurement outcome and checks if the outcome is accepted to the X, Z verification protocol. For this approach to work, the verifier samples a key pair according to a local term. And from the public key, pk, the prover is unable to tell it's going to major in the X or Z basis. Also, it must be hard for the prover to prepare the preimage superposition without the knowledge of the secret key. My adept shows that there exists an instantiation based on plan LWE. Also, because the prover can always choose to win a test round, the sound is error is constant. In this work, we are trying to answer the following questions. First, can quantum computation be certified with a single message up to instance-independent preprocessing? Second, can certified quantum computation be performed in zero knowledge? We answer these questions by upgrading the model protocol in the following steps. First, we show that the key generation step can be made instance-independent. So this can be done before the verification starts. And this turns the four-message protocol into a three-message protocol with an instance-independent preprocessing. And then the constant sound is error can be improved by applying parallel repetition. So we show a parallel repetition theorem for the verification protocol. And then we apply the run reduction technique called fission here to reduce the run complexity down to a single message. Finally, I will also show you that how we turn the protocol into an interactive classical zero knowledge for BQP or QM. The first step is to show that the key generation can be done before the verification starts, i.e. before they receive the instance. The idea is simple. First, we sample basis randomly and then sample the keys according to a random basis. After receiving the instance, the verifier samples a real basis according to the Hamiltonian. If they don't match the verifier accepts, otherwise they run the same verification procedure as before. In the soundless analysis, because the Hamiltonian is too local, with probability of fourth, the match and the cost that the gap gets decreased by a factor of one fourth. This is fine because we can apply a standard amplification procedure to amplify the gap. Now we have a three-message protocol with an instance in dependent preprocessing. Now we show that the soundless error can be improved by applying parallel repetition. Given a protocol with a small company in the soundless gap, there are two possibilities to amplify the gap. One approach is by sequential repetition, which means that you run a protocol sequentially and then you accept if many rounds are complete. What's nice about it is that it always amplifies the gap. The downside is that it requires more interaction. The other approach is by parallel repetition, which means that you run a protocol in parallel and then you accept if many copies are accepted. What's nice about it is that no more interaction required. But the downside is that it does not always reduce the soundless error. In fact, there is a counter example for which the soundless error stays the same using a two-fold repetition. In this work, we show that parallel repetition works for the verification protocol. The soundless error of a K-copy protocol is negative records to the negative K. The idea is as follows. In the parallel repeated protocol, the prover prepares the constant row, which is fixed by the verifier by requesting a measurement on the image registers. After receiving K-change coins, we characterize the prover and the verifier's behavior. As a binary measurement that depends on the secret key, the sample to local term and the challenge coins. We show that the accepting projectors are nearly orthogonal with respect to any state that can be prepared by the prover. Otherwise, there exists an adversary who wins a single-copy protocol with probability arbitrary cost one. That contradicts the soundless guarantee of the one-copy, single-copy protocol. Then this means that any prover can win at most a single challenge out of the two-to-K possibilities. We are ready to apply the wrong reduction technique called fissure mirror to turn a protocol into a non-interactive one. The fissure mirror transform turns a signal protocol, which means that it's a free message of the coin protocol into a non-interactive one. The idea is as follows. Because the second message is a random coin, instead of having the verifier toss it, the prover gets a coin by hashing the instance in the first part of the message. Because the verifier can check whether this is a correct hash, the prover is unable to pick a random coin that he knows how to win. We show that the fear transformation of the verification protocol has a negligible soundness error. The proof idea is as follows. Assuming there exists an adversary A who breaks the transform protocol. That means that there must be a noticeable fraction of bad keys with which the adversary wins the protocol with non-manageable probability. Then by the same reduction as the paper by Don Fair, Mayans and Schaffner, there exists an adversary B who wins a free message protocol with probability arbitrary close to one. By the soundness guarantee of the free message protocol, we get a contradiction. The last step I'm gonna talk about today is the classical non-interactive zero knowledge for BQP or QMN. In particular, we show that there exists a classical non-interactive zero knowledge using a circuitry secure FHE and an ISIC for MP. I'll sketch your construction here. First in the center phase, the prover gets encryption of the secret key. The reason that is that it is part of the instance to some impure relation defined by the verifier's final verdict. The security still holds because from ciphertext, the prover is unable to tell what the secret key is. The original protocol is not zero knowledge because the first step, the first message is obtained by querying the function fpk on the winning state. We'll get from around this by having a prover encrypt the winning state with a quantum one-time pad and convince to the keys. So prover is unable to change a value afterwards. So now the first message is obtained by querying fpk on a maximally mixed state. So the first message is simulatable. In the last step, the prover gets accepted by sending the openings and the measurement outcomes, which makes the protocol not zero knowledge. So we get around this by viewing these strings as a witness to the impure relation. Instead of sending the witness in the plain text, the prover sends a homomorphically evaluated music group. So by the zero knowledge property of the music scheme, the protocol is zero knowledge. In summary, we showed classical verification of quantum computation can be performed non-interactively and in zero knowledge. This is done by upgrading the model protocol in a few steps. First, we show that the key generation can be made instance independent. So this can be done in a set of phase. Next, we show that the soundness error can be improved by applying parallel repetition. Also, we show that the wrong complexity can be reduced by applying field shemmier transform to a single message. Finally, I also presented classical non-interactive zero knowledge for pqp or curing. I'll wrap up with a few open questions. First, can we prove security when the protocol is instantiated with a concrete hash function? Now that the security holds in the random oracle model, in practice, we will need to replace it with a concrete construction. Can we show that there is a construction that the security still holds? Next, can we show a parallel repetition theorem for any interactive argument against the quantum proven? Finally, can we give a simple analysis argument for pqp or curing? Our construction relies on a music for MP and a security secure, FHE. Can we use a lighter construction for the same task? That ends my talk. Thanks for listening.