AutoQ: An Automata-Based Quantum Circuit Verifier

Abstract

We present a specification language and a fully automated tool named AutoQ for verifying quantum circuits symbolically. The tool implements the automata-based algorithm from [14] and extends it with the capabilities for symbolic reasoning. The extension allows to specify relational properties, i.e., relationships between states before and after executing a circuit. We present a number of use cases where we used AutoQ to fully automatically verify crucial properties of several quantum circuits, which have, to the best of our knowledge, so far been proved only with human help.

1 Introduction

Recently, quantum computing has received much attention, driven by several technological breakthroughs [7] and increasing investments. Prototype quantum computers are already available. The opportunities for the general public—particularly students, researchers, and technology enthusiasts—to access quantum computing devices are rapidly increasing, e.g., through cloud services such as Amazon Braket [1] or IBM Quantum [2]. Due to the complexity and probabilistic nature of quantum computing, the chance of errors in quantum programs is much higher than that of traditional programs, and conventional means for correctness assurance, such as testing, are much less applicable in the quantum world. Quantum programmers need better tools to help them write correct programs. Therefore, researchers anticipate that formal verification will play a crucial role in quantum software quality assurance and have, in recent years, invested significant effort in this direction [5, 11, 21, 41,42,43, 45, 46]. Nevertheless, practical tools for automated quantum program/circuit verification are still missing.

This paper introduces AutoQ¹, a fully automated tool for quantum circuit verification based on the approach proposed in [14]. In particular, AutoQ checks the validity of a Hoare-style specification \(\{\texttt{Pre}\}~{C}~\{\texttt{Post}\}\), where C is a quantum circuit (a sequence of quantum gates) in the OpenQASM format [17] and the precondition \(\texttt{Pre}\) and postcondition \(\texttt{Post}\) represent sets of (pure) quantum states. The check is done by executing the circuit with all quantum states satisfying \(\texttt{Pre}\) (using a symbolic representation) and testing that all resulting quantum states are in the set denoted by \(\texttt{Post}\).

AutoQ combines two main techniques to efficiently and effectively represent and reason about (potentially infinite) sets of quantum states:

1. 1.

   As in [14], we use tree automata (TAs), finite-state automata accepting languages of trees, to efficiently represent sets of quantum states: Each quantum state over n qubits can be seen as a binary decision tree over n variables such that, e.g., in a 3-qubit circuit with qubits \(|{x_1 x_2 x_3}\rangle \), if the computational basis state \(|{010}\rangle \) in a quantum state has the probability amplitude \(\frac{1}{4}\), then there will be a branch \(x_1 \xrightarrow {0} x_2 \xrightarrow {1} x_3 \xrightarrow {0} \frac{1}{4}\) in the corresponding tree. The use of TA-based representation of a set of quantum states has several advantages: (a) It is concise: e.g., in order to represent the set of all \(2^n\) basis states of an n-qubit quantum circuit, we suffice with a TA with \(\mathcal {O}(n)\) states and transitions. (b) It allows to efficiently perform quantum gate operations on the whole set of quantum states represented by a TA at once [14].

2. 2.

   In this work, we further consider symbolic quantum states, represented by assigning symbolic values to computational basis states (and having an additional formula to relate these symbolic values). For instance, we can represent the set of all n-qubit quantum states where the computational basis \(|{0\ldots 0}\rangle \) has a strictly larger probability of measurement than all other basis states by a symbolic quantum state assigning \(|{0\ldots 0}\rangle \mapsto v_h\) and \(|{y_1 \ldots y_n}\rangle \mapsto v_\ell \) for all \(y_1 \ldots y_n \ne 0\ldots 0\), together with the formula \(|v_h|^2 > |v_\ell |^2 \wedge |v_h|^2 + (2^n -1) |v_\ell |^2 = 1\), where \(v_h\) and \(v_\ell \) are symbolic variables ranging over complex numbers

By combining these two techniques, i.e., using TAs with symbolic variables in leaves, we can have a representation of all n-qubit quantum states where an arbitrary basis has a strictly larger amplitude than other basis states using \(\mathcal {O}(n)\) states and transitions.

Using such a symbolic encoding is essential to allow us to describe relational specifications, e.g., it allows us to express properties like “the probability amplitude of the basis state \(|{000}\rangle \) is increased after executing the circuit C” (for this, in the postcondition, we use TAs accepting trees with predicates in leaves, a subclass of symbolic tree automata of [36]). Such a property can then be verified by executing the quantum circuit symbolically in the spirit of symbolic execution [27] (i.e., such that the values of amplitudes are not complex numbers but, instead, symbolic terms) and checking whether all trees in the language of the resulting TA satisfy the desired property (using a modified antichain-based algorithm for testing TA language inclusion [4, 10]). Combining TAs and symbolic variables as the language for quantum predicates allows full automation and can be used to express many crucial properties of quantum circuits, as we will demonstrate later. AutoQ is the first tool implementing this approach.

