Automated Quantum Program Verification in Dynamic Quantum Logic

Abstract

Dynamic Quantum Logic (DQL) has been used as a logical framework for manually proving the correctness of quantum programs. This paper presents an automated approach to quantum program verification at the cost of simplifying DQL to Basic Dynamic Quantum Logic (BDQL). We first formalize quantum states, quantum gates, and projections in bra-ket notation and use a set of laws from quantum mechanics and matrix operations to reason on quantum computation. We then formalize the semantics of BQDL and specify the behavior and desired properties of quantum programs in the scope of BDQL. Formal verification of whether a quantum program satisfies desired properties is conducted automatically through an equational simplification process. We use Maude, a rewriting logic-based specification/programming language, to implement our approach. To demonstrate the effectiveness of our automated approach, we successfully verified the correctness of five quantum protocols: Superdense Coding, Quantum Teleportation, Quantum Secret Sharing, Entanglement Swapping, and Quantum Gate Teleportation, using our support tool.

Appendix

1.1 Proof of Theorem 1

Before embarking on the proof of Theorem 1, we show a lemma.

Lemma 1

The following holds for any M:

1. 1.

   \([\![[\textbf{skip}]A]\!]^M=[\![A]\!]^M\);

2. 2.

   \([\![[\textbf{abort}]A]\!]^M=\mathcal {H}\);

3. 3.

   \([\![[\textbf{abort};b]A]\!]^M=[\![[\textbf{abort}]A]\!]^M\);

4. 4.

   \([\![[\textbf{skip};b]A]\!]^M=[\![[b]A]\!]^M\);

5. 5.

   \([\![[(a\mathrel {;}b)\mathrel {;}c]A]\!]^M=[\![[a\mathrel {;}(b\mathrel {;}c)]A]\!]^M\);

6. 6.

   \([\![[(a\cup b)\mathrel {;}c]A]\!]^M=[\![(a\mathrel {;}c)\cup (b\mathrel {;}c)]A]\!]^M\);

7. 7.

   \([\![[a\mathrel {;}b]A]\!]^M=[\![[a][b]A]\!]^M\);

8. 8.

   \([\![[a\cup b]A]\!]^M=[\![[a]A]\!]^M\cap [\![[b]A]\!]^M\);

9. 9.

   \([\![[B?]A]\!]^M=[\![B\rightarrow A]\!]^M\in \mathcal {C}(\mathcal {H})\), where \(B\rightarrow A\) denotes the Sasaki hook [18] defined as \(\lnot (A\wedge \lnot (A\wedge B))\).

Proof

1 to 8 are easy to show. For 9, some knowledge of Hilbert space theory is required. Observe that \([\![[B?]A]\!]^M\) is the inverse image \(P_{[\![B]\!]^M}^{-1}([\![A]\!]^M)\) of \([\![A]\!]^M\) under \(P_{[\![B]\!]^M}\). That is,

$$\begin{aligned}{}[\![[B?]A]\!]^M&=P_{[\![B]\!]^M}^{-1}([\![A]\!]^M)=\{s\in \mathcal {H}:P_{[\![B]\!]^M}(s)\in [\![A]\!]^M\} \\ &=\{s\in \mathcal {H}:P_{[\![A]\!]^M}P_{[\![B]\!]^M}(s)=P_{[\![B]\!]^M}(s)\}. \end{aligned}$$

Therefore, \([\![[B?]A]\!]^M=[\![B\rightarrow A]\!]^M\in \mathcal {C}(\mathcal {H})\) (see [15]).

We use Lemma 1 to prove Theorem 1 without mentioning it.

Proof

We prove by simultaneous structural induction on formulas in BDQL and star-free regular programs. The case \(A=p\in L_0\) is immediate. The cases \(A=\lnot B\) and \(A=B\wedge C\) follow from the basic fact in Hilbert space theory. Thus, we only discuss the case \(A=[a]B\).

• Case 1 \(a=\textbf{skip}\). We have \([\![[a]B]\!]^M=[\![B]\!]^M\in \mathcal {C}(\mathcal {H})\) by the induction hypothesis \([\![B]\!]^M\in \mathcal {C}(\mathcal {H})\).

• Case 2 \(a=\textbf{abort}\). We have \([\![[a]B]\!]^M=\mathcal {H}\in \mathcal {C}(\mathcal {H})\).