Related Work. Our work belongs to the line of Hoare-style verification of quantum programs, which has been widely discussed in the past [22, 29, 35, 40, 44]. This family of approaches follows D’Hondt and Panangaden’s suggestion of using various Hermitian operators as quantum predicates, resulting in a very powerful yet complete proof system [20]. However, specifying properties using Hermitian operators is often not intuitive and is inconvenient for automation due to their enormous matrix sizes. Therefore, often these approaches are implemented on top of proof assistants such as Coq  [9] and Isabelle  [37] and require significant manual work in proof search. The Qbricks  [12] approach alleviates the difficulty of the proof search by combining state-of-the-art theorem provers with decision procedures building on top of the Why3 platform [24]. The approach, however, still requires a significant amount of human intervention.

Regarding other quantum program/circuit/protocol verification tools, circuit equivalence checkers [5, 11, 15, 26, 39] are often quite efficient but less flexible in specifying the desired property (only equivalence). They are particularly useful in compiler validation; notable tools include Qcec  [11], and Feynman  [5]. Quantum model checking supports a rich specification language (flavors of temporal logic [23, 30, 38]) and is more suitable for verifying high-level protocols due to the quite limited scalability [6]. One notable tool in this category is QPMC  [23]. Quantum abstract interpretation [32, 43] is particularly efficient in processing large-scale circuits, but it grossly over-approximates the state space (it cannot verify basic properties of, e.g., Grover’s algorithm) and cannot conclude anything when verification fails. In contrast, AutoQ can be conveniently used for quantum program development and debugging since it automatically computes the exact set of reachable states². The mentioned tools are fully automated but have different goals or address different parts of the software development cycle than AutoQ.

Contributions. AutoQ evolved from a simple prototype used for performance evaluation in [14] into a robust tool. In addition, we added the following major extensions:

1. 1.

   We combined the TA specification with symbolic variables, allowing users to specify advanced relational properties of quantum circuits.

2. 2.

   We developed a new entailment-checking algorithm for the symbolic TA specification based on the antichain algorithm for automata language inclusion testing.

3. 3.

   We introduced a high-level language to simplify writing TA specifications.

These improvements are pushing the capabilities of AutoQ, and also of practical quantum circuit verification itself, much further.

Outline. In Sect. 2, we describe our approach to TA-based specification and verification of quantum circuits. In Sect. 3, we discuss the new entailment-checking algorithm for the symbolic TA representation. We discuss the architecture of AutoQ in Sect. 4 and demonstrate the use of the specification language and AutoQ for automated verification of several case studies in Sect. 5.

Fig. 1.

Verification of a circuit C amplifying the amplitude of \(|{00}\rangle \) w.r.t. the specification \(\{\mathcal {P}, \varphi \}~{C}~\{\mathcal {Q}\}\) with \(\varphi :|v_h+3v_\ell |>|2v_h|\). \(\mathcal {R}\) is the TA obtained by executing \(\mathcal {P}\) on C.

2 Tree Automata-Based Verification of Quantum Circuits

We will begin with minimal formal definitions of the TA-based specification and demonstrate how to use them to verify quantum circuits in AutoQ with examples. We assume a basic knowledge of quantum computation (see, e.g., the classical textbook [31]).

Let us fix a finite set of quantum variables \(\mathbb {X}= \{x_1, \ldots , x_n\}\) with a linear ordering (we assume \(x_1< \ldots < x_n\)) and a disjoint non-empty leaf alphabet \(\varSigma \). We will, in particular, work with \(\varSigma = \varSigma _t\uplus \varSigma _p\) where \(\varSigma _t\) is the alphabet of terms and \(\varSigma _p\) is the alphabet of predicates in a suitable first-order theory (discussed later).

We use \(\{0,1\}^{\le n}\) to denote \(\bigcup _{0\le i \le n} \{0,1\}^i\). A (symbolic binary decision) tree over \(\mathbb {X}\) and \(\varSigma \) is a function \(\tau :\{0,1\}^{\le n} \rightarrow (\mathbb {X}\cup \varSigma )\) such that for all positions \(p \in \{0,1\}^i\) with \(i < n\), we have \(\tau (p) = x_{i+1}\) and for all positions \(p \in \{0,1\}^n\), we have \(\tau (p) \in \varSigma \). An example of a tree \(\tau \) can be found in Fig. 1b, where \(\varSigma =\{v_h,v_\ell \}\), \(\tau (\epsilon )=x_1\), \(\tau (0)=\tau (1)=x_2\), \(\tau (00)=v_h\), and \(\tau (p)=v_\ell \) for \(p\in \{0,1\}^2\setminus \{00\}\).

A (symbolic) tree automaton (TA) is a tuple \(\mathcal {A}= (S, \varDelta , F)\) where S is a finite set of states, \(\varDelta \subseteq (S\times \mathbb {X}\times S \times S) \cup (S \times \varSigma )\) is a transition relation, and \(F \subseteq S\) is the set of root (final) states. We denote transitions from \(\varDelta \) as \(s \xrightarrow {x_i} (s_0, s_1)\) and \(s \xrightarrow {a} ()\) respectively. An example of a TA with the set of root states \(\{s\}\) can be found in Fig. 1a.

A run of \(\mathcal {A}\) on \(\tau \) is a function \(\rho :\{0,1\}^{\le n} \rightarrow S\) s.t. for all positions \(p \in \{0,1\}^i\) with \(i < n\), it holds that \(\rho (p) \xrightarrow {\tau (p)} (\rho (p.0), \rho (p.1)) \in \varDelta \) and for all positions \(p \in \{0,1\}^n\), it holds that \(\rho (p) \xrightarrow {\tau (p)} () \in \varDelta \). The run \(\rho \) is accepting iff \(\rho (\epsilon ) \in F\) and the language of \(\mathcal {A}\) is \(\mathcal {L}(\mathcal {A})= \{\tau \mid \mathcal {A}\text { has an accepting run on } \tau \}\). Observe that the tree in Fig. 1b is in the language of the TA \(\mathcal {P}\) in Fig. 1a with the run \(\rho \) such that \(\rho (\epsilon )=s\), \(\rho (0)=s_1\), \(\rho (1)=s_0\), \(\rho (00)=s_3\), and \(\rho (p)=s_2\) for \(p\in \{0,1\}^2\setminus \{00\}\).

Now we are ready to demonstrate how to write specifications of quantum circuits with TAs using a running example. We assume that C is a 2-qubit circuit that amplifies the amplitude of the basis state \(|{00}\rangle \) (under some constraint \(\varphi \) over input states) and reduces the amplitudes of other basis states. We first prepare the precondition of C, which consists of a pair \((\mathcal {P}, \varphi )\), where \(\mathcal {P}\) is a TA with the root state s, a set of terms \(\varSigma _t\) as the leaf alphabet, and the set of transitions from Fig. 1a, and \(\varphi \) is a first-order constraint over the variables used in \(\varSigma _t\). In \(\varSigma _t\), we use two variables over complex numbers, \(v_\ell \) and \(v_h\), to denote the corresponding amplitude (low and high). The constraint \(\varphi \) states that \(|v_h+3v_\ell |>|2v_h|\) (required by this circuit C, cf. Sect. 5.4). Recall that the TA \(\mathcal {P}\) from Fig. 1a accepts the tree from Fig. 1b, which in turn represents the quantum state

$$\begin{aligned} s = v_h|{00}\rangle + v_\ell |{01}\rangle + v_\ell |{10}\rangle + v_\ell |{11}\rangle . \end{aligned}$$

(1)

AutoQ will execute the gates in C to transform the TA \(\mathcal {P}\) to another TA \(\mathcal {R}\) capturing the effect of executing C over all quantum states encoded in \(\mathcal {P}\). The algorithm for gate operations is almost the same as the one in [14], except that now the update of leaf symbols works symbolically (similarly to symbolic execution [27]: each leaf symbol is a term over \(v_h\) and \(v_\ell \) and quantum gates change the terms by accumulating the operations that would be performed on them, potentially simplifying them). In this example, the TA \(\mathcal {R}\) will accept only one tree representing the quantum state

$$\begin{aligned} \textstyle s'=(\frac{v_h + 3v_\ell }{2})|{00}\rangle + (\frac{v_h - v_\ell }{2})|{01}\rangle + (\frac{v_h - v_\ell }{2})|{10}\rangle + (\frac{v_h - v_\ell }{2})|{11}\rangle , \end{aligned}$$

(2)

Observe that under the precondition \(\varphi =|v_h+3v_\ell |>|2v_h|\), the probability of \(|{00}\rangle \) is indeed increased (\(\textstyle |\frac{v_h + 3v_\ell }{2}|^2 > |v_h|^2\)). The tree representation of \(s'\) can be found in Fig. 1c. The TA \(\mathcal {Q}\) of the postcondition can be found in Fig. 1a. The leaf alphabet of \(\mathcal {Q}\) is the set of predicates \(\varSigma _p=\{|\square |>|v_h|,|\square |<|v_\ell |\}\) where \(\square \) denotes a free variable. Observe that \(\mathcal {Q}\) accepts the tree from Fig. 1e.