• Case 3 \(a=\pi \in \varPi _0\). Observe that \([\![[a]B]\!]^M\) is the inverse image of \([\![B]\!]^M\) under v(a). In other words, \([\![[a]B]\!]^M\) is the image \((v(a)^\dagger )([\![B]\!]^M)\) of \([\![B]\!]^M\) under the adjoint operator \(v(a)^\dagger \) of v(a). Let \(X^\perp \) be the orthogonal complement of a subspace X of \(\mathcal {H}\), and write \(X^{\perp \perp }\) for \((X^\perp )^\perp \). Recall that \(X\in \mathcal {C}(\mathcal {H})\) if and only if \(X^{\perp \perp }=X\). By the induction hypothesis \([\![B]\!]^M\in \mathcal {C}(\mathcal {H})\),

  $$\begin{aligned} ([\![[a]B]\!]^M)^{\perp \perp }&=((v(a)^\dagger )([\![B]\!]^M))^{\perp \perp }=((v(a)^\dagger )(([\![B]\!]^M)^\perp ))^\perp \\ &=(v(a)^\dagger )(([\![B]\!]^M)^{\perp \perp })=(v(a)^\dagger )([\![B]\!]^M)=[\![[a]B]\!]^M. \end{aligned}$$

  Consequently, \([\![[a]B]\!]^M\in \mathcal {C}(\mathcal {H})\).

• Case 4 \(a=b\mathrel {;}c\). We further split the case with respect to b.

  • Case 4.1 \(b=\textbf{skip}\). \([\![[a]B]\!]^M=[\![[c]B]\!]^M\in \mathcal {C}(\mathcal {H})\) by the induction hypothesis \([\![[c]B]\!]^M\in \mathcal {C}(\mathcal {H})\).

  • Case 4.2 \(b=\textbf{abort}\). \([\![[a]B]\!]^M=[\![[\textbf{abort}]B]\!]^M=\mathcal {H}\in \mathcal {C}(\mathcal {H})\).

  • Case 4.3 \(b=\pi \). \([\![[a]B]\!]^M=[\![[\pi ][c]B]\!]^M\). By the induction hypothesis, \([\![[c]B]\!]^M\in \mathcal {C}(\mathcal {H})\). Thus, it follows from the similar argument of case 3 above that \([\![[a]B]\!]^M\in \mathcal {C}(\mathcal {H})\).

  • Case 4.4 \(b=b_1\mathrel {;}b_2\).

    $$ [\![[a]B]\!]^M=[\![[b_1\mathrel {;}(b_2\mathrel {;}c)]B]\!]^M=[\![[b_1][b_2\mathrel {;}c]B]\!]^M\in \mathcal {C}(\mathcal {H}) $$

    by the induction hypothesis \([\![[b_1][b_2\mathrel {;}c]B]\!]^M\in \mathcal {C}(\mathcal {H})\).

  • Case 4.5 \(b=b_1\cup b_2\).

    $$ [\![[a]B]\!]^M=[\![[(b_1\mathrel {;}c)\cup (b_2\mathrel {;}c)]B]\!]^M=[\![[b_1\mathrel {;}c]B]\!]^M\cap [\![[b_2\mathrel {;}c]B]\!]^M\in \mathcal {C}(\mathcal {H}) $$

    by the induction hypothesis \([\![[b_1\mathrel {;}c]B]\!]^M,[\![[b_2\mathrel {;}c]B]\!]^M\in \mathcal {C}(\mathcal {H})\).

  • Case 4.6 \(b=C?\).

    $$ [\![[a]B]\!]^M=[\![[C?][c]B]\!]^M=[\![C\rightarrow [c]B]\!]^M\in \mathcal {C}(\mathcal {H}) $$

    by the induction hypothesis \([\![C]\!]^M,[\![[c]B]\!]^M\in \mathcal {C}(\mathcal {H})\).

• Case 5 \(a=b\cup c\). We have \([\![[a]B]\!]^M=[\![[b]B]\!]^M\cap [\![[c]B]\!]^M\in \mathcal {C}(\mathcal {H})\) by the induction hypothesis \([\![[b]B]\!]^M,[\![[c]B]\!]^M\in \mathcal {C}(\mathcal {H})\).

• Case 6 \(a=C?\). We have \([\![[C?]B]\!]^M=[\![C\rightarrow B]\!]^M\in \mathcal {C}(\mathcal {H})\) by the induction hypothesis \([\![B]\!]^M,[\![C]\!]^M\in \mathcal {C}(\mathcal {H})\).