2.1 High-Level Specification Language

In AutoQ, we provide a simple specification language that can be automatically translated to TAs. The language allows users to focus on the properties they want to express without the need to specify details of the TA structure. Our language is particularly suitable for describing sets of states with one high probability branch and other branches with uniformly low or zero probability, a very common pattern of quantum circuit’s correctness properties. For example, in the language, we can use \((|{00}\rangle \!\!:v_h, |{*}\rangle \!\!:v_\ell ),\) where “\(|{*}\rangle \)” denotes “other basis states,” to define the tree language of the TA in Fig. 1a, which accepts a single tree representing the quantum state \(v_h|{00}\rangle +v_\ell |{01}\rangle +v_\ell |{10}\rangle +v_\ell |{11}\rangle \) from Fig. 1b. Similarly, we can use \((|{00}\rangle \!\!:|\square |>|v_h|, |{*}\rangle \!\!:|\square |<|v_\ell |)\) to represent the language of the TA in Fig. 1d. The set of all 2-qubit basis states \(\{|{i}\rangle \mid i\in \{0,1\}^2\}\) is expressed as \(\exists {i\in \{0,1\}^2}:(|{i}\rangle \!\!:1, |{*}\rangle \!\!:0)\) (we can see it as a predicate that is satisfied by the described quantum states). We also allow the tensor product \(\otimes \) operator, which multiplies the amplitude of the product basis states. For example, \((|{00}\rangle \!\!:1, |{*}\rangle \!\!:0) \otimes (|{00}\rangle \!\!:v_h, |{*}\rangle \!\!:v_\ell ) \otimes (|{00}\rangle \!\!:1, |{*}\rangle \!\!:0)\) represents the (singleton) set of states compactly \(\{v_h|{000000}\rangle +\sum _{j\in \{01,11,10\}} v_\ell |{00j00}\rangle \}.\)

A more challenging example is to represent the set of states

$$\begin{aligned} \bigg \{v_h|{ii000}\rangle + \sum _{j\in \{0,1\}^3 \wedge j\ne i} v_\ell |{ij000}\rangle ~\bigg |~ i\in \{0,1\}^3\bigg \}. \end{aligned}$$

(3)

Such a set can be described with the help of the \(\otimes \) and \(\exists \) operators as follows:

$$\begin{aligned} \exists i\in \{0,1\}^3:(|{i}\rangle \!\!:1, |{*}\rangle \!\!:0) \otimes (|{i}\rangle \!\!:v_h, |{*}\rangle \!\!:v_\ell ) \otimes (|{000}\rangle \!\!:1, |{*}\rangle \!\!:0). \end{aligned}$$

(4)

Below is the grammar of specification spec:

$$\begin{aligned} spec \,\,{:}{:}\!={}&state \bigm | \exists i\in \{0,1\}^n:state \bigm | spec, state\\ state\,\, {:}{:}\!={}&(|{c_1}\rangle \!\!:t, \ldots , |{c_k}\rangle \!\!:t, |{*}\rangle \!\!:t) \bigm | (|{i}\rangle \!\!:t, |{*}\rangle \!\!:t) \bigm | state\otimes state\\&t \in \varSigma ,\ n\in \mathbb {N} \text{, } \text{ and } c_1, \ldots , c_k \in \{0,1\}^n \end{aligned}$$

A spec is ill-formed when a free variable i appears in state, if some basis is repeated in the rule \((|{c_1}\rangle \!\!:t, \ldots , |{c_k}\rangle \!\!:t, |{*}\rangle \!\!:t)\), or if the previous rule contains two bases of different lengths. If all basis states of the given length are specified in \((|{c_1}\rangle \!\!:t, \ldots , |{c_k}\rangle \!\!:t, |{*}\rangle \!\!:t)\), the \(|{*}\rangle \!\!:t\) part is not required any more. The specification is then converted into a TA using a straightforward algorithm; in the following we often confuse a TA and its specification.

2.2 Complex Number Representation

In a (pure) quantum state, the amplitude of a basis computational state is a complex number, and the corresponding probability is the square of the absolute value of the amplitude. For verification, we need an exact representation of complex numbers that can be used in computers. In AutoQ, we use a subset of complex numbers that can be expressed by the following algebraic encoding (cf. [14, 34, 46]):

$$\begin{aligned} \mathchoice{\Big (\frac{1}{\sqrt{2}}\Big )}{\big (\frac{1}{\sqrt{2}}\big )}{TODO}{TODO}^k (a + b \omega +c \omega ^2 +d \omega ^3 ), \end{aligned}$$

(5)

where \(a,b,c,d \in \mathbb {Z}\), \(k \in \mathbb {N}\), and \(\omega = e^{\frac{i\pi }{4}}= \cos {45^\circ }+i \sin {45^\circ } = \frac{\sqrt{2}}{2} + i\frac{\sqrt{2}}{2}\), the unit vector that makes an angle of \(45^\circ \) with the positive real axis in the complex plane. A complex number is then represented by a quadruple (a, b, c, d) of integers and a normalization factor k. Although the considered set of complex numbers is only a small subset of all complex numbers (it is countable, while the set of all complex numbers is uncountable), the subset is sufficient to describe various standard quantum gates. Currently, AutoQ supports the set of quantum gates X, H, Y, Z, S, T, Rx(\(\frac{\pi }{2}\)), Ry(\(\frac{\pi }{2}\)), CNOT, CZ, Toffoli (cf. the list in [14]), which already includes a set of universal quantum gates. From the Solovay-Kitaev theorem [18], gates performing rotations of \(\frac{\pi }{2^n}\), used, e.g., in Shor’s algorithm [33] and quantum Fourier transform (QFT) [16], can be approximated with an error rate \(\epsilon \) by \(\mathcal {O}(\textrm{log}^{3.97}(\frac{1}{\epsilon }))\)-many H, CNOT, and T gates. The algebraic representation is also sufficient to represent all reachable states in OpenQASM circuits with the set of supported gates, where the initial basis state is \(|{0\ldots 0}\rangle \).

AutoQ operates on the introduced representation of complex numbers. More precisely, for a specification \(\{\mathcal {P},\varphi \}~{C}~\{\mathcal {Q}\}\), the leaf symbols of \(\mathcal {P}\) are quadruples of integer terms (a, b, c, d). We assume that all leaf symbols of \(\mathcal {P}\) share a common normalization factor k, so we do not store the value of k explicitly since it can be inferred from the fact that the probability sum over all basis states is one. Instead, we remember a constant natural number value \(k_c\), the difference of the k value between \(\mathcal {P}\) and \(\mathcal {R}\), and use it to normalize the amplitudes. Recall that \(\mathcal {R}\) is the TA accepting all states after executing C from some states accepted by \(\mathcal {P}\). The initial value of \(k_c\) is zero, and each application of H, Rx(\(\frac{\pi }{2}\)), or Ry(\(\frac{\pi }{2}\)) gates will increase it by one (cf. [14]). We normalize all quadruple leaf symbols (a, b, c, d) of \(\mathcal {R}\) by multiplying them with \(\mathchoice{\Big (\frac{1}{\sqrt{2}}\Big )}{\big (\frac{1}{\sqrt{2}}\big )}{TODO}{TODO}^{k_c}\) once \(\mathcal {R}\) is computed.

Next, we show how to compose a specification of our running example from Fig. 1 using the algebraic representation. The specification can now be written as

$$\begin{aligned}&\mathcal {P}:(|{00}\rangle \!\!:(v^a_h,v^b_h,v^c_h,v^d_h), |{*}\rangle \!\!:(v^a_\ell ,v^b_\ell ,v^c_\ell ,v^d_\ell )\\&\textstyle \mathcal {Q}:(|{00}\rangle \!\!:|(\square _1,\square _2,\square _3,\square _4)|^2>|(v^a_h,v^b_h,v^c_h,v^d_h)|^2, |{*}\rangle \!\!:|(\square _1,\square _2,\square _3,\square _4)|^2<|(v^a_\ell ,v^b_\ell ,v^c_\ell ,v^d_\ell )|^2), \end{aligned}$$

$$\begin{aligned} \begin{aligned} \text{ where } \quad |(a,b,c,d)|^2= {}&|a + b \omega +c \omega ^2 +d \omega ^3 |^2\\ {}={}&\textstyle \big |a+b(\frac{\sqrt{2}}{2} + \frac{\sqrt{2}}{2} i)+ci+d(-\frac{\sqrt{2}}{2} + \frac{\sqrt{2}}{2} i)\big |^2\\ {}={}&\textstyle (a+b \frac{\sqrt{2}}{2} -d \frac{\sqrt{2}}{2})^2+(b \frac{\sqrt{2}}{2} -c+d \frac{\sqrt{2}}{2})^2 \end{aligned} \end{aligned}$$

2.3 Precise Semantics of the Specification

As mentioned above, for verifying \(\{\mathcal {P},\varphi \}~{C}~\{\mathcal {Q}\}\), we start with a TA \(\mathcal {P}\) representing the set of all quantum states satisfying the precondition and compute a TA \(\mathcal {R}\) representing the set of states reachable after executing the circuit C. Then, we test whether \(\mathcal {R}\) entails \(\mathcal {Q}\) (w.r.t. \(\varphi \)), i.e., whether all reachable states satisfy the postcondition.

Formally, we say that a tree \(\tau _1\) is entailed by a tree \(\tau _2\) w.r.t. a first-order formula \(\varphi \), denoted as \(\tau _1 \mathrel {\models _\varphi }\tau _2\), if for all positions \(p \in \{0,1\}^n\) it holds that either (i) \(\tau _1(p) = \tau _2(p)\) or (ii) \(\tau _1(p) = (t_1,\ldots ,t_k) \in \varSigma _t\), \(\tau _2(p) = \psi \in \varSigma _p\), and \(\varphi \Rightarrow \psi [t_1/\square _1]\ldots [t_k/\square _k]\). We lift the entailment to TAs: \(\mathcal {A}_1 \mathrel {\models _\varphi }\mathcal {A}_2\) iff for all trees \(\tau _1 \in \mathcal {L}(\mathcal {A}_1)\) there exists a tree \(\tau _2 \in \mathcal {L}(\mathcal {A}_2)\) s.t. \(\tau _1 \mathrel {\models _\varphi }\tau _2\).³

3 Entailment Checking

We will now describe how we perform the entailment check \(\mathcal {R}\mathrel {\models _\varphi }\mathcal {Q}\). Since we operate with trees and tree automata over symbolic values, we cannot establish entailment by running a classical TA language inclusion test based on complementing the automaton \(\mathcal {Q}\) first. Instead, our algorithm for testing the entailment \(\mathcal {R}\mathrel {\models _\varphi }\mathcal {Q}\) is based on an on-the-fly TA inclusion checking algorithm [4, 10], which avoids complementation. The on-the-fly inclusion-checking algorithm can be seen as an optimization of the classical construction, which would establish \(\mathcal {L}(\mathcal {R}) \cap \overline{\mathcal {L}(\mathcal {Q})} {\mathop {=}\limits ^{?}} \emptyset \) by first computing the complement \(\mathcal {Q}^{\complement }\) of \(\mathcal {Q}\) (using a bottom-up TA determinization), followed by computing the intersection \(\mathcal {A}_{\cap }\) of \(\mathcal {Q}^{\complement }\) and \(\mathcal {R}\), and, finally, checking language emptiness of \(\mathcal {A}_{\cap }\). In particular, the on-the-fly inclusion checking algorithm can be seen as doing all the operations at once. Furthermore, the algorithms in [4, 10] also make use of the so-called antichains and TA simulation to prune the explored state space.

Our modification of the inclusion algorithm to test TA entailment, given in Algorithm 1, mainly differs from [4, 10] in the way initial sets of state pairs are computed on Line 3. In particular, we match a state \(s_r\) that can perform a leaf transition over \(t_r\) in \(\mathcal {R}\) with the set \(U_q\) of all states in \(\mathcal {Q}\) that can perform a leaf transition either over \(t_r\) or over a predicate \(p_q\) such that \(\varphi \Rightarrow p_q[t_r/\square ]\) (we use \(p_q[t_r/\square ]\) for a tuple \(t_r\) to denote the substitution of the tuple’s components into the corresponding free variables of \(p_q\)).

After that, the algorithms perform a simultaneous bottom-up traversal through \(\mathcal {R}\) (represented by states \(s_r\)) and the determinized version of \(\mathcal {Q}\) (represented by sets of states \(U_q\)). For each such pair \((s_r, U_q)\), the algorithm first checks whether \(s_r\) is a root state and \(U_q\) does not contain any root state (cf. Line 6; this would mean that \(\mathcal {R}\) accepts some tree that is not accepted by \(\mathcal {Q}\)). If this does not hold, then the algorithm tries to find all already processed pairs that can make a transition with \((s_r, U_q)\) (cf. Line 8) and continue from all such pairs. Each bottom-up successor \((s_r', U_q')\) is then added to \( Worklist \) in the case it has not been seen previously (cf. Line 13).

The algorithm uses the function \( Min \) (cf. Lines 3, 7, and 13) to minimize the sets \( Worklist \) and \( Processed \) w.r.t. a subsumption relation, and the downward closure for \(\lceil Processed \cup Worklist \rceil \) on Line 12 to prune the explored state space. Due to lack of space, we refer to the works [4, 10] for more details about these optimizations.

4 Architecture

Fig. 2.

The architecture of AutoQ. The input verification problem is \(\{\mathcal {P},\varphi \}~{C}~\{\mathcal {Q}\}\).

We illustrate the architecture of AutoQ in Fig. 2. The tool is written in C++ and uses the following external tools: the TA library Vata  [28] for efficient testing of TA inclusion (when the postcondition uses only the term alphabet \(\varSigma _t\)) and the SMT solver Z3 for entailment checking of leaf symbols in Algorithm 1. We allow any theory solver supported by Z3. In our experiment, we use QF_NIRA. AutoQ takes as an input a quantum circuit in the OpenQASM format accompanied with the specification written as tree automata (.aut files) or the high-level specification language (.hsl files) introduced in Sect. 2.1.

Preprocessor reads the input files (.aut, .smt, .qasm, and .hsl files), translates specifications in the .hsl files into tree automata, and stores them using AutoQ ’s internal data structures. Circuit Executor then reads the circuit C and the TA \(\mathcal {P}\) and generates another TA \(\mathcal {R}\) obtained as the result after executing C from states in \(\mathcal {P}\), using the approach of [14] with the symbolic extension discussed in Sect. 2. AutoQ can also output the TA \(\mathcal {R}\) for further analysis. Finally, Entailment Checker checks whether \(\mathcal {R}\mathrel {\models _\varphi }\mathcal {Q}\) and reports “verified” when the entailment holds and “bug found” otherwise.

5 Use Cases

In this section, we describe several use cases of quantum algorithms and their important properties that we were able to verify using AutoQ fully automatically. We focus on the use of symbolic TA in this set of experiments and refer the readers to [14] for other experimental results. A selection of the obtained results is given in Table 1. An artifact that allows reproduction of the results is available as [13].

5.1 Hadamard Square is Identity

Our first use case shows that the single qubit gate C that runs two consecutive H gates has the same effect as an identity matrix. We use the specification \(\{\mathcal {P},\varphi \}~{C}~\{\mathcal {Q}\}\) with

$$\begin{aligned}&\mathcal {P}:(|{0}\rangle \!\!:(v_a,v_b,v_c,v_d),|{1}\rangle \!\!:(v'_a,v'_b,v'_c,v'_d)), \qquad \qquad \qquad \qquad \qquad \qquad \varphi : true ,\\&\mathcal {Q}:(|{0}\rangle \!\!:(\square _a,\square _b,\square _c,\square _d)=(v_a,v_b,v_c,v_d), |{1}\rangle \!\!:(\square _a,\square _b,\square _c,\square _d)=(v'_a,v'_b,v'_c,v'_d)). \end{aligned}$$

In this simple example, the precondition \(\mathcal {P}\) encodes an infinite number of quantum states, which is not expressible using the technique in [14]. We also included a buggy version by altering one of the H gates, and AutoQ managed to detect the injected bug. The results can be found in rows H\(^2\) in Table 1.

5.2 Zero Imaginary Part of Amplitudes

One property, which is shared by multiple algorithms, e.g., Bernstein-Vazirani’s [8] and Grover’s algorithm [25], is that the imaginary part of all amplitudes of the result is zero.

Let us focus on Bernstein-Vazirani’s algorithm [8], which finds a secret bit-string s from an oracle using a single query. The algorithm begins with the quantum state \(|{0^n}\rangle \), where n is the length of s, and ends with the quantum state \(|{s}\rangle \). The amplitudes of all basis states are either zero or one, the imaginary part of the amplitudes is, therefore, always zero. For a three-qubit circuit C implementing the algorithm, we can therefore use the specification: \(\{\mathcal {P},\varphi \}~{C}~\{\mathcal {Q}\}\) with

$$\begin{aligned} \mathcal {P}:(|{000}\rangle \!\!:(1,0,0,0),|{*}\rangle \!\!:(0,0,0,0)),{} & {} \varphi : true ,{} & {} \mathcal {Q}:(|{*}\rangle \!\!:\psi _{\Im }), \end{aligned}$$

where \(\psi _{\Im }\equiv (\square _b = -\square _d \wedge \square _c=0)\) (it will also be used later). In the definition of \(\mathcal {P}\), recall that we use the integer-quadruple representation of complex numbers (cf. Eq. (5)). In the postcondition \(\mathcal {Q}\), the free variables \(\square _a, \square _b, \square _c, \square _d\) are to be substituted by the corresponding terms in the obtained integer term quadruple (a, b, c, d) in the entailment check. Note that (a, b, c, d) represents the complex number \((a+b \frac{\sqrt{2}}{2}-d \frac{\sqrt{2}}{2})+i(b \frac{\sqrt{2}}{2}-c+d \frac{\sqrt{2}}{2})\) (obtained from Eq. (5)). Because a, b, c, d are all integers, for the imaginary part to be zero, it must hold that \(c=0\) and \(b=-d\).

When we run C from \(\mathcal {P}\), we obtain a TA \(\mathcal {R}\) encoding \((|{010}\rangle \!\!:(1,0,0,0)\), \(|{*}\rangle \!\!:(0,0,0,0))\) and the entailment \(\mathcal {R}\mathrel {\models _\varphi }\mathcal {Q}\) holds. See the rows BV\((n)\) in Table 1 for the results of verifying the algorithm for circuits with secrets of size n. As in the previous example, we also included a buggy version to demonstrate AutoQ ’s bug-finding capability. We can see that AutoQ could verify the algorithm for secrets of a quite large size.

Table 1. Results of verifying our use cases with AutoQ. The maximum peak memory consumption was 52 MiB for Grover\(_{\text {All}}(9)\). In most cases, the time of entailment was negligible, with the exception of Grover\(_{\text {All}}\) circuits. For instance, Grover\(_{\text {All}}(8)\) takes 2 m18 s for entailment checking (70% of the total time) and Grover\(_{\text {All}}(9)\) takes 21 m36 s for entailment checking (85% of the total time).

5.3 Probability of Measuring the Correct Answer

Grover’s algorithm [25] assumes a Boolean function f over n bits with only one satisfying assignment s and an oracle that evaluates f for a given input. The algorithm finds s with a high probability, say \(>0.9\), using only \(\mathcal {O}(\sqrt{2^n})\) oracle queries. The algorithm works iteratively, where each Grover iteration queries the oracle once and amplifies the amplitude of \(|{s}\rangle \). First, let C be a 6-qubit circuit implementing Grover’s search with the satisfying assignment \(s = 010\), where the first three qubits of C are the work tape, and the following three are the ancillae. We use the following specification:

$$\begin{aligned}&\mathcal {P}:(|{000000}\rangle \!\!:\vec 1,|{*}\rangle \!\!:\vec 0)~\text { where } \vec 1= (1,0,0,0) \text { and } \vec 0= (0,0,0,0), \qquad \varphi : true ,\\&\mathcal {Q}:(|{010}\rangle \!\!:|\square _a|^2> 0.9 \wedge \psi _{\Im },|{*}\rangle \!\!:|\square _a|^2< 0.1 \wedge \psi _{\Im })\otimes (|{000}\rangle \!\!:\vec 1,|{*}\rangle \!\!:\vec 0). \end{aligned}$$

Note that the postcondition \(\mathcal {Q}\) also checks that all amplitudes in the result of the algorithm have a zero imaginary part (using \(\psi _{\Im }\)). See rows Grover\(_{\text {Single}}(n)\) in Table 1 for the results on circuits for n-bit functions f and a single oracle.

Next, we also show the correctness of Grover’s algorithm w.r.t. all possible 3-qubit oracles. Let \(C'\) be a 9-qubit circuit implementing the algorithm, where the first three qubits are used for oracle generation, and the following six are the work tape and ancillae, similarly to Grover\(_{\text {Single}}\). Our specification is now

$$\begin{aligned}&\mathcal {P}:\exists i \in \{0,1\}^3:(|{i000000}\rangle \!\!:\vec 1,|{*}\rangle \!\!:\vec 0), \qquad \qquad \qquad \qquad \qquad \qquad \varphi : true ,\\&\mathcal {Q}:\exists i\in \{0,1\}^3:(|{i}\rangle \!\!:\vec 1, |{*}\rangle \!\!:0)\otimes (|{i}\rangle \!\!:|\square _a|^2> 0.9 \wedge \psi _{\Im }, |{*}\rangle \!\!:|\square _a|^2 < 0.1\wedge \psi _{\Im })\\&\qquad \qquad \qquad \quad {}\otimes (|{000}\rangle \!\!:\vec 1, |{*}\rangle \!\!:\vec 0). \end{aligned}$$

Note that in the postcondition, we use i to relate the oracle value and the value on the work tape. The results are in rows Grover\(_{\text {All}}(n)\) in Table 1.

5.4 Increasing Amplitude of the Correct Answer

Above, we show that we are able to automatically verify moderate-sized circuits for Grover’s algorithm for the values of n up to 9 (for Grover\(_{\text {All}}\)) and 20 (for Grover\(_{\text {Single}}\)), which is quite large, but have difficulties going beyond that. The size of the circuit is \(\mathcal {O}(\sqrt{2^n})\), which is quite large. Therefore, we also verify the algorithm w.r.t. a weaker property, which is, that in one iteration, the amplitude of the correct answer will increase.

Consider a function f over 2 bits with 01 being the only satisfying assignment and let C be a 4-qubit circuit encoding one Grover iteration, with two qubits as the work tape and two ancilla qubits. From Grover’s correctness proof [25], we can derive that when \(v_\ell>0\wedge v_h>0\wedge (2^n-1)v_\ell >v_h\), a correct implementation will increase the probability of \(|{01}\rangle \) and reduce others. We specify the verification problem as follows:

$$\begin{aligned} \mathcal {P}:&(|{01}\rangle \!\!:(v_h,0,0,0), |{*}\rangle \!\!:(v_\ell ,0,0,0))\otimes (|{00}\rangle \!\!:\vec 1, |{*}\rangle \!\!:\vec 0),\\ \varphi :&v_\ell>0\wedge v_h>0\wedge (2^2-1)v_\ell>v_h,\\ \mathcal {Q}:&(|{01}\rangle \!\!:|\square _a|>|v_h| \wedge \psi _{\Im }, |{*}\rangle \!\!:|\square _a|<|v_\ell |\wedge \psi _{\Im })\otimes (|{00}\rangle \!\!:\vec 1, |{*}\rangle \!\!:\vec 0). \end{aligned}$$

The results can be found in rows Grover\(_{\text {Iter}}(n)\) in Table 1. We can see that verification of one Grover iteration w.r.t. the weaker (but still quite useful) property scales much better than verification of full Grover’s circuits, scaling to sizes of \(n \ge 100\).

6 Conclusion

We presented a specification language for specifying useful properties of quantum circuits and a tool AutoQ that can establish the correctness of the specification using an approach combining the technique from [14] with symbolic execution. Using the tool, we were able to fully automatically verify several important properties of a selection of quantum circuits. To the best of our knowledge, for some of the properties, we are the first ones that could verify them fully automatically.